Commit Graph

40905 Commits

Author SHA1 Message Date
Daniel P. Berrangé
c212eb6c7f qemu: taint the VM if it is using a deprecated CPU model
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 17:31:57 +00:00
Daniel P. Berrangé
30626ed15b qemu: add ability to associate a string message with taint warning
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 17:31:31 +00:00
Daniel P. Berrangé
2273065746 conf: introduce new taint flag for deprecated configuration
Hypervisors are capable of reporting that some features are deprecated.
This should be used to mark a domain as tainted.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 17:30:58 +00:00
Daniel P. Berrangé
1e260cc449 qemu: report whether a machine type is deprecated in capabilities
QEMU has the ability to mark machine types as deprecated. This should be
exposed to management applications in the capabilities.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 17:30:52 +00:00
Daniel P. Berrangé
5138a09260 qemu: report whether a CPU model is deprecated in dom capabilities
QEMU has the ability to mark CPUs as deprecated. This should be exposed
to management applications in the domain capabilities.

This attribute is only set when the model is actually deprecated.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 17:26:39 +00:00
Daniel P. Berrangé
f9f11c4ae8 docs: use a relative link to the kbase page
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:33:18 +00:00
Peter Krempa
bfdfa64010 viralloc: Remove VIR_ALLOC_VAR
The use case VIR_ALLOC_VAR deals with is very unlikely. We had just 2
legitimate uses, which were reimplemented locally using g_malloc0 and
sizeof instead as they used a static number of members of the trailing
array.

Remove VIR_ALLOC_VAR since in most cases the direct implementation is
shorter and clearer and there are no users of it currently.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
52ca0a6229 virNetDevGetEthtoolGFeatures: Avoid use of VIR_ALLOC_VAR
In this case we need a 'struct ethtool_gfeatures' followed by two
'struct ethtool_get_features_block' so there's no risk of overflow.

Use g_malloc0 and sizeof() to allocate the memory instead of
VIR_ALLOC_VAR.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
729ac13938 locking: sanlock: Avoid use of VIR_ALLOC_VAR for 'struct sanlk_resource'
In both cases we need memory for a 'struct sanlk_resource' followed by
one 'struct sanlk_disk', thus there's no risk of overflow.

Use g_malloc0 and sizeof() to allocate the memory instead of
VIR_ALLOC_VAR.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
7d836cfba1 virLockManagerSanlockAddDisk: Refactor cleanup
Use g_autofree to allow removal of 'cleanup:' and the 'ret' variable.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
30a42dcddc virLockManagerSanlockAddLease: Refactor cleanup
Use g_autofree and remove the 'cleanup' section and 'ret' variable.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
add18b06c7 virNWFilterVarCombIter: Allocate 'iter' member separately
Switch to the more common approach of having arrays allocated separately
rather than trailing the struct.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 16:09:25 +01:00
Peter Krempa
ed97683897 util: alloc: Remove VIR_DISPOSE_STRING
Users were replaced with virSecureEraseString with explicit freeing of
the memory.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:14 +01:00
Peter Krempa
de4d0103b6 virnetlibsshsession: Replace VIR_DISPOSE_STRING with virSecureEraseString
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:14 +01:00
Peter Krempa
2025001609 util: alloc: Remove VIR_AUTODISPOSE_STR
There are no users any more. The replacement is to use g_auto and
virSecureEraseString explicitly.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:14 +01:00
Peter Krempa
7979d85783 virNetLibsshAuthenticatePassword: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
a1709a68a5 cmdSecretGetValue: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
7f0780c0d2 virStorageBackendRBDOpenRADOSConn: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
3b1d2ff510 qemuBuildRBDSecinfoURI: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
In this instance attempting to be correct is really pointless since the
secret is formatted into another string which is not erased securely and
then put on the commandline.

Keep the secure handling for correctness.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
ffc13e76ac libxlMakeNetworkDiskSrc: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
39089a6faf util: virsecureerase: Introduce virSecureEraseString
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
bacf612607 util: viralloc: Remove VIR_DISPOSE(_N)
The macros are unused now and callers who care about clearing the memory
they use should use memset() appropriately.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
f08fea10fb tests: viralloc: Remove testDispose case
The VIR_DISPOSE* APIs will be phased out. Additionally the test isn't
really doing useful work in ensuring that the values are indeed cleared
thus there's no point in keeping it around.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
8bac46997f storageBackendCreateQemuImgSecretPath: Use virSecureErase instead of VIR_DISPOSE_N
Clear out the value using virSecureErase and free it with g_free so
that VIR_DISPOSE_N can be phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
91858434b4 virCryptoEncryptDataAESgnutls: Use virSecureErase instead of memset
Clear the key and IV structs using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
288d051494 virCryptoEncryptDataAESgnutls: Use virSecureErase instead of VIR_DISPOSE_N
Clear out the value using virSecureErase and free it with g_free so
that VIR_DISPOSE_N can be phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
549305922a virStorageBackendRBDOpenRADOSConn: Use virSecureErase instead of VIR_DISPOSE_N
Switch the secret value to 'g_autofree' for handling of the memory and
clear it out using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
e6195ed80c virsh: cmdSecretGetValue: Use virSecureErase instead of VIR_DISPOSE_N
Switch the secret value to 'g_autofree' for handling of the memory and
clear it out using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
ee88bce43d qemu: domain: Use virSecureErase for clearing secrets instead of VIR_DISPOSE_N
Phase out use of VIR_DISPOSE_N from the qemu driver. Use memset in the
appropriate cases.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
3217d445b9 libxlMakeNetworkDiskSrc: Avoid use of VIR_DISPOSE_N
Clear the secret right after use with virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
fabd172065 storage_backend_iscsi(_direct): Properly clear secrets
The code pretends that it cares about clearing the secret values, but
passes the secret value to a realloc, which may copy the value somewhere
else and doesn't sanitize the original location when it does so.

Since we want to construct a string from the value, let's copy it to a
new piece of memory which has the space for the 'NUL' byte ourselves, to
prevent a random realloc keeping the data around.

While at it, use virSecureErase instead of VIR_DISPOSE_N since it's
being phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
8d6353a066 virsh: cmdSecretSetValue: Rework handling of the secret value
Use a single buffer for the secret to make it easier to follow it's
lifecycle. For base64 decoding use a local temporary buffer which will
be cleared right away.

This also uses virSecureErase for clearing the bufer instead of
VIR_DISPOSE_N which is being phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
43696418af util: Introduce virsecureerase module
The module will provide functions for disposing secrets stored in
memory.

Note that for now it's implemented using memset, which is not really
secure.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
5761f8ab54 virNetLibsshSessionAuthAddPrivKeyAuth: Refactor cleanup
Shuffle the code around to remove the need for temporary variables and
labels for cleaning them.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
34e522418f virNetLibsshSessionAuthAddPrivKeyAuth: Don't unlock unlocked 'sess' on error
The check whether @keyfile is non-NULL is before locking @sess, but uses
the 'error' label which unlocks '@sess'.

While touching the error path, update the error message to be on one
line.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
26fedf9218 cmdSecretSetValue: Make it obvious that --file, --base64 and --interactive are exlcusive
Convert the conditions to else if so that it's obvious that only one of
the cases will ever be used.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
ac4b55c99d qemuDomainMasterKeyCreate: Don't use VIR_DISPOSE_N on failure
When virRandomBytes fails we don't get any random bytes and even if we
did they don't have to be treated as secret as they weren't used in any
way.

Add a temporary variable with automatic freeing for the secret buffer
and assign it only on success.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
b57b6b4eea libxlMakeDomBuildInfo: Don't use VIR_DISPOSE_N for USB device list
The list isn't secret which would need being disposed of. Just expand
the array and return failure when adding the NULL terminator similarly
to how we expand the list for adding devices in a loop.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
9c9423a1e8 hypervFreeInvokeParams: Don't use VIR_DISPOSE_N for freeing 'params'
The struct doesn't contain any secrets to clear before freeing and even
if it did VIR_DISPOSE_N wouldn't help as the struct contains only
pointers thus the actual memory pointing to isn't sanitized.

Just free the params array pointer and then the struct itself.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
gongwei
976bdfc8e7 conf: add realtime parameter for rtc
Pass the parameter clock rt to qemu to ensure that the
virtual machine is not synchronized with the host time

Signed-off-by: gongwei <gongwei@smartx.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-02-03 10:18:04 +01:00
Peter Krempa
d115019b6a util: virstring: Remove unused prototypes for virStr(n)dup
The headers weren't removed after use of VIR_STRDUP was removed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-02 15:10:47 +01:00
Tim Wiederhake
8b1755024b vircommand: Simplify virCommandAddArg
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
ae9f4d5e0c vircryptotest: Directly assign string to avoid memcpy
Found by clang-tidy's "bugprone-not-null-terminated-result" check.

clang-tidy's finding is a false positive in this case, as the
memset call guarantees null termination. The assignment can be
simplified though, and this happens to silence the warning.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
b62e51e540 tests: Prevent malloc with size 0
Found by clang-tidy's "clang-analyzer-optin.portability.UnixAPI" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
2cdbfbe7ac virhostuptime: Fix rounding in uptime calculation
"f + 0.5" does not round correctly for values very close to
".5" for every integer multiple, e.g. "0.499999975".

Found by clang-tidy's "bugprone-incorrect-roundings" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
795187fe0c udevProcessCCW: Initialize variable
`udevGetIntSysfsAttr` does not necessarily write to the third parameter,
even when it returns 0.

This was found by clang-tidy's
"clang-analyzer-core.UndefinedBinaryOperatorResult" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
1e2e8ac88f Replace bzero() with memset()
This was found by clang-tidy's
"clang-analyzer-security.insecureAPI.bzero" check.

bzero is marked as deprecated ("LEGACY") in POSIX.1-2001 and
removed in POSIX.1-2008.

Besides its deprecation, bzero can be unsafe to use under certain
circumstances, e.g. when used to zero-out memory containing secrects.
These calls can be optimized away by the compiler, if it concludes no
further access happens to the memory, thus leaving the secrets still
in memory. Hence its classification as "insecureAPI".

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
4f5c22b27c virsh-domain: Fix error handling of pthread_sigmask
pthread_sigmask() returns 0 on success and "a non-zero value
on failure", but not neccessarily a negative one.

Found by clang-tidy's "bugprone-posix-return" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
2870d99f1b qemu_tpm: Fix indentation in qemuTPMEmulatorBuildCommand
This was found by clang-tidy's "readability-misleading-indentation"
check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
a6675869fb xen: Fix indentation in xenParseXLSpice
This was found by clang-tidy's "readability-misleading-indentation"
check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00