Commit Graph

14316 Commits

Author SHA1 Message Date
Jim Fehlig
288fdcd06d libxl: Add comments to libxlDriverPrivate fields
Similar to the QEMU and LXC drivers, annotate the fields of
libxlDriverPrivate struct to indicate the locking rules for
their use.
2013-09-03 16:43:21 -06:00
Jim Fehlig
6cd43d3654 libxl: Use atomic ops for driver->nactive 2013-09-03 16:43:21 -06:00
Jim Fehlig
d9f19c30d0 libxl: Introduce libxlDriverConfig object
The libxlDriverPrivate struct contains an variety of data with
varying access needs. Similar to the QEMU and LXC drivers,
move all the static config data into a dedicated libxlDriverConfig
object. The only locking requirement is to hold the driver lock
while obtaining an instance of libxlDriverConfig. Once a reference
is held on the config object, it can be used completely lockless
since it is immutable.
2013-09-03 16:43:20 -06:00
Jim Fehlig
4147587669 libxl: User per-domain ctx in libxlDomainGetInfo
libxlDomainGetInfo() uses the driver-wide libxl ctx when
it would be more appropriate to use the per-domain ctx
associated with the domain.  Switch to using the per-domain
libxl ctx.
2013-09-03 16:43:20 -06:00
Jim Fehlig
e1f67c90d5 libxl: libxl: Use per-domain ctx in libxlMakeDomCreateInfo
libxlMakeDomCreateInfo() uses the driver-wide libxl ctx when
it would be more appropriate to use the per-domain ctx
associated with the domain.  Switch to using the per-domain
libxl ctx.
2013-09-03 16:43:20 -06:00
Jim Fehlig
cb0d49af11 libxl: Add libxl_version_info to libxlDriverPrivate
libxl version info is static data as far as the libxl driver
is concerned, so retrieve this info when the driver is initialized
and stash it in the libxlDriverPrivate object.  Subsequently use
the stashed info instead of repeatedly calling libxl_get_version_info().
2013-09-03 16:43:20 -06:00
Jim Fehlig
2f8d0f9021 libxl: Earlier detection of not running on Xen
Detect early on in libxl driver initialization if the driver
should be loaded at all, avoiding needless initialization steps
that only have to be undone later.  While at it, move the
detection to a helper function to improve readability.

After detecting that the driver should be loaded, subsequent
failures such as initializing the log stream, allocating libxl
ctx, etc. should be treated as failure to initialize the driver.
2013-09-03 16:43:20 -06:00
Jim Fehlig
12315cd779 libxl: Introduce libxl_domain.[ch]
Create libxl_domain.[ch] and move all functions operating on
libxlDomainObjPrivate to these files.  This will be useful for
future patches that e.g. add job support for libxlDomainObjPrivate.
2013-09-03 16:43:20 -06:00
Jim Fehlig
c9d5432d85 libxl: Move detection of autoballoon to libxl_conf
Detecting whether or not to autoballoon is configuration related,
so move the code to libxl_conf.
2013-09-03 16:43:20 -06:00
Eric Blake
11e80ddfe4 build: fix typo that broke 'make dist'
Bug introduced in commit 5c6ff42; 'make dist' fails:

make[3]: Entering directory `/home/eblake/libvirt-tmp/build3/examples/python'
make[3]: *** No rule to make target `topoology.py', needed by `distdir'.  Stop.
make[3]: Leaving directory `/home/eblake/libvirt-tmp/build3/examples/python'

* examples/python/Makefile.am (EXTRA_DIST): Spell topology right.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-09-03 16:38:29 -06:00
John Ferlan
ae83e02f3d esx_driver: Resolve Coverity RESOURCE_LEAK on error paths
New Coverity release found a couple of error paths where memory would be
leaked in an error/goto path before being properly handled.
2013-09-03 17:19:38 -04:00
John Ferlan
7f953b1909 esx_vi: Resolve Coverity RESOURCE_LEAK in error path
New coverity installation determined that the muliple if condition for
"*Alloc" and "*AppendToList" could fail during AppendToList thus leaking
memory.
2013-09-03 17:19:38 -04:00
Michal Privoznik
4471ecf669 test_virtlockd.aug.in: Use the correct file
The test should refer to Virtlockd.lns, which is the name of
the module + lens in virtlockd.aug.
2013-09-03 17:03:30 +02:00
Peter Krempa
5c6ff42254 examples: Add script to parse topology from capabilities output
Add a demo script originally written by Amador Pahim to parse topology
of the host from data provided in the capabilities XML.
2013-09-03 14:27:58 +02:00
Peter Krempa
3e29c77a26 virsh-console: Avoid using signal() in multithreaded application
Man page for signal states:

 "The effects of signal() in a multithreaded process are unspecified."

Switch signal() to sigaction in virsh console code.
2013-09-03 14:06:11 +02:00
Peter Krempa
02eaf1821c virsh: Rename vshMakeStdinRaw to vshTTYMakeRaw and move it to virsh.c
Move the function to virsh.c to the rest of the TTY managing functions
and change the code so that it mirrors the rest.
2013-09-03 14:06:11 +02:00
Peter Krempa
40f1d18fea tools: rename console.[ch] to virsh-console.[ch] and fix coding style 2013-09-03 14:06:11 +02:00
Michal Privoznik
1dc5dea7d6 qemu: Handle huge number of queues correctly
Currently, kernel supports up to 8 queues for a multiqueue tap device.
However, if user tries to enter a huge number (e.g. one million) the tap
allocation fails, as expected. But what is not expected is the log full
of warnings:

    warning : virFileClose:83 : Tried to close invalid fd 0

The problem is, upon error we iterate over an array of FDs (handlers to
queues) and VIR_FORCE_CLOSE() over each item. However, the array is
pre-filled with zeros. Hence, we repeatedly close stdin. Ouch.
But there's more. The queues allocation is done in virNetDevTapCreate()
which cleans up the FDs in case of error. Then, its caller, the
virNetDevTapCreateInBridgePort() iterates over the FD array and tries to
close them too. And so does qemuNetworkIfaceConnect() and
qemuBuildInterfaceCommandLine().
2013-09-03 13:38:35 +02:00
Ján Tomko
418137663f Fix leaks in python bindings
https://bugzilla.redhat.com/show_bug.cgi?id=1003828
2013-09-03 13:19:17 +02:00
Peter Krempa
b46c4787dd virsh-domain: Avoid killing ssh transport tunnels when cancelling job
The vshWatchJob function registers a SIGINT handler that is used to
abort the active job and does not terminate virsh. Unfortunately, this
breaks when using the ssh transport as SIGINT is sent to the foreground
process group including the ssh transport processes which terminate.
This breaks the connection and migration is left in a insane state.

With this patch the terminal is modified to ignore key binding that
sends SIGINT and does the handling manually.

Resoves: https://bugzilla.redhat.com/show_bug.cgi?id=983348
2013-09-03 09:55:27 +02:00
Peter Krempa
ebef689363 virsh: Remember terminal state when starting and add helpers
This patch adds instrumentation to allow modification of config of the
terminal in virsh and successful reset of the state afterwards.

The added helpers allow to disable receiving of SIGINT when pressing the
key sequence (Ctrl+C usualy). This normally sends SIGINT to the
foreground process group which kills ssh processes used for transport of
the data.
2013-09-03 09:55:27 +02:00
Doug Goldstein
f8456e5a18 VMX: Add cdrom-raw dev type from VMWare Fusion
According to VMWare's documentation 'cdrom-raw' is an acceptable value
for deviceType for a CD-ROM drive. The documentation states that the VMX
configuration for a CD-ROM deviceType is as follows:

ide|scsi(n):(n).deviceType = "cdrom-raw|atapi-cdrom|cdrom-image"

From the documentation it appears the following is true:
- cdrom-image = Provides the ISO to the VM
- atapi-cdrom = Provides a NEC emulated ATAPI CD-ROM on top of the host
  CD-ROM
- cdrom-raw = Passthru for a host CD-ROM drive. Allows CD-R burning from
  within the guest.

A CD-ROM prior to this patch would always provide an 'atapi-cdrom' is
modeled as:
  <disk type='block' device='cdrom'>
    <source dev='/dev/scd0'/>
    <target dev='hda' bus='ide'/>
    <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </disk>

This patch allows the 'device' attribute to be set to 'lun' for a raw
acccess CD-ROM such as:
  <disk type='block' device='lun'>
    <source dev='/dev/scd0'/>
    <target dev='hda' bus='ide'/>
    <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </disk>
2013-09-02 17:41:30 -05:00
Doug Goldstein
dba04e7fa0 VMX: Some serial ports are not actually connected
Sometimes a serial port might not be actually wired to a device when the
user does not have the VM powered on and we should not consider this a
fatal error.
2013-09-02 17:41:30 -05:00
Cole Robinson
4fa172215d qemu: Support virtio-mmio transport for virtio on ARM
Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a
hardcoded virtio-mmio transport which enables attaching all virtio
devices.

On the command line, we have to use virtio-XXX-device rather than
virtio-XXX-pci, thankfully s390 already set the precedent here so
it's fairly straight forward.

At the XML level, this adds a new device address type virtio-mmio.
The controller and addressing don't have any subelements at the
moment because we they aren't needed for this usecase, but could
be added later if needed.

Add a test case for an ARM guest with one of every virtio device
enabled.
2013-09-02 16:53:40 -04:00
Cole Robinson
54a77c6df3 qemu: Fix networking for ARM guests
Similar to the chardev bit, ARM boards depend on the old style '-net nic'
for actually instantiating net devices. But we can't block out
-netdev altogether since it's needed for upcoming virtio support.

And add tests for working ARM XML with console, disk, and networking.
2013-09-02 16:53:40 -04:00
Cole Robinson
3730353f63 domain_conf: Add disk bus=sd, wire it up for qemu
This corresponds to '-sd' and '-drive if=sd' on the qemu command line.
Needed for many ARM boards which don't provide any other way to
pass in storage.
2013-09-02 16:53:40 -04:00
Cole Robinson
68e5e93e4e qemu: Don't try to allocate PCI addresses for ARM 2013-09-02 16:53:40 -04:00
Cole Robinson
3a2beaee1d qemu: Fix specifying char devs for ARM
QEMU ARM boards don't give us any way to explicitly wire in
a -chardev, so use the old style -serial options.

Unfortunately this isn't as simple as just turning off the CHARDEV flag
for qemu-system-arm, as upcoming virtio support _will_ use device/chardev.
2013-09-02 16:53:40 -04:00
Cole Robinson
7c9617641d qemu: Don't add default memballoon device on ARM
And add test cases for a basic working ARM guest.
2013-09-02 16:53:39 -04:00
Cole Robinson
d40cde318a domain_conf: Add default memballoon in PostParse callbacks
This should be a no-op change for now.
2013-09-02 16:53:39 -04:00
Cole Robinson
a216e64872 qemu: Set QEMU_AUDIO_DRV=none with -nographic
On my machine, a guest fails to boot if it has a sound card, but not
graphical device/display is configured, because pulseaudio fails to
initialize since it can't access $HOME.

A workaround is removing the audio device, however on ARM boards there
isn't any option to do that, so -nographic always fails.

Set QEMU_AUDIO_DRV=none if no <graphics> are configured. Unfortunately
this has massive test suite fallout.

Add a qemu.conf parameter nographics_allow_host_audio, that if enabled
will pass through QEMU_AUDIO_DRV from sysconfig (similar to
vnc_allow_host_audio)
2013-09-02 16:53:39 -04:00
Guido Günther
f1f0e53b08 Pass AM_LDFLAGS to driver modules too
This gives us a RO got, otherwise Debian's lintian complains:

W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_vbox.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_xen.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
W: libvirt-sanlock: hardening-no-relro usr/lib/libvirt/lock-driver/sanlock.so
2013-09-02 19:09:17 +02:00
Guido Günther
fe502de3bc Fix AM_LDFLAGS typo 2013-09-02 19:09:15 +02:00
Fred A. Kemp
feba2febce qemu: Support setting the 'removable' flag for USB disks
Add an attribute named 'removable' to the 'target' element of disks,
which controls the removable flag. For instance, on a Linux guest it
controls the value of /sys/block/$dev/removable. This option is only
valid for USB disks (i.e. bus='usb'), and its default value is 'off',
which is the same behaviour as before.

To achieve this, 'removable=on' (or 'off') is appended to the '-device
usb-storage' parameter sent to qemu when adding a USB disk via
'-disk'. A capability flag QEMU_CAPS_USB_STORAGE_REMOVABLE was added
to keep track if this option is supported by the qemu version used.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=922495
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2013-09-02 14:45:38 +02:00
Fred A. Kemp
071249771b qemu: Add capability flag for usb-storage
Allow use of the usb-storage device only if the new capability flag
QEMU_CAPS_DEVICE_USB_STORAGE is set, which it is for qemu(-kvm)
versions >= 0.12.1.2-rhel62-beta.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2013-09-02 13:54:26 +02:00
Doug Goldstein
68b9fa6423 VMX: Create virVMXFormatDisk() from HD and CD-ROM
virVMXFormatHardDisk() and virVMXFormatCDROM() duplicated a lot of code
from each other and made a lot of nested if checks to build each part of
the VMX file. This hopefully simplifies the code path while combining
the two functions with no net difference.
2013-09-01 23:11:50 -05:00
Daniel Veillard
85240daba2 Release of libvirt-1.1.2
* configure.ac docs/news.html.in libvirt.spec.in: update for the release
* po/*.po*: merged new localizations and regenerated
2013-09-02 09:47:37 +08:00
John Ferlan
5a8352f234 qemu_hotplug: Resolve DEADCODE coverity error
Remove unused 'cgroup' variable in qemuDomainAttachDeviceDiskLive() to
resolve coverity DEADCODE complaint
2013-09-01 19:30:59 -04:00
Hongwei Bi
461b1c8b7b Fix memory leak in cmdAttachDisk
When virBufferError is ok in cmdAttachDisk, the latter
should 'goto cleanup', instead of returning a false to
prevent memory leaking.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-31 15:50:23 -06:00
Eric Blake
902d62f0d4 build: fix virtlockd file distribution
Since virtlockd is only built when libvirtd is built, we should
not install its auxiliary files unconditionally.  This solves
two failures.  1. 'make distcheck' complains:

rm -f Makefile
ERROR: files left in build directory after distclean:
./src/virtlockd.8

2. './autobuild.sh' complains:

Checking for unpackaged file(s): /usr/lib/rpm/check-files
/home/eblake/rpmbuild/BUILDROOT/mingw-libvirt-1.1.1-1.fc19.eblake1377879911.x86_64
error: Installed (but unpackaged) file(s) found:
   /usr/i686-w64-mingw32/sys-root/mingw/etc/libvirt/virtlockd.conf

/usr/i686-w64-mingw32/sys-root/mingw/share/augeas/lenses/tests/test_virtlockd.aug
   /usr/i686-w64-mingw32/sys-root/mingw/share/augeas/lenses/virtlockd.aug
   /usr/i686-w64-mingw32/sys-root/mingw/share/man/man8/virtlockd.8
   /usr/x86_64-w64-mingw32/sys-root/mingw/etc/libvirt/virtlockd.conf

/usr/x86_64-w64-mingw32/sys-root/mingw/share/augeas/lenses/tests/test_virtlockd.aug
   /usr/x86_64-w64-mingw32/sys-root/mingw/share/augeas/lenses/virtlockd.aug
   /usr/x86_64-w64-mingw32/sys-root/mingw/share/man/man8/virtlockd.8

* src/Makefile.am (CLEANFILES): Add virtlockd.8.
(man8_MANS, conf_DATA, augeas_DATA, augeastest_DATA): Only install
virtlockd files when daemon is built.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 20:45:22 -06:00
Eric Blake
cd3fa76222 build: shipped files must not depend on BUILT_SOURCES
'make distcheck' was failing with:
make[3]: Entering directory `/home/eblake/libvirt-tmp2/libvirt-1.1.1/_build/docs'
perl ../../docs/genaclperms.pl ../../src/access/viraccessperm.h > ../../docs/aclperms.htmlinc
/bin/sh: ../../docs/aclperms.htmlinc: Permission denied

when simulating the case of a user doing a VPATH build from a
read-only source tree.  The culprit?  BUILT_SOURCES are _always_
built, and so must NOT be built into srcdir and need not be part
of the tarball.  On the other hand, shipped files must never
depend on files in the builddir.  While it would be possible to
fix the problem by generating aclperms.htmlinc into builddir,
we then have the problem that we ship acl.html - we'd have to
rejigger a lot of things to not ship pre-built html.  So this
patch goes the other direction - we don't need BUILT_SOURCES,
but instead ensure that we have proper dependencies so that
all files in srcdir are up-to-date at the time the tarball is
created.  And because we ship html files in the tarball, that
implies we don't expect users to be able to rebuild them, so
we must not clean any files that would trigger a rebuild except
under the maintainer rules.

* docs/Makefile.am (BUILT_SOURCES): Delete.
(CLEANFILES): Downgrade aclperms.htmlinc cleanup...
(maintainer-clean-local): ...and move hvsupport.html.in...
(MAINTAINERCLEANFILES): ...to a maintainer action.
(hvsupport.html.in): Write into srcdir.
(hvsupport.html): Ensure files are built in order.
(aclperms.htmlinc): Honor silent make.
(EXTRA_DIST): Ship aclperms.htmlinc.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 20:45:22 -06:00
Eric Blake
f06eb52fff build: fix 'make distcheck' out of the box
With the 1.1.1 tarball, if a user does 'make && make distcheck',
things pass, but if they do 'make distcheck' after 'make clean',
there is an odd failure:

  GEN      ../../docs/devhelp/index.html
I/O error : Permission denied
I/O error : Permission denied
runtime error: file ../../docs/devhelp/devhelp.xsl line 43 element document
xsltDocumentElem: unable to save to ../../docs/devhelp/libvirt-virterror.html
I/O error : Permission denied
I/O error : Permission denied

This implies that the rules for 'make dist' are missing a
dependency - the generated documentation needs to be up-to-date
before creating the tarball, or else the tarball will be missing
files, where the end user will end up trying to rebuild files in
srcdir, and that fails when srcdir is read-only.

1.1.1 plus this patch now works without issues (other issues have
crept in to 1.1.2-rc1 that prevent 'make distcheck' from working,
but those will be cleaned up in later patches).

* docs/Makefile.am (dist-local): New dependency.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 19:36:35 -06:00
Eric Blake
b9189c808b build: only create virt-login-shell for lxc builds
I noticed from an ./autobuild.sh run that we were installing a
virt-login-shell.exe binary when cross-building for mingw,
even though such a binary is necessarily worthless since the
code depends on lxc which is a Linux-only concept.

* tools/Makefile.am (conf_DATA, bin_PROGRAMS, dist_man1_MANS):
Make virt-login-shell installation conditional.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 14:00:56 -06:00
Cole Robinson
d962318c4f qemu: Only setup vhost if virtType == "kvm"
vhost only works in KVM mode at the moment, and is infact compiled
out if the emulator is built for non-native architecture. While it
may work at some point in the future for plain qemu, for now it's
just noise on the command line (and which contributes to arm cli
breakage).
2013-08-30 12:15:07 -04:00
Guido Günther
3e32544854 Process virtlockd.conf instead of libvirtd.conf 2013-08-30 17:37:12 +02:00
Daniel P. Berrange
dbd2bc8c8b Change way we fake dbus method calls
Ubuntu libdbus.so links with -Bsymbolic-functions, which means
that we can only LD_PRELOAD functions that we directly call.
Functions which libdbus.so calls internally can not be replaced.
Thus we cannot use dbus_message_new_error or dbus_message_new_method_return

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-30 14:23:32 +01:00
Eric Blake
dd3688e4d1 random: don't mix RAND_MAX with random_r
FreeBSD 10 recently changed their definition of RAND_MAX, to try
and cover the fact that their evenly distributed results of rand()
really are a smaller range than a full power of 2.  As a result,
I did some investigation, and learned:

1. POSIX requires random() to be evenly distributed across exactly
31 bits.  glibc also guarantees this for rand(), but the two are
unrelated, and POSIX only associates RAND_MAX with rand().
Avoiding RAND_MAX altogether thus avoids a build failure on
FreeBSD 10.

2. Concatenating random bits from a PRNG will NOT provide uniform
coverage over the larger value UNLESS the period of the original
PRNG is at least as large as the number of bits being concatenated.
Simple example: suppose that RAND_MAX were 1 with a period of 2**1
(which means that the PRNG merely alternates between 0 and 1).
Concatenating two successive rand() calls would then invariably
result in 01 or 10, which is a rather non-uniform distribution
(00 and 11 are impossible) and an even worse period (2**0, since
our second attempt will get the same number as our first attempt).
But a RAND_MAX of 1 with a period of 2**2 (alternating between
0, 1, 1, 0) provides sane coverage of all four values, if properly
tempered.  (Back-to-back calls would still only see half the values
if we don't do some tempering).  We therefore want to guarantee a
period of at least 2**64, preferably larger (as a tempering factor);
POSIX only makes this guarantee for random() with 256 bytes of info.

* src/util/virrandom.c (virRandomBits): Use constants that are
accurate for the PRNG we are using, not an unrelated PRNG.
(randomState): Ensure the period of our PRNG exceeds our usage.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 06:24:28 -06:00
Peter Krempa
8c725cc10d virsh-domain: rename print_job_progress to vshPrintJobProgress 2013-08-30 09:38:51 +02:00
Eric Blake
745aa55fbf security: provide supplemental groups even when parsing label (CVE-2013-4291)
Commit 29fe5d7 (released in 1.1.1) introduced a latent problem
for any caller of virSecurityManagerSetProcessLabel and where
the domain already had a uid:gid label to be parsed.  Such a
setup would collect the list of supplementary groups during
virSecurityManagerPreFork, but then ignores that information,
and thus fails to call setgroups() to adjust the supplementary
groups of the process.

Upstream does not use virSecurityManagerSetProcessLabel for
qemu (it uses virSecurityManagerSetChildProcessLabel instead),
so this problem remained latent until backporting the initial
commit into v0.10.2-maint (commit c061ff5, released in 0.10.2.7),
where virSecurityManagerSetChildProcessLabel has not been
backported.  As a result of using a different code path in the
backport, attempts to start a qemu domain that runs as qemu:qemu
will end up with supplementary groups unchanged from the libvirtd
parent process, rather than the desired supplementary groups of
the qemu user.  This can lead to failure to start a domain
(typical Fedora setup assigns user 107 'qemu' to both group 107
'qemu' and group 36 'kvm', so a disk image that is only readable
under kvm group rights is locked out).  Worse, it is a security
hole (the qemu process will inherit supplemental group rights
from the parent libvirtd process, which means it has access
rights to files owned by group 0 even when such files should
not normally be visible to user qemu).

LXC does not use the DAC security driver, so it is not vulnerable
at this time.  Still, it is better to plug the latent hole on
the master branch first, before cherry-picking it to the only
vulnerable branch v0.10.2-maint.

* src/security/security_dac.c (virSecurityDACGetIds): Always populate
groups and ngroups, rather than only when no label is parsed.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-29 08:43:03 -06:00
Daniel P. Berrange
a4d1cfdc59 Prohibit unbounded arrays in XDR protocols
The use of <> is a security issue for RPC parameters, since a
malicious client can set a huge array length causing arbitrary
memory allocation in the daemon.

It is also a robustness issue for RPC return values, because if
the stream is corrupted, it can cause the client to also allocate
arbitrary memory.

Use a syntax-check rule to prohibit any use of <>

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00