Commit Graph

279 Commits

Author SHA1 Message Date
Ján Tomko
60555fb8ed Indent top-level labels by one space in daemon/ 2014-03-25 14:58:38 +01:00
Eric Blake
e7708a1c47 qemu: wire up RPC for qemu monitor events
These are the first async events in the qemu protocol, so this
patch looks rather big compared to most RPC additions.  However,
a large majority of this patch is just mechanical copy-and-paste
from recently-added network events.  It didn't help that this
is also the first virConnect rather than virDomain prefix
associated with a qemu-specific API.

* src/remote/qemu_protocol.x (qemu_*_domain_monitor_event_*): New
structs and RPC messages.
* src/rpc/gendispatch.pl: Adjust naming conventions.
* daemon/libvirtd.h (daemonClientPrivate): Track qemu events.
* daemon/remote.c (remoteClientFreeFunc): Likewise.
(remoteRelayDomainQemuMonitorEvent)
(qemuDispatchConnectDomainMonitorEventRegister)
(qemuDispatchConnectDomainMonitorEventDeregister): New functions.
* src/remote/remote_driver.c (qemuEvents): Handle qemu events.
(doRemoteOpen): Register for events.
(remoteNetworkBuildEventLifecycle)
(remoteConnectDomainQemuMonitorEventRegister)
(remoteConnectDomainQemuMonitorEventDeregister): New functions.
* src/qemu_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-20 11:25:37 -06:00
Daniel P. Berrange
2835c1e730 Add virLogSource variables to all source files
Any source file which calls the logging APIs now needs
to have a VIR_LOG_INIT("source.name") declaration at
the start of the file. This provides a static variable
of the virLogSource type.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Daniel P. Berrange
b29275d928 Move dtrace probe macros into separate header file
The dtrace probe macros rely on the logging API. We can't make
the internal.h header include the virlog.h header though since
that'd be a circular include. Instead simply split the dtrace
probes into their own header file, since there's no compelling
reason for them to be in the main internal.h header.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:21 +00:00
Michal Privoznik
4015396b2c virNetServer: Introduce unauth clients counter
The counter gets incremented on each unauthenticated client added to the
server and decremented whenever the client authenticates.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-03-17 17:37:42 +01:00
Eric Blake
b9dd878ff8 util: make it easier to grab only regular command exit
Auditing all callers of virCommandRun and virCommandWait that
passed a non-NULL pointer for exit status turned up some
interesting observations.  Many callers were merely passing
a pointer to avoid the overall command dying, but without
caring what the exit status was - but these callers would
be better off treating a child death by signal as an abnormal
exit.  Other callers were actually acting on the status, but
not all of them remembered to filter by WIFEXITED and convert
with WEXITSTATUS; depending on the platform, this can result
in a status being reported as 256 times too big.  And among
those that correctly parse the output, it gets rather verbose.
Finally, there were the callers that explicitly checked that
the status was 0, and gave their own message, but with fewer
details than what virCommand gives for free.

So the best idea is to move the complexity out of callers and
into virCommand - by default, we return the actual exit status
already cleaned through WEXITSTATUS and treat signals as a
failed command; but the few callers that care can ask for raw
status and act on it themselves.

* src/util/vircommand.h (virCommandRawStatus): New prototype.
* src/libvirt_private.syms (util/command.h): Export it.
* docs/internals/command.html.in: Document it.
* src/util/vircommand.c (virCommandRawStatus): New function.
(virCommandWait): Adjust semantics.
* tests/commandtest.c (test1): Test it.
* daemon/remote.c (remoteDispatchAuthPolkit): Adjust callers.
* src/access/viraccessdriverpolkit.c (virAccessDriverPolkitCheck):
Likewise.
* src/fdstream.c (virFDStreamCloseInt): Likewise.
* src/lxc/lxc_process.c (virLXCProcessStart): Likewise.
* src/qemu/qemu_command.c (qemuCreateInBridgePortWithHelper):
Likewise.
* src/xen/xen_driver.c (xenUnifiedXendProbe): Simplify.
* tests/reconnect.c (mymain): Likewise.
* tests/statstest.c (mymain): Likewise.
* src/bhyve/bhyve_process.c (virBhyveProcessStart)
(virBhyveProcessStop): Don't overwrite virCommand error.
* src/libvirt.c (virConnectAuthGainPolkit): Likewise.
* src/openvz/openvz_driver.c (openvzDomainGetBarrierLimit)
(openvzDomainSetBarrierLimit): Likewise.
* src/util/virebtables.c (virEbTablesOnceInit): Likewise.
* src/util/viriptables.c (virIpTablesOnceInit): Likewise.
* src/util/virnetdevveth.c (virNetDevVethCreate): Fix debug
message.
* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Add comment.
* src/storage/storage_backend_iscsi.c
(virStorageBackendISCSINodeUpdate): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-03 12:40:32 -07:00
Eric Blake
6831c1d327 event: pass reason for PM events
Commit 57ddcc23 (v0.9.11) introduced the pmwakeup event, with
an optional 'reason' field reserved for possible future expansion.
But it failed to wire the field through RPC, so even if we do
add a reason in the future, we will be unable to get it back
to the user.

Worse, commit 7ba5defb (v1.0.0) repeated the same mistake with
the pmsuspend_disk event.

As long as we are adding new RPC calls, we might as well fix
the events to actually match the signature so that we don't have
to add yet another RPC in the future if we do decide to start
using the reason field.

* src/remote/remote_protocol.x
(remote_domain_event_callback_pmwakeup_msg)
(remote_domain_event_callback_pmsuspend_msg)
(remote_domain_event_callback_pmsuspend_disk_msg): Add reason
field.
* daemon/remote.c (remoteRelayDomainEventPMWakeup)
(remoteRelayDomainEventPMSuspend)
(remoteRelayDomainEventPMSuspendDisk): Pass reason to client.
* src/conf/domain_event.h (virDomainEventPMWakeupNewFromDom)
(virDomainEventPMSuspendNewFromDom)
(virDomainEventPMSuspendDiskNewFromDom): Require additional
parameter.
* src/conf/domain_event.c (virDomainEventPMClass): New class.
(virDomainEventPMDispose): New function.
(virDomainEventPMWakeupNew*, virDomainEventPMSuspendNew*)
(virDomainEventPMSuspendDiskNew*)
(virDomainEventDispatchDefaultFunc): Use new class.
* src/remote/remote_driver.c (remoteDomainBuildEvent*PM*): Pass
reason through.
* src/remote_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-02-12 10:48:16 -07:00
Eric Blake
158795d20e event: convert remaining domain events to new style
Following the patterns established by lifecycle events, this
creates all the new RPC calls needed to pass callback IDs
for every domain event, and changes the limits in client and
server codes to use modern style when possible.

I've tested all combinations: both 'old client and new server'
and 'new client and old server' continue to work with the old
RPCs, and 'new client and new server' benefit from server-side
filtering with the new RPCs.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_EVENT_*): Add
REMOTE_PROC_DOMAIN_EVENT_CALLBACK_* counterparts.
* daemon/remote.c (remoteRelayDomainEvent*): Send callbackID via
newer RPC when used with new-style registration.
(remoteDispatchConnectDomainEventCallbackRegisterAny): Extend to
cover all domain events.
* src/remote/remote_driver.c (remoteDomainBuildEvent*): Add new
Callback and Helper functions.
(remoteEvents): Match order of RPC numbers, register new handlers.
(remoteConnectDomainEventRegisterAny)
(remoteConnectDomainEventDeregisterAny): Extend to cover all
domain events.
* src/remote_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-02-12 10:48:16 -07:00
Eric Blake
0372295770 event: server RPC protocol tweaks for domain lifecycle events
This patch adds some new RPC call numbers, but for ease of review,
they sit idle until a later patch adds the client counterpart to
drive the new RPCs.  Also for ease of review, I limited this patch
to just the lifecycle event; although converting the remaining
15 domain events will be quite mechanical.  On the server side,
we have to have a function per RPC call, largely with duplicated
bodies (the key difference being that we store in our callback
opaque pointer whether events should be fired with old or new
style); meanwhile, a single function can drive multiple RPC
messages.  With a strategic choice of XDR struct layout, we can
make the event generation code for both styles fairly compact.

I debated about adding a tri-state witness variable per
connection (values 'unknown', 'legacy', 'modern').  It would start
as 'unknown', move to 'legacy' if any RPC call is made to a legacy
event call, and move to 'modern' if the feature probe is made;
then the event code could issue an error if the witness state is
incorrect (a legacy RPC call while in 'modern', a modern RPC call
while in 'unknown' or 'legacy', and a feature probe while in
'legacy' or 'modern').  But while it might prevent odd behavior
caused by protocol fuzzing, I don't see that it would prevent
any security holes, so I considered it bloat.

Note that sticking @acl markers on the new RPCs generates unused
functions in access/viraccessapicheck.c, because there is no new
API call that needs to use the new checks; however, having a
consistent .x file is worth the dead code.

* src/libvirt_internal.h (VIR_DRV_FEATURE_REMOTE_EVENT_CALLBACK):
New feature.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_REGISTER_ANY)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_DEREGISTER_ANY)
(REMOTE_PROC_DOMAIN_EVENT_CALLBACK_LIFECYCLE): New RPCs.
* daemon/remote.c (daemonClientCallback): Add field.
(remoteDispatchConnectDomainEventCallbackRegisterAny)
(remoteDispatchConnectDomainEventCallbackDeregisterAny): New
functions.
(remoteDispatchConnectDomainEventRegisterAny)
(remoteDispatchConnectDomainEventDeregisterAny): Mark legacy use.
(remoteRelayDomainEventLifecycle): Change message based on legacy
or new use.
(remoteDispatchConnectSupportsFeature): Advertise new feature.
* src/remote_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-02-12 10:48:15 -07:00
Eric Blake
047fd2e83e event: dynamically manage server-side RPC domain events
This patch continues the earlier conversion made for network
events, with a goal of introducing server-side event filtering
in a later patch.  Actual behavior is unchanged without
further RPC changes.

* daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
domain events.
* daemon/remote.c (remoteClientInitHook, remoteClientFreeFunc)
(remoteRelayDomainEvent*)
(remoteDispatchConnectDomainEventRegister)
(remoteDispatchConnectDomainEventRegisterAny): Track domain
callbacks dynamically.
2014-02-12 10:48:15 -07:00
Eric Blake
11f20e43f1 event: move event filtering to daemon (regression fix)
https://bugzilla.redhat.com/show_bug.cgi?id=1058839

Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
need to check the ACL rules to filter which events to send.  But
it overlooked one thing: the event dispatch queue is running in
the main loop thread, and therefore does not normally have a
current virIdentityPtr.  But filter checks can be based on current
identity, so when libvirtd.conf contains access_drivers=["polkit"],
we ended up rejecting access for EVERY event due to failure to
look up the current identity, even if it should have been allowed.

Furthermore, even for events that are triggered by API calls, it
is important to remember that the point of events is that they can
be copied across multiple connections, which may have separate
identities and permissions.  So even if events were dispatched
from a context where we have an identity, we must change to the
correct identity of the connection that will be receiving the
event, rather than basing a decision on the context that triggered
the event, when deciding whether to filter an event to a
particular connection.

If there were an easy way to get from virConnectPtr to the
appropriate virIdentityPtr, then object_event.c could adjust the
identity prior to checking whether to dispatch an event.  But
setting up that back-reference is a bit invasive.  Instead, it
is easier to delay the filtering check until lower down the
stack, at the point where we have direct access to the RPC
client object that owns an identity.  As such, this patch ends
up reverting a large portion of the framework of commit f9f56340.
We also have to teach 'make check' to special-case the fact that
the event registration filtering is done at the point of dispatch,
rather than the point of registration.  Note that even though we
don't actually use virConnectDomainEventRegisterCheckACL (because
the RegisterAny variant is sufficient), we still generate the
function for the purposes of documenting that the filtering
takes place.

Also note that I did not entirely delete the notion of a filter
from object_event.c; I still plan on using that for my upcoming
patch series for qemu monitor events in libvirt-qemu.so.  In
other words, while this patch changes ACL filtering to live in
remote.c and therefore we have no current client of the filtering
in object_event.c, the notion of filtering in object_event.c is
still useful down the road.

* src/check-aclrules.pl: Exempt event registration from having to
pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL)
(remoteRelayNetworkEventCheckACL): New functions.
(remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused
function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-02-05 08:03:31 -07:00
Eric Blake
8d9d098b6d event: wire up RPC for server-side network event filtering
We haven't had a release with network events yet, so we are free
to fix the RPC so that it actually does what we want.  Doing
client-side filtering of per-network events is inefficient if a
connection is only interested in events on a single network out
of hundreds available on the server.  But to do server-side
per-network filtering, the server needs to know which network
to filter on - so we need to pass an optional network over on
registration.  Furthermore, it is possible to have a client with
both a global and per-network filter; in the existing code, the
server sends only one event and the client replicates to both
callbacks.  But with server-side filtering, the server will send
the event twice, so we need a way for the client to know which
callbackID is sending an event, to ensure that the client can
filter out events from a registration that does not match the
callbackID from the server.  Likewise, the existing style of
deregistering by eventID alone is fine; but in the new style,
we have to remember which callbackID to delete.

This patch fixes the RPC wire definition to contain all the
needed pieces of information, and hooks into the server and
client side improvements of the previous patches, in order to
switch over to full server-side filtering of network events.
Also, since we fixed this in time, all released versions of
libvirtd that support network events also support per-network
filtering, so we can hard-code that assumption into
network_event.c.

Converting domain events to server-side filtering will require
the introduction of new RPC numbers, as well as a server
feature bit that the client can use to tell whether to use
old-style (server only supports global events) or new-style
(server supports filtered events), so that is deferred to a
later set of patches.

* src/conf/network_event.c (virNetworkEventStateRegisterClient):
Assume server-side filtering.
* src/remote/remote_protocol.x
(remote_connect_network_event_register_any_args): Add network
argument.
(remote_connect_network_event_register_any_ret): Return callbackID
instead of count.
(remote_connect_network_event_deregister_any_args): Pass
callbackID instead of eventID.
(remote_connect_network_event_deregister_any_ret): Drop unused
type.
(remote_network_event_lifecycle_msg): Add callbackID.
* daemon/remote.c
(remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg,
and deal with callbackID from client.
(remoteRelayNetworkEventLifecycle): Pass callbackID.
(remoteDispatchConnectNetworkEventRegisterAny): Likewise, and
recognize non-NULL network.
* src/remote/remote_driver.c
(remoteConnectNetworkEventRegisterAny): Pass network, and track
server side id.
(remoteConnectNetworkEventDeregisterAny): Deregister by callback id.
(remoteNetworkBuildEventLifecycle): Pass remote id to event queue.
* src/remote_protocol-structs: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:21 -07:00
Eric Blake
b9d14ef03b event: track callbackID on daemon side of RPC
Right now, the daemon side of RPC events is hard-coded to at most
one callback per eventID.  But when there are hundreds of domains
or networks coupled and multiple conections, then sending every
event to every connection that wants an event, even for the
connections that only care about events for a particular object,
is inefficient.  In order to track more than one callback in the
server, we need to store callbacks by more than just their
eventID.  This patch rearranges the daemon side to store network
callbacks in a dynamic array, which can eventually be used for
multiple callbacks of the same eventID, although actual behavior
is unchanged without further patches to the RPC protocol.  For
ease of review, domain events are saved for a later patch, as
they touch more code.

While at it, fix a bug where a malicious client could send a
negative eventID to cause network event registration to access
outside of array bounds (thankfully not a CVE, since domain
events were already doing the bounds check, and since network
events have not been released).

* daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
network events.
* daemon/remote.c (daemonClientEventCallback): New struct.
(remoteEventCallbackFree): New function.
(remoteClientInitHook, remoteRelayNetworkEventLifecycle)
(remoteClientFreeFunc)
(remoteDispatchConnectNetworkEventRegisterAny): Track network
callbacks differently.
(remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:20 -07:00
Cédric Bosdonnat
61ac8ce0a9 Add network events to the remote driver 2013-12-11 13:26:25 +00:00
Cédric Bosdonnat
008e877779 daemon/remote.c: renamed remoteDispatchDomainEventSend
into remoteDispatchObjectEventSend as it will later be used for both
the domain and network events.
2013-12-10 13:12:58 +00:00
Chen Hanxiao
8ebd3d8892 daemon: don't free domain if it's null
If we fail to get domain, we had to judge whether
it's null or not when doing 'cleanup'.

Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
2013-10-18 07:41:34 +02:00
Daniel P. Berrange
8294aa0c17 Fix crash in libvirtd when events are registered & ACLs active
When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API

  virConnectDomainEventDeregisterAny

This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.

This can be triggered by any client with readonly access when
the ACL drivers are active.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-09-27 16:42:29 +01:00
Giuseppe Scrivano
fd69544965 virConnectGetCPUModelNames: implement the remote protocol
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-09-23 15:50:35 -06:00
Jiri Denemark
604ae65744 daemon: Avoid dead code in polkit auth 2013-09-20 11:23:01 +02:00
Daniel P. Berrange
e7f400a110 Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-09-18 12:41:14 -06:00
Daniel P. Berrange
922b7fda77 Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.

To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.

This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'

Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-09-18 15:13:42 +01:00
Nehal J Wani
de2eb66a9b Fix coding style issues in daemon/remote.c
Fixes for argument layouts of various functions in daemon/remote.c
2013-09-04 18:09:06 +08:00
Daniel P. Berrange
47fb5672f2 Add bounds checking on virConnectListAllSecrets RPC call
The return values for the virConnectListAllSecrets call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
12034511a1 Add bounds checking on virConnectListAllNWFilters RPC call
The return values for the virConnectListAllNWFilters call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
1dcff6a7ea Add bounds checking on virConnectListAllNodeDevices RPC call
The return values for the virConnectListAllNodeDevices call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
8be2172897 Add bounds checking on virConnectListAllInterfaces RPC call
The return values for the virConnectListAllInterfaces call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
174f7dd5ba Add bounds checking on virConnectListAllNetworks RPC call
The return values for the virConnectListAllNetworks call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
046acaf37b Add bounds checking on virStoragePoolListAllVolumes RPC call
The return values for the virStoragePoolListAllVolumes call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
c853fa8feb Add bounds checking on virConnectListAllStoragePools RPC call
The return values for the virConnectListAllStoragePools call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
9e97128ba5 Add bounds checking on virConnectListAllDomains RPC call
The return values for the virConnectListAllDomains call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
a43d4f543c Add bounds checking on virDomain{SnapshotListAllChildren,ListAllSnapshots} RPC calls
The return values for the virDomain{SnapshotListAllChildren,ListAllSnapshots}
calls were not bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
6d7d0b1869 Add bounds checking on virDomainGetJobStats RPC call
The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
fd6f6a4861 Add bounds checking on virDomainMigrate*Params RPC calls (CVE-2013-4292)
The parameters for the virDomainMigrate*Params RPC calls were
not bounds checks, meaning a malicious client can cause libvirtd
to consume arbitrary memory

This issue was introduced in the 1.1.0 release of libvirt

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Jiri Denemark
4421e257dd Add VIR_DOMAIN_EVENT_ID_DEVICE_REMOVED event 2013-07-18 15:28:45 +02:00
Daniel P. Berrange
bfd663ef97 Introduce remote protocol support for virDomainCreate{XML}WithFiles
Since they make use of file descriptor passing, the remote protocol
methods for virDomainCreate{XML}WithFiles must be written by hand.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-18 11:01:49 +01:00
Daniel P. Berrange
483246f2e1 Convert 'int i' to 'size_t i' in daemon/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-10 10:23:10 +01:00
Michal Privoznik
1b3e1d3ba5 Adapt to VIR_ALLOC and virAsprintf in daemon/* 2013-07-10 11:07:31 +02:00
Jiri Denemark
c0762b6518 New internal migration APIs with extensible parameters
This patch implements extensible variants of all internal migration APIs
used for v3 migration.
2013-06-25 01:13:16 +02:00
Eric Blake
f43bb1dc20 build: cast [ug]id_t when printing
This is a recurring problem for cygwin :)
For example, see commit 23a4df88.

qemu/qemu_driver.c: In function 'qemuStateInitialize':
qemu/qemu_driver.c:691:13: error: format '%d' expects type 'int', but argument 8 has type 'uid_t' [-Wformat]

* src/qemu/qemu_driver.c (qemuStateInitialize): Add casts.
* daemon/remote.c (remoteDispatchAuthList): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-30 10:36:16 -06:00
Osier Yang
e25ca77303 daemon: Remove the whitespace before ";" 2013-05-21 23:41:45 +08:00
Ján Tomko
ca697e90d5 daemon: fix leak after listing all volumes
CVE-2013-1962

remoteDispatchStoragePoolListAllVolumes wasn't freeing the pool.
The pool also held a reference to the connection, preventing it from
getting freed and closing the netcf interface driver, which held two
sockets open.
2013-05-16 15:59:37 +02:00
Jim Fehlig
442eb2ba29 build: fix build with old polkit0
Commit 979e9c56 missed one case of providing the timestamp
parameter to virNetServerClientGetUNIXIdentity() when WITH_POLKIT0
is defined.
2013-05-09 09:53:42 -06:00
Daniel P. Berrange
979e9c56a7 Include process start time when doing polkit checks
Since PIDs can be reused, polkit prefers to be given
a (PID,start time) pair. If given a PID on its own,
it will attempt to lookup the start time in /proc/pid/stat,
though this is subject to races.

It is safer if the client app resolves the PID start
time itself, because as long as the app has the client
socket open, the client PID won't be reused.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-08 10:47:45 +01:00
Michal Privoznik
a54434f4ba Adapt to VIR_STRDUP and VIR_STRNDUP in daemon/* 2013-05-05 12:17:12 +02:00
Daniel P. Berrange
329b7602a1 More paranoid initialization of 'nparams' variable in dispatch code
Since the 'nparams' variable passed to virTypedParametersFree is
supposed to represent the size of the 'params' array, it is bad
practice to initialize it to a non-zero value, until the array
has been allocated.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-03 10:29:07 +01:00
Michal Privoznik
7c9a2d88cd virutil: Move string related functions to virstring.c
The source code base needs to be adapted as well. Some files
include virutil.h just for the string related functions (here,
the include is substituted to match the new file), some include
virutil.h without any need (here, the include is removed), and
some require both.
2013-05-02 16:56:55 +02:00
Daniel P. Berrange
abe038cfc0 Extend previous check to validate driver struct field names
Ensure that the driver struct field names match the public
API names. For an API virXXXX we must have a driver struct
field xXXXX. ie strip the leading 'vir' and lowercase any
leading uppercase letters.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-24 10:59:53 +01:00
Daniel P. Berrange
bb03636827 Make naming of remote procedures match API names exactly
A number of the remote procedure names did not match the
corresponding API names. For example, many lacked the
word 'CONNECT', others re-arranged the names. Update the
procedures so their names exactly match the API names.
Then remove the special case handling of these APIs in
the generator

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-24 10:33:10 +01:00
Osier Yang
1d69c6334b syntax-check: Don't include public headers in internal source
Directories python/tools/examples should include them in <> form,
though this patch allows "" form in these directories by excluding
them, a later patch will do the cleanup.
2013-04-18 11:24:46 +08:00
Daniel P. Berrange
be27de6e8d Remove hack using existance of an 'identity' string to disable auth
Currently the server determines whether authentication of clients
is complete, by checking whether an identity is set. This patch
removes that lame hack and replaces it with an explicit method
for changing the client auth code

* daemon/remote.c: Update for new APis
* src/libvirt_private.syms, src/rpc/virnetserverclient.c,
  src/rpc/virnetserverclient.h: Remove virNetServerClientGetIdentity
  and virNetServerClientSetIdentity, adding a new method
  virNetServerClientSetAuth.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-12 18:07:17 +00:00