105 Commits

Author SHA1 Message Date
Michal Privoznik
7bf3c13d9c tools: Disable virt-login-shell on mingw
So, after bec787ee9d we are building virt-login-shell
independent of LXC driver. This is nice, but the binary is
enabled by default which makes no sense on mingw. In fact, it
triggers some compilation errors there:

  CC       virt_login_shell-virt-login-shell.o
../../tools/virt-login-shell.c: In function 'main':
../../tools/virt-login-shell.c:289:15: error: implicit declaration of function 'sysconf' [-Werror=implicit-function-declaration]
     openmax = sysconf(_SC_OPEN_MAX);
               ^
../../tools/virt-login-shell.c:289:5: error: nested extern declaration of 'sysconf' [-Werror=nested-externs]
     openmax = sysconf(_SC_OPEN_MAX);
     ^
../../tools/virt-login-shell.c:289:23: error: '_SC_OPEN_MAX' undeclared (first use in this function)
     openmax = sysconf(_SC_OPEN_MAX);
                       ^
../../tools/virt-login-shell.c:289:23: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors

While we could work around the sysconf(_SC_OPEN_MAX) issue, the binary
itself makes no sense on systems where no LXC can be spawned.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-12-24 18:03:50 +01:00
Cédric Bosdonnat
bec787ee9d Allow building lxc without virt-login-shell
Add a configure option to disable virt-login-shell build even if lxc is
enabled.
2015-12-17 15:49:06 +01:00
Michal Privoznik
bd3e16a3cf locking: Add io_timeout to sanlock
https://bugzilla.redhat.com/show_bug.cgi?id=1251190

So, if domain loses access to storage, sanlock tries to kill it
after some timeout. So far, the default is 80 seconds. But for
some scenarios this might not be enough. We should allow users to
adjust the timeout according to their needs.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-11-18 10:56:56 +01:00
Michal Privoznik
7c8250d765 wireshark: Install to generic plugin directory
There has been a report on the list [1] that we are not
installing the wireshark dissector into the correct plugin
directory. And in fact we are not. The problem is, the plugin
directory path is constructed at compile time. However, it's
dependent on the wireshark version, e.g.

  /usr/lib/wireshark/plugins/1.12.6

This is rather unfortunate, because if libvirt RPMs were built
with one version, but installed on a system with newer one, the
plugins are not really loaded. This problem led Fedora packagers
to unify plugin path to:

  /usr/lib/wireshark/plugins/

Cool! But this was enabled just in wireshark-1.12.6-4. Therefore,
we must require at least that version.

And while at it, on some distributions, the wireshark.pc file
already has a variable that defines where plugin dir is. Use that
if possible.

1: https://www.redhat.com/archives/libvirt-users/2015-October/msg00063.html

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-29 13:55:06 +01:00
Michal Privoznik
541a99cc8a virt-driver-vz: Require parallels-7.0.22 at least
With the latest patch to the vz driver (7d73ca06ce) I was
getting some compilation errors. It turned out, my installation
of the parallels SDK was not as fresh as it could be. Parallels
installed in my system were missing the
PRL_USE_VNET_NAME_FOR_BRIDGE_NAME symbol which simply was not
introduced at the time I was installing the SDK. The symbol was
introduced in 86e62a5d which was then part of the 7.0.22 release.
Require that version at least therefore.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-07-13 19:46:10 +03:00
Michal Privoznik
09040915c5 configure: Move Virtuozzo checks to a specific module
Eventually, every driver will be moved to a special module.
But for today the winner is Virtuozzo driver.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-07-13 19:46:10 +03:00
Eric Blake
3502f79198 maint: update to latest gnulib
Time to update to new gnulib before a release.

gcc 5.1 introduced a new -Wformat-signedness, and new gnulib now
turns it on by default.  However, it is still rather lame at the
moment, because it warns for enums, even though there is no way
to control the signedness of an enum which does not use any members
that are negative or larger than INT_MAX, and even though such an
enum would always print the same for both %d and %u:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66249

In file included from ../../src/util/virarch.c:26:0:
../../src/util/virarch.c: In function 'virArchFromHost':
../../src/util/virarch.c:180:15: error: format '%d' expects argument of type 'int', but argument 9 has type 'unsigned int' [-Werror=format=]
     VIR_DEBUG("Mapped %s to %d (%s)",

So this patch turns off the new warning as part of enabling all
other new gcc 5.1 warnings that gnulib now enables.

* .gnulib: Update to latest, in part for gcc 5.1 interaction.
* m4/virt-compile-warnings.m4: Ignore -Wformat-signedness, for now.

Signed-off-by: Eric Blake <eblake@redhat.com>
2015-05-26 10:53:12 -06:00
Roman Bogorodskiy
97e70a5935 maint: extend PIE support check
GCC installed from FreeBSD ports doesn't support building PIE executables
and fails with:

/usr/local/bin/ld: /usr/lib/crt1.o: relocation R_X86_64_32 against
`_DYNAMIC' can not be used when making a shared object; recompile with
-fPIC
/usr/lib/crt1.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status

However, the configure check for '-fPIC -DPIC' doesn't catch that. In
order to catch this case, add '-pie' to CFLAGS in m4/virt-compile-pie.m4
so it could detect lack of PIE support at configure time and not fail
the build.
2015-05-11 20:08:47 +03:00
Pavel Hrdina
373973206a rpm-build: use pkg-config to detect wireshark presence
Wireshark supports pkg-config since 1.11.3.  Right now we build
wireshark-dissector tool as default through rpm build only on
fedora >= 21 and there is new wireshark that supports pkg-config.
If someone wants to build libvirt with wireshark-dissector against old
wireshark, they should specify the location by hand.

This patch is mainly to fix wrong dependency on wireshark binary as it
doesn't make sense to require that binary file to just get version info
of that package in makefile.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2015-03-16 22:58:54 +01:00
Daniel P. Berrange
87fa184910 Conditionalize use of -Wno-suggest-attribute=format pragma
Many GCC versions don't understand -Wno-suggest-attribute=format
so the pragma must only be used when supported
2015-01-16 17:12:27 +00:00
Daniel P. Berrange
a93a3b975c avoid using deprecated udev logging functions
In systemd >= 218, the udev_set_log_fn method has been marked
deprecated and turned into a no-op. Nothing in the udev client
library will print to stderr by default anymore, so we can
just stop installing a logging hook for new enough udev.
2014-12-15 18:08:45 +00:00
Eric Blake
c0e7022161 build: fix build with older dbus headers
Compilation on a RHEL 5 host failed, due to the older dbus headers
present on that machine, and triggered by commit 2aa167ca:

util/virdbus.c: In function 'virDBusMessageIterDecode':
util/virdbus.c:952: error: 'DBusBasicValue' undeclared (first use in this function)

* m4/virt-dbus.m4 (LIBVIRT_CHECK_DBUS): Check for DBusBasicValue.
* src/util/virdbuspriv.h (DBusBasicValue): Provide fallback.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-11-20 06:41:53 -07:00
Ján Tomko
046a441f3d build: prefer -fstack-protector-strong to -all
Try -fstack-protector-strong first on Linux. If that fails,
fall back to -fstack-protector-all.
2014-06-12 08:16:03 +02:00
Ján Tomko
5567baa973 build: remove ssp-buffer-size
This option only makes sense for -fstack-protector.
With -fstack-protector-all or -fstack-protector-strong,
functions are protected regardless of buffer size.

https://bugzilla.redhat.com/show_bug.cgi?id=1105456
2014-06-12 08:16:03 +02:00
Ján Tomko
fa3519cbe5 build: remove duplicit warning suppression
These warnings have already been added to $dontwarn.
2014-06-12 08:15:54 +02:00
Peter Krempa
df01390afc m4: bhyve: Fix check for the required bhyve programs
bhyveload and bhyvectl wouldn't be checked otherwise as the configure
script wouldn't execute one of the tests:

checking for bhyve... /usr/local/sbin/bhyve
checking for bhyvectl... /usr/local/sbin/bhyvectl
checking for bhyveload... /usr/local/sbin/bhyveload
./configure: line 62602: test: too many arguments

Fix the shell statement testing the 3 binaries.
2014-06-09 09:40:25 +02:00
Michal Privoznik
9e0cbcd888 virnuma: Check for numa_bitmask_isbitset presence
On some systems, libnuma can be present but it's so ancient that
it misses some symbols that virNumaGetDistances() needs. To be
more precise: numa_bitmask_isbitset() and numa_nodes_ptr are the
symbols in question. Fortunately, they were both introduced in
the same release so it's sufficient for us to check for only one
of them. And the winner is numa_bitmask_isbitset().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-06-04 16:06:51 +02:00
Eric Blake
5fa10f3208 maint: fix typo in previous patch
Use correct variable name.

* m4/virt-selinux.m4: Fix one last variable name.
2014-05-28 20:01:57 -06:00
Jim Fehlig
b109c09765 maint: cleanup detection of const'ness of selinux ctx
Commit 292d3f2d fixed the build with libselinux 2.3, but missed
some suggestions by eblake

https://www.redhat.com/archives/libvir-list/2014-May/msg00977.html

This patch changes the macro introduced in 292d3f2d to either be
empty in the case of newer libselinux, or contain 'const' in the
case of older libselinux.  The macro is then used directly in
tests/securityselinuxhelper.c.
2014-05-28 16:52:48 -06:00
Cédric Bosdonnat
292d3f2d38 build: fix build with libselinux 2.3
Several function signatures changed in libselinux 2.3, now taking
a 'const char *' instead of 'security_context_t'.  The latter is
defined in selinux/selinux.h as

  typedef char *security_context_t;

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-28 12:17:04 -06:00
Eric Blake
25034b3c40 build: use --with-systemd-daemon as configure option
Commit 68954fb added a configure option --with-systemd_daemon,
which violates the conventions of configure files preferring
dash in all option names.  This fixes it, before we hit a
release where the tarball is baked with an awkward name.

* m4/virt-lib.m4 (LIBVIRT_CHECK_LIB, LIBVIRT_CHECK_LIB_ALT)
(LIBVIRT_CHECK_PKG): Favor - over _ in configure option names.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-02-26 05:59:22 -07:00
Michal Privoznik
68954fb25c virNetServerRun: Notify systemd that we're accepting clients
Systemd does not forget about the cases, where client service needs to
wait for daemon service to initialize and start accepting new clients.
Setting a dependency in client is not enough as systemd doesn't know
when the daemon has initialized itself and started accepting new
clients. However, it offers a mechanism to solve this. The daemon needs
to call a special systemd function by which the daemon tells "I'm ready
to accept new clients". This is exactly what we need with
libvirtd-guests (client) and libvirtd (daemon). So now, with this
change, libvirt-guests.service is invoked not any sooner than
libvirtd.service calls the systemd notify function.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-02-24 10:54:48 +01:00
Roman Bogorodskiy
0eb4a5f4f1 bhyve: add a basic driver
At this point it has a limited functionality and is highly
experimental. Supported domain operations are:

  * define
  * start
  * destroy
  * dumpxml
  * dominfo

It's only possible to have only one disk device and only one
network, which should be of type bridge.
2014-02-19 14:21:50 +00:00
Richard W.M. Jones
fe881ae086 aarch64: Disable -fstack-protector.
I'm using gcc-4.8.2-7.fc21.aarch64 which does not appear to support
this option.
2014-01-01 14:21:21 +00:00
Eric Blake
318ea3cb77 storage: initial support for linking with libgfapi
We support gluster volumes in domain XML, so we also ought to
support them as a storage pool.  Besides, a future patch will
want to take advantage of libgfapi to handle the case of a
gluster device holding qcow2 rather than raw storage, and for
that to work, we need a storage backend that can read gluster
storage volume contents.  This sets up the framework.

Note that the new pool is named 'gluster' to match a
<disk type='network'><source protocol='gluster'> image source
already supported in a <domain>; it does NOT match the
<pool type='netfs'><source><target type='glusterfs'>,
since that uses a FUSE mount to a local file name rather than
a network name.

This and subsequent patches have been tested against glusterfs
3.4.1 (available on Fedora 19); there are likely bugs in older
versions that may prevent decent use of gfapi, so this patch
enforces the minimum version tested.  A future patch may lower
the minimum.  On the other hand, I hit at least two bugs in
3.4.1 that will be fixed in 3.5/3.4.2, where it might be worth
raising the minimum: glfs_readdir is nicer to use than
glfs_readdir_r [1], and glfs_fini should only return failure on
an actual failure [2].

[1] http://lists.gnu.org/archive/html/gluster-devel/2013-10/msg00085.html
[2] http://lists.gnu.org/archive/html/gluster-devel/2013-10/msg00086.html

* configure.ac (WITH_STORAGE_GLUSTER): New conditional.
* m4/virt-gluster.m4: new file.
* libvirt.spec.in (BuildRequires): Support gluster in spec file.
* src/conf/storage_conf.h (VIR_STORAGE_POOL_GLUSTER): New pool
type.
* src/conf/storage_conf.c (poolTypeInfo): Treat similar to
sheepdog and rbd.
(virStoragePoolDefFormat): Don't output target for gluster.
* src/storage/storage_backend_gluster.h: New file.
* src/storage/storage_backend_gluster.c: Likewise.
* po/POTFILES.in: Add new file.
* src/storage/storage_backend.c (backends): Register new type.
* src/Makefile.am (STORAGE_DRIVER_GLUSTER_SOURCES): Build new files.
* src/storage/storage_backend.h (_virStorageBackend): Document
assumption.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-11-25 11:02:52 -07:00
Daniel P. Berrange
a7a1244a73 Remove python binding
The python binding now lives in

  http://libvirt.org/git/?p=libvirt-python.git

that repo also provides an RPM which is upgrade compatible
with the old libvirt-python sub-RPM.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-11-25 16:08:00 +00:00
Eric Blake
e5f46105a1 build: add configure --without-readline
Make it much easier to test a configuration built without readline
support, by reusing our existing library probe machinery.  It gets
a bit tricky with readline, which does not provide a pkg-config
snippet, and which on some platforms requires one of several
terminal libraries as a prerequisite, but the end result should be
the same default behavior but now with the option to disable things.

* m4/virt-readline.m4 (LIBVIRT_CHECK_READLINE): Simplify by using
LIBVIRT_CHECK_LIB.
* tools/virsh.c: Convert USE_READLINE to WITH_READLINE.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-10-07 08:39:47 -06:00
Eric Blake
d6eac3f377 build: move readline check into its own macro
A future patch will allow disabling readline; doing this in an
isolated file instead of configure.ac will make the task easier.

* configure.ac: Move readline code...
* m4/virt-readline.m4: ...here.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-10-07 08:35:57 -06:00
Eric Blake
21114ce9c2 maint: update to latest gnulib
Since we're about to freeze, it's time to pick up the latest
upstream gnulib.  Among other changes, gnulib now guarantees the
use of some -f flags that we were previously manually adding.

* .gnulib: Update to latest, in part for warning improvements.
* m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Drop
flags that are now guaranteed by gnulib.
* bootstrap: Resync to gnulib.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-09-24 06:53:07 -06:00
Eric Blake
f92c7e31fc build: fix regression in requiring yajl for new enough qemu
Jonathan Lebon reported an issue to me off-list about his build
failing to use qemu because he failed to install yajl-devel.  But
I recalled specifically tweaking configure.ac to die in that
situation (commits 350583c, ba9c38b).  After a bit more
head-scratching, we found the cause of the regression: commit
654c709 rearranged things so that the qemu version check now
occurs before AC_ARG_WITH has had a chance to set either
$with_qemu or $with_yajl.

Coincidentally, this fix aligns with a documentation patch that
was just posted to the autoconf mailing list :)
http://thread.gmane.org/gmane.comp.sysutils.autoconf.patches/8324

* m4/virt-lib.m4 (LIBVIRT_CHECK_LIB, LIBVIRT_CHECK_LIB_ALT)
(LIBVIRT_CHECK_PKG): Populate defaults earlier.
* configure.ac (AC_ARG_WITH): Likewise for drivers.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-09-10 12:03:19 -06:00
Eric Blake
ff77742104 build: avoid obsolete AC_HELP_STRING
Autoconf states that AC_HELP_STRING is obsolete, and that new
programs should use AS_HELP_STRING.  We also had instances of
not properly quoting the macro usage, and not relying on autoconf's
word-wrapping abilities to avoid long lines.  I validated that this
commit has no impact to the generated configure file.

* configure.ac (AC_ARG_WITH, AC_ARG_ENABLE): Autoconf recommends
the use of AS_HELP_STRING.  Also, use proper quoting and wrap long
lines.
* m4/virt-apparmor.m4 (LIBVIRT_CHECK_APPARMOR): Likewise.
* m4/virt-selinux.m4 (LIBVIRT_CHECK_SELINUX): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-09-09 13:27:49 -06:00
Guido Günther
3e2799add2 Check for --no-copy-dt-needed linker flag
and use it when available
2013-08-22 16:17:36 +02:00
Guido Günther
d9527b6d56 Simplify RELRO_LDFLAGS
by adding it to AM_LDFLAGS instead of every linking rule and
by avoiding a forked grep.
2013-08-22 16:17:35 +02:00
Eric Blake
10ec64105b maint: slightly reduce configure size
Rather than inlining gl_WARN_ADD loads of times, we can shave about
17k size off of the configure script by delaying it to a cleanup
shell loop.

* m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Track a
list of things to check, rather than inlining multiple checks.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-16 13:31:05 -06:00
Giuseppe Scrivano
a197fe5f9f configure: fix formatting of missing pkg-config modules error
It adds an empty space after the package version.  Previously the error
message looked like:

"You must install the dbus-1 >= 1.0.0pkg-config module to compile libvirt"

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2013-08-08 13:31:10 -06:00
Eric Blake
ff38690be9 maint: the compiler is not always named gcc
https://bugzilla.redhat.com/show_bug.cgi?id=994589 complained that
even when using a cross-compiler not named 'gcc', the configure
output confusingly referred to gcc.

* m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Use a
more generic statement in configure output.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-07 09:44:52 -06:00
Ján Tomko
4b91dc24d1 Fix build with clang
Partially revert cdd703f's revert of c163410, as linking with clang
with --param=ssp-buffer-size=4 still fails with:
"argument unused during compilation".
2013-07-04 11:35:59 +02:00
Eric Blake
cdd703f475 maint: update to latest gnulib
The latest mingw headers on Fedora 19 fail to build with gnulib
without an update.

Meanwhile, now that upstream gnulib has better handling of -W
probing for clang, we can drop some of our own solutions in
favor of upstream; thus this reverts commit c1634100, "Correctly
detect warning flags with clang".

* .gnulib: Update to latest, for mingw and clang.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-03 11:02:33 -06:00
Roman Bogorodskiy
cc7cd6232e FreeBSD: disable buggy -fstack-protector-all
FreeBSD ships an old gcc 4.2.1 which generates
bogus code, e.g. getsockopt() call returns
struct xucred with bogus values, which doesn't even
allow to connect to libvirtd:

error: Failed to find group record for gid '1284660778': No error: 0

So roll back to just -fstack-protector on FreeBSD.
2013-05-15 15:20:52 -06:00
Daniel P. Berrange
71b54636f0 Don't duplicate compiler warning flags when linking
Automake already passes all CFLAGS to the linker too, so it
is not necessary to set WARN_LDFLAGS in addition to the
WARN_CFLAGS variable.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-14 15:02:37 +01:00
Daniel P. Berrange
c163410044 Correctly detect warning flags with clang
Clang will happily claim to support any warning flags
unless the -Werror and -Wunknown-warning-option flags
are set. Thus we need to make sure these are set when
testing for clags.

We must also set the clang specific warning flags
-Wno-unused-command-line-argument to avoid a warning
from the ssp-buffer-size flag when linking .o files.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-14 15:00:22 +01:00
Daniel P. Berrange
c43b685a1d Ensure consistent enablement of gcc 'diagnostic' pragma
The virt-compile-warnings.m4 file would do an explicit
check for whether the compile could use the 'diagnostic'
pragma push/pop feature. The src/internal.h file would
then only enable it for GCC >= 4.6

This breaks with clang which supports the pragma but
does not claim GCC 4.6 compat. Export a variable from
the m4 check to the header file so they are consistent.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-14 15:00:22 +01:00
Daniel P. Berrange
c03eff7717 Don't enable -fPIE on Win32 platforms
On win32, all code is position independent and adding -fPIE
to the compiler flags results in warnings being printed

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-15 17:35:30 +01:00
Daniel P. Berrange
e57aaa6fcf Disable cast-align warnings in various places
There are a number of places which generate cast alignment
warnings, which are difficult or impossible to address. Use
pragmas to disable the warnings in these few places

conf/nwfilter_conf.c: In function 'virNWFilterRuleDetailsParse':
conf/nwfilter_conf.c:1806:16: warning: cast increases required alignment of target type [-Wcast-align]
         item = (nwItemDesc *)((char *)nwf + att[idx].dataIdx);
conf/nwfilter_conf.c: In function 'virNWFilterRuleDefDetailsFormat':
conf/nwfilter_conf.c:3238:16: warning: cast increases required alignment of target type [-Wcast-align]
         item = (nwItemDesc *)((char *)def + att[i].dataIdx);

storage/storage_backend_mpath.c: In function 'virStorageBackendCreateVols':
storage/storage_backend_mpath.c:247:17: warning: cast increases required alignment of target type [-Wcast-align]
         names = (struct dm_names *)(((char *)names) + next);

nwfilter/nwfilter_dhcpsnoop.c: In function 'virNWFilterSnoopDHCPDecode':
nwfilter/nwfilter_dhcpsnoop.c:994:15: warning: cast increases required alignment of target type [-Wcast-align]
         pip = (struct iphdr *) pep->eh_data;
nwfilter/nwfilter_dhcpsnoop.c:1004:11: warning: cast increases required alignment of target type [-Wcast-align]
     pup = (struct udphdr *) ((char *) pip + (pip->ihl << 2));

nwfilter/nwfilter_learnipaddr.c: In function 'procDHCPOpts':
nwfilter/nwfilter_learnipaddr.c:327:33: warning: cast increases required alignment of target type [-Wcast-align]
                 uint32_t *tmp = (uint32_t *)&dhcpopt->value;
nwfilter/nwfilter_learnipaddr.c: In function 'learnIPAddressThread':
nwfilter/nwfilter_learnipaddr.c:501:43: warning: cast increases required alignment of target type [-Wcast-align]
                     struct iphdr *iphdr = (struct iphdr*)(packet +
nwfilter/nwfilter_learnipaddr.c:538:43: warning: cast increases required alignment of target type [-Wcast-align]
                     struct iphdr *iphdr = (struct iphdr*)(packet +
nwfilter/nwfilter_learnipaddr.c:544:48: warning: cast increases required alignment of target type [-Wcast-align]
                         struct udphdr *udphdr= (struct udphdr *)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-08 10:03:21 +01:00
Daniel P. Berrange
fc8c1787d8 Enable full RELRO mode
By passing the flags -z relro -z now to the linker, we can force
it to resolve all library symbols at startup, instead of on-demand.
This allows it to then make the global offset table (GOT) read-only,
which makes some security attacks harder.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Daniel P. Berrange
1150999ca4 Build all binaries with PIE
PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC). The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-03 16:19:35 +01:00
Daniel P. Berrange
9fe43021f3 Fix typo in configure.ac causing $LIBS to gain a copy of $CFLAGS
The virt-dbus.m4 check for DBus was preserving $LIBS before
modifying it. Except it wasn't. It was preserving another
copy of $CFLAGS. The result was that after the check completed,
$LIBS got polluted with $CFLAGS

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-05 18:04:16 +00:00
Daniel P. Berrange
688b3ecfe9 Fix typo LIBCURL_{CFLAGS,LIBS} to CURL_{CFLAGS,LIBS}
Some places missed the conversion from LIBCURL_{CFLAGS,LIBS} to
CURL_{CFLAGS,LIBS}, and a part of curl check was left in
configure.ac instead of m4/virt-curl.m4 by mistake
2013-01-14 17:22:31 +00:00
Eric Blake
cc453bb548 maint: typo fix
I noticed this typo while configuring on a freshly-installed machine.

* m4/virt-udev.m4: Correct pciaccess name.
2013-01-14 09:33:48 -07:00
Daniel P. Berrange
907a39e735 Add a test suite for validating SELinux labelling
There are many aspects of the guest XML which result in the
SELinux driver applying file labelling. With the increasing
configuration options it is desirable to test this behaviour.
It is not possible to assume that the test suite has the
ability to set SELinux labels. Most filesystems though will
support extended attributes. Thus for the purpose of testing,
it is possible to extend the existing LD_PRELOAD hack to
override setfilecon() and getfilecon() to simply use the
'user.libvirt.selinux' attribute for the sake of testing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-01-14 13:40:04 +00:00