Commit Graph

13651 Commits

Author SHA1 Message Date
Jiri Denemark
fefb0d5464 Introduce VIR_TYPED_PARAMS_DEBUG macro for dumping typed params
All APIs that take typed parameters are only using params address in
their entry point debug messages. With the new VIR_TYPED_PARAMS_DEBUG
macro, all functions can easily log all individual typed parameters
passed to them.
2013-06-25 00:38:24 +02:00
Jiri Denemark
8a7f1166e1 Introduce virTypedParamsReplaceString internal API 2013-06-25 00:38:24 +02:00
Jiri Denemark
637a7c865a Introduce virTypedParamsCheck internal API
This API is useful for checking whether only a specific subset of
supported typed parameters were passed.
2013-06-25 00:38:24 +02:00
Jiri Denemark
40369ea674 util: Emit proper error code in virTypedParamsValidate
When unsupported parameter is passed to virTypedParamsValidate,
VIR_ERR_ARGUMENT_UNSUPPORTED should be returned rather than
VIR_ERR_INVALID_ARG, which is more appropriate for supported parameters
used incorrectly.
2013-06-25 00:38:24 +02:00
Jiri Denemark
c40ed4168a Rename virTypedParameterArrayValidate as virTypedParamsValidate 2013-06-25 00:38:24 +02:00
Jiri Denemark
2ebd847924 build: Fix check-aclrules in VPATH build 2013-06-25 00:38:23 +02:00
Laine Stump
9b4a666608 pci: make virPCIDeviceDetach consistent in behavior
virPCIDeviceDetach would previously sometimes consume the input device
object (to put it on the inactive list) and sometimes not. Avoiding
memory leaks required checking beforehand to see if the device was
already on the list, and freeing the device object in the caller only
if there wasn't already an identical object on the inactive list.

This patch makes it consistent - virPCIDeviceDetach will *never*
consume the input virPCIDevice object; if it needs to put one on the
inactive list, it will create a copy and put *that* on the list. This
way the caller knows that it is always their responsibility to free
the device object they created.
2013-06-24 17:35:13 -04:00
Laine Stump
f962e8b603 pci: eliminate memory leak in virPCIDeviceReattach
virPCIDeviceReattach was making the assumption that the dev object
given to it was one and the same with the dev object on the
inactiveDevs list. If that had been the case, it would not need to
free the dev object it removed from the inactive list, because the
caller of virPCIDeviceReattach always frees the dev object that it
passes in. Since the dev object passed in is *never* the same object
that's on the list (it is a different object with the same name and
attributes, created just for the purpose of searching for the actual
object), simply doing a "ListSteal" to remove the object from the list
results in one leaked object; we need to actually free the object
after removing it from the list.
2013-06-24 17:35:01 -04:00
Laine Stump
50a8d85035 pci: new utility functions
* virPCIDeviceFindByIDs - find a device on a list w/o creating an object
    This makes searching for an existing device on a list lighter weight.

* virPCIDeviceCopy - make a copy of an existing virPCIDevice object.

* virPCIDeviceGetDriverPathAndName - construct new strings containing
    1) the name of the driver bound to this device.
    2) the full path to the sysfs config for that driver.
    (This code was lifted from virPCIDeviceUnbindFromStub, and replaced
    there with a call to this new function).
2013-06-24 17:33:38 -04:00
Laine Stump
53e52b4ac3 pci: change stubDriver from const char* to char*
Previously stubDriver was always set from a string literal, so it was
okay to use a const char * that wasn't freed when the virPCIDevice was
freed. This will not be the case in the near future, so it is now a
char* that is allocated in virPCIDeviceSetStubDriver() and freed
during virPCIDeviceFree().
2013-06-24 17:33:29 -04:00
Laine Stump
d80d0d5d40 syntax: virPCIDeviceFree is also a NOP for NULL args
add it to the syntax-check list and fix the one offending caller.
2013-06-24 17:33:23 -04:00
Jim Fehlig
c302130277 libxl: support qdisk backend
libxl supports the LIBXL_DISK_BACKEND_QDISK disk backend, where qemu
is used to provide the disk backend.  This patch simply maps the
existing <driver name='qemu'/> to LIBXL_DISK_BACKEND_QDISK.
2013-06-24 09:10:14 -06:00
Jim Fehlig
05bcf6f06d libxl: Fix disk format error message
Specifying an unsupported disk format with the tap driver resulted in
a less than helpful error message

error: Failed to start domain test-hvm
error: internal error libxenlight does not support disk driver qed

Change the message to state that the qed format is not supported by
the tap driver, e.g.

error: Failed to start domain test-hvm
error: internal error libxenlight does not support disk format qed
with disk driver tap

While at it, check for unsupported formats in the other driver
backends.
2013-06-24 09:10:14 -06:00
Daniel P. Berrange
684ce8300e Add validation that all APIs contain ACL checks
Add a script which parses the driver API code and validates
that every API registered in a virNNNDriverPtr table contains
an ACL check matching the API name.

NB this currently whitelists a few xen driver functions
which are temporarily lacking in access control checks.
The xen driver is considered insecure until these are
fixed.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:47:31 +01:00
Daniel P. Berrange
5de708c1b9 Set process ID in system identity
When creating a virIdentityPtr for the system identity, include
the current process ID as an attribute.
2013-06-24 15:39:56 +01:00
Daniel P. Berrange
15af5e5f70 Add ACL checks into the secrets driver
Insert calls to the ACL checking APIs in all secrets driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
1eca3f5bdf Add ACL checks into the nwfilter driver
Insert calls to the ACL checking APIs in all nwfilter driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
20d8e1f1d7 Add ACL checks into the node device driver
Insert calls to the ACL checking APIs in all node device
driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
a7147bc68e Add ACL checks into the interface driver
Insert calls to the ACL checking APIs in all interface
driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
453da48b12 Add ACL checks into the network driver
Insert calls to the ACL checking APIs in all network driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
c930410beb Add ACL checks into the storage driver
Insert calls to the ACL checking APIs in all storage driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
f5e007c353 Add ACL checks into the libxl driver
Insert calls to the ACL checking APIs in all libxl driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:44 +01:00
Daniel P. Berrange
cffe870c24 Add ACL checks into the Xen driver
Insert calls to the ACL checking APIs in all Xen driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:43 +01:00
Daniel P. Berrange
d78277f934 Add ACL checks into the UML driver
Insert calls to the ACL checking APIs in all UML driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:43 +01:00
Daniel P. Berrange
279866d550 Add ACL checks into the LXC driver
Insert calls to the ACL checking APIs in all LXC driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:43 +01:00
Daniel P. Berrange
abf75aea24 Add ACL checks into the QEMU driver
Insert calls to the ACL checking APIs in all QEMU driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:43 +01:00
Daniel P. Berrange
686026225e Auto-generate helpers for checking access control rules
Extend the 'gendispatch.pl' script to be able to generate
three new types of file.

- 'aclheader' - defines signatures of helper APIs for
  doing authorization checks. There is one helper API
  for each API requiring an auth check. Any @acl
  annotations result in a method being generated with
  a suffix of 'EnsureACL'. If the ACL check requires
  examination of flags, an extra 'flags' param will be
  present. Some examples

  extern int virConnectBaselineCPUEnsureACL(void);
  extern int virConnectDomainEventDeregisterEnsureACL(virDomainDefPtr domain);
  extern int virDomainAttachDeviceFlagsEnsureACL(virDomainDefPtr domain, unsigned int flags);

  Any @aclfilter annotations resuilt in a method being
  generated with a suffix of 'CheckACL'.

  extern int virConnectListAllDomainsCheckACL(virDomainDefPtr domain);

  These are used for filtering individual objects from APIs
  which return a list of objects

- 'aclbody' - defines the actual implementation of the
  methods described above. This calls into the access
  manager APIs. A complex example:

    /* Returns: -1 on error (denied==error), 0 on allowed */
    int virDomainAttachDeviceFlagsEnsureACL(virConnectPtr conn,
                                            virDomainDefPtr domain,
                                            unsigned int flags)
    {
        virAccessManagerPtr mgr;
        int rv;

        if (!(mgr = virAccessManagerGetDefault()))
            return -1;

        if ((rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_WRITE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE)) == 0) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG)) == (VIR_DOMAIN_AFFECT_CONFIG)) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        virObjectUnref(mgr);
        return 0;
    }

- 'aclsyms' - generates a linker script to export the
   APIs to drivers. Some examples

  virConnectBaselineCPUEnsureACL;
  virConnectCompareCPUEnsureACL;

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:25:19 +01:00
Daniel P. Berrange
e341435e50 Add ACL annotations to all RPC messages
Introduce annotations to all RPC messages to declare what
access control checks are required. There are two new
annotations defined:

 @acl: <object>:<permission>
 @acl: <object>:<permission>:<flagname>

  Declare the access control requirements for the API. May be repeated
  multiple times, if multiple rules are required.

    <object> is one of 'connect', 'domain', 'network', 'storagepool',
             'interface', 'nodedev', 'secret'.
    <permission> is one of the permissions in access/viraccessperm.h
    <flagname> indicates the rule only applies if the named flag
    is set in the API call

 @aclfilter: <object>:<permission>

  Declare an access control filter that will be applied to a list
  of objects being returned by an API. This allows the returned
  list to be filtered to only show those the user has permissions
  against

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Daniel P. Berrange
b904bba7f4 Add a policy kit access control driver
Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.

It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Daniel P. Berrange
ed3bac713c Setup default access control manager in libvirtd
Add a new 'access_drivers' config parameter to the libvirtd.conf
configuration file. This allows admins to setup the default
access control drivers to use for API authorization. The same
driver is to be used by all internal drivers & APIs

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Daniel P. Berrange
ba7b867b46 Set conn->driver before running driver connectOpen method
The access control checks in the 'connectOpen' driver method
will require 'conn->driver' to be non-NULL. Set this before
running the 'connectOpen' method and NULL-ify it again on
failure.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Daniel P. Berrange
a93cd08fd5 Define basic internal API for access control
This patch introduces the virAccessManagerPtr class as the
interface between virtualization drivers and the access
control drivers. The viraccessperm.h file defines the
various permissions that will be used for each type of object
libvirt manages

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-24 15:24:36 +01:00
Ján Tomko
d3c8788492 qemu: check if block I/O limits fit into long long
We can only pass values up to LLONG_MAX through JSON
and QEMU checks if the int64_t number is not negative
at startup since 1.5.0.

https://bugzilla.redhat.com/show_bug.cgi?id=974010
2013-06-24 14:18:14 +02:00
Ján Tomko
7a99eb912f Get rid of useless VIR_STORAGE_FILE_FEATURE_NONE
It's not used anywhere except for the switch in
virStorageBackendCreateQemuImgOpts, where leaving it in causes
a dead code coverity warning and omitting it breaks compilation
because of unhandled enum value.

Introduced by 6298f74.
2013-06-24 08:44:46 +02:00
Ján Tomko
695593fe00 netdev: accept NULL in virNetDevSetupControl
Commit b9c6b073 dropped the version of virNetDevSetupControl
that didn't check for NULL arguments, but we call it like that
in virNetDevBridgeDelete.
2013-06-21 20:22:07 +02:00
Jim Fehlig
3a3b8f6956 xen: Implement virConnectGetSysinfo
virConnectGetSysinfo was never implemented in the legacy xen driver.
This patch provides an implementation based on the qemu driver.
2013-06-21 10:42:24 -06:00
Jim Fehlig
fdc10e8d80 libxl: Implement virConnectGetSysinfo
virConnectGetSysinfo was never implemented in the libxl driver.
This patch provides an implementation based on the qemu driver.
2013-06-21 10:42:24 -06:00
Jim Fehlig
ba64b97134 libxl: Allow libxl to set NIC devid
libxl contains logic to determine an appropriate devid for new devices
that do not specify one in their configuration.  For all device types
except NICs, the libxl driver allows libxl to determine devid.  Do the
same for NICs.
2013-06-21 10:16:47 -06:00
Ján Tomko
6298f74d9a storage: add support for creating qcow2 images with extensions
Add -o compat= and -o lazy_refcounts options for qemu-img.
2013-06-21 13:25:30 +02:00
Ján Tomko
31d42506fb conf: add features to volume target XML
Add <features> and <compat> elements to volume target XML.

<compat> is a string which for qcow2 represents the QEMU version
it should be compatible with. Valid values are 0.10 and 1.1.
1.1 is implicit if the <features> element is present, otherwise
qemu-img default is used. 0.10 can be specified to explicitly
create older images after the qemu-img default changes.

<features> contains optional features, so far
<lazy_refcounts/> is available, which enables caching of reference
counters, improving performance for snapshots.
2013-06-21 13:25:30 +02:00
Ján Tomko
a1ee8e18c9 util: add support for qcow2v3 image detection
Detect qcow2 images with version 3 in the image header as
VIR_STORAGE_FILE_QCOW2.

These images have a feature bitfield, with just one feature supported
so far: lazy_refcounts.

The header length changed too, moving the location of the backing
format name.
2013-06-21 13:25:29 +02:00
Ján Tomko
19f75d5eeb qemu: add hv_vapic and hv_spinlocks support
XML:
<features>
  <hyperv>
    <vapic state='on'/>
    <spinlocks state='on' retries='4096'/>
  </hyperv>
</features>

results in the following QEMU command line:
qemu -cpu <cpu_model>,hv_vapic,hv_spinlocks=0x1000

https://bugzilla.redhat.com/show_bug.cgi?id=784836
2013-06-21 13:24:44 +02:00
Ján Tomko
800b51d7b0 conf: add vapic and spinlocks to hyperv features
Add new CPU features for HyperV:
vapic for virtual APIC support
spinlocks for setting spinlock support

<features>
  <hyperv>
    <vapic state='on'/>
    <spinlocks state='on' retries='4096'/>
  </hyperv>
</features>

https://bugzilla.redhat.com/show_bug.cgi?id=784836
2013-06-21 12:33:46 +02:00
Roman Bogorodskiy
ce2400676d BSD: implement bridge add/remove port and set STP 2013-06-21 10:23:28 +02:00
Roman Bogorodskiy
b9c6b073e6 BSD: implement virNetDevBridgeCreate() and virNetDevBridgeDelete()
Implementation uses SIOCIFCREATE2 and SIOCIFDESTROY ioctls.
Also, drop static virNetDevSetupControl() as we have
public one avialable now.
2013-06-21 10:23:28 +02:00
Osier Yang
9b8ee6d0f2 conf: Requires either uuid or usage of secret
As the RNG schema for disk auth secret implies, it requires either
"uuid" or "usage":

  <define name='diskAuthSecret'>
    <element name='secret'>
      <attribute name='type'>
        <choice>
          <value>ceph</value>
          <value>iscsi</value>
        </choice>
      </attribute>
      <choice>
        <attribute name='uuid'>
          <ref name="UUID"/>
        </attribute>
        <attribute name='usage'>
          <ref name='genericName'/>
        </attribute>
      </choice>
    </element>
  </define>
2013-06-21 09:41:48 +02:00
Jiri Denemark
adb7b0b562 qemu: Make probing for commands declarative 2013-06-21 09:32:42 +02:00
Jiri Denemark
61a2841493 qemu: Make probing for events declarative 2013-06-21 09:32:42 +02:00
Jim Fehlig
24d0e67aba build: Fix build with -Werror
Commit 752596b5 broke the build with -Werror

qemu/qemu_hotplug.c: In function 'qemuDomainChangeGraphics':
qemu/qemu_hotplug.c:1980:39: error: declaration of 'listen' shadows a
  global declaration [-Werror=shadow]

Fix with s/listen/newlisten/
2013-06-20 12:59:19 -06:00
Laine Stump
2bdf548f5f network: increase max number of routes
This fixes the problem reported in:

   https://bugzilla.redhat.com/show_bug.cgi?id=972690

When checking for a collision of a new libvirt network's subnet with
any existing routes, we read all of /proc/net/route into memory, then
parse all the entries. The function that we use to read this file
requires a "maximum length" parameter, which had previously been set
to 64*1024. As each line in /proc/net/route is 128 bytes, this would
allow for a maximum of 512 entries in the routing table.

This patch increases that number to 128 * 100000, which allows for
100,000 routing table entries. This means that it's possible that 12MB
would be allocated, but that would only happen if there really were
100,000 route table entries on the system, it's only held for a very
short time.

Since there is no method of specifying and unlimited max (and that
would create a potential denial of service anyway) hopefully this
limit is large enough to accomodate everyone.
2013-06-20 14:23:36 -04:00