Commit Graph

49457 Commits

Author SHA1 Message Date
Laine Stump
9953ab321e rpcgen: use proper operators when comparing types
flake8 (run on all python scripts as a part of the syntax checks)
version 6.1.0 (on macOS 14) issued many complaints like this on the
new rpcgen python scripts:

[...]libvirt/scripts/rpcgen/rpcgen/lexer.py:57:17: E721 do not compare types, for exact checks use `is` / `is not`, for instance checks use `isinstance()`

This patch changes all [type] == [type] to use "is" instead of "==",
and similarly to use "is not" instead of "!=".

(flake8 5.03, e.g. on Fedora 38, is just fine with using "==" and "!=",
but python on both likes "is" and "is not")

Fixes: commit v9.9.0-24-g8ec79e5e14
Fixes: commit v9.9.0-22-gca3f025011
Fixes: commit v9.9.0-21-g031efb691f
Fixes: commit v9.9.0-20-g8c8b97685b

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 12:24:30 -05:00
Andrea Bolognani
72723b2b90 rpm: Add libxml2 BuildRequires for xmllint
It's already been dragged in by the -devel package, but since
we use the command line tool directly as part of our build
process it's more correct to explicitly depend on the runtime
package.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:50:38 +01:00
Andrea Bolognani
96240eb37a rpm: Explain a couple of BuildRequires
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:50:10 +01:00
Andrea Bolognani
de40cdf3ab rpm: Rename module-init-tools -> kmod
The old package name is only kept around for compatibility
reasons.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:50:09 +01:00
Andrea Bolognani
19bf2e64de rpm: Explicitly enable NLS support
We want it both for native builds and MinGW ones.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:50:07 +01:00
Andrea Bolognani
28b8a67765 rpm: Disable expensive tests for MinGW builds
Tests are disabled so this combination never made any sense,
but with recent changes it has turned into a build failure.

Fixes: 8ce0decc37
Reported-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:49:47 +01:00
Andrea Bolognani
b6eab588b5 ci: Drop macOS 12
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:48:57 +01:00
Andrea Bolognani
cff934754a ci: Add macOS 14
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:48:56 +01:00
Andrea Bolognani
c1b78e1162 ci: Add macOS 13
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:48:54 +01:00
Andrea Bolognani
8895d59688 ci: Drop rpcgen override from macOS $PATH
We no longer use rpcgen.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:48:53 +01:00
Andrea Bolognani
2fd2385d9d ci: Update generated files
Gain native gettext on MinGW, lose glusterfs on 32-bit
architectures and rpcgen everywhere.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 16:48:47 +01:00
김인수
ccfda7052d Translated using Weblate (Korean)
Currently translated at 100.0% (10414 of 10414 strings)

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/ko/

Co-authored-by: 김인수 <simmon@nplob.com>
Signed-off-by: 김인수 <simmon@nplob.com>
2023-11-06 12:04:33 +01:00
Weblate
bbe4ac2682 Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/

Co-authored-by: Weblate <noreply@weblate.org>
Signed-off-by: Fedora Weblate Translation <i18n@lists.fedoraproject.org>
2023-11-06 12:04:33 +01:00
Temuri Doghonadze
a06e7d6503 Translated using Weblate (Georgian)
Currently translated at 4.4% (460 of 10413 strings)

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/ka/

Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Signed-off-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
2023-11-06 12:04:33 +01:00
Sergey A
bd6ec6258f Translated using Weblate (Russian)
Currently translated at 88.4% (9214 of 10414 strings)

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/ru/

Translated using Weblate (Russian)

Currently translated at 88.4% (9206 of 10413 strings)

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/ru/

Co-authored-by: Sergey A <sw@atrus.ru>
Signed-off-by: "Sergey A." <sw@atrus.ru>
2023-11-06 12:04:32 +01:00
Michal Privoznik
69cdb11fba virhostmem: Get total memory on macOS properly
Problem with HW_PHYSMEM sysctl on 64-bit macOS is that it
returns a 32-bit signed value. Thus it overflows. Switching to
HW_MEMSIZE is recommended as it's of an uint_64 type [1].

1: https://github.com/apple-oss-distributions/xnu/blob/xnu-10002.1.13/bsd/sys/sysctl.h

Reported-by: Jaroslav Suchanek <jsuchane@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 12:01:57 +01:00
Daniel P. Berrangé
bbb2332f7e ci: workaround broken opensuse leap 15.5 tirpc
Temporarily disable '-Wmissing-include-dirs' becuase the
libtirpc pkg-config file has a bogus include dir. The
headers can fortunately still be found since they are
in the system include dir.

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 04:25:51 -05:00
Daniel P. Berrangé
a1d92b93c5 ci: drop mipsel on Debian Sid
This port was discontinued and purged from the archives:

https://lists.debian.org/debian-devel-announce/2023/09/msg00000.html

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-06 04:25:26 -05:00
Laine Stump
9231566146 build: suppress "ignoring duplicate libraries" warning on macOS
Xcode 15, which provides the compiler toolchain for building libvirt
on macOS has switched to a new linker that warns about duplicated
"-lblah" options on the ld commandline. In practice this is impossible
to prevent in a large project, and also harmless.

Fortunately the new ld command also has an option,
-no_warn_duplicate_libraries, that supresses this harmless/pointless
warning, meson has a simple way to check if that option is supported,
and libvirt's meson.build files already have examples of adding an
option to the ld commandline if it's available.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2023-11-03 15:56:37 -04:00
Daniel P. Berrangé
501825011c remote: use g_auto for client RPC return parameters
Currently some, but not all, methods have a call to the
xdr_free function, for the 'ret' variable. This is done
on methods where there are complex structs containing
allocated memory. In other cases the structs contain
allocated memory, but the pointer is stolen, so xdr_free
is not called. In other cases no allocated memory is
present, so xdr_free.

This is hard to reason about, because the definition of
the struct is not visible in the client stubs.

Switch to use g_auto() for the 'ret' variable, which
means 'xdr_free' is always going to be called. Some
places now need to use g_steal_pointer as a result.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
154495a0c0 admin: use g_auto for client RPC return parameters
Currently some, but not all, methods have a call to the
xdr_free function, for the 'ret' variable. This is done
on methods where there are complex structs containing
allocated memory. In other cases the structs contain
allocated memory, but the pointer is stolen, so xdr_free
is not called. In other cases no allocated memory is
present, so xdr_free.

This is hard to reason about, because the definition of
the struct is not visible in the client stubs.

Switch to use g_auto() for the 'ret' variable, which
means 'xdr_free' is always going to be called. Some
places now need to use g_steal_pointer as a result.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
91f3acec5b rpc: use g_auto for client RPC return parameters
Currently some, but not all, methods have a call to the
xdr_free function, for the 'ret' variable. This is done
on methods where there are complex structs containing
allocated memory. In other cases the structs contain
allocated memory, but the pointer is stolen, so xdr_free
is not called. In other cases no allocated memory is
present, so xdr_free.

This is hard to reason about, because the definition of
the struct is not visible in the client stubs.

Switch to use g_auto() for the 'ret' variable, which
means 'xdr_free' is always going to be called. Some
places now need to use g_steal_pointer as a result.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
086fa214bb rpcgen: add g_auto function support
This will eliminate the need to call xdr_free to clear
pointers from data structures.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
a62486b95f build: switch over to new rpc generator code
This replaces use of 'rpcgen' with our new python impl of
the RPC code generator. Since the new impl generates code
that matches our style/coding rules, and does not contain
long standing bugs, we no longer need to post-process the
output.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
ac9e6ff649 rpcgen: define entrypoint for running new rpcgen impl
The new program takes the form

  rpcgen [--mode source|header|repr] \
         [--header include] \
         xdr-file output-file

If '--mode' is not given it parses the XDR file but does not
generate anything, which is useful as a syntax check. The
'source' mode gives the '.c' file content, while 'header'
gives the '.h' file content. 'repr' gives a representation
of the abstract syntax tree, mostly useful for debugging
the parser.

If '--header' is given, it is added as a local #include ".."
statement in the output and is valid for either 'header'
or 'source' modes.

Either 'xdr-file' or 'output-file' can be omitted in which
case they default to stdin/stdout respectively.

This rpcgen program will directly include the 'config.h'
header in its output.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
40cbaa8fbe rpcgen: add test case for XDR serialization
Test the serialization done by libtirpc, so that when we later
switch to our own code, we can prove wire compatibility.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
8ec79e5e14 rpcgen: add a C code generator for XDR protocol specs
This implements a C code generator that emits code that is
(almost) identical to the classic 'rpcgen' program. The
key differences are:

 - Skip inlining of calls for struct fields
 - Skip K&R style function prototypes in headers
 - Use int64_t instead of quad_t for OS portability
 - Saner whitespace / indentation

The tests/demo.c and tests/demo.h files were created using
the traditional 'rpcgen' program, and then editted to cut
out the leading boilerplate, and the differences mentioned
above.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
518af85344 rpcgen: define a visitor API for XDR protocol specs
The visitor API defines an interface for visiting each element
in the XDR protocol spec abstract syntax tree.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
ca3f025011 rpcgen: add an XDR protocol parser
This adds a parser capable of handling the XDR protocol files.

The parsing grammar requirements are detailed in

  https://www.rfc-editor.org/rfc/rfc4506#section-6.3

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
031efb691f rpcgen: add an XDR protocol abstract syntax tree
This introduces classes needed to form an abstract syntax
tree representing the XDR protocol language.

The syntax requirements are detailed in

  https://www.rfc-editor.org/rfc/rfc4506#section-6.3

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
8c8b97685b rpcgen: add an XDR protocol lexer
This adds a lexer capable of handling the XDR protocol files.

The lexical rquirements are detailed in

  https://www.rfc-editor.org/rfc/rfc4506#section-6.2

pytest is introduced as a build dependancy for testing python
code.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
a24ab56da8 build-aux: introduce 'black' tool for python formatting
The 'black' tool is intended to be an opinionated formatting
tool for python code. It is complementary to flake8 which
validates coding bad practices, but (mostly) ignores code
layout issues.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:35 -04:00
Daniel P. Berrangé
72a5ccedf0 build-aux: skip E203 and W503 flake8 checks
The flake8 check W503 does not want a line break before
binary operator. This is contrary to the style that the
'black' formatting tool wants to use. Defer to 'black'
as it is intended to be an opinionated formatting tool
standardizing python code style, and thus not to be
customized per project.

The flake8 check E203 does not want whitespace before
a ':'. This is, however, desirable when indexing array
slices eg

   self.lookahead[skip : skip + 1]

which is a format that 'black' produces.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:34 -04:00
Daniel P. Berrangé
07e18c18a4 rpcgen: drop type-puning workarounds
The current RPC code is post-processed to introduce an
intermediate variable, rather than casting directly
to char ** at time of use. This is said to be a workaround
for type-puning warnings that the compiler emitted.

Neither GCC or CLang emit any warnings for the code in
question today, across any of the architectures we
test in CI. Thus it is presumed that somewhere in the
15 years since the workaround was done, the compilers
have got smarter and do the right thing.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 14:06:34 -04:00
Laine Stump
3d9019e64f tests: ignore $__CF_USER_TEXT_ENCODING in env during commandtest
This environment variable is supposedly set according to the contents
of ~/.CFUserTextEncoding, and certainly on MacOS 14 (Sonoma) it is set
in the environment of child processes created by execve() (used by
virCommand()), causing commandtest to fail. (However, the value that is
shown in $__CF_USER_TEXT_ENCODING during the test 1) is not in the
environment of the shell the test is run from, and 2) doesn't match
the contents of ~/.CFUserTextEncoding.)

It is true, though, that filtering out this environment setting from
the test results permits commandtest to pass on macOS 14 (Sonoma).

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2023-11-03 13:31:26 -04:00
Pavel Hrdina
4f4a8dce94 qemu_process: fix crash in qemuSaveImageDecompressionStart
Commit changing the code to allow passing NULL as @data into
qemuSaveImageDecompressionStart() was not correct as it left the
original call into the function as well.

Introduced-by: 2f3e582a1a
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2247754
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-03 14:17:06 +01:00
Andrea Bolognani
abb6906260 rpc: Make rpcgen produce ANSI C code
This is the default for the version of rpcgen shipped with
Linux distributions, but the one in macOS and possibly others
default to K&R C, which modern compilers don't appreciate.

Luckily, all versions of rpcgen shipped with our target
platforms seem to support the -C option.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-03 12:03:23 +01:00
Peter Krempa
47ee78048c qemu: block: Remove unused flags QEMU_BLOCK_STORAGE_SOURCE_BACKEND_PROPS_ flags
QEMU_BLOCK_STORAGE_SOURCE_BACKEND_PROPS_SKIP_UNMAP is no longer
referenced inside the code.

QEMU_BLOCK_STORAGE_SOURCE_BACKEND_PROPS_AUTO_READONLY is passed from
various code paths to the qemuBlockStorageSourceGetBackendProps helper,
but it's no longer used.

Both thus can be removed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:32:43 +01:00
Peter Krempa
620ef445ce qemuBlockStorageSourceGetBackendProps: Remove unused logic for (auto-)read-only flags
The code was refactored to format the 'read-only' and 'auto-read-only'
flags via the common helper, so the logic determining their values can
be removed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:32:32 +01:00
Peter Krempa
fc18e01e52 qemuBlockStorageSourceGetBackendProps: Use qemuBlockStorageSourceAddBlockdevCommonProps
Use the qemuBlockStorageSourceAddBlockdevCommonProps helper when
formatting protocol layer both when it's used as backing for a format
node and when it's used as the effective node.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:32:22 +01:00
Peter Krempa
3ad5d7b2bb qemuBuildHostdevSCSIAttachPrepare: Use "effective node" mode for getting blockdev props
The resulting properties are identical, as the hostdev backend code
doesn't set any of the extra properties.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:32:08 +01:00
Peter Krempa
ec936526c2 qemuBlockStorageSourceGetBackendProps: Introduce QEMU_BLOCK_STORAGE_SOURCE_BACKEND_PROPS_EFFECTIVE_NODE
Introduce a mode where the protocol layer -blockdev will be formatted
so that it can be used as the effective node (used to access data from
the device). For this new mode we'll use
qemuBlockStorageSourceAddBlockdevCommonProps.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:31:51 +01:00
Peter Krempa
80494dfb74 qemu: block: Use qemuBlockStorageSourceAddBlockdevCommonProps for storage slice
Use the new helper in qemuBlockStorageSourceGetBlockdevStorageSliceProps
to format the common bits.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:31:40 +01:00
Peter Krempa
ce153ef2ad qemu: block: Add helper to add common properties for -blockdev configuration
The new helper replaces qemuBlockStorageSourceGetBlockdevFormatCommonProps
and the two inline instances generating the common properties for a
blockdev layer.

The new helper is to be used for both the format layer and the storage
backing layer, thus a new parameter 'effective' switches between the
modes.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:31:29 +01:00
Peter Krempa
84df50dc87 qemuBlockStorageSourceGetBackendProps: Unify ordering of fields
Use the same ordering of the relevant fields as we do for the format
layer -blockdev so that later they can be refactored without test
fallout.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:31:10 +01:00
Peter Krempa
a175dfc487 virDomainDiskGetDetectZeroesMode: Return proper type
Change the return value type to 'virDomainDiskGetDetectZeroes'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:24:10 +01:00
Peter Krempa
16e57a98d0 qemuBlockStorageSourceGetBackendProps: Unify cases for '!onlytarget' and '!legacy'
At this point only a single code path (for formatting -drive for legacy
SD cards) uses the 'legacy' output and that code path doesn't populate
the node name. Thus we can unify the code block and simplify the JSON
formatters.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-11-02 15:24:09 +01:00
Andrea Bolognani
ca4cb3d7dc src: Remove duplicated VIR_REQUIRE_FLAG_GOTO() call
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2023-11-02 11:02:18 +01:00
Daniel P. Berrangé
e7facdca25 logging: lockdown the systemd service configuration
The 'systemd-analyze security' command looks at the unit file
configuration and reports on any settings which increase the
attack surface for the daemon. Since most systemd units are
fairly minimalist, this is generally informing us about settings
that we never put any thought into using before.

In its current configuration it reports

  # systemd-analyze security virtlogd.service
  ...snip...
  → Overall exposure level for virtlogd.service: 9.6 UNSAFE 😨

which is pretty terrible as a score.

If we apply all of the recommendations that appear possible
without (knowingly) breaking functionality it reports:

  # systemd-analyze security virtlogd.service
  ...snip...
  → Overall exposure level for virtlogd.service: 2.2 OK 🙂

which is a pretty decent improvement.

Some of the settings we would like to enable require a systemd
version that is newer than that available in our oldest distro
target - RHEL-8 at v239.

NB, RestrictSUIDSGID is technically newer than 239, but RHEL-8
backported it, and other distros we target have it by default.

Remaining recommendations are

✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)

  We block FOWNER/IPC_OWNER, but can't block the two DAC
  capabilities. Historically apps/users might point QEMU
  to log files in $HOME, pre-created with their own user
  ID.

✗ IPAddressDeny=

  Not required since RestrictAddressFamilies blocks IP
  usage. Ignoring this avoids the overhead of creating
  a traffic filter than will never be used.

✗ NoNewPrivileges=

  Highly desirable, but cannot enable it yet, because it
  will block the ability to transition to the virtlogd_t
  SELinux domain during execve. The SELinux policy needs
  fixing to permit this transition under NNP first.

✗ PrivateTmp=

  There is a decent chance people have VMs configured
  with a serial port logfile pointing at /tmp. We would
  cause a regression to use private /tmp for logging

✗ PrivateUsers=

  This would put virtlogd inside a user namespace where
  its root is in fact unprivileged. Same problem as the
  User= setting below

✗ ProcSubset=

  Libraries we link to might read certain non-PID related
  files from /proc

✗ ProtectClock=

  Requires v245

✗ ProtectHome=

  Same problem as PrivateTmp=. There's a decent chance
  that someone has a VM configured to write a logfile
  to /home

✗ ProtectHostname=

  Requires v241

✗ ProtectKernelLogs

  Requires v244

✗ ProtectProc

  Requires v247

✗ ProtectSystem=

  We only set it to 'full', as 'strict' is not viable for
  our required usage

✗ RootDirectory=/RootImage=

  We are not capable of running inside a custom chroot
  given needs to write log files to arbitrary places

✗ RestrictAddressFamilies=~AF_UNIX

  We need AF_UNIX to communicate with other libvirt daemons

✗ SystemCallFilter=~@resources

  We link to libvirt.so which links to libnuma.so which has
  a constructor that calls set_mempolicy. This is highly
  undesirable todo during a constructor.

✗ User=/DynamicUser=

  This is highly desirable, but we currently read/write
  logs as root, and directories we're told to write into
  could be anywhere. So using a non-root user would have
  a major risk of regressions for applications and also
  have upgrade implications

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2023-11-01 11:34:06 +00:00
Jiri Denemark
bfcf4be172 Post-release version bump to 9.10.0
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2023-11-01 10:42:48 +01:00