Commit Graph

32778 Commits

Author SHA1 Message Date
Daniel P. Berrangé
ae076bb40e remote: enforce ACL write permission for getting guest time & hostname
Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".

Fixes CVE-2019-3886
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:21:53 +01:00
Daniel P. Berrangé
2a07c990bd api: disallow virDomainGetHostname for read-only connections
The virDomainGetHostname API is fetching guest information and this may
involve use of an untrusted guest agent. As such its use must be
forbidden on a read-only connection to libvirt.

Fixes CVE-2019-3886
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:21:48 +01:00
Daniel P. Berrangé
ec59a95a2c docs: add advanced search capabilities
Allow targetting the search scope to the website, wiki or mailing lists
only. When javascript is disabled this should gracefully fallback to
only searching the website.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:20:17 +01:00
Daniel P. Berrangé
97e743ac14 docs: move javascript logic into a standalone file
Instead of duplicating javascript in every single page, put it in a
standalone file which can be cached by the browser.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:20:17 +01:00
Daniel P. Berrangé
db3d4f96c9 docs: ensure javascript files are included in dist & install rules
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:20:17 +01:00
Daniel P. Berrangé
d5cbf85f1a build-aux: ensure all scripts are included in EXTRA_DIST
Few of the scripts in build-aux are included in EXTRA_DIST. This is not
a serious problem since they are primarily tools intended for developers
upstream, and downstream builds won't need them. Having them missing,
however, complicates downstream patching because it means patches that
are auto-exported from git will fail to apply if they include a change
to a file in build-aux/.  By bundling all these scripts in the dist we
make patching more straightforward.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-11 15:20:17 +01:00
Pavel Hrdina
6d82b979d0 libvirtd.conf: remove extra # after log_outputs line
The only place where we have extra empty comment line.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-04-11 15:04:55 +02:00
Michal Privoznik
c14b5694b7 virsh: Add virshDomainShutdownModeCompleter
This completer is used to offer shutdown/reboot modes.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2019-04-11 08:54:34 +02:00
Cole Robinson
02b562514c tests: qemuxml2xml: make GIC handling optional
Make all users of GIC_X use ARG_GIC explicitly, and drop the
required gic parameter from DO_TEST_FULL

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:12:48 -04:00
Cole Robinson
ffa8ea8d5f tests: qemuxml2xml: Use testQemuInfoSetArgs
No functional change, just replacing the old custom infrastructure

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:12:48 -04:00
Cole Robinson
0bae87d674 tests: qemuxml2xml: Use struct testQemuInfo
The qemuxml2xml testInfo is now just a subset of testQemuInfo, so it's
a drop in replacement

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:12:48 -04:00
Cole Robinson
89effa6159 tests: add testQemuGetLatestCaps
Move the capslatest building from qemuxml2argv to testutilsqemu

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:12:42 -04:00
Cole Robinson
2b9d64096f tests: Move testQemuInfo* to testutilsqemu
So it can eventually be shared with qemuxml2xml

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
4234676a78 tests: qemuxml2argv: Rename testInfo* to testQemuInfo*
In preparation for moving these bits to a shared place, rename them
to match one of the testutilsqemu.c function prefixes. Rename
info->flags handling too as it will need to be moved

testInfoSetPaths isn't renamed because it will stay local

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
180bf85c72 tests: qemuxml2argv: add testInfoSetPaths
This moves infile and outfile building outside the test case,
which better fits the pattern of qemuxml2xmltest. It also lets us
drop the qemuxml2argtest-specific 'suffix' from testInfo

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
2d3ba1bf06 tests: qemuxml2argv: Add info->{in,out}file
Track infile and outfile in testInfo. This is step towards moving path
creation out of the test case, which will eventually help sharing more
code with qemuxml2xmltest.c

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
e231798b4f tests: qemuxml2xml: Remove info->outActiveName
Reuse info->outfile for it. This requires us to set paths before
each virTestRun invocation

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
ebf6df814e tests: qemuxml2xml: Add info->{in,out}file
Just renamed from existing inName and outActiveName

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Cole Robinson
05388311b6 tests: qemuxml2xml: Break out testInfoSet*Paths
These will need to be separate to share testInfo with qemuxml2argv

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-10 19:05:08 -04:00
Peter Krempa
17f160b288 util: json: Use VIR_APPEND_ELEMENT in virJSONValueObjectAppend
The function open-codes addition into an array. Use the helper instead.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
0ef161c88f qemu: block: Use VIR_RETURN_PTR
Demonstrate how VIR_RETURN_PTR is used by refactoring qemu_block.c

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
267f1e6da5 internal: Introduce VIR_RETURN_PTR
With the introduction of more and more internal data types which support
VIR_AUTOPTR it's becoming common to see the following pattern:

  VIR_AUTOPTR(virSomething) some = NULL
  virSomethingPtr ret = NULL;

  ... (ret is not touched ) ...

  VIR_STEAL_PTR(ret, some);
  return ret;

This patch introduces a macro named VIR_RETURN_PTR which returns the
pointer directly without the need for an explicitly defined return
variable and use of VIR_STEAL_PTR. Internally obviously a temporary
pointer is created to allow setting the original pointer to NULL so that
the VIR_AUTOPTR function does not free the memory which we want to
actually return.

The name of the temporary variable is deliberately long and complex to
minimize the possibility of collision.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
c9cec6a8b0 qemu: block: Remove unneeded cleanup jumps
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
6542fbe2d5 qemu: block: Add and use AUTOPTR func for qemuBlockNodeNameBackingChainData
This is a locally used helper struct but we can make use of automatic
freeing for it.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
7141bdd5bf qemu: block: Use VIR_AUTOFREE for char *
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
ae0c36ecbb qemu: block: Use VIR_AUTOPTR for virHashTablePtr
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
bc6eabbec3 qemu: block: Use VIR_AUTOPTR for virURIPtr
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
46bd9ee7d7 util: uri: Introduce VIR_AUTOPTR freeing function
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
e8ef1dd174 qemu: block: Use VIR_AUTOPTR for virJSONValue
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Peter Krempa
1d2eb86682 qemu: block: Introduce and use AUTOPTR func for qemuBlockStorageSourceAttachDataPtr
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:34:57 +02:00
Ján Tomko
e0befb78b1 qemuHotplugDiskSourceDataFree: also free backends
Also free the backends array, not just its members.

Fixes: d3f9dda2c9

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:28:50 +02:00
Ján Tomko
c264cb1b1c qemu: remove qemuGetDomainDefaultHugepath
It is no longer used.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:24:33 +02:00
Ján Tomko
07c6738460 qemu: do not fill in default pagesize in qemuGetDomainHupageMemPath
Commit 6864d8f740 moved this one level up
for qemuBuildMemoryBackendProps but left qemuBuildMemPathStr intact.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:24:33 +02:00
Ján Tomko
b261c9c3a0 qemu: rename function for getting the default hugepage size
Use qemuBuildMemoryGetDefaultPagesize.

Fixes: 6864d8f740
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 16:24:33 +02:00
Andrea Bolognani
947ea8665e tests: Fix MinGW build for domaincapstest
Commit 5b9819eedc started using the virFileWrapper APIs in
the test program, and correctly called them only in the section
of code guarded by WITH_QEMU; however, a single call to the
virFileWrapperClearPrefixes() function ended up in the
hypervisor-agnostic section, causing a build failure on MinGW.

Move the call to the QEMU-only section; while at it, also drop
the virFileWrapperRemovePrefix() calls, which are entirely
redundant since we'd drop all prefixes immediately afterwards
anyway.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
2019-04-10 16:08:13 +02:00
Michal Privoznik
5b9819eedc domain capabilities: Expose firmware auto selection feature
If a management application wants to use firmware auto selection
feature it can't currently know if the libvirtd it's talking to
support is or not. Moreover, it doesn't know which values that
are accepted for the @firmware attribute of <os/> when parsing
will allow successful start of the domain later, i.e. if the mgmt
application wants to use 'bios' whether there exists a FW
descriptor in the system that describes bios.

This commit then adds 'firmware' enum to <os/> element in
<domainCapabilities/> XML like this:

  <enum name='firmware'>
    <value>bios</value>
    <value>efi</value>
  </enum>

We can see both 'bios' and 'efi' listed which means that there
are descriptors for both found in the system (matched with the
machine type and architecture reported in the domain capabilities
earlier and not shown here).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2019-04-10 13:58:51 +02:00
Michal Privoznik
9c0d73bf49 qemu_firmware: Introduce qemuFirmwareGetSupported
The point of this API is to fetch all FW descriptors, parse them
and return list of supported interfaces and SMM feature for given
combination of machine type and guest architecture.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2019-04-10 13:58:30 +02:00
Michal Privoznik
2337309e04 qemu_firmware: Separate machine and arch matching into a function
This part of the code will be reused later.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2019-04-10 13:54:07 +02:00
Michal Privoznik
15e0b76480 qemu_firmware: Separate firmware loading into a function
This piece of code will be reused later.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2019-04-10 13:45:51 +02:00
Peter Krempa
f785318187 Revert "Include unistd.h directly by files using it"
This reverts commit a5e1602090.

Getting rid of unistd.h from our headers will require more work than
just fixing the broken mingw build. Revert it until I have a more
complete proposal.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2019-04-10 12:26:32 +02:00
Peter Krempa
a5e1602090 Include unistd.h directly by files using it
util/virutil.h bogously included unistd.h. Drop it and replace it by
including it directly where needed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:04 +02:00
Peter Krempa
285c5f28c4 util: Move enum convertors into virenum.(c|h)
virutil.(c|h) is a very gross collection of random code. Remove the enum
handlers from there so we can limit the scope where virtutil.h is used.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:04 +02:00
Peter Krempa
c0abcca417 util: Don't include 'viralloc.h' into other header files
'viralloc.h' does not provide any type or macro which would be necessary
in headers. Prevent leakage of the inclusion.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:04 +02:00
Peter Krempa
a4bfc2521f util: Move the VIR_AUTO(CLEAN|PTR) helper macros into a separate header
Keeping them with viralloc.h forcibly pulls in the other stuff from
viralloc.h into other header files. This in turn creates a mess
as more and more headers pull in the 'viral' header file.

If we want to make 'viralloc.h' omnipresent we should pick a different
approach.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:03 +02:00
Han Han
9895f00126 vmx: Define VMX_CONFIG_FORMAT_ARGV
Define VMX_CONFIG_FORMAT_ARGV to replace the hardcoded 'vmware-vmx'
string used by the domxml-X-native APIs. This follows the pattern used
by other drivers.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Han Han <hhan@redhat.com>
2019-04-09 15:30:04 -04:00
Michal Privoznik
9009858d5b docs: Add virt-lightning app
There was this introduction made on the users list:

https://www.redhat.com/archives/libvirt-users/2019-March/msg00046.html

Add the application onto the list of apps known to use libvirt.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
2019-04-09 16:59:49 +02:00
Peter Krempa
c3e1275b60 rpc: Refactor cleanup paths in virNetLibsshAuthenticatePassword
Now that the memory disposal is handled automatically we can simplify
the cleanup paths. In this case it's not as simple as sometimes the
value of the called function is returned.

While at it fix the initialization value of the returned variable.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-09 16:22:19 +02:00
Pavel Hrdina
99582f2403 cpu_map: rename x86_EPYC-IBRS file to x86_EPYC-IBPB
The later is the correct CPU model name.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-04-09 13:12:51 +02:00
Julio Faracco
692400f446 util: Fix uninitalized variable to avoid garbage
This commit fixes an unitialized variable to avoid garbage value
when virNetDevBridgeGet method returns error. When, that method fails
before initialize 'val' variable, it can cause problems related to
that.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-04-09 10:23:09 +02:00
Eric Blake
f66f70acbe snapshot: Fix use-after-free during snapshot delete
Commit b647d2195 introduced a use-after-free situation when the caller
is trying to delete a snapshot and its children: if the callback
function deletes the parent, it is no longer safe to query the parent
to learn which children also need to be deleted (where we previously
saved deleting the parent for last).  To fix the problem, while still
maintaining support for topological visits of callback functions, we
have to stash off any information needed for later traversal prior to
using a callback function (virDomainMomentForEachChild already does
this, it is only virDomainMomentActOnDescendant that was running into
problems).

Sadly, the testsuite did not cover the problem at the time. Worse,
even though I later added commit 280a2b41e to catch problems like
this, and even though that test is indeed sufficient to detect the
problem when run under valgrind or suitable MALLOC_PERTURB_ settings,
I'm guilty of not running the test in such an environment.  Thus,
v5.2.0 has a regression that could have been prevented had we used the
testsuite to its full power. On the bright side, deleting snapshots
requires ACL domain:snapshot, which is arguably as powerful as
domain:write, so I don't think this use-after-free forms a security
hole.

At some point, it would be nice to convert virDomainMomentObj into a
virObject, at which point, the solution is even simpler: add
virObjectRef/Unref around the callback. But as that will require
auditing even more places in the code, I went with the simplest patch
for the regression fix.

Fixes: b647d2195
Reported-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Tested-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
2019-04-08 14:19:18 -05:00