Commit Graph

30125 Commits

Author SHA1 Message Date
Ján Tomko
d025c10d54 api: disallow virDomainManagedSaveDefineXML on read-only connections
The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.

Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit db0b78457f)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 09:56:23 +02:00
Ján Tomko
6a028b6e82 api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032ce)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 09:56:23 +02:00
Daniel P. Berrangé
ec58805400 logging: restrict sockets to mode 0600
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit e37bd65f99)
2019-05-21 13:30:02 +01:00
Daniel P. Berrangé
618358632b locking: restrict sockets to mode 0600
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f111e09468)
2019-05-21 13:30:01 +01:00
Daniel P. Berrangé
d1017aeee9 admin: reject clients unless their UID matches the current UID
The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 96f41cd765)
2019-05-21 13:30:01 +01:00
Luyao Huang
35176b5c78 virDomainConfNWFilterInstantiate: initialize @xml to avoid random crash
If the code jump to the cleanup before assigning value to @xml
libvirtd may crash when it tries to free an uninitialized pointer.

backtrace:

0  0x00007ffff428d59c in free () from /lib64/libc.so.6
1  0x00007ffff721314a in virFree (ptrptr=ptrptr@entry=0x7fffc67f1b00) at util/viralloc.c:582
2  0x00007ffff7345ac4 in virDomainConfNWFilterInstantiate (vmname=<optimized out>,
   vmuuid=vmuuid@entry=0x7fffc0181ca8 "߉\237\\۔H\262\206z\340\302f\265\233z", net=<optimized out>,
   ignoreExists=ignoreExists@entry=true) at conf/domain_nwfilter.c:122
3  0x00007fffca5a77f6 in qemuProcessFiltersInstantiate (ignoreExists=true, def=0x7fffc0181ca0) at qemu/qemu_process.c:3028
4  qemuProcessReconnect (opaque=<optimized out>) at qemu/qemu_process.c:7653
5  0x00007ffff72c4895 in virThreadHelper (data=<optimized out>) at util/virthread.c:206
6  0x00007ffff45dcdd5 in start_thread () from /lib64/libpthread.so.0
7  0x00007ffff4305ead in clone () from /lib64/libc.so.6

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit d7557f5f6f)
2018-07-06 14:31:47 +01:00
Daniel P. Berrangé
6aedf9bfad qemu: fix UNIX socket chardevs operating in client mode
When support was adding for passing a pre-opened listener socket to UNIX
chardevs, it accidentally passed the listener socket for client mode
chardevs too with predictable amounts of fail resulting. This affects
libvirt when using QEMU >= 2.12

Expand the unit test coverage to validate that we are only doing FD
passing when operating in server mode.

  https://bugzilla.redhat.com/show_bug.cgi?id=1598440

Tested-by: Richard W.M. Jones <rjones@redhat.com>
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1bc1a7e320)
2018-07-06 14:31:35 +01:00
Daniel P. Berrangé
78920738ca qemu: don't use chardev FD passing for vhostuser backend
QEMU chardevs have a bug which makes the vhostuser backend complain
about lack of support for FD passing when validating the chardev.
While this is ultimately QEMU's responsibility to fix, libvirt needs to
avoid tickling the bug.

Simply disabling chardev FD passing just for vhostuser's chardev is
the most prudent approach, avoiding need for a QEMU version number
check.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit ed5aa85f37)
2018-07-06 14:31:29 +01:00
Daniel P. Berrangé
88924317f3 qemu: consolidate parameters of qemuBuildChrChardevStr into flags
There are two boolean parameters passed to qemuBuildChrChardevStr,
and soon there will be a third. It will be clearer to understand
from callers' POV if we use named flags instead.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 0140d4c59b)
2018-07-06 14:31:23 +01:00
Daniel P. Berrangé
941ca31e90 qemu: remove chardevStdioLogd param from vhostuser code path
The vhostuser network backend is only supported with the UNIX domain
socket chardev backend, so passing around chardevStdioLogd is not
required.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 4c76266bac)
2018-07-06 14:31:15 +01:00
Daniel P. Berrangé
3818514602 qemu: don't use chardev FD passing with standalone args
When using domxml-to-native, we must generate CLI args that can be used
in a standalone scenario. This means no FD passing can be used. To
achieve this we must clear the QEMU_CAPS_CHARDEV_FD_PASS capability bit.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 7ac08cc929)
2018-07-06 14:30:43 +01:00
Daniel Veillard
6a32f5b89d Release of libvirt-4.5.0
- docs/news.xml: updated for the release

Signed-off-by: Daniel Veillard <veillard@redhat.com>
2018-07-02 22:11:33 +02:00
Andrea Bolognani
04e10e8714 news: Update for 4.5.0 release
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-07-02 17:42:30 +02:00
Jiri Denemark
5f99821911 qemu_migration: Check for active domain after talking to remote daemon
Once we called qemuDomainObjEnterRemote to talk to the destination
daemon during a peer to peer migration, the vm lock is released and we
only hold an async job. If the source domain dies at this point the
monitor EOF callback is allowed to do its job and (among other things)
clear all private data irrelevant for stopped domain. Thus when we call
qemuDomainObjExitRemote, the domain may already be gone and we should
avoid touching runtime private data (such as current job info).

In other words after acquiring the lock in qemuDomainObjExitRemote, we
need to check the domain is still alive. Unless we're doing offline
migration.

https://bugzilla.redhat.com/show_bug.cgi?id=1589730

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2018-07-02 11:53:21 +02:00
Jiri Denemark
e05ed21623 qemu_migration: Rename 'offline' variable in SrcPerformPeer2Peer
The variable is used to store the offline migration capability of the
destination daemon. Let's call it 'dstOffline' so that we can later use
'offline' to indicate whether we were asked to do offline migration.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2018-07-02 11:52:30 +02:00
Michal Privoznik
cb7a4ac4fb qemu: Allow cachetune only for KVM domains
https://bugzilla.redhat.com/show_bug.cgi?id=1541921

In TCG mode, there are no vCPU threads and thus there's nothing
to be placed into resctrl group. Forbid such configuration.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-28 17:06:52 +02:00
Jiri Denemark
57d90e3e05 qemu: Report error on unexpected job stats type
If we ever fail to properly set jobinfo->statsType,
qemuDomainJobInfoToParams would return -1 without setting an error.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2018-06-28 15:27:59 +02:00
Stefan Berger
43b0b4f834 security: Add swtpm paths to the domain's AppArmor profile
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.

Both, QEMU and swtpm, use this AppArmor profile.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-06-28 06:50:43 -04:00
Julio Faracco
f8c65481d5 nwfilter: variable 'obj' must be initialized inside nwfilterBindingCreateXML().
The function nwfilterBindingCreateXML() is failing to compile due to a
conditional branch which leads to an undefined 'obj' variable. So 'obj'
must have an initial value to avoid compilation errors. See the problem:

  CC       nwfilter/libvirt_driver_nwfilter_impl_la-nwfilter_driver.lo
nwfilter/nwfilter_driver.c:752:9: error: variable 'obj' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
    if (virNWFilterBindingCreateXMLEnsureACL(conn, def) < 0)
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nwfilter/nwfilter_driver.c:779:10: note: uninitialized use occurs here
    if (!obj)
         ^~~
nwfilter/nwfilter_driver.c:752:5: note: remove the 'if' if its condition is always false
    if (virNWFilterBindingCreateXMLEnsureACL(conn, def) < 0)
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nwfilter/nwfilter_driver.c:742:33: note: initialize the variable 'obj' to silence this warning
    virNWFilterBindingObjPtr obj;
                                ^
                                 = NULL

This commit initialized 'obj' with NULL to fix the error properly.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2018-06-28 09:44:28 +02:00
Michal Privoznik
4ad54a417a conf: Forbid device alias change on device-update
https://bugzilla.redhat.com/show_bug.cgi?id=1585108

When updating a live device users might pass different alias than
the one the device has. Currently, this is silently ignored which
goes against our behaviour for other parts of the device where we
explicitly allow only certain changes and error out loudly on
anything else.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-06-27 16:43:09 +02:00
Michal Privoznik
5e9b150fe0 conf: Reintroduce action to virDomainDefCompatibleDevice
This was lost in c57f3fd2f8. But now we are going to
need it again (except the DETACH action where checking for device
compatibility does not make much sense anyway).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-06-27 16:42:27 +02:00
Michal Privoznik
84de7fbfdb qemuDomainUpdateDeviceFlags: Parse device as live if needed
When updating device it's worth parsing live info too as users
might want to update it as well.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-06-27 15:57:49 +02:00
Pavel Hrdina
36e92adc7e spec: list new nwfilter schema files
Commit <41d619e99c2015eab2d56bea874e23ba9f52f829> introduced new RNG
schema files for nwfilter but forgot to update spec file.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2018-06-27 10:42:52 +02:00
Cole Robinson
a7d6c48dad syms: Fix placement of virDomainGetBlkioParametersAssignFromDef
It's in the domain_addr.h section, but should be in the
domain_conf.h section

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2018-06-26 15:54:41 -04:00
Bjoern Walk
8a1acc7ebc qemu: hotplug: fix mdev attach for vfio-ccw
Mediated devices of model 'vfio-ccw' are using CCW addresses, so make
sure to call the correct address preparation code for the model.

Reviewed-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Signed-off-by: Bjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-06-26 14:57:32 -04:00
John Ferlan
5c73acec32 docs: Add news article for volume encryption modifications
Include both the domain and storage modifications in a "Removed
features" section as well as describing the improvement to allow
using a raw input volume to create the luks encrypted volume.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
39cef12a95 storage: Add support for using inputvol for encryption
Starting with QEMU 2.9, encryption convert processing requires
a multi-step process in order to generate an encrypted image from
some non encrypted raw image.

Processing requires to first create an encrypted image using the
sizing parameters from the input source and second to use the
--image-opts, -n, and --target-image-opts options along with inline
driver options to describe the input and output files, generating
two commands such as:

  $ qemu-img create -f luks \
      --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \
      -o key-secret=demo.img_encrypt0 \
      demo.img 500K
  Formatting 'demo.img', fmt=luks size=512000 key-secret=demo.img_encrypt0
  $ qemu-img convert --image-opts -n --target-image-opts \
      --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \
      driver=raw,file.filename=sparse.img \
      driver=luks,file.filename=demo.img,key-secret=demo.img_encrypt0
  $

This patch handles the convert processing by running the processing
in a do..while loop essentially reusing the existing create logic and
arguments to create the target vol from the inputvol and then converting
the inputvol using new arguments.

This then allows the following virsh command to work properly:

  virsh vol-create-from default encrypt1-luks.xml data.img --inputpool default

where encrypt1-luks.xml would provided the path and secret for
the new image, while data.img would be the source image.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
40f0e0348d storage: Remove storageBackendGenerateSecretData
Since we no longer support creating qcow2 encryption format
volumes, we no longer have to possibly create some secret and
have no real need for the function, so move the remaining
functionality to build the secret path back into the caller
storageBackendCreateQemuImg.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
9b753116f0 storage: Clean up storageBackendCreateQemuImgOpts
Since we only generate the @encinfo when there's a secret object
and thus we need to reference it in the options,

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
9fe597dd09 storage: Clean up storageBackendCreateQemuImgCheckEncryption
Remove the checks for qcow encryption since both callers (create
and resize) would have already disallowed usage.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
8f83af6823 storage: Disallow create/resize of qcow2 encrypted images
https://bugzilla.redhat.com/show_bug.cgi?id=1526382

Since commit c4eedd793 disallowed qcow2 encrypted images to be
used for domains, it no longer makes sense to allow a qcow2
encrypted volume to be created or resized.

Add a test that will exhibit the failure of creation as well
as the xml2xml validation of the format still being correct.

Update the documentation to note the removal of the capability
to create and use qcow/default encrypted volumes.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
a02d879858 tests: Remove qcow2 encryption from storagevol tests
We're about to disallow creation of a qcow2 encrypted storage
volume, so let's remove the qcow encryption element from the
tests which are testing whether other format='qcow2' related
features work properly.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
af0e6580cd storage: Rename encryption info variable for clarity
Change from @enc to @encinfo leaving @enc for the vol->target.encryption
in the storageBackendCreateQemuImgSetOptions code path.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
23e9aa7297 tests: Add luks creation examples to storagevolxml2argvtest
Add the storagevolxml2xmltest "luks" and "luks-cipher" tests
to the storagevolxml2argvtest.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
John Ferlan
b056e09b28 storage: Don't allow encryption secretPath to be NULL
Allowing a NULL @secretPath for virStorageBackendCreateQemuImgCmdFromVol
would result in a generated command line with a dangling "file=" output.
So let's make sure the @secretPath exists before processing.

This means we should pass a dummy path from the storage test.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:02:43 -04:00
Cole Robinson
5b603a7870 domain_addr: Fix weird comment format
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2018-06-26 13:59:50 -04:00
Daniel P. Berrangé
f14c37ce4c nwfilter: convert virt drivers to use public API for nwfilter bindings
Remove the callbacks that the nwfilter driver registers with the domain
object config layer. Instead make the current helper methods call into
the public API for creating/deleting nwfilter bindings.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:17:23 +01:00
Daniel P. Berrangé
2d9318b6ce nwfilter: wire up new APIs for creating and deleting nwfilter bindings
This allows the virsh commands nwfilter-binding-create and
nwfilter-binding-delete to be used.

Note using these commands lets you delete filters that were
previously created automatically by the virt drivers, or add
filters for VM nics that were not there before. Generally it
is expected these new APIs will only be used by virt drivers.
It is the admin's responsibility to not shoot themselves in
the foot.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:17:21 +01:00
Daniel P. Berrangé
f61ea979a4 nwfilter: wire up new APIs for listing and querying filter bindings
Wire up the ListAll, LookupByPortDev and GetXMLDesc APIs to allow the
virsh nwfilter-binding-list & nwfilter-binding-dumpxml commands to
work.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:17:21 +01:00
Daniel P. Berrangé
3df907bfff nwfilter: remove virt driver callback layer for rebuilding filters
Now that the nwfilter driver keeps a list of bindings that it has
created, there is no need for the complex virt driver callbacks. It is
possible to simply iterate of the list of recorded filter bindings.

This means that rebuilding filters no longer has to acquire any locks on
the virDomainObj objects, as they're never touched.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:17:20 +01:00
Daniel P. Berrangé
57f5621f46 nwfilter: keep track of active filter bindings
Currently the nwfilter driver does not keep any record of what filter
bindings it has active. This means that when it needs to recreate
filters, it has to rely on triggering callbacks provided by the virt
drivers. This introduces a hash table recording the virNWFilterBinding
objects so the driver has a record of all active filters.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:17:13 +01:00
Daniel P. Berrangé
ec7c01832c virsh: add manpage docs for nwfilter-binding commands.
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 18:16:50 +01:00
Anya Harter
c3427c4a85 qemu: Escape commas for qemuBuildSCSIiSCSIHostdevDrvStr
Add comma escaping for netsource. This is done here because
qemuBuildNetworkDriveStr has other external callers which
may not expect an escaped comma; however, this particular
command building path needs to perform the escaping for the
hostdev command line, so we do it now to ensure src->path
and src->host->name are covered.

Signed-off-by: Anya Harter <aharter@redhat.com>
2018-06-26 11:04:38 -04:00
Anya Harter
6b770f9a3b qemu: use virBuffer in qemuBuildSCSIiSCSIHostdevDrvStr
Instead of source to enable use of virBuffer functions in
string construction.

Signed-off-by: Anya Harter <aharter@redhat.com>
2018-06-26 11:04:38 -04:00
Michal Privoznik
2d5b332312 qemuDomainObjBeginJobInternal: Report agent job in error message
If a thread is unable to acquire a job (e.g. because of timeout)
an error is reported and the error message contains reference to
the other thread holding the job. Well, the error message should
report agent job too as it is yet another source of possible
failure.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-06-26 15:10:17 +02:00
Chen Hanxiao
9e6b432d01 set-lifecycle-action: add description of type and action
In [1], <type> are described as "on_poweroff", "on_reboot",
"on_crash". but we accept "poweroff", "reboot" and "crash".
This patch adds documentation for them.

[1]: https://libvirt.org/formatdomain.html#elementsEvents

Signed-off-by: Chen Hanxiao <chenhanxiao@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2018-06-26 14:10:17 +02:00
Daniel P. Berrangé
c21679fa3f conf: introduce a virNWFilterBindingObjListPtr struct
Introduce a new struct to act as the manager of a collection of
virNWFilterBindingObjPtr objects.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 11:22:07 +01:00
Daniel P. Berrangé
191b4396d3 conf: introduce a virNWFilterBindingObjPtr struct
Introduce a new struct to act as the stateful owner of the
virNWFilterBindingDefPtr objects.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 11:22:07 +01:00
Daniel P. Berrangé
c0fa7713b8 conf: report an error if nic needs filtering by no driver is present
If a <interface> includes a filter name but the nwfilter driver is not
present we silently do nothing. This is very bad, because an application
that thinks it is protected by malicious guest traffic will in fact be
vulnerable. Reporting an error gives the administrator the ability to
know there is a problem and fix it.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 11:22:07 +01:00
Daniel P. Berrangé
fca9afa084 nwfilter: convert DHCP address snooping code to virNWFilterBindingDefPtr
Use the virNWFilterBindingDefPtr struct in the DHCP address snooping code
directly.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 11:22:07 +01:00