External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-08-27 02:51:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
4f9af0857c
libvirt/tests
History
Laine Stump 753ff83a50 network: use dnsmasq --bind-dynamic when available 
This bug resolves CVE-2012-3411, which is described in the following
bugzilla report:

  https://bugzilla.redhat.com/show_bug.cgi?id=833033

The following report is specifically for libvirt on Fedora:

  https://bugzilla.redhat.com/show_bug.cgi?id=874702

In short, a dnsmasq instance run with the intention of listening for
DHCP/DNS requests only on a libvirt virtual network (which is
constructed using a Linux host bridge) would also answer queries sent
from outside the virtualization host.

This patch takes advantage of a new dnsmasq option "--bind-dynamic",
which will cause the listening socket to be setup such that it will
only receive those requests that actually come in via the bridge
interface. In order for this behavior to actually occur, not only must
"--bind-interfaces" be replaced with "--bind-dynamic", but also all
"--listen-address" options must be replaced with a single
"--interface" option. Fully:

   --bind-interfaces --except-interface lo --listen-address x.x.x.x ...

(with --listen-address possibly repeated) is replaced with:

   --bind-dynamic --interface virbrX

Of course libvirt can't use this new option if the host's dnsmasq
doesn't have it, but we still want libvirt to function (because the
great majority of libvirt installations, which only have mode='nat'
networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
are immune to this vulnerability from anywhere beyond the local subnet
of the host), so we use the new dnsmasqCaps API to check if dnsmasq
supports the new option and, if not, we use the "old" option style
instead. In order to assure that this permissiveness doesn't lead to a
vulnerable system, we do check for non-private addresses in this case,
and refuse to start the network if both a) we are using the old-style
options, and b) the network has a publicly routable IP
address. Hopefully this will provide the proper balance of not being
disruptive to those not practically affected, and making sure that
those who *are* affected get their dnsmasq upgraded.

(--bind-dynamic was added to dnsmasq in upstream commit
54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
dnsmasq-2.63)
2012-11-29 15:02:39 -05:00
..
capabilityschemadata Update xml schemas according to libvirt source 2012-08-02 14:36:23 -06:00
commanddata command: shell-quote when logging commands 2012-08-31 08:10:58 -07:00
confdata Change the default of mdns_adv to false 2012-03-27 09:54:49 -06:00
cputestdata Removed more AMD-specific features from cpu64-rhel* models 2012-03-09 14:36:31 +01:00
domainschemadata parallels: implement containers creation 2012-09-13 21:19:58 +08:00
domainsnapshotxml2xmlin snapshot: new XML for external system checkpoint 2012-11-02 09:56:23 -06:00
domainsnapshotxml2xmlout snapshot: new XML for external system checkpoint 2012-11-02 09:56:23 -06:00
interfaceschemadata Update interface.rng and xml test files to match netcf 0.1.5 2010-01-19 21:13:03 +01:00
lxcxml2xmldata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
networkxml2argvdata network: use dnsmasq --bind-dynamic when available 2012-11-29 15:02:39 -05:00
networkxml2xmlin conf: parser/formatter/rng for <forward mode='hostdev'> 2012-08-17 15:43:26 -04:00
networkxml2xmlout conf: parser/formatter/rng for <forward mode='hostdev'> 2012-08-17 15:43:26 -04:00
nodedevschemadata Update xml schemas according to libvirt source 2012-08-02 14:36:23 -06:00
nodeinfodata nodeinfotest: Add test data from a AMD bulldozer machine. 2012-11-13 00:35:36 +01:00
nwfilterxml2xmlin nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
nwfilterxml2xmlout nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
qemuhelpdata qemuhelpdata: Revert my 'fix' 2012-11-23 09:25:20 +01:00
qemuxml2argvdata tests: Add tests for gluster protocol based network disks support 2012-11-27 10:19:22 +01:00
qemuxml2xmloutdata Remove probing of CPU models when launching QEMU guests 2012-09-27 10:24:52 +01:00
qemuxmlnsdata qemu: pass -usb and usb hubs earlier, so USB disks with static address are handled properly 2012-10-30 08:54:32 +01:00
sexpr2xmldata storage: treat 'aio' like 'raw' at parse time 2012-10-19 17:35:09 -06:00
storagepoolxml2xmlin Update xml schemas according to libvirt source 2012-08-02 14:36:23 -06:00
storagepoolxml2xmlout Update xml schemas according to libvirt source 2012-08-02 14:36:23 -06:00
storagevolxml2xmlin Added timestamps to storage volumes 2012-08-02 17:14:17 -06:00
storagevolxml2xmlout Add a sheepdog backend for the storage driver 2012-07-18 20:08:27 +01:00
vmx2xmldata vmx: handle shared folders parsing 2012-07-21 20:15:02 +02:00
xencapsdata Add suspend info to Xen, LXC and UML hypervisor capabilities 2011-11-30 10:12:30 +00:00
xmconfigdata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
xml2sexprdata Xen: Fix <clock> handling 2012-04-02 09:33:54 -06:00
xml2vmxdata vmx: handle shared folders formatting 2012-07-21 19:45:02 +02:00
.valgrind.supp tests: suppress more valgrind situations 2011-05-03 08:03:39 -06:00
capabilityschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
commandhelper.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
commandtest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
conftest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
cpuset use virBitmap to store cpumask info. 2012-09-17 14:59:37 -04:00
cputest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
define-dev-segfault numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
domainschematest Add LXC XML files to schema test & fix problems this uncovers 2012-03-27 15:52:25 +01:00
domainsnapshotschematest Domain snapshot RNG and tests. 2010-05-20 13:50:03 -04:00
domainsnapshotxml2xmltest.c Replace 'struct qemud_driver *' with virQEMUDriverPtr 2012-11-28 18:17:25 +00:00
esxutilstest.c build: properly skip tests 2011-12-01 13:49:20 -07:00
eventtest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
int-overflow tests: Don't use bash if we don't have to 2011-07-29 17:17:21 +02:00
interfaceschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
interfacexml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
jsontest.c Add test case for parsing JSON docs 2011-06-30 18:04:02 +01:00
libvirtd-fail Fix up "make check" 2009-10-07 12:18:13 +02:00
libvirtd-pool Fix up "make check" 2009-10-07 12:18:13 +02:00
libvirtdconftest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
lxcxml2xmltest.c build: silence recent syntax check violations 2012-03-29 21:23:59 -06:00
Makefile.am Introduce an internal API for handling file based lockspaces 2012-10-16 15:45:55 +01:00
networkschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
networkxml2argvtest.c util: capabilities detection for dnsmasq 2012-11-29 15:02:39 -05:00
networkxml2xmltest.c conf: parser/formatter/rng for <forward mode='hostdev'> 2012-08-17 15:43:26 -04:00
nodedevschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
nodedevxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
nodeinfotest.c nodeinfotest: Add test data from a AMD bulldozer machine. 2012-11-13 00:35:36 +01:00
nwfilterschematest nwfilter: Add filter schema for nwfilter XML, extend domain XML schema 2010-04-06 11:09:46 -04:00
nwfilterxml2xmltest.c nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
object-locking.ml maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
oomtrace.pl Remove tabs from all perl files & enforce this 2012-07-30 13:09:57 +01:00
openvzutilstest.c numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
openvzutilstest.conf openvz: Add simple test for openvzReadNetworkConf 2011-06-01 11:58:15 +02:00
pkix_asn1_tab.c Add a test case for certificate validation 2011-07-22 15:18:32 +01:00
qemuargv2xmltest.c Replace 'struct qemud_driver *' with virQEMUDriverPtr 2012-11-28 18:17:25 +00:00
qemuhelptest.c tests: update qemuhelptest data 2012-11-21 18:43:18 +01:00
qemumonitorjsontest.c Add a qemuMonitorGetCommands() method for QMP query-commands command 2012-09-27 11:04:32 +01:00
qemumonitortest.c qemu: unescape HMP commands before converting them to json 2012-02-27 16:06:02 -07:00
qemumonitortestutils.c tests: Remove temporary directories in qemumonitorjsontest 2012-11-13 09:32:15 +01:00
qemumonitortestutils.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
qemuxml2argvtest.c Replace 'struct qemud_driver *' with virQEMUDriverPtr 2012-11-28 18:17:25 +00:00
qemuxml2xmltest.c Replace 'struct qemud_driver *' with virQEMUDriverPtr 2012-11-28 18:17:25 +00:00
qemuxmlnstest.c Replace 'struct qemud_driver *' with virQEMUDriverPtr 2012-11-28 18:17:25 +00:00
read-bufsiz maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
read-non-seekable maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
reconnect.c tests: avoid xend ABRT crash report 2011-11-18 15:00:18 -07:00
schematestutils.sh tests: fix schema checks sorting 2011-12-22 13:01:09 -07:00
seclabeltest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
securityselinuxhelper.c selinux: Use raw contexts 2012-10-12 17:54:09 +02:00
securityselinuxtest.c selinux: Use raw contexts 2012-10-12 17:54:09 +02:00
sexpr2xmltest.c Convert public datatypes to inherit from virObject 2012-08-07 11:47:41 +01:00
shunloadhelper.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
shunloadtest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
sockettest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
ssh.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
start maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
statstest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
storagebackendsheepdogtest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
storagepoolschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
storagepoolxml2xmltest.c Add a sheepdog backend for the storage driver 2012-07-18 20:08:27 +01:00
storagevolschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
storagevolxml2xmltest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
test_conf.sh Make test suite output less verbose 2010-01-15 16:28:05 +00:00
test-lib.sh tests: simplify formatting 2011-07-11 09:21:37 -06:00
testutils.c Add metadata to virLogOutputFunc 2012-11-14 19:14:07 -07:00
testutils.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
testutilslxc.c capabilities: defaultConsoleTargetType can depend on architecture 2012-11-09 09:20:59 -07:00
testutilslxc.h Add support for setting init argv for LXC 2012-03-27 15:52:25 +01:00
testutilsqemu.c capabilities: defaultConsoleTargetType can depend on architecture 2012-11-09 09:20:59 -07:00
testutilsqemu.h remove all trailing blank lines 2009-07-16 15:06:42 +02:00
testutilsxen.c capabilities: defaultConsoleTargetType can depend on architecture 2012-11-09 09:20:59 -07:00
testutilsxen.h remove all trailing blank lines 2009-07-16 15:06:42 +02:00
utiltest.c build: avoid 'make syntax-check' failure 2011-07-01 16:46:20 -06:00
vcpupin maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
viratomictest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
virauthconfigtest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
virbitmaptest.c bitmap: fix typo to use UL type of integer constant in virBitmapIsAllSet 2012-11-28 18:30:28 +08:00
virbuftest.c buf: support peeking at string contents 2012-06-11 09:21:27 -06:00
virdrivermoduletest.c build: fix build --without-network 2012-11-26 14:01:23 +01:00
virhashdata.h Rename hash.h and hash.c to virhash.h and virhash.c 2012-01-26 14:11:13 +00:00
virhashtest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
virkeyfiletest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
virlockspacetest.c Introduce an internal API for handling file based lockspaces 2012-10-16 15:45:55 +01:00
virnetmessagetest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
virnetsockettest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
virnettlscontexttest.c Various typos and misspellings 2012-10-12 00:03:43 +02:00
virsh-all Don't check the 'connect' command in virsh-all test 2012-08-07 11:59:08 +01:00
virsh-optparse virsh: add snapshot-create-as memspec support 2012-11-07 09:04:18 -07:00
virsh-schedinfo maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
virsh-synopsis maint: avoid regression on copyright listings 2012-07-27 07:42:34 -06:00
virsh-undefine build: avoid confusing make with raw name 'undefine' 2012-09-12 11:27:22 -06:00
virshtest.c virsh: output scaled values with correct units 2012-05-01 14:58:14 -06:00
virt-aa-helper-test fix AppArmor driver for pipe character devices 2011-09-28 15:43:39 +08:00
virtimetest.c Remove spurious whitespace between function name & open brackets 2012-11-02 13:36:49 +00:00
viruritest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
vmx2xmltest.c capabilities: defaultConsoleTargetType can depend on architecture 2012-11-09 09:20:59 -07:00
xencapstest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
xmconfigtest.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
xml2sexprtest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
xml2vmxtest.c capabilities: defaultConsoleTargetType can depend on architecture 2012-11-09 09:20:59 -07:00