[libvirt] [PATCH v2] selinux: Avoid label reservations for type = none
by Shivaprasad G Bhat
For security type='none' libvirt according to the docs should not generate seclabel be it for selinux or any model. So, skip the reservation of labels when type is none.
Signed-off-by: Shivaprasad G Bhat <sbhat(a)linux.vnet.ibm.com>
---
src/security/security_selinux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e8c13db..c21e4fe 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -731,7 +731,9 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (!seclabel ||
+ seclabel->type == VIR_DOMAIN_SECLABEL_NONE ||
+ seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
if (getpidcon_raw(pid, &pctx) == -1) {
10 years, 1 month
[libvirt] [PATCH RFC] qemu: make time adjustment persistent if RTC changes in guest
by Wang Rui
Domain's clock xml is as below.
<clock offset='variable' basis='utc' adjustment='10'/>
If the guest modifies its RTC, libvirt will hanlde the time offset
and save the active status in qemuProcessHandleRTCChange(). However,
libvirt won't save the persistent config. So next time when vm is
restarted(shutdown and start), the time adjuestment(RTC change)
set by user will be lost.
This patch make the adjustment persistent for persistent domain.
Signed-off-by: Wang Rui <moon.wangrui(a)huawei.com>
---
I'm not sure about the current purpose so I sent a RFC patch. Is it
for some reason that RTC change from guest isn't saved to persistent
config ?
I have tested this patch by changing RTC, starting, shutting down and
migrating. It seems good. There's only a nit I have found. Some guests
will set hardware clock to current system time when shut down. So if
hardware clock is different from system clock(the difference doesn't
come from user setting, maybe from clock shift by system), the
persistent config file will be saved to a new adjustment after shutdown
with this patch. But I think the hypervisor or guest OS should fix
the nit, not libvirt.
---
src/qemu/qemu_process.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 407da5e..b03bf02 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -863,7 +863,13 @@ qemuProcessHandleRTCChange(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
vm->def->clock.data.variable.adjustment = offset;
if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir, vm) < 0)
- VIR_WARN("unable to save domain status with RTC change");
+ VIR_WARN("unable to save domain status with RTC change");
+
+ if (vm->persistent && vm->newDef) {
+ vm->newDef->clock.data.variable.adjustment = offset;
+ if (virDomainSaveConfig(cfg->configDir, vm->newDef) < 0)
+ VIR_WARN("unable to save domain config with RTC change");
+ }
}
event = virDomainEventRTCChangeNewFromObj(vm, offset);
--
1.7.12.4
10 years, 1 month
[libvirt] [PATCH] Don't include non-migratable features in host-model
by Ján Tomko
Commit fba6bc4 introduced supoprt for the 'invtsc' feature,
which blocks migration. We should not include it in the
host-model CPU by default, because it's intended to be used
with migration.
https://bugzilla.redhat.com/show_bug.cgi?id=1138221
---
src/cpu/cpu_map.xml | 2 +-
src/cpu/cpu_x86.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++-----
2 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
index 12987a0..18c7b0d 100644
--- a/src/cpu/cpu_map.xml
+++ b/src/cpu/cpu_map.xml
@@ -328,7 +328,7 @@
</feature>
<!-- Advanced Power Management edx features -->
- <feature name='invtsc'>
+ <feature name='invtsc' migratable='no'>
<cpuid function='0x80000007' edx='0x00000100'/>
</feature>
diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
index af2e08e..21a7007 100644
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
@@ -89,6 +89,7 @@ struct x86_map {
struct x86_vendor *vendors;
struct x86_feature *features;
struct x86_model *models;
+ struct x86_feature *migrate_blockers;
};
static struct x86_map* virCPUx86Map = NULL;
@@ -592,6 +593,28 @@ x86FeatureFree(struct x86_feature *feature)
static struct x86_feature *
+x86FeatureCopy(const struct x86_feature *src)
+{
+ struct x86_feature *feature;
+
+ if (VIR_ALLOC(feature) < 0)
+ return NULL;
+
+ if (VIR_STRDUP(feature->name, src->name) < 0)
+ goto error;
+
+ if ((feature->data = x86DataCopy(src->data)) == NULL)
+ goto error;
+
+ return feature;
+
+ error:
+ x86FeatureFree(feature);
+ return NULL;
+}
+
+
+static struct x86_feature *
x86FeatureFind(const struct x86_map *map,
const char *name)
{
@@ -677,6 +700,9 @@ x86FeatureLoad(xmlXPathContextPtr ctxt,
int ret = 0;
size_t i;
int n;
+ char *str = NULL;
+ bool migratable = true;
+ struct x86_feature *migrate_blocker = NULL;
if (!(feature = x86FeatureNew()))
goto error;
@@ -694,6 +720,10 @@ x86FeatureLoad(xmlXPathContextPtr ctxt,
goto ignore;
}
+ str = virXPathString("string(@migratable)", ctxt);
+ if (STREQ_NULLABLE(str, "no"))
+ migratable = false;
+
n = virXPathNodeSet("./cpuid", ctxt, &nodes);
if (n < 0)
goto ignore;
@@ -710,6 +740,14 @@ x86FeatureLoad(xmlXPathContextPtr ctxt,
goto error;
}
+ if (!migratable) {
+ if ((migrate_blocker = x86FeatureCopy(feature)) == NULL)
+ goto error;
+
+ migrate_blocker->next = map->migrate_blockers;
+ map->migrate_blockers = migrate_blocker;
+ }
+
if (map->features == NULL) {
map->features = feature;
} else {
@@ -720,6 +758,7 @@ x86FeatureLoad(xmlXPathContextPtr ctxt,
out:
ctxt->node = ctxt_node;
VIR_FREE(nodes);
+ VIR_FREE(str);
return ret;
@@ -728,6 +767,7 @@ x86FeatureLoad(xmlXPathContextPtr ctxt,
ignore:
x86FeatureFree(feature);
+ x86FeatureFree(migrate_blocker);
goto out;
}
@@ -1093,6 +1133,12 @@ x86MapFree(struct x86_map *map)
x86VendorFree(vendor);
}
+ while (map->migrate_blockers != NULL) {
+ struct x86_feature *migrate_blocker = map->migrate_blockers;
+ map->migrate_blockers = migrate_blocker->next;
+ x86FeatureFree(migrate_blocker);
+ }
+
VIR_FREE(map);
}
@@ -2025,16 +2071,15 @@ x86UpdateHostModel(virCPUDefPtr guest,
const virCPUDef *host)
{
virCPUDefPtr oldguest = NULL;
+ const struct x86_map *map;
+ const struct x86_feature *feat;
size_t i;
int ret = -1;
guest->match = VIR_CPU_MATCH_EXACT;
- /* no updates are required */
- if (guest->nfeatures == 0) {
- virCPUDefFreeModel(guest);
- return virCPUDefCopyModel(guest, host, true);
- }
+ if (!(map = virCPUx86GetMap()))
+ goto cleanup;
/* update the host model according to the desired configuration */
if (!(oldguest = virCPUDefCopy(guest)))
@@ -2044,6 +2089,14 @@ x86UpdateHostModel(virCPUDefPtr guest,
if (virCPUDefCopyModel(guest, host, true) < 0)
goto cleanup;
+ /* Remove non-migratable features by default */
+ for (i = 0; i < guest->nfeatures; i++) {
+ for (feat = map->migrate_blockers; feat; feat = feat->next) {
+ if (STREQ(feat->name, guest->features[i].name))
+ VIR_DELETE_ELEMENT_INPLACE(guest->features, i, guest->nfeatures);
+ }
+ }
+
for (i = 0; i < oldguest->nfeatures; i++) {
if (virCPUDefUpdateFeature(guest,
oldguest->features[i].name,
--
1.8.5.5
10 years, 1 month
[libvirt] [PATCH 1/1] libvirtd crash when defining scsi storage pool
by Pradipta Kr. Banerjee
libvirtd crashes when there is an existing SCSI pool
with adapter type as 'scsi_host' and defining a new SCSI pool with adapter
type as 'fc_host' and parent attribute missing.
For eg when defining a storage-pool with the following XML will crash libvirtd
if there already exists a SCSI pool with adapter type 'scsi_host'
<pool type='scsi'>
<name>TEST_SCSI_FC_POOL</name>
<source>
<adapter type='fc_host' wwnn='1234567890abcdef' wwpn='abcdef1234567890'/>
</source>
<target>
<path>/dev/disk/by-path</path>
</target>
</pool>
This happens because for fc_host, adapter 'name' is not relevant whereas
for scsi_host its mandatory attribute. However the check in libvirt for
finding duplicate storage pools doesn't take that into account while comparing,
resulting into crash
This patch fixes the issue
Signed-off-by: Pradipta Kr. Banerjee <bpradip(a)in.ibm.com>
---
src/conf/storage_conf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c
index 8b6fd79..54a4589 100644
--- a/src/conf/storage_conf.c
+++ b/src/conf/storage_conf.c
@@ -2126,8 +2126,10 @@ virStoragePoolSourceFindDuplicate(virStoragePoolObjListPtr pools,
STREQ(pool->def->source.adapter.data.fchost.wwpn,
def->source.adapter.data.fchost.wwpn))
matchpool = pool;
- } else if (pool->def->source.adapter.type ==
- VIR_STORAGE_POOL_SOURCE_ADAPTER_TYPE_SCSI_HOST){
+ } else if ((pool->def->source.adapter.type ==
+ VIR_STORAGE_POOL_SOURCE_ADAPTER_TYPE_SCSI_HOST)\
+ && (def->source.adapter.type ==
+ VIR_STORAGE_POOL_SOURCE_ADAPTER_TYPE_SCSI_HOST)) {
if (STREQ(pool->def->source.adapter.data.name,
def->source.adapter.data.name))
matchpool = pool;
--
1.9.3
10 years, 1 month
[libvirt] libvirt-qemu.so subject to sVirt?
by bancfc@openmailbox.org
Hello. I am thinking about using the feature of passing through qemu
commands via libvirt. Before I do that I want to make sure that it
doesn't have negative security implications.
I understand that talking to qemu-kvm directly via commandline strips
vms from having sVirt protections applied.
Is use of this feature the same case?
10 years, 1 month
[libvirt] [PATCH 0/2] syntax check: hanging braces
by Eric Blake
Another case where it is worth enforcing a common existing
style, and documenting it in HACKING. Here, there were
fewer offenders, so the series is not split in as many pieces.
Obviously depends on my earlier series for if-else {} checks,
as otherwise this will detect several 'else' as lacking a
hanging brace.
Eric Blake (2):
maint: use hanging curly braces
maint: tighten curly brace syntax checking
HACKING | 27 +++++++++++++++++++++++++++
cfg.mk | 18 ++++++++++++------
docs/hacking.html.in | 31 +++++++++++++++++++++++++++++++
src/conf/domain_conf.c | 6 ++----
src/interface/interface_backend_netcf.c | 9 +++------
src/network/bridge_driver.c | 3 +--
src/util/virfile.c | 3 +--
src/util/virnetdev.c | 3 +--
src/util/virnetdevmacvlan.c | 5 ++---
src/util/virtypedparam.c | 3 +--
src/util/virutil.c | 6 ++----
src/vbox/vbox_common.c | 4 ++--
tests/seclabeltest.c | 6 ++----
13 files changed, 87 insertions(+), 37 deletions(-)
--
1.9.3
10 years, 1 month
[libvirt] [PATCH 0/2] Yet another seclabel patchset
by Michal Privoznik
*** BLURB HERE ***
Michal Privoznik (2):
conf: Fix even implicit labels
tests: Add test cases for previous commit
src/conf/domain_conf.c | 7 +++
.../qemuhotplug-hotplug-base+disk-scsi.xml | 2 +-
.../qemuhotplug-hotplug-base+disk-usb.xml | 2 +-
.../qemuhotplug-hotplug-base+disk-virtio.xml | 2 +-
.../qemuxml2argvdata/qemuxml2argv-hotplug-base.xml | 2 +-
.../qemuxml2argv-seclabel-dynamic-none-relabel.xml | 53 ++++++++++++++++++++++
...emuxml2xmlout-seclabel-dynamic-none-relabel.xml | 53 ++++++++++++++++++++++
.../qemuxml2xmlout-seclabel-dynamic-relabel.xml | 28 ++++++++++++
.../qemuxml2xmlout-seclabel-none.xml | 28 ++++++++++++
tests/qemuxml2xmltest.c | 5 +-
tests/testutilsqemu.c | 10 ++++
11 files changed, 186 insertions(+), 6 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-none-relabel.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-none-relabel.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-relabel.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-none.xml
--
1.8.5.5
10 years, 1 month
[libvirt] [PATCH 0/6] syntax check: catch mismatched {} in if-else
by Eric Blake
After complaining about it in a recent review, I decided to
automate things.
Eric Blake (6):
maint: use consistent if-else braces in conf and friends
maint: use consistent if-else braces in qemu
maint: use consistent if-else braces in xen and friends
maint: use consistent if-else braces in lxc, vbox, phyp
maint: use consistent if-else braces in remaining spots
maint: enforce previous if-else {} cleanups
cfg.mk | 7 ++++
daemon/stream.c | 6 ++--
src/conf/domain_conf.c | 30 ++++++++---------
src/conf/interface_conf.c | 56 ++++++++++++++++---------------
src/conf/node_device_conf.c | 4 +--
src/conf/nwfilter_conf.c | 27 ++++++++++-----
src/conf/secret_conf.c | 12 +++----
src/cpu/cpu_x86.c | 18 +++++-----
src/esx/esx_vi_types.c | 6 ++--
src/libxl/libxl_conf.c | 12 +++----
src/lxc/lxc_driver.c | 24 ++++++-------
src/lxc/lxc_fuse.c | 34 ++++++++++---------
src/network/bridge_driver.c | 8 ++---
src/node_device/node_device_hal.c | 3 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 4 +--
src/nwfilter/nwfilter_gentech_driver.c | 5 +--
src/phyp/phyp_driver.c | 45 ++++++++++++++-----------
src/qemu/qemu_capabilities.c | 6 ++--
src/qemu/qemu_command.c | 56 +++++++++++++++++--------------
src/qemu/qemu_driver.c | 36 ++++++++++----------
src/qemu/qemu_hotplug.c | 9 ++---
src/qemu/qemu_monitor_text.c | 30 ++++++-----------
src/qemu/qemu_process.c | 3 +-
src/remote/remote_driver.c | 14 ++++----
src/rpc/virnetsocket.c | 18 +++++-----
src/security/virt-aa-helper.c | 14 ++++----
src/storage/storage_backend_disk.c | 4 +--
src/uml/uml_driver.c | 4 +--
src/util/viralloc.c | 6 ++--
src/util/virbuffer.c | 6 ++--
src/util/virdbus.c | 4 +--
src/util/virnetdev.c | 4 +--
src/util/virnetdevvportprofile.c | 3 +-
src/util/virpci.c | 10 +++---
src/util/virsocketaddr.c | 8 ++---
src/util/viruri.c | 38 ++++++++++-----------
src/vbox/vbox_common.c | 12 +++----
src/vbox/vbox_tmpl.c | 3 +-
src/xen/xen_hypervisor.c | 18 +++++-----
src/xen/xend_internal.c | 20 +++++------
src/xenapi/xenapi_driver.c | 13 ++++---
src/xenconfig/xen_common.c | 8 ++---
src/xenconfig/xen_sxpr.c | 18 +++++-----
tests/cputest.c | 6 ++--
tests/testutils.c | 4 +--
tools/virsh-domain.c | 8 ++---
tools/virsh-host.c | 8 ++---
47 files changed, 351 insertions(+), 341 deletions(-)
--
1.9.3
10 years, 1 month
[libvirt] [PATCH 0/2] syntax check: doubled semicolon
by Eric Blake
As long as I'm on a syntax-check binge, finish off a task I
started several weeks ago.
Eric Blake (2):
maint: update to latest gnulib
maint: syntax check for double semicolons
.gnulib | 2 +-
cfg.mk | 8 ++++++++
src/xenconfig/xen_common.c | 2 +-
3 files changed, 10 insertions(+), 2 deletions(-)
--
1.9.3
10 years, 1 month