Many drivers had a comment that they did not validate the incoming
'flags' to virDomainGetXMLDesc() because they were relying on
virDomainDefFormat() to do it instead. This used to be the case,
but regressed in commit 0ecd6851 (1.2.12), when all of the drivers
were changed to pass 'flags' through the new helper
virDomainDefFormatConvertXMLFlags(). Since this helper silently
ignores unknown flags, we need to implement flag checking in each
driver instead.
Annoyingly, this means that any new flag values added will silently
be ignored when targeting an older libvirt, rather than our usual
practice of loudly diagnosing an unsupported flag. We'll have to
be extra vigilant that any future added flags do not cause a security
hole when sent from a newer libvirt client that expects the flag
to do one thing, but where the older server silently ignores it
instead.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
src/conf/domain_conf.h | 3 +++
src/bhyve/bhyve_driver.c | 2 ++
src/conf/domain_conf.c | 2 ++
src/esx/esx_driver.c | 2 +-
src/hyperv/hyperv_driver.c | 2 +-
src/libxl/libxl_driver.c | 2 +-
src/lxc/lxc_driver.c | 2 +-
src/openvz/openvz_driver.c | 2 +-
src/phyp/phyp_driver.c | 2 +-
src/qemu/qemu_driver.c | 3 ++-
src/test/test_driver.c | 2 +-
src/vbox/vbox_common.c | 2 +-
src/vmware/vmware_driver.c | 2 +-
src/vz/vz_driver.c | 2 +-
14 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 2bc3f879f7..324fc247b6 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -3110,6 +3110,9 @@ virDomainIOThreadIDDefPtr virDomainIOThreadIDAdd(virDomainDefPtr
def,
unsigned int iothread_id);
void virDomainIOThreadIDDel(virDomainDefPtr def, unsigned int iothread_id);
+# define VIR_DOMAIN_XML_COMMON_FLAGS \
+ (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_INACTIVE | \
+ VIR_DOMAIN_XML_MIGRATABLE)
unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags);
char *virDomainDefFormat(virDomainDefPtr def,
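Review bot: VIR_DOMAIN_XML_COMMON_FLAGS is added without a comment, although its value only makes sense next to virDomainDefFormatConvertXMLFlags() declared on the line after it: the comment this patch adds in domain_conf.c says that helper converts exactly this set and drops everything else. A short comment above the `# define` would keep the two from drifting, for example `/* Flags understood by virDomainDefFormatConvertXMLFlags(); drivers pass this mask to virCheckFlags() and OR in anything extra they handle themselves. */`. Without it, a bit added to one but not the other brings back the silent-ignore behaviour the commit message describes. The virDomainDefFormat() declaration at the end of the hunk continues outside it.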
diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c
index 912797cfcf..3e192284cc 100644
--- a/src/bhyve/bhyve_driver.c
+++ b/src/bhyve/bhyve_driver.c
@@ -484,6 +484,8 @@ bhyveDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
virCapsPtr caps = NULL;
char *ret = NULL;
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
+
if (!(vm = bhyveDomObjFromDomain(domain)))
goto cleanup;
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 5d49f4388c..37bbf211c5 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -28996,6 +28996,8 @@ virDomainDefFormatInternal(virDomainDefPtr def,
return -1;
}
+/* Converts VIR_DOMAIN_XML_COMMON_FLAGS into VIR_DOMAIN_DEF_FORMAT_* flags,
+ * and silently ignores any other flags. */
unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags)
{
unsigned int formatFlags = 0;
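Review bot: The new comment records that unknown flags are silently ignored but not what a caller has to do about it, which is the part that regressed. I would extend it with a final line such as `* Callers must reject unsupported flags with virCheckFlags() before calling this. */`. Callers of this helper other than the GetXMLDesc entry points patched here are not visible in this diff; if there are any, they presumably still accept arbitrary bits and are worth auditing. The function body continues past the end of the hunk.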
diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
index b1af646155..379c2bae73 100644
--- a/src/esx/esx_driver.c
+++ b/src/esx/esx_driver.c
@@ -2604,7 +2604,7 @@ esxDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
virDomainDefPtr def = NULL;
char *xml = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
memset(&data, 0, sizeof(data));
diff --git a/src/hyperv/hyperv_driver.c b/src/hyperv/hyperv_driver.c
index f41cd1c939..0e2c6c55ef 100644
--- a/src/hyperv/hyperv_driver.c
+++ b/src/hyperv/hyperv_driver.c
@@ -754,7 +754,7 @@ hypervDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
Msvm_ProcessorSettingData *processorSettingData = NULL;
Msvm_MemorySettingData *memorySettingData = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(def = virDomainDefNew()))
goto cleanup;
diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index 7981ccaf21..31b842aeee 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -2621,7 +2621,7 @@ libxlDomainGetXMLDesc(virDomainPtr dom, unsigned int flags)
virDomainDefPtr def;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = libxlDomObjFromDomain(dom)))
goto cleanup;
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c48f6d9067..516a6b4de3 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -987,7 +987,7 @@ static char *lxcDomainGetXMLDesc(virDomainPtr dom,
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = lxcDomObjFromDomain(dom)))
goto cleanup;
diff --git a/src/openvz/openvz_driver.c b/src/openvz/openvz_driver.c
index 06950ce9ed..39eeb2c12e 100644
--- a/src/openvz/openvz_driver.c
+++ b/src/openvz/openvz_driver.c
@@ -519,7 +519,7 @@ static char *openvzDomainGetXMLDesc(virDomainPtr dom, unsigned int
flags) {
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = openvzDomObjFromDomain(driver, dom->uuid)))
return NULL;
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index dc082b1d08..e54799dbb4 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -3214,7 +3214,7 @@ phypDomainGetXMLDesc(virDomainPtr dom, unsigned int flags)
unsigned long long memory;
unsigned int vcpus;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
memset(&def, 0, sizeof(virDomainDef));
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 971f915619..b039675d1a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -7342,7 +7342,8 @@ static char
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS | VIR_DOMAIN_XML_UPDATE_CPU,
+ NULL);
if (!(vm = qemuDomObjFromDomain(dom)))
goto cleanup;
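Review bot: VIR_DOMAIN_XML_UPDATE_CPU is accepted only in this qemu entry point, so every other driver patched here now rejects it. Per the commit message, those drivers have silently ignored unknown flags since 1.2.12, which makes this a visible behaviour change for any client that passes UPDATE_CPU to a non-qemu connection. If that is intended, it deserves a sentence in the commit message and a comment at the call, for example `/* qemu additionally accepts UPDATE_CPU, which is not part of the common set */`. The function signature is cut in the hunk header, and the body continues outside the hunk.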
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index c1faff46ff..cde9e3d417 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -2628,7 +2628,7 @@ static char *testDomainGetXMLDesc(virDomainPtr domain, unsigned int
flags)
virDomainObjPtr privdom;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(privdom = testDomObjFromDomain(domain)))
return NULL;
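Review bot: The diffstat touches only files under src/, so nothing pins the rejection path that this check in testDomainGetXMLDesc() and its siblings restores. The commit message notes that the earlier validation was lost unnoticed in a refactoring, so a regression test would be cheap insurance. A test against the test driver could call virDomainGetXMLDesc() with a bit outside VIR_DOMAIN_XML_COMMON_FLAGS and expect NULL with an error reported. The function body continues outside the hunk.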
diff --git a/src/vbox/vbox_common.c b/src/vbox/vbox_common.c
index 664650f217..d95fe7c7ae 100644
--- a/src/vbox/vbox_common.c
+++ b/src/vbox/vbox_common.c
@@ -4052,7 +4052,7 @@ static char *vboxDomainGetXMLDesc(virDomainPtr dom, unsigned int
flags)
if (!data->vboxObj)
return ret;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (openSessionForMachine(data, dom->uuid, &iid, &machine) < 0)
goto cleanup;
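Review bot: In this driver the flag check sits after `if (!data->vboxObj) return ret;`, while in the other hunks it comes before the first visible statement. A call with an unsupported flag is therefore diagnosed only when vboxObj is set, and otherwise returns ret with no flag error. Moving `virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);` above that test would make the behaviour uniform across drivers. Because virCheckFlags() returns directly rather than through `cleanup`, it should also stay ahead of anything that needs releasing; the declarations above the hunk are not visible, so that is to be confirmed.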
diff --git a/src/vmware/vmware_driver.c b/src/vmware/vmware_driver.c
index f94b3252fe..f4b0989afd 100644
--- a/src/vmware/vmware_driver.c
+++ b/src/vmware/vmware_driver.c
@@ -932,7 +932,7 @@ vmwareDomainGetXMLDesc(virDomainPtr dom, unsigned int flags)
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = vmwareDomObjFromDomain(driver, dom->uuid)))
return NULL;
diff --git a/src/vz/vz_driver.c b/src/vz/vz_driver.c
index b22a44d6ad..f99ade82b6 100644
--- a/src/vz/vz_driver.c
+++ b/src/vz/vz_driver.c
@@ -724,7 +724,7 @@ vzDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
virDomainObjPtr dom;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(dom = vzDomObjFromDomain(domain)))
return NULL;
--
2.20.1