August 2012 - Devel - libvirt List Archives

[libvirt] [PATCH] conf: log error when encountering multiple filterrefs in interface
by Laine Stump 15 Aug '12

15 Aug '12

Each interface has a single pointer to a filterref object. That filterref can itself point to multiple other filterrefs, but at the toplevel there is only one. The parser had previously just silently overwritten earlier filterrefs when a new one was encountered, so the interface was left with whichever was the last filterref in the xml, ignoring all the others. This patch logs an error when it sees more than one filterref. --- src/conf/domain_conf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index ae95d81..58c424f 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -4627,6 +4627,12 @@ virDomainNetDefParseXML(virCapsPtr caps, ioeventfd = virXMLPropString(cur, "ioeventfd"); event_idx = virXMLPropString(cur, "event_idx"); } else if (xmlStrEqual (cur->name, BAD_CAST "filterref")) { + if (filter) { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("Invalid specification of multiple <filterref>s " + "in a single <interface>")); + goto error; + } filter = virXMLPropString(cur, "filter"); virNWFilterHashTableFree(filterparams); filterparams = virNWFilterParseParamAttributes(cur); -- 1.7.11.2

2 2

[libvirt] [PATCH] Allow sticky bit to be read and set.
by Ján Tomko 15 Aug '12

15 Aug '12

--- src/conf/storage_conf.c | 8 +++++--- src/storage/storage_backend.c | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c index 3132aae..017648d 100644 --- a/src/conf/storage_conf.c +++ b/src/conf/storage_conf.c @@ -667,7 +667,8 @@ virStorageDefParsePerms(xmlXPathContextPtr ctxt, } else { int tmp; - if (virStrToLong_i(mode, NULL, 8, &tmp) < 0 || (tmp & ~0777)) { + if (virStrToLong_i(mode, NULL, 8, &tmp) < 0 || + (tmp & ~(S_ISVTX | S_IRWXUGO))) { VIR_FREE(mode); virReportError(VIR_ERR_XML_ERROR, "%s", _("malformed octal mode")); @@ -1037,7 +1038,7 @@ virStoragePoolDefFormat(virStoragePoolDefPtr def) { virBufferAddLit(&buf," <permissions>\n"); virBufferAsprintf(&buf," <mode>0%o</mode>\n", - def->target.perms.mode); + def->target.perms.mode & (S_ISVTX | S_IRWXUGO)); virBufferAsprintf(&buf," <owner>%d</owner>\n", (int) def->target.perms.uid); virBufferAsprintf(&buf," <group>%d</group>\n", @@ -1290,7 +1291,8 @@ virStorageVolTargetDefFormat(virStorageVolOptionsPtr options, virBufferAddLit(buf," <permissions>\n"); virBufferAsprintf(buf," <mode>0%o</mode>\n", - def->perms.mode); + def->perms.mode & + (S_ISVTX | S_IRWXUGO)); virBufferAsprintf(buf," <owner>%u</owner>\n", (unsigned int) def->perms.uid); virBufferAsprintf(buf," <group>%u</group>\n", diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c index df3833a..5fd14ed 100644 --- a/src/storage/storage_backend.c +++ b/src/storage/storage_backend.c @@ -1210,7 +1210,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageVolTargetPtr target, } } - target->perms.mode = sb.st_mode & S_IRWXUGO; + target->perms.mode = sb.st_mode & (S_ISVTX | S_IRWXUGO); target->perms.uid = sb.st_uid; target->perms.gid = sb.st_gid; -- 1.7.8.6

2 2

[libvirt] [PATCH] storage: support all file permissions
by Ján Tomko 15 Aug '12

15 Aug '12

sticky, setuid and setgid are no longer ignored. --- src/conf/storage_conf.c | 6 ++++-- src/storage/storage_backend.c | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c index 7944555..c492106 100644 --- a/src/conf/storage_conf.c +++ b/src/conf/storage_conf.c @@ -1035,7 +1035,8 @@ virStoragePoolDefFormat(virStoragePoolDefPtr def) { virBufferAddLit(&buf," <permissions>\n"); virBufferAsprintf(&buf," <mode>0%o</mode>\n", - def->target.perms.mode); + def->target.perms.mode & + (S_ISUID | S_ISGID | S_ISVTX | S_IRWXUGO)); virBufferAsprintf(&buf," <owner>%u</owner>\n", (unsigned int) def->target.perms.uid); virBufferAsprintf(&buf," <group>%u</group>\n", @@ -1275,7 +1276,8 @@ virStorageVolTargetDefFormat(virStorageVolOptionsPtr options, virBufferAddLit(buf," <permissions>\n"); virBufferAsprintf(buf," <mode>0%o</mode>\n", - def->perms.mode); + def->perms.mode & + (S_ISUID | S_ISGID | S_ISVTX | S_IRWXUGO)); virBufferAsprintf(buf," <owner>%u</owner>\n", (unsigned int) def->perms.uid); virBufferAsprintf(buf," <group>%u</group>\n", diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c index e677cda..e9ec7a5 100644 --- a/src/storage/storage_backend.c +++ b/src/storage/storage_backend.c @@ -1210,7 +1210,8 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageVolTargetPtr target, } } - target->perms.mode = sb.st_mode & S_IRWXUGO; + target->perms.mode = sb.st_mode & + (S_ISUID | S_ISGID | S_ISVTX | S_IRWXUGO); target->perms.uid = sb.st_uid; target->perms.gid = sb.st_gid; -- 1.7.8.6

4 7

[libvirt] [PATCH v11 0/7] file descriptor passing using fd sets
by Corey Bryant 14 Aug '12

14 Aug '12

libvirt's sVirt security driver provides SELinux MAC isolation for Qemu guest processes and their corresponding image files. In other words, sVirt uses SELinux to prevent a QEMU process from opening files that do not belong to it. sVirt provides this support by labeling guests and resources with security labels that are stored in file system extended attributes. Some file systems, such as NFS, do not support the extended attribute security namespace, and therefore cannot support sVirt isolation. A solution to this problem is to provide fd passing support, where libvirt opens files and passes file descriptors to QEMU. This, along with SELinux policy to prevent QEMU from opening files, can provide image file isolation for NFS files stored on the same NFS mount. This patch series adds the add-fd, remove-fd, and query-fdsets QMP monitor commands, which allow file descriptors to be passed via SCM_RIGHTS, and assigned to specified fd sets. This allows fd sets to be created per file with fds having, for example, different access rights. When QEMU needs to reopen a file with different access rights, it can search for a matching fd in the fd set. Fd sets also allow for easy tracking of fds per file, helping to prevent fd leaks. Support is also added to the block layer to allow QEMU to dup an fd from an fdset when the filename is of the /dev/fdset/nnn format, where nnn is the fd set ID. No new SELinux policy is required to prevent open of NFS files (files with type nfs_t). The virt_use_nfs boolean type simply needs to be set to false, and open will be prevented (and dup will be allowed). For example: # setsebool virt_use_nfs 0 # getsebool virt_use_nfs virt_use_nfs --> off Corey Bryant (7): qemu-char: Add MSG_CMSG_CLOEXEC flag to recvmsg qapi: Introduce add-fd, remove-fd, query-fdsets block: Prevent detection of /dev/fdset/ as floppy block: Convert open calls to qemu_open block: Convert close calls to qemu_close block: Enable qemu_open/close to work with fd sets monitor: Clean up fd sets on monitor disconnect Makefile | 2 +- block/raw-posix.c | 46 +++++---- block/raw-win32.c | 6 +- block/vdi.c | 5 +- block/vmdk.c | 25 ++--- block/vpc.c | 4 +- block/vvfat.c | 16 +-- cutils.c | 5 + monitor.c | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++++ monitor.h | 5 + osdep.c | 114 +++++++++++++++++++++ qapi-schema.json | 98 ++++++++++++++++++ qemu-char.c | 12 ++- qemu-common.h | 2 + qemu-tool.c | 20 ++++ qemu-user.c | 20 ++++ qmp-commands.hx | 122 ++++++++++++++++++++++ savevm.c | 4 +- tests/Makefile | 2 +- 19 files changed, 742 insertions(+), 57 deletions(-) -- 1.7.10.4

1 7

[libvirt] [PATCH] random: link with -lm when needed
by Eric Blake 14 Aug '12

14 Aug '12

Use of ldexp() requires -lm on some platforms; use gnulib to determine this for our makefile. Also, optimize virRandomInt() for the case of a power-of-two limit (actually rather common, given that Daniel has a pending patch to replace virRandomBis(10) with code that will default to virRandomInt(1024) on default SELinux settings). * .gnulib: Update to latest, for ldexp. * bootstrap.conf (gnulib_modules): Import ldexp. * src/Makefile.am (libvirt_util_la_CFLAGS): Link with -lm when needed. * src/util/virrandom.c (virRandomInt): Optimize powers of 2. --- Gnulib changes: * .gnulib dbd9144...271dd74 (37): > ldexp: relax license > update from texinfo > gnulib-tool: Fix persistence of --witness-c-macro option. > count-leading-zeros: use a lookup table on non-gcc compilers > count-leading-zeros: new module > maintainer-makefile: Fix syntax error with dash. > extern-inline: also ignore -Wmissing-declarations > autoupdate > maint.mk: sc_prohibit_magic_number_exit: avoid new false positives > gnumakefile: better interaction with Automake-NG > base64: Use extern C scope in header file, for C++. > stat-time, timespec, u64: support naive out-of-dir builds > Fix typo: 'linline' -> 'inline' (thanks to Eric Blake). > Keep the extern-inline macros closer together. > Fix indenting. > utimens: use extern-inline > u64: use extern-inline > timespec: use extern-inline > stat-time: use extern-inline > extern-inline: new module > maint.mk: a "release-commit" wrapper to do-release-commit-and-tag > autoupdate > autoupdate > maint.mk: use silent-rules support from Automake > maint.mk: provide a web-manual-update target > README-release: shorten the circuit to post a news > gnu-web-doc-update: fix --help > passfd: fix comment on recvfd > maint.mk: avoid a sub-shell > maint.mk: absolute VPATH issue > update from texinfo > gitlog-to-changelog: fix previous change > gitlog-to-changelog: don't expect .git to be in $srcdir > maint.mk: absolute VPATH build fix > clean-temp: Fix memory leak. > maint: fix grammar in a ChangeLog entry > maint.mk: new rule: refresh-gnulib-patches .gnulib | 2 +- bootstrap.conf | 1 + src/Makefile.am | 2 +- src/util/virrandom.c | 4 ++++ 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gnulib b/.gnulib index dbd9144..271dd74 160000 --- a/.gnulib +++ b/.gnulib @@ -1 +1 @@ -Subproject commit dbd914496c99c52220e5f5ba4121d6cb55fb3beb +Subproject commit 271dd74fdf54ec2a03e73a5173b0b5697f6088f1 diff --git a/bootstrap.conf b/bootstrap.conf index a4e1c2f..a6cfe24 100644 --- a/bootstrap.conf +++ b/bootstrap.conf @@ -61,6 +61,7 @@ intprops ioctl isatty largefile +ldexp listen localeconv maintainer-makefile diff --git a/src/Makefile.am b/src/Makefile.am index e94f977..cec4789 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -654,7 +654,7 @@ libvirt_util_la_SOURCES = \ $(UTIL_SOURCES) libvirt_util_la_CFLAGS = $(CAPNG_CFLAGS) $(YAJL_CFLAGS) $(LIBNL_CFLAGS) \ $(AM_CFLAGS) $(AUDIT_CFLAGS) $(DEVMAPPER_CFLAGS) \ - $(DBUS_CFLAGS) + $(DBUS_CFLAGS) $(LDEXP_LIBM) libvirt_util_la_LIBADD = $(CAPNG_LIBS) $(YAJL_LIBS) $(LIBNL_LIBS) \ $(THREAD_LIBS) $(AUDIT_LIBS) $(DEVMAPPER_LIBS) \ $(RT_LIBS) $(DBUS_LIBS) $(MSCOM_LIBS) $(LIBXML_LIBS) diff --git a/src/util/virrandom.c b/src/util/virrandom.c index 363fcab..8870865 100644 --- a/src/util/virrandom.c +++ b/src/util/virrandom.c @@ -24,6 +24,7 @@ #include <stdlib.h> #include <inttypes.h> #include <math.h> +#include <strings.h> #include "virrandom.h" #include "threads.h" @@ -135,6 +136,9 @@ double virRandom(void) */ uint32_t virRandomInt(uint32_t max) { + if ((max & (max - 1)) == 0) + return virRandomBits(ffs(max)); + double val = virRandom(); return val * max; } -- 1.7.11.2

2 3

[libvirt] [PATCH 0/9] network: properly support openvswitch in <network>
by Laine Stump 14 Aug '12

14 Aug '12

Although it's been possible (ever since openvswitch was added to libvirt in 0.9.11) for a libvirt network to use an openvswitch bridge (by adding <virtualport type='openvswitch'>), the virtualport in the network would always have a default random interfaceid included, which would be re-used for all interfaces using that network, which doesn't really work at all. The alternative was to not specify openvswitch in the <network> definition, but to do it in the guest's <interface> definition instead - this of course goes against the principle of not having host-specific config embedded in guest config. This patch series enhances the functionality of <virtualport> elements, to allow omitting some attributes (and even the type), and to merge the interface, network, and portgroup virtualports rather than simply picking one. This not only makes openvswitch <network>s more practical (because the network can specify type='openvswitch' without also specifying an interfaceid), but also makes <virtualport> in networks and portgroups more useful in general - for example, an interface can specify an interfaceid (used only by openvswitch) *and* an instanceid (used only by 802.1Qbh), while the network's virtualport specifies only the type, and the portgroups specify the managerid, typeid, profileid, or whatever is appropriate for the type of switch used by the network. The result is that the guest config can be completely devoid of knowledge about the type of switch being used on the hardware, but can still enjoy full configurability for whatever switch ends up being used.

5 23

[libvirt] [PATCH] build: fix link error with appArmor
by Eric Blake 14 Aug '12

14 Aug '12

Commit bb705e25 missed that the appArmor helper file also needs to resolve the new symbols dragged in by domain_conf.c. * src/Makefile.am (SECURITY_DRIVER_APPARMOR_HELPER_SOURCES): Pull in datatypes.c. --- Pushing under the build-breaker rule. src/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Makefile.am b/src/Makefile.am index 8d54145..e94f977 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -405,6 +405,7 @@ LXC_CONTROLLER_SOURCES = \ lxc/lxc_controller.c SECURITY_DRIVER_APPARMOR_HELPER_SOURCES = \ + $(DATATYPES_SOURCES) \ security/virt-aa-helper.c PHYP_DRIVER_SOURCES = \ -- 1.7.11.2

1 0

[libvirt] [PATCH] maint: drop a leftover comment line
by Eric Blake 14 Aug '12

14 Aug '12

* tests/viratomictest.c: Fix copy-and-paste bug. --- Pushing under the trivial rule. tests/viratomictest.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/viratomictest.c b/tests/viratomictest.c index 772fbfe..4250329 100644 --- a/tests/viratomictest.c +++ b/tests/viratomictest.c @@ -12,7 +12,6 @@ * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software * License along with this library; If not, see * <http://www.gnu.org/licenses/>. * -- 1.7.11.2

1 0

[libvirt] [PATCH v2 1/2] Honour current sensitivity and category ranges in SELinux label generation
by Daniel P. Berrange 14 Aug '12

14 Aug '12

From: "Daniel P. Berrange" <berrange(a)redhat.com> Currently the dynamic label generation code will create labels with a sensitivity of s0, and a category pair in the range 0-1023. This is fine when running a standard MCS policy because libvirtd will run with a label system_u:system_r:virtd_t:s0-s0:c0.c1023 With custom policies though, it is possible for libvirtd to have a different sensitivity, or category range. For example system_u:system_r:virtd_t:s2-s3:c512.c1023 In this case we must assign the VM a sensitivity matching the current lower sensitivity value, and categories in the range 512-1023 Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- src/security/security_selinux.c | 106 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 102 insertions(+), 4 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 48fd78b..bc24dca 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -106,13 +106,108 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr) int c1 = 0; int c2 = 0; char *mcs = NULL; + security_context_t ourSecContext = NULL; + context_t ourContext = NULL; + char *sens, *cat, *tmp; + int catMin, catMax, catRange; + + if (getcon(&ourSecContext) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get current process SELinux context")); + goto cleanup; + } + if (!(ourContext = context_new(ourSecContext))) { + virReportSystemError(errno, + _("Unable to parse current SELinux context '%s'"), + ourSecContext); + goto cleanup; + } + + if (!(sens = strdup(context_range_get(ourContext)))) { + virReportOOMError(); + goto cleanup; + } + + /* Find and blank out the category part */ + if (!(tmp = strchr(sens, ':'))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse sensitivity level in %s"), + sens); + goto cleanup; + } + *tmp = '\0'; + cat = tmp + 1; + /* Find and blank out the sensitivity upper bound */ + if ((tmp = strchr(sens, '-'))) + *tmp = '\0'; + /* sens now just contains the sensitivity lower bound */ + + /* Find & extract category min */ + tmp = cat; + if (tmp[0] != 'c') { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse category in %s"), + cat); + goto cleanup; + } + tmp++; + if (virStrToLong_i(tmp, &tmp, 10, &catMin) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse category in %s"), + cat); + goto cleanup; + } + + /* We *must* have a pair of categories otherwise + * there's no range to allocate VM categories from */ + if (!tmp[0]) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No category range available")); + goto cleanup; + } + + /* Find & extract category max (if any) */ + if (tmp[0] != '.') { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse category in %s"), + cat); + goto cleanup; + } + tmp++; + if (tmp[0] != 'c') { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse category in %s"), + cat); + goto cleanup; + } + tmp++; + if (virStrToLong_i(tmp, &tmp, 10, &catMax) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse category in %s"), + cat); + goto cleanup; + } + + /* +1 since virRandomInt range is exclusive of the upper bound */ + catRange = (catMax - catMin) + 1; + + if (catRange < 8) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Category range c%d-c%d too small"), + catMin, catMax); + goto cleanup; + } + + VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d", + sens, catMin, catMax, catRange); for (;;) { - c1 = virRandomBits(10); - c2 = virRandomBits(10); + c1 = virRandomInt(catRange); + c2 = virRandomInt(catRange); + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1+catMin, c2+catMin); if (c1 == c2) { - if (virAsprintf(&mcs, "s0:c%d", c1) < 0) { + if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0) { virReportOOMError(); return NULL; } @@ -122,7 +217,7 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr) c1 = c2; c2 = t; } - if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) { + if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0) { virReportOOMError(); return NULL; } @@ -136,6 +231,9 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr) cleanup: VIR_DEBUG("Found context '%s'", NULLSTR(mcs)); + VIR_FREE(sens); + freecon(ourSecContext); + context_free(ourContext); return mcs; } -- 1.7.11.2

2 3

[libvirt] [PATCH] openvz: unlock virDomainObj objects in openvzOpen
by Dmitry Guryanov 14 Aug '12

14 Aug '12

openvzOpen fucntion must leave unlocked virDomainObj objects in driver->domains. Now even simple commands like list or domain lookup hang, for example virsh -c openvz:///system list --all. Signed-off-by: Dmitry Guryanov <dguryanov(a)parallels.com> --- src/openvz/openvz_conf.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/openvz/openvz_conf.c b/src/openvz/openvz_conf.c index e62bf8c..802a9f8 100644 --- a/src/openvz/openvz_conf.c +++ b/src/openvz/openvz_conf.c @@ -673,6 +673,7 @@ int openvzLoadDomains(struct openvz_driver *driver) { goto cleanup; } + virDomainObjUnlock(dom); dom = NULL; } -- 1.7.1

2 1