Re: [libvirt] [PATCH] virt-aa-helper: better write denials handling
by Guido Günther
Hi,
On Mon, Jan 18, 2016 at 01:45:08PM +0100, Cédric Bosdonnat wrote:
> Better fix replacing c726af2d: introducing an 'R' permission to
> add read rule, but no explicit deny write rule.
> ---
> src/security/virt-aa-helper.c | 20 +++++++++++++++++---
> 1 file changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index a2d7226..d0c5246 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -785,12 +785,18 @@ get_definition(vahControl * ctl, const char *xmlStr)
> return rc;
> }
>
> +/**
> + * The permissions allowed are apparmor valid permissions and 'R'. 'R' stands for
> + * read with no explicit deny rule.
> + */
> static int
> vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive)
> {
> char *tmp = NULL;
> int rc = -1;
> bool readonly = true;
> + bool explicit_deny_rule = true;
> + char *sub = NULL;
>
> if (path == NULL)
> return rc;
> @@ -815,8 +821,16 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
> return rc;
> }
>
> - if (strchr(perms, 'w') != NULL)
> + if (strchr(perms, 'w') != NULL) {
> readonly = false;
> + explicit_deny_rule = false;
> + }
> +
> + if ((sub = strchr(perms, 'R')) != NULL) {
> + /* Don't write the invalid R permission, replace it with 'r' */
> + sub[0] = 'r';
> + explicit_deny_rule = false;
> + }
>
> rc = valid_path(tmp, readonly);
> if (rc != 0) {
> @@ -831,7 +845,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
> tmp[strlen(tmp) - 1] = '\0';
>
> virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms);
> - if (readonly) {
> + if (explicit_deny_rule) {
> virBufferAddLit(buf, " # don't audit writes to readonly files\n");
> virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
> }
> @@ -1130,7 +1144,7 @@ get_files(vahControl * ctl)
> /* We don't need to add deny rw rules for readonly mounts,
> * this can only lead to troubles when mounting / readonly.
> */
> - if (vah_add_path(&buf, fs->src, "rw", true) != 0)
> + if (vah_add_path(&buf, fs->src, fs->readonly ? "R" : "rw", true) != 0)
> goto cleanup;
> }
> }
this looks good to me but it would be great to have Jamie's input on
that.
Ceers,
-- Guido
8 years, 7 months
[libvirt] [PATCH] tests: avoid realpath in test-lib.sh
by Eric Blake
Ever since commit ace4aecd, running 'make check' on RHEL 6 produces:
./test-lib.sh: line 21: realpath: command not found
for every shell script test, because 'realpath' was not part of
coreutils back then.
* tests/test-lib.sh (_scriptdir): Compute with only portable shell.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
A warning message is cosmetic, and not quite a build-breaker, so
I'll wait for a review before pushing this.
tests/test-lib.sh | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test-lib.sh b/tests/test-lib.sh
index 920b01e..8e0ce83 100644
--- a/tests/test-lib.sh
+++ b/tests/test-lib.sh
@@ -1,6 +1,6 @@
# test-lib.sh: source this file; set up for tests
-# Copyright (C) 2008-2013 Red Hat, Inc.
+# Copyright (C) 2008-2013, 2016 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -18,7 +18,7 @@
#
# Based on an idea from GNU coreutils
-_scriptdir="$(realpath $(dirname $0))"
+_scriptdir="$(unset CDPATH; cd $(dirname $0) && pwd)"
test -z "$abs_srcdir" && abs_srcdir=$_scriptdir
test -z "$abs_builddir" && abs_builddir=$_scriptdir
test -z "$abs_top_srcdir" && abs_top_srcdir=$_scriptdir/..
--
1.7.1
8 years, 7 months
[libvirt] [PATCH v3 0/4] virshBlockJobWait improvements
by Michael Chapman
v2 discussion at:
http://www.redhat.com/archives/libvir-list/2016-January/msg01063.html
As requested I've split this into separate commits. All of the comment
nitpicks have been applied.
With regards to using "break" or "goto cleanup" to exit the loop, I decided
to use "goto" on all the error cases and "break" everywhere else. I had
noticed another bug where the SIGINT signal action wasn't reset if the
virTimeMillisNow() call failed; that's fixed in patch 3 in this series.
Michael Chapman (4):
virsh: avoid unnecessary progress updates
virsh: be consistent with style of loop exit
virsh: ensure SIGINT action is reset on all errors
virsh: improve waiting for block job readiness
tools/virsh-domain.c | 65 ++++++++++++++++++++++++++++++----------------------
1 file changed, 37 insertions(+), 28 deletions(-)
--
2.4.3
8 years, 7 months
[libvirt] [PATCH] qemu: Mark some functions as static
by Cole Robinson
---
src/qemu/qemu_command.c | 16 +++++++++++++---
src/qemu/qemu_command.h | 11 -----------
src/qemu/qemu_process.h | 2 --
3 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 5d3ab3a..8943270 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1775,6 +1775,16 @@ qemuDomainPCIBusFullyReserved(virDomainPCIAddressBusPtr bus)
}
+static int
+qemuAssignDevicePCISlots(virDomainDefPtr def,
+ virQEMUCapsPtr qemuCaps,
+ virDomainPCIAddressSetPtr addrs);
+static int
+qemuDomainAssignPCIAddresses(virDomainDefPtr def,
+ virQEMUCapsPtr qemuCaps,
+ virDomainObjPtr obj);
+
+
int qemuDomainAssignAddresses(virDomainDefPtr def,
virQEMUCapsPtr qemuCaps,
virDomainObjPtr obj)
@@ -1801,7 +1811,7 @@ int qemuDomainAssignAddresses(virDomainDefPtr def,
}
-virDomainPCIAddressSetPtr
+static virDomainPCIAddressSetPtr
qemuDomainPCIAddressSetCreate(virDomainDefPtr def,
unsigned int nbuses,
bool dryRun)
@@ -2238,7 +2248,7 @@ qemuValidateDevicePCISlotsChipsets(virDomainDefPtr def,
return 0;
}
-int
+static int
qemuDomainAssignPCIAddresses(virDomainDefPtr def,
virQEMUCapsPtr qemuCaps,
virDomainObjPtr obj)
@@ -2451,7 +2461,7 @@ qemuDomainAssignPCIAddresses(virDomainDefPtr def,
* function must only try to reserve addresses if info.type == NONE and
* skip over info.type == PCI
*/
-int
+static int
qemuAssignDevicePCISlots(virDomainDefPtr def,
virQEMUCapsPtr qemuCaps,
virDomainPCIAddressSetPtr addrs)
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index a96e57d..53bfda5 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -274,17 +274,6 @@ void qemuDomainReleaseDeviceAddress(virDomainObjPtr vm,
const char *devstr);
-int qemuDomainAssignPCIAddresses(virDomainDefPtr def,
- virQEMUCapsPtr qemuCaps,
- virDomainObjPtr obj);
-virDomainPCIAddressSetPtr qemuDomainPCIAddressSetCreate(virDomainDefPtr def,
- unsigned int nbuses,
- bool dryRun);
-
-int qemuAssignDevicePCISlots(virDomainDefPtr def,
- virQEMUCapsPtr qemuCaps,
- virDomainPCIAddressSetPtr addrs);
-
int qemuAssignDeviceAliases(virDomainDefPtr def, virQEMUCapsPtr qemuCaps);
int qemuDomainNetVLAN(virDomainNetDefPtr def);
int qemuAssignDeviceNetAlias(virDomainDefPtr def, virDomainNetDefPtr net, int idx);
diff --git a/src/qemu/qemu_process.h b/src/qemu/qemu_process.h
index c674111..cb5cee1 100644
--- a/src/qemu/qemu_process.h
+++ b/src/qemu/qemu_process.h
@@ -42,8 +42,6 @@ int qemuProcessStopCPUs(virQEMUDriverPtr driver,
void qemuProcessAutostartAll(virQEMUDriverPtr driver);
void qemuProcessReconnectAll(virConnectPtr conn, virQEMUDriverPtr driver);
-int qemuProcessAssignPCIAddresses(virDomainDefPtr def);
-
typedef struct _qemuProcessIncomingDef qemuProcessIncomingDef;
typedef qemuProcessIncomingDef *qemuProcessIncomingDefPtr;
struct _qemuProcessIncomingDef {
--
2.5.0
8 years, 7 months
[libvirt] [PATCH] include: Handle case when builddir == srcdir
by Michal Privoznik
In my previous commit a70f3b1c779120129 I've tried to fix case
when building from VPATH and a file wasn't being installed.
However, my fix broke non-VPATH build.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
include/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/Makefile.am b/include/Makefile.am
index 6b0b41e..754c298 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -19,7 +19,7 @@
virincdir = $(includedir)/libvirt
allheaders = $(wildcard $(srcdir)/libvirt/*.h)
-virinc_HEADERS = $(filter-out $(srcdir)/libvirt/libvirt-admin.h, $(allheaders))
+virinc_HEADERS = $(filter-out $(srcdir)/libvirt/libvirt-admin.h $(srcdir)/libvirt/libvirt-common.h, $(allheaders))
virinc_HEADERS += libvirt/libvirt-common.h
EXTRA_DIST = libvirt/libvirt-common.h.in
--
2.4.10
8 years, 7 months
[libvirt] [PATCH] qemu: Align dump options for watchdog and on_crash events
by Boris Fiuczynski
Having on_crash set to either coredump-destroy or coredump-restart
creates core dumps with option memory-only in the directory specified
by auto_dump_path. When a watchdog is triggered with the action dump
the core dump is also placed into the directory specified by auto_dump_path
but is created without the option memory-only.
This patch sets the option memory-only also for core dumps created by the
watchdog event.
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk(a)linux.vnet.ibm.com>
Reviewed-by: Stefan Zimmermann <stzi(a)linux.vnet.ibm.com>
---
src/qemu/qemu_driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index f429832..88ecf48 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3894,7 +3894,7 @@ static void processWatchdogEvent(virQEMUDriverPtr driver, virDomainObjPtr vm, in
case VIR_DOMAIN_WATCHDOG_ACTION_DUMP:
{
char *dumpfile;
- unsigned int flags = 0;
+ unsigned int flags = VIR_DUMP_MEMORY_ONLY;
if (virAsprintf(&dumpfile, "%s/%s-%u",
cfg->autoDumpPath,
--
2.3.0
8 years, 7 months
[libvirt] [PATCH v2] qemu: return -1 on error paths in qemuDomainSaveImageStartVM
by Nikolay Shirokovskiy
Error paths after sending the event that domain is started written as if ret = -1
which is set at the beginning of the function. It's common idioma to keep 'ret'
equal to -1 until the end of function where it is set to 0. But here we use ret
to keep result of restore operation too and thus breaks the idioma and its users :)
Let's use different variable to hold restore result.
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy(a)virtuozzo.com>
---
src/qemu/qemu_driver.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 351e529..ced105b 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6732,6 +6732,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
qemuDomainAsyncJob asyncJob)
{
int ret = -1;
+ bool restored;
virObjectEventPtr event;
int intermediatefd = -1;
virCommandPtr cmd = NULL;
@@ -6758,13 +6759,13 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
}
/* Set the migration source and start it up. */
- ret = qemuProcessStart(conn, driver, vm, asyncJob,
- "stdio", *fd, path, NULL,
- VIR_NETDEV_VPORT_PROFILE_OP_RESTORE,
- VIR_QEMU_PROCESS_START_PAUSED);
+ restored = qemuProcessStart(conn, driver, vm, asyncJob,
+ "stdio", *fd, path, NULL,
+ VIR_NETDEV_VPORT_PROFILE_OP_RESTORE,
+ VIR_QEMU_PROCESS_START_PAUSED) >= 0;
if (intermediatefd != -1) {
- if (ret < 0) {
+ if (!restored) {
/* if there was an error setting up qemu, the intermediate
* process will wait forever to write to stdout, so we
* must manually kill it.
@@ -6775,7 +6776,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
if (virCommandWait(cmd, NULL) < 0) {
qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED, 0);
- ret = -1;
+ restored = false;
}
VIR_DEBUG("Decompression binary stderr: %s", NULLSTR(errbuf));
}
@@ -6783,18 +6784,16 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
if (VIR_CLOSE(*fd) < 0) {
virReportSystemError(errno, _("cannot close file: %s"), path);
- ret = -1;
+ restored = false;
}
- if (ret < 0) {
- virDomainAuditStart(vm, "restored", false);
+ virDomainAuditStart(vm, "restored", restored);
+ if (!restored)
goto cleanup;
- }
event = virDomainEventLifecycleNewFromObj(vm,
VIR_DOMAIN_EVENT_STARTED,
VIR_DOMAIN_EVENT_STARTED_RESTORED);
- virDomainAuditStart(vm, "restored", true);
qemuDomainEventQueue(driver, event);
--
1.8.3.1
8 years, 7 months
[libvirt] [libvirt-perl][PATCH] Add VIR_STORAGE_VOL_WIPE_ALG_TRIM constant
by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Changes | 1 +
Virt.xs | 1 +
lib/Sys/Virt/StorageVol.pm | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/Changes b/Changes
index cfcc640..cb57a4d 100644
--- a/Changes
+++ b/Changes
@@ -2,6 +2,7 @@ Revision history for perl module Sys::Virt
1.3.2 2016-02-00
+ - Add VIR_STORAGE_VOL_WIPE_ALG_TRIM constant
- Add VIR_FROM_XENXL constant
- Add VIR_DOMAIN_EVENT_ID_MIGRATION_ITERATION event
handling callback
diff --git a/Virt.xs b/Virt.xs
index e47d52e..06111b4 100644
--- a/Virt.xs
+++ b/Virt.xs
@@ -8187,6 +8187,7 @@ BOOT:
REGISTER_CONSTANT(VIR_STORAGE_VOL_WIPE_ALG_PFITZNER7, WIPE_ALG_PFITZNER7);
REGISTER_CONSTANT(VIR_STORAGE_VOL_WIPE_ALG_PFITZNER33, WIPE_ALG_PFITZNER33);
REGISTER_CONSTANT(VIR_STORAGE_VOL_WIPE_ALG_RANDOM, WIPE_ALG_RANDOM);
+ REGISTER_CONSTANT(VIR_STORAGE_VOL_WIPE_ALG_TRIM, WIPE_ALG_TRIM);
REGISTER_CONSTANT(VIR_STORAGE_VOL_RESIZE_ALLOCATE, RESIZE_ALLOCATE);
REGISTER_CONSTANT(VIR_STORAGE_VOL_RESIZE_DELTA, RESIZE_DELTA);
diff --git a/lib/Sys/Virt/StorageVol.pm b/lib/Sys/Virt/StorageVol.pm
index 84ba4e0..461a9fe 100644
--- a/lib/Sys/Virt/StorageVol.pm
+++ b/lib/Sys/Virt/StorageVol.pm
@@ -260,6 +260,10 @@ Cryptography" (1996)
1-pass, all zeroes
+=item Sys::Virt::StorageVol::WIPE_ALG_TRIM
+
+1-pass, trim all data on the volume by using TRIM or DISCARD
+
=back
VOLUME RESIZE CONSTANTS
--
2.4.10
8 years, 7 months
[libvirt] [PATCH] includes: Install libvirt-common.h
by Michal Privoznik
The libvirt-common.h is build time generated file from .in.
Obviously, it's generated into builddir and not srcdir. Problem
is, the list of header files to install, virinc_HEADERS contains
only $(srcdir)/*.h and this misses libvirt-common.h. This problem
is pretty obvious when doing a VPATH build.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Steps to reproduce:
1) make distclean
2) mkdir _build _install
3) cd _build
4) ../configure --prefix=$(pwd)/../_install
5) make && make install
6) find ../_install -name libvirt-common.h
include/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/Makefile.am b/include/Makefile.am
index d626963..6b0b41e 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -20,6 +20,7 @@ virincdir = $(includedir)/libvirt
allheaders = $(wildcard $(srcdir)/libvirt/*.h)
virinc_HEADERS = $(filter-out $(srcdir)/libvirt/libvirt-admin.h, $(allheaders))
+virinc_HEADERS += libvirt/libvirt-common.h
EXTRA_DIST = libvirt/libvirt-common.h.in
--
2.4.10
8 years, 7 months
