For some weird reason, i686-pc-mingw32-gcc version 4.6.1 at -O2 complained:
../../src/conf/nwfilter_params.c: In function 'virNWFilterVarCombIterCreate':
../../src/conf/nwfilter_params.c:346:23: error: 'minValue' may be used uninitialized in this function [-Werror=uninitialized]
../../src/conf/nwfilter_params.c:319:28: note: 'minValue' was declared here
../../src/conf/nwfilter_params.c:344:23: error: 'maxValue' may be used uninitialized in this function [-Werror=uninitialized]
../../src/conf/nwfilter_params.c:319:18: note: 'maxValue' was declared here
cc1: all warnings being treated as errors
even though all paths of the preceding switch statement either
assign the variables or return.
* src/conf/nwfilter_params.c (virNWFilterVarCombIterAddVariable):
Initialize variables.
---
Pushing under the build-breaker rule.
src/conf/nwfilter_params.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 8949b95..7400fa0 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -1,7 +1,7 @@
/*
* nwfilter_params.c: parsing and data maintenance of filter parameters
*
- * Copyright (C) 2011 Red Hat, Inc.
+ * Copyright (C) 2011-2012 Red Hat, Inc.
* Copyright (C) 2010 IBM Corporation
*
* This library is free software; you can redistribute it and/or
@@ -316,7 +316,7 @@ virNWFilterVarCombIterAddVariable(virNWFilterVarCombIterEntryPtr cie,
const virNWFilterVarAccessPtr varAccess)
{
virNWFilterVarValuePtr varValue;
- unsigned int maxValue, minValue;
+ unsigned int maxValue = 0, minValue = 0;
const char *varName = virNWFilterVarAccessGetVarName(varAccess);
varValue = virHashLookup(hash->hashTable, varName);
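Review bot: initialising maxValue and minValue to 0 at their declaration in virNWFilterVarCombIterAddVariable silences the -Werror=uninitialized diagnostic, but the commit message says every path of the switch that follows either assigns both variables or returns, so the initialisers are purely a workaround for a gcc 4.6.1 false positive. Say so in a comment at the declaration (pointing at the mingw warning quoted in the commit message), otherwise a later cleanup may drop the `= 0` and reintroduce the build break, or a reader may assume 0 is a meaningful default range for a variable access that reached neither branch.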
--
1.7.7.5
[libvirt] [BUG, PATCH-RFC] libvirt localtime and rtc_timeoffset handling in xen-sexpr/sxpr/sxp
by Philipp Hahn 11 Jan '12
Hello,
I'm currently tracking a problem in libvirt regarding Xen's handling of
localtime and rtc_timeoffset. My current understanding (Xen-3.4.3 and
Xen-4.1.2 under Linux) of Xend (the deprecated Python one still used by
libvirt) is as follows:
- for HV domains, the RTC gets set up to either UTC or localtime depending
on "/domain/image/hvm/localtime" ± "/domain/image/hvm/rtc_offset".
- if the OS of a domU changes its RTC, the rtc_offset gets adjusted and is
saved in XenStore as "/vm/$UUID/rtc/timeoffset".
- if the dom0 accesses its RTC, it accesses the real HW-RTC.
- the Xen hypervisor initially reads the HW-RTC once to set up its wallclock,
which is then used to simulate the domU RTCs. (The HW-RTC is otherwise only
accessed on (ACPI-)suspend and resume, and for NTP drift correction from
dom0).
- on shutdown the rtc_offset is stored by Xend in
the "/var/lib/xend/domains/$uuid/config.sxp" file
in "/domain/image/hvm/rtc_timeoffset", from where it is loaded again on the next
start.
- since PV domains don't have an RTC, they somehow(?) get initialized to either
localtime or UTC depending on "/domain/image/linux/localtime".
@xen:
Did I figure that out correctly?
@xen:
Is there some documentation on the Xen-sxp domain configuration? For the
Python-based xen-xm format, I found (and updated)
<http://wiki.xen.org/wiki/XenConfigurationFileOptions>, but for Xen-sxp I have so
far found no documentation, especially on what changed between xen-1, xen-2,
xen-3.x, xen-4.x.
@libvirt:
Comparing Xend's handling to <http://libvirt.org/formatdomain.html#elementsTime>,
the current translation done by libvirt looks wrong; I think it dates back
to the time when Xen supported only PV domUs:
libvirt translates the Xen configuration to "localtime" and "utc", ignoring
the "rtc_offset", which exists for HV domains. For localtime=0 this
translates to libvirt's offset="variable" case, but for localtime=1 there is
no matching mapping in libvirt.
Since for PV domains no rtc_timeoffset is tracked, the mapping to "utc"
and "localtime" looks right there.
For libvirt there was a patch
<http://www.redhat.com/archives/libvir-list/2009-January/msg00757.html> which
added some special handling for "localtime" to be placed either
in "/domain/localtime" or "/domain/image/{hvm,linux}/localtime". Xend from
3.4.3 and 4.1.2 seems to accept either one, but /domain/image/hvm/localtime
is preferred and overwrites the first one. When reading back the
configuration, the setting is always returned
as /domain/image/{hvm,linux}/localtime.
@John:
Is there a case, where /domain/localtime is returned or is that key
always translated to /domain/linux/{hvm,linux}/localtime? As you had a
sun.com email address, was this some special case when using Xen with
Solaris?
@libvirt:
The attached patch (for 0.8.7) would change the implementation to match the
following:
1. For Xen-PV-domUs, use clock/@offset='utc' and clock/@offset='localtime'.
2. For Xen-HV-domUs, use clock/@offset='variable'.
3. For backward compatibility with old libvirt XML files, convert
clock/@offset='utc' → (localtime 0)(rtc_timeoffset 0) and
clock/@offset='localtime' → (localtime 1)(rtc_timeoffset 0). On readback that
will be returned as clock/@offset='variable'!
4. For Xen-HV-domUs with (localtime=1)(rtc_timeoffset≠0) print a warning that
there is no mapping to libvirt's XML.
5. Always put the (localtime)(rtc_offset) SEXPRs in "(image ({linux,hvm})",
since this is where Xend-3.4 and Xend-4.1 return them.
I also checked Xen-3.2, where this is okay, but I don't have any older
versions of Xen available (and running), so I can't verify that it still
works there.
Which leads me to another question: Which versions of Xen are still
supported by libvirt (and must be checked for regressions)? I don't want to
actively remove the code for old Xen versions, but it gets harder and harder
to maintain all those versions. So a statement like "Xen-3.x and Xen-4.y are
actively supported by libvirt-0.a.b; older versions might still work (by
accident ;-)"
Before I forward-port that change to 0.9.10 I'd like to get some comments.
Thanks in advance.
Sincerely
Philipp Hahn
--
Philipp Hahn Open Source Software Engineer hahn(a)univention.de
Univention GmbH Linux for Your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99
http://www.univention.de/
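A small model of the sexpr-to-XML mapping proposed in points 1 to 5 of the message above, added here as an illustration; it is not part of the original post and not libvirt's code. The XenClock type, the function names and the fallback to an old top-level (localtime N) are assumptions; the field names localtime and rtc_timeoffset and the (image ({linux,hvm} ...)) placement come from the message.

```python
import re
from dataclasses import dataclass

# Tokeniser for the small Xen sexpr subset used here: parentheses and bare atoms.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


@dataclass
class XenClock:
    """Time-related fields of a Xend domain sexpr (model, not libvirt's struct)."""
    hvm: bool                # True for an HV domU, False for a PV domU
    localtime: int = 0       # (localtime 0|1)
    rtc_timeoffset: int = 0  # (rtc_timeoffset N); only tracked for HV domUs


def parse_sexpr(text):
    """Parse a Xen-style s-expression into nested lists of strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0][0]


def lookup(node, path):
    """Follow a path such as ["image", "hvm", "localtime"]; None if absent."""
    for name in path:
        node = next((c for c in node[1:]
                     if isinstance(c, list) and c and c[0] == name), None)
        if node is None:
            return None
    return node


def clock_from_sexpr(text):
    """Read (localtime)/(rtc_timeoffset) where the message says Xend returns
    them, under (image (hvm ...)) or (image (linux ...)); an old top-level
    (localtime N) is accepted as a fallback (assumption)."""
    dom = parse_sexpr(text)
    hvm = lookup(dom, ["image", "hvm"]) is not None
    kind = "hvm" if hvm else "linux"
    lt = lookup(dom, ["image", kind, "localtime"]) or lookup(dom, ["localtime"])
    off = lookup(dom, ["image", kind, "rtc_timeoffset"])
    return XenClock(hvm=hvm,
                    localtime=int(lt[1]) if lt else 0,
                    rtc_timeoffset=int(off[1]) if off and hvm else 0)


def clock_to_sexpr(clock):
    """Rule 5: always emit the fields inside (image ({linux,hvm} ...))."""
    if clock.hvm:
        return ("(image (hvm (localtime %d)(rtc_timeoffset %d)))"
                % (clock.localtime, clock.rtc_timeoffset))
    return "(image (linux (localtime %d)))" % clock.localtime


def libvirt_to_xen(offset, hvm, adjustment=0):
    """Rules 1-3: clock/@offset (plus @adjustment for 'variable') -> sexpr fields."""
    if offset == "utc":
        return XenClock(hvm, localtime=0, rtc_timeoffset=0)
    if offset == "localtime":
        return XenClock(hvm, localtime=1, rtc_timeoffset=0)
    if offset == "variable":
        if not hvm:
            raise ValueError("PV domUs track no rtc_timeoffset; use utc or localtime")
        return XenClock(True, localtime=0, rtc_timeoffset=adjustment)
    raise ValueError("unsupported clock offset %r" % offset)


def xen_to_libvirt(clock, warnings):
    """Rules 1, 2 and 4: sexpr fields -> (offset, adjustment).

    HV domUs always come back as 'variable', so rule 3's (localtime 1) round-trips
    as variable, exactly as the message warns; (localtime 1) together with a
    non-zero rtc_timeoffset has no libvirt XML equivalent and is reported."""
    if not clock.hvm:
        return ("localtime" if clock.localtime else "utc", None)
    if clock.localtime and clock.rtc_timeoffset != 0:
        warnings.append("HV domU has (localtime 1)(rtc_timeoffset %d): "
                        "no mapping to libvirt XML" % clock.rtc_timeoffset)
    return ("variable", clock.rtc_timeoffset)
```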
Overall status: failed
Start date: Wed Jan 11 2012
Start time: 11:29:22 UTC / 06:29:22 EST
Build counter: 1326281362
Build timestamp: 1326281362
URL: http://builder.virt-tools.org/index.html
Module: libvirt
Status: failed
URL: http://builder.virt-tools.org/module-libvirt.html
11 Jan '12
Test access to variables using different iterators.
---
scripts/nwfilter/nwfilter2vmtest.sh | 6
scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall | 193 +++++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml | 23 ++
3 files changed, 222 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -348,9 +348,15 @@ createVM() {
<parameter name='A' value='1.1.1.1'/>
<parameter name='A' value='2.2.2.2'/>
<parameter name='A' value='3.3.3.3'/>
+ <parameter name='A' value='3.3.3.3'/>
<parameter name='B' value='80'/>
<parameter name='B' value='90'/>
<parameter name='B' value='80'/>
+ <parameter name='B' value='80'/>
+ <parameter name='C' value='1080'/>
+ <parameter name='C' value='1090'/>
+ <parameter name='C' value='1100'/>
+ <parameter name='C' value='1110'/>
</filterref>
<target dev='${vmname}'/>
</interface>
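Review bot: the added `<parameter name='A' value='3.3.3.3'/>` and `<parameter name='B' value='80'/>` entries repeat values already present in the A and B lists, and the commit message "Test access to variables using different iterators." does not say this is deliberate, so a reader will take them for copy-paste mistakes. State in the commit message (or a comment beside the parameters) that the duplicates check that the iterators do not emit duplicate iptables rules, which is what the expected iter-test2.fwall output relies on (three tcp rows for the dscp=1 rule, not four).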
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall
@@ -0,0 +1,193 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x01tcp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x01tcp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x01tcp dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x01tcp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x01tcp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FORWARD -n --line-number | grep libvirt
+1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0
+2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0
+3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' srcportstart='$B[@2]' dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@2]'
+ dscp='3'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@3]'
+ dscp='4'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/>
+ </rule>
+</filter>
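Review bot: the first rule pairs a bare `$A` with `$B[@0]` and the last rule uses bare `$A` twice, so the test depends on a bare variable reference being the same as iterator @0 (the expected output zips A and B into three rows instead of a 3x3 cross product). That equivalence is stated neither here nor in the cover letter; spell it out in the commit message, and consider an extra rule written with `$A[@0]` explicitly so that a regression in either spelling is caught on its own.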
11 Jan '12
Test access to 2 lists in one rule
---
scripts/nwfilter/nwfilter2vmtest.sh | 6 +++
scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall | 31 +++++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml | 6 +++
3 files changed, 43 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -345,6 +345,12 @@ createVM() {
<source bridge='virbr0'/>
<filterref filter='${filtername}'>
<parameter name='IP' value='${ipaddr}'/>
+ <parameter name='A' value='1.1.1.1'/>
+ <parameter name='A' value='2.2.2.2'/>
+ <parameter name='A' value='3.3.3.3'/>
+ <parameter name='B' value='80'/>
+ <parameter name='B' value='90'/>
+ <parameter name='B' value='80'/>
</filterref>
<target dev='${vmname}'/>
</interface>
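Review bot: B is given the values 80, 90, 80 while A has three distinct addresses, and the expected iter-test1.fwall keeps both 80 rows (1.1.1.1 spt:80 and 3.3.3.3 spt:80), so the repeated value is checking that equal entries at different list positions stay paired with their A counterpart rather than being collapsed. Say so in the commit message; "Test access to 2 lists in one rule" does not tell a reader why the second 80 is there.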
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall
@@ -0,0 +1,31 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02tcp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02tcp dpt:80 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02tcp dpt:90 state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02tcp dpt:80 state ESTABLISHED ctdir ORIGINAL
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02tcp spt:90 state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FORWARD -n --line-number | grep libvirt
+1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0
+2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0
+3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml
@@ -0,0 +1,6 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B' dscp='2'/>
+ </rule>
+</filter>
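Review bot: the values of `$A` and `$B` are not defined anywhere in this file, and the rule uses the plain `$A`/`$B` form only. Read together with iter-test1.fwall, which expects the three pairs (1.1.1.1, 80), (2.2.2.2, 90) and (3.3.3.3, 80), this case exercises the default behaviour where both variables advance in lockstep; it does not touch the independent-iterator (`$TEST[$@2]`) or index (`$TEST[1]`) syntax the cover letter introduces. If the other two test cases in the series do not already cover those forms, add a rule using each so that the new parsing paths are checked by the TCK, and add a short comment (or a companion file) recording which values of `$A` and `$B` the expected output was generated from.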
[libvirt] [PATCH v2 0/6] nwfilter: Enable access to variables via iterator or index
by Stefan Berger 11 Jan '12
This patch enables access to variables in filters using indep. iterators
($TEST[$@2]) or via index ($TEST[1]).
Three test cases are added that are also being used for libvirt-TCK to
check that the instantiation of the filtering rules is correct.
v1 -> v2:
- addressed Eric Blake's comments
Regards,
Stefan
From: Alex Jia <ajia(a)redhat.com>
When running virsh migrate with the --xml option and the xml file doesn't
exist, virsh doesn't output any error information, although the return value
is 1.
* tools/virsh.c: Raise an appropriate error when the operation fails.
* How to reproduce?
% virsh migrate <domain> --live qemu+ssh://<target host>/system --xml non-existent.xml
% echo $?
* Fixed result:
error: file 'non-existent.xml' doesn't exist
Signed-off-by: Alex Jia <ajia(a)redhat.com>
---
tools/virsh.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index e4b812e..020e7b5 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -6338,9 +6338,10 @@ doMigrate (void *opaque)
flags |= VIR_MIGRATE_CHANGE_PROTECTION;
if (xmlfile &&
- virFileReadAll(xmlfile, 8192, &xml) < 0)
+ virFileReadAll(xmlfile, 8192, &xml) < 0) {
+ vshError(ctl, _("file '%s' doesn't exist"), xmlfile);
goto out;
-
+ }
if ((flags & VIR_MIGRATE_PEER2PEER) ||
vshCommandOptBool (cmd, "direct")) {
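Review bot: the new message `file '%s' doesn't exist` assumes the only way `virFileReadAll(xmlfile, 8192, &xml)` can fail is a missing file, but that call also fails when the file is unreadable (permissions, I/O error) or when it exceeds the 8192-byte limit passed as the second argument; in those cases the user is told a file that plainly exists does not exist. Report the condition generically instead, e.g. `vshError(ctl, _("cannot read file '%s'"), xmlfile);`, or branch on errno so ENOENT keeps the "doesn't exist" wording and the other failures get an accurate one.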
--
1.7.1
[libvirt] [PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
by Daniel P. Berrange 11 Jan '12
From: "Daniel P. Berrange" <berrange(a)redhat.com>
When sVirt is integrated with the LXC driver, it will be necessary
to invoke the security driver APIs using only a virDomainDefPtr
since the lxc_container.c code has no virDomainObjPtr available.
Aside from two functions which want obj->pid, every bit of the
security driver code only touches obj->def. So we don't need to
pass a virDomainObjPtr into the security drivers, a virDomainDefPtr
is sufficient. Two functions also gain a 'pid_t pid' argument.
* src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c,
src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
src/security/security_apparmor.c,
src/security/security_dac.c,
src/security/security_driver.h,
src/security/security_manager.c,
src/security/security_manager.h,
src/security/security_nop.c,
src/security/security_selinux.c,
src/security/security_stack.c: Change all security APIs to use a
virDomainDefPtr instead of virDomainObjPtr
---
src/qemu/qemu_driver.c | 10 +-
src/qemu/qemu_hotplug.c | 28 ++--
src/qemu/qemu_migration.c | 12 +-
src/qemu/qemu_process.c | 24 ++--
src/security/security_apparmor.c | 136 ++++++++++----------
src/security/security_dac.c | 91 +++++++-------
src/security/security_driver.h | 36 +++---
src/security/security_manager.c | 40 +++---
src/security/security_manager.h | 36 +++---
src/security/security_nop.c | 36 +++---
src/security/security_selinux.c | 260 +++++++++++++++++++-------------------
src/security/security_stack.c | 44 ++++---
12 files changed, 381 insertions(+), 372 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6cfdd1d..6e001ce 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom,
}
unlink_tmp = true;
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
@@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec
*/
if (virDomainObjIsActive(vm)) {
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0) {
+ vm->def, vm->pid, seclabel) < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label"));
goto cleanup;
@@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
out:
virCommandFree(cmd);
if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
return ret;
@@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom,
goto endjob;
}
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
priv = vm->privateData;
qemuDomainObjEnterMonitor(driver, vm);
@@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver,
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto cleanup;
- if (virSecurityManagerSetImageLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", source);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 96c0070..684fede 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
goto error;
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, origdisk) < 0)
+ vm->def, origdisk) < 0)
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0)
@@ -141,7 +141,7 @@ error:
VIR_FREE(driveAlias);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on new media %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -283,7 +283,7 @@ error:
VIR_WARN("Unable to release PCI address on %s", disk->src);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -530,7 +530,7 @@ error:
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -623,7 +623,7 @@ error:
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
if (virSecurityManagerSetHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
return -1;
switch (hostdev->source.subsys.type) {
@@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
error:
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
VIR_WARN("Unable to restore host device labelling on hotplug fail");
return -1;
@@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
@@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
@@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver,
}
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, dev->data.hostdev) < 0)
+ vm->def, dev->data.hostdev) < 0)
VIR_WARN("Failed to restore host device labelling");
return ret;
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 8ae989a..b3ef894 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver,
virReportOOMError();
goto cleanup;
}
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0)
+ if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) {
spec.dest.fd.qemu = virNetSocketDupFD(sock, true);
virNetSocketFree(sock);
}
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 ||
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
spec.dest.fd.qemu == -1)
goto cleanup;
} else {
@@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver,
spec.dest.fd.local = fds[0];
}
if (spec.dest.fd.qemu == -1 ||
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
spec.dest.fd.qemu) < 0) {
virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration"));
@@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
* doesn't have to open() the file, so while we still have to
* grant SELinux access, we can do it on fd and avoid cleanup
* later, as well as skip futzing with cgroup. */
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
compressor ? pipeFD[1] : fd) < 0)
goto cleanup;
bypassSecurityDriver = true;
@@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
}
if ((!bypassSecurityDriver) &&
virSecurityManagerSetSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
goto cleanup;
restoreLabel = true;
}
@@ -2951,7 +2951,7 @@ cleanup:
virCommandFree(cmd);
if (restoreLabel && (!bypassSecurityDriver) &&
virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
if (cgroup != NULL) {
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2563f97..58ce333 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
qemuMonitorPtr mon = NULL;
if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
- vm) < 0) {
+ vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name);
goto error;
@@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
}
priv->mon = mon;
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for monitor for %s"),
vm->def->name);
goto error;
@@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data)
* sockets the lock driver opens that we don't want
* labelled. So far we're ok though.
*/
- if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (virDomainLockProcessStart(h->driver->lockManager,
h->vm,
@@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data)
true,
&fd) < 0)
goto cleanup;
- if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (qemuProcessLimits(h->driver) < 0)
@@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data)
return -1;
VIR_DEBUG("Setting up security labelling");
- if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
ret = 0;
@@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque)
goto error;
}
- if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0)
+ if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
goto error;
if (qemuProcessNotifyNets(obj->def) < 0)
@@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)");
- if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false);
goto cleanup;
}
@@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn,
VIR_DEBUG("Setting domain security labels");
if (virSecurityManagerSetAllLabel(driver->securityManager,
- vm, stdin_path) < 0)
+ vm->def, stdin_path) < 0)
goto cleanup;
if (stdin_fd != -1) {
@@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn,
goto cleanup;
}
if (S_ISFIFO(stdin_sb.st_mode) &&
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0)
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0)
goto cleanup;
}
@@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver,
/* Reset Security Labels */
virSecurityManagerRestoreAllLabel(driver->securityManager,
- vm, migrated);
- virSecurityManagerReleaseLabel(driver->securityManager, vm);
+ vm->def, migrated);
+ virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
if (VIR_ALLOC(seclabel) < 0)
goto no_memory;
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0)
+ vm->def, vm->pid, seclabel) < 0)
goto cleanup;
if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
goto no_memory;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 299dcc6..4848d85 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -47,7 +47,7 @@
/* Data structure to pass to *FileIterate so we have everything we need */
struct SDPDOP {
virSecurityManagerPtr mgr;
- virDomainObjPtr vm;
+ virDomainDefPtr def;
};
/*
@@ -159,7 +159,7 @@ profile_status_file(const char *str)
static int
load_profile(virSecurityManagerPtr mgr,
const char *profile,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
@@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr,
const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
? "1" : "0";
- xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE);
+ xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
if (!xml)
goto clean;
@@ -212,12 +212,12 @@ remove_profile(const char *profile)
}
static char *
-get_profile_name(virDomainObjPtr vm)
+get_profile_name(virDomainDefPtr def)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
char *name = NULL;
- virUUIDFormat(vm->def->uuid, uuidstr);
+ virUUIDFormat(def->uuid, uuidstr);
if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) {
virReportOOMError();
return NULL;
@@ -257,23 +257,23 @@ cleanup:
*/
static int
reload_profile(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
if (secdef->norelabel)
return 0;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* Update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) {
+ if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
*/
static int
AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *profile_name = NULL;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (vm->def->seclabel.baselabel) {
+ if (def->seclabel.baselabel) {
virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("Cannot set a base label with AppArmour"));
return rc;
}
- if ((vm->def->seclabel.label) ||
- (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
+ if ((def->seclabel.label) ||
+ (def->seclabel.model) || (def->seclabel.imagelabel)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s",
_("security label already defined for VM"));
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
- vm->def->seclabel.label = strndup(profile_name, strlen(profile_name));
- if (!vm->def->seclabel.label) {
+ def->seclabel.label = strndup(profile_name, strlen(profile_name));
+ if (!def->seclabel.label) {
virReportOOMError();
goto clean;
}
/* set imagelabel the same as label (but we won't use it) */
- vm->def->seclabel.imagelabel = strndup(profile_name,
+ def->seclabel.imagelabel = strndup(profile_name,
strlen(profile_name));
- if (!vm->def->seclabel.imagelabel) {
+ if (!def->seclabel.imagelabel) {
virReportOOMError();
goto err;
}
- vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
- if (!vm->def->seclabel.model) {
+ def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
+ if (!def->seclabel.model) {
virReportOOMError();
goto err;
}
/* Now that we have a label, load the profile into the kernel. */
- if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) {
+ if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot load AppArmor profile "
- "\'%s\'"), vm->def->seclabel.label);
+ "\'%s\'"), def->seclabel.label);
goto err;
}
@@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
goto clean;
err:
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- VIR_FREE(vm->def->seclabel.model);
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ VIR_FREE(def->seclabel.model);
clean:
VIR_FREE(profile_name);
@@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, const char *stdin_path)
+ virDomainDefPtr def, const char *stdin_path)
{
- if (vm->def->seclabel.norelabel)
+ if (def->seclabel.norelabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
GenSecurityLabel() will have already been run. */
if (stdin_path)
- return reload_profile(mgr, vm, stdin_path, true);
+ return reload_profile(mgr, def, stdin_path, true);
return 0;
}
@@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
*/
static int
AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec)
{
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (virStrcpy(sec->label, profile_name,
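Review bot: the new `pid_t pid` parameter of AppArmorGetSecurityProcessLabel is never used in the function body (the label is derived from `get_profile_name(def)` alone) but, unlike the `pid_t pid ATTRIBUTE_UNUSED` added to AppArmorReserveSecurityLabel later in this patch, it is not marked ATTRIBUTE_UNUSED. With libvirt's -Wunused-parameter warnings enabled this will produce a warning (and a build failure where -Werror is in effect); mark it `pid_t pid ATTRIBUTE_UNUSED,` for consistency with the other AppArmor callbacks.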
@@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
*/
static int
AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
VIR_FREE(secdef->model);
VIR_FREE(secdef->label);
@@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
* LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log
*/
static int
-AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
+AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
static int
AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
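Review bot: AppArmorSetSecurityDaemonSocketLabel keeps the parameter name `vm` (`virDomainDefPtr vm ATTRIBUTE_UNUSED`) while the two sibling functions directly below it, AppArmorSetSecuritySocketLabel and AppArmorClearSecuritySocketLabel, rename theirs to `def` as the rest of the patch does. The type change is correct, but a `virDomainDefPtr` called `vm` is exactly the confusion this series sets out to remove; rename it to `def` so that a later reader does not assume a virDomainObjPtr is still being passed.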
@@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
/* Called when hotplugging */
static int
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
/* Called when hotplugging */
static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, virDomainDiskDefPtr disk)
+ virDomainDefPtr def, virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name;
@@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, disk->src,
+ if (load_profile(mgr, secdef->imagelabel, def, disk->src,
false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
@@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
/* NOOP. Nothing to reserve with AppArmor */
return 0;
@@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
struct SDPDOP *ptr;
int ret = -1;
@@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (VIR_ALLOC(ptr) < 0)
return -1;
ptr->mgr = mgr;
- ptr->vm = vm;
+ ptr->def = def;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
@@ -743,44 +745,44 @@ done:
static int
AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- return reload_profile(mgr, vm, savefile, true);
+ return reload_profile(mgr, def, savefile, true);
}
static int
AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile ATTRIBUTE_UNUSED)
{
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
int rc = -1;
char *proc = NULL;
char *fd_path = NULL;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
@@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return rc;
}
- return reload_profile(mgr, vm, fd_path, true);
+ return reload_profile(mgr, def, fd_path, true);
}
virSecurityDriver virAppArmorSecurityDriver = {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0e75319..9c0017b 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk)
{
@@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk,
int migrated)
{
@@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
@@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
@@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
VIR_DEBUG("Restoring security label on %s migrated=%d",
- vm->def->name, migrated);
+ def->name, migrated);
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
virSecurityDACRestoreChardevCallback,
mgr) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
@@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
continue;
if (virSecurityDACSetSecurityImageLabel(mgr,
- vm,
- vm->def->disks[i]) < 0)
+ def,
+ def->disks[i]) < 0)
return -1;
}
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
virSecurityDACSetChardevCallback,
mgr) < 0)
return -1;
- if (vm->def->os.kernel &&
- virSecurityDACSetOwnership(vm->def->os.kernel,
+ if (def->os.kernel &&
+ virSecurityDACSetOwnership(def->os.kernel,
priv->user,
priv->group) < 0)
return -1;
- if (vm->def->os.initrd &&
- virSecurityDACSetOwnership(vm->def->os.initrd,
+ if (def->os.initrd &&
+ virSecurityDACSetOwnership(def->os.initrd,
priv->user,
priv->group) < 0)
return -1;
@@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- VIR_DEBUG("Dropping privileges of VM to %u:%u",
+ VIR_DEBUG("Dropping privileges of DEF to %u:%u",
(unsigned int) priv->user, (unsigned int) priv->group);
if (virSetUIDGID(priv->user, priv->group) < 0)
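Review bot: the VIR_DEBUG text in this hunk changed from "Dropping privileges of VM to %u:%u" to "Dropping privileges of DEF to %u:%u", which looks like an over-eager vm->def search and replace; the message describes the guest process whose uid/gid are being dropped, not the def structure, so keep the original wording "Dropping privileges of VM to %u:%u".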
@@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
{
return 0;
@@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
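Review bot: virSecurityDACSetDaemonSocketLabel keeps the parameter name `vm` (`virDomainDefPtr vm ATTRIBUTE_UNUSED`) while every other DAC entry point in this patch is renamed to `def`; use `virDomainDefPtr def ATTRIBUTE_UNUSED` here as well so the name no longer suggests a virDomainObjPtr.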
@@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
}
-
virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData),
"virDAC",
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index aea90b0..f0ace1c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
struct _virSecurityDriver {
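Review bot: the parameter names in these typedefs are inconsistent after the change: `virSecurityDomainSetDaemonSocketLabel` keeps `vm`, most others use `def`, and the label-related ones use `sec`, although they all now take a virDomainDefPtr; naming them `def` throughout would match the driver implementations. It would also help to document next to `virSecurityDomainReserveLabel` and `virSecurityDomainGetProcessLabel` that the new `pid` argument must be the domain's own process, since the type system no longer ties it to the def.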
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index cae9b83..2e4956a 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
}
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainRestoreSecurityImageLabel)
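Review bot: this file renames the parameter type but keeps the name `vm` (`virDomainDefPtr vm`) in every wrapper, whereas the matching prototypes in security_manager.h use `def`; pick one name in both files so the declaration and definition read the same.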
@@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityDaemonSocketLabel)
return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
@@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecuritySocketLabel)
return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
@@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainClearSecuritySocketLabel)
return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
@@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainSetSecurityImageLabel)
@@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainRestoreSecurityHostdevLabel)
@@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainSetSecurityHostdevLabel)
@@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainSetSavedStateLabel)
@@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainRestoreSavedStateLabel)
@@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainGenSecurityLabel)
return mgr->drv->domainGenSecurityLabel(mgr, vm);
@@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
if (mgr->drv->domainReserveSecurityLabel)
- return mgr->drv->domainReserveSecurityLabel(mgr, vm);
+ return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainReleaseSecurityLabel)
return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
@@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
if (mgr->drv->domainSetSecurityAllLabel)
@@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
if (mgr->drv->domainRestoreSecurityAllLabel)
@@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr sec)
{
if (mgr->drv->domainGetSecurityProcessLabel)
- return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec);
+ return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityProcessLabel)
return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
@@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
if (mgr->drv->domainSetSecurityImageFDLabel)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 12cd498..6731d59 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
virDomainDefPtr def);
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index a68a6c0..c3bd426 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU
}
static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
const char *stdin_path ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
int migrated ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED
}
static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 78c0d45..8b7c0ed 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -162,7 +162,7 @@ SELinuxInitialize(void)
static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *mcs = NULL;
@@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
int c2 = 0;
context_t ctx = NULL;
- if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
- !vm->def->seclabel.baselabel &&
- vm->def->seclabel.model) {
+ if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
+ !def->seclabel.baselabel &&
+ def->seclabel.model) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security model already defined for VM"));
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- vm->def->seclabel.label) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.imagelabel) {
+ if (def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security image label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.model &&
- STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
+ if (def->seclabel.model &&
+ STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label model %s is not supported with selinux"),
- vm->def->seclabel.model);
+ def->seclabel.model);
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
- if (!(ctx = context_new(vm->def->seclabel.label)) ) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
+ if (!(ctx = context_new(def->seclabel.label)) ) {
virReportSystemError(errno,
_("unable to allocate socket security context '%s'"),
- vm->def->seclabel.label);
+ def->seclabel.label);
return rc;
}
@@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
}
} while (mcsAdd(mcs) == -1);
- vm->def->seclabel.label =
- SELinuxGenNewContext(vm->def->seclabel.baselabel ?
- vm->def->seclabel.baselabel :
+ def->seclabel.label =
+ SELinuxGenNewContext(def->seclabel.baselabel ?
+ def->seclabel.baselabel :
default_domain_context, mcs);
- if (! vm->def->seclabel.label) {
+ if (! def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
}
- vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
- if (!vm->def->seclabel.imagelabel) {
+ def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
+ if (!def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
- if (!vm->def->seclabel.model &&
- !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
+ if (!def->seclabel.model &&
+ !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
virReportOOMError();
goto cleanup;
}
@@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
cleanup:
if (rc != 0) {
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- !vm->def->seclabel.baselabel)
- VIR_FREE(vm->def->seclabel.model);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ !def->seclabel.baselabel)
+ VIR_FREE(def->seclabel.model);
}
if (ctx)
@@ -278,28 +278,29 @@ cleanup:
VIR_FREE(mcs);
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
- NULLSTR(vm->def->seclabel.model),
- NULLSTR(vm->def->seclabel.label),
- NULLSTR(vm->def->seclabel.imagelabel),
- NULLSTR(vm->def->seclabel.baselabel));
+ NULLSTR(def->seclabel.model),
+ NULLSTR(def->seclabel.label),
+ NULLSTR(def->seclabel.imagelabel),
+ NULLSTR(def->seclabel.baselabel));
return rc;
}
static int
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def,
+ pid_t pid)
{
security_context_t pctx;
context_t ctx = NULL;
const char *mcs;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (getpidcon(vm->pid, &pctx) == -1) {
+ if (getpidcon(pid, &pctx) == -1) {
virReportSystemError(errno,
- _("unable to get PID %d security context"), vm->pid);
+ _("unable to get PID %d security context"), pid);
return -1;
}
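Review bot: with `pid` now passed separately from `def`, nothing in SELinuxReserveSecurityLabel checks that the two belong together, and the label reserved from getpidcon(pid) will be whatever that process carries; add a comment (or a note in the public header) that callers must pass the domain's own main process id, and consider keeping the `ATTRIBUTE_UNUSED` off `def` only where it is actually read, as is done here.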
@@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU
static int
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid,
virSecurityLabelPtr sec)
{
security_context_t ctx;
- if (getpidcon(vm->pid, &ctx) == -1) {
+ if (getpidcon(pid, &ctx) == -1) {
virReportSystemError(errno,
_("unable to get PID %d security context"),
- vm->pid);
+ pid);
return -1;
}
@@ -543,11 +545,11 @@ err:
static int
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk,
int migrated)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
@@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel)
@@ -648,8 +650,8 @@ static int
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
@@ -658,19 +660,19 @@ static int
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
static int
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
@@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!usb)
goto done;
- ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
+ ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def);
usbFreeDevice(usb);
break;
}
@@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!pci)
goto done;
- ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
+ ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def);
pciFreeDevice(pci);
break;
@@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
@@ -788,11 +790,11 @@ done:
static int
-SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxSetSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
@@ -834,11 +836,11 @@ done:
}
static int
-SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
@@ -882,27 +884,24 @@ done:
static int
-SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
-
/* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->source);
}
static int
-SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
@@ -916,7 +915,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxRestoreSecurityFileLabel(database);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -931,50 +930,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
int rc = 0;
- VIR_DEBUG("Restoring security label on %s", vm->def->name);
+ VIR_DEBUG("Restoring security label on %s", def->name);
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
SELinuxRestoreSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
false,
SELinuxRestoreSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
@@ -982,9 +981,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (secdef->label != NULL) {
@@ -1006,10 +1005,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -1020,10 +1019,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -1058,12 +1057,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1089,16 +1088,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
static int
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
context_t execcon = NULL;
context_t proccon = NULL;
security_context_t scon = NULL;
int rc = -1;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1139,7 +1138,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, context_str(proccon));
+ def->name, context_str(proccon));
if (setsockcreatecon(context_str(proccon)) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
@@ -1160,9 +1159,9 @@ done:
static int
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &vm->seclabel;
int rc = -1;
if (secdef->label == NULL)
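Review bot: this is the only function in security_selinux.c where the new virDomainDefPtr parameter keeps the name `vm` (`+ virDomainDefPtr vm)` and `&vm->seclabel`); every other function in the patch renames it to `def`. Renaming it here, and `vm->name` to `def->name` in the following hunk, keeps the file consistent and stops a reader from assuming it is still a virDomainObjPtr.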
@@ -1178,7 +1177,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, secdef->label);
+ vm->name, secdef->label);
if (setsockcreatecon(secdef->label) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
@@ -1197,12 +1196,12 @@ done:
static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1227,27 +1226,24 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
static int
-SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
-
/* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return SELinuxSetSecurityChardevLabel(vm, &dev->source);
+ return SELinuxSetSecurityChardevLabel(def, &dev->source);
}
static int
-SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
@@ -1261,7 +1257,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxSetFilecon(database, default_content_context);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1276,53 +1272,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
VIR_WARN("Unable to relabel directory tree %s for disk %s",
- vm->def->disks[i]->src, vm->def->disks[i]->dst);
+ def->disks[i]->src, def->disks[i]->dst);
continue;
}
if (SELinuxSetSecurityImageLabel(mgr,
- vm, vm->def->disks[i]) < 0)
+ def, def->disks[i]) < 0)
return -1;
}
- /* XXX fixme process vm->def->fss if relabel == true */
+ /* XXX fixme process def->fss if relabel == true */
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
SELinuxSetSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
true,
SELinuxSetSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (vm->def->os.kernel &&
- SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
+ if (def->os.kernel &&
+ SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
return -1;
- if (vm->def->os.initrd &&
- SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
+ if (def->os.initrd &&
+ SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
return -1;
if (stdin_path) {
@@ -1337,10 +1333,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 3f601c1..c82865f 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr,
static int
virSecurityStackGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
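Review bot: security_stack.c keeps the name `vm` for what is now a `virDomainDefPtr` in every function of this file, while security_selinux.c switches to `def` in the same patch; the two drivers implement the same interface, so a consistent name (preferably `def`, since the object is no longer a domain object) would make the type change easier to follow across files.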
@@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
- if (virSecurityManagerReserveLabel(priv->primary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
rc = -1;
#if 0
/* XXX See note in GenLabel */
- if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
rc = -1;
#endif
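Review bot: the new `pid_t pid` parameter is threaded through to both the primary call and the `#if 0` secondary call, but nothing in this hunk says what a driver is expected to do with it (reserve a label for an already running process, or merely record it); a one-line comment on the parameter, or on the declaration this signature mirrors, would help future readers, and the `#if 0` block keeping pace with the signature is good.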
@@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
@@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr seclabel)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
#if 0
- if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
rc = -1;
#endif
- if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
rc = -1;
return rc;
@@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
--
1.7.6.4
The main goal of this series is to provide an easy way to say that a guest CPU
should match host. Details can be found in individual patches.
Jiri Denemark (6):
tests: Print XML file name in verbose CPU test
cpu: Optionally forbid fallback CPU models
Add support for cpu mode attribute
cpu: Update guest CPU in host-* mode
Taint domains configured with cpu mode=host-passthrough
qemu: Add support for host CPU modes
docs/formatdomain.html.in | 12 +-
docs/schemas/domaincommon.rng | 32 +++
src/conf/capabilities.c | 2 +-
src/conf/cpu_conf.c | 264 +++++++++++++++-----
src/conf/cpu_conf.h | 38 +++-
src/conf/domain_conf.c | 5 +-
src/conf/domain_conf.h | 1 +
src/cpu/cpu.c | 2 +-
src/cpu/cpu_x86.c | 47 ++++-
src/libvirt_private.syms | 3 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 96 +++++---
src/qemu/qemu_domain.c | 15 +-
tests/cputest.c | 22 ++-
tests/cputestdata/x86-baseline-1-result.xml | 4 +-
tests/cputestdata/x86-baseline-2-result.xml | 4 +-
.../cputestdata/x86-baseline-no-vendor-result.xml | 4 +-
.../x86-baseline-some-vendors-result.xml | 4 +-
tests/cputestdata/x86-guest-nofallback.xml | 18 ++
.../cputestdata/x86-host+guest,model486-result.xml | 4 +-
.../x86-host+guest,models,Penryn-result.xml | 4 +-
.../x86-host+guest,models,qemu64-result.xml | 4 +-
tests/cputestdata/x86-host+guest,models-result.xml | 4 +-
tests/cputestdata/x86-host+guest-result.xml | 4 +-
tests/cputestdata/x86-host+guest.xml | 4 +-
...6-host+host+host-model,models,Penryn-result.xml | 19 ++
.../cputestdata/x86-host+host-model-nofallback.xml | 19 ++
tests/cputestdata/x86-host+host-model.xml | 18 ++
tests/cputestdata/x86-host+host-passthrough.xml | 18 ++
tests/cputestdata/x86-host+min.xml | 4 +-
.../cputestdata/x86-host+nehalem-force-result.xml | 4 +-
tests/cputestdata/x86-host+pentium3.xml | 4 +-
.../x86-host+strict-force-extra-result.xml | 4 +-
.../x86-host-better+pentium3,core2duo-result.xml | 4 +-
.../x86-host-better+pentium3,pentium3-result.xml | 4 +-
.../x86-host-better+pentium3-result.xml | 4 +-
tests/cputestdata/x86-host-model-nofallback.xml | 4 +
tests/cputestdata/x86-host-model.xml | 1 +
tests/cputestdata/x86-host-passthrough.xml | 1 +
tests/cputestdata/x86-host-worse+guest-result.xml | 4 +-
tests/qemuhelptest.c | 21 +-
tests/qemuxml2argvdata/qemu-lib.sh | 50 ++++
tests/qemuxml2argvdata/qemu-supported-cpus.sh | 15 ++
tests/qemuxml2argvdata/qemu.sh | 51 +----
tests/qemuxml2argvdata/qemuxml2argv-cpu-exact1.xml | 2 +-
.../qemuxml2argv-cpu-exact2-nofallback.args | 4 +
.../qemuxml2argv-cpu-exact2-nofallback.xml | 35 +++
.../qemuxml2argv-cpu-fallback.args | 19 ++
.../qemuxml2argvdata/qemuxml2argv-cpu-fallback.xml | 25 ++
.../qemuxml2argv-cpu-host-model-fallback.args | 19 ++
.../qemuxml2argv-cpu-host-model-fallback.xml | 19 ++
.../qemuxml2argv-cpu-host-model-nofallback.xml | 21 ++
.../qemuxml2argv-cpu-host-model.args | 19 ++
.../qemuxml2argv-cpu-host-model.xml | 19 ++
.../qemuxml2argv-cpu-host-passthrough.args | 19 ++
.../qemuxml2argv-cpu-host-passthrough.xml | 19 ++
.../qemuxml2argv-cpu-nofallback.xml | 25 ++
.../qemuxml2argv-cpu-qemu-host-passthrough.xml | 19 ++
tests/qemuxml2argvtest.c | 91 +++++---
.../qemuxml2xmlout-graphics-spice-timeout.xml | 86 +++++++
tests/qemuxml2xmltest.c | 2 +-
tests/testutilsqemu.c | 2 +
63 files changed, 1053 insertions(+), 244 deletions(-)
create mode 100644 tests/cputestdata/x86-guest-nofallback.xml
create mode 100644 tests/cputestdata/x86-host+host+host-model,models,Penryn-result.xml
create mode 100644 tests/cputestdata/x86-host+host-model-nofallback.xml
create mode 100644 tests/cputestdata/x86-host+host-model.xml
create mode 100644 tests/cputestdata/x86-host+host-passthrough.xml
create mode 100644 tests/cputestdata/x86-host-model-nofallback.xml
create mode 100644 tests/cputestdata/x86-host-model.xml
create mode 100644 tests/cputestdata/x86-host-passthrough.xml
create mode 100644 tests/qemuxml2argvdata/qemu-lib.sh
create mode 100755 tests/qemuxml2argvdata/qemu-supported-cpus.sh
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-exact2-nofallback.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-exact2-nofallback.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-fallback.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-fallback.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-model-fallback.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-model-fallback.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-model-nofallback.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-model.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-model.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-passthrough.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-host-passthrough.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-nofallback.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-qemu-host-passthrough.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-timeout.xml
--
1.7.8.2
11 Jan '12
add test for get and define save image xml and there are types of save image
file covered in the test: persistent, transient and invalid domain save image
---
scripts/qemu/400-save-image-xml.t | 107 +++++++++++++++++++++++++++++++++++++
1 files changed, 107 insertions(+), 0 deletions(-)
create mode 100644 scripts/qemu/400-save-image-xml.t
diff --git a/scripts/qemu/400-save-image-xml.t b/scripts/qemu/400-save-image-xml.t
new file mode 100644
index 0000000..d584de1
--- /dev/null
+++ b/scripts/qemu/400-save-image-xml.t
@@ -0,0 +1,107 @@
+# -*- perl -*-
+#
+# Copyright (C) 2012-2013 Red Hat, Inc.
+# Copyright (C) 2012-2013 Xiaoqiang Hu <xhu(a)redhat.com>
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+qemu/400-save-image-xml.t: test get and define xml from save image
+
+=head1 DESCRIPTION
+
+The test case validates that it is possible to define and get domain xml
+from save image. There are three types of save image file covered in the
+test: persistent, transient and invalid domain save image
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 10;
+
+use Sys::Virt::TCK;
+use Test::Exception;
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+ unlink "tck.img" if -f "tck.img";
+}
+
+SKIP:{
+ skip "Only relevant to QEMU driver", 10 unless $conn->get_type() eq "QEMU";
+
+ # scenario 1 - get/define xml from transient domain save image
+ my $xml = $tck->generic_domain("tck")->as_xml;
+ diag "Creating a new transient domain";
+ my $dom;
+ ok_domain(sub { $dom = $conn->create_domain($xml) }, "created transient domain object");
+
+ unlink "tck.img" if -f "tck.img";
+ eval { $dom->save("tck.img"); };
+ SKIP: {
+ skip "save/restore not implemented", 9 if $@ && err_not_implemented($@);
+ ok(!$@, "domain saved");
+ die $@ if $@;
+
+ my ($savedxmldesc, $savefile);
+ $savefile = "tck.img";
+ diag "Checking that transient domain has gone away";
+ ok_error(sub { $conn->get_domain_by_name("tck") }, "NO_DOMAIN error raised from missing domain",
+ Sys::Virt::Error::ERR_NO_DOMAIN);
+ eval { $savedxmldesc = $conn->get_save_image_xml_description($savefile, 0); };
+ SKIP: {
+ skip "get/define save img xml not implemented", 7 if $@ && err_not_implemented($@);
+ $savedxmldesc = $conn->get_save_image_xml_description($savefile, 0);
+ $savedxmldesc =~ s/destroy/restart/g;
+ $conn->define_save_image_xml($savefile, $savedxmldesc, 0);
+
+ $savedxmldesc = $conn->get_save_image_xml_description($savefile, 0);
+ ok(!($savedxmldesc =~ m/destroy/), "the transient domain save image xml has been updated");
+
+ # scenario 2 - get/define xml from persistent domain save image
+ my $xml = $tck->generic_domain("tck")->as_xml;
+ diag "Creating a new persistent domain";
+ ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object");
+
+ unlink "tck.img" if -f "tck.img";
+ diag "Starting inactive domain";
+ $dom->create;
+
+ $dom->save("tck.img");
+ diag "Checking that persistent domain is stopped";
+ ok_domain(sub { $conn->get_domain_by_name("tck") }, "persistent domain is still there", "tck");
+ is($dom->get_id, -1, "running domain with ID == -1");
+
+ $savedxmldesc = $conn->get_save_image_xml_description($savefile, 0);
+ $savedxmldesc =~ s/destroy/restart/g;
+ $conn->define_save_image_xml($savefile, $savedxmldesc, 0);
+
+ $savedxmldesc = $conn->get_save_image_xml_description($savefile, 0);
+ ok(!($savedxmldesc =~ m/destroy/), "the persistent save image xml has been updated");
+
+ # scenario 3 - get/define xml from invalid domain save image
+ unlink "tck.img" if -f "tck.img";
+ diag "Creating an invalid save img file";
+ `dd if=/dev/null of=tck.img bs=1M count=100 >& /dev/null 2>&1`;
+ ok($? == 0, "created 100M raw img file: test.img");
+ $savefile = "tck.img";
+ diag "Getting xml from invalid save image";
+ ok_error(sub { $conn->get_save_image_xml_description($savefile, 0) }, "failed to get invalid domain save image xml" );
+ }
+ }
+}
+# end
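Review bot: `dd if=/dev/null of=tck.img bs=1M count=100` in scenario 3 reads from /dev/null, which yields no data, so the resulting tck.img is empty rather than the 100M file that `ok($? == 0, "created 100M raw img file: test.img")` claims, and that description names `test.img` while the file is `tck.img`. An empty file still exercises the invalid-image path, so either fix the description or use `/dev/zero` if a 100M file is really intended. The `>& /dev/null 2>&1` redirection is also a problem: backticks hand a command with metacharacters to /bin/sh, and `>& file` is a bash extension that dash rejects with a syntax error, which would make `$?` non-zero and fail the test on such systems; `2>/dev/null` (or `>/dev/null 2>&1`) is portable. Two smaller points: `s/destroy/restart/g` followed by `ok(!($savedxmldesc =~ m/destroy/), ...)` passes vacuously if the generic domain XML never contained `destroy`, so a `like($savedxmldesc, qr/destroy/, ...)` before the substitution would make the check meaningful; and the description `"running domain with ID == -1"` is inverted, since the domain has just been saved and stopped, which is exactly why its ID is -1.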
--
1.7.1