This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68ba)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.

Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit db0b7845)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f37 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>

The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit e37bd65f)

The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f111e094)

The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 96f41cd7)

* docs/news.xml: updated
* po/*.po*: regenerated

Signed-off-by: Daniel Veillard <veillard@redhat.com>

Chen Hanxiao authored 7 years ago and John Ferlan committed 7 years ago

commit b4b5c82c forgot to add this.

Signed-off-by: Chen Hanxiao <chenhanxiao@gmail.com>

When removing a conditional in:

  commit da1ade7a
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Fri Mar 23 10:50:59 2018 +0000

    remote: remove some __sun conditionals

the corresponding comment was mistakenly left behind.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Some of the indents were only 2 spaces, make consistent w/ 4 spaces.
Also some indents didn't align properly. Fix them all up.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>

If someone set a user alias or pcihole64 on an implicit controller,
we need to format it to migrate the domain properly.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Joseph Richard <Joseph.Richard@windriver.com>

Do not crash in virDomainDeviceInfoParseXML if someone provides
an 'alias' element without a 'name' attribute.

Signed-off-by: Ján Tomko <jtomko@redhat.com>

Commit 2499d1a0 was too eager and possibly enabled polkit
on all platforms with D-Bus, regardless of whether they use polkit.

Reintroduce the usage of pkcheck as a witness for --with-polkit=check,
but do not require it for --with-polkit=yes.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Jiří Denemark <jdenemar@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Rainer Müller authored 7 years ago and Jano Tomko committed 7 years ago

After validation against XHTML 1.0 was dropped in f802c9de,
the XML_CATALOG_FILE is not in use anymore. Therefore the checks in
configure can be removed.

Signed-off-by: Rainer Müller <raimue@codingfarm.de>

When GIC support was introduced (QEMU 2.6 timeframe) we needed
to make sure both GICv2 hardware and GICv3 hardware were handled
correctly, and that was achieved by having separate capabilities
data for each.

Now that we have capabilities data for several QEMU versions we
can stop storing data for GICv2 and GICv3 hardware separately,
and instead have GICv2 data for QEMU <= 2.10 and GICv3 data for
QEMU >= 2.12, without losing any coverage.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>

Signed-off-by: Andrea Bolognani <abologna@redhat.com>

Test cases in qemucapabilitiestest are ordered by architecture
first, then by QEMU version. Use the same order here.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

Document support for the virtio-gpu-ccw and
virtio-{keyboard, mouse, tablet}-ccw devices.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

QEMU on S390 (since v2.11) can support virtio input ccw devices.
So build the qemu command line for ccw devices.

Also add test cases for virtio-{keyboard, mouse, tablet}-ccw.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

QEMU on S390 (since v2.11) can support virtio input ccw devices.
Introduce qemu capabilities for these devices.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

S390 guests can only support a virtio-gpu-ccw device as a video
device. So set default video model type to VIR_DOMAIN_VIDEO_TYPE_VIRTIO
for S390 guests.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

QEMU on S390 (since v2.11) can support the virtio-gpu-ccw device,
which can be used as a video device.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>

Farhan Ali authored 7 years ago and Jano Tomko committed 7 years ago

QEMU on S390 (since v2.11) can support virtio-gpu-ccw device.
Let's introduce a new qemu capability for the device.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>

In previous releases all these methods were a no-op if the network
driver is disabled. These helper methods are called unconditionally for
all types of network interface, so must be no-ops if missing. Other code
will already generate an error if the network driver is disabled and a
NIC with type=network is used.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

The libvirtd daemon has some arbitrary logic to drop privileges, but
only on Solaris platforms. This was added during Xen days, when Xen was
the only driver running in libvirtd. There's no expectation or testing
that this works with the new libxl stack, nor whether dropping
privileges breaks any of the secondary drivers. Finally, we'll be
splitting drivers out into their own independant daemons, so this won't
be applicable to libvirtd in future anyway.

The remote driver client meanwhile arbitrarily disables daemon
auto-spawn when connecting as non-root, breaking a key feature of
libvirt unprivileged connections.

Since we've not had any contributions for Solaris since circa 2012
and we don't do any CI testing we should consider this platform
unmaintained and thus reasonable to remove this cruft. If someone steps
forward to maintain Solaris again, this code would need re-evaluating to
come up with something more targetted.

There's various __sun conditionals in the Xen driver code, but those are
not touched. This is all for the legacy Xen driver, which will be
entirely removed at some point in future, so not benefit to hacking out
just the Solaris parts.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1558317



Similarly to b133fac3 we need to look up alias of CCID
controller when constructing smartcard command line instead of
relying on broken assumption it will always be 'ccid0'. After
user aliases it can be anything.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Starting with commit id 'fab9d6e1' the formatting of:

{ "command-name", QEMU_CAPS_NAME },

was altered to:

{ "command-name", QEMU_CAPS_NAME},

and then commit id 'e2b05c9a' altered that to:

{ "command-name", QEMU_CAPS_NAME}

So, let's just fix that up to make things consistent with the
rest of the structures.

Signed-off-by: John Ferlan <jferlan@redhat.com>

There is no such function in our code. Commit abca72fa added it
spuriously.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

The 'simple' monitor tests were quite useless, since the code did not
even check whether the correct command was called.

This patch uses the QAPI schema validator to validate that the arguments
are in format according to the schema.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Add infrastructure that will allow testing schema of the commands we
pass to the fake monitor object, so that we can make sure that it
actually does something.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Prepare for testing of the schema of used commands by changing few
arguments to values which will not be rejected.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Add a function which will allow to test whether a JSON object conforms
to the QAPI schema. This greatly helps when developing formatters for
new JSON objects and will help make sure that the code will not break in
cases which have unit tests but were actually not function-tested
(mostly various disk access protocols).

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Add the QAPI schema (returned by 'query-qmp-schema' command) which will
be used for QAPI schema testing in upcoming patches.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

virQEMUQAPISchemaTraverse would return previous-to-last queried item on
a query. It would not be a problem if checking if the given path exists
since error reporting works properly but if the caller is interested in
the result, it would be wrong.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

The JSON array was processed to the hash table used by the query apis in
the monitor code. Move it to a new helper in qemu_qapi.c.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Change the prefix of the functions to 'virQEMUQapi' and rename the two
public APIs so that the verb is put last.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Extract the code into qemu_qapi.c/h so that we separate it from various
parts of the code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Most other buffer APIs tolerate the buffer being NULL.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>

Prafull authored 7 years ago and Daniel P. Berrangé committed 7 years ago

The code that calls VIR_WARN after a function fails, doesn't
report the error message raised by the failing function.
Such error messages are now reported in lxc/lxc_driver.c

Signed-off-by: Prafullkumar Tale <talep158@gmail.com>