path: root/src/launch.c
Commit log, newest first. Each entry shows the subject line, then the author, date and files/lines changed, then the commit message.
* Security: Mitigate possible privilege escalation via SG_IO ioctl (CVE-2011-4127, RHBZ#757071)
  Richard W.M. Jones, 2011-12-22; 1 file changed, 10 insertions(+), 0 deletions(-)

  CVE-2011-4127 is a serious qemu & kernel privilege escalation bug found by Paolo Bonzini.

  http://seclists.org/oss-sec/2011/q4/536

  An untrusted guest kernel is able to issue special SG_IO ioctls on virtio devices which qemu passes through to the host kernel without filtering or sanitizing. These ioctls allow raw sectors from the underlying host device to be read and written. Significantly, neither qemu nor the host kernel checks that the range of sectors is within the partition / LV assigned to the guest. For example, if the guest is assigned host partition /dev/sda3, it would be able to read or write any part of /dev/sda including other partitions and the boot sector.

  Exploits through LVs passed to the guest are also possible, with some limitations.

  File-backed virtual block devices are not vulnerable. Non-virtio block devices are not vulnerable.

  This patch mitigates the problem by disabling the SG_IO ioctl passthrough in qemu. Thus if libguestfs is examining an untrusted guest and the libguestfs appliance/daemon is compromised (eg. by executing guest commands, or through some other compromise), then the compromised appliance will not be able to issue the above SG_IO ioctls and exploit the host.

  Note that this is just mitigation for libguestfs. Users will still want to fully update their host kernel, qemu/KVM and libvirt, in order to prevent other (non-libguestfs) routes to compromise.

  The following versions of libguestfs (will/have) this patch applied.

    libguestfs >= 1.15.13
    libguestfs >= 1.14.8
    libguestfs >= 1.12.11
    libguestfs >= 1.10.12
    libguestfs >= 1.8.16

  Earlier versions may be vulnerable unless a downstream packager has applied this patch.

  Cc: Hilko Bengen <bengen@hilluzination.de>
  (cherry picked from commit 9a5f784d511a8f00a8386f316eab41fe660430db)
* Add test for qemu broken -machine option (RHBZ#748266).
  Richard W.M. Jones, 2011-10-31; 1 file changed, 12 insertions(+), 0 deletions(-)

  Also add this option, if necessary, when testing for virtio-serial support.

  When the workaround is enabled, we specify machine type 'pc'.

  (cherry picked from commit 3814680423984b3c46c2f99e944c2a71862bde9f)
* launch: Ensure g->cmdline is allocated before assigning g->cmdline[0].
  Richard W.M. Jones, 2011-10-19; 1 file changed, 14 insertions(+), 7 deletions(-)

  (cherry picked from commit 138e118d62046b197b715462072256082ecfc0f7)
* Add no_timer_check to disable faulty test during boot (RHBZ#502058).
  Richard W.M. Jones, 2011-10-19; 1 file changed, 1 insertion(+), 0 deletions(-)

  See:
  https://bugzilla.redhat.com/show_bug.cgi?id=502058#c15
  https://bugzilla.redhat.com/show_bug.cgi?id=698842#c8

  This updates commit 79e66f89e2f6c27486476d7857da58feb491bf5c.

  (cherry picked from commit 322106521f546d7c70c5a38255db7d243a456a6b)
* test_qemu: Improve the error message.
  Richard W.M. Jones, 2011-08-28; 1 file changed, 2 insertions(+), 1 deletion(-)

  Note that errno is probably not set to a useful value here, so there is not much point recording it.

  (cherry picked from commit f15961911316460f7d45342d63c2d784a483f0d1)
* test_qemu: pclose may return any != 0 on error.
  Richard W.M. Jones, 2011-08-28; 1 file changed, 1 insertion(+), 1 deletion(-)

  In particular pclose returns a status > 0 if the command fails.

  (cherry picked from commit a24652c7b27e8494268ccb6c9a5a2e5541ba5efd)
* qemu detection: Free up previous qemu help/version strings if they exist.
  Richard W.M. Jones, 2011-08-28; 1 file changed, 5 insertions(+), 0 deletions(-)

  (cherry picked from commit 2ace9be4cd69e84cd88e5b0fd74de861a4973c91)
* Coverity: test_qemu: Ensure FILE * is not leaked along error paths.
  Richard W.M. Jones, 2011-08-28; 1 file changed, 21 insertions(+), 15 deletions(-)

  This refactors the code in test_qemu slightly to ensure that FILE *fp is not leaked on error paths.

  (cherry picked from commit 08e77ad8cb4e8ac70d4217ebd5d236eba81645b5)
* Remove guestfs___print_timestamped_argv.
  Richard W.M. Jones, 2011-08-28; 1 file changed, 38 insertions(+), 44 deletions(-)

  This function was used to print the qemu and febootstrap-supermin-helper command lines. Unfortunately in the qemu case it was used incorrectly: it called the internal debug function (ie. event API callback) from the forked qemu subprocess, which meant that higher level event callbacks might have been invoked from the child process.

  To fix this, convert the qemu case into a new function called print_qemu_command_line which just prints the command line directly to stderr. This is called after stderr has been redirected into the pipe to the main process. Thus the qemu command line will be marshalled into the event API along with other qemu and appliance output.

  After fixing this, only one use of guestfs___print_timestamped_argv remained, for printing the febootstrap-supermin-helper command line. This is converted to a local function print_febootstrap_command_line.

  Also print_febootstrap_command_line is now called before we fork febootstrap-supermin-helper, so that messages no longer overlap.

  (cherry picked from commit 635af5be04265f845186b40e9a9fe7b102ad6909)
* Change link, since PostgreSQL switched to using git.
  Richard W.M. Jones, 2011-08-07; 1 file changed, 1 insertion(+), 1 deletion(-)

  (cherry picked from commit 3cf31c2fe0b356ea5c04117c5235b0a3cfe34971)
* launch: Add qemu_supports_re function.
  Richard W.M. Jones, 2011-07-26; 1 file changed, 43 insertions(+), 0 deletions(-)

  This function is like qemu_supports, but allows us to grep the help text using regular expressions.

  Note the function is not used yet.

  (cherry picked from commit 5d7dc0dfb65f367dab3560ee23e404fe21373f45)
* appliance: Capture stderr from qemu to the event system.
  Richard W.M. Jones, 2011-07-20; 1 file changed, 9 insertions(+), 1 deletion(-)
* appliance: Document pipe fds.
  Richard W.M. Jones, 2011-07-20; 1 file changed, 2 insertions(+), 0 deletions(-)
* New APIs: set-pgroup, get-pgroup
  Richard W.M. Jones, 2011-07-15; 1 file changed, 11 insertions(+), 6 deletions(-)

  If the pgroup flag is set in the handle, then the qemu and recovery subprocesses are placed in separate process groups. The default is false.

  The purpose for setting up a process group is that ^C will not be passed from the main process down to these processes (killing them). This allows ^C and other keyboard events to be caught and handled in the main process.
* appliance: Use qemu -machine option where available (RHBZ#700369).
  Richard W.M. Jones, 2011-05-17; 1 file changed, 23 insertions(+), 14 deletions(-)
* Fix guestfs___rollback_cmdline when pos == 0.
  Richard W.M. Jones, 2011-05-08; 1 file changed, 1 insertion(+), 1 deletion(-)

  Because of the previous change to size_t, when pos == 0 the loop would wrap around and cause a segmentation fault.

  This fixes a regression introduced by commit 10167cea98f93a74abe63f0a54d3a662997e7489.
* internal: Use size_t instead of int for command line size.
  Richard W.M. Jones, 2011-04-30; 1 file changed, 4 insertions(+), 4 deletions(-)
* Generate progress messages during launch.
  Richard W.M. Jones, 2011-04-01; 1 file changed, 35 insertions(+), 0 deletions(-)

  This commit generates approximate progress messages during the guestfs_launch call. Currently this code generates:

     0 / 12: launch clock starts
     3 / 12: appliance created
     6 / 12: detected that guest kernel started
     9 / 12: detected that /init script is running
    12 / 12: launch completed successfully

  (Note this is not an ABI and may be changed or removed in a future version).

  Progress messages are only generated at all if 5 seconds have elapsed since the launch, and they are only generated for the ordinary appliance (not if using attach-method to attach to an existing virtio serial port).
* Add prototype for timeval_diff.
  Richard W.M. Jones, 2011-04-01; 1 file changed, 2 insertions(+), 1 deletion(-)

  This is just code motion.
* Rename $tmpdir/sock to $tmpdir/guestfsd.sock.
  Richard W.M. Jones, 2011-03-25; 1 file changed, 5 insertions(+), 5 deletions(-)

  No functional change; this simply makes the purpose of the socket clearer.

  Notes:
    Labels: cleanup
* New event API (RHBZ#664558).
  Richard W.M. Jones, 2011-03-15; 1 file changed, 24 insertions(+), 14 deletions(-)

  This API allows more than one callback to be registered for each event, makes it possible to call the API from other languages, and allows [nearly all] log, debug and trace messages to be rerouted from stderr.

  An older version of this API was discussed on the mailing list here:
  https://www.redhat.com/archives/libguestfs/2010-December/msg00081.html
  https://www.redhat.com/archives/libguestfs/2011-January/msg00012.html

  This also updates guestfish to use the new API for its progress bars.
* check the pid is > 0 before calling waitpid()
  Angus Salkeld, 2011-03-14; 1 file changed, 1 insertion(+), 1 deletion(-)

  Signed-off-by: Angus Salkeld <asalkeld@redhat.com>
* lib: Implement attach-method unix:<path>
  Richard W.M. Jones, 2011-02-03; 1 file changed, 84 insertions(+), 1 deletion(-)

  Allow connections to a Unix domain socket which is connected (via virtio-serial) to a guestfsd running free in an existing guest.

  In order to use this you have to add the following element to the libvirt XML:

    <channel type='unix'>
      <source mode='bind' path='/tmp/socket'/>
      <target type='virtio' name='org.libguestfs.channel.0'/>
    </channel>

  (or perform the equivalent on the qemu command line).

  Then in guestfish, you can do:

    guestfish \
      attach-method unix:/tmp/socket : \
      run : \
      ll /

  (or any other commands as desired).
* lib: Move appliance launching to separate function.
  Richard W.M. Jones, 2011-02-03; 1 file changed, 24 insertions(+), 14 deletions(-)

  This is just code motion.
* Use /var/tmp for the cached appliance (for FHS compliance).
  Richard W.M. Jones, 2011-01-19; 1 file changed, 18 insertions(+), 0 deletions(-)

  The FHS advises large files not to be stored in the root filesystem[1], and that /var/tmp is persistent across reboots[2] (whereas /tmp is possibly not[3]). Therefore we should store the large cached supermin appliance in /var/tmp instead of /tmp.

  /tmp is still used for all other temporary files and directories.

  In either case you can override this by setting $TMPDIR.

  [1] http://www.pathname.com/fhs/pub/fhs-2.3.html#THEROOTFILESYSTEM
  [2] http://www.pathname.com/fhs/pub/fhs-2.3.html#VARTMPTEMPORARYFILESPRESERVEDBETWEE
  [3] http://www.pathname.com/fhs/pub/fhs-2.3.html#TMPTEMPORARYFILES
* Remove several unused local variables.
  Richard W.M. Jones, 2010-12-10; 1 file changed, 0 insertions(+), 1 deletion(-)

  (Revealed by compiling under Debian where this is a warning).
* New API: debug-cmdline for printing QEMU command line (internal only).
  Richard W.M. Jones, 2010-11-10; 1 file changed, 24 insertions(+), 0 deletions(-)

  This is an internal-only debugging API so may be changed or removed at any time in the future.
* Add internal facility to checkpoint and roll back the command line.
  Richard Jones, 2010-11-10; 1 file changed, 20 insertions(+), 0 deletions(-)

  This internal interface can be used to ensure that certain operations are atomic.
* New internal function guestfs___print_timestamped_argv
  Matthew Booth, 2010-10-28; 1 file changed, 24 insertions(+), 24 deletions(-)

  This function generalises the existing print_cmdline used to output the qemu command line to output any given command line, and exports it to other modules.

  It also adds a timestamp to the old print_cmdline output for consistency with guestfs___print_timestamped_message.
* Fix networking in the appliance.
  Matthew Booth, 2010-10-27; 1 file changed, 1 insertion(+), 1 deletion(-)

  Commit 4963be85 re-introduced networking to the appliance, but didn't configure the custom network the appliance expects since we switched to link local addressing. This patch configures QEMU to use the custom network again.

  Note that you still need to use guestfs_set_network (g, 1) to enable user networking.
* generator: Optional arguments, add-drive-opts (RHBZ#642934,CVE-2010-3851).
  Richard W.M. Jones, 2010-10-22; 1 file changed, 119 insertions(+), 39 deletions(-)

  This large commit changes the generator so that optional arguments can be supported for functions.

  The model for arguments (known as the "style") is changed from (ret, args) to (ret, args, optargs) where optargs is a more limited list of arguments.

  One function has been added which takes optional arguments, it is "add-drive-opts", modelled as:

    (RErr,
     [String "filename"],                            #required
     [Bool "readonly"; String "format"; String "iface"]) #optional

  Note that this function is processed in the library (does not go over the RPC protocol to the daemon). This has allowed us to simplify the current implementation by omitting changes related to RPC or the daemon, although we plan to add these at some point in the future.

  From C this function can be called in 3 different ways as in these examples:

    guestfs_add_drive_opts (g, filename,
                            GUESTFS_ADD_DRIVE_OPTS_READONLY, 1,
                            GUESTFS_ADD_DRIVE_OPTS_FORMAT, "raw",
                            -1);

  (the argument(s) between 'filename' and '-1' are the optional ones).

    guestfs_add_drive_opts_va (g, filename, args);

  where 'args' is a va_list. This works like the first version.

    struct guestfs_add_drive_opts_argv optargs = {
      .bitmask = GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK,
      .readonly = 1,
    }
    guestfs_add_drive_opts_argv (g, filename, &optargs);

  This last form lets you construct lists of optional arguments, and is used by guestfish and the language bindings.

  In guestfish optional arguments are used like this:

    add-drive-opts filename readonly:true

  In OCaml these are mapped naturally to OCaml optional arguments, eg:

    g#add_drive_opts ~readonly:true filename;

  In Perl these are mapped to extra arguments, eg:

    $g->add_drive_opts ($filename, readonly => 1);

  In Python these are mapped to optional arguments, eg:

    g.add_drive_opts ("file", readonly = 1, format = "qcow2")

  In Ruby these are mapped to a final hash argument, eg:

    g.add_drive_opts("file", {})
    g.add_drive_opts("file", :readonly => 1)
    g.add_drive_opts("file", :readonly => 1, :iface => "virtio")

  In PHP these are mapped to extra parameters. This is not quite accurate since you cannot omit arbitrary optional parameters, but there's not much that can be done within the limitations of PHP as a language.

  Unimplemented in: Haskell, C#, Java.
* Allow $TMPDIR to override most temporary directory uses.
  Richard W.M. Jones, 2010-09-24; 1 file changed, 5 insertions(+), 5 deletions(-)

  Be more consistent in allowing the user to override use of the temporary directory by specifying $TMPDIR.

  Also prefer P_tmpdir macro (defined in <stdio.h>) if that is defined, rather than hard-coding "/tmp" for the fallback location.
* leak: Appliance name was leaked during guestfs_launch.
  Richard W.M. Jones, 2010-09-21; 1 file changed, 2 insertions(+), 0 deletions(-)

  This frees the string containing the name of the appliance which was previously being leaked during launch.

  (Found by valgrind).
* syntax: Remove unused ignore-value.h header.
  Richard Jones, 2010-09-10; 1 file changed, 0 insertions(+), 1 deletion(-)
* syntax: Remove unused c-ctype.h header.
  Richard Jones, 2010-09-10; 1 file changed, 0 insertions(+), 1 deletion(-)
* syntax: Use spaces instead of tabs for indentation.
  Richard Jones, 2010-09-10; 1 file changed, 1 insertion(+), 1 deletion(-)
* Add -nodefconfig command line option to qemu.
  Daniel Berrange, 2010-08-24; 1 file changed, 3 insertions(+), 0 deletions(-)

  Without this option, qemu will read some defaults from /etc/qemu/ configuration files.
* New APIs: set-network and get-network to enable network support.
  Richard Jones, 2010-08-24; 1 file changed, 8 insertions(+), 0 deletions(-)

  guestfs_set_network (g, true) enables network support in the appliance.
* Use virtio-serial, remove other vmchannel methods.
  Richard Jones, 2010-08-24; 1 file changed, 56 insertions(+), 267 deletions(-)

  This adds support for virtio-serial, and removes all other vmchannel methods. Virtio-serial is faster than other methods, and is now widely available.

  I tested this by using the guestfs_upload API on an 83 MB file:

    before: 6.12 seconds (14.1 MB/sec)
    after:  4.20 seconds (20.6 MB/sec)

  (note this is with the current 8K chunk size)
* Change to using ext2-based, cached supermin appliance.
  Richard Jones, 2010-08-23; 1 file changed, 26 insertions(+), 184 deletions(-)

  This changes the method used to build the supermin appliance to use the new ext2-based appliance supported by latest febootstrap.

  The appliance can also be cached, so we avoid rebuilding it each time it is used.

  Mailing list discussion goes into the rationale and details:
  https://www.redhat.com/archives/libguestfs/2010-August/msg00028.html

  Requires febootstrap >= 2.8.
* Make print_timestamped_message into a cross-module function.
  Richard Jones, 2010-08-23; 1 file changed, 5 insertions(+), 6 deletions(-)

  This is just code movement.
* Factor out code for locating the temporary directory.
  Richard Jones, 2010-08-23; 1 file changed, 21 insertions(+), 11 deletions(-)

  This is just code movement.
* Rename internal functions.
  Richard Jones, 2010-07-28; 1 file changed, 2 insertions(+), 2 deletions(-)

  This is an update to commit 41f25ab3df5f306ac717fa7a6efd58328d30c1ae.

  Internal functions should be named guestfs___* (3 underscores) to avoid clashing with the implementation of actions (2 underscores).
* Rearrange library code into separate files.
  Richard Jones, 2010-07-27; 1 file changed, 1250 insertions(+), 0 deletions(-)

  We split the library code into these separate files:

  - guestfs.c: creating handles, closing handles, handle-related variables
  - actions.c: generated library-side stubs for each action
  - bindtests.c: generated code to test bindings
  - launch.c: launching the appliance
  - proto.c: the library side of the daemon communications protocol

  This is just code movement.