| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
This function does 'rm -rf <dir>' for temporary directories, safely
working if '<dir>' contains shell meta-characters.
Replace existing code for removing directories with this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(CVE-2011-4127, RHBZ#757071)
CVE-2011-4127 is a serious qemu & kernel privilege escalation bug
found by Paolo Bonzini.
http://seclists.org/oss-sec/2011/q4/536
An untrusted guest kernel is able to issue special SG_IO ioctls on
virtio devices which qemu passes through to the host kernel without
filtering or sanitizing. These ioctls allow raw sectors from the
underlying host device to be read and written. Significantly, neither
qemu nor the host kernel checks that the range of sectors is within
the partition / LV assigned to the guest. For example, if the guest
is assigned host partition /dev/sda3, it would be able to read or
write any part of /dev/sda including other partitions and the boot
sector. Exploits through LVs passed to the guest are also possible,
with some limitations. File-backed virtual block devices are not
vulnerable. Non-virtio block devices are not vulnerable.
This patch mitigates the problem by disabling the SG_IO ioctl
passthrough in qemu. Thus if libguestfs is examining an untrusted
guest and the libguestfs appliance/daemon is compromised (eg. by
executing guest commands, or through some other compromise), then the
compromised appliance will not be able to issue the above SG_IO ioctls
and exploit the host.
Note that this is just mitigation for libguestfs. Users will still
want to fully update their host kernel, qemu/KVM and libvirt, in order
to prevent other (non-libguestfs) routes to compromise.
The following versions of libguestfs (will/have) this patch applied.
libguestfs >= 1.15.13
libguestfs >= 1.14.8
libguestfs >= 1.12.11
libguestfs >= 1.10.12
libguestfs >= 1.8.16
Earlier versions may be vulnerable unless a downstream packager has
applied this patch.
Cc: Hilko Bengen <bengen@hilluzination.de>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A NEW API blkid.
It can print the device attributes.
Use it after list-devices, we can list ower devices and the attributes
of each device.
Use it like:
blkid <device>
It's should be a usefull function.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes inspection when fstab contains devices md devices
specified as /dev/mdN. The appliance creates these devices without reference to
the guest's mdadm.conf so, for e.g. /dev/md0 in the guest will often be created
as /dev/md127 in the appliance. With this patch, we match the uuids of detected
md devices against uuids specified in mdadm.conf, and map them appropriately
when we encounter them in fstab.
|
| |
|
|
|
|
|
|
| |
documentation
Since some modules (`getopt', for example) may copy files
into the build directory, `top_builddir/lib' is needed as well as
`top_srcdir/lib'. -- GNU Gnulib manual, section 2.2 Initial import
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Select non-comment labels using an augeas path to return the correct
nodes in the first instance, rather than applying a regular expression
to all results.
There is no functional change to the code.
RWMJ:
- Rebased to current HEAD.
- Move variable decls to top of function.
- Some whitespace changes.
- Remove check for errors from snprintf since it can never happen.
|
| | |
|
| | |
|
| |
|
|
|
| |
These tests are optional, and require a special environment and
tools to run.
|
| |
|
|
|
| |
If you enabled debugging (eg. LIBGUESTFS_DEBUG=1) then every
debug message printed would be leaked.
|
| |
|
|
|
|
|
|
| |
This API is used to stop a md device.
When we want to move a device to another md array, we should
stop the md device which contained this device first.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
| |
This change is in support of the addition of MD support to fstab inspection.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This contains suggested manual tests that users can run.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Return a list of Linux MD devices detected in the guest.
This API complements list_devices, list_partitions, list_lvs and
list_dm_devices.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we bound the 'tune2fs -l' command so that we could list out
the tunables of an ext2/3/4 filesystem. Also commands like
set_e2label and set_e2uuid used tune2fs.
This commit binds many of the tunables that can be set using tune2fs.
The coverage is not complete, but we can add more later because this
uses optional parameters so the call is extensible without breaking
ABI. The current change gives us enough for using libguestfs within
OpenStack.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This optional argument controls how <readonly/> disks in
the libvirt XML are handled. It can be set to one of:
"write" (default) - add them R/W
"read" - add them R/O
"error" - throw an error if asked to add them R/W
"ignore" - ignore these disks
I have added limited regression tests for this feature. However
libvirt's test:/// XML does not allow you to specify that a domain
starts off shut down, so we cannot fully test this. Instead I tested
it by hand.
|
| |
|
|
|
|
| |
This changes the private function guestfs___for_each_disk so that the
<readonly/> flag on libvirt disks is detected and passed through to
the callback function.
|
| |
|
|
|
|
|
|
|
|
|
| |
The four new APIs:
guestfs_copy_device_to_device,
guestfs_copy_device_to_file,
guestfs_copy_file_to_device, and
guestfs_copy_file_to_file
let you copy from a source to a destination, between files and
devices, optionally allowing source and destination offsets and size
to be specified.
|
| |
|
|
|
|
| |
This converts a partition device name (eg. /dev/sda1) to a partition
number (eg. 1). This is useful in conjunction with the parted APIs
that mostly take a disk device + partnum.
|
| |
|
|
|
|
|
| |
Also add this option, if necessary, when testing for virtio-serial
support.
When the workaround is enabled, we specify machine type 'pc'.
|
| | |
|
| |
|
|
| |
This is just code refactoring.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible for the pcre library to return a variable number of captures for
a single regular expression. e.g.:
^/dev/(cciss/c\d+d\d+)(?:p(\d+))?$
This will return either 1 or 2 captures depending on whether the device has a
partition suffix. The current match wrappers don't allow for this, and require
that a predictable number of matches are returned.
This change updates match, match1, match2, and match3 to ignore the specific
number of matches returned. Instead, any returned captures are assigned to the
given arguments, and any remaining arguments are set to NULL.
|
| |
|
|
|
|
|
|
|
|
|
| |
We currently use a heuristic to guess how drive names we find
referenced in the guest map to drive names in the appliance. If this
heuristic fails it can cause inspection to fail.
This change adds a new 'name' option to add_drive_opts, which allows
the user to explicitly pass the name of a drive to libguestfs if it is
known. This change also updates the fstab-parsing inspection code to
use this information if it is available.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a NFC on its own, but provides a place-holder for drive metadata which
can be used after launch.
Fixes by RWMJ:
- Fix the tests: this requires a new internal function 'debug-drives'
that dumps out the g->drives information so it can be checked in
two of the tests. Previously these tests used 'debug-cmdline'.
- Test file existence / use_cache_off in the add_drive_opts function,
not when launching qemu in the child process.
- Call free along error paths.
- Add comments.
|
| |
|
|
|
| |
The regular expression matching disk name assumed that there was only a single
letter suffix. This change handles a naming scheme for any number of disks.
|
| | |
|
| | |
|
