author | Laurent Léonard <laurent@open-minds.org> | 2010-11-14 00:11:17 +0100 |
---|---|---|
committer | Laurent Léonard <laurent@open-minds.org> | 2010-11-14 00:11:17 +0100 |
commit | 802e65869571c43bff4dd6431f8f6d6811e0d5e9 (patch) | |
tree | 55c6c548b24cc5ea3758e3702cbfca7ae75dff3a /daemon | |
parent | 49a581bba85a74041977c0222b3b54ca840c63df (diff) |
Imported Upstream version 0.8.5
Diffstat (limited to 'daemon')
-rw-r--r-- | daemon/Makefile.am | 30 | ||||
-rw-r--r-- | daemon/Makefile.in | 170 | ||||
-rw-r--r-- | daemon/libvirtd.aug | 4 | ||||
-rw-r--r-- | daemon/libvirtd.c | 268 | ||||
-rw-r--r-- | daemon/libvirtd.conf | 19 | ||||
-rw-r--r-- | daemon/libvirtd.h | 28 | ||||
-rw-r--r-- | daemon/libvirtd.stp | 65 | ||||
-rw-r--r-- | daemon/probes.d | 12 | ||||
-rw-r--r-- | daemon/remote.c | 434 | ||||
-rw-r--r-- | daemon/remote_dispatch_args.h | 4 | ||||
-rw-r--r-- | daemon/remote_dispatch_prototypes.h | 32 | ||||
-rw-r--r-- | daemon/remote_dispatch_ret.h | 2 | ||||
-rw-r--r-- | daemon/remote_dispatch_table.h | 20 | ||||
-rw-r--r-- | daemon/test_libvirtd.aug | 6 |
14 files changed, 837 insertions, 257 deletions
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index b020b7708..88082269b 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -1,5 +1,7 @@
 ## Process this file with automake to produce Makefile.in
 
+CLEANFILES =
+
 DAEMON_SOURCES = \
 event.c event.h \
 libvirtd.c libvirtd.h \
@@ -36,6 +38,7 @@ EXTRA_DIST = \
 test_libvirtd.aug \
 THREADING.txt \
 libvirtd.pod.in \
+ libvirtd.stp \
 $(AVAHI_SOURCES) \
 $(DAEMON_SOURCES)
 
@@ -99,11 +102,9 @@ libvirtd_LDADD = \
 $(SASL_LIBS) \
 $(POLKIT_LIBS)
 
-libvirtd_LDADD += ../src/libvirt_util.la ../src/libvirt-qemu.la
+libvirtd_LDADD += ../src/libvirt-qemu.la
 
-if WITH_DRIVER_MODULES
- libvirtd_LDADD += ../src/libvirt_driver.la
-else
+if ! WITH_DRIVER_MODULES
 if WITH_QEMU
 libvirtd_LDADD += ../src/libvirt_driver_qemu.la
 endif
@@ -163,6 +164,25 @@ libvirtd_CFLAGS += $(AVAHI_CFLAGS)
 libvirtd_LDADD += $(AVAHI_LIBS)
 endif
 
+EXTRA_DIST += probes.d libvirtd.stp
+
+if WITH_DTRACE
+libvirtd_LDADD += probes.o
+nodist_libvirtd_SOURCES = probes.h
+
+BUILT_SOURCES += probes.h
+
+tapsetdir = $(datadir)/systemtap/tapsets
+tapset_DATA = libvirtd.stp
+
+probes.h: probes.d
+ $(AM_V_GEN)$(DTRACE) -o $@ -h -s $<
+
+probes.o: probes.d
+ $(AM_V_GEN)$(DTRACE) -o $@ -G -s $<
+
+CLEANFILES += probes.h probes.o
+endif
 
 install-data-local: install-init install-data-sasl install-data-polkit \
 install-logrotate
@@ -319,5 +339,5 @@ uninstall-data-sasl:
 endif
 
 
-CLEANFILES = $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
+CLEANFILES += $(BUILT_SOURCES) $(man_MANS) libvirtd.pod
 CLEANFILES += *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno *.gcda
diff --git a/daemon/Makefile.in b/daemon/Makefile.in
index ac74bd0d6..000a1f866 100644
--- a/daemon/Makefile.in
+++ b/daemon/Makefile.in
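Review bot: `libvirtd.stp` is now listed in EXTRA_DIST twice — added to the main list in the @@ -36 hunk and again by `EXTRA_DIST += probes.d libvirtd.stp` in the @@ -163 hunk below; the generated Makefile.in shows both (`libvirtd.pod.in libvirtd.stp \` and `$(am__append_14)`). Duplicates are harmless to `make dist`, so this is tidiness: drop the `+ libvirtd.stp \` from the main list and let the later line, which sits next to the dtrace rules that consume the file, own both probe artefacts. That later `EXTRA_DIST +=` is correctly placed outside `if WITH_DTRACE`, so tarballs built without dtrace still ship the sources; a one-line comment above it, `# always ship the probe definitions, even when dtrace is off`, would record that intent for the next person who is tempted to move it inside the conditional.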
@@ -36,22 +36,25 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @WITH_LIBVIRTD_TRUE@sbin_PROGRAMS = libvirtd$(EXEEXT) -@WITH_DRIVER_MODULES_TRUE@@WITH_LIBVIRTD_TRUE@am__append_1 = ../src/libvirt_driver.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_QEMU_TRUE@am__append_2 = ../src/libvirt_driver_qemu.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_LXC_TRUE@am__append_3 = ../src/libvirt_driver_lxc.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_UML_TRUE@am__append_4 = ../src/libvirt_driver_uml.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_ONE_TRUE@am__append_5 = ../src/libvirt_driver_one.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_STORAGE_DIR_TRUE@am__append_6 = ../src/libvirt_driver_storage.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NETWORK_TRUE@am__append_7 = ../src/libvirt_driver_network.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NETCF_TRUE@am__append_8 = ../src/libvirt_driver_interface.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NODE_DEVICES_TRUE@am__append_9 = ../src/libvirt_driver_nodedev.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_SECRETS_TRUE@am__append_10 = ../src/libvirt_driver_secret.la -@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NWFILTER_TRUE@am__append_11 = ../src/libvirt_driver_nwfilter.la -@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_12 = $(AVAHI_SOURCES) -@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_13 = $(AVAHI_CFLAGS) -@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_14 = $(AVAHI_LIBS) -@WITH_LIBVIRTD_TRUE@am__append_15 = $(LOGROTATE_CONFS) -@LIBVIRT_INIT_SCRIPT_RED_HAT_TRUE@@WITH_LIBVIRTD_TRUE@am__append_16 = libvirtd.init +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_QEMU_TRUE@am__append_1 = ../src/libvirt_driver_qemu.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_LXC_TRUE@am__append_2 = ../src/libvirt_driver_lxc.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_UML_TRUE@am__append_3 
= ../src/libvirt_driver_uml.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_ONE_TRUE@am__append_4 = ../src/libvirt_driver_one.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_STORAGE_DIR_TRUE@am__append_5 = ../src/libvirt_driver_storage.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NETWORK_TRUE@am__append_6 = ../src/libvirt_driver_network.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NETCF_TRUE@am__append_7 = ../src/libvirt_driver_interface.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NODE_DEVICES_TRUE@am__append_8 = ../src/libvirt_driver_nodedev.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_SECRETS_TRUE@am__append_9 = ../src/libvirt_driver_secret.la +@WITH_DRIVER_MODULES_FALSE@@WITH_LIBVIRTD_TRUE@@WITH_NWFILTER_TRUE@am__append_10 = ../src/libvirt_driver_nwfilter.la +@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_11 = $(AVAHI_SOURCES) +@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_12 = $(AVAHI_CFLAGS) +@HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__append_13 = $(AVAHI_LIBS) +@WITH_LIBVIRTD_TRUE@am__append_14 = probes.d libvirtd.stp +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@am__append_15 = probes.o +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@am__append_16 = probes.h +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@am__append_17 = probes.h probes.o +@WITH_LIBVIRTD_TRUE@am__append_18 = $(LOGROTATE_CONFS) +@LIBVIRT_INIT_SCRIPT_RED_HAT_TRUE@@WITH_LIBVIRTD_TRUE@am__append_19 = libvirtd.init subdir = daemon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -79,6 +82,7 @@ am__aclocal_m4_deps = $(top_srcdir)/gnulib/m4/00gnulib.m4 \ $(top_srcdir)/gnulib/m4/getdelim.m4 \ $(top_srcdir)/gnulib/m4/gethostname.m4 \ $(top_srcdir)/gnulib/m4/getline.m4 \ + $(top_srcdir)/gnulib/m4/getpagesize.m4 \ $(top_srcdir)/gnulib/m4/getpass.m4 \ $(top_srcdir)/gnulib/m4/gettimeofday.m4 \ $(top_srcdir)/gnulib/m4/gnulib-common.m4 \ 
@@ -108,6 +112,7 @@ am__aclocal_m4_deps = $(top_srcdir)/gnulib/m4/00gnulib.m4 \ $(top_srcdir)/gnulib/m4/perror.m4 \ $(top_srcdir)/gnulib/m4/physmem.m4 \ $(top_srcdir)/gnulib/m4/po.m4 $(top_srcdir)/gnulib/m4/poll.m4 \ + $(top_srcdir)/gnulib/m4/poll_h.m4 \ $(top_srcdir)/gnulib/m4/posix-shell.m4 \ $(top_srcdir)/gnulib/m4/printf.m4 \ $(top_srcdir)/gnulib/m4/pthread.m4 \ @@ -120,6 +125,7 @@ am__aclocal_m4_deps = $(top_srcdir)/gnulib/m4/00gnulib.m4 \ $(top_srcdir)/gnulib/m4/servent.m4 \ $(top_srcdir)/gnulib/m4/sleep.m4 \ $(top_srcdir)/gnulib/m4/snprintf.m4 \ + $(top_srcdir)/gnulib/m4/socketlib.m4 \ $(top_srcdir)/gnulib/m4/sockets.m4 \ $(top_srcdir)/gnulib/m4/socklen.m4 \ $(top_srcdir)/gnulib/m4/sockpfaf.m4 \ @@ -152,6 +158,7 @@ am__aclocal_m4_deps = $(top_srcdir)/gnulib/m4/00gnulib.m4 \ $(top_srcdir)/gnulib/m4/sys_utsname_h.m4 \ $(top_srcdir)/gnulib/m4/sys_wait_h.m4 \ $(top_srcdir)/gnulib/m4/tempname.m4 \ + $(top_srcdir)/gnulib/m4/termios_h.m4 \ $(top_srcdir)/gnulib/m4/time_h.m4 \ $(top_srcdir)/gnulib/m4/time_r.m4 \ $(top_srcdir)/gnulib/m4/timegm.m4 \ @@ -182,7 +189,7 @@ CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" \ "$(DESTDIR)$(augeasdir)" "$(DESTDIR)$(augeastestsdir)" \ - "$(DESTDIR)$(confdir)" + "$(DESTDIR)$(confdir)" "$(DESTDIR)$(tapsetdir)" PROGRAMS = $(sbin_PROGRAMS) am__libvirtd_SOURCES_DIST = event.c event.h libvirtd.c libvirtd.h \ remote.c remote.h dispatch.c dispatch.h stream.c stream.h \ @@ -200,7 +207,8 @@ am__objects_2 = libvirtd-mdns.$(OBJEXT) @HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__objects_3 = $(am__objects_2) @WITH_LIBVIRTD_TRUE@am_libvirtd_OBJECTS = $(am__objects_1) \ @WITH_LIBVIRTD_TRUE@ $(am__objects_3) -libvirtd_OBJECTS = $(am_libvirtd_OBJECTS) +nodist_libvirtd_OBJECTS = +libvirtd_OBJECTS = $(am_libvirtd_OBJECTS) $(nodist_libvirtd_OBJECTS) am__DEPENDENCIES_1 = @HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@am__DEPENDENCIES_2 = \ @HAVE_AVAHI_TRUE@@WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_1) 
@@ -208,14 +216,13 @@ am__DEPENDENCIES_1 = @WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_1) \ @WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_1) \ @WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_1) \ -@WITH_LIBVIRTD_TRUE@ ../src/libvirt_util.la \ @WITH_LIBVIRTD_TRUE@ ../src/libvirt-qemu.la $(am__append_1) \ @WITH_LIBVIRTD_TRUE@ $(am__append_2) $(am__append_3) \ @WITH_LIBVIRTD_TRUE@ $(am__append_4) $(am__append_5) \ @WITH_LIBVIRTD_TRUE@ $(am__append_6) $(am__append_7) \ @WITH_LIBVIRTD_TRUE@ $(am__append_8) $(am__append_9) \ -@WITH_LIBVIRTD_TRUE@ $(am__append_10) $(am__append_11) \ -@WITH_LIBVIRTD_TRUE@ ../src/libvirt.la $(am__DEPENDENCIES_2) \ +@WITH_LIBVIRTD_TRUE@ $(am__append_10) ../src/libvirt.la \ +@WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_2) $(am__append_15) \ @WITH_LIBVIRTD_TRUE@ ../gnulib/lib/libgnu.la \ @WITH_LIBVIRTD_TRUE@ $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_$(V)) @@ -250,7 +257,7 @@ am__v_CCLD_0 = @echo " CCLD " $@; AM_V_GEN = $(am__v_GEN_$(V)) am__v_GEN_ = $(am__v_GEN_$(AM_DEFAULT_VERBOSITY)) am__v_GEN_0 = @echo " GEN " $@; -SOURCES = $(libvirtd_SOURCES) +SOURCES = $(libvirtd_SOURCES) $(nodist_libvirtd_SOURCES) DIST_SOURCES = $(am__libvirtd_SOURCES_DIST) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ @@ -276,7 +283,7 @@ am__base_list = \ man8dir = $(mandir)/man8 NROFF = nroff MANS = $(man_MANS) -DATA = $(augeas_DATA) $(augeastests_DATA) $(conf_DATA) +DATA = $(augeas_DATA) $(augeastests_DATA) $(conf_DATA) $(tapset_DATA) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -291,6 +298,8 @@ APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@ AR = @AR@ AS = @AS@ ASM_SYMBOL_PREFIX = @ASM_SYMBOL_PREFIX@ +AUDIT_CFLAGS = @AUDIT_CFLAGS@ +AUDIT_LIBS = @AUDIT_LIBS@ AUGPARSE = @AUGPARSE@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ 
@@ -328,6 +337,7 @@ DNSMASQ = @DNSMASQ@ DRIVER_MODULE_CFLAGS = @DRIVER_MODULE_CFLAGS@ DRIVER_MODULE_LIBS = @DRIVER_MODULE_LIBS@ DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ DUMPBIN = @DUMPBIN@ EBTABLES_PATH = @EBTABLES_PATH@ ECHO_C = @ECHO_C@ @@ -456,6 +466,7 @@ GNULIB_OPEN = @GNULIB_OPEN@ GNULIB_OPENAT = @GNULIB_OPENAT@ GNULIB_PERROR = @GNULIB_PERROR@ GNULIB_PIPE2 = @GNULIB_PIPE2@ +GNULIB_POLL = @GNULIB_POLL@ GNULIB_POPEN = @GNULIB_POPEN@ GNULIB_PREAD = @GNULIB_PREAD@ GNULIB_PRINTF = @GNULIB_PRINTF@ @@ -512,6 +523,8 @@ GNULIB_STRTOULL = @GNULIB_STRTOULL@ GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@ GNULIB_SYMLINK = @GNULIB_SYMLINK@ GNULIB_SYMLINKAT = @GNULIB_SYMLINKAT@ +GNULIB_SYSTEM_POSIX = @GNULIB_SYSTEM_POSIX@ +GNULIB_TCGETSID = @GNULIB_TCGETSID@ GNULIB_TIMEGM = @GNULIB_TIMEGM@ GNULIB_TIME_R = @GNULIB_TIME_R@ GNULIB_TMPFILE = @GNULIB_TMPFILE@ @@ -533,6 +546,7 @@ GNULIB_VPRINTF = @GNULIB_VPRINTF@ GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@ GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@ GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@ +GNULIB_WAITPID = @GNULIB_WAITPID@ GNULIB_WCRTOMB = @GNULIB_WCRTOMB@ GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@ GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@ @@ -634,7 +648,12 @@ HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@ HAVE_OPENAT = @HAVE_OPENAT@ HAVE_OS_H = @HAVE_OS_H@ HAVE_PIPE2 = @HAVE_PIPE2@ +HAVE_POLL = @HAVE_POLL@ +HAVE_POLL_H = @HAVE_POLL_H@ HAVE_PREAD = @HAVE_PREAD@ +HAVE_PTHREAD_H = @HAVE_PTHREAD_H@ +HAVE_PTHREAD_SPINLOCK_T = @HAVE_PTHREAD_SPINLOCK_T@ +HAVE_PTHREAD_T = @HAVE_PTHREAD_T@ HAVE_PTSNAME = @HAVE_PTSNAME@ HAVE_PWRITE = @HAVE_PWRITE@ HAVE_RANDOM_H = @HAVE_RANDOM_H@ @@ -683,6 +702,8 @@ HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@ HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@ HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@ HAVE_SYS_UTSNAME_H = @HAVE_SYS_UTSNAME_H@ +HAVE_TCGETSID = @HAVE_TCGETSID@ +HAVE_TERMIOS_H = @HAVE_TERMIOS_H@ HAVE_TIMEGM = @HAVE_TIMEGM@ HAVE_TTYNAME_R = @HAVE_TTYNAME_R@ HAVE_UNAME = @HAVE_UNAME@ 
@@ -770,7 +791,6 @@ MODPROBE = @MODPROBE@ MOUNT = @MOUNT@ MSGFMT = @MSGFMT@ MSGMERGE = @MSGMERGE@ -MV = @MV@ NETCF_CFLAGS = @NETCF_CFLAGS@ NETCF_LIBS = @NETCF_LIBS@ NETINET_IN_H = @NETINET_IN_H@ @@ -781,6 +801,8 @@ NEXT_AS_FIRST_DIRECTIVE_FCNTL_H = @NEXT_AS_FIRST_DIRECTIVE_FCNTL_H@ NEXT_AS_FIRST_DIRECTIVE_FLOAT_H = @NEXT_AS_FIRST_DIRECTIVE_FLOAT_H@ NEXT_AS_FIRST_DIRECTIVE_NETDB_H = @NEXT_AS_FIRST_DIRECTIVE_NETDB_H@ NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H = @NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H@ +NEXT_AS_FIRST_DIRECTIVE_POLL_H = @NEXT_AS_FIRST_DIRECTIVE_POLL_H@ +NEXT_AS_FIRST_DIRECTIVE_PTHREAD_H = @NEXT_AS_FIRST_DIRECTIVE_PTHREAD_H@ NEXT_AS_FIRST_DIRECTIVE_SCHED_H = @NEXT_AS_FIRST_DIRECTIVE_SCHED_H@ NEXT_AS_FIRST_DIRECTIVE_STDDEF_H = @NEXT_AS_FIRST_DIRECTIVE_STDDEF_H@ NEXT_AS_FIRST_DIRECTIVE_STDINT_H = @NEXT_AS_FIRST_DIRECTIVE_STDINT_H@ @@ -795,6 +817,7 @@ NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H@ NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H@ NEXT_AS_FIRST_DIRECTIVE_SYS_UTSNAME_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_UTSNAME_H@ NEXT_AS_FIRST_DIRECTIVE_SYS_WAIT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_WAIT_H@ +NEXT_AS_FIRST_DIRECTIVE_TERMIOS_H = @NEXT_AS_FIRST_DIRECTIVE_TERMIOS_H@ NEXT_AS_FIRST_DIRECTIVE_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_TIME_H@ NEXT_AS_FIRST_DIRECTIVE_UNISTD_H = @NEXT_AS_FIRST_DIRECTIVE_UNISTD_H@ NEXT_AS_FIRST_DIRECTIVE_WCHAR_H = @NEXT_AS_FIRST_DIRECTIVE_WCHAR_H@ @@ -803,6 +826,8 @@ NEXT_FCNTL_H = @NEXT_FCNTL_H@ NEXT_FLOAT_H = @NEXT_FLOAT_H@ NEXT_NETDB_H = @NEXT_NETDB_H@ NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@ +NEXT_POLL_H = @NEXT_POLL_H@ +NEXT_PTHREAD_H = @NEXT_PTHREAD_H@ NEXT_SCHED_H = @NEXT_SCHED_H@ NEXT_STDDEF_H = @NEXT_STDDEF_H@ NEXT_STDINT_H = @NEXT_STDINT_H@ 
@@ -817,6 +842,7 @@ NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@ NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@ NEXT_SYS_UTSNAME_H = @NEXT_SYS_UTSNAME_H@ NEXT_SYS_WAIT_H = @NEXT_SYS_WAIT_H@ +NEXT_TERMIOS_H = @NEXT_TERMIOS_H@ NEXT_TIME_H = @NEXT_TIME_H@ NEXT_UNISTD_H = @NEXT_UNISTD_H@ NEXT_WCHAR_H = @NEXT_WCHAR_H@ @@ -833,6 +859,7 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PARTED = @PARTED@ PATH_SEPARATOR = @PATH_SEPARATOR@ @@ -843,9 +870,9 @@ PKG_CONFIG = @PKG_CONFIG@ POLKIT_AUTH = @POLKIT_AUTH@ POLKIT_CFLAGS = @POLKIT_CFLAGS@ POLKIT_LIBS = @POLKIT_LIBS@ -POLL_H = @POLL_H@ POSIX_SHELL = @POSIX_SHELL@ POSUB = @POSUB@ +PRAGMA_COLUMNS = @PRAGMA_COLUMNS@ PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@ PREFERABLY_POSIX_SHELL = @PREFERABLY_POSIX_SHELL@ PTHREAD_H = @PTHREAD_H@ @@ -919,6 +946,7 @@ REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@ REPLACE_OPEN = @REPLACE_OPEN@ REPLACE_OPENAT = @REPLACE_OPENAT@ REPLACE_PERROR = @REPLACE_PERROR@ +REPLACE_POLL = @REPLACE_POLL@ REPLACE_POPEN = @REPLACE_POPEN@ REPLACE_PREAD = @REPLACE_PREAD@ REPLACE_PRINTF = @REPLACE_PRINTF@ @@ -970,7 +998,6 @@ REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@ REPLACE_WCTOB = @REPLACE_WCTOB@ REPLACE_WCWIDTH = @REPLACE_WCWIDTH@ REPLACE_WRITE = @REPLACE_WRITE@ -RM = @RM@ RPCGEN = @RPCGEN@ SASL_CFLAGS = @SASL_CFLAGS@ SASL_LIBS = @SASL_LIBS@ @@ -992,7 +1019,6 @@ STRIP = @STRIP@ SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@ SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS = @SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ -TAR = @TAR@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ U = @U@ UDEVADM = @UDEVADM@ 
@@ -1026,6 +1052,7 @@ XMLCATALOG = @XMLCATALOG@ XMLLINT = @XMLLINT@ XMLRPC_CFLAGS = @XMLRPC_CFLAGS@ XMLRPC_LIBS = @XMLRPC_LIBS@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ XSLTPROC = @XSLTPROC@ YAJL_CFLAGS = @YAJL_CFLAGS@ YAJL_LIBS = @YAJL_LIBS@ @@ -1071,7 +1098,6 @@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -1091,6 +1117,9 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ +CLEANFILES = $(am__append_17) $(BUILT_SOURCES) $(man_MANS) \ + libvirtd.pod *.cov *.gcov .libs/*.gcda .libs/*.gcno *.gcno \ + *.gcda DAEMON_SOURCES = \ event.c event.h \ libvirtd.c libvirtd.h \ @@ -1112,25 +1141,13 @@ AVAHI_SOURCES = \ mdns.c mdns.h DISTCLEANFILES = -EXTRA_DIST = \ - remote_generate_stubs.pl \ - libvirtd.conf \ - libvirtd.init.in \ - libvirtd.policy-0 \ - libvirtd.policy-1 \ - libvirtd.sasl \ - libvirtd.sysconf \ - libvirtd.aug \ - libvirtd.qemu.logrotate.in \ - libvirtd.lxc.logrotate.in \ - libvirtd.uml.logrotate.in \ - test_libvirtd.aug \ - THREADING.txt \ - libvirtd.pod.in \ - $(AVAHI_SOURCES) \ - $(DAEMON_SOURCES) - -BUILT_SOURCES = $(am__append_15) $(am__append_16) +EXTRA_DIST = remote_generate_stubs.pl libvirtd.conf libvirtd.init.in \ + libvirtd.policy-0 libvirtd.policy-1 libvirtd.sasl \ + libvirtd.sysconf libvirtd.aug libvirtd.qemu.logrotate.in \ + libvirtd.lxc.logrotate.in libvirtd.uml.logrotate.in \ + test_libvirtd.aug THREADING.txt libvirtd.pod.in libvirtd.stp \ + $(AVAHI_SOURCES) $(DAEMON_SOURCES) $(am__append_14) +BUILT_SOURCES = $(am__append_16) $(am__append_18) $(am__append_19) @WITH_LIBVIRTD_TRUE@man_MANS = libvirtd.8 @WITH_LIBVIRTD_TRUE@confdir = $(sysconfdir)/libvirt/ @WITH_LIBVIRTD_TRUE@conf_DATA = libvirtd.conf 
@@ -1142,7 +1159,7 @@ BUILT_SOURCES = $(am__append_15) $(am__append_16) @WITH_LIBVIRTD_TRUE@ -r "$(PACKAGE)-$(VERSION)" -s 8 @WITH_LIBVIRTD_TRUE@libvirtd_SOURCES = $(DAEMON_SOURCES) \ -@WITH_LIBVIRTD_TRUE@ $(am__append_12) +@WITH_LIBVIRTD_TRUE@ $(am__append_11) #-D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_POSIX_C_SOURCE=199506L @WITH_LIBVIRTD_TRUE@libvirtd_CFLAGS = -I$(top_srcdir)/gnulib/lib \ @@ -1161,7 +1178,7 @@ BUILT_SOURCES = $(am__append_15) $(am__append_16) @WITH_LIBVIRTD_TRUE@ -DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\"" \ @WITH_LIBVIRTD_TRUE@ -DREMOTE_PID_FILE="\"$(REMOTE_PID_FILE)\"" \ @WITH_LIBVIRTD_TRUE@ -DGETTEXT_PACKAGE=\"$(PACKAGE)\" \ -@WITH_LIBVIRTD_TRUE@ $(am__append_13) +@WITH_LIBVIRTD_TRUE@ $(am__append_12) @WITH_LIBVIRTD_TRUE@libvirtd_LDFLAGS = \ @WITH_LIBVIRTD_TRUE@ $(WARN_CFLAGS) \ @WITH_LIBVIRTD_TRUE@ $(COVERAGE_LDFLAGS) 
@@ -1171,26 +1188,26 @@ BUILT_SOURCES = $(am__append_15) $(am__append_16) # are used by nearly every other library. @WITH_LIBVIRTD_TRUE@libvirtd_LDADD = $(LIBXML_LIBS) $(GNUTLS_LIBS) \ @WITH_LIBVIRTD_TRUE@ $(SASL_LIBS) $(POLKIT_LIBS) \ -@WITH_LIBVIRTD_TRUE@ ../src/libvirt_util.la \ @WITH_LIBVIRTD_TRUE@ ../src/libvirt-qemu.la $(am__append_1) \ @WITH_LIBVIRTD_TRUE@ $(am__append_2) $(am__append_3) \ @WITH_LIBVIRTD_TRUE@ $(am__append_4) $(am__append_5) \ @WITH_LIBVIRTD_TRUE@ $(am__append_6) $(am__append_7) \ @WITH_LIBVIRTD_TRUE@ $(am__append_8) $(am__append_9) \ -@WITH_LIBVIRTD_TRUE@ $(am__append_10) $(am__append_11) \ -@WITH_LIBVIRTD_TRUE@ ../src/libvirt.la $(am__append_14) \ +@WITH_LIBVIRTD_TRUE@ $(am__append_10) ../src/libvirt.la \ +@WITH_LIBVIRTD_TRUE@ $(am__append_13) $(am__append_15) \ @WITH_LIBVIRTD_TRUE@ ../gnulib/lib/libgnu.la $(LIBSOCKET) @HAVE_POLKIT0_FALSE@@HAVE_POLKIT_TRUE@@WITH_LIBVIRTD_TRUE@policydir = $(datadir)/polkit-1/actions @HAVE_POLKIT0_TRUE@@HAVE_POLKIT_TRUE@@WITH_LIBVIRTD_TRUE@policydir = $(datadir)/PolicyKit/policy @HAVE_POLKIT0_FALSE@@HAVE_POLKIT_TRUE@@WITH_LIBVIRTD_TRUE@policyfile = libvirtd.policy-1 @HAVE_POLKIT0_TRUE@@HAVE_POLKIT_TRUE@@WITH_LIBVIRTD_TRUE@policyfile = libvirtd.policy-0 +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@nodist_libvirtd_SOURCES = probes.h +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@tapsetdir = $(datadir)/systemtap/tapsets +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@tapset_DATA = libvirtd.stp @WITH_LIBVIRTD_TRUE@REMOTE_PROTOCOL = $(top_srcdir)/src/remote/remote_protocol.x @WITH_LIBVIRTD_TRUE@QEMU_PROTOCOL = $(top_srcdir)/src/remote/qemu_protocol.x @WITH_LIBVIRTD_TRUE@LOGROTATE_CONFS = libvirtd.qemu.logrotate libvirtd.lxc.logrotate \ @WITH_LIBVIRTD_TRUE@ libvirtd.uml.logrotate -CLEANFILES = $(BUILT_SOURCES) $(man_MANS) libvirtd.pod *.cov *.gcov \ - .libs/*.gcda .libs/*.gcno *.gcno *.gcda all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am 
@@ -1543,6 +1560,26 @@ uninstall-confDATA: test -n "$$files" || exit 0; \ echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(confdir)" && rm -f $$files +install-tapsetDATA: $(tapset_DATA) + @$(NORMAL_INSTALL) + test -z "$(tapsetdir)" || $(MKDIR_P) "$(DESTDIR)$(tapsetdir)" + @list='$(tapset_DATA)'; test -n "$(tapsetdir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(tapsetdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(tapsetdir)" || exit $$?; \ + done + +uninstall-tapsetDATA: + @$(NORMAL_UNINSTALL) + @list='$(tapset_DATA)'; test -n "$(tapsetdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(tapsetdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(tapsetdir)" && rm -f $$files ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -1647,7 +1684,7 @@ check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-am all-am: Makefile $(PROGRAMS) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(augeasdir)" "$(DESTDIR)$(augeastestsdir)" "$(DESTDIR)$(confdir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(augeasdir)" "$(DESTDIR)$(augeastestsdir)" "$(DESTDIR)$(confdir)" "$(DESTDIR)$(tapsetdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: $(BUILT_SOURCES) @@ -1703,7 +1740,8 @@ info: info-am info-am: install-data-am: install-augeasDATA install-augeastestsDATA \ - install-confDATA install-data-local install-man + install-confDATA install-data-local install-man \ + install-tapsetDATA install-dvi: install-dvi-am 
@@ -1751,7 +1789,7 @@ ps-am: uninstall-am: uninstall-augeasDATA uninstall-augeastestsDATA \ uninstall-confDATA uninstall-local uninstall-man \ - uninstall-sbinPROGRAMS + uninstall-sbinPROGRAMS uninstall-tapsetDATA uninstall-man: uninstall-man8 @@ -1767,13 +1805,13 @@ uninstall-man: uninstall-man8 install-exec-am install-html install-html-am install-info \ install-info-am install-man install-man8 install-pdf \ install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-augeasDATA uninstall-augeastestsDATA \ + install-strip install-tapsetDATA installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-augeasDATA uninstall-augeastestsDATA \ uninstall-confDATA uninstall-local uninstall-man \ - uninstall-man8 uninstall-sbinPROGRAMS + uninstall-man8 uninstall-sbinPROGRAMS uninstall-tapsetDATA @WITH_LIBVIRTD_TRUE@libvirtd.pod: libvirtd.pod.in @@ -1787,6 +1825,12 @@ uninstall-man: uninstall-man8 @WITH_LIBVIRTD_TRUE@libvirtd.8: libvirtd.pod @WITH_LIBVIRTD_TRUE@ $(AM_V_GEN)$(POD2MAN) $< $@ +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@probes.h: probes.d +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@ $(AM_V_GEN)$(DTRACE) -o $@ -h -s $< + +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@probes.o: probes.d +@WITH_DTRACE_TRUE@@WITH_LIBVIRTD_TRUE@ $(AM_V_GEN)$(DTRACE) -o $@ -G -s $< + @WITH_LIBVIRTD_TRUE@install-data-local: install-init install-data-sasl install-data-polkit \ @WITH_LIBVIRTD_TRUE@ install-logrotate @WITH_LIBVIRTD_TRUE@ mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug index 7406d238f..0e061425d 100644 --- a/daemon/libvirtd.aug 
+++ b/daemon/libvirtd.aug @@ -61,6 +61,9 @@ module Libvirtd = | str_entry "log_filters" | str_entry "log_outputs" + let auditing_entry = int_entry "audit_level" + | bool_entry "audit_logging" + (* Each enty in the config is one of the following three ... *) let entry = network_entry | sock_acl_entry @@ -69,6 +72,7 @@ module Libvirtd = | authorization_entry | processing_entry | logging_entry + | auditing_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 711360b63..d3f003ebb 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -64,6 +64,7 @@ #include "memory.h" #include "stream.h" #include "hooks.h" +#include "virtaudit.h" #ifdef HAVE_AVAHI # include "mdns.h" #endif @@ -187,6 +188,9 @@ static int max_requests = 20; /* Total number of 'in-process' RPC calls allowed by a single client*/ static int max_client_requests = 5; +static int audit_level = 1; +static int audit_logging = 0; + #define DH_BITS 1024 static sig_atomic_t sig_errors = 0; @@ -203,6 +207,7 @@ enum { VIR_DAEMON_ERR_NETWORK, VIR_DAEMON_ERR_CONFIG, VIR_DAEMON_ERR_HOOKS, + VIR_DAEMON_ERR_AUDIT, VIR_DAEMON_ERR_LAST }; @@ -217,7 +222,8 @@ VIR_ENUM_IMPL(virDaemonErr, VIR_DAEMON_ERR_LAST, "Unable to drop privileges", "Unable to initialize network sockets", "Unable to load configuration file", - "Unable to look for hook scripts") + "Unable to look for hook scripts", + "Unable to initialize audit system") static void sig_handler(int sig, siginfo_t * siginfo, void* context ATTRIBUTE_UNUSED) { @@ -535,7 +541,6 @@ static int qemudWritePidFile(const char *pidFile) { static int qemudListenUnix(struct qemud_server *server, char *path, int readonly, int auth) { struct qemud_socket *sock; - struct sockaddr_un addr; mode_t oldmask; gid_t oldgrp; char ebuf[1024]; 
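Review bot: The new `audit_level` and `audit_logging` statics in the @@ -187 hunk of libvirtd.c carry no comment, unlike the neighbouring `max_client_requests`, and their values are bare integers. Their meaning, and why the defaults turn the audit system on (`audit_level = 1`) but leave `audit_logging` off, is presumably spelled out in libvirtd.conf, which this commit also touches but which is not shown here; a comment such as `/* Audit subsystem: level (see libvirtd.conf) and whether audit records are also written to the libvirt log */` would keep the source self-explaining — confirm the wording against the conf file. The matching `VIR_DAEMON_ERR_AUDIT` enum member and its string are added in parallel in the @@ -203 and @@ -217 hunks, so that table stays in sync.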
@@ -546,10 +551,15 @@ static int qemudListenUnix(struct qemud_server *server,
 }
 
 sock->readonly = readonly;
- sock->port = -1;
 sock->type = QEMUD_SOCK_TYPE_UNIX;
 sock->auth = auth;
 sock->path = path;
+ sock->addr.len = sizeof(sock->addr.data.un);
+ if (!(sock->addrstr = strdup(path))) {
+ VIR_ERROR(_("Failed to copy socket address: %s"),
+ virStrerror(errno, ebuf, sizeof ebuf));
+ goto cleanup;
+ }
 
 if ((sock->fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
 VIR_ERROR(_("Failed to create socket: %s"),
@@ -561,14 +571,13 @@ static int qemudListenUnix(struct qemud_server *server,
 virSetNonBlock(sock->fd) < 0)
 goto cleanup;
 
- memset(&addr, 0, sizeof(addr));
- addr.sun_family = AF_UNIX;
- if (virStrcpyStatic(addr.sun_path, path) == NULL) {
+ sock->addr.data.un.sun_family = AF_UNIX;
+ if (virStrcpyStatic(sock->addr.data.un.sun_path, path) == NULL) {
 VIR_ERROR(_("Path %s too long for unix socket"), path);
 goto cleanup;
 }
- if (addr.sun_path[0] == '@')
- addr.sun_path[0] = '\0';
+ if (sock->addr.data.un.sun_path[0] == '@')
+ sock->addr.data.un.sun_path[0] = '\0';
 
 oldgrp = getgid();
 oldmask = umask(readonly ? ~unix_sock_ro_mask : ~unix_sock_rw_mask);
@@ -577,7 +586,7 @@ static int qemudListenUnix(struct qemud_server *server,
 goto cleanup;
 }
 
- if (bind(sock->fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+ if (bind(sock->fd, &sock->addr.data.sa, sock->addr.len) < 0) {
 VIR_ERROR(_("Failed to bind socket to '%s': %s"),
 path, virStrerror(errno, ebuf, sizeof ebuf));
 goto cleanup;
@@ -686,16 +695,7 @@ remoteListenTCP (struct qemud_server *server,
 return -1;
 
 for (i = 0; i < nfds; ++i) {
- union {
- struct sockaddr_storage sa_stor;
- struct sockaddr sa;
- struct sockaddr_in sa_in;
-#ifdef AF_INET6
- struct sockaddr_in6 sa_in6;
-#endif
- } s;
 char ebuf[1024];
- socklen_t salen = sizeof(s);
 
 if (VIR_ALLOC(sock) < 0) {
 VIR_ERROR(_("remoteListenTCP: calloc: %s"),
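Review bot: `sock->addrstr` is a new heap allocation owned by the socket, and every later `goto cleanup` in qemudListenUnix (the `socket()`, `virStrcpyStatic` and `bind()` failures in this and the next two hunks) now jumps past it; the `cleanup:` label is outside the hunk, so confirm that it frees `sock->addrstr`, otherwise each failed listener leaks the path copy. The strdup failure also reaches `cleanup` before `socket()` has run, so `sock->fd` still holds whatever the allocation left in it rather than -1; unless the label guards its close, setting `sock->fd = -1;` right after the allocation is the cheap way to make this early exit safe. The function's allocation and cleanup label both lie outside the hunk.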
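Review bot: With `memset(&addr, 0, sizeof(addr))` gone in the @@ -561 hunk, the bytes of `sock->addr.data.un.sun_path` beyond the copied path are whatever `sock`'s allocation left there, and the full `sock->addr.len = sizeof(sock->addr.data.un)` is still handed to `bind()` in the @@ -577 hunk; for an abstract socket (the leading `'@'` turned into `'\0'` here) those trailing bytes are part of the name the kernel binds. That is only safe if `sock` is zero-filled — remoteListenTCP's own socket comes from `VIR_ALLOC`, but the allocation in qemudListenUnix is outside these hunks, so confirm it, or add `memset(&sock->addr, 0, sizeof(sock->addr));` before `sun_family` is set so the property is explicit rather than inherited from the allocator.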
@@ -703,6 +703,7 @@ remoteListenTCP (struct qemud_server *server,
 goto cleanup;
 }
 
+ sock->addr.len = sizeof(sock->addr.data.stor);
 sock->readonly = 0;
 sock->next = server->sockets;
 server->sockets = sock;
@@ -712,17 +713,11 @@ remoteListenTCP (struct qemud_server *server,
 sock->type = type;
 sock->auth = auth;
 
- if (getsockname(sock->fd, &s.sa, &salen) < 0)
+ if (getsockname(sock->fd, &sock->addr.data.sa, &sock->addr.len) < 0)
 goto cleanup;
 
- if (s.sa.sa_family == AF_INET) {
- sock->port = htons(s.sa_in.sin_port);
-#ifdef AF_INET6
- } else if (s.sa.sa_family == AF_INET6)
- sock->port = htons(s.sa_in6.sin6_port);
-#endif
- else
- sock->port = -1;
+ if (!(sock->addrstr = virSocketFormatAddrFull(&sock->addr, true, ";")))
+ goto cleanup;
 
 if (virSetCloseExec(sock->fd) < 0 ||
 virSetNonBlock(sock->fd) < 0)
@@ -1037,8 +1032,9 @@ static int qemudNetworkInit(struct qemud_server *server) {
 */
 sock = server->sockets;
 while (sock) {
- if (sock->port != -1 && sock->type == QEMUD_SOCK_TYPE_TLS) {
- port = sock->port;
+ if (virSocketGetPort(&sock->addr) != -1 &&
+ sock->type == QEMUD_SOCK_TYPE_TLS) {
+ port = virSocketGetPort(&sock->addr);
 break;
 }
 sock = sock->next;
@@ -1116,19 +1112,9 @@ remoteInitializeTLSSession (void)
 
 /* Check DN is on tls_allowed_dn_list. */
 static int
-remoteCheckDN (gnutls_x509_crt_t cert)
+remoteCheckDN (const char *dname)
 {
- char name[256];
- size_t namesize = sizeof name;
 char **wildcards;
- int err;
-
- err = gnutls_x509_crt_get_dn (cert, name, &namesize);
- if (err != 0) {
- VIR_ERROR(_("remoteCheckDN: gnutls_x509_cert_get_dn: %s"),
- gnutls_strerror (err));
- return 0;
- }
 
 /* If the list is not set, allow any DN. */
 wildcards = tls_allowed_dn_list;
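Review bot: `virSocketGetPort(&sock->addr)` is called twice for the socket that matches in the @@ -1037 hunk of qemudNetworkInit, once in the condition and again to store the result; a local keeps it to one call and reads more clearly: `int p = virSocketGetPort(&sock->addr);` followed by `if (p != -1 && sock->type == QEMUD_SOCK_TYPE_TLS) { port = p;`. The loop sits inside a function whose body continues on both sides of the hunk.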
@@ -1136,62 +1122,62 @@ remoteCheckDN (gnutls_x509_crt_t cert) return 1; while (*wildcards) { - if (fnmatch (*wildcards, name, 0) == 0) + if (fnmatch (*wildcards, dname, 0) == 0) return 1; wildcards++; } /* Print the client's DN. */ - DEBUG(_("remoteCheckDN: failed: client DN is %s"), name); + DEBUG(_("remoteCheckDN: failed: client DN is %s"), dname); return 0; // Not found. } static int -remoteCheckCertificate (gnutls_session_t session) +remoteCheckCertificate(struct qemud_client *client) { int ret; unsigned int status; const gnutls_datum_t *certs; unsigned int nCerts, i; time_t now; + char name[256]; + size_t namesize = sizeof name; + + memset(name, 0, namesize); - if ((ret = gnutls_certificate_verify_peers2 (session, &status)) < 0){ - VIR_ERROR(_("remoteCheckCertificate: verify failed: %s"), + if ((ret = gnutls_certificate_verify_peers2 (client->tlssession, &status)) < 0){ + VIR_ERROR(_("Failed to verify certificate peers: %s"), gnutls_strerror (ret)); - return -1; + goto authdeny; } if (status != 0) { if (status & GNUTLS_CERT_INVALID) - VIR_ERROR0(_("remoteCheckCertificate: " - "the client certificate is not trusted.")); + VIR_ERROR0(_("The client certificate is not trusted.")); if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - VIR_ERROR0(_("remoteCheckCertificate: the client " - "certificate has unknown issuer.")); + VIR_ERROR0(_("The client certificate has unknown issuer.")); if (status & GNUTLS_CERT_REVOKED) - VIR_ERROR0(_("remoteCheckCertificate: " - "the client certificate has been revoked.")); + VIR_ERROR0(_("The client certificate has been revoked.")); #ifndef GNUTLS_1_0_COMPAT if (status & GNUTLS_CERT_INSECURE_ALGORITHM) - VIR_ERROR0(_("remoteCheckCertificate: the client certificate" - " uses an insecure algorithm.")); + VIR_ERROR0(_("The client certificate uses an insecure algorithm.")); #endif - return -1; + goto authdeny; } - if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { - VIR_ERROR0(_("remoteCheckCertificate: certificate is not 
X.509")); - return -1; + if (gnutls_certificate_type_get(client->tlssession) != GNUTLS_CRT_X509) { + VIR_ERROR0(_("Only x509 certificates are supported")); + goto authdeny; } - if (!(certs = gnutls_certificate_get_peers(session, &nCerts))) { - VIR_ERROR0(_("remoteCheckCertificate: no peers")); - return -1; + if (!(certs = gnutls_certificate_get_peers(client->tlssession, &nCerts))) { + VIR_ERROR0(_("The certificate has no peers")); + goto authdeny; } now = time (NULL); 
@@ -1200,40 +1186,60 @@ remoteCheckCertificate (gnutls_session_t session) gnutls_x509_crt_t cert; if (gnutls_x509_crt_init (&cert) < 0) { - VIR_ERROR0(_("remoteCheckCertificate: gnutls_x509_crt_init failed")); - return -1; + VIR_ERROR0(_("Unable to initialize certificate")); + goto authfail; } if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) { + VIR_ERROR0(_("Unable to load certificate")); gnutls_x509_crt_deinit (cert); - return -1; + goto authfail; + } + + if (i == 0) { + ret = gnutls_x509_crt_get_dn (cert, name, &namesize); + if (ret != 0) { + VIR_ERROR(_("Failed to get certificate distinguished name: %s"), + gnutls_strerror(ret)); + gnutls_x509_crt_deinit (cert); + goto authfail; + } + + if (!remoteCheckDN (name)) { + /* This is the most common error: make it informative. */ + VIR_ERROR0(_("Client's Distinguished Name is not on the list " + "of allowed clients (tls_allowed_dn_list). Use " + "'certtool -i --infile clientcert.pem' to view the" + "Distinguished Name field in the client certificate," + "or run this daemon with --verbose option.")); + gnutls_x509_crt_deinit (cert); + goto authdeny; + } } if (gnutls_x509_crt_get_expiration_time (cert) < now) { - VIR_ERROR0(_("remoteCheckCertificate: " - "the client certificate has expired")); + VIR_ERROR0(_("The client certificate has expired")); gnutls_x509_crt_deinit (cert); - return -1; + goto authdeny; } if (gnutls_x509_crt_get_activation_time (cert) > now) { - VIR_ERROR0(_("remoteCheckCertificate: the client " - "certificate is not yet activated")); + VIR_ERROR0(_("The client certificate is not yet active")); gnutls_x509_crt_deinit (cert); - return -1; - } - - if (i == 0) { - if (!remoteCheckDN (cert)) { - /* This is the most common error: make it informative. */ - VIR_ERROR0(_("remoteCheckCertificate: client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). 
Use 'openssl x509 -in clientcert.pem -text' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); - gnutls_x509_crt_deinit (cert); - return -1; - } + goto authdeny; } } + PROBE(CLIENT_TLS_ALLOW, "fd=%d, name=%s", client->fd, (char *)name); return 0; + +authdeny: + PROBE(CLIENT_TLS_DENY, "fd=%d, name=%s", client->fd, (char *)name); + return -1; + +authfail: + PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd); + return -1; } /* Check the client's access. */ @@ -1243,7 +1249,7 @@ remoteCheckAccess (struct qemud_client *client) struct qemud_client_message *confirm; /* Verify client certificate. */ - if (remoteCheckCertificate (client->tlssession) == -1) { + if (remoteCheckCertificate (client) == -1) { VIR_ERROR0(_("remoteCheckCertificate: " "failed to verify client's certificate")); if (!tls_no_verify_certificate) return -1; @@ -1299,13 +1305,14 @@ int qemudGetSocketIdentity(int fd, uid_t *uid, pid_t *pid) { static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket *sock) { int fd; - struct sockaddr_storage addr; - socklen_t addrlen = (socklen_t) (sizeof addr); - struct qemud_client *client; + virSocketAddr addr; + char *addrstr = NULL; + struct qemud_client *client = NULL; int no_slow_start = 1; int i; - if ((fd = accept(sock->fd, (struct sockaddr *)&addr, &addrlen)) < 0) { + addr.len = sizeof(addr.data.stor); + if ((fd = accept(sock->fd, &addr.data.sa, &addr.len)) < 0) { char ebuf[1024]; if (errno == EAGAIN) return 0; 
@@ -1313,17 +1320,23 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket virStrerror(errno, ebuf, sizeof ebuf)); return -1; } + if (!(addrstr = virSocketFormatAddrFull(&addr, true, ";"))) { + VIR_ERROR0(_("Failed to format addresss: out of memory")); + goto error; + } + + PROBE(CLIENT_CONNECT, "fd=%d, readonly=%d localAddr=%s remoteAddr=%s", + fd, sock->readonly, sock->addrstr, addrstr); if (server->nclients >= max_clients) { - VIR_ERROR(_("Too many active clients (%d), dropping connection"), max_clients); - close(fd); - return -1; + VIR_ERROR(_("Too many active clients (%d), dropping connection from %s"), + max_clients, addrstr); + goto error; } if (VIR_REALLOC_N(server->clients, server->nclients+1) < 0) { VIR_ERROR0(_("Out of memory allocating clients")); - close(fd); - return -1; + goto error; } #ifdef __sun @@ -1335,14 +1348,12 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket (privs = ucred_getprivset (ucred, PRIV_EFFECTIVE)) == NULL) { if (ucred != NULL) ucred_free (ucred); - close (fd); - return -1; + goto error; } if (!priv_ismember (privs, PRIV_VIRT_MANAGE)) { ucred_free (ucred); - close (fd); - return -1; + goto error; } ucred_free (ucred); @@ -1355,16 +1366,14 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket if (virSetCloseExec(fd) < 0 || virSetNonBlock(fd) < 0) { - close(fd); - return -1; + goto error; } if (VIR_ALLOC(client) < 0) - goto cleanup; + goto error; if (virMutexInit(&client->lock) < 0) { VIR_ERROR0(_("cannot initialize mutex")); - VIR_FREE(client); - goto cleanup; + goto error; } client->magic = QEMUD_CLIENT_MAGIC; 
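Review bot: The new error message in qemudDispatchServer misspells its subject — `VIR_ERROR0(_("Failed to format addresss: out of memory"));` should be `VIR_ERROR0(_("Failed to format address: out of memory"));`, and as a `_()` string the misspelling would otherwise propagate to translators. The CLIENT_CONNECT probe now fires before the `max_clients` check and the matching CLIENT_DISCONNECT fires on the `error:` path, so a rejected connection is visible as a connect/disconnect pair; that is reasonable, but a comment at the probe saying so would keep someone from moving it below the limit check later. qemudDispatchServer continues outside this hunk.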
@@ -1372,8 +1381,9 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket client->readonly = sock->readonly; client->type = sock->type; client->auth = sock->auth; - memcpy (&client->addr, &addr, sizeof addr); - client->addrlen = addrlen; + client->addr = addr; + client->addrstr = addrstr; + addrstr = NULL; for (i = 0 ; i < VIR_DOMAIN_EVENT_ID_LAST ; i++) { client->domainEventCallbackID[i] = -1; @@ -1381,7 +1391,7 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket /* Prepare one for packet receive */ if (VIR_ALLOC(client->rx) < 0) - goto cleanup; + goto error; client->rx->bufferLength = REMOTE_MESSAGE_HEADER_XDR_LEN; @@ -1395,11 +1405,12 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket pid_t pid; if (qemudGetSocketIdentity(client->fd, &uid, &pid) < 0) - goto cleanup; + goto error; /* Client is running as root, so disable auth */ if (uid == 0) { - VIR_INFO(_("Turn off polkit auth for privileged client %d"), pid); + VIR_INFO(_("Turn off polkit auth for privileged client pid %d from %s"), + pid, addrstr); client->auth = REMOTE_AUTH_NONE; } } @@ -1408,13 +1419,13 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket if (client->type != QEMUD_SOCK_TYPE_TLS) { /* Plain socket, so prepare to read first message */ if (qemudRegisterClientEvent (server, client) < 0) - goto cleanup; + goto error; } else { int ret; client->tlssession = remoteInitializeTLSSession (); if (client->tlssession == NULL) - goto cleanup; + goto error; gnutls_transport_set_ptr (client->tlssession, (gnutls_transport_ptr_t) (long) fd); 
@@ -1426,21 +1437,22 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket /* Unlikely, but ... Next step is to check the certificate. */ if (remoteCheckAccess (client) == -1) - goto cleanup; + goto error; /* Handshake & cert check OK, so prepare to read first message */ if (qemudRegisterClientEvent(server, client) < 0) - goto cleanup; + goto error; } else if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { /* Most likely, need to do more handshake data */ client->handshake = 1; if (qemudRegisterClientEvent (server, client) < 0) - goto cleanup; + goto error; } else { - VIR_ERROR(_("TLS handshake failed: %s"), - gnutls_strerror (ret)); - goto cleanup; + PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd); + VIR_ERROR(_("TLS handshake failed for client %s: %s"), + addrstr, gnutls_strerror (ret)); + goto error; } } @@ -1461,13 +1473,18 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket return 0; - cleanup: - if (client && - client->tlssession) gnutls_deinit (client->tlssession); +error: + if (client) { + if (client->tlssession) gnutls_deinit (client->tlssession); + if (client) { + VIR_FREE(client->addrstr); + VIR_FREE(client->rx); + } + VIR_FREE(client); + } + VIR_FREE(addrstr); close (fd); - if (client) - VIR_FREE(client->rx); - VIR_FREE(client); + PROBE(CLIENT_DISCONNECT, "fd=%d", fd); return -1; } @@ -1511,9 +1528,11 @@ void qemudDispatchClientFailure(struct qemud_client *client) { client->tlssession = NULL; } if (client->fd != -1) { + PROBE(CLIENT_DISCONNECT, "fd=%d", client->fd); close(client->fd); client->fd = -1; } + VIR_FREE(client->addrstr); } @@ -2071,6 +2090,7 @@ qemudDispatchClientHandshake(struct qemud_client *client) { direction has changed */ qemudUpdateClientEvent (client); } else { + PROBE(CLIENT_TLS_FAIL, "fd=%d", client->fd); /* Fatal error in handshake */ VIR_ERROR(_("TLS handshake failed: %s"), gnutls_strerror (ret)); 
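Review bot: The rewritten `error:` block in qemudDispatchServer (`@@ -1461`) tests `if (client)` twice — the inner `if (client) { VIR_FREE(client->addrstr); VIR_FREE(client->rx); }` sits inside the outer `if (client) {`, so the inner condition is always true and can be dropped, leaving the two `VIR_FREE` calls directly under the outer guard. The rest of the cleanup ordering (deinit TLS session, free client, free `addrstr`, close `fd`, then the disconnect probe) looks right. qemudDispatchServer starts outside this hunk.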
@@ -2431,6 +2451,7 @@ static void qemudCleanup(struct qemud_server *server) { sock->path[0] != '@') unlink(sock->path); VIR_FREE(sock->path); + VIR_FREE(sock->addrstr); VIR_FREE(sock); sock = next; @@ -2852,6 +2873,9 @@ remoteReadConfigFile (struct qemud_server *server, const char *filename) GET_CONF_INT (conf, filename, max_requests); GET_CONF_INT (conf, filename, max_client_requests); + GET_CONF_INT (conf, filename, audit_level); + GET_CONF_INT (conf, filename, audit_logging); + GET_CONF_STR (conf, filename, host_uuid); if (virSetHostUUIDStr(host_uuid)) { VIR_ERROR(_("invalid host UUID: %s"), host_uuid); @@ -3192,6 +3216,16 @@ int main(int argc, char **argv) { goto error; } + if (audit_level) { + if (virAuditOpen() < 0) { + if (audit_level > 1) { + ret = VIR_DAEMON_ERR_AUDIT; + goto error; + } + } + } + virAuditLog(audit_logging); + /* setup the hooks if any */ if (virHookInitialize() < 0) { ret = VIR_DAEMON_ERR_HOOKS; diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf index d11c0fb08..163a80fb0 100644 --- a/daemon/libvirtd.conf +++ b/daemon/libvirtd.conf @@ -313,6 +313,25 @@ # log_outputs="3:syslog:libvirtd" # to log all warnings and errors to syslog under the libvirtd ident + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### # UUID of the host: # Provide the UUID of the host here in case the command # 'dmidecode -s system-uuid' does not provide a valid uuid. In case 
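Review bot: In the `main()` hunk (`@@ -3192`), when `audit_level` is 1 and `virAuditOpen()` fails the daemon continues silently, so an operator who expected host auditing to be active gets no indication it is not; a log line in that branch, e.g. `VIR_INFO0(_("Audit subsystem unavailable, continuing without auditing"));`, would make the degraded state visible. `virAuditLog(audit_logging)` is also called when `audit_level` is 0; presumably that is harmless, but a short comment saying whether logging is meant to apply with auditing disabled would remove the doubt. main() begins and ends outside the hunk.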
diff --git a/daemon/libvirtd.h b/daemon/libvirtd.h index 3f13fb11a..785ac07c2 100644 --- a/daemon/libvirtd.h +++ b/daemon/libvirtd.h @@ -48,6 +48,24 @@ # include "qemu_protocol.h" # include "logging.h" # include "threads.h" +# include "network.h" + +# if WITH_DTRACE +# ifndef LIBVIRTD_PROBES_H +# define LIBVIRTD_PROBES_H +# include "probes.h" +# endif /* LIBVIRTD_PROBES_H */ +# define PROBE(NAME, FMT, ...) \ + VIR_DEBUG_INT("trace." __FILE__ , __func__, __LINE__, \ + #NAME ": " FMT, __VA_ARGS__); \ + if (LIBVIRTD_ ## NAME ## _ENABLED()) { \ + LIBVIRTD_ ## NAME(__VA_ARGS__); \ + } +# else +# define PROBE(NAME, FMT, ...) \ + VIR_DEBUG_INT("trace." __FILE__, __func__, __LINE__, \ + #NAME ": " FMT, __VA_ARGS__); +# endif # ifdef __GNUC__ # ifdef HAVE_ANSIDECL_H @@ -180,8 +198,8 @@ struct qemud_client { unsigned int closing :1; int domainEventCallbackID[VIR_DOMAIN_EVENT_ID_LAST]; - struct sockaddr_storage addr; - socklen_t addrlen; + virSocketAddr addr; + const char *addrstr; int type; /* qemud_sock_type */ gnutls_session_t tlssession; @@ -235,12 +253,16 @@ struct qemud_client { struct qemud_socket { char *path; + + virSocketAddr addr; + const char *addrstr; + int fd; int watch; int readonly; int type; /* qemud_sock_type */ int auth; - int port; + struct qemud_socket *next; }; diff --git a/daemon/libvirtd.stp b/daemon/libvirtd.stp new file mode 100644 index 000000000..7406eebb7 --- /dev/null +++ b/daemon/libvirtd.stp 
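Review bot: The WITH_DTRACE form of the new `PROBE` macro expands to two statements (a `VIR_DEBUG_INT(...)` call followed by an `if`), so a call written as the unbraced body of an `if` or `else` would attach only the first statement to the condition and the `if (LIBVIRTD_..._ENABLED())` would run unconditionally. Every use in this commit is a standalone statement, but wrapping the expansion in `do { ... } while (0)` makes the macro safe regardless of call site; the non-DTRACE branch should then drop its trailing `;` as well so both forms take the caller's semicolon.
```c
#  define PROBE(NAME, FMT, ...)                                         \
    do {                                                                \
        VIR_DEBUG_INT("trace." __FILE__ , __func__, __LINE__,           \
                      #NAME ": " FMT, __VA_ARGS__);                     \
        if (LIBVIRTD_ ## NAME ## _ENABLED()) {                          \
            LIBVIRTD_ ## NAME(__VA_ARGS__);                             \
        }                                                               \
    } while (0)
/* … unchanged: non-DTRACE branch, minus its trailing ';' … */
```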
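Review bot: The new `addrstr` members of `struct qemud_client` and `struct qemud_socket` (hunks `@@ -180` and `@@ -235`) are declared `const char *`, yet libvirtd.c assigns them from `strdup()` / `virSocketFormatAddrFull()` and releases them with `VIR_FREE` in qemudDispatchServer's error path, qemudDispatchClientFailure and qemudCleanup. The qualifier misstates ownership and freeing through a `const` pointer is the kind of thing compilers warn about as a discarded qualifier; `char *addrstr;` in both structs matches how the field is actually used. A brief comment such as `/* heap-allocated, owned by this struct */` next to each would make the lifetime explicit.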
@@ -0,0 +1,65 @@
+probe libvirt.daemon.client.connect = process("libvirtd").mark("client_connect")
+{
+ fd = $arg1;
+ readonly = $arg2;
+ localAddr = user_string($arg3);
+ remoteAddr = user_string($arg4);
+}
+
+probe libvirt.daemon.client.disconnect = process("libvirtd").mark("client_disconnect")
+{
+ fd = $arg1;
+}
+
+
+probe libvirt.daemon.client.tls_allow = process("libvirtd").mark("client_tls_allow")
+{
+ fd = $arg1;
+ x509dname = user_string($arg2);
+}
+
+probe libvirt.daemon.client.tls_deny = process("libvirtd").mark("client_tls_deny")
+{
+ fd = $arg1;
+ x509dname = user_string($arg2);
+}
+
+probe libvirt.daemon.client.tls_fail = process("libvirtd").mark("client_tls_fail")
+{
+ fd = $arg1;
+}
+
+
+function authtype_to_string(authtype) {
+ if (authtype == 0)
+ return "none"
+ if (authtype == 1)
+ return "sasl"
+ if (authtype == 2)
+ return "polkit"
+ return "unknown"
+}
+
+
+probe libvirt.daemon.client.auth_allow = process("libvirtd").mark("client_auth_allow")
+{
+ fd = $arg1;
+ authtype = $arg2;
+ authname = authtype_to_string($arg2);
+ identity = user_string($arg3);
+}
+
+probe libvirt.daemon.client.auth_deny = process("libvirtd").mark("client_auth_deny")
+{
+ fd = $arg1;
+ authtype = $arg2;
+ authname = authtype_to_string($arg2);
+ identity = user_string($arg3);
+}
+
+probe libvirt.daemon.client.auth_fail = process("libvirtd").mark("client_auth_fail")
+{
+ fd = $arg1;
+ authtype = $arg2;
+ authname = authtype_to_string($arg2);
+}
diff --git a/daemon/probes.d b/daemon/probes.d
new file mode 100644
index 000000000..d1050c074
--- /dev/null
+++ b/daemon/probes.d
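Review bot: `authtype_to_string` in the new tapset hard-codes 0/1/2 for none/sasl/polkit, while the C side passes `REMOTE_AUTH_SASL` and `REMOTE_AUTH_POLKIT` into the auth probes; presumably those constants carry exactly these values today, but nothing in the script records that the mapping must track the daemon's `REMOTE_AUTH_*` enumeration. A comment above the function, e.g. `# keep in sync with the REMOTE_AUTH_* values used by the daemon's auth probes`, would give a future protocol change a place to look. The same applies to the argument positions (`$arg3` as identity), which are only documented by probes.d.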
@@ -0,0 +1,12 @@ +provider libvirtd { + probe client_connect(int fd, int readonly, const char *localAddr, const char *remoteAddr); + probe client_disconnect(int fd); + + probe client_auth_allow(int fd, int authtype, const char *identity); + probe client_auth_deny(int fd, int authtype, const char *identity); + probe client_auth_fail(int fd, int authtype); + + probe client_tls_allow(int fd, const char *x509dname); + probe client_tls_deny(int fd, const char *x509dname); + probe client_tls_fail(int fd); +}; diff --git a/daemon/remote.c b/daemon/remote.c index 118654c45..886d53db1 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -57,6 +57,8 @@ #include "memory.h" #include "util.h" #include "stream.h" +#include "uuid.h" +#include "network.h" #include "libvirt/libvirt-qemu.h" #define VIR_FROM_THIS VIR_FROM_REMOTE @@ -1751,6 +1753,33 @@ oom: } static int +remoteDispatchDomainGetVcpusFlags (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client ATTRIBUTE_UNUSED, + virConnectPtr conn, + remote_message_header *hdr ATTRIBUTE_UNUSED, + remote_error *rerr, + remote_domain_get_vcpus_flags_args *args, + remote_domain_get_vcpus_flags_ret *ret) +{ + virDomainPtr dom; + + dom = get_nonnull_domain (conn, args->dom); + if (dom == NULL) { + remoteDispatchConnError(rerr, conn); + return -1; + } + + ret->num = virDomainGetVcpusFlags (dom, args->flags); + if (ret->num == -1) { + virDomainFree(dom); + remoteDispatchConnError(rerr, conn); + return -1; + } + virDomainFree(dom); + return 0; +} + +static int remoteDispatchDomainMigratePrepare (struct qemud_server *server ATTRIBUTE_UNUSED, struct qemud_client *client ATTRIBUTE_UNUSED, virConnectPtr conn, 
@@ -2332,6 +2361,216 @@ remoteDispatchDomainSetMemory (struct qemud_server *server ATTRIBUTE_UNUSED, } static int +remoteDispatchDomainSetMemoryParameters(struct qemud_server *server + ATTRIBUTE_UNUSED, + struct qemud_client *client + ATTRIBUTE_UNUSED, + virConnectPtr conn, + remote_message_header * + hdr ATTRIBUTE_UNUSED, + remote_error * rerr, + remote_domain_set_memory_parameters_args + * args, void *ret ATTRIBUTE_UNUSED) +{ + virDomainPtr dom; + int i, r, nparams; + virMemoryParameterPtr params; + unsigned int flags; + + nparams = args->params.params_len; + flags = args->flags; + + if (nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + remoteDispatchFormatError(rerr, "%s", _("nparams too large")); + return -1; + } + if (VIR_ALLOC_N(params, nparams) < 0) { + remoteDispatchOOMError(rerr); + return -1; + } + + /* Deserialise parameters. */ + for (i = 0; i < nparams; ++i) { + if (virStrcpyStatic + (params[i].field, args->params.params_val[i].field) == NULL) { + remoteDispatchFormatError(rerr, + _ + ("Field %s too big for destination"), + args->params.params_val[i].field); + return -1; + } + params[i].type = args->params.params_val[i].value.type; + switch (params[i].type) { + case VIR_DOMAIN_MEMORY_PARAM_INT: + params[i].value.i = + args->params.params_val[i].value. + remote_memory_param_value_u.i; + break; + case VIR_DOMAIN_MEMORY_PARAM_UINT: + params[i].value.ui = + args->params.params_val[i].value. + remote_memory_param_value_u.ui; + break; + case VIR_DOMAIN_MEMORY_PARAM_LLONG: + params[i].value.l = + args->params.params_val[i].value. + remote_memory_param_value_u.l; + break; + case VIR_DOMAIN_MEMORY_PARAM_ULLONG: + params[i].value.ul = + args->params.params_val[i].value. + remote_memory_param_value_u.ul; + break; + case VIR_DOMAIN_MEMORY_PARAM_DOUBLE: + params[i].value.d = + args->params.params_val[i].value. + remote_memory_param_value_u.d; + break; + case VIR_DOMAIN_MEMORY_PARAM_BOOLEAN: + params[i].value.b = + args->params.params_val[i].value. 
+ remote_memory_param_value_u.b; + break; + } + } + + dom = get_nonnull_domain(conn, args->dom); + if (dom == NULL) { + VIR_FREE(params); + remoteDispatchConnError(rerr, conn); + return -1; + } + + r = virDomainSetMemoryParameters(dom, params, nparams, flags); + virDomainFree(dom); + VIR_FREE(params); + if (r == -1) { + remoteDispatchConnError(rerr, conn); + return -1; + } + + return 0; +} + +static int +remoteDispatchDomainGetMemoryParameters(struct qemud_server *server + ATTRIBUTE_UNUSED, + struct qemud_client *client + ATTRIBUTE_UNUSED, + virConnectPtr conn, + remote_message_header * + hdr ATTRIBUTE_UNUSED, + remote_error * rerr, + remote_domain_get_memory_parameters_args + * args, + remote_domain_get_memory_parameters_ret + * ret) +{ + virDomainPtr dom; + virMemoryParameterPtr params; + int i, r, nparams; + unsigned int flags; + + nparams = args->nparams; + flags = args->flags; + + if (nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + remoteDispatchFormatError(rerr, "%s", _("nparams too large")); + return -1; + } + if (VIR_ALLOC_N(params, nparams) < 0) { + remoteDispatchOOMError(rerr); + return -1; + } + + dom = get_nonnull_domain(conn, args->dom); + if (dom == NULL) { + VIR_FREE(params); + remoteDispatchConnError(rerr, conn); + return -1; + } + + r = virDomainGetMemoryParameters(dom, params, &nparams, flags); + if (r == -1) { + virDomainFree(dom); + VIR_FREE(params); + remoteDispatchConnError(rerr, conn); + return -1; + } + /* In this case, we need to send back the number of parameters + * supported + */ + if (args->nparams == 0) { + ret->nparams = nparams; + goto success; + } + + /* Serialise the memory parameters. 
*/ + ret->params.params_len = nparams; + if (VIR_ALLOC_N(ret->params.params_val, nparams) < 0) + goto oom; + + for (i = 0; i < nparams; ++i) { + // remoteDispatchClientRequest will free this: + ret->params.params_val[i].field = strdup(params[i].field); + if (ret->params.params_val[i].field == NULL) + goto oom; + + ret->params.params_val[i].value.type = params[i].type; + switch (params[i].type) { + case VIR_DOMAIN_MEMORY_PARAM_INT: + ret->params.params_val[i]. + value.remote_memory_param_value_u.i = + params[i].value.i; + break; + case VIR_DOMAIN_MEMORY_PARAM_UINT: + ret->params.params_val[i]. + value.remote_memory_param_value_u.ui = + params[i].value.ui; + break; + case VIR_DOMAIN_MEMORY_PARAM_LLONG: + ret->params.params_val[i]. + value.remote_memory_param_value_u.l = + params[i].value.l; + break; + case VIR_DOMAIN_MEMORY_PARAM_ULLONG: + ret->params.params_val[i]. + value.remote_memory_param_value_u.ul = + params[i].value.ul; + break; + case VIR_DOMAIN_MEMORY_PARAM_DOUBLE: + ret->params.params_val[i]. + value.remote_memory_param_value_u.d = + params[i].value.d; + break; + case VIR_DOMAIN_MEMORY_PARAM_BOOLEAN: + ret->params.params_val[i]. + value.remote_memory_param_value_u.b = + params[i].value.b; + break; + default: + remoteDispatchFormatError(rerr, "%s", _("unknown type")); + goto cleanup; + } + } + + success: + virDomainFree(dom); + VIR_FREE(params); + + return 0; + + oom: + remoteDispatchOOMError(rerr); + cleanup: + virDomainFree(dom); + for (i = 0; i < nparams; i++) + VIR_FREE(ret->params.params_val[i].field); + VIR_FREE(params); + return -1; +} + +static int remoteDispatchDomainSetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, struct qemud_client *client ATTRIBUTE_UNUSED, virConnectPtr conn, 
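Review bot: In remoteDispatchDomainSetMemoryParameters the "Field %s too big for destination" branch returns `-1` without releasing `params`, so a client can leak a `nparams`-sized allocation per request simply by sending an over-long field name; the branch should read `VIR_FREE(params); return -1;` like the `dom == NULL` path below it. In remoteDispatchDomainGetMemoryParameters the `cleanup:` loop runs `VIR_FREE(ret->params.params_val[i].field)` for every `i < nparams`, but the `goto oom` immediately after `VIR_ALLOC_N(ret->params.params_val, nparams)` reaches it with `params_val` still NULL and `nparams > 0`, which dereferences a null pointer; guard the loop with `if (ret->params.params_val)` and also `VIR_FREE(ret->params.params_val)` so the reply buffer is not leaked on the error path. Both `nparams` values come from the wire and are only bounded from above; if the XDR type is signed, a negative count passes the `REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX` check and should be rejected explicitly. remoteDispatchDomainSetVcpus's opening lines at the end of this hunk belong to the next function.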
@@ -2358,6 +2597,32 @@ remoteDispatchDomainSetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, } static int +remoteDispatchDomainSetVcpusFlags (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client ATTRIBUTE_UNUSED, + virConnectPtr conn, + remote_message_header *hdr ATTRIBUTE_UNUSED, + remote_error *rerr, + remote_domain_set_vcpus_flags_args *args, + void *ret ATTRIBUTE_UNUSED) +{ + virDomainPtr dom; + + dom = get_nonnull_domain (conn, args->dom); + if (dom == NULL) { + remoteDispatchConnError(rerr, conn); + return -1; + } + + if (virDomainSetVcpusFlags (dom, args->nvcpus, args->flags) == -1) { + virDomainFree(dom); + remoteDispatchConnError(rerr, conn); + return -1; + } + virDomainFree(dom); + return 0; +} + +static int remoteDispatchDomainShutdown (struct qemud_server *server ATTRIBUTE_UNUSED, struct qemud_client *client ATTRIBUTE_UNUSED, virConnectPtr conn, 
@@ -3254,49 +3519,6 @@ remoteDispatchAuthList (struct qemud_server *server, #if HAVE_SASL /* - * NB, keep in sync with similar method in src/remote/remote_driver.c - */ -static char *addrToString(remote_error *rerr, - struct sockaddr_storage *ss, socklen_t salen) { - char host[NI_MAXHOST], port[NI_MAXSERV]; - char *addr; - int err; - struct sockaddr *sa = (struct sockaddr *)ss; - - if ((err = getnameinfo(sa, salen, - host, sizeof(host), - port, sizeof(port), - NI_NUMERICHOST | NI_NUMERICSERV)) != 0) { - char ip[INET6_ADDRSTRLEN]; - void *rawaddr; - - if (sa->sa_family == AF_INET) - rawaddr = &((struct sockaddr_in *)sa)->sin_addr; - else - rawaddr = &((struct sockaddr_in6 *)sa)->sin6_addr; - - if (inet_ntop(sa->sa_family, rawaddr, ip, sizeof ip)) { - remoteDispatchFormatError(rerr, - _("Cannot resolve address %s: %s"), - ip, gai_strerror(err)); - } else { - remoteDispatchFormatError(rerr, - _("Cannot resolve address: %s"), - gai_strerror(err)); - } - return NULL; - } - - if (virAsprintf(&addr, "%s;%s", host, port) == -1) { - virReportOOMError(); - return NULL; - } - - return addr; -} - - -/* * Initializes the SASL session in prepare for authentication * and gives the client a list of allowed mechanisms to choose * @@ -3305,7 +3527,7 @@ static char *addrToString(remote_error *rerr, static int remoteDispatchAuthSaslInit (struct qemud_server *server, struct qemud_client *client, - virConnectPtr conn ATTRIBUTE_UNUSED, + virConnectPtr conn, remote_message_header *hdr ATTRIBUTE_UNUSED, remote_error *rerr, void *args ATTRIBUTE_UNUSED, @@ -3314,8 +3536,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server, const char *mechlist = NULL; sasl_security_properties_t secprops; int err; - struct sockaddr_storage sa; - socklen_t salen; + virSocketAddr sa; char *localAddr, *remoteAddr; virMutexLock(&server->lock); 
@@ -3330,29 +3551,31 @@ remoteDispatchAuthSaslInit (struct qemud_server *server, } /* Get local address in form IPADDR:PORT */ - salen = sizeof(sa); - if (getsockname(client->fd, (struct sockaddr*)&sa, &salen) < 0) { + sa.len = sizeof(sa.data.stor); + if (getsockname(client->fd, &sa.data.sa, &sa.len) < 0) { char ebuf[1024]; remoteDispatchFormatError(rerr, _("failed to get sock address: %s"), virStrerror(errno, ebuf, sizeof ebuf)); goto error; } - if ((localAddr = addrToString(rerr, &sa, salen)) == NULL) { + if ((localAddr = virSocketFormatAddrFull(&sa, true, ";")) == NULL) { + remoteDispatchConnError(rerr, conn); goto error; } /* Get remote address in form IPADDR:PORT */ - salen = sizeof(sa); - if (getpeername(client->fd, (struct sockaddr*)&sa, &salen) < 0) { + sa.len = sizeof(sa.data.stor); + if (getpeername(client->fd, &sa.data.sa, &sa.len) < 0) { char ebuf[1024]; remoteDispatchFormatError(rerr, _("failed to get peer address: %s"), virStrerror(errno, ebuf, sizeof ebuf)); VIR_FREE(localAddr); goto error; } - if ((remoteAddr = addrToString(rerr, &sa, salen)) == NULL) { + if ((remoteAddr = virSocketFormatAddrFull(&sa, true, ";")) == NULL) { VIR_FREE(localAddr); + remoteDispatchConnError(rerr, conn); goto error; } @@ -3454,13 +3677,16 @@ remoteDispatchAuthSaslInit (struct qemud_server *server, authfail: remoteDispatchAuthError(rerr); error: + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); virMutexUnlock(&client->lock); return -1; } /* We asked for an SSF layer, so sanity check that we actually - * got what we asked for */ + * got what we asked for + * Returns 0 if ok, -1 on error, -2 if rejected + */ static int remoteSASLCheckSSF (struct qemud_client *client, remote_error *rerr) { @@ -3487,7 +3713,7 @@ remoteSASLCheckSSF (struct qemud_client *client, remoteDispatchAuthError(rerr); sasl_dispose(&client->saslconn); client->saslconn = NULL; - return -1; + return -2; } /* Only setup for read initially, because we're about to send an RPC 
@@ -3502,6 +3728,9 @@ remoteSASLCheckSSF (struct qemud_client *client, return 0; } +/* + * Returns 0 if ok, -1 on error, -2 if rejected + */ static int remoteSASLCheckAccess (struct qemud_server *server, struct qemud_client *client, @@ -3553,7 +3782,7 @@ remoteSASLCheckAccess (struct qemud_server *server, remoteDispatchAuthError(rerr); sasl_dispose(&client->saslconn); client->saslconn = NULL; - return -1; + return -2; } @@ -3625,14 +3854,18 @@ remoteDispatchAuthSaslStart (struct qemud_server *server, if (err == SASL_CONTINUE) { ret->complete = 0; } else { - if (remoteSASLCheckSSF(client, rerr) < 0) - goto error; - /* Check username whitelist ACL */ - if (remoteSASLCheckAccess(server, client, rerr) < 0) - goto error; + if ((err = remoteSASLCheckAccess(server, client, rerr)) < 0 || + (err = remoteSASLCheckSSF(client, rerr)) < 0) { + if (err == -2) + goto authdeny; + else + goto authfail; + } REMOTE_DEBUG("Authentication successful %d", client->fd); + PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s", + client->fd, REMOTE_AUTH_SASL, client->saslUsername); ret->complete = 1; client->auth = REMOTE_AUTH_NONE; } @@ -3641,7 +3874,15 @@ remoteDispatchAuthSaslStart (struct qemud_server *server, return 0; authfail: + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); remoteDispatchAuthError(rerr); + goto error; + +authdeny: + PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s", + client->fd, REMOTE_AUTH_SASL, client->saslUsername); + goto error; + error: virMutexUnlock(&client->lock); return -1; 
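Review bot: The new CLIENT_AUTH_DENY probe in remoteDispatchAuthSaslStart (and the identical code in remoteDispatchAuthSaslStep in the next hunk) passes `client->saslUsername` through a `%s` format, but the body of remoteSASLCheckAccess is not visible here; if it can return -2 before the username has been stored, the debug path formats a NULL string. `client->saslUsername ? client->saslUsername : ""` in the probe argument list removes the dependency on that ordering. The ACL check is also now performed before the SSF check, reversing the earlier order, which is worth a one-line comment so it is not read as accidental. remoteDispatchAuthSaslStart starts outside this hunk.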
@@ -3714,14 +3955,18 @@ remoteDispatchAuthSaslStep (struct qemud_server *server, if (err == SASL_CONTINUE) { ret->complete = 0; } else { - if (remoteSASLCheckSSF(client, rerr) < 0) - goto error; - /* Check username whitelist ACL */ - if (remoteSASLCheckAccess(server, client, rerr) < 0) - goto error; + if ((err = remoteSASLCheckAccess(server, client, rerr)) < 0 || + (err = remoteSASLCheckSSF(client, rerr)) < 0) { + if (err == -2) + goto authdeny; + else + goto authfail; + } REMOTE_DEBUG("Authentication successful %d", client->fd); + PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s", + client->fd, REMOTE_AUTH_SASL, client->saslUsername); ret->complete = 1; client->auth = REMOTE_AUTH_NONE; } @@ -3730,7 +3975,15 @@ remoteDispatchAuthSaslStep (struct qemud_server *server, return 0; authfail: + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); remoteDispatchAuthError(rerr); + goto error; + +authdeny: + PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s", + client->fd, REMOTE_AUTH_SASL, client->saslUsername); + goto error; + error: virMutexUnlock(&client->lock); return -1; @@ -3748,6 +4001,7 @@ remoteDispatchAuthSaslInit (struct qemud_server *server ATTRIBUTE_UNUSED, remote_auth_sasl_init_ret *ret ATTRIBUTE_UNUSED) { VIR_ERROR0(_("client tried unsupported SASL init request")); + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); remoteDispatchAuthError(rerr); return -1; } @@ -3762,6 +4016,7 @@ remoteDispatchAuthSaslStart (struct qemud_server *server ATTRIBUTE_UNUSED, remote_auth_sasl_start_ret *ret ATTRIBUTE_UNUSED) { VIR_ERROR0(_("client tried unsupported SASL start request")); + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); remoteDispatchAuthError(rerr); return -1; } 
@@ -3776,6 +4031,7 @@ remoteDispatchAuthSaslStep (struct qemud_server *server ATTRIBUTE_UNUSED, remote_auth_sasl_step_ret *ret ATTRIBUTE_UNUSED) { VIR_ERROR0(_("client tried unsupported SASL step request")); + PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_SASL); remoteDispatchAuthError(rerr); return -1; } @@ -3792,13 +4048,16 @@ remoteDispatchAuthPolkit (struct qemud_server *server, void *args ATTRIBUTE_UNUSED, remote_auth_polkit_ret *ret) { - pid_t callerPid; - uid_t callerUid; + pid_t callerPid = -1; + uid_t callerUid = -1; const char *action; int status = -1; char pidbuf[50]; + char ident[100]; int rv; + memset(ident, 0, sizeof ident); + virMutexLock(&server->lock); virMutexLock(&client->lock); virMutexUnlock(&server->lock); @@ -3834,6 +4093,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server, goto authfail; } + rv = snprintf(ident, sizeof ident, "pid:%d,uid:%d", callerPid, callerUid); + if (rv < 0 || rv >= sizeof ident) { + VIR_ERROR(_("Caller identity was too large %d:%d"), callerPid, callerUid); + goto authfail; + } + if (virRun(pkcheck, &status) < 0) { VIR_ERROR(_("Cannot invoke %s"), PKCHECK_PATH); goto authfail; @@ -3841,8 +4106,10 @@ remoteDispatchAuthPolkit (struct qemud_server *server, if (status != 0) { VIR_ERROR(_("Policy kit denied action %s from pid %d, uid %d, result: %d"), action, callerPid, callerUid, status); - goto authfail; + goto authdeny; } + PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s", + client->fd, REMOTE_AUTH_POLKIT, (char *)ident); VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"), action, callerPid, callerUid); ret->complete = 1; 
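Review bot: In remoteDispatchAuthPolkit the new identity string is built with `snprintf(ident, sizeof ident, "pid:%d,uid:%d", callerPid, callerUid)`, where `callerUid` is a `uid_t` (unsigned on common platforms) printed with `%d`, and the check `rv >= sizeof ident` compares a signed `int` with `size_t`; `"pid:%d,uid:%u"` with `(unsigned) callerUid`, and `(size_t) rv >= sizeof ident` after the `rv < 0` test, keep this clean under strict warnings. The initialiser `uid_t callerUid = -1;` relies on the same unsigned conversion and is fine but deserves a short comment. The second remoteDispatchAuthPolkit implementation in the following hunks repeats the snprintf and also passes `ident` to the probes without the `(char *)` cast used here; the two copies should match. remoteDispatchAuthPolkit continues outside this hunk.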
@@ -3852,6 +4119,15 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
 return 0;
 authfail:
+ PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
+ goto error;
+
+authdeny:
+ PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+ client->fd, REMOTE_AUTH_POLKIT, (char *)ident);
+ goto error;
+
+error:
 remoteDispatchAuthError(rerr);
 virMutexUnlock(&client->lock);
 return -1;
@@ -3875,6 +4151,9 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
 PolKitResult pkresult;
 DBusError err;
 const char *action;
+ char ident[100];
+
+ memset(ident, 0, sizeof ident);
 virMutexLock(&server->lock);
 virMutexLock(&client->lock);
@@ -3895,6 +4174,12 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
 goto authfail;
 }
+ rv = snprintf(ident, sizeof ident, "pid:%d,uid:%d", callerPid, callerUid);
+ if (rv < 0 || rv >= sizeof ident) {
+ VIR_ERROR(_("Caller identity was too large %d:%d"), callerPid, callerUid);
+ goto authfail;
+ }
+
 VIR_INFO(_("Checking PID %d running as %d"), callerPid, callerUid);
 dbus_error_init(&err);
 if (!(pkcaller = polkit_caller_new_from_pid(server->sysbus,
@@ -3951,8 +4236,10 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
 VIR_ERROR(_("Policy kit denied action %s from pid %d, uid %d, result: %s"),
 action, callerPid, callerUid,
 polkit_result_to_string_representation(pkresult));
- goto authfail;
+ goto authdeny;
 }
+ PROBE(CLIENT_AUTH_ALLOW, "fd=%d, auth=%d, username=%s",
+ client->fd, REMOTE_AUTH_POLKIT, ident);
 VIR_INFO(_("Policy allowed action %s from pid %d, uid %d, result %s"),
 action, callerPid, callerUid,
 polkit_result_to_string_representation(pkresult));
@@ -3963,6 +4250,15 @@ remoteDispatchAuthPolkit (struct qemud_server *server,
 return 0;
 authfail:
+ PROBE(CLIENT_AUTH_FAIL, "fd=%d, auth=%d", client->fd, REMOTE_AUTH_POLKIT);
+ goto error;
+
+authdeny:
+ PROBE(CLIENT_AUTH_DENY, "fd=%d, auth=%d, username=%s",
+ client->fd, REMOTE_AUTH_POLKIT, ident);
+ goto error;
+
+error:
 remoteDispatchAuthError(rerr);
 virMutexUnlock(&client->lock);
 return -1;
diff --git a/daemon/remote_dispatch_args.h b/daemon/remote_dispatch_args.h
index ee9504370..9583e9c2b 100644
--- a/daemon/remote_dispatch_args.h
+++ b/daemon/remote_dispatch_args.h
@@ -165,3 +165,7 @@ remote_domain_snapshot_delete_args val_remote_domain_snapshot_delete_args;
 remote_domain_get_block_info_args val_remote_domain_get_block_info_args;
 remote_domain_create_with_flags_args val_remote_domain_create_with_flags_args;
+ remote_domain_set_memory_parameters_args val_remote_domain_set_memory_parameters_args;
+ remote_domain_get_memory_parameters_args val_remote_domain_get_memory_parameters_args;
+ remote_domain_set_vcpus_flags_args val_remote_domain_set_vcpus_flags_args;
+ remote_domain_get_vcpus_flags_args val_remote_domain_get_vcpus_flags_args;
diff --git a/daemon/remote_dispatch_prototypes.h b/daemon/remote_dispatch_prototypes.h
index cf1a0f944..6b358514d 100644
--- a/daemon/remote_dispatch_prototypes.h
+++ b/daemon/remote_dispatch_prototypes.h
@@ -258,6 +258,14 @@ static int remoteDispatchDomainGetMaxVcpus(
 remote_error *err,
 remote_domain_get_max_vcpus_args *args,
 remote_domain_get_max_vcpus_ret *ret);
+static int remoteDispatchDomainGetMemoryParameters(
+ struct qemud_server *server,
+ struct qemud_client *client,
+ virConnectPtr conn,
+ remote_message_header *hdr,
+ remote_error *err,
+ remote_domain_get_memory_parameters_args *args,
+ remote_domain_get_memory_parameters_ret *ret);
 static int remoteDispatchDomainGetOsType(
 struct qemud_server *server,
 struct qemud_client *client,
@@ -298,6 +306,14 @@ static int remoteDispatchDomainGetVcpus(
 remote_error *err,
 remote_domain_get_vcpus_args *args,
 remote_domain_get_vcpus_ret *ret);
+static int remoteDispatchDomainGetVcpusFlags(
+ struct qemud_server *server,
+ struct qemud_client *client,
+ virConnectPtr conn,
+ remote_message_header *hdr,
+ remote_error *err,
+ remote_domain_get_vcpus_flags_args *args,
+ remote_domain_get_vcpus_flags_ret *ret);
 static int remoteDispatchDomainHasCurrentSnapshot(
 struct qemud_server *server,
 struct qemud_client *client,
@@ -522,6 +538,14 @@ static int remoteDispatchDomainSetMemory(
 remote_error *err,
 remote_domain_set_memory_args *args,
 void *ret);
+static int remoteDispatchDomainSetMemoryParameters(
+ struct qemud_server *server,
+ struct qemud_client *client,
+ virConnectPtr conn,
+ remote_message_header *hdr,
+ remote_error *err,
+ remote_domain_set_memory_parameters_args *args,
+ void *ret);
 static int remoteDispatchDomainSetSchedulerParameters(
 struct qemud_server *server,
 struct qemud_client *client,
@@ -538,6 +562,14 @@ static int remoteDispatchDomainSetVcpus(
 remote_error *err,
 remote_domain_set_vcpus_args *args,
 void *ret);
+static int remoteDispatchDomainSetVcpusFlags(
+ struct qemud_server *server,
+ struct qemud_client *client,
+ virConnectPtr conn,
+ remote_message_header *hdr,
+ remote_error *err,
+ remote_domain_set_vcpus_flags_args *args,
+ void *ret);
 static int remoteDispatchDomainShutdown(
 struct qemud_server *server,
 struct qemud_client *client,
diff --git a/daemon/remote_dispatch_ret.h b/daemon/remote_dispatch_ret.h
index 75ac0b2a4..3723b003e 100644
--- a/daemon/remote_dispatch_ret.h
+++ b/daemon/remote_dispatch_ret.h
@@ -135,3 +135,5 @@ remote_domain_snapshot_current_ret val_remote_domain_snapshot_current_ret;
 remote_domain_get_block_info_ret val_remote_domain_get_block_info_ret;
 remote_domain_create_with_flags_ret val_remote_domain_create_with_flags_ret;
+ remote_domain_get_memory_parameters_ret val_remote_domain_get_memory_parameters_ret;
+ remote_domain_get_vcpus_flags_ret val_remote_domain_get_vcpus_flags_ret;
diff --git a/daemon/remote_dispatch_table.h b/daemon/remote_dispatch_table.h
index ef00edd1b..dd2adc776 100644
--- a/daemon/remote_dispatch_table.h
+++ b/daemon/remote_dispatch_table.h
@@ -987,3 +987,23 @@
 .args_filter = (xdrproc_t) xdr_remote_domain_create_with_flags_args,
 .ret_filter = (xdrproc_t) xdr_remote_domain_create_with_flags_ret,
 },
+{ /* DomainSetMemoryParameters => 197 */
+ .fn = (dispatch_fn) remoteDispatchDomainSetMemoryParameters,
+ .args_filter = (xdrproc_t) xdr_remote_domain_set_memory_parameters_args,
+ .ret_filter = (xdrproc_t) xdr_void,
+},
+{ /* DomainGetMemoryParameters => 198 */
+ .fn = (dispatch_fn) remoteDispatchDomainGetMemoryParameters,
+ .args_filter = (xdrproc_t) xdr_remote_domain_get_memory_parameters_args,
+ .ret_filter = (xdrproc_t) xdr_remote_domain_get_memory_parameters_ret,
+},
+{ /* DomainSetVcpusFlags => 199 */
+ .fn = (dispatch_fn) remoteDispatchDomainSetVcpusFlags,
+ .args_filter = (xdrproc_t) xdr_remote_domain_set_vcpus_flags_args,
+ .ret_filter = (xdrproc_t) xdr_void,
+},
+{ /* DomainGetVcpusFlags => 200 */
+ .fn = (dispatch_fn) remoteDispatchDomainGetVcpusFlags,
+ .args_filter = (xdrproc_t) xdr_remote_domain_get_vcpus_flags_args,
+ .ret_filter = (xdrproc_t) xdr_remote_domain_get_vcpus_flags_ret,
+},
diff --git a/daemon/test_libvirtd.aug b/daemon/test_libvirtd.aug
index b8da28e01..5f8b64467 100644
--- a/daemon/test_libvirtd.aug
+++ b/daemon/test_libvirtd.aug
@@ -268,6 +268,9 @@ log_outputs=\"4:stderr\"
 # Logging filters:
 log_filters=\"a\"
+
+# Auditing:
+audit_level = 2
 "
 test Libvirtd.lns get conf =
@@ -543,3 +546,6 @@ log_filters=\"a\"
 { "#empty" }
 { "#comment" = "Logging filters:" }
 { "log_filters" = "a" }
+ { "#empty" }
+ { "#comment" = "Auditing:" }
+ { "audit_level" = "2" } |