aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2010-06-22virtio-9p: Implement Security model for mksock using mknod.Venkateswararao Jujjuri (JV)3-47/+2
This patch uses mknod to create socket. On Host/Fileserver: -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:57 asocket1 On Guest/Client: srwxr-xr-x 1 guestuser guestuser 0 2010-05-11 12:57 asocket1 Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Implement Security model for mknodVenkateswararao Jujjuri (JV)3-7/+43
Mapped mode stores extended attributes in the user space of the extended attributes. Given that the user space extended attributes are available to regular files only, special files are created as regular files on the fileserver and appropriate mode bits are added to the extended attributes. This method presents all special files and symlinks as regular files on the fileserver while they are represented as special files on the guest mount. On Host/Fileserver: -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:36 afifo -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:32 blkdev -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:33 chardev On Guest/Client: prw-r--r-- 1 guestuser guestuser 0 2010-05-11 12:36 afifo brw-r--r-- 1 guestuser guestuser 0, 0 2010-05-11 12:32 blkdev crw-r--r-- 1 guestuser guestuser 4, 5 2010-05-11 12:33 chardev In the passthrough securit model, specifal files are directly created on the fileserver. But the user credential Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Security model for symlink and readlinkVenkateswararao Jujjuri (JV)3-11/+79
Mapped mode stores extended attributes in the user space of the extended attributes. Given that the user space extended attributes are available to regular files only, special files are created as regular files on the fileserver and appropriate mode bits are added to the extended attributes. This method presents all special files and symlinks as regular files on the fileserver while they are represented as special files on the guest mount. Implemntation of symlink in mapped security model: A regular file is created and the link target is written to it. readlink() reads it back from the file. On Guest/Client: lrwxrwxrwx 1 root root 6 2010-05-11 12:20 asymlink -> afile On Host/Fileserver: -rw-------. 1 root root 6 2010-05-11 09:20 asymlink afile Under passthrough model, it just calls underlying symlink() readlink() system calls are used. Under both security models, client user credentials are changed after the filesystem objec creation. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Security model for mkdirVenkateswararao Jujjuri (JV)3-6/+43
Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Security model for create/open2Venkateswararao Jujjuri (JV)3-8/+61
In the mapped security model, VirtFS server intercepts and maps the file object create and get/set attribute requests. Files on the fileserver will be created with VirtFS servers (QEMU) user credentials and the client-users credentials are stored in extended attributes. On the request to get attributes, server extracts the client-users credentials from extended attributes and sends them to the client. On Host/Fileserver: -rw-------. 2 virfsuid virtfsgid 0 2010-05-11 09:19 afile On Guest/Client: -rw-r--r-- 2 guestuser guestuser 0 2010-05-11 12:19 afile Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Implemented Security model for lstat and fstatVenkateswararao Jujjuri (JV)1-4/+58
Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Security model for chownVenkateswararao Jujjuri (JV)3-5/+15
mapped model changes the owner in the extended attributes. passthrough model does the change through lchown() as the server don't need to follow the link and client will send the actual filesystem object. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Security model for chmodVenkateswararao Jujjuri (JV)3-6/+12
Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Make infrastructure for the new security model.Venkateswararao Jujjuri (JV)8-52/+113
This patch adds required infrastructure for the new security model. - A new configure option for attr/xattr. - if CONFIG_VIRTFS will be defined if both CONFIG_LINUX and CONFIG_ATTR defined. - Defines routines related to both security models. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Introduces an option to specify the security model.Venkateswararao Jujjuri (JV)6-8/+50
The new option is: -fsdev fstype,id=myid,path=/share_path/,security_model=[mapped|passthrough] -virtfs fstype,path=/share_path/,security_model=[mapped|passthrough],mnt_tag=tag In the case of mapped security model, files are created with QEMU user credentials and the client-user's credentials are saved in extended attributes. Whereas in the case of passthrough security model, files on the filesystem are directly created with client-user's credentials. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22virtio-9p: Rearrange fileop structuresVenkateswararao Jujjuri (JV)2-139/+138
This patch rearranges the fileop structures by moving the structure definitions from virtio-9p.c to virtio-9p.h file. No functional changes. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22Flush the debug message out to the log file.Venkateswararao Jujjuri (JV)1-0/+2
This patch fluesh the debug messages to the log file at the end of each debug message. Changes from V1: Used fflush instead fseek for the flush. Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22give some useful error messages when tap openMichael Tokarev1-3/+5
In net/tap-linux.c, when manipulation of /dev/net/tun fails, it prints (with fprintf) something like this: warning: could not open /dev/net/tun: no virtual network emulation this has 2 issues: 1) it is not a warning really, it's a fatal error (kvm exits after that), 2) there's no indication as of what's actually wrong: printing errno there is helpful. The patch below removes the "warning" prefix, uses %m (since it's linux, %m is available as format modifier), and changes fprintf() to %qemu_error(). Now it prints something like this instead: could not configure /dev/net/tun: Device or resource busy (there are 2 messages like that in the same function) This fixes Debian bug #578154, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578154 Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22Extra scan codes for missing keysBernhard M. Wiedemann1-1/+6
The code comes from http://lists.gnu.org/archive/html/qemu-devel/2010-05/msg02788.html Without this patch it is not possible to send at least 10 special characters (\|'"`~:;[]{}) via the monitor sendkey command. Signed-off-by: Bernhard M. Wiedemann <qemudevbmw@lsmod.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-06-22qcow2: Don't try to check tables that couldn't be loadedKevin Wolf1-0/+1
Trying to check them leads to a second error message which is more confusing than helpful: Can't get refcount for cluster 0: Invalid argument ERROR cluster 0 refcount=-22 reference=1 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22qcow2: Fix qemu-img check segfault on corrupted imagesKevin Wolf1-3/+11
With corrupted images, we can easily get an cluster index that exceeds the array size of the temporary refcount table. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22virtio-blk: fix the list operation in virtio_blk_load().Yoshiaki Tamura1-1/+1
Although it is really rare to get in to the while loop, the list operation in the loop is obviously wrong. Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22qemu-io: check registered fds in command_loop()MORITA Kazutaka1-3/+30
Some block drivers use an aio handler and do I/O completion routines in it. However, the handler is not invoked if we only do aio_read/write, because registered fds are not checked at all. This patch registers an aio handler of STDIO to checks whether we can read a command without blocking, and calls qemu_aio_wait() in command_loop(). Any other handlers can be invoked when user input is idle. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22vpc: Use bdrv_(p)write_sync for metadata writesKevin Wolf1-4/+5
Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22vmdk: Use bdrv_(p)write_sync for metadata writesKevin Wolf1-5/+5
Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22qcow2: Use bdrv_(p)write_sync for metadata writesKevin Wolf4-41/+40
Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22qcow: Use bdrv_(p)write_sync for metadata writesKevin Wolf1-8/+10
Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22cow: Use bdrv_(p)write_sync for metadata writesKevin Wolf1-9/+11
Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash. While at it, correct the wrong usage of errno. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22block: Add bdrv_(p)write_syncKevin Wolf2-0/+41
Add new functions that write and flush the written data to disk immediately. This is what needs to be used for image format metadata to maintain integrity for cache=... modes that don't use O_DSYNC. (Actually, we only need barriers, and therefore the functions are defined as such, but flushes is what is implemented in this patch - we can try to change that later) Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22monitor: allow device to be ejected if no disk is insertedEduardo Habkost1-12/+10
This changes the monitor eject_device() function to not check for bdrv_is_inserted(). Example run where the bug manifests itself: (output of 'info block' is stripped to include only the CD-ROM device) (qemu) info block ide1-cd0: type=cdrom removable=1 locked=0 [not inserted] (qemu) change ide1-cd0 /dev/cdrom host_cdrom (qemu) info block ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0 (qemu) eject ide1-cd0 (qemu) info block ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0 # at this point, a disk was inserted on the host CD-ROM drive (qemu) info block ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0 (qemu) eject ide1-cd0 (qemu) info block ide1-cd0: type=cdrom removable=1 locked=0 [not inserted] (qemu) The first eject command didn't work because the is_inserted() check failed. I have no clue why the code had the is_inserted() check, as it doesn't matter if there is a disk present at the host drive, when the user wants the virtual device to be disconnected from the host device. The is_inserted() check has another side effect: a memory leak if the "change" command is used multiple times, as do_change() calls eject_device() before re-opening the block device, but bdrv_close() is never called. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22block: fix physical_block_size calculationChristoph Hellwig1-1/+3
Both SCSI and virtio expect the physical block size relative to the logical block size. So get the factor first before calculating the log2. Reported-by: Mike Cao <bcao@redhat.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22scsi-bus: Add MAINTENANCE_IN and MAINTENANCE_OUT SCSIRequest xfer and mode ↵Nicholas Bellinger2-0/+12
assignments This patch updates hw/scsi-bus.c to add MAINTENANCE_IN and MAINTENANCE_OUT case in scsi_req_length() for TYPE_ROM with MMC commands. It also adds the MAINTENANCE_OUT case in scsi_req_xfer_mode() to set SCSI_XFER_TO_DEV for outgoing write data. Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-22scsi-bus: Add PERSISTENT_RESERVE_OUT SCSIRequest->cmd.mode setupNicholas Bellinger1-0/+1
This patch updates hw/scsi-bus.c to add the PERSISTENT_RESERVE_OUT cdb case in scsi_req_xfer_mode() to set SCSI_XFER_TO_DEV for outgoing WRITE data. Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-20Update OpenBIOS imagesBlue Swirl4-1/+1
Update PPC, Sparc32 and Sparc64 OpenBIOS images to R795. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19apic: qdev conversion cleanupBlue Swirl5-63/+82
Make APICState completely private to apic.c by using DeviceState in external APIs. Move apic_init() to pc.c. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19apic: convert to qdevBlue Swirl2-29/+61
Convert to qdev. Use an opaque CPUState pointer because of missing VMState implementation for CPUState. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19apic: avoid using CPUState internalsBlue Swirl5-39/+77
Move the actual CPUState contents handling to cpu.h and cpuid.c. Handle CPU reset and set env->halted in pc.c. Add a function to get the local APIC state of the current CPU for the MMIO. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19apic: avoid passing CPUState from CPU codeBlue Swirl5-42/+36
Pass only APICState when accessing APIC from CPU code. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19apic: avoid passing CPUState from devicesBlue Swirl3-25/+25
Pass only APICState from pc.c. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-19ioapic: convert to qdevBlue Swirl4-19/+51
Convert to qdev. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-17ioapic: unexport ioapic_set_irqBlue Swirl2-2/+1
There's no need to use ioapic_set_irq() outside of ioapic.c, so make it static. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-06-16Usermode exec-stack fixPaul Brook4-0/+14
When loading a shared library that requires an executable stack, glibc uses the mprotext PROT_GROWSDOWN flag to achieve this. We don't support PROT_GROWSDOWN. Add a special case to handle changing the stack permissions in this way. Signed-off-by: Paul Brook <paul@codesourcery.com>
2010-06-16Strace mprotect flags.Paul Brook2-0/+9
Teach strace code about linux specific mprotect flags. Signed-off-by: Paul Brook <paul@codesourcery.com>
2010-06-16GDB exit status for semihostingPaul Brook4-15/+23
Report exit status to GDB when a semihosted application exits. Signed-off-by: Paul Brook <paul@codesourcery.com>
2010-06-16cris: Move sign extension.Edgar E. Iglesias1-13/+13
Move it in preparation for further changes. No functional change. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@axis.com>
2010-06-16cris: Centralize fetchingEdgar E. Iglesias1-22/+44
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
2010-06-16cris: Make the CRISv32 insn decoders return signed int.Edgar E. Iglesias1-86/+86
Prepare to return error from the individual decoders. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@axis.com>
2010-06-16tcg: Optionally sign-extend 32-bit arguments for 64-bit hosts.Richard Henderson8-36/+193
Some hosts (amd64, ia64) have an ABI that ignores the high bits of the 64-bit register when passing 32-bit arguments. Others require the value to be properly sign-extended for the type. I.e. "int32_t" must be sign-extended and "uint32_t" must be zero-extended to 64-bits. To effect this, extend the "sizemask" parameter to tcg_gen_callN to include the signedness of the type of each parameter. If the tcg target requires it, extend each 32-bit argument into a 64-bit temp and pass that to the function call. This ABI feature is required by sparc64, ppc64 and s390x. Signed-off-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2010-06-16Fix comparison which always returned falseStefan Weil1-2/+4
Comparing an 8 bit value with ~0 does not work as expected. Replace ~0 by UINT8_MAX in comparison and also in assignment (and fix coding style, too). Cc: Gleb Natapov <gleb@redhat.com> Cc: Anthony Liguori <aliguori@us.ibm.com> Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: malc <av1474@comtv.ru>
2010-06-15xen: Fix build error due to missing includeJan Kiszka1-0/+1
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-15block: fix a warning and possible truncationBlue Swirl1-1/+2
Fix a warning from OpenBSD gcc (3.3.5 (propolice)): /src/qemu/block.c: In function `bdrv_info_stats_bs': /src/qemu/block.c:1548: warning: long long int format, long unsigned int arg (arg 6) There may be also truncation effects. Signed-off-by: Blue Swirl <blauwirbel@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-15Correct definitions for FD_CMD_SAVE and FD_CMD_RESTOREJes Sorensen1-2/+2
Correct definitions for FD_CMD_SAVE and FD_CMD_RESTORE in hw/fdc.c Per https://bugs.launchpad.net/qemu/+bug/424453 the correct values for FD_CMD_SAVE is 0x2e and FD_CMD_RESTORE is 0x4e. Verified against the Intel 82078 manual which can be found at: http://wiki.qemu.org/Documentation/HardwareManuals page 22. Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-15blockdev: Give drives internal linkageMarkus Armbruster2-3/+1
This is the list of drives defined with drive_init(). Hide it, so it doesn't get abused. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-15block: Decouple savevm from DriveInfoMarkus Armbruster1-22/+18
We find snapshots by iterating over the list of drives defined with drive_init(). This misses host block devices defined by other means. Such means don't exist now, but will be introduced later in this series. Iterate over all host block devices instead, with bdrv_next(). Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-06-15block: New bdrv_next()Markus Armbruster2-0/+9
This is a more flexible alternative to bdrv_iterate(). Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>