Many drivers had a comment that they did not validate the incoming
'flags' to virDomainGetXMLDesc() because they were relying on
virDomainDefFormat() to do it instead. This used to be the case
(at least since
461e0f1a and friends in 0.9.4 added unknown flag
checking in general), but regressed in commit
0ecd6851 (1.2.12),
when all of the drivers were changed to pass 'flags' through the
new helper virDomainDefFormatConvertXMLFlags(). Since this helper
silently ignores unknown flags, we need to implement flag checking
in each driver instead.
Annoyingly, this means that any new flag values added will silently
be ignored when targeting an older libvirt, rather than our usual
practice of loudly diagnosing an unsupported flag. Add comments
in domain_conf.[ch] to remind us to be extra vigilant about the
impact when adding flags (a new flag to add data is safe if the
older server omitting the requested data doesn't break things in
the newer client; a new flag to suppress data rather than enhancing
the existing VIR_DOMAIN_XML_SECURE may form a data leak or even a
security hole).
In the qemu driver, there are multiple callers all funnelling to
qemuDomainDefFormatBufInternal(); many of them already validated
flags (and often only a subset of the full set of possible flags),
but for ease of maintenance, we can also check flags at the common
helper function.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
virCapsPtr caps = NULL;
char *ret = NULL;
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
+
if (!(vm = bhyveDomObjFromDomain(domain)))
goto cleanup;
return -1;
}
+/* Converts VIR_DOMAIN_XML_COMMON_FLAGS into VIR_DOMAIN_DEF_FORMAT_*
+ * flags, and silently ignores any other flags. Note that the caller
+ * should validate the set of flags it is willing to accept; see also
+ * the comment on VIR_DOMAIN_XML_COMMON_FLAGS about security
+ * considerations with adding new flags. */
unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags)
{
unsigned int formatFlags = 0;
unsigned int iothread_id);
void virDomainIOThreadIDDel(virDomainDefPtr def, unsigned int iothread_id);
+/* When extending this list, remember that libvirt 1.2.12-5.0.0 had a
+ * bug that silently ignored unknown flags. A new flag to add
+ * information is okay as long as clients still work when an older
+ * server omits the requested output, but a new flag to suppress
+ * information could result in a security hole when older libvirt
+ * supplies the sensitive information in spite of the flag. */
+# define VIR_DOMAIN_XML_COMMON_FLAGS \
+ (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_INACTIVE | \
+ VIR_DOMAIN_XML_MIGRATABLE)
unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags);
char *virDomainDefFormat(virDomainDefPtr def,
virDomainDefPtr def = NULL;
char *xml = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
memset(&data, 0, sizeof(data));
Msvm_ProcessorSettingData *processorSettingData = NULL;
Msvm_MemorySettingData *memorySettingData = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(def = virDomainDefNew()))
goto cleanup;
virDomainDefPtr def;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = libxlDomObjFromDomain(dom)))
goto cleanup;
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = lxcDomObjFromDomain(dom)))
goto cleanup;
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = openvzDomObjFromDomain(driver, dom->uuid)))
return NULL;
unsigned long long memory;
unsigned int vcpus;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
memset(&def, 0, sizeof(virDomainDef));
virCapsPtr caps = NULL;
virQEMUCapsPtr qemuCaps = NULL;
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS | VIR_DOMAIN_XML_UPDATE_CPU, -1);
+
if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
goto cleanup;
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS | VIR_DOMAIN_XML_UPDATE_CPU,
+ NULL);
if (!(vm = qemuDomObjFromDomain(dom)))
goto cleanup;
virDomainObjPtr privdom;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(privdom = testDomObjFromDomain(domain)))
return NULL;
if (!data->vboxObj)
return ret;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (openSessionForMachine(data, dom->uuid, &iid, &machine) < 0)
goto cleanup;
virDomainObjPtr vm;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(vm = vmwareDomObjFromDomain(driver, dom->uuid)))
return NULL;
virDomainObjPtr dom;
char *ret = NULL;
- /* Flags checked by virDomainDefFormat */
+ virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
if (!(dom = vzDomObjFromDomain(domain)))
return NULL;
projects / libvirt.git / commitdiff