Augeas 0.10 depends on libxml2, so this is now required in the
appliance (in fact, it was already present).
However this exposed two bugs:
(1) In libguestfs we use a home-brewed recipe for Augeas flags,
resulting in this error:
/usr/include/augeas.h:24:25: fatal error: libxml/tree.h: No such file or directory
(2) Augeas's own augeas.pc didn't include the libxml2 flags, so
it was broken. This requires a patch to Augeas 0.10, see:
https://www.redhat.com/archives/augeas-devel/2011-December/msg00008.html
Change to using pkg-config to detect Augeas. It is still an optional
library.
Cherry picked from commit 615924abaa and
rebased for old libguestfs branches that had separate
daemon/configure.ac.
CVE-2011-4127 is a serious qemu & kernel privilege escalation bug
found by Paolo Bonzini.
http://seclists.org/oss-sec/2011/q4/536
An untrusted guest kernel is able to issue special SG_IO ioctls on
virtio devices which qemu passes through to the host kernel without
filtering or sanitizing. These ioctls allow raw sectors from the
underlying host device to be read and written. Significantly, neither
qemu nor the host kernel checks that the range of sectors is within
the partition / LV assigned to the guest. For example, if the guest
is assigned host partition /dev/sda3, it would be able to read or
write any part of /dev/sda including other partitions and the boot
sector. Exploits through LVs passed to the guest are also possible,
with some limitations. File-backed virtual block devices are not
vulnerable. Non-virtio block devices are not vulnerable.
This patch mitigates the problem by disabling the SG_IO ioctl
passthrough in qemu. Thus if libguestfs is examining an untrusted
guest and the libguestfs appliance/daemon is compromised (eg. by
executing guest commands, or through some other compromise), then the
compromised appliance will not be able to issue the above SG_IO ioctls
and exploit the host.
Note that this is just mitigation for libguestfs. Users will still
want to fully update their host kernel, qemu/KVM and libvirt, in order
to prevent other (non-libguestfs) routes to compromise.
The following versions of libguestfs (will/have) this patch applied.
libguestfs >= 1.15.13
libguestfs >= 1.14.8
libguestfs >= 1.12.11
libguestfs >= 1.10.12
libguestfs >= 1.8.16
Earlier versions may be vulnerable unless a downstream packager has
applied this patch.
Cc: Hilko Bengen <bengen@hilluzination.de>
(cherry picked from commit 9a5f784d51)
Although this doesn't matter for the ordinary (appliance) case, it
matters for the libguestfs live case. In that case it could cause the
guest to be exploited by a tmp/symlink attack.
(cherry picked from commit 6011b1f803)
Also add this option, if necessary, when testing for virtio-serial
support.
When the workaround is enabled, we specify machine type 'pc'.
(cherry picked from commit 3814680423)
This also improves the documentation for this call, pointing out
several pitfalls in using it.
This unfortunately breaks existing callers that might use
guestfs_grub_install without checking for this new group.
(cherry picked from commit 99624d2922)
The guestfs_ll command currently lists files in the appliance if you
prefix filenames with "/..". However this is a bug, not a feature,
and we should not be testing it.
(cherry picked from commit 8ab2b85b2a)
We partitioned the disk, and then tried to create a PV on the whole
disk. LVM gave the error:
Device /dev/vda not found (or ignored by filtering).
It is unclear how this bug persisted for so long. It might be due to
a change in LVM.
(cherry picked from commit 4fb3b23fb6)
errno is pretty much random on the error path back from guestfs_launch
so there is nothing useful to be gained by checking it.
We could do with a better way to detect if appliance launch failed.
(cherry picked from commit 00fef9eed6)
Intended use in Fedora and RHEL is to encode the release
string, eg.
./configure [...] --with-extra="-%{release}"
(cherry picked from commit a4db75521d)
There is another case where downloads of small files could fail if the
library side (writer) fails. In this case the library would send back
a cancellation, but it would be received after the daemon had finished
sending the whole file (because the file is small enough). The daemon
would reenter the main loop and immediately get an unexpected cancel
message, causing the daemon to die.
This commit also makes test-cancellation-download-librarycancels.sh
more robust. We use Monte-Carlo testing with a range of file sizes.
Small file sizes should trigger the error case.
(cherry picked from commit e4cba8f2b1)
The default event handler in libguestfs was simply writing all debug
output directly to stderr. However if the output contains
non-printable characters such as terminal control codes then these
would also be sent directly.
With newer SeaBIOS there is a lame attempt to implement a splash
screen using terminal control codes, thus when libguestfs tries to
display debugging output it would cause the screen to clear and debug
output to be lost.
This commit causes all non-printing characters to be escaped.
(\n and \r characters from the appliance are treated somewhat
specially).
Furthermore, instead of using write(2), use buffered stderr calls.
(cherry picked from commit 06019bc82e)
Previously any disk that had /autoexec.bat or /boot.ini or /ntldr
would be picked up as a candidate for a Windows root disk. If further
checking could not find any systemroot (eg. /windows) then this would
result in complete failure of inspection.
In particular, this got confused by Hp_recovery partitions which have
/autoexec.bat, but don't have a systemroot in one of the usual places
(they have /MiniNT instead).
What we do now is to properly investigate all possible systemroot
places before deciding this is a Windows systemroot, so the subsequent
failure cannot occur.
(Thanks to lorimar for reporting this bug).
Cherry picked from commit 2c57305f72
and backported to stable-1.10 branch.
This avoids conflicts with the globally installed libguestfs
appliance, or lets us build in multiple local directories at the same
time without conflicts.
Cherry picked from commit f7d18c84dd
and backported to stable-1.10 branch.
Calls to these functions are generated, so there is no need to declare
the functions by hand.
Cherry picked from commit 3064277680
and backported to stable-1.10 branch.
