This patch adds the posibility to filter out certain devices from redirecion.
To use this pass the filter property to -device usb-redir. The filter
property takes a string consisting of filter rules, the format for a rule is:
<class>:<vendor>:<product>:<version>:<allow>
-1 can be used to allow any value for a field.
Muliple rules can be concatonated using | as a separator. Note that if
a device matches none of the passed in rules, redirecting it will not be
allowed!
Example:
-device usb-redir,filter='-1:0x0781:0x5567👎0|0x08👎-1👎1'
This example will deny the Sandisk Cruzer Blade being redirected, as it
has a usb id of 0781:5567, it will allow any other usb mass storage devices,
and it will deny any other devices (the default for devices not matching any
of the rules.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The most common use of -net tap is to connect a tap device to a bridge. This
requires the use of a script and running qemu as root in order to allocate a
tap device to pass to the script.
This model is great for portability and flexibility but it's incredibly
difficult to eliminate the need to run qemu as root. The only really viable
mechanism is to use tunctl to create a tap device, attach it to a bridge as
root, and then hand that tap device to qemu. The problem with this mechanism
is that it requires administrator intervention whenever a user wants to create
a guest.
By essentially writing a helper that implements the most common qemu-ifup
script that can be safely given cap_net_admin, we can dramatically simplify
things for non-privileged users. We still support existing -net tap options
as a mechanism for advanced users and backwards compatibility.
Currently, this is very Linux centric but there's really no reason why it
couldn't be extended for other Unixes.
A typical invocation would be similar to one of the following:
qemu linux.img -net bridge -net nic,model=virtio
qemu linux.img -net tap,helper="/usr/local/libexec/qemu-bridge-helper"
-net nic,model=virtio
qemu linux.img -netdev bridge,id=hn0
-device virtio-net-pci,netdev=hn0,id=nic1
qemu linux.img -netdev tap,helper="/usr/local/libexec/qemu-bridge-helper",id=hn0
-device virtio-net-pci,netdev=hn0,id=nic1
The default bridge that we attach to is br0. The thinking is that a distro
could preconfigure such an interface to allow out-of-the-box bridged networking.
Alternatively, if a user wants to use a different bridge, a typical invocation
would be simliar to one of the following:
qemu linux.img -net bridge,br=qemubr0 -net nic,model=virtio
qemu linux.img -net tap,helper="/usr/local/libexec/qemu-bridge-helper --br=qemubr0"
-net nic,model=virtio
qemu linux.img -netdev bridge,br=qemubr0,id=hn0
-device virtio-net-pci,netdev=hn0,id=nic1
qemu linux.img -netdev tap,helper="/usr/local/libexec/qemu-bridge-helper --br=qemubr0",id=hn0
-device virtio-net-pci,netdev=hn0,id=nic1
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
The ideal way to use qemu-bridge-helper is to give it an fscap of using:
setcap cap_net_admin=ep qemu-bridge-helper
Unfortunately, most distros still do not have a mechanism to package files
with fscaps applied. This means they'll have to SUID the qemu-bridge-helper
binary.
To improve security, use libcap to reduce our capability set to just
cap_net_admin, then reduce privileges down to the calling user. This is
hopefully close to equivalent to fscap support from a security perspective.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This patch adds a helper that can be used to create a tap device attached to
a bridge device. Since this helper is minimal in what it does, it can be
given CAP_NET_ADMIN which allows qemu to avoid running as root while still
satisfying the majority of what users tend to want to do with tap devices.
The way this all works is that qemu launches this helper passing a bridge
name and the name of an inherited file descriptor. The descriptor is one
end of a socketpair() of domain sockets. This domain socket is used to
transmit a file descriptor of the opened tap device from the helper to qemu.
The helper can then exit and let qemu use the tap device.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Current './configure --static && make' fails for me:
LINK qemu-nbd
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lssl3
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lsmime3
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lnssutil3
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lnss3
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lplds4
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lplc4
/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lnspr4
My system does not provide static libraries for nss, so
fix autoconfiguration by link checking.
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
CC: qemu-trivial <qemu-trivial@nongnu.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Added wrapper around pkg-config to allow:
- safe options injection via ${QEMU_PKG_CONFIG_FLAGS}
- spaces in path to pkg-config
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
CC: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This class provides the main building block for QEMU Object Model and is
extensively documented in the header file. It is largely inspired by GObject.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
v1 -> v2
- remove printf() in type registration
- fix typo in comment (Paolo)
- make Interface private
- move object into a new directory and move header into include/qemu/
- don't make object.h depend on qemu-common.h
- remove Type and replace it with TypeImpl * (Paolo)
- use hash table to store types (Paolo)
- aggressively cache parent type (Paolo)
- make a type_register and use it with interfaces (Paolo)
- fix interface cast comment (Paolo)
- add a few more functions required in later series
More KVM-specific devices will come, so let's start with moving the
kvmclock into a dedicated folder.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reversing the order of the warning options and -Werror is important
when clang is used instead of gcc. It changes nothing for gcc.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
* stefanha/trivial-patches:
qemu-nbd: drop loop which can never loop
Make python mandatory
net/socket.c: Fix fd leak in net_socket_listen_init() error paths
gdbstub: Fix fd leak in gdbserver_open() error path
configure: Fix test for supported host CPU type
configure: CONFIG_QEMU_INTERP_PREFIX only for user mode
scsi virtio-blk usb-msd: Clean up device init error messages
Strip trailing '\n' from error_report()'s first argument (again)
qemu-options.hx: fix tls-channel help text
The QEMU build depends on Python so make it an explicit requirement.
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Sebastian Herbszt <herbszt@gmx.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
The test for whether the host CPU is supported had several problems:
* the attempt to fall back to TCI was done as a duplicate
test, very late (so "--cpu foo" would fail early but "--cpu unicore32"
would fail late, differently, and after configure had already
printed a lot of output)
* a number of CPUs only supported as guests were included in the
list of CPUs we would accept as valid hosts, which would result
in a late compile failure on those systems rather than a
configure failure or fallback to TCI
* bailing out for an unsupported CPU happened before the main
option parsing, so "configure --help" wouldn't work
Fix these by folding the setting of ARCH into the first test for
supported host CPU, removing spurious guest-only CPU names from it,
and moving the "fall back to TCI" code earlier.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Provide root privilege access to QEMU 9p proxy filesystem using socket
communication.
Proxy helper is started by root user as:
~ # virtfs-proxy-helper -f|--fd <socket descriptor> -p|--path <path-to-share>
Signed-off-by: M. Mohan Kumar <mohan@in.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
With this patch, it only takes one test (instead of four)
to detect that there is no Xen support at all.
For most build hosts, this will reduce the time configure needs.
It will also reduce noisy output in config.log.
Build hosts with Xen now need up to five (instead of up to four)
tests. They get improved diagnostics when Xen support fails.
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
warning: ‘fd’ is used uninitialized in this function
warning: ‘id’ is used uninitialized in this function
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
warning: "_GNU_SOURCE" redefined
The macro is already defined on the command line.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
warning: null argument where non-null required (argument 1)
warning: null argument where non-null required (argument 3)
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
warning: return makes integer from pointer without a cast
v2: Removed type cast.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
warning: function declaration isn’t a prototype
In function ‘foo’:
warning: old-style function definition
The function name was changed, too, to avoid an additional warning.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Fix several "warning: control reaches end of non-void function".
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Since commit 1d14ffa97e (in 2005),
QEMU applications on W32 don't use the default SDL compiler flags:
Instead of a GUI application, a console application is created.
This has disadvantages (there is always an empty console window) and
no obvious reason, so this patch removes the strange flag modification.
The SDL GUI applications still can be run from a console window
and even send stdout and stderr to that console by setting environment
variable SDL_STDIO_REDIRECT=no.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Enable build by default PIE / read-only relocation sections for the QEMU
binaries on OpenBSD amd64/i386.
Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
test-coroutine is listed as a libcheck test in the 'checks' variable. This
is not right because 'make check' won't run test-coroutine if libcheck
tests are not enabled (either because libcheck isn't detected or because
--disable-check-utests is passed).
Tests using the glib test framework are independent from libcheck and
afaik are always present (although having a configure switch to disable
them is probably worth it).
Untangle test-coroutine from the libcheck tests by introducing the
'test_progs' variable and using it to generate the test list used by
'make check'.
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Pull the creation of the linux-headers/asm symlink out of the loop
so we don't pointlessly delete and recreate it once for each target.
Also move the setting of the includes variable up so that it is
in the same place as the other code which sets this variable.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Print a banner comment at the top of config.log identifying
when configure was run and the arguments used. This is occasionally
useful for debugging purposes.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Include the name of the #define being tested for in the compiler
error produced when a check_define test is run and fails. This
appears only in the config.log, but it does make it a little easier
to debug problems by inspecting config.log.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Drop the distinction between armv4l/armv4b in the $cpu variable
(ie host cpu type) in favour of calling everything 'arm'. This
makes it the same as the ARCH setting and removes some special
casing. The only thing we were using the distinction for was to
decide which endianness to use in cross compilation; do a cpp
define check there instead.
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
--*dir) option pattern precede --{en,dis}able-usb-redir) patterns in the
option analysis switch, making the latter options have no effect.
There were some --*dir that are supported by Autoconf and not by QEMU configure.
The aim was to let QEMU packagers use the rpm (or similar) macro that overrides
directories for their distribution.
Replace --*dir with exact option names.
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Some toolchains don't support pie properly when tls variables are
in use. Disallow pie when such toolchains are detected.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Add check for the EFD_NONBLOCK and EFD_CLOEXEC flags to the
CONFIG_EVENTFD test.
This fixes the following build failure on Fedora 9:
CC event_notifier.o
event_notifier.c: In function `event_notifier_init':
event_notifier.c:21: error: `EFD_NONBLOCK' undeclared (first use in this function)
event_notifier.c:21: error: (Each undeclared identifier is reported only once
event_notifier.c:21: error: for each function it appears in.)
event_notifier.c:21: error: `EFD_CLOEXEC' undeclared (first use in this function)
make: *** [event_notifier.o] Error 1
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Change the default on x86 Linux hosts to building PIE (position
independent executables); instead of restricting the option to
user-only targets, apply it to all targets.
In addition, set the relocation sections to read-only (relro) when
available; this reduces the attack surface by disallowing changes to
relocation tables at runtime.
While PIE reduces performance and relro increases load time, it
greatly improves security, with the potential to reduce a code
execution vulnerability to a self denial of service.
Non-x86 are not changed, as they require TCG changes; neither are
non-Linux, due to lack of test coverage.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
'sed -i' is not defined in POSIX. It doesn't work on Mac OS X the way
it's used in configure (without suffix argument). This patch implements
Peter Maydell's idea of xattr.h detection.
Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
