From nobody Mon Feb  9 16:33:05 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1550179786947627.7038155430104;
 Thu, 14 Feb 2019 13:29:46 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
 [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id EDC83CD660;
	Thu, 14 Feb 2019 21:29:44 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id BB6EE1019601;
	Thu, 14 Feb 2019 21:29:44 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6A8DE3F608;
	Thu, 14 Feb 2019 21:29:44 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
	[10.5.11.22])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id x1ELTLZV003066 for <libvir-list@listman.util.phx.redhat.com>;
	Thu, 14 Feb 2019 16:29:21 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id 871261019601; Thu, 14 Feb 2019 21:29:21 +0000 (UTC)
Received: from blue.redhat.com (ovpn-116-127.phx2.redhat.com [10.3.116.127])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 3E8EA1001F5E;
	Thu, 14 Feb 2019 21:29:21 +0000 (UTC)
From: Eric Blake <eblake@redhat.com>
To: libvir-list@redhat.com
Date: Thu, 14 Feb 2019 15:29:12 -0600
Message-Id: <20190214212916.25180-2-eblake@redhat.com>
In-Reply-To: <20190214212916.25180-1-eblake@redhat.com>
References: <20190214212916.25180-1-eblake@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH v2 1/5] domain: Fix unknown flags diagnosis in
	virDomainGetXMLDesc
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]);
 Thu, 14 Feb 2019 21:29:45 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"

Many drivers had a comment that they did not validate the incoming
'flags' to virDomainGetXMLDesc() because they were relying on
virDomainDefFormat() to do it instead. This used to be the case,
but regressed in commit 0ecd6851 (1.2.12), when all of the drivers
were changed to pass 'flags' through the new helper
virDomainDefFormatConvertXMLFlags(). Since this helper silently
ignores unknown flags, we need to implement flag checking in each
driver instead.

Annoyingly, this means that any new flag values added will silently
be ignored when targeting an older libvirt, rather than our usual
practice of loudly diagnosing an unsupported flag.  We'll have to
be extra vigilant that any future added flags do not cause a security
hole when sent from a newer libvirt client that expects the flag
to do one thing, but where the older server silently ignores it
instead.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
---
 src/conf/domain_conf.h     | 3 +++
 src/bhyve/bhyve_driver.c   | 2 ++
 src/conf/domain_conf.c     | 2 ++
 src/esx/esx_driver.c       | 2 +-
 src/hyperv/hyperv_driver.c | 2 +-
 src/libxl/libxl_driver.c   | 2 +-
 src/lxc/lxc_driver.c       | 2 +-
 src/openvz/openvz_driver.c | 2 +-
 src/phyp/phyp_driver.c     | 2 +-
 src/qemu/qemu_driver.c     | 3 ++-
 src/test/test_driver.c     | 2 +-
 src/vbox/vbox_common.c     | 2 +-
 src/vmware/vmware_driver.c | 2 +-
 src/vz/vz_driver.c         | 2 +-
 14 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 2bc3f879f7..324fc247b6 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -3110,6 +3110,9 @@ virDomainIOThreadIDDefPtr virDomainIOThreadIDAdd(virD=
omainDefPtr def,
                                                  unsigned int iothread_id);
 void virDomainIOThreadIDDel(virDomainDefPtr def, unsigned int iothread_id);

+# define VIR_DOMAIN_XML_COMMON_FLAGS \
+    (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_INACTIVE | \
+     VIR_DOMAIN_XML_MIGRATABLE)
 unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags);

 char *virDomainDefFormat(virDomainDefPtr def,
diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c
index 912797cfcf..3e192284cc 100644
--- a/src/bhyve/bhyve_driver.c
+++ b/src/bhyve/bhyve_driver.c
@@ -484,6 +484,8 @@ bhyveDomainGetXMLDesc(virDomainPtr domain, unsigned int=
 flags)
     virCapsPtr caps =3D NULL;
     char *ret =3D NULL;

+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);
+
     if (!(vm =3D bhyveDomObjFromDomain(domain)))
         goto cleanup;

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 5d49f4388c..37bbf211c5 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -28996,6 +28996,8 @@ virDomainDefFormatInternal(virDomainDefPtr def,
     return -1;
 }

+/* Converts VIR_DOMAIN_XML_COMMON_FLAGS into VIR_DOMAIN_DEF_FORMAT_* flags,
+ * and silently ignores any other flags.  */
 unsigned int virDomainDefFormatConvertXMLFlags(unsigned int flags)
 {
     unsigned int formatFlags =3D 0;
diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
index b1af646155..379c2bae73 100644
--- a/src/esx/esx_driver.c
+++ b/src/esx/esx_driver.c
@@ -2604,7 +2604,7 @@ esxDomainGetXMLDesc(virDomainPtr domain, unsigned int=
 flags)
     virDomainDefPtr def =3D NULL;
     char *xml =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     memset(&data, 0, sizeof(data));

diff --git a/src/hyperv/hyperv_driver.c b/src/hyperv/hyperv_driver.c
index f41cd1c939..0e2c6c55ef 100644
--- a/src/hyperv/hyperv_driver.c
+++ b/src/hyperv/hyperv_driver.c
@@ -754,7 +754,7 @@ hypervDomainGetXMLDesc(virDomainPtr domain, unsigned in=
t flags)
     Msvm_ProcessorSettingData *processorSettingData =3D NULL;
     Msvm_MemorySettingData *memorySettingData =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(def =3D virDomainDefNew()))
         goto cleanup;
diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index 7981ccaf21..31b842aeee 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -2621,7 +2621,7 @@ libxlDomainGetXMLDesc(virDomainPtr dom, unsigned int =
flags)
     virDomainDefPtr def;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(vm =3D libxlDomObjFromDomain(dom)))
         goto cleanup;
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c48f6d9067..516a6b4de3 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -987,7 +987,7 @@ static char *lxcDomainGetXMLDesc(virDomainPtr dom,
     virDomainObjPtr vm;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(vm =3D lxcDomObjFromDomain(dom)))
         goto cleanup;
diff --git a/src/openvz/openvz_driver.c b/src/openvz/openvz_driver.c
index 06950ce9ed..39eeb2c12e 100644
--- a/src/openvz/openvz_driver.c
+++ b/src/openvz/openvz_driver.c
@@ -519,7 +519,7 @@ static char *openvzDomainGetXMLDesc(virDomainPtr dom, u=
nsigned int flags) {
     virDomainObjPtr vm;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(vm =3D openvzDomObjFromDomain(driver, dom->uuid)))
         return NULL;
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index dc082b1d08..e54799dbb4 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -3214,7 +3214,7 @@ phypDomainGetXMLDesc(virDomainPtr dom, unsigned int f=
lags)
     unsigned long long memory;
     unsigned int vcpus;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     memset(&def, 0, sizeof(virDomainDef));

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 971f915619..b039675d1a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -7342,7 +7342,8 @@ static char
     virDomainObjPtr vm;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS | VIR_DOMAIN_XML_UPDATE_CPU,
+                  NULL);

     if (!(vm =3D qemuDomObjFromDomain(dom)))
         goto cleanup;
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index c1faff46ff..cde9e3d417 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -2628,7 +2628,7 @@ static char *testDomainGetXMLDesc(virDomainPtr domain=
, unsigned int flags)
     virDomainObjPtr privdom;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(privdom =3D testDomObjFromDomain(domain)))
         return NULL;
diff --git a/src/vbox/vbox_common.c b/src/vbox/vbox_common.c
index 664650f217..d95fe7c7ae 100644
--- a/src/vbox/vbox_common.c
+++ b/src/vbox/vbox_common.c
@@ -4052,7 +4052,7 @@ static char *vboxDomainGetXMLDesc(virDomainPtr dom, u=
nsigned int flags)
     if (!data->vboxObj)
         return ret;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (openSessionForMachine(data, dom->uuid, &iid, &machine) < 0)
         goto cleanup;
diff --git a/src/vmware/vmware_driver.c b/src/vmware/vmware_driver.c
index f94b3252fe..f4b0989afd 100644
--- a/src/vmware/vmware_driver.c
+++ b/src/vmware/vmware_driver.c
@@ -932,7 +932,7 @@ vmwareDomainGetXMLDesc(virDomainPtr dom, unsigned int f=
lags)
     virDomainObjPtr vm;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(vm =3D vmwareDomObjFromDomain(driver, dom->uuid)))
         return NULL;
diff --git a/src/vz/vz_driver.c b/src/vz/vz_driver.c
index b22a44d6ad..f99ade82b6 100644
--- a/src/vz/vz_driver.c
+++ b/src/vz/vz_driver.c
@@ -724,7 +724,7 @@ vzDomainGetXMLDesc(virDomainPtr domain, unsigned int fl=
ags)
     virDomainObjPtr dom;
     char *ret =3D NULL;

-    /* Flags checked by virDomainDefFormat */
+    virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS, NULL);

     if (!(dom =3D vzDomObjFromDomain(domain)))
         return NULL;
--=20
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list