From 9292a4637e8f4d534f4dde70e8e5451f61ad0162 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Tue, 19 Jan 2021 14:22:33 +0000

Subject: [PATCH] Update common/ submodule to latest upstream.

Only for RHEL AV 8.4.0, allowing this branch to be compiled

from git with libguestfs 1.44.

---

 common | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

Submodule common 9338df5e...be09523d:

diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml

index 44995df6..5ecf7bd7 100644

--- a/common/mlcustomize/SELinux_relabel.ml

+++ b/common/mlcustomize/SELinux_relabel.ml

@@ -28,65 +28,80 @@ module G = Guestfs

 let array_find a l =

   List.mem a (Array.to_list l)

-let relabel (g : G.guestfs) =

-  (* Is the guest using SELinux? *)

-  if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" &&

-     g#is_file ~followsymlinks:true "/etc/selinux/config" then (

-    (* Is setfiles / SELinux relabelling functionality available? *)

-    if g#feature_available [| "selinuxrelabel" |] then (

-      (* Use Augeas to parse /etc/selinux/config. *)

-      g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);

-      (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)

-      ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");

-      g#aug_load ();

-      debug_augeas_errors g;

-

-      (* Get the SELinux policy name, eg. "targeted", "minimum".

-       * Use "targeted" if not specified, just like libselinux does.

-       *)

-      let policy =

-        let config_path = "/files/etc/selinux/config" in

-        let selinuxtype_path = config_path ^ "/SELINUXTYPE" in

-        let keys = g#aug_ls config_path in

-        if array_find selinuxtype_path keys then

-          g#aug_get selinuxtype_path

-        else

-          "targeted" in

-

-      g#aug_close ();

-

-      (* Get the spec file name. *)

-      let specfile =

-        sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in

-

-      (* RHEL 6.2 - 6.5 had a malformed specfile that contained the

-       * invalid regular expression "/var/run/spice-vdagentd.\pid"

-       * (instead of "\.p").  This stops setfiles from working on

-       * the guest.

-       *

-       * Because an SELinux relabel writes all over the filesystem,

-       * it seems reasonable to fix this problem in the specfile

-       * at the same time.  (RHBZ#1374232)

-       *)

-      if g#grep ~fixed:true "vdagentd.\\pid" specfile <> [||] then (

-        debug "fixing invalid regular expression in %s" specfile;

-        let old_specfile = specfile ^ "~" in

-        g#mv specfile old_specfile;

-        let content = g#read_file old_specfile in

-        let content =

-          String.replace content "vdagentd.\\pid" "vdagentd\\.pid" in

-        g#write specfile content;

-        g#copy_attributes ~all:true old_specfile specfile

-      );

-

-      (* Relabel everything. *)

-      g#selinux_relabel ~force:true specfile "/";

-

-      (* If that worked, we don't need to autorelabel. *)

+let rec relabel (g : G.guestfs) =

+  (* Is the guest using SELinux?  (Otherwise this is a no-op). *)

+  if is_selinux_guest g then (

+    try

+      use_setfiles g;

+      (* That worked, so we don't need to autorelabel. *)

       g#rm_f "/.autorelabel"

-    )

-    else (

-      (* SELinux guest, but not SELinux host.  Fallback to this. *)

+    with Failure _ ->

+      (* This is the fallback in case something in the setfiles

+       * method didn't work.  That includes the case where a non-SELinux

+       * host is processing an SELinux guest, and other things.

+       *)

       g#touch "/.autorelabel"

-    )

   )

+

+and is_selinux_guest g =

+  g#is_file ~followsymlinks:true "/usr/sbin/load_policy" &&

+  g#is_file ~followsymlinks:true "/etc/selinux/config"

+

+and use_setfiles g =

+  (* Is setfiles / SELinux relabelling functionality available? *)

+  if not (g#feature_available [| "selinuxrelabel" |]) then

+    failwith "no selinux relabel feature";

+

+  (* Use Augeas to parse /etc/selinux/config. *)

+  g#aug_init "/" (16+32) (* AUG_SAVE_NOOP | AUG_NO_LOAD *);

+  (* See: https://bugzilla.redhat.com/show_bug.cgi?id=975412#c0 *)

+  ignore (g#aug_rm "/augeas/load/*[\"/etc/selinux/config/\" !~ regexp('^') + glob(incl) + regexp('/.*')]");

+  g#aug_load ();

+  debug_augeas_errors g;

+

+  (* Get the SELinux policy name, eg. "targeted", "minimum".

+   * Use "targeted" if not specified, just like libselinux does.

+   *)

+  let policy =

+    let config_path = "/files/etc/selinux/config" in

+    let selinuxtype_path = config_path ^ "/SELINUXTYPE" in

+    let keys = g#aug_ls config_path in

+    if array_find selinuxtype_path keys then

+      g#aug_get selinuxtype_path

+    else

+      "targeted" in

+

+  g#aug_close ();

+

+  (* Get the spec file name. *)

+  let specfile =

+    sprintf "/etc/selinux/%s/contexts/files/file_contexts" policy in

+

+  (* If the spec file doesn't exist then fall back to using

+   * autorelabel (RHBZ#1828952).

+   *)

+  if not (g#is_file ~followsymlinks:true specfile) then

+    failwith "no spec file";

+

+  (* RHEL 6.2 - 6.5 had a malformed specfile that contained the

+   * invalid regular expression "/var/run/spice-vdagentd.\pid"

+   * (instead of "\.p").  This stops setfiles from working on

+   * the guest.

+   *

+   * Because an SELinux relabel writes all over the filesystem,

+   * it seems reasonable to fix this problem in the specfile

+   * at the same time.  (RHBZ#1374232)

+   *)

+  if g#grep ~fixed:true "vdagentd.\\pid" specfile <> [||] then (

+    debug "fixing invalid regular expression in %s" specfile;

+    let old_specfile = specfile ^ "~" in

+    g#mv specfile old_specfile;

+    let content = g#read_file old_specfile in

+    let content =

+      String.replace content "vdagentd.\\pid" "vdagentd\\.pid" in

+    g#write specfile content;

+    g#copy_attributes ~all:true old_specfile specfile

+  );

+

+  (* Relabel everything. *)

+  g#selinux_relabel ~force:true specfile "/"

diff --git a/common/mltools/Makefile.am b/common/mltools/Makefile.am

index 3b4172db..aea2dce9 100644

--- a/common/mltools/Makefile.am

+++ b/common/mltools/Makefile.am

@@ -95,6 +95,7 @@ libmltools_a_CPPFLAGS = \

 	-I$(shell $(OCAMLC) -where) \

 	-I$(top_srcdir)/common/utils \

 	-I$(top_srcdir)/lib \

+	$(INCLUDE_DIRECTORY) \

 	-I$(top_srcdir)/common/options \

 	-I$(top_srcdir)/common/mlgettext \

 	-I$(top_srcdir)/common/mlpcre \

diff --git a/common/mltools/tools_utils.ml b/common/mltools/tools_utils.ml

index 12718022..d54ec581 100644

--- a/common/mltools/tools_utils.ml

+++ b/common/mltools/tools_utils.ml

@@ -679,3 +679,53 @@ let with_timeout op timeout ?(sleep = 2) fn =

        loop ()

   in

   loop ()

+

+let run_in_guest_command g root ?logfile ?incompatible_fn cmd =

+  (* Is the host_cpu compatible with the guest arch?  ie. Can we

+   * run commands in this guest?

+   *)

+  let guest_arch = g#inspect_get_arch root in

+  let guest_arch_compatible = guest_arch_compatible guest_arch in

+  if not guest_arch_compatible then (

+    match incompatible_fn with

+    | None -> ()

+    | Some fn -> fn ()

+  )

+  else (

+    (* Add a prologue to the scripts:

+     * - Pass environment variables through from the host.

+     * - Optionally send stdout and stderr to a log file so we capture

+     *   all output in error messages.

+     * - Use setarch when running x86_64 host + i686 guest.

+     *)

+    let env_vars =

+      List.filter_map (

+        fun name ->

+          try Some (sprintf "export %s=%s" name (quote (Sys.getenv name)))

+          with Not_found -> None

+      ) [ "http_proxy"; "https_proxy"; "ftp_proxy"; "no_proxy" ] in

+    let env_vars = String.concat "\n" env_vars ^ "\n" in

+

+    let cmd =

+      match Guestfs_config.host_cpu, guest_arch with

+      | "x86_64", ("i386"|"i486"|"i586"|"i686") ->

+        sprintf "setarch i686 <<\"__EOCMD\"

+%s

+__EOCMD

+" cmd

+      | _ -> cmd in

+

+    let logfile_redirect =

+      match logfile with

+      | None -> ""

+      | Some logfile -> sprintf "exec >>%s 2>&1" (quote logfile) in

+

+    let cmd = sprintf "\

+%s

+%s

+%s

+" (logfile_redirect) env_vars cmd in

+

+    debug "running command:\n%s" cmd;

+    ignore (g#sh cmd)

+  )

diff --git a/common/mltools/tools_utils.mli b/common/mltools/tools_utils.mli

index ab70f583..1d1ac8a8 100644

--- a/common/mltools/tools_utils.mli

+++ b/common/mltools/tools_utils.mli

@@ -195,9 +195,8 @@ val is_btrfs_subvolume : Guestfs.guestfs -> string -> bool

 (** Checks if a filesystem is a btrfs subvolume. *)

 val inspect_decrypt : Guestfs.guestfs -> key_store -> unit

-(** Simple implementation of decryption: look for any [crypto_LUKS]

-    partitions and decrypt them, then rescan for VGs.  This only works

-    for Fedora whole-disk encryption. *)

+(** Simple implementation of decryption: look for any encrypted

+    partitions and decrypt them, then rescan for VGs. *)

 val with_timeout : string -> int -> ?sleep:int -> (unit -> 'a option) -> 'a

 (** [with_timeout op timeout ?sleep fn] implements a timeout loop.

@@ -212,3 +211,13 @@ val with_timeout : string -> int -> ?sleep:int -> (unit -> 'a option) -> 'a

     calls {!error} and the program exits.  The error message will

     contain the diagnostic string [op] to identify the operation

     which timed out. *)

+

+val run_in_guest_command : Guestfs.guestfs -> string -> ?logfile:string -> ?incompatible_fn:(unit -> unit) -> string -> unit

+(** [run_in_guest_command g root ?incompatible_archs_fn cmd]

+    runs a command in the guest, which is already mounted for the

+    specified [root].  The command is run directly in case the

+    architecture of the host and the guest are compatible, optionally

+    calling [?incompatible_fn] in case they are not.

+

+    [?logfile] is an optional file in the guest to where redirect

+    stdout and stderr of the command. *)

diff --git a/common/mlutils/unix_utils-c.c b/common/mlutils/unix_utils-c.c

index 33099611..8acf0395 100644

--- a/common/mlutils/unix_utils-c.c

+++ b/common/mlutils/unix_utils-c.c

@@ -77,6 +77,7 @@ extern value guestfs_int_mllib_mkdtemp (value val_pattern);

 extern value guestfs_int_mllib_realpath (value pathv);

 extern value guestfs_int_mllib_statvfs_statvfs (value pathv);

 extern value guestfs_int_mllib_statvfs_is_network_filesystem (value pathv);

+extern value guestfs_int_mllib_sysconf_nr_processors_online (value unitv);

 /* NB: This is a "noalloc" call. */

 value

@@ -368,3 +369,17 @@ guestfs_int_mllib_statvfs_is_network_filesystem (value pathv)

   return Val_bool (0);

 #endif

 }

+

+/* NB: This is a "noalloc" call. */

+value

+guestfs_int_mllib_sysconf_nr_processors_online (value unitv)

+{

+#ifdef _SC_NPROCESSORS_ONLN

+  long n;

+

+  n = sysconf (_SC_NPROCESSORS_ONLN);

+  if (n > 0) return Val_int (n);

+#endif

+  /* Return a safe value so that callers don't need to deal with errors. */

+  return Val_int (1);

+}

diff --git a/common/mlutils/unix_utils.ml b/common/mlutils/unix_utils.ml

index 52eb824d..2bdda12a 100644

--- a/common/mlutils/unix_utils.ml

+++ b/common/mlutils/unix_utils.ml

@@ -84,3 +84,8 @@ module StatVFS = struct

   external is_network_filesystem : string -> bool =

     "guestfs_int_mllib_statvfs_is_network_filesystem" "noalloc"

 end

+

+module Sysconf = struct

+  external nr_processors_online : unit -> int =

+    "guestfs_int_mllib_sysconf_nr_processors_online" "noalloc"

+end

diff --git a/common/mlutils/unix_utils.mli b/common/mlutils/unix_utils.mli

index 4fcea4a3..aead4df2 100644

--- a/common/mlutils/unix_utils.mli

+++ b/common/mlutils/unix_utils.mli

@@ -121,3 +121,12 @@ module StatVFS : sig

   (** [is_network_filesystem path] returns true if [path] is located on

       a network filesystem such as NFS or CIFS. *)

 end

+

+module Sysconf : sig

+  val nr_processors_online : unit -> int

+  (** [nr_processors_online ()] returns the number of processors

+      currently online, from [sysconf (_SC_NPROCESSORS_ONLN)].

+

+      Note this never fails.  In case we cannot get the number of

+      cores it returns 1. *)

+end

diff --git a/common/options/Makefile.am b/common/options/Makefile.am

index f7ea7493..162d143b 100644

--- a/common/options/Makefile.am

+++ b/common/options/Makefile.am

@@ -41,8 +41,9 @@ liboptions_la_SOURCES = \

 liboptions_la_CPPFLAGS = \

 	-DGUESTFS_NO_DEPRECATED=1 \

 	-I$(top_srcdir)/common/utils -I$(top_builddir)/common/utils \

+	-I$(top_srcdir)/gnulib/lib -I$(top_builddir)/gnulib/lib \

 	-I$(top_srcdir)/lib -I$(top_builddir)/lib \

-	-I$(top_srcdir)/gnulib/lib -I$(top_builddir)/gnulib/lib

+	$(INCLUDE_DIRECTORY)

 liboptions_la_CFLAGS = \

 	$(WARN_CFLAGS) $(WERROR_CFLAGS) \

 	$(LIBCONFIG_CFLAGS) \

diff --git a/common/options/decrypt.c b/common/options/decrypt.c

index 683cf5ed..434b7d58 100644

--- a/common/options/decrypt.c

+++ b/common/options/decrypt.c

@@ -25,6 +25,7 @@

 #include <stdio.h>

 #include <stdlib.h>

+#include <stdbool.h>

 #include <string.h>

 #include <libintl.h>

 #include <error.h>

@@ -38,18 +39,18 @@

 /**

  * Make a LUKS map name from the partition name,

- * eg. C<"/dev/vda2" =E<gt> "luksvda2">

+ * eg. C<"/dev/vda2" =E<gt> "cryptvda2">

  */

 static void

 make_mapname (const char *device, char *mapname, size_t len)

 {

   size_t i = 0;

-  if (len < 5)

+  if (len < 6)

     abort ();

-  strcpy (mapname, "luks");

-  mapname += 4;

-  len -= 4;

+  strcpy (mapname, "crypt");

+  mapname += 5;

+  len -= 5;

   if (STRPREFIX (device, "/dev/"))

     i = 5;

@@ -65,10 +66,8 @@ make_mapname (const char *device, char *mapname, size_t len)

 }

 /**

- * Simple implementation of decryption: look for any C<crypto_LUKS>

- * partitions and decrypt them, then rescan for VGs.  This only works

- * for Fedora whole-disk encryption.  WIP to make this work for other

- * encryption schemes.

+ * Simple implementation of decryption: look for any encrypted

+ * partitions and decrypt them, then rescan for VGs.

  */

 void

 inspect_do_decrypt (guestfs_h *g, struct key_store *ks)

@@ -82,12 +81,21 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks)

   for (i = 0; partitions[i] != NULL; ++i) {

     CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]);

-    if (type && STREQ (type, "crypto_LUKS")) {

+    if (type &&

+        (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) {

+      bool is_bitlocker = STREQ (type, "BitLocker");

       char mapname[32];

       make_mapname (partitions[i], mapname, sizeof mapname);

 #ifdef GUESTFS_HAVE_LUKS_UUID

-      CLEANUP_FREE char *uuid = guestfs_luks_uuid (g, partitions[i]);

+      CLEANUP_FREE char *uuid = NULL;

+

+      /* This fails for Windows BitLocker disks because cryptsetup

+       * luksUUID cannot read a UUID (unclear if this is a limitation

+       * of the format or cryptsetup).

+       */

+      if (!is_bitlocker)

+        uuid = guestfs_luks_uuid (g, partitions[i]);

 #else

       const char *uuid = NULL;

 #endif

@@ -97,11 +105,15 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks)

       /* Try each key in turn. */

       for (j = 0; keys[j] != NULL; ++j) {

-        /* XXX Should we call guestfs_luks_open_ro if readonly flag

+        /* XXX Should we set GUESTFS_CRYPTSETUP_OPEN_READONLY if readonly

          * is set?  This might break 'mount_ro'.

          */

         guestfs_push_error_handler (g, NULL, NULL);

+#ifdef GUESTFS_HAVE_CRYPTSETUP_OPEN

+        r = guestfs_cryptsetup_open (g, partitions[i], keys[j], mapname, -1);

+#else

         r = guestfs_luks_open (g, partitions[i], keys[j], mapname);

+#endif

         guestfs_pop_error_handler (g);

         if (r == 0)

           goto opened;

diff --git a/common/options/uri.c b/common/options/uri.c

index ac36bccb..6b696fc2 100644

--- a/common/options/uri.c

+++ b/common/options/uri.c

@@ -194,6 +194,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,

   if (path && path[0] == '/' &&

       (STREQ (uri->scheme, "gluster") ||

        STREQ (uri->scheme, "iscsi") ||

+       STREQ (uri->scheme, "nbd") ||

        STREQ (uri->scheme, "rbd") ||

        STREQ (uri->scheme, "sheepdog")))

     path++;

diff --git a/common/utils/guestfs-stringlists-utils.h b/common/utils/guestfs-stringlists-utils.h

index 0bac1587..ade3b6f3 100644

--- a/common/utils/guestfs-stringlists-utils.h

+++ b/common/utils/guestfs-stringlists-utils.h

@@ -21,7 +21,8 @@

 /* stringlists-utils.c */

 extern void guestfs_int_free_string_list (char **);

-extern size_t guestfs_int_count_strings (char *const *);

+extern size_t guestfs_int_count_strings (char *const *)

+  __attribute__((__nonnull__ (1)));

 extern char *guestfs_int_concat_strings (char *const *);

 extern char **guestfs_int_copy_string_list (char *const *);

 extern char *guestfs_int_join_strings (const char *sep, char *const *);