From: Richard W.M. Jones Date: Wed, 20 Oct 2010 10:34:57 +0000 (+0100) Subject: generator: Optional arguments, add-drive-opts (RHBZ#642934,CVE-2010-3851). X-Git-Tag: 1.5.23~7 X-Git-Url: http://git.annexia.org/?a=commitdiff_plain;h=14490c3e1aac61c6ac90f28828896683f64f0dc9;p=libguestfs.git generator: Optional arguments, add-drive-opts (RHBZ#642934,CVE-2010-3851). This large commit changes the generator so that optional arguments can be supported for functions. The model for arguments (known as the "style") is changed from (ret, args) to (ret, args, optargs) where optargs is a more limited list of arguments. One function has been added which takes optional arguments, it is "add-drive-opts", modelled as: (RErr, [String "filename"], #required [Bool "readonly"; String "format"; String "iface"]) #optional Note that this function is processed in the library (does not go over the RPC protocol to the daemon). This has allowed us to simplify the current implementation by omitting changes related to RPC or the daemon, although we plan to add these at some point in the future. From C this function can be called in 3 different ways as in these examples: guestfs_add_drive_opts (g, filename, GUESTFS_ADD_DRIVE_OPTS_READONLY, 1, GUESTFS_ADD_DRIVE_OPTS_FORMAT, "raw", -1); (the argument(s) between 'filename' and '-1' are the optional ones). guestfs_add_drive_opts_va (g, filename, args); where 'args' is a va_list. This works like the first version. struct guestfs_add_drive_opts_argv optargs = { .bitmask = GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK, .readonly = 1, } guestfs_add_drive_opts_argv (g, filename, &optargs); This last form lets you construct lists of optional arguments, and is used by guestfish and the language bindings. In guestfish optional arguments are used like this: add-drive-opts filename readonly:true In OCaml these are mapped naturally to OCaml optional arguments, eg: g#add_drive_opts ~readonly:true filename; In Perl these are mapped to extra arguments, eg: $g->add_drive_opts ($filename, readonly => 1); In Python these are mapped to optional arguments, eg: g.add_drive_opts ("file", readonly = 1, format = "qcow2") In Ruby these are mapped to a final hash argument, eg: g.add_drive_opts("file", {}) g.add_drive_opts("file", :readonly => 1) g.add_drive_opts("file", :readonly => 1, :iface => "virtio") In PHP these are mapped to extra parameters. This is not quite accurate since you cannot omit arbitrary optional parameters, but there's not much than can be done within the limitations of PHP as a language. Unimplemented in: Haskell, C#, Java. --- diff --git a/.gitignore b/.gitignore index f21ac09..bddbe25 100644 --- a/.gitignore +++ b/.gitignore @@ -177,6 +177,7 @@ ocaml/t/guestfs_010_launch ocaml/t/guestfs_050_lvcreate ocaml/t/guestfs_060_readdir ocaml/t/guestfs_070_threads +ocaml/t/guestfs_080_optargs ocaml/t/guestfs_400_progress perl/bindtests.pl perl/blib diff --git a/configure.ac b/configure.ac index 455ffd1..94e65b4 100644 --- a/configure.ac +++ b/configure.ac @@ -266,7 +266,7 @@ the --with-qemu option. fi fi -dnl Set drive interface used by the guestfs_add_drive{,_ro} calls +dnl Set default drive interface used by the guestfs_add_drive_opts call dnl ('-drive ...,if=...' option to qemu). dnl dnl If you encounter performance problems with virtio (RHBZ#509383) diff --git a/examples/hello.c b/examples/hello.c index b4d5d8c..b3d36e6 100644 --- a/examples/hello.c +++ b/examples/hello.c @@ -24,11 +24,14 @@ main (int argc, char *argv[]) if (!(g = guestfs_create ())) exit (EXIT_FAILURE); - if (guestfs_add_drive (g, argv[1]) == -1) exit (EXIT_FAILURE); + if (guestfs_add_drive_opts (g, argv[1], + GUESTFS_ADD_DRIVE_OPTS_FORMAT, "raw", + -1) == -1) + exit (EXIT_FAILURE); if (guestfs_launch (g) == -1) exit (EXIT_FAILURE); - if (guestfs_mount (g, argv[2], "/") == -1) exit (EXIT_FAILURE); + if (guestfs_mount_options (g, "", argv[2], "/") == -1) exit (EXIT_FAILURE); if (guestfs_touch (g, "/hello") == -1) exit (EXIT_FAILURE); diff --git a/examples/to-xml.c b/examples/to-xml.c index 537ae91..45994cb 100644 --- a/examples/to-xml.c +++ b/examples/to-xml.c @@ -48,7 +48,9 @@ main (int argc, char *argv[]) } for (i = 1; i < argc; ++i) - CALL (guestfs_add_drive (g, argv[i]), -1); + CALL (guestfs_add_drive_opts (g, argv[i], + GUESTFS_ADD_DRIVE_OPTS_FORMAT, "raw", + -1), -1); CALL (guestfs_launch (g), -1); diff --git a/fish/guestfish.pod b/fish/guestfish.pod index fc32d0a..c92953b 100644 --- a/fish/guestfish.pod +++ b/fish/guestfish.pod @@ -381,6 +381,21 @@ must be escaped with a backslash. command "/bin/echo 'foo bar'" command "/bin/echo \'foo\'" +=head1 OPTIONAL ARGUMENTS + +Some commands take optional arguments. These arguments appear in this +documentation as C<[argname:..]>. You can use them as in these +examples: + + add-drive-opts filename + + add-drive-opts filename readonly:true + + add-drive-opts filename format:qcow2 readonly:false + +Each optional argument can appear at most once. All optional +arguments must appear after the required ones. + =head1 NUMBERS This section applies to all commands which can take integers diff --git a/generator/generator_actions.ml b/generator/generator_actions.ml index c9890a6..695a73d 100644 --- a/generator/generator_actions.ml +++ b/generator/generator_actions.ml @@ -58,7 +58,7 @@ let test_all_rets = [ ] let test_functions = [ - ("test0", (RErr, test_all_args), -1, [NotInFish; NotInDocs], + ("test0", (RErr, test_all_args, []), -1, [NotInFish; NotInDocs], [], "internal test function - do not use", "\ @@ -72,7 +72,7 @@ You probably don't want to call this function."); ] @ List.flatten ( List.map ( fun (name, ret) -> - [(name, (ret, [String "val"]), -1, [NotInFish; NotInDocs], + [(name, (ret, [String "val"], []), -1, [NotInFish; NotInDocs], [], "internal test function - do not use", "\ @@ -83,7 +83,7 @@ return type correctly. It converts string C to the return type. You probably don't want to call this function."); - (name ^ "err", (ret, []), -1, [NotInFish; NotInDocs], + (name ^ "err", (ret, [], []), -1, [NotInFish; NotInDocs], [], "internal test function - do not use", "\ @@ -103,7 +103,7 @@ You probably don't want to call this function.")] *) let non_daemon_functions = test_functions @ [ - ("launch", (RErr, []), -1, [FishAlias "run"], + ("launch", (RErr, [], []), -1, [FishAlias "run"], [], "launch the qemu subprocess", "\ @@ -113,7 +113,7 @@ using L. You should call this after configuring the handle (eg. adding drives) but before performing any actions."); - ("wait_ready", (RErr, []), -1, [NotInFish], + ("wait_ready", (RErr, [], []), -1, [NotInFish], [], "wait until the qemu subprocess launches (no op)", "\ @@ -128,44 +128,28 @@ If you see any calls to this function in code then you can just remove them, unless you want to retain compatibility with older versions of the API."); - ("kill_subprocess", (RErr, []), -1, [], + ("kill_subprocess", (RErr, [], []), -1, [], [], "kill the qemu subprocess", "\ This kills the qemu subprocess. You should never need to call this."); - ("add_drive", (RErr, [String "filename"]), -1, [FishAlias "add"], + ("add_drive", (RErr, [String "filename"], []), -1, [], [], "add an image to examine or modify", "\ -This function adds a virtual machine disk image C to the -guest. The first time you call this function, the disk appears as IDE -disk 0 (C) in the guest, the second time as C, and -so on. +This function is the equivalent of calling C +with no optional parameters, so the disk is added writable, with +the format being detected automatically. -You don't necessarily need to be root when using libguestfs. However -you obviously do need sufficient permissions to access the filename -for whatever operations you want to perform (ie. read access if you -just want to read the image or write access if you want to modify the -image). +Automatic detection of the format opens you up to a potential +security hole when dealing with untrusted raw-format images. +See CVE-2010-3851 and RHBZ#642934. Specifying the format closes +this security hole. Therefore you should think about replacing +calls to this function with calls to C, +and specifying the format."); -This is equivalent to the qemu parameter -C<-drive file=filename,cache=off,if=...>. - -C is omitted in cases where it is not supported by -the underlying filesystem. - -C is set at compile time by the configuration option -C<./configure --with-drive-if=...>. In the rare case where you -might need to change this at run time, use C -or C. - -Note that this call checks for the existence of C. This -stops you from specifying other types of drive which are supported -by qemu such as C and C URLs. To specify those, use -the general C call instead."); - - ("add_cdrom", (RErr, [String "filename"]), -1, [FishAlias "cdrom"], + ("add_cdrom", (RErr, [String "filename"], []), -1, [DeprecatedBy "add_drive_opts"], [], "add a CD-ROM disk image to examine", "\ @@ -192,33 +176,16 @@ should probably use C instead. =back"); - ("add_drive_ro", (RErr, [String "filename"]), -1, [FishAlias "add-ro"], + ("add_drive_ro", (RErr, [String "filename"], []), -1, [FishAlias "add-ro"], [], "add a drive in snapshot mode (read-only)", "\ -This adds a drive in snapshot mode, making it effectively -read-only. - -Note that writes to the device are allowed, and will be seen for -the duration of the guestfs handle, but they are written -to a temporary file which is discarded as soon as the guestfs -handle is closed. We don't currently have any method to enable -changes to be committed, although qemu can support this. - -This is equivalent to the qemu parameter -C<-drive file=filename,snapshot=on,if=...>. - -C is set at compile time by the configuration option -C<./configure --with-drive-if=...>. In the rare case where you -might need to change this at run time, use C -or C. - -Note that this call checks for the existence of C. This -stops you from specifying other types of drive which are supported -by qemu such as C and C URLs. To specify those, use -the general C call instead."); +This function is the equivalent of calling C +with the optional parameter C set to 1, +so the disk is added read-only, with the format being detected +automatically."); - ("config", (RErr, [String "qemuparam"; OptString "qemuvalue"]), -1, [], + ("config", (RErr, [String "qemuparam"; OptString "qemuvalue"], []), -1, [], [], "add qemu parameters", "\ @@ -231,7 +198,7 @@ The first character of C string must be a C<-> (dash). C can be NULL."); - ("set_qemu", (RErr, [OptString "qemu"]), -1, [FishAlias "qemu"], + ("set_qemu", (RErr, [OptString "qemu"], []), -1, [FishAlias "qemu"], [], "set the qemu binary", "\ @@ -253,7 +220,7 @@ so you might see inconsistent results. Using the environment variable C is safest of all since that picks the qemu binary at the same time as the handle is created."); - ("get_qemu", (RConstString "qemu", []), -1, [], + ("get_qemu", (RConstString "qemu", [], []), -1, [], [InitNone, Always, TestRun ( [["get_qemu"]])], "get the qemu binary", @@ -263,7 +230,7 @@ Return the current qemu binary. This is always non-NULL. If it wasn't set already, then this will return the default qemu binary name."); - ("set_path", (RErr, [OptString "searchpath"]), -1, [FishAlias "path"], + ("set_path", (RErr, [OptString "searchpath"], []), -1, [FishAlias "path"], [], "set the search path", "\ @@ -274,7 +241,7 @@ C environment variable. Setting C to C restores the default path."); - ("get_path", (RConstString "path", []), -1, [], + ("get_path", (RConstString "path", [], []), -1, [], [InitNone, Always, TestRun ( [["get_path"]])], "get the search path", @@ -284,7 +251,7 @@ Return the current search path. This is always non-NULL. If it wasn't set already, then this will return the default path."); - ("set_append", (RErr, [OptString "append"]), -1, [FishAlias "append"], + ("set_append", (RErr, [OptString "append"], []), -1, [FishAlias "append"], [], "add options to kernel command line", "\ @@ -297,7 +264,7 @@ C environment variable. Setting C to C means I additional options are passed (libguestfs always adds a few of its own)."); - ("get_append", (RConstOptString "append", []), -1, [], + ("get_append", (RConstOptString "append", [], []), -1, [], (* This cannot be tested with the current framework. The * function can return NULL in normal operations, which the * test framework interprets as an error. @@ -310,7 +277,7 @@ guest kernel command line. If C then no options are added."); - ("set_autosync", (RErr, [Bool "autosync"]), -1, [FishAlias "autosync"], + ("set_autosync", (RErr, [Bool "autosync"], []), -1, [FishAlias "autosync"], [], "set autosync mode", "\ @@ -322,14 +289,14 @@ C when the handle is closed This is disabled by default (except in guestfish where it is enabled by default)."); - ("get_autosync", (RBool "autosync", []), -1, [], + ("get_autosync", (RBool "autosync", [], []), -1, [], [InitNone, Always, TestRun ( [["get_autosync"]])], "get autosync mode", "\ Get the autosync flag."); - ("set_verbose", (RErr, [Bool "verbose"]), -1, [FishAlias "verbose"], + ("set_verbose", (RErr, [Bool "verbose"], []), -1, [FishAlias "verbose"], [], "set verbose mode", "\ @@ -338,13 +305,13 @@ If C is true, this turns on verbose messages (to C). Verbose messages are disabled unless the environment variable C is defined and set to C<1>."); - ("get_verbose", (RBool "verbose", []), -1, [], + ("get_verbose", (RBool "verbose", [], []), -1, [], [], "get verbose mode", "\ This returns the verbose messages flag."); - ("is_ready", (RBool "ready", []), -1, [], + ("is_ready", (RBool "ready", [], []), -1, [], [InitNone, Always, TestOutputTrue ( [["is_ready"]])], "is ready to accept commands", @@ -354,7 +321,7 @@ This returns true iff this handle is ready to accept commands For more information on states, see L."); - ("is_config", (RBool "config", []), -1, [], + ("is_config", (RBool "config", [], []), -1, [], [InitNone, Always, TestOutputFalse ( [["is_config"]])], "is in configuration state", @@ -364,7 +331,7 @@ This returns true iff this handle is being configured For more information on states, see L."); - ("is_launching", (RBool "launching", []), -1, [], + ("is_launching", (RBool "launching", [], []), -1, [], [InitNone, Always, TestOutputFalse ( [["is_launching"]])], "is launching subprocess", @@ -374,7 +341,7 @@ This returns true iff this handle is launching the subprocess For more information on states, see L."); - ("is_busy", (RBool "busy", []), -1, [], + ("is_busy", (RBool "busy", [], []), -1, [], [InitNone, Always, TestOutputFalse ( [["is_busy"]])], "is busy processing a command", @@ -384,7 +351,7 @@ This returns true iff this handle is busy processing a command For more information on states, see L."); - ("get_state", (RInt "state", []), -1, [], + ("get_state", (RInt "state", [], []), -1, [], [], "get the current state", "\ @@ -393,7 +360,7 @@ only useful for printing debug and internal error messages. For more information on states, see L."); - ("set_memsize", (RErr, [Int "memsize"]), -1, [FishAlias "memsize"], + ("set_memsize", (RErr, [Int "memsize"], []), -1, [FishAlias "memsize"], [InitNone, Always, TestOutputInt ( [["set_memsize"; "500"]; ["get_memsize"]], 500)], @@ -410,7 +377,7 @@ created. For more information on the architecture of libguestfs, see L."); - ("get_memsize", (RInt "memsize", []), -1, [], + ("get_memsize", (RInt "memsize", [], []), -1, [], [InitNone, Always, TestOutputIntOp ( [["get_memsize"]], ">=", 256)], "get memory allocated to the qemu subprocess", @@ -425,7 +392,7 @@ then this returns the compiled-in default value for memsize. For more information on the architecture of libguestfs, see L."); - ("get_pid", (RInt "pid", []), -1, [FishAlias "pid"], + ("get_pid", (RInt "pid", [], []), -1, [FishAlias "pid"], [InitNone, Always, TestOutputIntOp ( [["get_pid"]], ">=", 1)], "get PID of qemu subprocess", @@ -435,7 +402,7 @@ qemu subprocess, then this will return an error. This is an internal call used for debugging and testing."); - ("version", (RStruct ("version", "version"), []), -1, [], + ("version", (RStruct ("version", "version"), [], []), -1, [], [InitNone, Always, TestOutputStruct ( [["version"]], [CompareWithInt ("major", 1)])], "get the library version number", @@ -471,7 +438,7 @@ features from later versions into earlier versions, making this an unreliable way to test for features. Use C instead."); - ("set_selinux", (RErr, [Bool "selinux"]), -1, [FishAlias "selinux"], + ("set_selinux", (RErr, [Bool "selinux"], []), -1, [FishAlias "selinux"], [InitNone, Always, TestOutputTrue ( [["set_selinux"; "true"]; ["get_selinux"]])], @@ -486,7 +453,7 @@ Permissive mode (C). For more information on the architecture of libguestfs, see L."); - ("get_selinux", (RBool "selinux", []), -1, [], + ("get_selinux", (RBool "selinux", [], []), -1, [], [], "get SELinux enabled flag", "\ @@ -496,7 +463,7 @@ is passed to the appliance at boot time. See C. For more information on the architecture of libguestfs, see L."); - ("set_trace", (RErr, [Bool "trace"]), -1, [FishAlias "trace"], + ("set_trace", (RErr, [Bool "trace"], []), -1, [FishAlias "trace"], [InitNone, Always, TestOutputFalse ( [["set_trace"; "false"]; ["get_trace"]])], @@ -516,13 +483,13 @@ the external ltrace(1) command. Command traces are disabled unless the environment variable C is defined and set to C<1>."); - ("get_trace", (RBool "trace", []), -1, [], + ("get_trace", (RBool "trace", [], []), -1, [], [], "get command trace enabled flag", "\ Return the command trace flag."); - ("set_direct", (RErr, [Bool "direct"]), -1, [FishAlias "direct"], + ("set_direct", (RErr, [Bool "direct"], []), -1, [FishAlias "direct"], [InitNone, Always, TestOutputFalse ( [["set_direct"; "false"]; ["get_direct"]])], @@ -541,13 +508,13 @@ are doing. The default is disabled."); - ("get_direct", (RBool "direct", []), -1, [], + ("get_direct", (RBool "direct", [], []), -1, [], [], "get direct appliance mode flag", "\ Return the direct appliance mode flag."); - ("set_recovery_proc", (RErr, [Bool "recoveryproc"]), -1, [FishAlias "recovery-proc"], + ("set_recovery_proc", (RErr, [Bool "recoveryproc"], []), -1, [FishAlias "recovery-proc"], [InitNone, Always, TestOutputTrue ( [["set_recovery_proc"; "true"]; ["get_recovery_proc"]])], @@ -567,27 +534,27 @@ if the main process will fork itself into the background thinks that the main program has disappeared and so kills qemu, which is not very helpful."); - ("get_recovery_proc", (RBool "recoveryproc", []), -1, [], + ("get_recovery_proc", (RBool "recoveryproc", [], []), -1, [], [], "get recovery process enabled flag", "\ Return the recovery process enabled flag."); - ("add_drive_with_if", (RErr, [String "filename"; String "iface"]), -1, [], + ("add_drive_with_if", (RErr, [String "filename"; String "iface"], []), -1, [DeprecatedBy "add_drive_opts"], [], "add a drive specifying the QEMU block emulation to use", "\ This is the same as C but it allows you to specify the QEMU interface emulation to use at run time."); - ("add_drive_ro_with_if", (RErr, [String "filename"; String "iface"]), -1, [], + ("add_drive_ro_with_if", (RErr, [String "filename"; String "iface"], []), -1, [DeprecatedBy "add_drive_opts"], [], "add a drive read-only specifying the QEMU block emulation to use", "\ This is the same as C but it allows you to specify the QEMU interface emulation to use at run time."); - ("file_architecture", (RString "arch", [Pathname "filename"]), -1, [], + ("file_architecture", (RString "arch", [Pathname "filename"], []), -1, [], [InitISOFS, Always, TestOutput ( [["file_architecture"; "/bin-i586-dynamic"]], "i386"); InitISOFS, Always, TestOutput ( @@ -715,7 +682,7 @@ initrd or kernel module(s) instead. =back"); - ("inspect_os", (RStringList "roots", []), -1, [], + ("inspect_os", (RStringList "roots", [], []), -1, [], [], "inspect disk and return list of operating systems found", "\ @@ -751,7 +718,7 @@ Please read L for more details. See also C."); - ("inspect_get_type", (RString "name", [Device "root"]), -1, [], + ("inspect_get_type", (RString "name", [Device "root"], []), -1, [], [], "get type of inspected operating system", "\ @@ -782,7 +749,7 @@ The caller should be prepared to handle any string. Please read L for more details."); - ("inspect_get_arch", (RString "arch", [Device "root"]), -1, [], + ("inspect_get_arch", (RString "arch", [Device "root"], []), -1, [], [], "get architecture of inspected operating system", "\ @@ -798,7 +765,7 @@ string C is returned. Please read L for more details."); - ("inspect_get_distro", (RString "distro", [Device "root"]), -1, [], + ("inspect_get_distro", (RString "distro", [Device "root"], []), -1, [], [], "get distro of inspected operating system", "\ @@ -844,7 +811,7 @@ The caller should be prepared to handle any string. Please read L for more details."); - ("inspect_get_major_version", (RInt "major", [Device "root"]), -1, [], + ("inspect_get_major_version", (RInt "major", [Device "root"], []), -1, [], [], "get major version of inspected operating system", "\ @@ -865,7 +832,7 @@ If the version could not be determined, then C<0> is returned. Please read L for more details."); - ("inspect_get_minor_version", (RInt "minor", [Device "root"]), -1, [], + ("inspect_get_minor_version", (RInt "minor", [Device "root"], []), -1, [], [], "get minor version of inspected operating system", "\ @@ -880,7 +847,7 @@ If the version could not be determined, then C<0> is returned. Please read L for more details. See also C."); - ("inspect_get_product_name", (RString "product", [Device "root"]), -1, [], + ("inspect_get_product_name", (RString "product", [Device "root"], []), -1, [], [], "get product name of inspected operating system", "\ @@ -897,7 +864,7 @@ string C is returned. Please read L for more details."); - ("inspect_get_mountpoints", (RHashtable "mountpoints", [Device "root"]), -1, [], + ("inspect_get_mountpoints", (RHashtable "mountpoints", [Device "root"], []), -1, [], [], "get mountpoints of inspected operating system", "\ @@ -920,7 +887,7 @@ returned in this list. Please read L for more details. See also C."); - ("inspect_get_filesystems", (RStringList "filesystems", [Device "root"]), -1, [], + ("inspect_get_filesystems", (RStringList "filesystems", [Device "root"], []), -1, [], [], "get filesystems associated with inspected operating system", "\ @@ -938,7 +905,7 @@ for a filesystem to be shared between operating systems. Please read L for more details. See also C."); - ("set_network", (RErr, [Bool "network"]), -1, [FishAlias "network"], + ("set_network", (RErr, [Bool "network"], []), -1, [FishAlias "network"], [], "set enable network flag", "\ @@ -951,13 +918,13 @@ This affects whether commands are able to access the network You must call this before calling C, otherwise it has no effect."); - ("get_network", (RBool "network", []), -1, [], + ("get_network", (RBool "network", [], []), -1, [], [], "get enable network flag", "\ This returns the enable network flag."); - ("list_filesystems", (RHashtable "fses", []), -1, [], + ("list_filesystems", (RHashtable "fses", [], []), -1, [], [], "list filesystems", "\ @@ -990,6 +957,51 @@ be mountable but require special options. Filesystems may not all belong to a single logical operating system (use C to look for OSes)."); + ("add_drive_opts", (RErr, [String "filename"], [Bool "readonly"; String "format"; String "iface"]), -1, [FishAlias "add"], + [], + "add an image to examine or modify", + "\ +This function adds a virtual machine disk image C to +libguestfs. The first time you call this function, the disk +appears as C, the second time as C, and +so on. + +You don't necessarily need to be root when using libguestfs. However +you obviously do need sufficient permissions to access the filename +for whatever operations you want to perform (ie. read access if you +just want to read the image or write access if you want to modify the +image). + +This call checks that C exists. + +The optional arguments are: + +=over 4 + +=item C + +If true then the image is treated as read-only. Writes are still +allowed, but they are stored in a temporary snapshot overlay which +is discarded at the end. The disk that you add is not modified. + +=item C + +This forces the image format. If you omit this (or use C +or C) then the format is automatically detected. +Possible formats include C and C. + +Automatic detection of the format opens you up to a potential +security hole when dealing with untrusted raw-format images. +See CVE-2010-3851 and RHBZ#642934. Specifying the format closes +this security hole. + +=item C + +This rarely-used option lets you emulate the behaviour of the +deprecated C call (q.v.) + +=back"); + ] (* daemon_functions are any functions which cause some action @@ -997,7 +1009,7 @@ not all belong to a single logical operating system *) let daemon_functions = [ - ("mount", (RErr, [Device "device"; String "mountpoint"]), 1, [], + ("mount", (RErr, [Device "device"; String "mountpoint"], []), 1, [], [InitEmpty, Always, TestOutput ( [["part_disk"; "/dev/sda"; "mbr"]; ["mkfs"; "ext2"; "/dev/sda1"]; @@ -1030,7 +1042,7 @@ C in any code that needs performance, and instead use C (use an empty string for the first parameter if you don't want any options)."); - ("sync", (RErr, []), 2, [], + ("sync", (RErr, [], []), 2, [], [ InitEmpty, Always, TestRun [["sync"]]], "sync disks, writes are flushed through to the disk image", "\ @@ -1040,7 +1052,7 @@ underlying disk image. You should always call this if you have modified a disk image, before closing the handle."); - ("touch", (RErr, [Pathname "path"]), 3, [], + ("touch", (RErr, [Pathname "path"], []), 3, [], [InitBasicFS, Always, TestOutputTrue ( [["touch"; "/new"]; ["exists"; "/new"]])], @@ -1053,7 +1065,7 @@ to create a new zero-length file. This command only works on regular files, and will fail on other file types such as directories, symbolic links, block special etc."); - ("cat", (RString "content", [Pathname "path"]), 4, [ProtocolLimitWarning], + ("cat", (RString "content", [Pathname "path"], []), 4, [ProtocolLimitWarning], [InitISOFS, Always, TestOutput ( [["cat"; "/known-2"]], "abcdef\n")], "list the contents of a file", @@ -1065,7 +1077,7 @@ Note that this function cannot correctly handle binary files as end of string). For those you need to use the C or C functions which have a more complex interface."); - ("ll", (RString "listing", [Pathname "directory"]), 5, [], + ("ll", (RString "listing", [Pathname "directory"], []), 5, [], [], (* XXX Tricky to test because it depends on the exact format * of the 'ls -l' command, which changes between F10 and F11. *) @@ -1077,7 +1089,7 @@ there is no cwd) in the format of 'ls -la'. This command is mostly useful for interactive sessions. It is I intended that you try to parse the output string."); - ("ls", (RStringList "listing", [Pathname "directory"]), 6, [], + ("ls", (RStringList "listing", [Pathname "directory"], []), 6, [], [InitBasicFS, Always, TestOutputList ( [["touch"; "/new"]; ["touch"; "/newer"]; @@ -1092,7 +1104,7 @@ hidden files are shown. This command is mostly useful for interactive sessions. Programs should probably use C instead."); - ("list_devices", (RStringList "devices", []), 7, [], + ("list_devices", (RStringList "devices", [], []), 7, [], [InitEmpty, Always, TestOutputListOfDevices ( [["list_devices"]], ["/dev/sda"; "/dev/sdb"; "/dev/sdc"; "/dev/sdd"])], "list the block devices", @@ -1103,7 +1115,7 @@ The full block device names are returned, eg. C. See also C."); - ("list_partitions", (RStringList "partitions", []), 8, [], + ("list_partitions", (RStringList "partitions", [], []), 8, [], [InitBasicFS, Always, TestOutputListOfDevices ( [["list_partitions"]], ["/dev/sda1"]); InitEmpty, Always, TestOutputListOfDevices ( @@ -1120,7 +1132,7 @@ call C. See also C."); - ("pvs", (RStringList "physvols", []), 9, [Optional "lvm2"], + ("pvs", (RStringList "physvols", [], []), 9, [Optional "lvm2"], [InitBasicFSonLVM, Always, TestOutputListOfDevices ( [["pvs"]], ["/dev/sda1"]); InitEmpty, Always, TestOutputListOfDevices ( @@ -1139,7 +1151,7 @@ PVs (eg. C). See also C."); - ("vgs", (RStringList "volgroups", []), 10, [Optional "lvm2"], + ("vgs", (RStringList "volgroups", [], []), 10, [Optional "lvm2"], [InitBasicFSonLVM, Always, TestOutputList ( [["vgs"]], ["VG"]); InitEmpty, Always, TestOutputList ( @@ -1160,7 +1172,7 @@ detected (eg. C). See also C."); - ("lvs", (RStringList "logvols", []), 11, [Optional "lvm2"], + ("lvs", (RStringList "logvols", [], []), 11, [Optional "lvm2"], [InitBasicFSonLVM, Always, TestOutputList ( [["lvs"]], ["/dev/VG/LV"]); InitEmpty, Always, TestOutputList ( @@ -1184,28 +1196,28 @@ This returns a list of the logical volume device names See also C, C."); - ("pvs_full", (RStructList ("physvols", "lvm_pv"), []), 12, [Optional "lvm2"], + ("pvs_full", (RStructList ("physvols", "lvm_pv"), [], []), 12, [Optional "lvm2"], [], (* XXX how to test? *) "list the LVM physical volumes (PVs)", "\ List all the physical volumes detected. This is the equivalent of the L command. The \"full\" version includes all fields."); - ("vgs_full", (RStructList ("volgroups", "lvm_vg"), []), 13, [Optional "lvm2"], + ("vgs_full", (RStructList ("volgroups", "lvm_vg"), [], []), 13, [Optional "lvm2"], [], (* XXX how to test? *) "list the LVM volume groups (VGs)", "\ List all the volumes groups detected. This is the equivalent of the L command. The \"full\" version includes all fields."); - ("lvs_full", (RStructList ("logvols", "lvm_lv"), []), 14, [Optional "lvm2"], + ("lvs_full", (RStructList ("logvols", "lvm_lv"), [], []), 14, [Optional "lvm2"], [], (* XXX how to test? *) "list the LVM logical volumes (LVs)", "\ List all the logical volumes detected. This is the equivalent of the L command. The \"full\" version includes all fields."); - ("read_lines", (RStringList "lines", [Pathname "path"]), 15, [], + ("read_lines", (RStringList "lines", [Pathname "path"], []), 15, [], [InitISOFS, Always, TestOutputList ( [["read_lines"; "/known-4"]], ["abc"; "def"; "ghi"]); InitISOFS, Always, TestOutputList ( @@ -1222,7 +1234,7 @@ Note that this function cannot correctly handle binary files as end of line). For those you need to use the C function which has a more complex interface."); - ("aug_init", (RErr, [Pathname "root"; Int "flags"]), 16, [Optional "augeas"], + ("aug_init", (RErr, [Pathname "root"; Int "flags"], []), 16, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "create a new Augeas handle", "\ @@ -1273,7 +1285,7 @@ To close the handle, you can call C. To find out more about Augeas, see L."); - ("aug_close", (RErr, []), 26, [Optional "augeas"], + ("aug_close", (RErr, [], []), 26, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "close the current Augeas handle", "\ @@ -1282,7 +1294,7 @@ used by it. After calling this, you have to call C again before you can use any other Augeas functions."); - ("aug_defvar", (RInt "nrnodes", [String "name"; OptString "expr"]), 17, [Optional "augeas"], + ("aug_defvar", (RInt "nrnodes", [String "name"; OptString "expr"], []), 17, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "define an Augeas variable", "\ @@ -1293,7 +1305,7 @@ undefined. On success this returns the number of nodes in C, or C<0> if C evaluates to something which is not a nodeset."); - ("aug_defnode", (RStruct ("nrnodescreated", "int_bool"), [String "name"; String "expr"; String "val"]), 18, [Optional "augeas"], + ("aug_defnode", (RStruct ("nrnodescreated", "int_bool"), [String "name"; String "expr"; String "val"], []), 18, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "define an Augeas node", "\ @@ -1308,14 +1320,14 @@ On success this returns a pair containing the number of nodes in the nodeset, and a boolean flag if a node was created."); - ("aug_get", (RString "val", [String "augpath"]), 19, [Optional "augeas"], + ("aug_get", (RString "val", [String "augpath"], []), 19, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "look up the value of an Augeas path", "\ Look up the value associated with C. If C matches exactly one node, the C is returned."); - ("aug_set", (RErr, [String "augpath"; String "val"]), 20, [Optional "augeas"], + ("aug_set", (RErr, [String "augpath"; String "val"], []), 20, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "set Augeas path to value", "\ @@ -1326,7 +1338,7 @@ the value to NULL. Due to an oversight in the libguestfs API you cannot do that with this call. Instead you must use the C call."); - ("aug_insert", (RErr, [String "augpath"; String "label"; Bool "before"]), 21, [Optional "augeas"], + ("aug_insert", (RErr, [String "augpath"; String "label"; Bool "before"], []), 21, [Optional "augeas"], [], (* XXX Augeas code needs tests. *) "insert a sibling Augeas node", "\ @@ -1338,7 +1350,7 @@ C must match exactly one existing node in the tree, and C