qemu-ga: add a whitelist for fsfreeze-safe commands

Currently we rely on fsfreeze/thaw commands disabling/enabling logging
then having other commands check whether logging is disabled to avoid
executing if they aren't safe for running while a filesystem is frozen.

Instead, have an explicit whitelist of fsfreeze-safe commands, and
consolidate logging and command enablement/disablement into a pair
of helper functions: ga_set_frozen()/ga_unset_frozen()

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
diff --git a/qapi/qmp-core.h b/qapi/qmp-core.h
index 3bb3acb..431ddbb 100644
--- a/qapi/qmp-core.h
+++ b/qapi/qmp-core.h
@@ -38,6 +38,7 @@
 QmpCommand *qmp_find_command(const char *name);
 QObject *qmp_dispatch(QObject *request);
 void qmp_disable_command(const char *name);
+void qmp_enable_command(const char *name);
 bool qmp_command_is_enabled(const char *name);
 char **qmp_get_command_list(void);
 
diff --git a/qapi/qmp-registry.c b/qapi/qmp-registry.c
index 25c89ad..43d5cde 100644
--- a/qapi/qmp-registry.c
+++ b/qapi/qmp-registry.c
@@ -40,18 +40,28 @@
     return NULL;
 }
 
-void qmp_disable_command(const char *name)
+static void qmp_toggle_command(const char *name, bool enabled)
 {
     QmpCommand *cmd;
 
     QTAILQ_FOREACH(cmd, &qmp_commands, node) {
         if (strcmp(cmd->name, name) == 0) {
-            cmd->enabled = false;
+            cmd->enabled = enabled;
             return;
         }
     }
 }
 
+void qmp_disable_command(const char *name)
+{
+    qmp_toggle_command(name, false);
+}
+
+void qmp_enable_command(const char *name)
+{
+    qmp_toggle_command(name, true);
+}
+
 bool qmp_command_is_enabled(const char *name)
 {
     QmpCommand *cmd;
diff --git a/qemu-ga.c b/qemu-ga.c
index 74a1b02..ac29b73 100644
--- a/qemu-ga.c
+++ b/qemu-ga.c
@@ -56,10 +56,22 @@
     GAService service;
 #endif
     bool delimit_response;
+    bool frozen;
+    GList *blacklist;
 };
 
 struct GAState *ga_state;
 
+/* commands that are safe to issue while filesystems are frozen */
+static const char *ga_freeze_whitelist[] = {
+    "guest-ping",
+    "guest-info",
+    "guest-sync",
+    "guest-fsfreeze-status",
+    "guest-fsfreeze-thaw",
+    NULL
+};
+
 #ifdef _WIN32
 DWORD WINAPI service_ctrl_handler(DWORD ctrl, DWORD type, LPVOID data,
                                   LPVOID ctx);
@@ -68,6 +80,15 @@
 
 static void quit_handler(int sig)
 {
+    /* if we're frozen, don't exit unless we're absolutely forced to,
+     * because it's basically impossible for graceful exit to complete
+     * unless all log/pid files are on unfreezable filesystems. there's
+     * also a very likely chance killing the agent before unfreezing
+     * the filesystems is a mistake (or will be viewed as one later).
+     */
+    if (ga_is_frozen(ga_state)) {
+        return;
+    }
     g_debug("received signal num %d, quitting", sig);
 
     if (g_main_loop_is_running(ga_state->main_loop)) {
@@ -206,6 +227,87 @@
     s->delimit_response = true;
 }
 
+static gint ga_strcmp(gconstpointer str1, gconstpointer str2)
+{
+    return strcmp(str1, str2);
+}
+
+/* disable commands that aren't safe for fsfreeze */
+static void ga_disable_non_whitelisted(void)
+{
+    char **list_head, **list;
+    bool whitelisted;
+    int i;
+
+    list_head = list = qmp_get_command_list();
+    while (*list != NULL) {
+        whitelisted = false;
+        i = 0;
+        while (ga_freeze_whitelist[i] != NULL) {
+            if (strcmp(*list, ga_freeze_whitelist[i]) == 0) {
+                whitelisted = true;
+            }
+            i++;
+        }
+        if (!whitelisted) {
+            g_debug("disabling command: %s", *list);
+            qmp_disable_command(*list);
+        }
+        g_free(*list);
+        list++;
+    }
+    g_free(list_head);
+}
+
+/* [re-]enable all commands, except those explictly blacklisted by user */
+static void ga_enable_non_blacklisted(GList *blacklist)
+{
+    char **list_head, **list;
+
+    list_head = list = qmp_get_command_list();
+    while (*list != NULL) {
+        if (g_list_find_custom(blacklist, *list, ga_strcmp) == NULL &&
+            !qmp_command_is_enabled(*list)) {
+            g_debug("enabling command: %s", *list);
+            qmp_enable_command(*list);
+        }
+        g_free(*list);
+        list++;
+    }
+    g_free(list_head);
+}
+
+bool ga_is_frozen(GAState *s)
+{
+    return s->frozen;
+}
+
+void ga_set_frozen(GAState *s)
+{
+    if (ga_is_frozen(s)) {
+        return;
+    }
+    /* disable all non-whitelisted (for frozen state) commands */
+    ga_disable_non_whitelisted();
+    g_warning("disabling logging due to filesystem freeze");
+    ga_disable_logging(s);
+    s->frozen = true;
+}
+
+void ga_unset_frozen(GAState *s)
+{
+    if (!ga_is_frozen(s)) {
+        return;
+    }
+
+    ga_enable_logging(s);
+    g_warning("logging re-enabled");
+
+    /* enable all disabled, non-blacklisted commands */
+    ga_enable_non_blacklisted(s->blacklist);
+    s->frozen = false;
+}
+
 #ifndef _WIN32
 static void become_daemon(const char *pidfile)
 {
@@ -513,12 +615,13 @@
         { "blacklist", 1, NULL, 'b' },
 #ifdef _WIN32
         { "service", 1, NULL, 's' },
-#endif        
+#endif
         { NULL, 0, NULL, 0 }
     };
     int opt_ind = 0, ch, daemonize = 0, i, j, len;
     GLogLevelFlags log_level = G_LOG_LEVEL_ERROR | G_LOG_LEVEL_CRITICAL;
     FILE *log_file = stderr;
+    GList *blacklist = NULL;
     GAState *s;
 
     module_call_init(MODULE_INIT_QAPI);
@@ -568,14 +671,12 @@
             for (j = 0, i = 0, len = strlen(optarg); i < len; i++) {
                 if (optarg[i] == ',') {
                     optarg[i] = 0;
-                    qmp_disable_command(&optarg[j]);
-                    g_debug("disabling command: %s", &optarg[j]);
+                    blacklist = g_list_append(blacklist, &optarg[j]);
                     j = i + 1;
                 }
             }
             if (j < i) {
-                qmp_disable_command(&optarg[j]);
-                g_debug("disabling command: %s", &optarg[j]);
+                blacklist = g_list_append(blacklist, &optarg[j]);
             }
             break;
         }
@@ -615,6 +716,15 @@
     g_log_set_default_handler(ga_log, s);
     g_log_set_fatal_mask(NULL, G_LOG_LEVEL_ERROR);
     s->logging_enabled = true;
+    s->frozen = false;
+    if (blacklist) {
+        s->blacklist = blacklist;
+        do {
+            g_debug("disabling command: %s", (char *)blacklist->data);
+            qmp_disable_command(blacklist->data);
+            blacklist = g_list_next(blacklist);
+        } while (blacklist);
+    }
     s->command_state = ga_command_state_new();
     ga_command_state_init(s, s->command_state);
     ga_command_state_init_all(s->command_state);
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 869d6ee..d58730a 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -316,16 +316,6 @@
 
 #if defined(CONFIG_FSFREEZE)
 
-static void disable_logging(void)
-{
-    ga_disable_logging(ga_state);
-}
-
-static void enable_logging(void)
-{
-    ga_enable_logging(ga_state);
-}
-
 typedef struct GuestFsfreezeMount {
     char *dirname;
     char *devtype;
@@ -334,10 +324,6 @@
 
 typedef QTAILQ_HEAD(, GuestFsfreezeMount) GuestFsfreezeMountList;
 
-struct {
-    GuestFsfreezeStatus status;
-} guest_fsfreeze_state;
-
 static void guest_fsfreeze_free_mount_list(GuestFsfreezeMountList *mounts)
 {
      GuestFsfreezeMount *mount, *temp;
@@ -400,7 +386,11 @@
  */
 GuestFsfreezeStatus qmp_guest_fsfreeze_status(Error **err)
 {
-    return guest_fsfreeze_state.status;
+    if (ga_is_frozen(ga_state)) {
+        return GUEST_FSFREEZE_STATUS_FROZEN;
+    }
+
+    return GUEST_FSFREEZE_STATUS_THAWED;
 }
 
 /*
@@ -424,7 +414,7 @@
     }
 
     /* cannot risk guest agent blocking itself on a write in this state */
-    disable_logging();
+    ga_set_frozen(ga_state);
 
     QTAILQ_FOREACH(mount, &mounts, next) {
         fd = qemu_open(mount->dirname, O_RDONLY);
@@ -459,7 +449,6 @@
         close(fd);
     }
 
-    guest_fsfreeze_state.status = GUEST_FSFREEZE_STATUS_FROZEN;
     guest_fsfreeze_free_mount_list(&mounts);
     return i;
 
@@ -519,23 +508,17 @@
         close(fd);
     }
 
-    guest_fsfreeze_state.status = GUEST_FSFREEZE_STATUS_THAWED;
-    enable_logging();
+    ga_unset_frozen(ga_state);
     guest_fsfreeze_free_mount_list(&mounts);
     return i;
 }
 
-static void guest_fsfreeze_init(void)
-{
-    guest_fsfreeze_state.status = GUEST_FSFREEZE_STATUS_THAWED;
-}
-
 static void guest_fsfreeze_cleanup(void)
 {
     int64_t ret;
     Error *err = NULL;
 
-    if (guest_fsfreeze_state.status == GUEST_FSFREEZE_STATUS_FROZEN) {
+    if (ga_is_frozen(ga_state) == GUEST_FSFREEZE_STATUS_FROZEN) {
         ret = qmp_guest_fsfreeze_thaw(&err);
         if (ret < 0 || err) {
             slog("failed to clean up frozen filesystems");
@@ -964,7 +947,7 @@
 void ga_command_state_init(GAState *s, GACommandState *cs)
 {
 #if defined(CONFIG_FSFREEZE)
-    ga_command_state_add(cs, guest_fsfreeze_init, guest_fsfreeze_cleanup);
+    ga_command_state_add(cs, NULL, guest_fsfreeze_cleanup);
 #endif
     ga_command_state_add(cs, guest_file_init, NULL);
 }
diff --git a/qga/guest-agent-core.h b/qga/guest-agent-core.h
index 304525d..bbb8b9b 100644
--- a/qga/guest-agent-core.h
+++ b/qga/guest-agent-core.h
@@ -32,3 +32,6 @@
 void ga_enable_logging(GAState *s);
 void slog(const gchar *fmt, ...);
 void ga_set_response_delimited(GAState *s);
+bool ga_is_frozen(GAState *s);
+void ga_set_frozen(GAState *s);
+void ga_unset_frozen(GAState *s);