libvirt/suse-libvirtd-disable-tls.patch

Disable TLS by default

On SUSE distros, the default is for libvirtd to listen only on the
Unix Domain Socket. The libvirt client still provides remote access
via a SSH tunnel.
Index: libvirt-5.2.0/src/remote/libvirtd.conf
===================================================================
--- libvirt-5.2.0.orig/src/remote/libvirtd.conf
+++ libvirt-5.2.0/src/remote/libvirtd.conf
@@ -18,8 +18,8 @@
 # It is necessary to setup a CA and issue server certificates before
 # using this capability.
 #
-# This is enabled by default, uncomment this to disable it
-#listen_tls = 0
+# This is disabled by default, uncomment this to enable it
+#listen_tls = 1
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-5.2.0/src/remote/remote_daemon_config.c
===================================================================
--- libvirt-5.2.0.orig/src/remote/remote_daemon_config.c
+++ libvirt-5.2.0/src/remote/remote_daemon_config.c
@@ -108,7 +108,7 @@ daemonConfigNew(bool privileged ATTRIBUT
     if (VIR_ALLOC(data) < 0)
         return NULL;
 
-    data->listen_tls = 1;
+    data->listen_tls = 0;
     data->listen_tcp = 0;
 
     if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 ||
Index: libvirt-5.2.0/src/remote/test_libvirtd.aug.in
===================================================================
--- libvirt-5.2.0.orig/src/remote/test_libvirtd.aug.in
+++ libvirt-5.2.0/src/remote/test_libvirtd.aug.in
@@ -2,7 +2,7 @@ module Test_libvirtd =
    ::CONFIG::
 
    test Libvirtd.lns get conf =
-        { "listen_tls" = "0" }
+        { "listen_tls" = "1" }
         { "listen_tcp" = "1" }
         { "tls_port" = "16514" }
         { "tcp_port" = "16509" }
Accepting request 514264 from home:jfehlig:branches:Virtualization - Update to libvirt 3.6.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Fix unit tests on s390x and ppc64 8982f3ab-util-hash-header.patch, 0b1ecf7b-virHashCodeGen-mockable.patch. f536b0dd-tests-arch-independent-hash.patch - Patch cleanup - Renamed libvirtd-defaults.patch to suse-libvirtd-disable-tls.patch - Renamed libvirtd-init-script.patch to suse-libvirtd-sysconfig-settings.patch - Renamed virtlockd-init-script.patch to suse-virtlockd-sysconfig-settings.patch - Renamed virtlogd-init-script.patch to suse-virtlogd-sysconfig-settings.patch - Renamed libvirt-guests-init-script.patch to suse-libvirt-guests-service.patch - Combined suse-libvirtd-service.patch and systemd-service-xen.patch to suse-libvirtd-service-xen.patch since both patches add Xen support to libvirtd service file - Pull OVMF-related changes from suse-qemu-conf.patch into a new suse-ovmf-paths.patch - Add a supportconfig plugin libvirt-supportconfig FATE#323661 OBS-URL: https://build.opensuse.org/request/show/514264 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=615 2017-08-03 17:28:59 +00:00			`Disable TLS by default`

			`On SUSE distros, the default is for libvirtd to listen only on the`
			`Unix Domain Socket. The libvirt client still provides remote access`
			`via a SSH tunnel.`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`Index: libvirt-5.2.0/src/remote/libvirtd.conf`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=20 2008-09-01 15:06:07 +00:00			`===================================================================`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`--- libvirt-5.2.0.orig/src/remote/libvirtd.conf`
			`+++ libvirt-5.2.0/src/remote/libvirtd.conf`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=35 2009-01-29 00:42:42 +00:00			`@@ -18,8 +18,8 @@`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=20 2008-09-01 15:06:07 +00:00			`# It is necessary to setup a CA and issue server certificates before`
			`# using this capability.`
			`#`
			`-# This is enabled by default, uncomment this to disable it`
			`-#listen_tls = 0`
			`+# This is disabled by default, uncomment this to enable it`
			`+#listen_tls = 1`

			`# Listen for unencrypted TCP connections on the public TCP/IP port.`
			`# NB, must pass the --listen flag to the libvirtd process for this to`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`Index: libvirt-5.2.0/src/remote/remote_daemon_config.c`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=20 2008-09-01 15:06:07 +00:00			`===================================================================`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`--- libvirt-5.2.0.orig/src/remote/remote_daemon_config.c`
			`+++ libvirt-5.2.0/src/remote/remote_daemon_config.c`
Accepting request 666350 from home:jfehlig:branches:Virtualization - Update to libvirt 5.0.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Remove UML hypervisor driver - Dropped patches: de09ae2f-libxl-support-openvswitch.patch, 0a1b5653-xenconfig-support-openvswitch.patch - FATE#320928, FATE#325817, FATE#326380, FATE#326698 OBS-URL: https://build.opensuse.org/request/show/666350 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=723 2019-01-15 23:46:12 +00:00			`@@ -108,7 +108,7 @@ daemonConfigNew(bool privileged ATTRIBUT`
- Update to libvirt 1.1.0 - Adding device removal or deletion events - Introduce new domain create APIs to pass pre-opened FDs to LXC - Add interface versions for Xen 4.3 - Add new public API virDomainSetMemoryStatsPeriod - Various LXC improvements - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: f38c8185-CVE-2013-2230.patch, fd2e3c4c-xen-sysctl-domctl.patch, dfc69235-CVE-2013-4153.patch, 96518d43-CVE-2013-4154.patch, fe89fd3b-storage-pool-deadlock.patch - Drop relax-qemu-usergroup-check.patch - no longer needed after hypervisor-specific daemon package split OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=290 2013-07-30 20:33:47 +00:00			`if (VIR_ALLOC(data) < 0)`
update to libvirt 0.9.3 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=134 2011-07-05 20:25:50 +00:00			`return NULL;`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=20 2008-09-01 15:06:07 +00:00
update to libvirt 0.9.3 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=134 2011-07-05 20:25:50 +00:00			`- data->listen_tls = 1;`
			`+ data->listen_tls = 0;`
			`data->listen_tcp = 0;`

- Update to libvirt 1.0.6 - Move VirtualBox driver into libvirtd - Support for static routes on a virtual bridge - Various improvement for hostdev SCSI support - Switch to VIR_STRDUP and VIR_STRNDUP - Various cleanups and improvement in Xen and LXC drivers - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: f493d83f-cgroup-swap-control.patch, 486a86eb-cgroups-docs.patch, 0ced83dc-cgroup-escape-dot.patch, bbe97ae9-no-cgroups.patch, c2cf5f1c-no-cgroups-fix.patch, 95c6cc34-selinux.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=268 2013-06-04 22:48:46 +00:00			`if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 \|\|`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`Index: libvirt-5.2.0/src/remote/test_libvirtd.aug.in`
Accepting request 229020 from home:cbosdonnat:branches:Virtualization cleanup after upgrade to 1.2.3 OBS-URL: https://build.opensuse.org/request/show/229020 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=363 2014-04-04 13:07:17 +00:00			`===================================================================`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`--- libvirt-5.2.0.orig/src/remote/test_libvirtd.aug.in`
			`+++ libvirt-5.2.0/src/remote/test_libvirtd.aug.in`
Accepting request 229020 from home:cbosdonnat:branches:Virtualization cleanup after upgrade to 1.2.3 OBS-URL: https://build.opensuse.org/request/show/229020 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=363 2014-04-04 13:07:17 +00:00			`@@ -2,7 +2,7 @@ module Test_libvirtd =`
			`::CONFIG::`

			`test Libvirtd.lns get conf =`
			`- { "listen_tls" = "0" }`
			`+ { "listen_tls" = "1" }`
			`{ "listen_tcp" = "1" }`
			`{ "tls_port" = "16514" }`
			`{ "tcp_port" = "16509" }`