From 8af0df1210909b7d78b46ff8b2e20a9bd61ae62a48a777b6193f68bc9aea326a Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Fri, 28 Aug 2015 20:30:35 +0000 Subject: [PATCH] Accepting request 327805 from home:jfehlig:branches:Virtualization Add fixes from SLE12 SP1 to Factory libvirt package. - Replace local libxl patches with upstream variants Dropped: 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch Added: 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch 15120b8c-libxl-no-resume-on-suspend-fail.patch e80b84a7-libxl-acquire-job-on-migrate.patch bsc#936185 - Added another virt-aa-helper upstream patch 52970dec-virt-aa-helper-improve-valid-path.patch lp#1483071 - Added upstream patch to fix libvirt-tck memory balloon test failure on Xen 60acb38-revert-curmem-inactive-dom.patch - Fix generated apparmor profile to allow access to ovmf and nvram. 26c5fa3a-virt-aa-helper-missing-doc.patch 2f01cfdf-virt-aa-helper-allow-ovmf.patch 91fdcefa-virt-aa-helper-allow-nvram.patch d25a5e08-virt-aa-helper-simplify-restriction-logic.patch lp#1483071 OBS-URL: https://build.opensuse.org/request/show/327805 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=479 --- ...0b8c-libxl-no-resume-on-suspend-fail.patch | 22 +++-- 26c5fa3a-virt-aa-helper-missing-doc.patch | 28 ++++++ 2f01cfdf-virt-aa-helper-allow-ovmf.patch | 30 +++++++ ...b0-libxl-fix-refcnt-MigrationDstArgs.patch | 77 ++++++++--------- ...ec-virt-aa-helper-improve-valid-path.patch | 85 +++++++++++++++++++ 60acb38-revert-curmem-inactive-dom.patch | 53 ++++++++++++ 91fdcefa-virt-aa-helper-allow-nvram.patch | 35 ++++++++ ...aa-helper-simplify-restriction-logic.patch | 65 ++++++++++++++ ...80b84a7-libxl-acquire-job-on-migrate.patch | 24 +++--- libvirt.changes | 30 +++++++ libvirt.spec | 24 ++++-- 11 files changed, 404 insertions(+), 69 deletions(-) rename 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch => 
15120b8c-libxl-no-resume-on-suspend-fail.patch (75%) create mode 100644 26c5fa3a-virt-aa-helper-missing-doc.patch create mode 100644 2f01cfdf-virt-aa-helper-allow-ovmf.patch rename 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch => 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch (53%) create mode 100644 52970dec-virt-aa-helper-improve-valid-path.patch create mode 100644 60acb38-revert-curmem-inactive-dom.patch create mode 100644 91fdcefa-virt-aa-helper-allow-nvram.patch create mode 100644 d25a5e08-virt-aa-helper-simplify-restriction-logic.patch rename 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch => e80b84a7-libxl-acquire-job-on-migrate.patch (70%) diff --git a/0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch b/15120b8c-libxl-no-resume-on-suspend-fail.patch similarity index 75% rename from 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch rename to 15120b8c-libxl-no-resume-on-suspend-fail.patch index bea44e7..e79b9ff 100644 --- a/0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch +++ b/15120b8c-libxl-no-resume-on-suspend-fail.patch @@ -1,16 +1,14 @@ -From 13d53b7763d3d93339cc33a19845bdd623524b81 Mon Sep 17 00:00:00 2001 -From: Jim Fehlig -Date: Thu, 16 Jul 2015 14:51:31 -0600 -Subject: libxl: don't attempt to resume domain when suspend fails +commit 15120b8c61014a9263cb53314076da9a44e39621 +Author: Jim Fehlig +Date: Wed Jul 15 17:29:15 2015 -0600 -Failure of libxl_domain_suspend() does not leave the domain in -a suspended state, so no need to call libxl_domain_resume(), -which btw will fail with "domain not suspended". - -Signed-off-by: Jim Fehlig ---- - src/libxl/libxl_migration.c | 14 -------------- - 1 file changed, 14 deletions(-) + libxl: don't attempt to resume domain when suspend fails + + Failure of libxl_domain_suspend() does not leave the domain in + a suspended state, so no need to call libxl_domain_resume(), + which btw will fail with "domain not suspended". + + 
Signed-off-by: Jim Fehlig Index: libvirt-1.2.18/src/libxl/libxl_migration.c =================================================================== diff --git a/26c5fa3a-virt-aa-helper-missing-doc.patch b/26c5fa3a-virt-aa-helper-missing-doc.patch new file mode 100644 index 0000000..cb50130 --- /dev/null +++ b/26c5fa3a-virt-aa-helper-missing-doc.patch @@ -0,0 +1,28 @@ +From 26c5fa3a9bd37624ddd1509daf7d6a84268f089e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Fri, 21 Aug 2015 12:29:25 +0200 +Subject: [PATCH 1/4] virt-aa-helper: document --probing and --dry-run + +--- + src/security/virt-aa-helper.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: libvirt-1.2.18/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.18/src/security/virt-aa-helper.c +@@ -107,12 +107,14 @@ vah_usage(void) + " Options:\n" + " -a | --add load profile\n" + " -c | --create create profile from template\n" ++ " -d | --dry-run dry run\n" + " -D | --delete unload and delete profile\n" + " -f | --add-file add file to profile\n" + " -F | --append-file append file to profile\n" + " -r | --replace reload profile\n" + " -R | --remove unload profile\n" + " -h | --help this help\n" ++ " -p | --probing [0|1] allow disk format probing\n" + " -u | --uuid uuid (profile name)\n" + "\n"), progname); + diff --git a/2f01cfdf-virt-aa-helper-allow-ovmf.patch b/2f01cfdf-virt-aa-helper-allow-ovmf.patch new file mode 100644 index 0000000..3f94432 --- /dev/null +++ b/2f01cfdf-virt-aa-helper-allow-ovmf.patch 
@@ -0,0 +1,30 @@ +From 2f01cfdf05448513d150ff1914d3444161c531b9 Mon Sep 17 00:00:00 2001 +From: intrigeri +Date: Fri, 21 Aug 2015 10:52:52 +0200 +Subject: [PATCH 3/4] virt-aa-helper: allow access to /usr/share/ovmf/ + +We forbid access to /usr/share/, but (at least on Debian-based systems) +the Open Virtual Machine Firmware files needed for booting UEFI virtual +machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add +that directory to the list of read only paths. + +A similar patch was suggested by Jamie Strandboge +on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071. +--- + src/security/virt-aa-helper.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libvirt-1.2.18/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.18/src/security/virt-aa-helper.c +@@ -572,7 +572,8 @@ valid_path(const char *path, const bool + "/boot/", + "/vmlinuz", + "/initrd", +- "/initrd.img" ++ "/initrd.img", ++ "/usr/share/ovmf/" /* for OVMF images */ + }; + /* override the above with these */ + const char * const override[] = { diff --git a/0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch b/44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch similarity index 53% rename from 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch rename to 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch index 39e9ea8..0e497d7 100644 --- a/0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch +++ b/44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch 
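Review bot: The new `"/usr/share/ovmf/"` entry goes into the array that sits just before `override[]`, which the d25a5e08 hunk in this same series consults as `restricted_rw` only when `readonly` is set, so it permits read-only access under that prefix while an `rw` request for a firmware image there is still rejected; that matches the OVMF use case but is worth stating in the comment, e.g. `"/usr/share/ovmf/" /* for OVMF images (read-only) */`. `array_starts_with` is a plain prefix comparison, so the trailing slash is what keeps sibling directories such as a hypothetical `/usr/share/ovmf-extra/` out of the allowed set; keep it if the entry is ever edited. The description names the Debian layout; since this series is applied to the openSUSE package, it is worth confirming that the directory this distribution ships OVMF in also falls under an allowed prefix, otherwise `valid_path` still rejects the loader here. The enclosing `valid_path` continues outside the hunk.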
@@ -1,49 +1,50 @@ -From 68ccc0077c7f5af07ccf6992192bfc924d0fdd83 Mon Sep 17 00:00:00 2001 -From: Jim Fehlig -Date: Thu, 16 Jul 2015 14:51:30 -0600 -Subject: libxl: fix ref counting of libxlMigrationDstArgs +commit 44a54eb073d2ae52ebf1661ae73bb1f0f98599f9 +Author: Jim Fehlig +Date: Wed Jul 15 16:35:50 2015 -0600 -This patch fixes some flawed logic around ref counting the -libxlMigrationDstArgs object. - -First, when adding sockets to the event loop with -virNetSocketAddIOCallback(), the generic virObjectFreeCallback() -was registered as a free function, with libxlMigrationDstArgs as -its parameter. A reference was also taken on -libxlMigrationDstArgs for each successful call to -virNetSocketAddIOCallback(). The rational behind this logic was -that the libxlMigrationDstArgs object had to out-live the socket -objects. But virNetSocketAddIOCallback() already takes a -reference on socket objects, ensuring their life until removed -from the event loop and unref'ed in virNetSocketEventFree(). We -only need to ensure libxlMigrationDstArgs lives until -libxlDoMigrateReceive() finishes, which can be done by simply -unref'ing libxlMigrationDstArgs at the end of -libxlDoMigrateReceive(). - -The second flaw was unref'ing the sockets in the failure path of -libxlMigrateReceive() and at the end of libxlDoMigrateReceive(). -As mentioned above, the sockets are already unref'ed by -virNetSocketEventFree() when removed from the event loop. -Attempting to unref the socket a second time resulted in a -libvirtd crash since the socket was previously unref'ed and -disposed. - -Signed-off-by: Jim Fehlig ---- - src/libxl/libxl_migration.c | 18 +++++------------- - 1 file changed, 5 insertions(+), 13 deletions(-) + libxl: fix ref counting of libxlMigrationDstArgs + + This patch fixes some flawed logic around ref counting the + libxlMigrationDstArgs object. 
+ + First, when adding sockets to the event loop with + virNetSocketAddIOCallback(), the generic virObjectFreeCallback() + was registered as a free function, with libxlMigrationDstArgs as + its parameter. A reference was also taken on + libxlMigrationDstArgs for each successful call to + virNetSocketAddIOCallback(). The rational behind this logic was + that the libxlMigrationDstArgs object had to out-live the socket + objects. But virNetSocketAddIOCallback() already takes a + reference on socket objects, ensuring their life until removed + from the event loop and unref'ed in virNetSocketEventFree(). We + only need to ensure libxlMigrationDstArgs lives until + libxlDoMigrateReceive() finishes, which can be done by simply + unref'ing libxlMigrationDstArgs at the end of + libxlDoMigrateReceive(). + + The second flaw was unref'ing the sockets in the failure path of + libxlMigrateReceive() and at the end of libxlDoMigrateReceive(). + As mentioned above, the sockets are already unref'ed by + virNetSocketEventFree() when removed from the event loop. + Attempting to unref the socket a second time resulted in a + libvirtd crash since the socket was previously unref'ed and + disposed. + + Signed-off-by: Jim Fehlig Index: libvirt-1.2.18/src/libxl/libxl_migration.c =================================================================== --- libvirt-1.2.18.orig/src/libxl/libxl_migration.c +++ libvirt-1.2.18/src/libxl/libxl_migration.c -@@ -112,11 +112,11 @@ libxlDoMigrateReceive(void *opaque) - virNetSocketUpdateIOCallback(socks[i], 0); +@@ -109,7 +109,6 @@ libxlDoMigrateReceive(void *opaque) + + /* Remove all listen socks from event handler, and close them. */ + for (i = 0; i < nsocks; i++) { +- virNetSocketUpdateIOCallback(socks[i], 0); virNetSocketRemoveIOCallback(socks[i]); virNetSocketClose(socks[i]); -- virObjectUnref(socks[i]); - socks[i] = NULL; + virObjectUnref(socks[i]); +@@ -117,6 +116,7 @@ libxlDoMigrateReceive(void *opaque) } args->nsocks = 0; VIR_FORCE_CLOSE(recvfd); 
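Review bot: The description kept in the renamed patch still says the second flaw was unref'ing the sockets at the end of `libxlDoMigrateReceive()`, but the upstream hunk it now carries keeps `virObjectUnref(socks[i]);` as unchanged context and removes `virNetSocketUpdateIOCallback(socks[i], 0);` instead, whereas the local version it replaces removed the unref. The two versions therefore change different lines of the socket-teardown loop, so this replacement changes the refcount behaviour of the built package, not only the provenance of the patch. If keeping the unref is intended (presumably it releases the reference `socks[i]` holds from socket creation, separate from the one the event loop took), a sentence saying so in libvirt.changes next to bsc#936185 would spare the next reader this comparison. The second nested hunk at line 116 is cut after `VIR_FORCE_CLOSE(recvfd);`, so the line it adds is outside this view.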
diff --git a/52970dec-virt-aa-helper-improve-valid-path.patch b/52970dec-virt-aa-helper-improve-valid-path.patch new file mode 100644 index 0000000..d9cacf2 --- /dev/null +++ b/52970dec-virt-aa-helper-improve-valid-path.patch 
@@ -0,0 +1,85 @@ +commit 52970dec5b4d0fd1a9baa593b46a33bd7eeaf6b8 +Author: Michal Privoznik +Date: Thu Aug 27 02:50:21 2015 +0200 + + virt-aa-helper: Improve valid_path + + So, after some movement in virt-aa-helper, I've noticed the + virt-aa-helper-test failing. I've ran gdb (it took me a while to + realize how to do that) and this showed up immediately: + + Program received signal SIGSEGV, Segmentation fault. + strlen () at ../sysdeps/x86_64/strlen.S:106 + 106 ../sysdeps/x86_64/strlen.S: No such file or directory. + (gdb) bt + #0 strlen () at ../sysdeps/x86_64/strlen.S:106 + #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525 + #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617 + #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823 + #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854 + #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931 + #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 , opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286 + #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982 + #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277 + #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332 + + So I've taken look at valid_path() because it is obviously + calling array_starts_with() 
with malformed @size. And here's the + result: there are two variables to hold the size of three arrays + and their value is recalculated before each call of + array_starts_with(). What if we just use three variables, + initialize them and do not touch them afterwards? + + 
Signed-off-by: Michal Privoznik + +Index: libvirt-1.2.18/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.18/src/security/virt-aa-helper.c +@@ -546,9 +546,6 @@ array_starts_with(const char *str, const + static int + valid_path(const char *path, const bool readonly) + { +- int npaths; +- int nropaths; +- + const char * const restricted[] = { + "/bin/", + "/etc/", +@@ -581,6 +578,10 @@ valid_path(const char *path, const bool + "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */ + }; + ++ const int nropaths = ARRAY_CARDINALITY(restricted); ++ const int nrwpaths = ARRAY_CARDINALITY(restricted_rw); ++ const int nopaths = ARRAY_CARDINALITY(override); ++ + if (path == NULL) { + vah_error(NULL, 0, _("bad pathname")); + return -1; +@@ -600,21 +601,18 @@ valid_path(const char *path, const bool + vah_warning(_("path does not exist, skipping file type checks")); + + /* overrides are always allowed */ +- npaths = sizeof(override)/sizeof(*(override)); +- if (array_starts_with(path, override, npaths) == 0) ++ if (array_starts_with(path, override, nopaths) == 0) + return 0; + + /* allow read only paths upfront */ + if (readonly) { +- nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); +- if (array_starts_with(path, restricted_rw, nropaths) == 0) ++ if (array_starts_with(path, restricted_rw, nrwpaths) == 0) + return 0; + } + + /* disallow RW acess to all paths in restricted and restriced_rw */ +- npaths = sizeof(restricted)/sizeof(*(restricted)); +- if ((array_starts_with(path, restricted, npaths) == 0 +- || array_starts_with(path, restricted_rw, nropaths) == 0)) ++ if ((array_starts_with(path, restricted, nropaths) == 0 || ++ array_starts_with(path, restricted_rw, nrwpaths) == 0)) + return 1; + + return 0; 
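Review bot: `nropaths` changes meaning between the two patches in this series: the d25a5e08 hunk defined it as the size of `restricted_rw`, and this hunk redefines it as `ARRAY_CARDINALITY(restricted)` while introducing `nrwpaths` for `restricted_rw` and `nopaths` for `override`, so a reader comparing the two versions of `valid_path` has to re-learn the suffixes. Names that carry the array they count, e.g. `nrestricted`, `nrestricted_rw`, `noverride`, would remove that ambiguity, and the counts would be better typed to match whatever `array_starts_with` takes for its size parameter (the context line cuts the signature off) rather than `const int` when `ARRAY_CARDINALITY` presumably yields a `size_t` — harmless for these small tables but a `-Wconversion` warning. The uninitialised-`nropaths` read behind the backtrace in the description is what this hunk fixes and is not re-raised here. Since this is an unmodified upstream commit, the rename belongs in an upstream follow-up rather than in the packaged patch.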
diff --git a/60acb38-revert-curmem-inactive-dom.patch b/60acb38-revert-curmem-inactive-dom.patch new file mode 100644 index 0000000..99ba50e --- /dev/null +++ b/60acb38-revert-curmem-inactive-dom.patch @@ -0,0 +1,53 @@ +commit 60acb38abbee1636a9cddf8d296f700d115c8f77 +Author: Jim Fehlig +Date: Mon Aug 10 12:49:55 2015 -0600 + + Revert "LXC: show used memory as 0 when domain is not active" + + This reverts commit 1ce7c1d20cfd5afb26d2dbc88201085d52415d0e, + which introduced a significant semantic change to the + virDomainGetInfo() API. Additionally, the change was only + made to 2 of the 15 virt drivers. + + Conflicts: + src/qemu/qemu_driver.c + + 
Signed-off-by: Jim Fehlig + +Index: libvirt-1.2.18/src/lxc/lxc_driver.c +=================================================================== +--- libvirt-1.2.18.orig/src/lxc/lxc_driver.c ++++ libvirt-1.2.18/src/lxc/lxc_driver.c +@@ -597,7 +597,7 @@ static int lxcDomainGetInfo(virDomainPtr + + if (!virDomainObjIsActive(vm)) { + info->cpuTime = 0; +- info->memory = 0; ++ info->memory = vm->def->mem.cur_balloon; + } else { + if (virCgroupGetCpuacctUsage(priv->cgroup, &(info->cpuTime)) < 0) { + virReportError(VIR_ERR_OPERATION_FAILED, +Index: libvirt-1.2.18/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-1.2.18.orig/src/qemu/qemu_driver.c ++++ libvirt-1.2.18/src/qemu/qemu_driver.c +@@ -2641,13 +2641,13 @@ qemuDomainGetInfo(virDomainPtr dom, + goto cleanup; + } + +- if (virDomainObjIsActive(vm)) { +- if (VIR_ASSIGN_IS_OVERFLOW(info->memory, vm->def->mem.cur_balloon)) { +- virReportError(VIR_ERR_OVERFLOW, "%s", +- _("Current memory size too large")); +- goto cleanup; +- } ++ if (VIR_ASSIGN_IS_OVERFLOW(info->memory, vm->def->mem.cur_balloon)) { ++ virReportError(VIR_ERR_OVERFLOW, "%s", ++ _("Current memory size too large")); ++ goto cleanup; ++ } + ++ if (virDomainObjIsActive(vm)) { + if (qemuGetProcessInfo(&(info->cpuTime), NULL, NULL, vm->pid, 0) < 0) { + virReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("cannot read cputime for domain")); diff --git a/91fdcefa-virt-aa-helper-allow-nvram.patch b/91fdcefa-virt-aa-helper-allow-nvram.patch new file mode 100644 index 0000000..a3b028b --- /dev/null +++ b/91fdcefa-virt-aa-helper-allow-nvram.patch 
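Review bot: The lxc hunk assigns `info->memory = vm->def->mem.cur_balloon;` directly, whereas the qemu hunk in the same patch routes the identical assignment through `VIR_ASSIGN_IS_OVERFLOW` and reports `VIR_ERR_OVERFLOW` with `_("Current memory size too large")` on failure; restoring the old line is what a revert does, but the two drivers now disagree on how a balloon value that does not fit `info->memory` is handled. A follow-up that wraps the lxc assignment in the same four-line guard, reporting the same message and jumping to the function's cleanup label, would make them consistent — whether `lxcDomainGetInfo` has such a label cannot be seen here. Both `lxcDomainGetInfo` and `qemuDomainGetInfo` start and end outside the hunk.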
@@ -0,0 +1,35 @@ +From 91fdcefa7f145c1c39acc8e9a44fbfbf11568e54 Mon Sep 17 00:00:00 2001 +From: Peter Kieser +Date: Thu, 20 Aug 2015 10:58:59 -0700 +Subject: [PATCH 4/4] virt-aa-helper: add NVRAM store file for read/write + +This is a cryptographically signed message in MIME format. + +Some UEFI firmwares may want to use a non-volatile memory to store some +variables. +If AppArmor is enabled, and NVRAM store file is set currently +virt-aa-helper does +not add the NVRAM store file to the template. Add this file for +read/write when +this functionality is defined in domain XML. + +Signed-off-by: Peter Kieser +--- + src/security/virt-aa-helper.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libvirt-1.2.18/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.18/src/security/virt-aa-helper.c +@@ -1057,6 +1057,10 @@ get_files(vahControl * ctl) + if (vah_add_file(&buf, ctl->def->os.loader->path, "r") != 0) + goto cleanup; + ++ if (ctl->def->os.loader && ctl->def->os.loader->nvram) ++ if (vah_add_file(&buf, ctl->def->os.loader->nvram, "rw") != 0) ++ goto cleanup; ++ + for (i = 0; i < ctl->def->ngraphics; i++) { + if (ctl->def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && + ctl->def->graphics[i]->data.vnc.socket && diff --git a/d25a5e08-virt-aa-helper-simplify-restriction-logic.patch b/d25a5e08-virt-aa-helper-simplify-restriction-logic.patch new file mode 100644 index 0000000..a374e84 --- /dev/null +++ b/d25a5e08-virt-aa-helper-simplify-restriction-logic.patch 
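Review bot: The added check is an unbraced `if` nested inside another unbraced `if`, which invites the classic dangling-`else` mistake on the next edit; folding it into one condition reads the same and keeps the early exit: `if (ctl->def->os.loader && ctl->def->os.loader->nvram && vah_add_file(&buf, ctl->def->os.loader->nvram, "rw") != 0) goto cleanup;`. Granting `"rw"` on the NVRAM store is what the feature needs, and because the path still goes through `vah_add_file` and therefore `valid_path`, the restricted-prefix checks apply to it as they do to the loader. The guard around the preceding `"r"` entry for `loader->path` is outside the hunk, so whether the new `ctl->def->os.loader` test duplicates it cannot be confirmed here. `get_files` starts and ends outside the hunk.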
@@ -0,0 +1,65 @@ +From d25a5e087ae10142d3d533ed193146736526b2ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Fri, 21 Aug 2015 10:49:15 +0200 +Subject: [PATCH 2/4] virt-aa-helper: Simplify restriction logic + +First check overrides, then read only files then restricted access +itself. + +This allows us to mark files for read only access whose parents were +already restricted for read write. + +Based on a proposal by Martin Kletzander +--- + src/security/virt-aa-helper.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +Index: libvirt-1.2.18/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.18/src/security/virt-aa-helper.c +@@ -546,7 +546,9 @@ array_starts_with(const char *str, const + static int + valid_path(const char *path, const bool readonly) + { +- int npaths, opaths; ++ int npaths; ++ int nropaths; ++ + const char * const restricted[] = { + "/bin/", + "/etc/", +@@ -596,18 +598,23 @@ valid_path(const char *path, const bool + if (!virFileExists(path)) + vah_warning(_("path does not exist, skipping file type checks")); + +- opaths = sizeof(override)/sizeof(*(override)); ++ /* overrides are always allowed */ ++ npaths = sizeof(override)/sizeof(*(override)); ++ if (array_starts_with(path, override, npaths) == 0) ++ return 0; ++ ++ /* allow read only paths upfront */ ++ if (readonly) { ++ nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); ++ if (array_starts_with(path, restricted_rw, nropaths) == 0) ++ return 0; ++ } + ++ /* disallow RW acess to all paths in restricted and restriced_rw */ + npaths = sizeof(restricted)/sizeof(*(restricted)); +- if (array_starts_with(path, restricted, npaths) == 0 && +- array_starts_with(path, override, opaths) != 0) +- return 1; +- +- npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); +- if (!readonly) { +- if (array_starts_with(path, 
restricted_rw, npaths) == 0) +- return 1; +- } ++ if ((array_starts_with(path, restricted, npaths) == 0 ++ || array_starts_with(path, restricted_rw, nropaths) == 0)) ++ return 1; + + return 0; + } diff --git a/0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch b/e80b84a7-libxl-acquire-job-on-migrate.patch similarity index 70% rename from 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch rename to e80b84a7-libxl-acquire-job-on-migrate.patch index bb91fda..a95d3b7 100644 --- a/0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch +++ b/e80b84a7-libxl-acquire-job-on-migrate.patch @@ -1,17 +1,15 @@ -From 710088061fb3caaf3d56888b05ad2d331a740d07 Mon Sep 17 00:00:00 2001 -From: Jim Fehlig -Date: Thu, 16 Jul 2015 14:51:32 -0600 -Subject: libxl: acquire a job when receiving a migrating domain +commit e80b84a74324cd535ec7232c4e1653805af2103a +Author: Jim Fehlig +Date: Thu Jul 16 12:24:32 2015 -0600 -Commit f86ae403 moved acquiring a job from libxlDomainStart() -to its callers. One spot missed was in libxlDoMigrateReceive(). -Acquire a job in libxlDoMigrateReceive() before calling -libxlDomainStart(). - -Signed-off-by: Jim Fehlig ---- - src/libxl/libxl_migration.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) + libxl: acquire a job when receiving a migrating domain + + Commit f86ae403 moved acquiring a job from libxlDomainStart() + to its callers. One spot missed was in libxlDoMigrateReceive(). + Acquire a job in libxlDoMigrateReceive() before calling + libxlDomainStart(). + + Signed-off-by: Jim Fehlig Index: libvirt-1.2.18/src/libxl/libxl_migration.c =================================================================== diff --git a/libvirt.changes b/libvirt.changes index f5c5ff7..b49ac4a 100644 --- a/libvirt.changes +++ b/libvirt.changes 
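Review bot: `nropaths` is assigned only inside `if (readonly)` but is read unconditionally in the final `array_starts_with(path, restricted_rw, nropaths)`, so a read-write request passes an uninitialised size, which is undefined behaviour and is the crash shown in the 52970dec description. That later patch (Patch5 in the spec) repairs it, so the fully patched tree is fine, but the tree between %patch2 and %patch5 is not, and anyone cherry-picking this patch on its own inherits the bug. If the two must ever be separated, hoisting `nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));` above the `if (readonly)` block is the minimal fix. `valid_path` starts in the first nested hunk and its closing brace is in the second, so the whole function is visible across the two.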
@@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Fri Aug 28 17:41:30 UTC 2015 - jfehlig@suse.com + +- Replace local libxl patches with upstream variants + Dropped: + 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch + 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch + 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch + Added: + 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch + 15120b8c-libxl-no-resume-on-suspend-fail.patch + e80b84a7-libxl-acquire-job-on-migrate.patch + bsc#936185 +- Added another virt-aa-helper upstream patch + 52970dec-virt-aa-helper-improve-valid-path.patch + lp#1483071 +- Added upstream patch to fix libvirt-tck memory balloon test + failure on Xen + 60acb38-revert-curmem-inactive-dom.patch + +------------------------------------------------------------------- +Wed Aug 26 14:38:40 UTC 2015 - cbosdonnat@suse.com + +- Fix generated apparmor profile to allow access to ovmf and nvram. + 26c5fa3a-virt-aa-helper-missing-doc.patch + 2f01cfdf-virt-aa-helper-allow-ovmf.patch + 91fdcefa-virt-aa-helper-allow-nvram.patch + d25a5e08-virt-aa-helper-simplify-restriction-logic.patch + lp#1483071 + ------------------------------------------------------------------- Mon Aug 24 16:18:10 UTC 2015 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 813a6d8..9544bdd 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -447,10 +447,16 @@ Source4: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches Patch0: 269d39af-storage-allocation-fix.patch +Patch1: 26c5fa3a-virt-aa-helper-missing-doc.patch +Patch2: d25a5e08-virt-aa-helper-simplify-restriction-logic.patch +Patch3: 2f01cfdf-virt-aa-helper-allow-ovmf.patch +Patch4: 91fdcefa-virt-aa-helper-allow-nvram.patch +Patch5: 52970dec-virt-aa-helper-improve-valid-path.patch +Patch6: 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch +Patch7: 15120b8c-libxl-no-resume-on-suspend-fail.patch +Patch8: e80b84a7-libxl-acquire-job-on-migrate.patch +Patch9: 60acb38-revert-curmem-inactive-dom.patch # Patches pending upstream review -Patch100: 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch -Patch101: 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch -Patch102: 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch # Need to go upstream Patch150: xen-pv-cdrom.patch Patch151: blockcopy-check-dst-identical-device.patch @@ -981,9 +987,15 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %prep %setup -q %patch0 -p1 -%patch100 -p1 -%patch101 -p1 -%patch102 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1
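Review bot: The `# Patches pending upstream review` heading is left in place with nothing under it now that Patch100–Patch102 are gone, so the spec carries an empty section between the upstream group and `# Need to go upstream`. Either drop the line or make the placeholder explicit, e.g. `# Patches pending upstream review (Patch100-Patch149, none at present)`. The %prep hunk keeps the numbering in step with the Patch list, and applying d25a5e08 (Patch2) before 52970dec (Patch5), whose hunk edits the lines the former introduces, is the order the patch contents require.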