From 6aecdae0d27737ad4fc2069e2e0ad1bf626da7608060687814ea37718078f56c Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 14 Oct 2013 20:02:22 +0000 Subject: [PATCH 1/7] - libvirtd apparmor profile was denying access to /usr/lib/xen/bin/qemu-system-i386, which is now the default emulator used with Xen guests Updated install-apparmor-profiles.patch bnc#845648 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=304 --- install-apparmor-profiles.patch | 3 ++- libvirt.changes | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index 1cc53e2..5cb6574 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -202,7 +202,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null +++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in -@@ -0,0 +1,58 @@ +@@ -0,0 +1,59 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include +@{LIBVIRT}="libvirt" @@ -244,6 +244,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in + /usr/bin/* Ux, + /usr/sbin/* Ux, + /usr/lib/xen/bin/qemu-dm Ux, ++ /usr/lib/xen/bin/qemu-system-i386 Ux, + /usr/lib/PolicyKit/polkit-read-auth-helper Px, + + # force the use of virt-aa-helper diff --git a/libvirt.changes b/libvirt.changes index 29f615d..73c4675 100644 --- a/libvirt.changes +++ b/libvirt.changes 
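Review bot: The new `/usr/lib/xen/bin/qemu-system-i386 Ux,` line in the usr.sbin.libvirtd.in hunk has no comment, so nothing in the profile records that it is the Xen default emulator allowed for bnc#845648 rather than a stray entry. `Ux` is unconfined execution, the same mode as the `qemu-dm` entry above it, so the emulator runs without a profile of its own unless libvirtd transitions to a per-domain profile before the exec, which this hunk does not show; that is worth stating beside the rule. Suggested comment above the two Xen lines: `# Xen device-model emulators run unconfined; qemu-system-i386 is now the default (bnc#845648)`. The `# Last Modified: Fri Aug 19 11:20:36 2011` header in the same file is not updated by the change.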
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Oct 14 13:46:14 MDT 2013 - jfehlig@suse.com + +- libvirtd apparmor profile was denying access to + /usr/lib/xen/bin/qemu-system-i386, which is now the default + emulator used with Xen guests + Updated install-apparmor-profiles.patch + bnc#845648 + ------------------------------------------------------------------- Thu Oct 3 11:04:26 MDT 2013 - jfehlig@suse.com From ec267e5c8faa3cf0661aeff4b154fa314b7e6ac607cd8bb990534b98c5de562c Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 14 Oct 2013 22:04:45 +0000 Subject: [PATCH 2/7] - virt-aa-helper apparmor profile was denying read access to /proc/$PID/*. Give read accesss to these files. Updated install-apparmor-profiles.patch bnc#841720 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=305 --- install-apparmor-profiles.patch | 3 ++- libvirt.changes | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index 5cb6574..b3a7bcb 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -57,7 +57,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null +++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in -@@ -0,0 +1,40 @@ +@@ -0,0 +1,41 @@ +# Last Modified: Fri Aug 19 11:21:48 2011 +#include + @@ -71,6 +71,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in + # needed for when disk is on a network filesystem + network inet, + ++ @{PROC}/[0-9]** r, + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, + diff --git a/libvirt.changes b/libvirt.changes index 73c4675..7532647 100644 --- a/libvirt.changes +++ b/libvirt.changes 
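Review bot: The added `@{PROC}/[0-9]** r,` in the usr.lib.libvirt.virt-aa-helper.in hunk is wider than the `/proc/$PID/*` the commit message describes: `**` matches across directory separators, so the helper can read every file under every numeric /proc directory (fd/, task/, environ, and so on), not just the top-level entries of one process. If only a handful of files are needed, listing them the way the neighbouring `@{PROC}/filesystems r,` does, or limiting the rule to the helper's own pid, keeps the profile minimal. The `deny @{PROC}/[0-9]*/mounts r,` just below still takes effect because AppArmor gives deny rules precedence over allow rules, so mounts remains blocked. A comment naming what the helper actually reads would make the grant auditable, e.g. `# read access under /proc/<pid>/ (bnc#841720) — TODO list the specific files needed`.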
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Oct 14 16:01:46 MDT 2013 - jfehlig@suse.com + +- virt-aa-helper apparmor profile was denying read access to + /proc/$PID/*. Give read accesss to these files. + Updated install-apparmor-profiles.patch + bnc#841720 + ------------------------------------------------------------------- Mon Oct 14 13:46:14 MDT 2013 - jfehlig@suse.com From 2b3f0e149997640fab214377f281bd149eabf3ee916b10996649069761c2145f Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 14 Oct 2013 22:51:07 +0000 Subject: [PATCH 3/7] - Update the stale gettext BuildRequires and Requires dependencies in the spec file bnc#841325 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=306 --- libvirt.changes | 7 +++++++ libvirt.spec | 5 ++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index 7532647..84d977c 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Oct 14 16:40:25 MDT 2013 - jfehlig@suse.com + +- Update the stale gettext BuildRequires and Requires dependencies + in the spec file + bnc#841325 + ------------------------------------------------------------------- Mon Oct 14 16:01:46 MDT 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 00ea56f..58ab4d4 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -273,7 +273,7 @@ Requires: libvirt-client = %{version}-%{release} # listed against each sub-RPM BuildRequires: autoconf BuildRequires: automake -BuildRequires: gettext-devel +BuildRequires: gettext-tools BuildRequires: libtool %if %{with_systemd} BuildRequires: systemd @@ -282,7 +282,6 @@ BuildRequires: systemd BuildRequires: xen-devel %endif BuildRequires: fdupes -BuildRequires: gettext BuildRequires: libattr-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel 
@@ -849,7 +848,7 @@ Requires: readline # (client invokes 'nc' against the UNIX socket on the server) Requires: netcat-openbsd # Needed by libvirt-guests init script. -Requires: gettext +Requires: gettext-runtime # Needed by virt-pki-validate script. Requires: gnutls # Needed for probing the power management features of the host. From 4f9e403a4175e347ea50329b0dd65289480050455ac95f2b875571017a7ee5e0 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Tue, 15 Oct 2013 02:35:05 +0000 Subject: [PATCH 4/7] - CVE-2013-4399: Fix crash in libvirtd when events are registered and ACLs active 8294aa0c-CVE-2013-4399.patch bnc#844052 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=307 --- 8294aa0c-CVE-2013-4399.patch | 48 ++++++++++++++++++++++++++++++++++++ libvirt.changes | 8 ++++++ libvirt.spec | 2 ++ 3 files changed, 58 insertions(+) create mode 100644 8294aa0c-CVE-2013-4399.patch diff --git a/8294aa0c-CVE-2013-4399.patch b/8294aa0c-CVE-2013-4399.patch new file mode 100644 index 0000000..a472fb9 --- /dev/null +++ b/8294aa0c-CVE-2013-4399.patch @@ -0,0 +1,48 @@ +commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b +Author: Daniel P. Berrange +Date: Fri Sep 27 15:46:07 2013 +0100 + + Fix crash in libvirtd when events are registered & ACLs active + + When a client disconnects from libvirtd, all event callbacks + must be removed. This involves running the public API + + virConnectDomainEventDeregisterAny + + This code does not run in normal API dispatch context, so no + identity was set. The result was that the access control drivers + denied the attempt to deregister callbacks. The callbacks thus + continued to trigger after the client was free'd causing fairly + predictable use of free memory & a crash. + + This can be triggered by any client with readonly access when + the ACL drivers are active. + + 
Signed-off-by: Daniel P. Berrange + +Index: libvirt-1.1.2/daemon/remote.c +=================================================================== +--- libvirt-1.1.2.orig/daemon/remote.c ++++ libvirt-1.1.2/daemon/remote.c +@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data) + + /* Deregister event delivery callback */ + if (priv->conn) { ++ virIdentityPtr sysident = virIdentityGetSystem(); + size_t i; + ++ virIdentitySetCurrent(sysident); ++ + for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) { + if (priv->domainEventCallbackID[i] != -1) { + VIR_DEBUG("Deregistering to relay remote events %zu", i); +@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data) + } + + virConnectClose(priv->conn); ++ ++ virIdentitySetCurrent(NULL); ++ virObjectUnref(sysident); + } + + VIR_FREE(priv); diff --git a/libvirt.changes b/libvirt.changes index 84d977c..cfa2319 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Oct 14 20:33:43 MDT 2013 - jfehlig@suse.com + +- CVE-2013-4399: Fix crash in libvirtd when events are registered + and ACLs active + 8294aa0c-CVE-2013-4399.patch + bnc#844052 + ------------------------------------------------------------------- Mon Oct 14 16:40:25 MDT 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 58ab4d4..9a42ba3 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -409,6 +409,7 @@ Patch2: db7a5688-CVE-2013-4311.patch Patch3: e65667c0-CVE-2013-4311.patch Patch4: 922b7fda-CVE-2013-4311.patch Patch5: e4697b92-CVE-2013-4311.patch +Patch6: 8294aa0c-CVE-2013-4399.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch @@ -913,6 +914,7 @@ of recent versions of Linux (and other OSes). %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch100 -p1 %patch101 %patch102 -p1 From 17e6200a6a20074465b73ca59f349969eced368a0425b8d3c55b10222378c741 Mon Sep 17 00:00:00 2001 
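Review bot: In the backported remote.c hunk, the value returned by `virIdentityGetSystem()` is passed to `virIdentitySetCurrent(sysident)` without a NULL check. If that call can fail (its contract is not visible here), the current identity is set to NULL and the deregistration loop runs as it did before the fix, so the ACL denial and the use-after-free described in CVE-2013-4399 stay reachable on that path, now without any diagnostic. At minimum a warning on that path, e.g. `if (!sysident) VIR_WARN("Unable to get system identity; event deregistration may be denied");`, would make the failure visible in the log. Since 8294aa0c-CVE-2013-4399.patch is a copy of upstream commit 8294aa0c, such a change belongs upstream with the packaging patch refreshed afterwards; `remoteClientFreeFunc` begins before the hunk.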
From: James Fehlig Date: Tue, 15 Oct 2013 02:48:48 +0000 Subject: [PATCH 5/7] Also reference bnc#842300 in changelog OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=308 --- libvirt.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.changes b/libvirt.changes index cfa2319..d248742 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -4,7 +4,7 @@ Mon Oct 14 20:33:43 MDT 2013 - jfehlig@suse.com - CVE-2013-4399: Fix crash in libvirtd when events are registered and ACLs active 8294aa0c-CVE-2013-4399.patch - bnc#844052 + bnc#844052, bnc#842300 ------------------------------------------------------------------- Mon Oct 14 16:40:25 MDT 2013 - jfehlig@suse.com From 2df984b272a1e4f36473f50b2fc202ed12dcd2698e27989d0a0843b1ce8f55b2 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Tue, 15 Oct 2013 03:27:06 +0000 Subject: [PATCH 6/7] - qemu: Fix seamless SPICE migration 484cc321-fix-spice-migration.patch bnc#842301 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=309 --- 484cc321-fix-spice-migration.patch | 31 ++++++++++++++++++++++++++++++ libvirt.changes | 7 +++++++ libvirt.spec | 2 ++ 3 files changed, 40 insertions(+) create mode 100644 484cc321-fix-spice-migration.patch diff --git a/484cc321-fix-spice-migration.patch b/484cc321-fix-spice-migration.patch new file mode 100644 index 0000000..84b7bab --- /dev/null +++ b/484cc321-fix-spice-migration.patch 
@@ -0,0 +1,31 @@ +commit 484cc3217b73b865f00bf42a9c12187b37200699 +Author: Martin Kletzander +Date: Fri Sep 20 16:40:20 2013 +0200 + + qemu: Fix seamless SPICE migration + + Since the wait is done during migration (still inside + QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such + in order to prohibit all other jobs from interfering in the meantime. + This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was + waiting on the monitor condition and after GetSpiceMigrationStatus + mangled its internal data, the daemon crashed. + + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886 + +Index: libvirt-1.1.2/src/qemu/qemu_migration.c +=================================================================== +--- libvirt-1.1.2.orig/src/qemu/qemu_migration.c ++++ libvirt-1.1.2/src/qemu/qemu_migration.c +@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP + /* Poll every 50ms for progress & to allow cancellation */ + struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull }; + +- qemuDomainObjEnterMonitor(driver, vm); ++ if (qemuDomainObjEnterMonitorAsync(driver, vm, ++ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0) ++ return -1; ++ + if (qemuMonitorGetSpiceMigrationStatus(priv->mon, + &spice_migrated) < 0) { + qemuDomainObjExitMonitor(driver, vm); diff --git a/libvirt.changes b/libvirt.changes index d248742..af6f7f6 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Oct 14 21:25:49 MDT 2013 - jfehlig@suse.com + +- qemu: Fix seamless SPICE migration + 484cc321-fix-spice-migration.patch + bnc#842301 + ------------------------------------------------------------------- Mon Oct 14 20:33:43 MDT 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 9a42ba3..fd0d926 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -410,6 +410,7 @@ Patch3: e65667c0-CVE-2013-4311.patch Patch4: 922b7fda-CVE-2013-4311.patch Patch5: e4697b92-CVE-2013-4311.patch Patch6: 8294aa0c-CVE-2013-4399.patch +Patch7: 484cc321-fix-spice-migration.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch @@ -915,6 +916,7 @@ of recent versions of Linux (and other OSes). %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch100 -p1 %patch101 %patch102 -p1 From e9ae5f79666826aee0657ce1695682102f7439e240fa5167db8b0e81672b3fd0 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Tue, 15 Oct 2013 04:28:21 +0000 Subject: [PATCH 7/7] - Move virt-login-shell to new subpackage libvirt-login-shell, requiring users to opt-in for this setuid binary. Note: For now, virt-login-shell will not have setuid permissions, pending resolution of bnc#837609 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=310 --- libvirt.changes | 8 ++++++++ libvirt.spec | 24 ++++++++++++++++++------ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index af6f7f6..86abbbd 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Oct 14 22:20:41 MDT 2013 - jfehlig@suse.com + +- Move virt-login-shell to new subpackage libvirt-login-shell, + requiring users to opt-in for this setuid binary. Note: For now, + virt-login-shell will not have setuid permissions, pending + resolution of bnc#837609 + ------------------------------------------------------------------- Mon Oct 14 21:25:49 MDT 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index fd0d926..f870a1d 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -892,6 +892,15 @@ Requires: augeas Includes the Sanlock lock manager plugin for the QEMU driver %endif +%package login-shell +Summary: Login shell for containers +Group: Development/Libraries/C and C++ +Requires: %{name}-client = %{version}-%{release} + +%description login-shell +Povides virt-login-shell, a tool to execute a shell within a container +matching the users name + %if %{with_python} %package python @@ -1597,17 +1606,11 @@ fi %doc %{_mandir}/man1/virt-xml-validate.1* %doc %{_mandir}/man1/virt-pki-validate.1* %doc %{_mandir}/man1/virt-host-validate.1* -%doc %{_mandir}/man1/virt-login-shell.1* %config(noreplace) %{_sysconfdir}/%{name}/libvirt.conf -%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf %{_bindir}/virsh %{_bindir}/virt-xml-validate %{_bindir}/virt-pki-validate %{_bindir}/virt-host-validate -# setuid binary that needs security audit - bnc#837609 -# In the meantime, don't install setuid -#%attr(4755, root, root) %{_bindir}/virt-login-shell -%{_bindir}/virt-login-shell %dir %{_libdir}/%{name} %{_libdir}/lib*.so.* %attr(0755, root, root) %{_libdir}/%{name}/libvirt-guests.sh @@ -1687,6 +1690,15 @@ fi %attr(0755, root, root) %{_libdir}/%{name}/libvirt_sanlock_helper %endif +%files login-shell +%defattr(-, root, root) +%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf +%doc %{_mandir}/man1/virt-login-shell.1* +# setuid binary that needs security audit - bnc#837609 +# In the meantime, don't install setuid +#%attr(4755, root, root) %{_bindir}/virt-login-shell +%{_bindir}/virt-login-shell + %if %{with_python} %files python
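Review bot: The `%description login-shell` text in the `%package login-shell` hunk has two wording errors (`Povides` for `Provides`, `the users name` for `the user's name`) and, more importantly, does not tell the person opting in that the binary is shipped without the setuid bit pending bnc#837609, so it will not function as a login shell for other accounts until that is resolved. Suggested text: `Provides virt-login-shell, a tool to execute a shell within a container matching the user's name. It is currently installed without setuid permissions, pending a security audit (bnc#837609).` `Group: Development/Libraries/C and C++` appears copied from the library subpackages; a user-facing tool seems better placed in a tools group.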