- Update to libvirt 1.1.4

- Add support for AArch64 architecture
  - Various improvements on test code and test driver
  - Don't link virt-login-shell against libvirt.so
  - Close all non-stdio FDs in virt-login-shell
  - Only allow 'stderr' log output when running setuid
  - Fix perms for virConnectDomainXML{To,From}Native
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: e7f400a1-CVE-2013-4296.patch,
    2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch,
    e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch,
    e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch,
    484cc321-fix-spice-migration.patch,
    79552754-libvirtd-chardev-crash.patch,
    57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch,
    8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch,
    3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch,
    843bdb2f-CVE-2013-4400.patch,
    bd773e74-lxc-terminate-machine.patch,
    e350826c-python-fix-fd-passing.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=329
James Fehlig 2013-11-20 20:02:26 +00:00 committed by Git OBS Bridge
parent 26dd4e5d14
commit a58c0b5ccc
37 changed files with 200 additions and 1859 deletions


@ -1,21 +0,0 @@
commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2
Author: Michal Privoznik <mprivozn@redhat.com>
Date: Tue Sep 3 18:56:06 2013 +0200
virFileNBDDeviceAssociate: Avoid use of uninitialized variable
The @qemunbd variable can be used uninitialized.
Index: libvirt-1.1.2/src/util/virfile.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virfile.c
+++ libvirt-1.1.2/src/util/virfile.c
@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char
char **dev)
{
char *nbddev;
- char *qemunbd;
+ char *qemunbd = NULL;
virCommandPtr cmd = NULL;
int ret = -1;
const char *fmtstr = NULL;


@ -1,354 +0,0 @@
commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Oct 10 13:09:08 2013 +0100
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.
The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.
Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/Makefile.am
+++ libvirt-1.1.2/Makefile.am
@@ -31,6 +31,7 @@ XML_EXAMPLES = \
test/*.xml storage/*.xml)))
EXTRA_DIST = \
+ config-post.h \
ChangeLog-old \
libvirt.spec libvirt.spec.in \
mingw-libvirt.spec.in \
Index: libvirt-1.1.2/config-post.h
===================================================================
--- /dev/null
+++ libvirt-1.1.2/config-post.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Since virt-login-shell will be setuid, we must do everything
+ * we can to avoid linking to other libraries. Many of them do
+ * unsafe things in functions marked __atttribute__((constructor)).
+ * The only way avoid to avoid such deps is to re-compile the
+ * functions with the code in question disabled, and for that we
+ * must override the main config.h rules. Hence this file :-(
+ */
+
+#ifdef LIBVIRT_SETUID_RPC_CLIENT
+# undef HAVE_LIBDEVMAPPER_H
+# undef HAVE_LIBNL
+# undef HAVE_LIBNL3
+# undef HAVE_LIBSASL2
+# undef WITH_CAPNG
+# undef WITH_CURL
+# undef WITH_DTRACE_PROBES
+# undef WITH_GNUTLS
+# undef WITH_MACVTAP
+# undef WITH_NUMACTL
+# undef WITH_SASL
+# undef WITH_SSH2
+# undef WITH_VIRTUALPORT
+# undef WITH_YAJL
+# undef WITH_YAJL2
+#endif
Index: libvirt-1.1.2/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list
AC_CONFIG_SRCDIR([src/libvirt.c])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
+AH_BOTTOM([#include <config-post.h>])
AC_CONFIG_MACRO_DIR([m4])
dnl Make automake keep quiet about wildcards & other GNUmake-isms
AM_INIT_AUTOMAKE([-Wno-portability tar-ustar])
Index: libvirt-1.1.2/daemon/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/daemon/Makefile.am
+++ libvirt-1.1.2/daemon/Makefile.am
@@ -18,6 +18,7 @@
INCLUDES = \
-I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I$(top_builddir)/include -I$(top_srcdir)/include \
-I$(top_builddir)/src -I$(top_srcdir)/src \
-I$(top_srcdir)/src/util \
Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am
+++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
@@ -15,7 +15,8 @@
## <http://www.gnu.org/licenses/>.
INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib
+ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir)
noinst_PROGRAMS = event-test
event_test_CFLAGS = $(WARN_CFLAGS)
event_test_SOURCES = event-test.c
Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am
+++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am
@@ -14,7 +14,7 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
noinst_PROGRAMS = hellolibvirt
hellolibvirt_CFLAGS = $(WARN_CFLAGS)
hellolibvirt_SOURCES = hellolibvirt.c
Index: libvirt-1.1.2/examples/openauth/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/openauth/Makefile.am
+++ libvirt-1.1.2/examples/openauth/Makefile.am
@@ -14,7 +14,7 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
noinst_PROGRAMS = openauth
openauth_CFLAGS = $(WARN_CFLAGS)
openauth_SOURCES = openauth.c
Index: libvirt-1.1.2/gnulib/lib/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/gnulib/lib/Makefile.am
+++ libvirt-1.1.2/gnulib/lib/Makefile.am
@@ -27,4 +27,4 @@ noinst_LTLIBRARIES =
include gnulib.mk
-INCLUDES = $(GETTEXT_CPPFLAGS)
+INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS)
Index: libvirt-1.1.2/python/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/python/Makefile.am
+++ libvirt-1.1.2/python/Makefile.am
@@ -20,6 +20,7 @@ INCLUDES = \
$(PYTHON_INCLUDES) \
-I$(top_builddir)/gnulib/lib \
-I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I$(top_builddir)/src \
-I$(top_srcdir)/src \
-I$(top_srcdir)/src/util \
Index: libvirt-1.1.2/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -21,6 +21,7 @@
# that actually use them. Also keep GETTEXT_CPPFLAGS at the end.
INCLUDES = -I../gnulib/lib \
-I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I../include \
-I$(top_srcdir)/include \
-I$(top_srcdir)/src/util \
@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \
libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This library is built to include the bare minimum required to
+# have a RPC client for local UNIX socket access only. We use
+# the ../config-post.h header to disable all external deps that
+# we don't want
+if WITH_LXC
+noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la
+
+libvirt_setuid_rpc_client_la_SOURCES = \
+ util/viralloc.c \
+ util/virbitmap.c \
+ util/virbuffer.c \
+ util/vircommand.c \
+ util/virconf.c \
+ util/virerror.c \
+ util/virevent.c \
+ util/vireventpoll.c \
+ util/virfile.c \
+ util/virhash.c \
+ util/virhashcode.c \
+ util/virjson.c \
+ util/virlog.c \
+ util/virobject.c \
+ util/virpidfile.c \
+ util/virprocess.c \
+ util/virrandom.c \
+ util/virsocketaddr.c \
+ util/virstoragefile.c \
+ util/virstring.c \
+ util/virtime.c \
+ util/virthread.c \
+ util/virtypedparam.c \
+ util/viruri.c \
+ util/virutil.c \
+ util/viruuid.c \
+ conf/domain_event.c \
+ rpc/virnetsocket.c \
+ rpc/virnetsocket.h \
+ rpc/virnetmessage.h \
+ rpc/virnetmessage.c \
+ rpc/virkeepalive.c \
+ rpc/virkeepalive.h \
+ rpc/virnetclient.c \
+ rpc/virnetclientprogram.c \
+ rpc/virnetclientstream.c \
+ rpc/virnetprotocol.c \
+ remote/remote_driver.c \
+ remote/remote_protocol.c \
+ remote/qemu_protocol.c \
+ remote/lxc_protocol.c \
+ datatypes.c \
+ libvirt.c \
+ libvirt-lxc.c \
+ $(NULL)
+
+libvirt_setuid_rpc_client_la_LDFLAGS = \
+ $(AM_LDFLAGS) \
+ $(LIBXML_LIBS) \
+ $(SELINUX_LIBS) \
+ $(NULL)
+libvirt_setuid_rpc_client_la_CFLAGS = \
+ -DLIBVIRT_SETUID_RPC_CLIENT \
+ -I$(top_srcdir)/src/conf \
+ -I$(top_srcdir)/src/rpc \
+ $(AM_CFLAGS) \
+ $(SELINUX_CFLAGS) \
+ $(NULL)
+endif WITH_LXC
+
lockdriverdir = $(libdir)/libvirt/lock-driver
lockdriver_LTLIBRARIES =
Index: libvirt-1.1.2/src/libvirt.c
===================================================================
--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
@@ -446,40 +446,46 @@ virGlobalInit(void)
goto error;
/*
+ * Note we must avoid everything except 'remote' driver
+ * for virt-login-shell usage
+ */
+#ifndef LIBVIRT_SETUID_RPC_CLIENT
+ /*
* Note that the order is important: the first ones have a higher
* priority when calling virConnectOpen.
*/
-#ifdef WITH_TEST
+# ifdef WITH_TEST
if (testRegister() == -1)
goto error;
-#endif
-#ifdef WITH_OPENVZ
+# endif
+# ifdef WITH_OPENVZ
if (openvzRegister() == -1)
goto error;
-#endif
-#ifdef WITH_VMWARE
+# endif
+# ifdef WITH_VMWARE
if (vmwareRegister() == -1)
goto error;
-#endif
-#ifdef WITH_PHYP
+# endif
+# ifdef WITH_PHYP
if (phypRegister() == -1)
goto error;
-#endif
-#ifdef WITH_ESX
+# endif
+# ifdef WITH_ESX
if (esxRegister() == -1)
goto error;
-#endif
-#ifdef WITH_HYPERV
+# endif
+# ifdef WITH_HYPERV
if (hypervRegister() == -1)
goto error;
-#endif
-#ifdef WITH_XENAPI
+# endif
+# ifdef WITH_XENAPI
if (xenapiRegister() == -1)
goto error;
-#endif
-#ifdef WITH_PARALLELS
+# endif
+# ifdef WITH_PARALLELS
if (parallelsRegister() == -1)
goto error;
+# endif
#endif
#ifdef WITH_REMOTE
if (remoteRegister() == -1)
Index: libvirt-1.1.2/tools/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/tools/Makefile.am
+++ libvirt-1.1.2/tools/Makefile.am
@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \
$(COVERAGE_CFLAGS) \
$(NULL)
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This we statically link to a library containing only the minimal
+# libvirt client code, not libvirt.so itself.
virt_login_shell_SOURCES = \
virt-login-shell.c
@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \
virt_login_shell_LDADD = \
$(STATIC_BINARIES) \
$(PIE_LDFLAGS) \
- ../src/libvirt.la \
- ../src/libvirt-lxc.la \
+ ../src/libvirt-setuid-rpc-client.la \
../gnulib/lib/libgnu.la
virt_login_shell_CFLAGS = \
+ -DLIBVIRT_SETUID_RPC_CLIENT \
$(WARN_CFLAGS) \
$(PIE_CFLAGS) \
$(COVERAGE_CFLAGS)


@ -1,31 +0,0 @@
commit 484cc3217b73b865f00bf42a9c12187b37200699
Author: Martin Kletzander <mkletzan@redhat.com>
Date: Fri Sep 20 16:40:20 2013 +0200
qemu: Fix seamless SPICE migration
Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
Index: libvirt-1.1.2/src/qemu/qemu_migration.c
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu_migration.c
+++ libvirt-1.1.2/src/qemu/qemu_migration.c
@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP
/* Poll every 50ms for progress & to allow cancellation */
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull };
- qemuDomainObjEnterMonitor(driver, vm);
+ if (qemuDomainObjEnterMonitorAsync(driver, vm,
+ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)
+ return -1;
+
if (qemuMonitorGetSpiceMigrationStatus(priv->mon,
&spice_migrated) < 0) {
qemuDomainObjExitMonitor(driver, vm);


@ -1,52 +0,0 @@
commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Oct 3 16:37:57 2013 +0100
Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)
The virConnectDomainXMLToNative API should require 'connect:write'
not 'connect:read', since it will trigger execution of the QEMU
binaries listed in the XML.
Also make virConnectDomainXMLFromNative API require a full
read-write connection and 'connect:write' permission. Although the
current impl doesn't trigger execution of QEMU, we should not
rely on that impl detail from an API permissioning POV.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/libvirt.c
===================================================================
--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC
virDispatchError(NULL);
return NULL;
}
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
virCheckNonNullArgGoto(nativeFormat, error);
virCheckNonNullArgGoto(nativeConfig, error);
Index: libvirt-1.1.2/src/remote/remote_protocol.x
===================================================================
--- libvirt-1.1.2.orig/src/remote/remote_protocol.x
+++ libvirt-1.1.2/src/remote/remote_protocol.x
@@ -3812,13 +3812,13 @@ enum remote_procedure {
/**
* @generate: both
- * @acl: connect:read
+ * @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
/**
* @generate: both
- * @acl: connect:read
+ * @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,


@ -1,103 +0,0 @@
commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2
Author: Jim Fehlig <jfehlig@suse.com>
Date: Mon Oct 21 15:36:11 2013 -0600
build: fix linking virt-login-shell
After commit 3e2f27e1, I've noticed build failures of virt-login-shell
when libapparmor-devel is installed on the build host
CCLD virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o):
In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined
reference to `aa_change_profile'
collect2: error: ld returned 1 exit status
I was about to commit an easy fix under the build-breaker rule
(build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS
to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it
makes sense (build-fix-2.patch).
Should I just stick with the simple fix, or is something along the lines
of patch 2 preferred?
Regards,
Jim
>From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 21 Oct 2013 15:30:02 -0600
Subject: [PATCH] build: fix virt-login-shell build with apparmor
With libapparmor-devel installed, virt-login-shell fails to link
CCLD virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
collect2: error: ld returned 1 exit status
Fix by linking libvirt_setuid_rpc_client with previously determined
SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS
and use both throughout src/Makefile.am where it makes sense.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Index: libvirt-1.1.2/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -49,11 +49,14 @@ nodist_conf_DATA =
THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD)
+SECDRIVER_CFLAGS =
SECDRIVER_LIBS =
if WITH_SECDRIVER_SELINUX
+SECDRIVER_CFLAGS += $(SELINUX_CFLAGS)
SECDRIVER_LIBS += $(SELINUX_LIBS)
endif
if WITH_SECDRIVER_APPARMOR
+SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS)
SECDRIVER_LIBS += $(APPARMOR_LIBS)
endif
@@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES =
libvirt_setuid_rpc_client_la_LDFLAGS = \
$(AM_LDFLAGS) \
$(LIBXML_LIBS) \
- $(SELINUX_LIBS) \
+ $(SECDRIVER_LIBS) \
$(NULL)
libvirt_setuid_rpc_client_la_CFLAGS = \
-DLIBVIRT_SETUID_RPC_CLIENT \
-I$(top_srcdir)/src/conf \
-I$(top_srcdir)/src/rpc \
$(AM_CFLAGS) \
- $(SELINUX_CFLAGS) \
+ $(SECDRIVER_CFLAGS) \
$(NULL)
endif WITH_LXC
@@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \
$(GNUTLS_LIBS) \
$(SASL_LIBS) \
$(SSH2_LIBS)\
+ $(SECDRIVER_LIBS) \
$(AM_LDFLAGS) \
$(CYGWIN_EXTRA_LDFLAGS) \
$(MINGW_EXTRA_LDFLAGS)
@@ -2410,12 +2414,7 @@ if WITH_BLKID
libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
libvirt_lxc_LDADD += $(BLKID_LIBS)
endif
-if WITH_SECDRIVER_SELINUX
-libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS)
-endif
-if WITH_SECDRIVER_APPARMOR
-libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS)
-endif
+libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS)
endif
endif
EXTRA_DIST += $(LXC_CONTROLLER_SOURCES)


@ -1,87 +0,0 @@
commit 795527548fea79902ea4ce32747e069944cf3e61
Author: Peter Krempa <pkrempa@redhat.com>
Date: Thu Sep 26 08:12:39 2013 +0200
conf: Don't crash on invalid chardev source definition of RNGs and other
Since commit 297c99a5 an invalid source definition XML of a character
device that is used as backend for RNG devices, smartcards and redirdevs
causes crash of the daemon when parsing such a definition.
The device types mentioned above are not a part of a regular character
device but are backends for other types. Thus when parsing such device
NULL is passed as the argument @chr_def. Later when checking the
validity of the definition @chr_def was dereferenced when parsing a UNIX
socket backend with missing path of the socket and crashed the daemon.
Sample offending configuration:
<devices>
...
<rng model='virtio'>
<backend model='egd' type='unix'>
<source mode='bind' service='1024'/>
</backend>
</rng>
</devices>
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196
Index: libvirt-1.1.2/src/conf/domain_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/conf/domain_conf.c
+++ libvirt-1.1.2/src/conf/domain_conf.c
@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC
case VIR_DOMAIN_CHR_TYPE_UNIX:
/* path can be auto generated */
if (!path &&
- chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) {
+ (!chr_def ||
+ chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Missing source path attribute for char device"));
goto error;
Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
===================================================================
--- /dev/null
+++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <memballoon model='virtio'/>
+ <rng model='virtio'>
+ <backend model='egd' type='unix'>
+ <!-- https://bugzilla.redhat.com/show_bug.cgi?id=1012196 -->
+ <source mode='connect' host='1.2.3.4' service='1234'/>
+ </backend>
+ </rng>
+ </devices>
+</domain>
Index: libvirt-1.1.2/tests/qemuxml2argvtest.c
===================================================================
--- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c
+++ libvirt-1.1.2/tests/qemuxml2argvtest.c
@@ -973,6 +973,8 @@ mymain(void)
QEMU_CAPS_OBJECT_RNG_RANDOM);
DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG,
QEMU_CAPS_OBJECT_RNG_EGD);
+ DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE,
+ QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD);
DO_TEST("virtio-rng-ccw",
QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW,


@ -1,48 +0,0 @@
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri Sep 27 15:46:07 2013 +0100
Fix crash in libvirtd when events are registered & ACLs active
When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API
virConnectDomainEventDeregisterAny
This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.
This can be triggered by any client with readonly access when
the ACL drivers are active.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
/* Deregister event delivery callback */
if (priv->conn) {
+ virIdentityPtr sysident = virIdentityGetSystem();
size_t i;
+ virIdentitySetCurrent(sysident);
+
for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
if (priv->domainEventCallbackID[i] != -1) {
VIR_DEBUG("Deregistering to relay remote events %zu", i);
@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
}
virConnectClose(priv->conn);
+
+ virIdentitySetCurrent(NULL);
+ virObjectUnref(sysident);
}
VIR_FREE(priv);


@ -1,27 +0,0 @@
commit 843bdb2f8a3364637cda2911624149525188843f
Author: Jim Fehlig <jfehlig@suse.com>
Date: Mon Oct 21 23:12:22 2013 -0600
build: fix build of virt-login-shell on systems with older gnutls
On systems where gnutls uses libgcrypt, I'm seeing the following
build failure
libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type
libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function)
...
Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h
Index: libvirt-1.1.2/config-post.h
===================================================================
--- libvirt-1.1.2.orig/config-post.h
+++ libvirt-1.1.2/config-post.h
@@ -34,6 +34,7 @@
# undef WITH_CURL
# undef WITH_DTRACE_PROBES
# undef WITH_GNUTLS
+# undef WITH_GNUTLS_GCRYPT
# undef WITH_MACVTAP
# undef WITH_NUMACTL
# undef WITH_SASL


@ -1,61 +0,0 @@
commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:59:36 2013 +0100
Only allow 'stderr' log output when running setuid (CVE-2013-4400)
We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/virlog.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virlog.c
+++ libvirt-1.1.2/src/util/virlog.c
@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
* Multiple output can be defined in a single @output, they just need to be
* separated by spaces.
*
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
* Returns the number of output parsed and installed or -1 in case of error
*/
int
@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
virLogPriority prio;
int ret = -1;
int count = 0;
+ bool isSUID = virIsSUID();
if (cur == NULL)
return -1;
@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
if (virLogAddOutputToStderr(prio) == 0)
count++;
} else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
cur += 6;
if (*cur != ':')
goto cleanup;
@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
#endif /* HAVE_SYSLOG_H */
} else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
cur += 4;
if (*cur != ':')
goto cleanup;
@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
VIR_FREE(abspath);
} else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
cur += 8;
#if USE_JOURNALD
if (virLogAddOutputToJournald(prio) == 0)


@ -1,171 +0,0 @@
commit 922b7fda77b094dbf022d625238262ea05335666
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Aug 28 15:25:40 2013 +0100
Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.
To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.
This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test
AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
if test "x$PKCHECK_PATH" != "x" ; then
AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
+ AC_MSG_CHECKING([whether pkcheck supports uid value])
+ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
+ if test "x$pkcheck_supports_uid" = "xtrue"; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
+ else
+ AC_MSG_RESULT([no])
+ fi
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
[use PolicyKit for UNIX socket access checks])
AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr
int status = -1;
char *ident = NULL;
bool authdismissed = 0;
+ bool supportsuid = false;
char *pkout = NULL;
struct daemonClientPrivate *priv =
virNetServerClientGetPrivateData(client);
virCommandPtr cmd = NULL;
+ static bool polkitInsecureWarned;
virMutexLock(&priv->lock);
action = virNetServerClientGetReadonly(client) ?
@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr
goto authfail;
}
+ if (timestamp == 0) {
+ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
+ (long long)callerPid);
+ goto authfail;
+ }
+
VIR_INFO("Checking PID %lld running as %d",
(long long) callerPid, callerUid);
virCommandAddArg(cmd, "--process");
- if (timestamp != 0) {
- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+# ifdef PKCHECK_SUPPORTS_UID
+ supportsuid = true;
+# endif
+ if (supportsuid) {
+ virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
+ (long long) callerPid, timestamp, (unsigned long) callerUid);
} else {
- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
+ if (!polkitInsecureWarned) {
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
+ polkitInsecureWarned = true;
+ }
+ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
}
virCommandAddArg(cmd, "--allow-user-interaction");
Index: libvirt-1.1.2/libvirt.spec.in
===================================================================
--- libvirt-1.1.2.orig/libvirt.spec.in
+++ libvirt-1.1.2/libvirt.spec.in
@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel
%endif
%if %{with_polkit}
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-# Only need the binary, not -devel
-BuildRequires: polkit >= 0.93
+BuildRequires: polkit-devel >= 0.93
%else
BuildRequires: PolicyKit-devel >= 0.6
%endif
Index: libvirt-1.1.2/src/access/viraccessdriverpolkit.c
===================================================================
--- libvirt-1.1.2.orig/src/access/viraccessdriverpolkit.c
+++ libvirt-1.1.2/src/access/viraccessdriverpolkit.c
@@ -72,8 +72,12 @@ static char *
virAccessDriverPolkitFormatProcess(const char *actionid)
{
virIdentityPtr identity = virIdentityGetCurrent();
- const char *process = NULL;
+ const char *callerPid = NULL;
+ const char *callerTime = NULL;
+ const char *callerUid = NULL;
char *ret = NULL;
+ bool supportsuid = false;
+ static bool polkitInsecureWarned;
if (!identity) {
virAccessError(VIR_ERR_ACCESS_DENIED,
@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const
actionid);
return NULL;
}
- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
+ goto cleanup;
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
+ goto cleanup;
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
goto cleanup;
- if (!process) {
+ if (!callerPid) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No UNIX process ID available"));
goto cleanup;
}
-
- if (VIR_STRDUP(ret, process) < 0)
+ if (!callerTime) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process start time available"));
+ goto cleanup;
+ }
+ if (!callerUid) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX caller UID available"));
goto cleanup;
+ }
+
+#ifdef PKCHECK_SUPPORTS_UID
+ supportsuid = true;
+#endif
+ if (supportsuid) {
+ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
+ goto cleanup;
+ } else {
+ if (!polkitInsecureWarned) {
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
+ polkitInsecureWarned = true;
+ }
+ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
+ goto cleanup;
+ }
cleanup:
virObjectUnref(identity);


@ -1,96 +0,0 @@
commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:52:39 2013 +0100
Add helpers for getting env vars in a setuid environment
Care must be taken accessing env variables when running
setuid. Introduce a virGetEnvAllowSUID for env vars which
are safe to use in a setuid environment, and another
virGetEnvBlockSUID for vars which are not safe. Also add
a virIsSUID helper method for any other non-env var code
to use.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/libvirt_private.syms
===================================================================
--- libvirt-1.1.2.orig/src/libvirt_private.syms
+++ libvirt-1.1.2/src/libvirt_private.syms
@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport;
virFormatIntDecimal;
virGetDeviceID;
virGetDeviceUnprivSGIO;
+virGetEnvAllowSUID;
+virGetEnvBlockSUID;
virGetFCHostNameByWWN;
virGetGroupID;
virGetGroupList;
@@ -2060,6 +2062,7 @@ virIndexToDiskName;
virIsCapableFCHost;
virIsCapableVport;
virIsDevMapperDevice;
+virIsSUID;
virManageVport;
virParseNumber;
virParseOwnershipIds;
Index: libvirt-1.1.2/src/util/virutil.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virutil.c
+++ libvirt-1.1.2/src/util/virutil.c
@@ -2116,3 +2116,42 @@ cleanup:
return rc;
}
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is unsafe to
+ * use when running setuid. If running setuid, a NULL
+ * value will be returned
+ */
+const char *virGetEnvBlockSUID(const char *name)
+{
+ return secure_getenv(name);
+}
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is safe to
+ * use when running setuid. The value will be returned
+ * even when running setuid
+ */
+const char *virGetEnvAllowSUID(const char *name)
+{
+ return getenv(name);
+}
+
+
+/**
+ * virIsSUID:
+ * Return a true value if running setuid. Does not
+ * check for elevated capabilities bits.
+ */
+bool virIsSUID(void)
+{
+ return getuid() != geteuid();
+}
Index: libvirt-1.1.2/src/util/virutil.h
===================================================================
--- libvirt-1.1.2.orig/src/util/virutil.h
+++ libvirt-1.1.2/src/util/virutil.h
@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l
int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr);
+const char *virGetEnvBlockSUID(const char *name);
+const char *virGetEnvAllowSUID(const char *name);
+bool virIsSUID(void);
+
#endif /* __VIR_UTIL_H__ */


@ -1,36 +0,0 @@
commit b7fcc799ad5d8f3e55b89b94e599903e3c092467
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 15:14:34 2013 +0100
Close all non-stdio FDs in virt-login-shell (CVE-2013-4400)
We don't want to inherit any FDs in the new namespace
except for the stdio FDs. Explicitly close them all,
just in case some do not have the close-on-exec flag
set.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/tools/virt-login-shell.c
===================================================================
--- libvirt-1.1.2.orig/tools/virt-login-shell.c
+++ libvirt-1.1.2/tools/virt-login-shell.c
@@ -313,6 +313,18 @@ main(int argc, char **argv)
if (cpid == 0) {
pid_t ccpid;
+ int openmax = sysconf(_SC_OPEN_MAX);
+ int fd;
+ if (openmax < 0) {
+ virReportSystemError(errno, "%s",
+ _("sysconf(_SC_OPEN_MAX) failed"));
+ return EXIT_FAILURE;
+ }
+ for (fd = 3; fd < openmax; fd++) {
+ int tmpfd = fd;
+ VIR_MASS_CLOSE(tmpfd);
+ }
+
/* Fork once because we don't want to affect
* virt-login-shell's namespace itself
*/


@ -1,247 +0,0 @@
commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c
Author: Cédric Bosdonnat <cbosdonnat@suse.com>
Date: Mon Sep 30 16:46:29 2013 +0200
LXC: workaround machined uncleaned data with containers running systemd.
The problem is described by [0] but its effect on libvirt is that
starting a container with a full distro running systemd after having
stopped it simply fails.
The container cleanup now calls the machined Terminate function to make
sure that everything is in order for the next run.
[0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370
Index: libvirt-1.1.2/src/libvirt_private.syms
===================================================================
--- libvirt-1.1.2.orig/src/libvirt_private.syms
+++ libvirt-1.1.2/src/libvirt_private.syms
@@ -1940,8 +1940,10 @@ virSysinfoSetup;
# util/virsystemd.h
virSystemdCreateMachine;
+virSystemdMakeMachineName;
virSystemdMakeScopeName;
virSystemdMakeSliceName;
+virSystemdTerminateMachine;
# util/virthread.h
Index: libvirt-1.1.2/src/lxc/lxc_process.c
===================================================================
--- libvirt-1.1.2.orig/src/lxc/lxc_process.c
+++ libvirt-1.1.2/src/lxc/lxc_process.c
@@ -50,6 +50,7 @@
#include "virstring.h"
#include "viratomic.h"
#include "virprocess.h"
+#include "virsystemd.h"
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD
virCgroupFree(&priv->cgroup);
}
+ /* Get machined to terminate the machine as it may not have cleaned it
+ * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for
+ * the bug we are working around here.
+ */
+ virSystemdTerminateMachine(vm->def->name, "lxc", true);
+
+
/* now that we know it's stopped call the hook if present */
if (virHookPresent(VIR_HOOK_DRIVER_LXC)) {
char *xml = virDomainDefFormat(vm->def, 0);
Index: libvirt-1.1.2/src/util/virsystemd.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virsystemd.c
+++ libvirt-1.1.2/src/util/virsystemd.c
@@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char
return virBufferContentAndReset(&buf);
}
+char *virSystemdMakeMachineName(const char *name,
+ const char *drivername,
+ bool privileged)
+{
+ char *machinename = NULL;
+ char *username = NULL;
+ if (privileged) {
+ if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
+ goto cleanup;
+ } else {
+ if (!(username = virGetUserName(geteuid())))
+ goto cleanup;
+ if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
+ goto cleanup;
+ }
+
+cleanup:
+ VIR_FREE(username);
+
+ return machinename;
+}
/**
* virSystemdCreateMachine:
@@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char *
DBusConnection *conn;
char *machinename = NULL;
char *creatorname = NULL;
- char *username = NULL;
char *slicename = NULL;
if (!virDBusHasSystemBus())
@@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char *
conn = virDBusGetSystemBus();
- if (privileged) {
- if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
- goto cleanup;
- } else {
- if (!(username = virGetUserName(geteuid())))
- goto cleanup;
- if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
- goto cleanup;
- }
+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
+ goto cleanup;
if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0)
goto cleanup;
@@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char *
ret = 0;
cleanup:
- VIR_FREE(username);
VIR_FREE(creatorname);
VIR_FREE(machinename);
return ret;
}
+
+int virSystemdTerminateMachine(const char *name,
+ const char *drivername,
+ bool privileged)
+{
+ int ret;
+ DBusConnection *conn;
+ char *machinename = NULL;
+
+ if(!virDBusHasSystemBus())
+ return -2;
+
+ conn = virDBusGetSystemBus();
+
+ ret = -1;
+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
+ goto cleanup;
+
+ /*
+ * The systemd DBus API we're invoking has the
+ * following signature
+ *
+ * TerminateMachine(in s name);
+ *
+ * @name a host unique name for the machine. shows up
+ * in 'ps' listing & similar
+ */
+
+ VIR_DEBUG("Attempting to terminate machine via systemd");
+ if (virDBusCallMethod(conn,
+ NULL,
+ "org.freedesktop.machine1",
+ "/org/freedesktop/machine1",
+ "org.freedesktop.machine1.Manager",
+ "TerminateMachine",
+ "s",
+ machinename) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+cleanup:
+ VIR_FREE(machinename);
+ return ret;
+}
Index: libvirt-1.1.2/src/util/virsystemd.h
===================================================================
--- libvirt-1.1.2.orig/src/util/virsystemd.h
+++ libvirt-1.1.2/src/util/virsystemd.h
@@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char
const char *slicename);
char *virSystemdMakeSliceName(const char *partition);
+char *virSystemdMakeMachineName(const char *name,
+ const char *drivername,
+ bool privileged);
+
int virSystemdCreateMachine(const char *name,
const char *drivername,
bool privileged,
@@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char *
bool iscontainer,
const char *partition);
+int virSystemdTerminateMachine(const char *name,
+ const char *drivername,
+ bool privileged);
+
#endif /* __VIR_SYSTEMD_H__ */
Index: libvirt-1.1.2/tests/virsystemdtest.c
===================================================================
--- libvirt-1.1.2.orig/tests/virsystemdtest.c
+++ libvirt-1.1.2/tests/virsystemdtest.c
@@ -51,6 +51,18 @@ static int testCreateContainer(const voi
return 0;
}
+static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED)
+{
+ if (virSystemdTerminateMachine("demo",
+ "lxc",
+ true) < 0) {
+ fprintf(stderr, "%s", "Failed to terminate LXC machine\n");
+ return -1;
+ }
+
+ return 0;
+}
+
static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED)
{
unsigned char uuid[VIR_UUID_BUFLEN] = {
@@ -74,6 +86,18 @@ static int testCreateMachine(const void
return 0;
}
+static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED)
+{
+ if (virSystemdTerminateMachine("demo",
+ "qemu",
+ false) < 0) {
+ fprintf(stderr, "%s", "Failed to terminate KVM machine\n");
+ return -1;
+ }
+
+ return 0;
+}
+
static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED)
{
unsigned char uuid[VIR_UUID_BUFLEN] = {
@@ -177,8 +201,12 @@ mymain(void)
if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0)
ret = -1;
+ if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0)
+ ret = -1;
if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0)
ret = -1;
+ if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0)
+ ret = -1;
if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0)
ret = -1;
if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0)


@ -32,7 +32,7 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
if (cpid < 0) {
virReportSystemError(errno, "%s",
@@ -1893,7 +1901,11 @@ int lxcContainerStart(virDomainDefPtr de
@@ -2034,7 +2042,11 @@ int lxcContainerStart(virDomainDefPtr de
cflags |= CLONE_NEWNET;
}
@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
VIR_DEBUG("clone() completed, new container PID is %d", pid);
@@ -1919,6 +1931,7 @@ int lxcContainerAvailable(int features)
@@ -2060,6 +2072,7 @@ int lxcContainerAvailable(int features)
int cpid;
char *childStack;
char *stack;
@ -52,7 +52,7 @@ Index: src/lxc/lxc_container.c
if (features & LXC_CONTAINER_FEATURE_USER)
flags |= CLONE_NEWUSER;
@@ -1926,14 +1939,21 @@ int lxcContainerAvailable(int features)
@@ -2067,14 +2080,21 @@ int lxcContainerAvailable(int features)
if (features & LXC_CONTAINER_FEATURE_NET)
flags |= CLONE_NEWNET;


@ -1,149 +0,0 @@
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Aug 22 16:00:01 2013 +0100
Also store user & group ID values in virIdentity
Future improvements to the polkit code will require access to
the numeric user ID, not merely user name.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/rpc/virnetserverclient.c
===================================================================
--- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c
+++ libvirt-1.1.2/src/rpc/virnetserverclient.c
@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetS
char *processid = NULL;
char *processtime = NULL;
char *username = NULL;
+ char *userid = NULL;
char *groupname = NULL;
+ char *groupid = NULL;
#if WITH_SASL
char *saslname = NULL;
#endif
@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetS
if (!(username = virGetUserName(uid)))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)uid) < 0)
+ goto cleanup;
if (!(groupname = virGetGroupName(gid)))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)gid) < 0)
+ goto cleanup;
if (virAsprintf(&processid, "%llu",
(unsigned long long)pid) < 0)
goto cleanup;
@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetS
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
+ if (userid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ userid) < 0)
+ goto error;
if (groupname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
+ if (groupid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ groupid) < 0)
+ goto error;
if (processid &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetS
cleanup:
VIR_FREE(username);
+ VIR_FREE(userid);
VIR_FREE(groupname);
+ VIR_FREE(groupid);
VIR_FREE(processid);
VIR_FREE(processtime);
VIR_FREE(seccontext);
Index: libvirt-1.1.2/src/util/viridentity.c
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.c
+++ libvirt-1.1.2/src/util/viridentity.c
@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr
virIdentityPtr virIdentityGetSystem(void)
{
char *username = NULL;
+ char *userid = NULL;
char *groupname = NULL;
+ char *groupid = NULL;
char *seccontext = NULL;
virIdentityPtr ret = NULL;
#if WITH_SELINUX
@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void
if (!(username = virGetUserName(getuid())))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
+ goto cleanup;
+
if (!(groupname = virGetGroupName(getgid())))
goto cleanup;
+ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0)
+ goto cleanup;
#if WITH_SELINUX
if (getcon(&con) < 0) {
@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void
if (!(ret = virIdentityNew()))
goto cleanup;
- if (username &&
- virIdentitySetAttr(ret,
+ if (virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
- if (groupname &&
- virIdentitySetAttr(ret,
+ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ userid) < 0)
+ goto error;
+ if (virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
+ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ groupid) < 0)
+ goto error;
if (seccontext &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void
cleanup:
VIR_FREE(username);
+ VIR_FREE(userid);
VIR_FREE(groupname);
+ VIR_FREE(groupid);
VIR_FREE(seccontext);
VIR_FREE(processid);
return ret;
Index: libvirt-1.1.2/src/util/viridentity.h
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.h
+++ libvirt-1.1.2/src/util/viridentity.h
@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr;
typedef enum {
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
VIR_IDENTITY_ATTR_SASL_USER_NAME,


@ -1,26 +0,0 @@
commit e350826c653b20dd271ab99075d2f224c7451356
Author: Marian Neagul <marian@info.uvt.ro>
Date: Tue Oct 22 16:03:39 2013 +0100
python: Fix Create*WithFiles filefd passing
Commit d76227be added functions virDomainCreateWithFiles and
virDomainCreateXMLWithFiles, but there was a little piece missing in
python bindings. This patch fixes proper passing of file descriptors
in the overwrites of these functions.
Index: libvirt-1.1.2/python/libvirt-override.c
===================================================================
--- libvirt-1.1.2.orig/python/libvirt-override.c
+++ libvirt-1.1.2/python/libvirt-override.c
@@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb
if (libvirt_intUnwrap(pyfd, &fd) < 0)
goto cleanup;
+
+ files[i] = fd;
+
+ files[i] = fd;
}
LIBVIRT_BEGIN_ALLOW_THREADS;


@ -1,35 +0,0 @@
commit e4697b92abaad16e8e6b41a1e55be9b084d48d5a
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Mon Sep 23 12:46:25 2013 +0100
Fix typo in identity code which is pre-requisite for CVE-2013-4311
The fix for CVE-2013-4311 had a pre-requisite enhancement
to the identity code
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Aug 22 16:00:01 2013 +0100
Also store user & group ID values in virIdentity
This had a typo which caused the group ID to overwrite the
user ID string. This meant any checks using this would have
the wrong ID value. This only affected the ACL code, not the
initial polkit auth. It also leaked memory.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/rpc/virnetserverclient.c
===================================================================
--- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c
+++ libvirt-1.1.2/src/rpc/virnetserverclient.c
@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetS
goto cleanup;
if (!(groupname = virGetGroupName(gid)))
goto cleanup;
- if (virAsprintf(&userid, "%d", (int)gid) < 0)
+ if (virAsprintf(&groupid, "%d", (int)gid) < 0)
goto cleanup;
if (virAsprintf(&processid, "%llu",
(unsigned long long)pid) < 0)


@ -1,65 +0,0 @@
commit e65667c0c6e016d42abea077e31628ae43f57b74
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Aug 28 15:22:05 2013 +0100
Ensure system identity includes process start time
The polkit access driver will want to use the process start
time field. This was already set for network identities, but
not for the system identity.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/viridentity.c
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.c
+++ libvirt-1.1.2/src/util/viridentity.c
@@ -35,6 +35,7 @@
#include "virthread.h"
#include "virutil.h"
#include "virstring.h"
+#include "virprocess.h"
#define VIR_FROM_THIS VIR_FROM_IDENTITY
@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void
security_context_t con;
#endif
char *processid = NULL;
+ unsigned long long timestamp;
+ char *processtime = NULL;
if (virAsprintf(&processid, "%llu",
(unsigned long long)getpid()) < 0)
goto cleanup;
+ if (virProcessGetStartTime(getpid(), &timestamp) < 0)
+ goto cleanup;
+
+ if (timestamp != 0 &&
+ virAsprintf(&processtime, "%llu", timestamp) < 0)
+ goto cleanup;
+
if (!(username = virGetUserName(getuid())))
goto cleanup;
if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
processid) < 0)
goto error;
+ if (processtime &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
+ processtime) < 0)
+ goto error;
cleanup:
VIR_FREE(username);
@@ -206,6 +221,7 @@ cleanup:
VIR_FREE(groupid);
VIR_FREE(seccontext);
VIR_FREE(processid);
+ VIR_FREE(processtime);
return ret;
error:


@ -1,35 +0,0 @@
commit e7f400a110e2e3673b96518170bfea0855dd82c0
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Tue Sep 3 16:52:06 2013 +0100
Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.
This was introduced in release v0.9.1 onwards by
commit 158ba8730e44b7dd07a21ab90499996c5dec080a
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Apr 13 16:21:35 2011 +0100
Merge all returns paths from dispatcher into single path
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe
remote_domain_memory_stats_ret *ret)
{
virDomainPtr dom = NULL;
- struct _virDomainMemoryStat *stats;
+ struct _virDomainMemoryStat *stats = NULL;
int nr_stats;
size_t i;
int rv = -1;


@ -8,11 +8,11 @@ uses the 'device_configure' RPC.
This patch changes the xend driver to always call 'device_configure' for
PCI devices to be consistent with the usage in the xen tools.
Index: libvirt-1.1.2/src/xen/xend_internal.c
Index: libvirt-1.1.4/src/xen/xend_internal.c
===================================================================
--- libvirt-1.1.2.orig/src/xen/xend_internal.c
+++ libvirt-1.1.2/src/xen/xend_internal.c
@@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
--- libvirt-1.1.4.orig/src/xen/xend_internal.c
+++ libvirt-1.1.4/src/xen/xend_internal.c
@@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
virBuffer buf = VIR_BUFFER_INITIALIZER;
char class[8], ref[80];
char *target = NULL;
@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1);
@@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
@@ -2305,8 +2306,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
}
sexpr = virBufferContentAndReset(&buf);


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/examples/apparmor/Makefile.am
Index: libvirt-1.1.4/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/Makefile.am
+++ libvirt-1.1.2/examples/apparmor/Makefile.am
--- libvirt-1.1.4.orig/examples/apparmor/Makefile.am
+++ libvirt-1.1.4/examples/apparmor/Makefile.am
@@ -14,8 +14,45 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
@ -53,10 +53,10 @@ Index: libvirt-1.1.2/examples/apparmor/Makefile.am
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,41 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
@ -99,9 +99,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+ /var/lib/kvm/images/ r,
+ /var/lib/kvm/images/** r,
+}
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-1.1.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
@ -142,9 +142,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd
Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd
--- libvirt-1.1.4.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
@ -199,10 +199,10 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
+++ libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,60 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
@ -264,9 +264,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu
Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu
--- libvirt-1.1.4.orig/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,129 +0,0 @@
-# Last Modified: Fri Mar 9 14:43:22 2012
@ -398,10 +398,10 @@ Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu
-
- /usr/libexec/qemu-bridge-helper rmix,
- }
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.1.4/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,132 @@
+# Last Modified: Fri Mar 9 14:43:22 2012
+


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9aa2fd6d2e7737323c846092cb2f8bf95e0b622c570b29ee4060eed634409cf4
size 18774400

3
libvirt-1.1.4.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:407a9b7602e86bcec457d95dcf97ff806544850b05b9bab9854dcce76e10c1ae
size 19319071


@ -1,9 +1,9 @@
Adjust libvirt-guests init files to conform to SUSE standards
Index: libvirt-1.1.2/tools/libvirt-guests.init.in
Index: libvirt-1.1.4/tools/libvirt-guests.init.in
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.init.in
+++ libvirt-1.1.2/tools/libvirt-guests.init.in
--- libvirt-1.1.4.orig/tools/libvirt-guests.init.in
+++ libvirt-1.1.4/tools/libvirt-guests.init.in
@@ -3,15 +3,15 @@
# the following is the LSB init header
#
@ -28,10 +28,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.init.in
### END INIT INFO
# the following is chkconfig init header
Index: libvirt-1.1.2/tools/libvirt-guests.sh.in
Index: libvirt-1.1.4/tools/libvirt-guests.sh.in
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.1.2/tools/libvirt-guests.sh.in
--- libvirt-1.1.4.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.1.4/tools/libvirt-guests.sh.in
@@ -16,14 +16,13 @@
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
@ -189,10 +189,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.sh.in
esac
-exit $RETVAL
+rc_exit
Index: libvirt-1.1.2/tools/libvirt-guests.sysconf
Index: libvirt-1.1.4/tools/libvirt-guests.sysconf
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.1.2/tools/libvirt-guests.sysconf
--- libvirt-1.1.4.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.1.4/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
+## Path: System/Virtualization/libvirt-guests
+


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/configure.ac
Index: libvirt-1.1.4/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS
--- libvirt-1.1.4.orig/configure.ac
+++ libvirt-1.1.4/configure.ac
@@ -230,6 +230,7 @@ LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_HAL
LIBVIRT_CHECK_NETCF
@ -10,7 +10,7 @@ Index: libvirt-1.1.2/configure.ac
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_OPENWSMAN
LIBVIRT_CHECK_PCIACCESS
@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then
@@ -2375,11 +2376,12 @@ if test "$with_libvirtd" = "no" ; then
with_interface=no
fi
@ -26,7 +26,7 @@ Index: libvirt-1.1.2/configure.ac
esac
if test "$with_interface" = "yes" ; then
@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS
@@ -2694,6 +2696,7 @@ LIBVIRT_RESULT_DBUS
LIBVIRT_RESULT_FUSE
LIBVIRT_RESULT_HAL
LIBVIRT_RESULT_NETCF
@ -34,14 +34,14 @@ Index: libvirt-1.1.2/configure.ac
LIBVIRT_RESULT_NUMACTL
LIBVIRT_RESULT_OPENWSMAN
LIBVIRT_RESULT_PCIACCESS
Index: libvirt-1.1.2/src/Makefile.am
Index: libvirt-1.1.4/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -754,6 +754,10 @@ if WITH_NETCF
--- libvirt-1.1.4.orig/src/Makefile.am
+++ libvirt-1.1.4/src/Makefile.am
@@ -780,6 +780,10 @@ if WITH_NETCF
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_netcf.c
endif
endif WITH_NETCF
+if WITH_NETCONTROL
+INTERFACE_DRIVER_SOURCES += \
+ interface/interface_backend_netcf.c
@ -49,28 +49,27 @@ Index: libvirt-1.1.2/src/Makefile.am
if WITH_UDEV
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_udev.c
@@ -1314,11 +1318,16 @@ if WITH_NETCF
@@ -1342,10 +1346,15 @@ if WITH_NETCF
libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
else
else ! WITH_NETCF
+if WITH_NETCONTROL
+libvirt_driver_interface_la_CFLAGS += $(NETCONTROL_CFLAGS)
+libvirt_driver_interface_la_LIBADD += $(NETCONTROL_LIBS)
+else
+else ! WITH_NETCONTROL
if WITH_UDEV
libvirt_driver_interface_la_CFLAGS += $(UDEV_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(UDEV_LIBS)
endif
endif
+endif
endif WITH_UDEV
+endif ! WITH_NETCONTROL
endif ! WITH_NETCF
if WITH_DRIVER_MODULES
libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la
libvirt_driver_interface_la_LDFLAGS += -module -avoid-version
Index: libvirt-1.1.2/tools/virsh.c
Index: libvirt-1.1.4/tools/virsh.c
===================================================================
--- libvirt-1.1.2.orig/tools/virsh.c
+++ libvirt-1.1.2/tools/virsh.c
@@ -2864,6 +2864,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
--- libvirt-1.1.4.orig/tools/virsh.c
+++ libvirt-1.1.4/tools/virsh.c
@@ -3026,6 +3026,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
vshPrint(ctl, " Interface");
# if defined(WITH_NETCF)
vshPrint(ctl, " netcf");
@ -79,10 +78,10 @@ Index: libvirt-1.1.2/tools/virsh.c
# elif defined(WITH_UDEV)
vshPrint(ctl, " udev");
# endif
Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-1.1.2.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.1.2/src/interface/interface_backend_netcf.c
--- libvirt-1.1.4.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.1.4/src/interface/interface_backend_netcf.c
@@ -23,7 +23,12 @@
#include <config.h>
@ -97,9 +96,9 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
#include "virerror.h"
#include "datatypes.h"
@@ -54,6 +59,38 @@ static void interfaceDriverUnlock(struct
virMutexUnlock(&driver->lock);
}
@@ -63,6 +68,37 @@ VIR_ONCE_GLOBAL_INIT(virNetcfDriverState
static virNetcfDriverStatePtr driverState = NULL;
+#ifdef WITH_NETCONTROL
+static void
@ -132,25 +131,24 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
+ virLogMessage(VIR_LOG_FROM_FILE, vp, file, line, func, 0, "%s", msg);
+}
+#endif
+
/*
* Get a minimal virInterfaceDef containing enough metadata
* for access control checks to be performed. Currently
@@ -164,6 +201,10 @@ static virDrvOpenStatus netcfInterfaceOp
goto mutex_error;
}
static void
virNetcfDriverStateDispose(void *obj)
@@ -85,6 +121,10 @@ netcfStateInitialize(bool privileged ATT
if (!(driverState = virObjectLockableNew(virNetcfDriverStateClass)))
return -1;
+#ifdef WITH_NETCONTROL
+ nc_logger_redirect_to(interface_nc_log_driver);
+#endif
+
/* open netcf */
if (ncf_init(&driverState->netcf, NULL) != 0)
{
Index: libvirt-1.1.2/src/interface/interface_driver.c
if (ncf_init(&driverState->netcf, NULL) != 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
Index: libvirt-1.1.4/src/interface/interface_driver.c
===================================================================
--- libvirt-1.1.2.orig/src/interface/interface_driver.c
+++ libvirt-1.1.2/src/interface/interface_driver.c
--- libvirt-1.1.4.orig/src/interface/interface_driver.c
+++ libvirt-1.1.4/src/interface/interface_driver.c
@@ -28,8 +28,15 @@ interfaceRegister(void) {
if (netcfIfaceRegister() == 0)
return 0;
@ -168,10 +166,10 @@ Index: libvirt-1.1.2/src/interface/interface_driver.c
if (udevIfaceRegister() == 0)
return 0;
#endif /* WITH_UDEV */
Index: libvirt-1.1.2/m4/virt-netcontrol.m4
Index: libvirt-1.1.4/m4/virt-netcontrol.m4
===================================================================
--- /dev/null
+++ libvirt-1.1.2/m4/virt-netcontrol.m4
+++ libvirt-1.1.4/m4/virt-netcontrol.m4
@@ -0,0 +1,35 @@
+dnl The libnetcontrol library
+dnl


@ -1,3 +1,28 @@
-------------------------------------------------------------------
Wed Nov 20 10:57:57 MST 2013 - jfehlig@suse.com
- Update to libvirt 1.1.4
- Add support for AArch64 architecture
- Various improvements on test code and test driver
- Don't link virt-login-shell against libvirt.so
- Close all non-stdio FDs in virt-login-shell
- Only allow 'stderr' log output when running setuid
- Fix perms for virConnectDomainXML{To,From}Native
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Drop upstream patches: e7f400a1-CVE-2013-4296.patch,
2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch,
e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch,
e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch,
484cc321-fix-spice-migration.patch,
79552754-libvirtd-chardev-crash.patch,
57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch,
8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch,
3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch,
843bdb2f-CVE-2013-4400.patch,
bd773e74-lxc-terminate-machine.patch,
e350826c-python-fix-fd-passing.patch
-------------------------------------------------------------------
Tue Nov 19 14:23:27 MST 2013 - jfehlig@suse.com


@ -42,10 +42,10 @@
%define with_lxc 0%{!?_without_lxc:%{server_drivers}}
%define with_uml 0%{!?_without_uml:%{server_drivers}}
%define with_libxl 0%{!?_without_libxl:%{server_drivers}}
%define with_vbox 0%{!?_without_vbox:%{server_drivers}}
# Then the hypervisor drivers that run outside libvirtd, in libvirt.so
%define with_openvz 0%{!?_without_openvz:1}
%define with_vbox 0%{!?_without_vbox:1}
%define with_vmware 0%{!?_without_vmware:1}
%define with_phyp 0%{!?_without_phyp:0}
%define with_esx 0%{!?_without_esx:1}
@ -225,7 +225,7 @@
Name: libvirt
Url: http://libvirt.org/
Version: 1.1.2
Version: 1.1.4
Release: 0
Summary: Library providing a simple virtualization API
License: LGPL-2.1+
@ -337,7 +337,7 @@ BuildRequires: cyrus-sasl-devel
%endif
%if %{with_polkit}
%if 0%{?suse_version} > 1110
BuildRequires: polkit >= 0.9
BuildRequires: polkit-devel >= 0.9
%else
BuildRequires: PolicyKit-devel >= 0.6
%endif
@ -400,24 +400,6 @@ Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: e7f400a1-CVE-2013-4296.patch
Patch1: 2dba0323-CVE-2013-4297.patch
Patch2: db7a5688-CVE-2013-4311.patch
Patch3: e65667c0-CVE-2013-4311.patch
Patch4: 922b7fda-CVE-2013-4311.patch
Patch5: e4697b92-CVE-2013-4311.patch
Patch6: 8294aa0c-CVE-2013-4399.patch
Patch7: 484cc321-fix-spice-migration.patch
Patch8: 79552754-libvirtd-chardev-crash.patch
Patch9: 57687fd6-CVE-2013-4401.patch
Patch10: ae53e5d1-CVE-2013-4400.patch
Patch11: 8c3586ea-CVE-2013-4400.patch
Patch12: b7fcc799a-CVE-2013-4400.patch
Patch13: 3e2f27e1-CVE-2013-4400.patch
Patch14: 5a0ea4b7-CVE-2013-4400.patch
Patch15: 843bdb2f-CVE-2013-4400.patch
Patch16: bd773e74-lxc-terminate-machine.patch
Patch17: e350826c-python-fix-fd-passing.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch101: clone.patch
@ -484,16 +466,6 @@ Requires: bridge-utils
Requires: iproute
Requires: logrotate
%if %{with_network}
Requires: dnsmasq >= 2.41
Requires: radvd
%endif
%if %{with_network} || %{with_nwfilter}
Requires: iptables
%endif
%if %{with_nwfilter}
Requires: ebtables
%endif
%if %{with_udev}
Requires: udev >= 145
%endif
@ -504,39 +476,6 @@ Recommends: polkit >= 0.93
Recommends: PolicyKit >= 0.6
%endif
%endif
%if %{with_storage_fs}
Requires: nfs-utils
# For mkfs
Requires: util-linux
%endif
%if %{with_qemu}
# From QEMU RPMs
Requires: /usr/bin/qemu-img
# For image compression
Requires: bzip2
Requires: gzip
Requires: xz
%if 0%{?suse_version} > 1210
Requires: lzop
%endif
%endif
%if %{with_storage_lvm}
# For LVM drivers
Requires: lvm2
%endif
%if %{with_storage_iscsi}
# For ISCSI driver
Requires: open-iscsi
%endif
%if %{with_storage_disk}
# For disk driver
Requires: device-mapper
Requires: parted
%endif
%if %{with_storage_mpath}
# For multipath support
Requires: device-mapper
%endif
%if %{with_cgconfig}
Requires: libcgroup1
%endif
@ -573,7 +512,11 @@ cleaning guest network traffic.
%package daemon-driver-network
Summary: Network driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: dnsmasq >= 2.41
Requires: iptables
# TODO Requires: iptables-ipv6
Requires: libvirt-daemon = %{version}-%{release}
Requires: radvd
%description daemon-driver-network
The network driver plugin for the libvirtd daemon, providing
@ -586,6 +529,9 @@ bridge capabilities.
%package daemon-driver-nwfilter
Summary: A nwfilter driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: ebtables
Requires: iptables
# TODO Requires: iptables-ipv6
Requires: libvirt-daemon = %{version}-%{release}
%description daemon-driver-nwfilter
@ -635,6 +581,32 @@ an implementation of the secret key APIs.
Summary: Storage driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: libvirt-daemon = %{version}-%{release}
%if %{with_storage_fs}
Requires: nfs-utils
# For mkfs
Requires: util-linux
%endif
%if %{with_qemu}
# From QEMU RPMs
Requires: /usr/bin/qemu-img
%endif
%if %{with_storage_lvm}
# For LVM drivers
Requires: lvm2
%endif
%if %{with_storage_iscsi}
# For ISCSI driver
Requires: open-iscsi
%endif
%if %{with_storage_disk}
# For disk driver
Requires: device-mapper
Requires: parted
%endif
%if %{with_storage_mpath}
# For multipath support
Requires: device-mapper
%endif
%description daemon-driver-storage
The storage driver plugin for the libvirtd daemon, providing
@ -649,7 +621,15 @@ Summary: Qemu driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: libvirt-daemon = %{version}-%{release}
# There really is a hard cross-driver dependency here
Requires: /usr/bin/qemu-img
Requires: libvirt-daemon-driver-network = %{version}-%{release}
# For image compression
Requires: bzip2
Requires: gzip
Requires: xz
%if 0%{?suse_version} > 1210
Requires: lzop
%endif
%description daemon-driver-qemu
The qemu driver plugin for the libvirtd daemon, providing
@ -931,24 +911,6 @@ of recent versions of Linux (and other OSes).
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch100 -p1
%patch101
%patch102 -p1
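Review bot: In the daemon-driver-qemu package, `Requires: /usr/bin/qemu-img` sits between the comment `# There really is a hard cross-driver dependency here` and the `Requires: libvirt-daemon-driver-network = %{version}-%{release}` line that the comment describes, so the comment now reads as if it were about qemu-img. Judging by the hunk counts, the qemu-img line is one of the additions; placing it after the libvirt-daemon-driver-network requirement, next to the image-compression requirements, keeps the comment attached to its dependency. The same section also carries `# TODO Requires: iptables-ipv6` in both the network and nwfilter packages; whether that package name applies to the targeted distributions is not visible here, so the TODO should either be resolved or state what is still open.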


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/daemon/libvirtd.conf
Index: libvirt-1.1.4/daemon/libvirtd.conf
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.conf
+++ libvirt-1.1.2/daemon/libvirtd.conf
--- libvirt-1.1.4.orig/daemon/libvirtd.conf
+++ libvirt-1.1.4/daemon/libvirtd.conf
@@ -18,8 +18,8 @@
# It is necessary to setup a CA and issue server certificates before
# using this capability.
@ -13,10 +13,10 @@ Index: libvirt-1.1.2/daemon/libvirtd.conf
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-1.1.2/daemon/libvirtd-config.c
Index: libvirt-1.1.4/daemon/libvirtd-config.c
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd-config.c
+++ libvirt-1.1.2/daemon/libvirtd-config.c
--- libvirt-1.1.4.orig/daemon/libvirtd-config.c
+++ libvirt-1.1.4/daemon/libvirtd-config.c
@@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT
if (VIR_ALLOC(data) < 0)
return NULL;


@ -1,9 +1,9 @@
Adjust libvirtd sysconfig file to conform to SUSE standards
Index: libvirt-1.1.2/daemon/libvirtd.sysconf
Index: libvirt-1.1.4/daemon/libvirtd.sysconf
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.sysconf
+++ libvirt-1.1.2/daemon/libvirtd.sysconf
--- libvirt-1.1.4.orig/daemon/libvirtd.sysconf
+++ libvirt-1.1.4/daemon/libvirtd.sysconf
@@ -1,16 +1,25 @@
+## Path: System/Virtualization/libvirt
+


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/libxl/libxl_conf.c
Index: libvirt-1.1.4/src/libxl/libxl_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.2/src/libxl/libxl_conf.c
@@ -846,8 +846,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l
--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.4/src/libxl/libxl_conf.c
@@ -883,8 +883,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l
* x_nics[i].mtu = 1492;
*/
@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c
virMacAddrGetRaw(&l_nic->mac, x_nic->mac);
if (l_nic->model && !STREQ(l_nic->model, "netfront")) {
@@ -892,6 +890,8 @@ libxlMakeNicList(virDomainDefPtr def, l
@@ -929,6 +927,8 @@ libxlMakeNicList(virDomainDefPtr def, l
return -1;
for (i = 0; i < nnics; i++) {


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/libxl/libxl_conf.c
Index: libvirt-1.1.4/src/libxl/libxl_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.2/src/libxl/libxl_conf.c
@@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.4/src/libxl/libxl_conf.c
@@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
}
static int
@ -33,7 +33,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c
libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config)
{
virDomainDefPtr def = vm->def;
@@ -1025,6 +1049,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
@@ -1176,6 +1200,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
if (libxlMakeVfbList(driver, def, d_config) < 0)
return -1;


@ -8,11 +8,11 @@ Subject: [PATCH] support managed pci devices in xen driver
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c
@@ -993,6 +993,7 @@ xenParseSxprPCI(virDomainDefPtr def,
--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.4/src/xenxs/xen_sxpr.c
@@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
int funcID;
@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
node = cur->u.s.car;
if (!sexpr_lookup(node, "dev"))
@@ -1040,11 +1041,13 @@ xenParseSxprPCI(virDomainDefPtr def,
@@ -1043,11 +1044,13 @@ xenParseSxprPCI(virDomainDefPtr def,
goto error;
}
@ -35,7 +35,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.addr.domain = domainID;
dev->source.subsys.u.pci.addr.bus = busID;
@@ -1990,11 +1993,15 @@ static void
@@ -1991,11 +1994,15 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
@ -52,7 +52,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
}
@@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
@ -65,7 +65,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@ -78,10 +78,10 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
xenFormatSxprPCI(def->hostdevs[i], buf);
}
}
Index: libvirt-1.1.2/src/xenxs/xen_xm.c
Index: libvirt-1.1.4/src/xenxs/xen_xm.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_xm.c
+++ libvirt-1.1.2/src/xenxs/xen_xm.c
--- libvirt-1.1.4.orig/src/xenxs/xen_xm.c
+++ libvirt-1.1.4/src/xenxs/xen_xm.c
@@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf
int busID;
int slotID;


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/qemu/qemu.conf
Index: libvirt-1.1.4/src/qemu/qemu.conf
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu.conf
+++ libvirt-1.1.2/src/qemu/qemu.conf
@@ -175,7 +175,16 @@
--- libvirt-1.1.4.orig/src/qemu/qemu.conf
+++ libvirt-1.1.4/src/qemu/qemu.conf
@@ -200,7 +200,16 @@
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
#
@ -19,7 +19,7 @@ Index: libvirt-1.1.2/src/qemu/qemu.conf
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
@@ -371,6 +380,15 @@
@@ -402,6 +411,15 @@
#allow_disk_format_probing = 1


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/daemon/libvirtd.service.in
Index: libvirt-1.1.4/daemon/libvirtd.service.in
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.service.in
+++ libvirt-1.1.2/daemon/libvirtd.service.in
--- libvirt-1.1.4.orig/daemon/libvirtd.service.in
+++ libvirt-1.1.4/daemon/libvirtd.service.in
@@ -9,6 +9,8 @@ Before=libvirt-guests.service
After=network.target
After=dbus.service


@ -1,9 +1,9 @@
Adjust virtlockd init files to conform to SUSE standards
Index: libvirt-1.1.2/src/locking/virtlockd.sysconf
Index: libvirt-1.1.4/src/locking/virtlockd.sysconf
===================================================================
--- libvirt-1.1.2.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.1.2/src/locking/virtlockd.sysconf
--- libvirt-1.1.4.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.1.4/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlockd
+
@ -12,10 +12,10 @@ Index: libvirt-1.1.2/src/locking/virtlockd.sysconf
#
# Pass extra arguments to virtlockd
#VIRTLOCKD_ARGS=
Index: libvirt-1.1.2/src/locking/virtlockd.init.in
Index: libvirt-1.1.4/src/locking/virtlockd.init.in
===================================================================
--- libvirt-1.1.2.orig/src/locking/virtlockd.init.in
+++ libvirt-1.1.2/src/locking/virtlockd.init.in
--- libvirt-1.1.4.orig/src/locking/virtlockd.init.in
+++ libvirt-1.1.4/src/locking/virtlockd.init.in
@@ -4,11 +4,13 @@
# http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV
#


@ -14,10 +14,10 @@
is inactive. We obviously can't search xenstore when the domain is
inactive.
Index: libvirt-1.1.2/src/xen/xend_internal.c
Index: libvirt-1.1.4/src/xen/xend_internal.c
===================================================================
--- libvirt-1.1.2.orig/src/xen/xend_internal.c
+++ libvirt-1.1.2/src/xen/xend_internal.c
--- libvirt-1.1.4.orig/src/xen/xend_internal.c
+++ libvirt-1.1.4/src/xen/xend_internal.c
@@ -70,7 +70,7 @@
#define XEND_RCV_BUF_MAX_LEN (256 * 1024)
@ -27,7 +27,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
virDomainDeviceDefPtr dev, char *class,
char *ref, int ref_len);
@@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c
@@ -3316,18 +3316,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c
* Returns 0 in case of success, -1 in case of failure.
*/
static int
@ -50,7 +50,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
if (dev->data.disk->driverName &&
STREQ(dev->data.disk->driverName, "tap"))
strcpy(class, "tap");
@@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3337,19 +3337,17 @@ virDomainXMLDevID(virConnectPtr conn,
else
strcpy(class, "vbd");
@ -81,7 +81,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
char mac[VIR_MAC_STRING_BUFLEN];
virDomainNetDefPtr netdef = dev->data.net;
@@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3357,16 +3355,22 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "vif");
@ -114,7 +114,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3382,17 +3386,44 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "pci");


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c
@@ -327,7 +327,7 @@ error:
--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.4/src/xenxs/xen_sxpr.c
@@ -330,7 +330,7 @@ error:
static int
xenParseSxprDisks(virDomainDefPtr def,
const struct sexpr *root,
@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
int xendConfigVersion)
{
const struct sexpr *cur, *node;
@@ -378,7 +378,6 @@ xenParseSxprDisks(virDomainDefPtr def,
@@ -381,7 +381,6 @@ xenParseSxprDisks(virDomainDefPtr def,
/* There is a case without the uname to the CD-ROM device */
offset = strchr(dst, ':');
if (!offset ||