diff --git a/2dba0323-CVE-2013-4297.patch b/2dba0323-CVE-2013-4297.patch deleted file mode 100644 index 430c4a2..0000000 --- a/2dba0323-CVE-2013-4297.patch +++ /dev/null @@ -1,21 +0,0 @@ -commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2 -Author: Michal Privoznik -Date: Tue Sep 3 18:56:06 2013 +0200 - - virFileNBDDeviceAssociate: Avoid use of uninitialized variable - - The @qemunbd variable can be used uninitialized. - -Index: libvirt-1.1.2/src/util/virfile.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virfile.c -+++ libvirt-1.1.2/src/util/virfile.c -@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char - char **dev) - { - char *nbddev; -- char *qemunbd; -+ char *qemunbd = NULL; - virCommandPtr cmd = NULL; - int ret = -1; - const char *fmtstr = NULL; diff --git a/3e2f27e1-CVE-2013-4400.patch b/3e2f27e1-CVE-2013-4400.patch deleted file mode 100644 index 9be1c8c..0000000 --- a/3e2f27e1-CVE-2013-4400.patch +++ /dev/null @@ -1,354 +0,0 @@ -commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc -Author: Daniel P. Berrange -Date: Thu Oct 10 13:09:08 2013 +0100 - - Don't link virt-login-shell against libvirt.so (CVE-2013-4400) - - The libvirt.so library has far too many library deps to allow - linking against it from setuid programs. Those libraries can - do stuff in __attribute__((constructor) functions which is - not setuid safe. - - The virt-login-shell needs to link directly against individual - files that it uses, with all library deps turned off except - for libxml2 and libselinux. - - Create a libvirt-setuid-rpc-client.la library which is linked - to by virt-login-shell. A config-post.h file allows this library - to disable all external deps except libselinux and libxml2. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/Makefile.am -+++ libvirt-1.1.2/Makefile.am -@@ -31,6 +31,7 @@ XML_EXAMPLES = \ - test/*.xml storage/*.xml))) - - EXTRA_DIST = \ -+ config-post.h \ - ChangeLog-old \ - libvirt.spec libvirt.spec.in \ - mingw-libvirt.spec.in \ -Index: libvirt-1.1.2/config-post.h -=================================================================== ---- /dev/null -+++ libvirt-1.1.2/config-post.h -@@ -0,0 +1,44 @@ -+/* -+ * Copyright (C) 2013 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see -+ * . -+ */ -+ -+/* -+ * Since virt-login-shell will be setuid, we must do everything -+ * we can to avoid linking to other libraries. Many of them do -+ * unsafe things in functions marked __atttribute__((constructor)). -+ * The only way avoid to avoid such deps is to re-compile the -+ * functions with the code in question disabled, and for that we -+ * must override the main config.h rules. 
Hence this file :-( -+ */ -+ -+#ifdef LIBVIRT_SETUID_RPC_CLIENT -+# undef HAVE_LIBDEVMAPPER_H -+# undef HAVE_LIBNL -+# undef HAVE_LIBNL3 -+# undef HAVE_LIBSASL2 -+# undef WITH_CAPNG -+# undef WITH_CURL -+# undef WITH_DTRACE_PROBES -+# undef WITH_GNUTLS -+# undef WITH_MACVTAP -+# undef WITH_NUMACTL -+# undef WITH_SASL -+# undef WITH_SSH2 -+# undef WITH_VIRTUALPORT -+# undef WITH_YAJL -+# undef WITH_YAJL2 -+#endif -Index: libvirt-1.1.2/configure.ac -=================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list - AC_CONFIG_SRCDIR([src/libvirt.c]) - AC_CONFIG_AUX_DIR([build-aux]) - AC_CONFIG_HEADERS([config.h]) -+AH_BOTTOM([#include ]) - AC_CONFIG_MACRO_DIR([m4]) - dnl Make automake keep quiet about wildcards & other GNUmake-isms - AM_INIT_AUTOMAKE([-Wno-portability tar-ustar]) -Index: libvirt-1.1.2/daemon/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/daemon/Makefile.am -+++ libvirt-1.1.2/daemon/Makefile.am -@@ -18,6 +18,7 @@ - - INCLUDES = \ - -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_builddir)/src -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/util \ -Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am -+++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am -@@ -15,7 +15,8 @@ - ## . 
- - INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \ -- -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib -+ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) - noinst_PROGRAMS = event-test - event_test_CFLAGS = $(WARN_CFLAGS) - event_test_SOURCES = event-test.c -Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am -+++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am -@@ -14,7 +14,7 @@ - ## License along with this library. If not, see - ## . - --INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) - noinst_PROGRAMS = hellolibvirt - hellolibvirt_CFLAGS = $(WARN_CFLAGS) - hellolibvirt_SOURCES = hellolibvirt.c -Index: libvirt-1.1.2/examples/openauth/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/openauth/Makefile.am -+++ libvirt-1.1.2/examples/openauth/Makefile.am -@@ -14,7 +14,7 @@ - ## License along with this library. If not, see - ## . 
- --INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) - noinst_PROGRAMS = openauth - openauth_CFLAGS = $(WARN_CFLAGS) - openauth_SOURCES = openauth.c -Index: libvirt-1.1.2/gnulib/lib/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/gnulib/lib/Makefile.am -+++ libvirt-1.1.2/gnulib/lib/Makefile.am -@@ -27,4 +27,4 @@ noinst_LTLIBRARIES = - - include gnulib.mk - --INCLUDES = $(GETTEXT_CPPFLAGS) -+INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS) -Index: libvirt-1.1.2/python/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/python/Makefile.am -+++ libvirt-1.1.2/python/Makefile.am -@@ -20,6 +20,7 @@ INCLUDES = \ - $(PYTHON_INCLUDES) \ - -I$(top_builddir)/gnulib/lib \ - -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I$(top_builddir)/src \ - -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/util \ -Index: libvirt-1.1.2/src/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -21,6 +21,7 @@ - # that actually use them. Also keep GETTEXT_CPPFLAGS at the end. - INCLUDES = -I../gnulib/lib \ - -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I../include \ - -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/util \ -@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \ - libvirt_lxc_la_CFLAGS = $(AM_CFLAGS) - libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) - -+# Since virt-login-shell will be setuid, we must do everything -+# we can to avoid linking to other libraries. Many of them do -+# unsafe things in functions marked __atttribute__((constructor)). -+# This library is built to include the bare minimum required to -+# have a RPC client for local UNIX socket access only. 
We use -+# the ../config-post.h header to disable all external deps that -+# we don't want -+if WITH_LXC -+noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la -+ -+libvirt_setuid_rpc_client_la_SOURCES = \ -+ util/viralloc.c \ -+ util/virbitmap.c \ -+ util/virbuffer.c \ -+ util/vircommand.c \ -+ util/virconf.c \ -+ util/virerror.c \ -+ util/virevent.c \ -+ util/vireventpoll.c \ -+ util/virfile.c \ -+ util/virhash.c \ -+ util/virhashcode.c \ -+ util/virjson.c \ -+ util/virlog.c \ -+ util/virobject.c \ -+ util/virpidfile.c \ -+ util/virprocess.c \ -+ util/virrandom.c \ -+ util/virsocketaddr.c \ -+ util/virstoragefile.c \ -+ util/virstring.c \ -+ util/virtime.c \ -+ util/virthread.c \ -+ util/virtypedparam.c \ -+ util/viruri.c \ -+ util/virutil.c \ -+ util/viruuid.c \ -+ conf/domain_event.c \ -+ rpc/virnetsocket.c \ -+ rpc/virnetsocket.h \ -+ rpc/virnetmessage.h \ -+ rpc/virnetmessage.c \ -+ rpc/virkeepalive.c \ -+ rpc/virkeepalive.h \ -+ rpc/virnetclient.c \ -+ rpc/virnetclientprogram.c \ -+ rpc/virnetclientstream.c \ -+ rpc/virnetprotocol.c \ -+ remote/remote_driver.c \ -+ remote/remote_protocol.c \ -+ remote/qemu_protocol.c \ -+ remote/lxc_protocol.c \ -+ datatypes.c \ -+ libvirt.c \ -+ libvirt-lxc.c \ -+ $(NULL) -+ -+libvirt_setuid_rpc_client_la_LDFLAGS = \ -+ $(AM_LDFLAGS) \ -+ $(LIBXML_LIBS) \ -+ $(SELINUX_LIBS) \ -+ $(NULL) -+libvirt_setuid_rpc_client_la_CFLAGS = \ -+ -DLIBVIRT_SETUID_RPC_CLIENT \ -+ -I$(top_srcdir)/src/conf \ -+ -I$(top_srcdir)/src/rpc \ -+ $(AM_CFLAGS) \ -+ $(SELINUX_CFLAGS) \ -+ $(NULL) -+endif WITH_LXC -+ - lockdriverdir = $(libdir)/libvirt/lock-driver - lockdriver_LTLIBRARIES = - -Index: libvirt-1.1.2/src/libvirt.c -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt.c -+++ libvirt-1.1.2/src/libvirt.c -@@ -446,40 +446,46 @@ virGlobalInit(void) - goto error; - - /* -+ * Note we must avoid everything except 'remote' driver -+ * for virt-login-shell usage -+ */ -+#ifndef 
LIBVIRT_SETUID_RPC_CLIENT -+ /* - * Note that the order is important: the first ones have a higher - * priority when calling virConnectOpen. - */ --#ifdef WITH_TEST -+# ifdef WITH_TEST - if (testRegister() == -1) - goto error; --#endif --#ifdef WITH_OPENVZ -+# endif -+# ifdef WITH_OPENVZ - if (openvzRegister() == -1) - goto error; --#endif --#ifdef WITH_VMWARE -+# endif -+# ifdef WITH_VMWARE - if (vmwareRegister() == -1) - goto error; --#endif --#ifdef WITH_PHYP -+# endif -+# ifdef WITH_PHYP - if (phypRegister() == -1) - goto error; --#endif --#ifdef WITH_ESX -+# endif -+# ifdef WITH_ESX - if (esxRegister() == -1) - goto error; --#endif --#ifdef WITH_HYPERV -+# endif -+# ifdef WITH_HYPERV - if (hypervRegister() == -1) - goto error; --#endif --#ifdef WITH_XENAPI -+# endif -+# ifdef WITH_XENAPI - if (xenapiRegister() == -1) - goto error; --#endif --#ifdef WITH_PARALLELS -+# endif -+# ifdef WITH_PARALLELS - if (parallelsRegister() == -1) - goto error; -+# endif - #endif - #ifdef WITH_REMOTE - if (remoteRegister() == -1) -Index: libvirt-1.1.2/tools/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/tools/Makefile.am -+++ libvirt-1.1.2/tools/Makefile.am -@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \ - $(COVERAGE_CFLAGS) \ - $(NULL) - -+# Since virt-login-shell will be setuid, we must do everything -+# we can to avoid linking to other libraries. Many of them do -+# unsafe things in functions marked __atttribute__((constructor)). -+# This we statically link to a library containing only the minimal -+# libvirt client code, not libvirt.so itself. 
- virt_login_shell_SOURCES = \ - virt-login-shell.c - -@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \ - virt_login_shell_LDADD = \ - $(STATIC_BINARIES) \ - $(PIE_LDFLAGS) \ -- ../src/libvirt.la \ -- ../src/libvirt-lxc.la \ -+ ../src/libvirt-setuid-rpc-client.la \ - ../gnulib/lib/libgnu.la - - virt_login_shell_CFLAGS = \ -+ -DLIBVIRT_SETUID_RPC_CLIENT \ - $(WARN_CFLAGS) \ - $(PIE_CFLAGS) \ - $(COVERAGE_CFLAGS) diff --git a/484cc321-fix-spice-migration.patch b/484cc321-fix-spice-migration.patch deleted file mode 100644 index 84b7bab..0000000 --- a/484cc321-fix-spice-migration.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 484cc3217b73b865f00bf42a9c12187b37200699 -Author: Martin Kletzander -Date: Fri Sep 20 16:40:20 2013 +0200 - - qemu: Fix seamless SPICE migration - - Since the wait is done during migration (still inside - QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such - in order to prohibit all other jobs from interfering in the meantime. - This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was - waiting on the monitor condition and after GetSpiceMigrationStatus - mangled its internal data, the daemon crashed. - - Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886 - -Index: libvirt-1.1.2/src/qemu/qemu_migration.c -=================================================================== ---- libvirt-1.1.2.orig/src/qemu/qemu_migration.c -+++ libvirt-1.1.2/src/qemu/qemu_migration.c -@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP - /* Poll every 50ms for progress & to allow cancellation */ - struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull }; - -- qemuDomainObjEnterMonitor(driver, vm); -+ if (qemuDomainObjEnterMonitorAsync(driver, vm, -+ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0) -+ return -1; -+ - if (qemuMonitorGetSpiceMigrationStatus(priv->mon, - &spice_migrated) < 0) { - qemuDomainObjExitMonitor(driver, vm); 
diff --git a/57687fd6-CVE-2013-4401.patch b/57687fd6-CVE-2013-4401.patch deleted file mode 100644 index 81b7b45..0000000 --- a/57687fd6-CVE-2013-4401.patch +++ /dev/null @@ -1,52 +0,0 @@ -commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c -Author: Daniel P. Berrange -Date: Thu Oct 3 16:37:57 2013 +0100 - - Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401) - - The virConnectDomainXMLToNative API should require 'connect:write' - not 'connect:read', since it will trigger execution of the QEMU - binaries listed in the XML. - - Also make virConnectDomainXMLFromNative API require a full - read-write connection and 'connect:write' permission. Although the - current impl doesn't trigger execution of QEMU, we should not - rely on that impl detail from an API permissioning POV. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/libvirt.c -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt.c -+++ libvirt-1.1.2/src/libvirt.c -@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC - virDispatchError(NULL); - return NULL; - } -+ if (conn->flags & VIR_CONNECT_RO) { -+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); -+ goto error; -+ } - - virCheckNonNullArgGoto(nativeFormat, error); - virCheckNonNullArgGoto(nativeConfig, error); -Index: libvirt-1.1.2/src/remote/remote_protocol.x -=================================================================== ---- libvirt-1.1.2.orig/src/remote/remote_protocol.x -+++ libvirt-1.1.2/src/remote/remote_protocol.x -@@ -3812,13 +3812,13 @@ enum remote_procedure { - - /** - * @generate: both -- * @acl: connect:read -+ * @acl: connect:write - */ - REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135, - - /** - * @generate: both -- * @acl: connect:read -+ * @acl: connect:write - */ - REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136, - diff --git a/5a0ea4b7-CVE-2013-4400.patch b/5a0ea4b7-CVE-2013-4400.patch deleted file mode 100644 index 409add3..0000000 
--- a/5a0ea4b7-CVE-2013-4400.patch +++ /dev/null @@ -1,103 +0,0 @@ -commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2 -Author: Jim Fehlig -Date: Mon Oct 21 15:36:11 2013 -0600 - - build: fix linking virt-login-shell - - After commit 3e2f27e1, I've noticed build failures of virt-login-shell - when libapparmor-devel is installed on the build host - - CCLD virt-login-shell - ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): - In function `virExec': - /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined - reference to `aa_change_profile' - collect2: error: ld returned 1 exit status - - I was about to commit an easy fix under the build-breaker rule - (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS - to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it - makes sense (build-fix-2.patch). - - Should I just stick with the simple fix, or is something along the lines - of patch 2 preferred? - - Regards, - Jim - - >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001 - From: Jim Fehlig - Date: Mon, 21 Oct 2013 15:30:02 -0600 - Subject: [PATCH] build: fix virt-login-shell build with apparmor - - With libapparmor-devel installed, virt-login-shell fails to link - - CCLD virt-login-shell - ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': - /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' - collect2: error: ld returned 1 exit status - - Fix by linking libvirt_setuid_rpc_client with previously determined - SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS - and use both throughout src/Makefile.am where it makes sense. - - 
Signed-off-by: Jim Fehlig - -Index: libvirt-1.1.2/src/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -49,11 +49,14 @@ nodist_conf_DATA = - - THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD) - -+SECDRIVER_CFLAGS = - SECDRIVER_LIBS = - if WITH_SECDRIVER_SELINUX -+SECDRIVER_CFLAGS += $(SELINUX_CFLAGS) - SECDRIVER_LIBS += $(SELINUX_LIBS) - endif - if WITH_SECDRIVER_APPARMOR -+SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS) - SECDRIVER_LIBS += $(APPARMOR_LIBS) - endif - -@@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES = - libvirt_setuid_rpc_client_la_LDFLAGS = \ - $(AM_LDFLAGS) \ - $(LIBXML_LIBS) \ -- $(SELINUX_LIBS) \ -+ $(SECDRIVER_LIBS) \ - $(NULL) - libvirt_setuid_rpc_client_la_CFLAGS = \ - -DLIBVIRT_SETUID_RPC_CLIENT \ - -I$(top_srcdir)/src/conf \ - -I$(top_srcdir)/src/rpc \ - $(AM_CFLAGS) \ -- $(SELINUX_CFLAGS) \ -+ $(SECDRIVER_CFLAGS) \ - $(NULL) - endif WITH_LXC - -@@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \ - $(GNUTLS_LIBS) \ - $(SASL_LIBS) \ - $(SSH2_LIBS)\ -+ $(SECDRIVER_LIBS) \ - $(AM_LDFLAGS) \ - $(CYGWIN_EXTRA_LDFLAGS) \ - $(MINGW_EXTRA_LDFLAGS) -@@ -2410,12 +2414,7 @@ if WITH_BLKID - libvirt_lxc_CFLAGS += $(BLKID_CFLAGS) - libvirt_lxc_LDADD += $(BLKID_LIBS) - endif --if WITH_SECDRIVER_SELINUX --libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS) --endif --if WITH_SECDRIVER_APPARMOR --libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS) --endif -+libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS) - endif - endif - EXTRA_DIST += $(LXC_CONTROLLER_SOURCES) diff --git a/79552754-libvirtd-chardev-crash.patch b/79552754-libvirtd-chardev-crash.patch deleted file mode 100644 index dfe5e97..0000000 --- a/79552754-libvirtd-chardev-crash.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -commit 795527548fea79902ea4ce32747e069944cf3e61 -Author: Peter Krempa -Date: Thu Sep 26 08:12:39 2013 +0200 - - conf: Don't crash on invalid chardev source definition of RNGs and other - - Since commit 297c99a5 an invalid source definition XML of a character - device that is used as backend for RNG devices, smartcards and redirdevs - causes crash of the daemon when parsing such a definition. - - The device types mentioned above are not a part of a regular character - device but are backends for other types. Thus when parsing such device - NULL is passed as the argument @chr_def. Later when checking the - validity of the definition @chr_def was dereferenced when parsing a UNIX - socket backend with missing path of the socket and crashed the daemon. - - Sample offending configuration: - - ... - - - - - - - - Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196 - -Index: libvirt-1.1.2/src/conf/domain_conf.c -=================================================================== ---- libvirt-1.1.2.orig/src/conf/domain_conf.c -+++ libvirt-1.1.2/src/conf/domain_conf.c -@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC - case VIR_DOMAIN_CHR_TYPE_UNIX: - /* path can be auto generated */ - if (!path && -- chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) { -+ (!chr_def || -+ chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Missing source path attribute for char device")); - goto error; -Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml -=================================================================== ---- /dev/null -+++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml -@@ -0,0 +1,27 @@ -+ -+ QEMUGuest1 -+ c7a5fdbd-edaf-9455-926a-d65c16db1809 -+ 219100 -+ 219100 -+ 1 -+ -+ hvm -+ -+ -+ -+ destroy -+ restart -+ destroy -+ -+ /usr/bin/qemu -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -Index: 
libvirt-1.1.2/tests/qemuxml2argvtest.c -=================================================================== ---- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c -+++ libvirt-1.1.2/tests/qemuxml2argvtest.c -@@ -973,6 +973,8 @@ mymain(void) - QEMU_CAPS_OBJECT_RNG_RANDOM); - DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG, - QEMU_CAPS_OBJECT_RNG_EGD); -+ DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE, -+ QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); - DO_TEST("virtio-rng-ccw", - QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG, - QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW, diff --git a/8294aa0c-CVE-2013-4399.patch b/8294aa0c-CVE-2013-4399.patch deleted file mode 100644 index a472fb9..0000000 --- a/8294aa0c-CVE-2013-4399.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b -Author: Daniel P. Berrange -Date: Fri Sep 27 15:46:07 2013 +0100 - - Fix crash in libvirtd when events are registered & ACLs active - - When a client disconnects from libvirtd, all event callbacks - must be removed. This involves running the public API - - virConnectDomainEventDeregisterAny - - This code does not run in normal API dispatch context, so no - identity was set. The result was that the access control drivers - denied the attempt to deregister callbacks. The callbacks thus - continued to trigger after the client was free'd causing fairly - predictable use of free memory & a crash. - - This can be triggered by any client with readonly access when - the ACL drivers are active. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data) - - /* Deregister event delivery callback */ - if (priv->conn) { -+ virIdentityPtr sysident = virIdentityGetSystem(); - size_t i; - -+ virIdentitySetCurrent(sysident); -+ - for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) { - if (priv->domainEventCallbackID[i] != -1) { - VIR_DEBUG("Deregistering to relay remote events %zu", i); -@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data) - } - - virConnectClose(priv->conn); -+ -+ virIdentitySetCurrent(NULL); -+ virObjectUnref(sysident); - } - - VIR_FREE(priv); diff --git a/843bdb2f-CVE-2013-4400.patch b/843bdb2f-CVE-2013-4400.patch deleted file mode 100644 index 8daa299..0000000 --- a/843bdb2f-CVE-2013-4400.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 843bdb2f8a3364637cda2911624149525188843f -Author: Jim Fehlig -Date: Mon Oct 21 23:12:22 2013 -0600 - - build: fix build of virt-login-shell on systems with older gnutls - - On systems where gnutls uses libgcrypt, I'm seeing the following - build failure - - libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type - libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function) - ... - - Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h - -Index: libvirt-1.1.2/config-post.h -=================================================================== ---- libvirt-1.1.2.orig/config-post.h -+++ libvirt-1.1.2/config-post.h -@@ -34,6 +34,7 @@ - # undef WITH_CURL - # undef WITH_DTRACE_PROBES - # undef WITH_GNUTLS -+# undef WITH_GNUTLS_GCRYPT - # undef WITH_MACVTAP - # undef WITH_NUMACTL - # undef WITH_SASL diff --git a/8c3586ea-CVE-2013-4400.patch b/8c3586ea-CVE-2013-4400.patch deleted file mode 100644 index 8e94fb4..0000000 
--- a/8c3586ea-CVE-2013-4400.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994 -Author: Daniel P. Berrange -Date: Wed Oct 9 10:59:36 2013 +0100 - - Only allow 'stderr' log output when running setuid (CVE-2013-4400) - - We must not allow file/syslog/journald log outputs when running - setuid since they can be abused to do bad things. In particular - the 'file' output can be used to overwrite files. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/util/virlog.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virlog.c -+++ libvirt-1.1.2/src/util/virlog.c -@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit - * Multiple output can be defined in a single @output, they just need to be - * separated by spaces. - * -+ * If running in setuid mode, then only the 'stderr' output will -+ * be allowed -+ * - * Returns the number of output parsed and installed or -1 in case of error - */ - int -@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs) - virLogPriority prio; - int ret = -1; - int count = 0; -+ bool isSUID = virIsSUID(); - - if (cur == NULL) - return -1; -@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs) - if (virLogAddOutputToStderr(prio) == 0) - count++; - } else if (STREQLEN(cur, "syslog", 6)) { -+ if (isSUID) -+ goto cleanup; - cur += 6; - if (*cur != ':') - goto cleanup; -@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs) - VIR_FREE(name); - #endif /* HAVE_SYSLOG_H */ - } else if (STREQLEN(cur, "file", 4)) { -+ if (isSUID) -+ goto cleanup; - cur += 4; - if (*cur != ':') - goto cleanup; -@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs) - VIR_FREE(name); - VIR_FREE(abspath); - } else if (STREQLEN(cur, "journald", 8)) { -+ if (isSUID) -+ goto cleanup; - cur += 8; - #if USE_JOURNALD - if (virLogAddOutputToJournald(prio) == 0) 
diff --git a/922b7fda-CVE-2013-4311.patch b/922b7fda-CVE-2013-4311.patch deleted file mode 100644 index e6bd11d..0000000 --- a/922b7fda-CVE-2013-4311.patch +++ /dev/null @@ -1,171 +0,0 @@ -commit 922b7fda77b094dbf022d625238262ea05335666 -Author: Daniel P. Berrange -Date: Wed Aug 28 15:25:40 2013 +0100 - - Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) - - With the existing pkcheck (pid, start time) tuple for identifying - the process, there is a race condition, where a process can make - a libvirt RPC call and in another thread exec a setuid application, - causing it to change to effective UID 0. This in turn causes polkit - to do its permission check based on the wrong UID. - - To address this, libvirt must get the UID the caller had at time - of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) - triple to the pkcheck program. - - This fix requires that libvirt is re-built against a version of - polkit that has the fix for its CVE-2013-4288, so that libvirt - can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' - - Signed-off-by: Colin Walters - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/configure.ac -=================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test - AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH]) - if test "x$PKCHECK_PATH" != "x" ; then - AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program]) -+ AC_MSG_CHECKING([whether pkcheck supports uid value]) -+ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1` -+ if test "x$pkcheck_supports_uid" = "xtrue"; then -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck]) -+ else -+ AC_MSG_RESULT([no]) -+ fi - AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, - [use PolicyKit for UNIX socket access checks]) - AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1, -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr - int status = -1; - char *ident = NULL; - bool authdismissed = 0; -+ bool supportsuid = false; - char *pkout = NULL; - struct daemonClientPrivate *priv = - virNetServerClientGetPrivateData(client); - virCommandPtr cmd = NULL; -+ static bool polkitInsecureWarned; - - virMutexLock(&priv->lock); - action = virNetServerClientGetReadonly(client) ? 
-@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr - goto authfail; - } - -+ if (timestamp == 0) { -+ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", -+ (long long)callerPid); -+ goto authfail; -+ } -+ - VIR_INFO("Checking PID %lld running as %d", - (long long) callerPid, callerUid); - - virCommandAddArg(cmd, "--process"); -- if (timestamp != 0) { -- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); -+# ifdef PKCHECK_SUPPORTS_UID -+ supportsuid = true; -+# endif -+ if (supportsuid) { -+ virCommandAddArgFormat(cmd, "%lld,%llu,%lu", -+ (long long) callerPid, timestamp, (unsigned long) callerUid); - } else { -- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); -+ if (!polkitInsecureWarned) { -+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); -+ polkitInsecureWarned = true; -+ } -+ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); - } - virCommandAddArg(cmd, "--allow-user-interaction"); - -Index: libvirt-1.1.2/libvirt.spec.in -=================================================================== ---- libvirt-1.1.2.orig/libvirt.spec.in -+++ libvirt-1.1.2/libvirt.spec.in -@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel - %endif - %if %{with_polkit} - %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 --# Only need the binary, not -devel --BuildRequires: polkit >= 0.93 -+BuildRequires: polkit-devel >= 0.93 - %else - BuildRequires: PolicyKit-devel >= 0.6 - %endif -Index: libvirt-1.1.2/src/access/viraccessdriverpolkit.c -=================================================================== ---- libvirt-1.1.2.orig/src/access/viraccessdriverpolkit.c -+++ libvirt-1.1.2/src/access/viraccessdriverpolkit.c -@@ -72,8 +72,12 @@ static char * - virAccessDriverPolkitFormatProcess(const char *actionid) - { - virIdentityPtr identity = virIdentityGetCurrent(); -- const char *process = NULL; -+ const char *callerPid = NULL; -+ const char *callerTime 
= NULL; -+ const char *callerUid = NULL; - char *ret = NULL; -+ bool supportsuid = false; -+ static bool polkitInsecureWarned; - - if (!identity) { - virAccessError(VIR_ERR_ACCESS_DENIED, -@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const - actionid); - return NULL; - } -- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0) -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0) -+ goto cleanup; -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0) -+ goto cleanup; -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0) - goto cleanup; - -- if (!process) { -+ if (!callerPid) { - virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", - _("No UNIX process ID available")); - goto cleanup; - } -- -- if (VIR_STRDUP(ret, process) < 0) -+ if (!callerTime) { -+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("No UNIX process start time available")); -+ goto cleanup; -+ } -+ if (!callerUid) { -+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("No UNIX caller UID available")); - goto cleanup; -+ } -+ -+#ifdef PKCHECK_SUPPORTS_UID -+ supportsuid = true; -+#endif -+ if (supportsuid) { -+ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0) -+ goto cleanup; -+ } else { -+ if (!polkitInsecureWarned) { -+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); -+ polkitInsecureWarned = true; -+ } -+ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0) -+ goto cleanup; -+ } - - cleanup: - virObjectUnref(identity); diff --git a/ae53e5d1-CVE-2013-4400.patch b/ae53e5d1-CVE-2013-4400.patch deleted file mode 100644 index 175d9bd..0000000 --- a/ae53e5d1-CVE-2013-4400.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e -Author: Daniel P. Berrange -Date: Wed Oct 9 10:52:39 2013 +0100 - - Add helpers for getting env vars in a setuid environment - - Care must be taken accessing env variables when running - setuid. Introduce a virGetEnvAllowSUID for env vars which - are safe to use in a setuid environment, and another - virGetEnvBlockSUID for vars which are not safe. Also add - a virIsSUID helper method for any other non-env var code - to use. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/libvirt_private.syms -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt_private.syms -+++ libvirt-1.1.2/src/libvirt_private.syms -@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport; - virFormatIntDecimal; - virGetDeviceID; - virGetDeviceUnprivSGIO; -+virGetEnvAllowSUID; -+virGetEnvBlockSUID; - virGetFCHostNameByWWN; - virGetGroupID; - virGetGroupList; -@@ -2060,6 +2062,7 @@ virIndexToDiskName; - virIsCapableFCHost; - virIsCapableVport; - virIsDevMapperDevice; -+virIsSUID; - virManageVport; - virParseNumber; - virParseOwnershipIds; -Index: libvirt-1.1.2/src/util/virutil.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virutil.c -+++ libvirt-1.1.2/src/util/virutil.c -@@ -2116,3 +2116,42 @@ cleanup: - - return rc; - } -+ -+ -+/** -+ * virGetEnvBlockSUID: -+ * @name: the environment variable name -+ * -+ * Obtain an environment variable which is unsafe to -+ * use when running setuid. If running setuid, a NULL -+ * value will be returned -+ */ -+const char *virGetEnvBlockSUID(const char *name) -+{ -+ return secure_getenv(name); -+} -+ -+ -+/** -+ * virGetEnvBlockSUID: -+ * @name: the environment variable name -+ * -+ * Obtain an environment variable which is safe to -+ * use when running setuid. The value will be returned -+ * even when running setuid -+ */ -+const char *virGetEnvAllowSUID(const char *name) -+{ -+ return getenv(name); -+} -+ -+ -+/** -+ * virIsSUID: -+ * Return a true value if running setuid. Does not -+ * check for elevated capabilities bits. 
-+ */ -+bool virIsSUID(void) -+{ -+ return getuid() != geteuid(); -+} -Index: libvirt-1.1.2/src/util/virutil.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/virutil.h -+++ libvirt-1.1.2/src/util/virutil.h -@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l - - int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr); - -+const char *virGetEnvBlockSUID(const char *name); -+const char *virGetEnvAllowSUID(const char *name); -+bool virIsSUID(void); -+ - #endif /* __VIR_UTIL_H__ */ diff --git a/b7fcc799a-CVE-2013-4400.patch b/b7fcc799a-CVE-2013-4400.patch deleted file mode 100644 index 1568934..0000000 --- a/b7fcc799a-CVE-2013-4400.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit b7fcc799ad5d8f3e55b89b94e599903e3c092467 -Author: Daniel P. Berrange -Date: Wed Oct 9 15:14:34 2013 +0100 - - Close all non-stdio FDs in virt-login-shell (CVE-2013-4400) - - We don't want to inherit any FDs in the new namespace - except for the stdio FDs. Explicitly close them all, - just in case some do not have the close-on-exec flag - set. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/tools/virt-login-shell.c -=================================================================== ---- libvirt-1.1.2.orig/tools/virt-login-shell.c -+++ libvirt-1.1.2/tools/virt-login-shell.c -@@ -313,6 +313,18 @@ main(int argc, char **argv) - if (cpid == 0) { - pid_t ccpid; - -+ int openmax = sysconf(_SC_OPEN_MAX); -+ int fd; -+ if (openmax < 0) { -+ virReportSystemError(errno, "%s", -+ _("sysconf(_SC_OPEN_MAX) failed")); -+ return EXIT_FAILURE; -+ } -+ for (fd = 3; fd < openmax; fd++) { -+ int tmpfd = fd; -+ VIR_MASS_CLOSE(tmpfd); -+ } -+ - /* Fork once because we don't want to affect - * virt-login-shell's namespace itself - */ diff --git a/bd773e74-lxc-terminate-machine.patch b/bd773e74-lxc-terminate-machine.patch deleted file mode 100644 index 4417f6d..0000000 --- a/bd773e74-lxc-terminate-machine.patch +++ /dev/null 
@@ -1,247 +0,0 @@ -commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c -Author: Cédric Bosdonnat -Date: Mon Sep 30 16:46:29 2013 +0200 - - LXC: workaround machined uncleaned data with containers running systemd. - - The problem is described by [0] but its effect on libvirt is that - starting a container with a full distro running systemd after having - stopped it simply fails. - - The container cleanup now calls the machined Terminate function to make - sure that everything is in order for the next run. - - [0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370 - -Index: libvirt-1.1.2/src/libvirt_private.syms -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt_private.syms -+++ libvirt-1.1.2/src/libvirt_private.syms -@@ -1940,8 +1940,10 @@ virSysinfoSetup; - - # util/virsystemd.h - virSystemdCreateMachine; -+virSystemdMakeMachineName; - virSystemdMakeScopeName; - virSystemdMakeSliceName; -+virSystemdTerminateMachine; - - - # util/virthread.h -Index: libvirt-1.1.2/src/lxc/lxc_process.c -=================================================================== ---- libvirt-1.1.2.orig/src/lxc/lxc_process.c -+++ libvirt-1.1.2/src/lxc/lxc_process.c -@@ -50,6 +50,7 @@ - #include "virstring.h" - #include "viratomic.h" - #include "virprocess.h" -+#include "virsystemd.h" - - #define VIR_FROM_THIS VIR_FROM_LXC - -@@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD - virCgroupFree(&priv->cgroup); - } - -+ /* Get machined to terminate the machine as it may not have cleaned it -+ * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for -+ * the bug we are working around here. 
-+ */ -+ virSystemdTerminateMachine(vm->def->name, "lxc", true); -+ -+ - /* now that we know it's stopped call the hook if present */ - if (virHookPresent(VIR_HOOK_DRIVER_LXC)) { - char *xml = virDomainDefFormat(vm->def, 0); -Index: libvirt-1.1.2/src/util/virsystemd.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virsystemd.c -+++ libvirt-1.1.2/src/util/virsystemd.c -@@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char - return virBufferContentAndReset(&buf); - } - -+char *virSystemdMakeMachineName(const char *name, -+ const char *drivername, -+ bool privileged) -+{ -+ char *machinename = NULL; -+ char *username = NULL; -+ if (privileged) { -+ if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) -+ goto cleanup; -+ } else { -+ if (!(username = virGetUserName(geteuid()))) -+ goto cleanup; -+ if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) -+ goto cleanup; -+ } -+ -+cleanup: -+ VIR_FREE(username); -+ -+ return machinename; -+} - - /** - * virSystemdCreateMachine: -@@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char * - DBusConnection *conn; - char *machinename = NULL; - char *creatorname = NULL; -- char *username = NULL; - char *slicename = NULL; - - if (!virDBusHasSystemBus()) -@@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char * - - conn = virDBusGetSystemBus(); - -- if (privileged) { -- if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) -- goto cleanup; -- } else { -- if (!(username = virGetUserName(geteuid()))) -- goto cleanup; -- if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) -- goto cleanup; -- } -+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) -+ goto cleanup; - - if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0) - goto cleanup; -@@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char * - ret = 0; - - cleanup: -- VIR_FREE(username); - VIR_FREE(creatorname); - 
VIR_FREE(machinename); - return ret; - } -+ -+int virSystemdTerminateMachine(const char *name, -+ const char *drivername, -+ bool privileged) -+{ -+ int ret; -+ DBusConnection *conn; -+ char *machinename = NULL; -+ -+ if(!virDBusHasSystemBus()) -+ return -2; -+ -+ conn = virDBusGetSystemBus(); -+ -+ ret = -1; -+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) -+ goto cleanup; -+ -+ /* -+ * The systemd DBus API we're invoking has the -+ * following signature -+ * -+ * TerminateMachine(in s name); -+ * -+ * @name a host unique name for the machine. shows up -+ * in 'ps' listing & similar -+ */ -+ -+ VIR_DEBUG("Attempting to terminate machine via systemd"); -+ if (virDBusCallMethod(conn, -+ NULL, -+ "org.freedesktop.machine1", -+ "/org/freedesktop/machine1", -+ "org.freedesktop.machine1.Manager", -+ "TerminateMachine", -+ "s", -+ machinename) < 0) -+ goto cleanup; -+ -+ ret = 0; -+ -+cleanup: -+ VIR_FREE(machinename); -+ return ret; -+} -Index: libvirt-1.1.2/src/util/virsystemd.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/virsystemd.h -+++ libvirt-1.1.2/src/util/virsystemd.h -@@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char - const char *slicename); - char *virSystemdMakeSliceName(const char *partition); - -+char *virSystemdMakeMachineName(const char *name, -+ const char *drivername, -+ bool privileged); -+ - int virSystemdCreateMachine(const char *name, - const char *drivername, - bool privileged, -@@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char * - bool iscontainer, - const char *partition); - -+int virSystemdTerminateMachine(const char *name, -+ const char *drivername, -+ bool privileged); -+ - #endif /* __VIR_SYSTEMD_H__ */ -Index: libvirt-1.1.2/tests/virsystemdtest.c -=================================================================== ---- libvirt-1.1.2.orig/tests/virsystemdtest.c -+++ libvirt-1.1.2/tests/virsystemdtest.c -@@ -51,6 +51,18 @@ static int 
testCreateContainer(const voi - return 0; - } - -+static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED) -+{ -+ if (virSystemdTerminateMachine("demo", -+ "lxc", -+ true) < 0) { -+ fprintf(stderr, "%s", "Failed to terminate LXC machine\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED) - { - unsigned char uuid[VIR_UUID_BUFLEN] = { -@@ -74,6 +86,18 @@ static int testCreateMachine(const void - return 0; - } - -+static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED) -+{ -+ if (virSystemdTerminateMachine("demo", -+ "qemu", -+ false) < 0) { -+ fprintf(stderr, "%s", "Failed to terminate KVM machine\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED) - { - unsigned char uuid[VIR_UUID_BUFLEN] = { -@@ -177,8 +201,12 @@ mymain(void) - - if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0) - ret = -1; -+ if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0) -+ ret = -1; - if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0) - ret = -1; -+ if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0) -+ ret = -1; - if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0) - ret = -1; - if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0) diff --git a/clone.patch b/clone.patch index 033ad0c..4e01402 100644 --- a/clone.patch +++ b/clone.patch @@ -32,7 +32,7 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); if (cpid < 0) { virReportSystemError(errno, "%s", -@@ -1893,7 +1901,11 @@ int lxcContainerStart(virDomainDefPtr de +@@ -2034,7 +2042,11 @@ int lxcContainerStart(virDomainDefPtr de cflags |= CLONE_NEWNET; } 
@@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); VIR_DEBUG("clone() completed, new container PID is %d", pid); -@@ -1919,6 +1931,7 @@ int lxcContainerAvailable(int features) +@@ -2060,6 +2072,7 @@ int lxcContainerAvailable(int features) int cpid; char *childStack; char *stack; @@ -52,7 +52,7 @@ Index: src/lxc/lxc_container.c if (features & LXC_CONTAINER_FEATURE_USER) flags |= CLONE_NEWUSER; -@@ -1926,14 +1939,21 @@ int lxcContainerAvailable(int features) +@@ -2067,14 +2080,21 @@ int lxcContainerAvailable(int features) if (features & LXC_CONTAINER_FEATURE_NET) flags |= CLONE_NEWNET; diff --git a/db7a5688-CVE-2013-4311.patch b/db7a5688-CVE-2013-4311.patch deleted file mode 100644 index f537e6d..0000000 --- a/db7a5688-CVE-2013-4311.patch +++ /dev/null @@ -1,149 +0,0 @@ -commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 -Author: Daniel P. Berrange -Date: Thu Aug 22 16:00:01 2013 +0100 - - Also store user & group ID values in virIdentity - - Future improvements to the polkit code will require access to - the numeric user ID, not merely user name. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/rpc/virnetserverclient.c -=================================================================== ---- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c -+++ libvirt-1.1.2/src/rpc/virnetserverclient.c -@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetS - char *processid = NULL; - char *processtime = NULL; - char *username = NULL; -+ char *userid = NULL; - char *groupname = NULL; -+ char *groupid = NULL; - #if WITH_SASL - char *saslname = NULL; - #endif -@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetS - - if (!(username = virGetUserName(uid))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)uid) < 0) -+ goto cleanup; - if (!(groupname = virGetGroupName(gid))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)gid) < 0) -+ goto cleanup; - if (virAsprintf(&processid, "%llu", - (unsigned long long)pid) < 0) - goto cleanup; -@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetS - VIR_IDENTITY_ATTR_UNIX_USER_NAME, - username) < 0) - goto error; -+ if (userid && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, -+ userid) < 0) -+ goto error; - if (groupname && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, - groupname) < 0) - goto error; -+ if (groupid && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, -+ groupid) < 0) -+ goto error; - if (processid && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, -@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetS - - cleanup: - VIR_FREE(username); -+ VIR_FREE(userid); - VIR_FREE(groupname); -+ VIR_FREE(groupid); - VIR_FREE(processid); - VIR_FREE(processtime); - VIR_FREE(seccontext); -Index: libvirt-1.1.2/src/util/viridentity.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.c -+++ libvirt-1.1.2/src/util/viridentity.c -@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr - virIdentityPtr 
virIdentityGetSystem(void) - { - char *username = NULL; -+ char *userid = NULL; - char *groupname = NULL; -+ char *groupid = NULL; - char *seccontext = NULL; - virIdentityPtr ret = NULL; - #if WITH_SELINUX -@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void - - if (!(username = virGetUserName(getuid()))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0) -+ goto cleanup; -+ - if (!(groupname = virGetGroupName(getgid()))) - goto cleanup; -+ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0) -+ goto cleanup; - - #if WITH_SELINUX - if (getcon(&con) < 0) { -@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void - if (!(ret = virIdentityNew())) - goto cleanup; - -- if (username && -- virIdentitySetAttr(ret, -+ if (virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_USER_NAME, - username) < 0) - goto error; -- if (groupname && -- virIdentitySetAttr(ret, -+ if (virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, -+ userid) < 0) -+ goto error; -+ if (virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, - groupname) < 0) - goto error; -+ if (virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, -+ groupid) < 0) -+ goto error; - if (seccontext && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_SELINUX_CONTEXT, -@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void - - cleanup: - VIR_FREE(username); -+ VIR_FREE(userid); - VIR_FREE(groupname); -+ VIR_FREE(groupid); - VIR_FREE(seccontext); - VIR_FREE(processid); - return ret; -Index: libvirt-1.1.2/src/util/viridentity.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.h -+++ libvirt-1.1.2/src/util/viridentity.h -@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr; - - typedef enum { - VIR_IDENTITY_ATTR_UNIX_USER_NAME, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, - VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, - 
VIR_IDENTITY_ATTR_SASL_USER_NAME, diff --git a/e350826c-python-fix-fd-passing.patch b/e350826c-python-fix-fd-passing.patch deleted file mode 100644 index ea9289b..0000000 --- a/e350826c-python-fix-fd-passing.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit e350826c653b20dd271ab99075d2f224c7451356 -Author: Marian Neagul -Date: Tue Oct 22 16:03:39 2013 +0100 - - python: Fix Create*WithFiles filefd passing - - Commit d76227be added functions virDomainCreateWithFiles and - virDomainCreateXMLWithFiles, but there was a little piece missing in - python bindings. This patch fixes proper passing of file descriptors - in the overwrites of these functions. - -Index: libvirt-1.1.2/python/libvirt-override.c -=================================================================== ---- libvirt-1.1.2.orig/python/libvirt-override.c -+++ libvirt-1.1.2/python/libvirt-override.c -@@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb - - if (libvirt_intUnwrap(pyfd, &fd) < 0) - goto cleanup; -+ -+ files[i] = fd; -+ -+ files[i] = fd; - } - - LIBVIRT_BEGIN_ALLOW_THREADS; diff --git a/e4697b92-CVE-2013-4311.patch b/e4697b92-CVE-2013-4311.patch deleted file mode 100644 index 7698d4c..0000000 --- a/e4697b92-CVE-2013-4311.patch +++ /dev/null @@ -1,35 +0,0 @@ -commit e4697b92abaad16e8e6b41a1e55be9b084d48d5a -Author: Daniel P. Berrange -Date: Mon Sep 23 12:46:25 2013 +0100 - - Fix typo in identity code which is pre-requisite for CVE-2013-4311 - - The fix for CVE-2013-4311 had a pre-requisite enhancement - to the identity code - - commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 - Author: Daniel P. Berrange - Date: Thu Aug 22 16:00:01 2013 +0100 - - Also store user & group ID values in virIdentity - - This had a typo which caused the group ID to overwrite the - user ID string. This meant any checks using this would have - the wrong ID value. This only affected the ACL code, not the - initial polkit auth. It also leaked memory. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/rpc/virnetserverclient.c -=================================================================== ---- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c -+++ libvirt-1.1.2/src/rpc/virnetserverclient.c -@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetS - goto cleanup; - if (!(groupname = virGetGroupName(gid))) - goto cleanup; -- if (virAsprintf(&userid, "%d", (int)gid) < 0) -+ if (virAsprintf(&groupid, "%d", (int)gid) < 0) - goto cleanup; - if (virAsprintf(&processid, "%llu", - (unsigned long long)pid) < 0) diff --git a/e65667c0-CVE-2013-4311.patch b/e65667c0-CVE-2013-4311.patch deleted file mode 100644 index f89b81f..0000000 --- a/e65667c0-CVE-2013-4311.patch +++ /dev/null @@ -1,65 +0,0 @@ -commit e65667c0c6e016d42abea077e31628ae43f57b74 -Author: Daniel P. Berrange -Date: Wed Aug 28 15:22:05 2013 +0100 - - Ensure system identity includes process start time - - The polkit access driver will want to use the process start - time field. This was already set for network identities, but - not for the system identity. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/util/viridentity.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.c -+++ libvirt-1.1.2/src/util/viridentity.c -@@ -35,6 +35,7 @@ - #include "virthread.h" - #include "virutil.h" - #include "virstring.h" -+#include "virprocess.h" - - #define VIR_FROM_THIS VIR_FROM_IDENTITY - -@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void - security_context_t con; - #endif - char *processid = NULL; -+ unsigned long long timestamp; -+ char *processtime = NULL; - - if (virAsprintf(&processid, "%llu", - (unsigned long long)getpid()) < 0) - goto cleanup; - -+ if (virProcessGetStartTime(getpid(), ×tamp) < 0) -+ goto cleanup; -+ -+ if (timestamp != 0 && -+ virAsprintf(&processtime, "%llu", timestamp) < 0) -+ goto cleanup; -+ - if (!(username = virGetUserName(getuid()))) - goto cleanup; - if (virAsprintf(&userid, "%d", (int)getuid()) < 0) -@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, - processid) < 0) - goto error; -+ if (processtime && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, -+ processtime) < 0) -+ goto error; - - cleanup: - VIR_FREE(username); -@@ -206,6 +221,7 @@ cleanup: - VIR_FREE(groupid); - VIR_FREE(seccontext); - VIR_FREE(processid); -+ VIR_FREE(processtime); - return ret; - - error: diff --git a/e7f400a1-CVE-2013-4296.patch b/e7f400a1-CVE-2013-4296.patch deleted file mode 100644 index 5ff4da4..0000000 --- a/e7f400a1-CVE-2013-4296.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -commit e7f400a110e2e3673b96518170bfea0855dd82c0 -Author: Daniel P. Berrange -Date: Tue Sep 3 16:52:06 2013 +0100 - - Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) - - The 'stats' variable was not initialized to NULL, so if some - early validation of the RPC call fails, it is possible to jump - to the 'cleanup' label and VIR_FREE an uninitialized pointer. - This is a security flaw, since the API can be called from a - readonly connection which can trigger the validation checks. - - This was introduced in release v0.9.1 onwards by - - commit 158ba8730e44b7dd07a21ab90499996c5dec080a - Author: Daniel P. Berrange - Date: Wed Apr 13 16:21:35 2011 +0100 - - Merge all returns paths from dispatcher into single path - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe - remote_domain_memory_stats_ret *ret) - { - virDomainPtr dom = NULL; -- struct _virDomainMemoryStat *stats; -+ struct _virDomainMemoryStat *stats = NULL; - int nr_stats; - size_t i; - int rv = -1; diff --git a/fix-pci-attach-xen-driver.patch b/fix-pci-attach-xen-driver.patch index b010e3b..f2cd6df 100644 --- a/fix-pci-attach-xen-driver.patch +++ b/fix-pci-attach-xen-driver.patch 
@@ -8,11 +8,11 @@ uses the 'device_configure' RPC. This patch changes the xend driver to always call 'device_configure' for PCI devices to be consistent with the usage in the xen tools. -Index: libvirt-1.1.2/src/xen/xend_internal.c +Index: libvirt-1.1.4/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.2.orig/src/xen/xend_internal.c -+++ libvirt-1.1.2/src/xen/xend_internal.c -@@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr +--- libvirt-1.1.4.orig/src/xen/xend_internal.c ++++ libvirt-1.1.4/src/xen/xend_internal.c +@@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; char *target = NULL; @@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); -@@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr +@@ -2305,8 +2306,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr } sexpr = virBufferContentAndReset(&buf); diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index b021306..d5e027c 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/examples/apparmor/Makefile.am +Index: libvirt-1.1.4/examples/apparmor/Makefile.am =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/Makefile.am -+++ libvirt-1.1.2/examples/apparmor/Makefile.am +--- libvirt-1.1.4.orig/examples/apparmor/Makefile.am ++++ libvirt-1.1.4/examples/apparmor/Makefile.am @@ -14,8 +14,45 @@ ## License along with this library. If not, see ## . 
@@ -53,10 +53,10 @@ Index: libvirt-1.1.2/examples/apparmor/Makefile.am + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE + +endif -Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in +Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,41 @@ +# Last Modified: Fri Aug 19 11:21:48 2011 +#include @@ -99,9 +99,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in + /var/lib/kvm/images/ r, + /var/lib/kvm/images/** r, +} -Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper +Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +--- libvirt-1.1.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,38 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 @@ -142,9 +142,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, -} -Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd +Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd +--- libvirt-1.1.4.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,52 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 
@@ -199,10 +199,10 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} -Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in +Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in ++++ libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,60 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include @@ -264,9 +264,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu +Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu +--- libvirt-1.1.4.orig/examples/apparmor/libvirt-qemu +++ /dev/null @@ -1,129 +0,0 @@ -# Last Modified: Fri Mar 9 14:43:22 2012 @@ -398,10 +398,10 @@ Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu - - /usr/libexec/qemu-bridge-helper rmix, - } -Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in +Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in ++++ libvirt-1.1.4/examples/apparmor/libvirt-qemu.in @@ -0,0 +1,132 @@ +# Last Modified: Fri Mar 9 14:43:22 2012 + diff --git a/libvirt-1.1.2.tar.bz2 b/libvirt-1.1.2.tar.bz2 deleted file mode 100644 index c7e7877..0000000 --- a/libvirt-1.1.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9aa2fd6d2e7737323c846092cb2f8bf95e0b622c570b29ee4060eed634409cf4 -size 18774400 diff --git a/libvirt-1.1.4.tar.bz2 b/libvirt-1.1.4.tar.bz2 new file mode 100644 index 0000000..dd63173 --- /dev/null 
+++ b/libvirt-1.1.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:407a9b7602e86bcec457d95dcf97ff806544850b05b9bab9854dcce76e10c1ae +size 19319071 diff --git a/libvirt-guests-init-script.patch b/libvirt-guests-init-script.patch index 6c8970a..5f81453 100644 --- a/libvirt-guests-init-script.patch +++ b/libvirt-guests-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirt-guests init files to conform to SUSE standards -Index: libvirt-1.1.2/tools/libvirt-guests.init.in +Index: libvirt-1.1.4/tools/libvirt-guests.init.in =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.init.in -+++ libvirt-1.1.2/tools/libvirt-guests.init.in +--- libvirt-1.1.4.orig/tools/libvirt-guests.init.in ++++ libvirt-1.1.4/tools/libvirt-guests.init.in @@ -3,15 +3,15 @@ # the following is the LSB init header # @@ -28,10 +28,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.init.in ### END INIT INFO # the following is chkconfig init header -Index: libvirt-1.1.2/tools/libvirt-guests.sh.in +Index: libvirt-1.1.4/tools/libvirt-guests.sh.in =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in -+++ libvirt-1.1.2/tools/libvirt-guests.sh.in +--- libvirt-1.1.4.orig/tools/libvirt-guests.sh.in ++++ libvirt-1.1.4/tools/libvirt-guests.sh.in @@ -16,14 +16,13 @@ # License along with this library. If not, see # . @@ -189,10 +189,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.sh.in esac -exit $RETVAL +rc_exit -Index: libvirt-1.1.2/tools/libvirt-guests.sysconf +Index: libvirt-1.1.4/tools/libvirt-guests.sysconf =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.sysconf -+++ libvirt-1.1.2/tools/libvirt-guests.sysconf +--- libvirt-1.1.4.orig/tools/libvirt-guests.sysconf ++++ libvirt-1.1.4/tools/libvirt-guests.sysconf @@ -1,19 +1,29 @@ +## Path: System/Virtualization/libvirt-guests + 
diff --git a/libvirt-suse-netcontrol.patch b/libvirt-suse-netcontrol.patch index cb32f6e..f316295 100644 --- a/libvirt-suse-netcontrol.patch +++ b/libvirt-suse-netcontrol.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/configure.ac +Index: libvirt-1.1.4/configure.ac =================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS +--- libvirt-1.1.4.orig/configure.ac ++++ libvirt-1.1.4/configure.ac +@@ -230,6 +230,7 @@ LIBVIRT_CHECK_DBUS LIBVIRT_CHECK_FUSE LIBVIRT_CHECK_HAL LIBVIRT_CHECK_NETCF @@ -10,7 +10,7 @@ Index: libvirt-1.1.2/configure.ac LIBVIRT_CHECK_NUMACTL LIBVIRT_CHECK_OPENWSMAN LIBVIRT_CHECK_PCIACCESS -@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then +@@ -2375,11 +2376,12 @@ if test "$with_libvirtd" = "no" ; then with_interface=no fi @@ -26,7 +26,7 @@ Index: libvirt-1.1.2/configure.ac esac if test "$with_interface" = "yes" ; then -@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS +@@ -2694,6 +2696,7 @@ LIBVIRT_RESULT_DBUS LIBVIRT_RESULT_FUSE LIBVIRT_RESULT_HAL LIBVIRT_RESULT_NETCF @@ -34,14 +34,14 @@ Index: libvirt-1.1.2/configure.ac LIBVIRT_RESULT_NUMACTL LIBVIRT_RESULT_OPENWSMAN LIBVIRT_RESULT_PCIACCESS -Index: libvirt-1.1.2/src/Makefile.am +Index: libvirt-1.1.4/src/Makefile.am =================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -754,6 +754,10 @@ if WITH_NETCF +--- libvirt-1.1.4.orig/src/Makefile.am ++++ libvirt-1.1.4/src/Makefile.am +@@ -780,6 +780,10 @@ if WITH_NETCF INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_netcf.c - endif + endif WITH_NETCF +if WITH_NETCONTROL +INTERFACE_DRIVER_SOURCES += \ + interface/interface_backend_netcf.c 
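Review bot: In the src/Makefile.am hunk the `if WITH_NETCONTROL` sources stanza is a sibling placed after `endif WITH_NETCF` rather than nested in an `else ! WITH_NETCF` branch, so a configuration with both conditionals true would list `interface/interface_backend_netcf.c` twice in INTERFACE_DRIVER_SOURCES, whereas the CFLAGS/LIBADD stanza later in the same patch is nested and therefore exclusive. The virsh.c hunk's `# elif defined(WITH_NETCONTROL)` shows the code assumes the two are never both defined; the rebased configure.ac `with_interface` case is presumably what enforces that, but its body is not visible here. Nesting the sources stanza the same way as the flags stanza makes the exclusivity explicit in the Makefile regardless of what configure decides.
```makefile
if WITH_NETCF
INTERFACE_DRIVER_SOURCES += \
	interface/interface_backend_netcf.c
else ! WITH_NETCF
if WITH_NETCONTROL
INTERFACE_DRIVER_SOURCES += \
	interface/interface_backend_netcf.c
endif WITH_NETCONTROL
endif ! WITH_NETCF
# … unchanged: WITH_UDEV stanza …
```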
@@ -49,28 +49,27 @@ Index: libvirt-1.1.2/src/Makefile.am if WITH_UDEV INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_udev.c -@@ -1314,11 +1318,16 @@ if WITH_NETCF +@@ -1342,10 +1346,15 @@ if WITH_NETCF libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS) libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS) - else + else ! WITH_NETCF +if WITH_NETCONTROL +libvirt_driver_interface_la_CFLAGS += $(NETCONTROL_CFLAGS) +libvirt_driver_interface_la_LIBADD += $(NETCONTROL_LIBS) -+else ++else ! WITH_NETCONTROL if WITH_UDEV libvirt_driver_interface_la_CFLAGS += $(UDEV_CFLAGS) libvirt_driver_interface_la_LIBADD += $(UDEV_LIBS) - endif - endif -+endif + endif WITH_UDEV ++endif ! WITH_NETCONTROL + endif ! WITH_NETCF if WITH_DRIVER_MODULES libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la - libvirt_driver_interface_la_LDFLAGS += -module -avoid-version -Index: libvirt-1.1.2/tools/virsh.c +Index: libvirt-1.1.4/tools/virsh.c =================================================================== ---- libvirt-1.1.2.orig/tools/virsh.c -+++ libvirt-1.1.2/tools/virsh.c -@@ -2864,6 +2864,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE +--- libvirt-1.1.4.orig/tools/virsh.c ++++ libvirt-1.1.4/tools/virsh.c +@@ -3026,6 +3026,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE vshPrint(ctl, " Interface"); # if defined(WITH_NETCF) vshPrint(ctl, " netcf"); @@ -79,10 +78,10 @@ Index: libvirt-1.1.2/tools/virsh.c # elif defined(WITH_UDEV) vshPrint(ctl, " udev"); # endif -Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c +Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c =================================================================== ---- libvirt-1.1.2.orig/src/interface/interface_backend_netcf.c -+++ libvirt-1.1.2/src/interface/interface_backend_netcf.c +--- libvirt-1.1.4.orig/src/interface/interface_backend_netcf.c ++++ libvirt-1.1.4/src/interface/interface_backend_netcf.c @@ -23,7 +23,12 @@ #include 
@@ -97,9 +96,9 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c #include "virerror.h" #include "datatypes.h" -@@ -54,6 +59,38 @@ static void interfaceDriverUnlock(struct - virMutexUnlock(&driver->lock); - } +@@ -63,6 +68,37 @@ VIR_ONCE_GLOBAL_INIT(virNetcfDriverState + + static virNetcfDriverStatePtr driverState = NULL; +#ifdef WITH_NETCONTROL +static void @@ -132,25 +131,24 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c + virLogMessage(VIR_LOG_FROM_FILE, vp, file, line, func, 0, "%s", msg); +} +#endif -+ - /* - * Get a minimal virInterfaceDef containing enough metadata - * for access control checks to be performed. Currently -@@ -164,6 +201,10 @@ static virDrvOpenStatus netcfInterfaceOp - goto mutex_error; - } + + static void + virNetcfDriverStateDispose(void *obj) +@@ -85,6 +121,10 @@ netcfStateInitialize(bool privileged ATT + if (!(driverState = virObjectLockableNew(virNetcfDriverStateClass))) + return -1; +#ifdef WITH_NETCONTROL + nc_logger_redirect_to(interface_nc_log_driver); +#endif + /* open netcf */ - if (ncf_init(&driverState->netcf, NULL) != 0) - { -Index: libvirt-1.1.2/src/interface/interface_driver.c + if (ncf_init(&driverState->netcf, NULL) != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", +Index: libvirt-1.1.4/src/interface/interface_driver.c =================================================================== ---- libvirt-1.1.2.orig/src/interface/interface_driver.c -+++ libvirt-1.1.2/src/interface/interface_driver.c +--- libvirt-1.1.4.orig/src/interface/interface_driver.c ++++ libvirt-1.1.4/src/interface/interface_driver.c @@ -28,8 +28,15 @@ interfaceRegister(void) { if (netcfIfaceRegister() == 0) return 0; @@ -168,10 +166,10 @@ Index: libvirt-1.1.2/src/interface/interface_driver.c if (udevIfaceRegister() == 0) return 0; #endif /* WITH_UDEV */ -Index: libvirt-1.1.2/m4/virt-netcontrol.m4 +Index: libvirt-1.1.4/m4/virt-netcontrol.m4 =================================================================== 
--- /dev/null -+++ libvirt-1.1.2/m4/virt-netcontrol.m4 ++++ libvirt-1.1.4/m4/virt-netcontrol.m4 @@ -0,0 +1,35 @@ +dnl The libnetcontrol library +dnl diff --git a/libvirt.changes b/libvirt.changes index afe5298..a6b7ead 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Nov 20 10:57:57 MST 2013 - jfehlig@suse.com + +- Update to libvirt 1.1.4 + - Add support for AArch64 architecture + - Various improvements on test code and test driver + - Don't link virt-login-shell against libvirt.so + - Close all non-stdio FDs in virt-login-shell + - Only allow 'stderr' log output when running setuid + - Fix perms for virConnectDomainXML{To,From}Native + - Many incremental improvements and bug fixes, see + http://libvirt.org/news.html + - Drop upstream patches: e7f400a1-CVE-2013-4296.patch, + 2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch, + e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch, + e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch, + 484cc321-fix-spice-migration.patch, + 79552754-libvirtd-chardev-crash.patch, + 57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch, + 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, + 3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch, + 843bdb2f-CVE-2013-4400.patch, + bd773e74-lxc-terminate-machine.patch, + e350826c-python-fix-fd-passing.patch + ------------------------------------------------------------------- Tue Nov 19 14:23:27 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 804a4ab..47d3cfc 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -42,10 +42,10 @@ %define with_lxc 0%{!?_without_lxc:%{server_drivers}} %define with_uml 0%{!?_without_uml:%{server_drivers}} %define with_libxl 0%{!?_without_libxl:%{server_drivers}} +%define with_vbox 0%{!?_without_vbox:%{server_drivers}} # Then the hypervisor drivers that run outside libvirtd, in libvirt.so %define with_openvz 0%{!?_without_openvz:1} -%define with_vbox 0%{!?_without_vbox:1} %define with_vmware 0%{!?_without_vmware:1} %define with_phyp 0%{!?_without_phyp:0} %define with_esx 0%{!?_without_esx:1} @@ -225,7 +225,7 @@ Name: libvirt Url: http://libvirt.org/ -Version: 1.1.2 +Version: 1.1.4 Release: 0 Summary: Library providing a simple virtualization API License: LGPL-2.1+ @@ -337,7 +337,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?suse_version} > 1110 -BuildRequires: polkit >= 0.9 +BuildRequires: polkit-devel >= 0.9 %else BuildRequires: PolicyKit-devel >= 0.6 %endif @@ -400,24 +400,6 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches -Patch0: e7f400a1-CVE-2013-4296.patch -Patch1: 2dba0323-CVE-2013-4297.patch -Patch2: db7a5688-CVE-2013-4311.patch -Patch3: e65667c0-CVE-2013-4311.patch -Patch4: 922b7fda-CVE-2013-4311.patch -Patch5: e4697b92-CVE-2013-4311.patch -Patch6: 8294aa0c-CVE-2013-4399.patch -Patch7: 484cc321-fix-spice-migration.patch -Patch8: 79552754-libvirtd-chardev-crash.patch -Patch9: 57687fd6-CVE-2013-4401.patch -Patch10: ae53e5d1-CVE-2013-4400.patch -Patch11: 8c3586ea-CVE-2013-4400.patch -Patch12: b7fcc799a-CVE-2013-4400.patch -Patch13: 3e2f27e1-CVE-2013-4400.patch -Patch14: 5a0ea4b7-CVE-2013-4400.patch -Patch15: 843bdb2f-CVE-2013-4400.patch -Patch16: bd773e74-lxc-terminate-machine.patch -Patch17: e350826c-python-fix-fd-passing.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch 
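Review bot: The with_vbox define moves into the `%{server_drivers}` group and `BuildRequires: polkit` becomes `polkit-devel`, but neither change is recorded in the libvirt.changes entry in this commit, which lists only the version bump and the dropped patches; I'd add two lines to that entry so the packaging changes are traceable later. Dropping Patch0 through Patch17 (the CVE-2013-4296, -4297, -4311, -4399, -4400 and -4401 fixes) is sound only because 1.1.4 carries them upstream, as the changelog states, and the matching `%patchN -p1` removals appear in the `%prep` hunk further down, so the two halves stay consistent.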
@@ -484,16 +466,6 @@ Requires: bridge-utils Requires: iproute Requires: logrotate -%if %{with_network} -Requires: dnsmasq >= 2.41 -Requires: radvd -%endif -%if %{with_network} || %{with_nwfilter} -Requires: iptables -%endif -%if %{with_nwfilter} -Requires: ebtables -%endif %if %{with_udev} Requires: udev >= 145 %endif @@ -504,39 +476,6 @@ Recommends: polkit >= 0.93 Recommends: PolicyKit >= 0.6 %endif %endif -%if %{with_storage_fs} -Requires: nfs-utils -# For mkfs -Requires: util-linux -%endif -%if %{with_qemu} -# From QEMU RPMs -Requires: /usr/bin/qemu-img -# For image compression -Requires: bzip2 -Requires: gzip -Requires: xz -%if 0%{?suse_version} > 1210 -Requires: lzop -%endif -%endif -%if %{with_storage_lvm} -# For LVM drivers -Requires: lvm2 -%endif -%if %{with_storage_iscsi} -# For ISCSI driver -Requires: open-iscsi -%endif -%if %{with_storage_disk} -# For disk driver -Requires: device-mapper -Requires: parted -%endif -%if %{with_storage_mpath} -# For multipath support -Requires: device-mapper -%endif %if %{with_cgconfig} Requires: libcgroup1 %endif @@ -573,7 +512,11 @@ cleaning guest network traffic. %package daemon-driver-network Summary: Network driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ +Requires: dnsmasq >= 2.41 +Requires: iptables +# TODO Requires: iptables-ipv6 Requires: libvirt-daemon = %{version}-%{release} +Requires: radvd %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing @@ -586,6 +529,9 @@ bridge capabilities. %package daemon-driver-nwfilter Summary: A nwfilter driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ +Requires: ebtables +Requires: iptables +# TODO Requires: iptables-ipv6 Requires: libvirt-daemon = %{version}-%{release} %description daemon-driver-nwfilter 
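Review bot: `# TODO Requires: iptables-ipv6` is added to both the daemon-driver-network and daemon-driver-nwfilter subpackages; a TODO inside a Requires list is easy to forget, and if IPv6 filtering really needs a separate package on the target products the rule would simply be absent at runtime with no install-time signal. I'd either resolve it now or replace it with a comment stating why no extra package is needed, confirmed against the products the spec targets. Moving dnsmasq, radvd, iptables and ebtables out of the main daemon package into the driver subpackages is otherwise the right direction, since the removed `%if %{with_network}` / `%if %{with_nwfilter}` guards are implied by the subpackages themselves.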
@@ -635,6 +581,32 @@ an implementation of the secret key APIs. Summary: Storage driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} +%if %{with_storage_fs} +Requires: nfs-utils +# For mkfs +Requires: util-linux +%endif +%if %{with_qemu} +# From QEMU RPMs +Requires: /usr/bin/qemu-img +%endif +%if %{with_storage_lvm} +# For LVM drivers +Requires: lvm2 +%endif +%if %{with_storage_iscsi} +# For ISCSI driver +Requires: open-iscsi +%endif +%if %{with_storage_disk} +# For disk driver +Requires: device-mapper +Requires: parted +%endif +%if %{with_storage_mpath} +# For multipath support +Requires: device-mapper +%endif %description daemon-driver-storage The storage driver plugin for the libvirtd daemon, providing @@ -649,7 +621,15 @@ Summary: Qemu driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} # There really is a hard cross-driver dependency here +Requires: /usr/bin/qemu-img Requires: libvirt-daemon-driver-network = %{version}-%{release} +# For image compression +Requires: bzip2 +Requires: gzip +Requires: xz +%if 0%{?suse_version} > 1210 +Requires: lzop +%endif %description daemon-driver-qemu The qemu driver plugin for the libvirtd daemon, providing @@ -931,24 +911,6 @@ of recent versions of Linux (and other OSes). %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 %patch100 -p1 %patch101 %patch102 -p1 diff --git a/libvirtd-defaults.patch b/libvirtd-defaults.patch index cf61b17..ad52bcc 100644 --- a/libvirtd-defaults.patch +++ b/libvirtd-defaults.patch 
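Review bot: In the daemon-driver-storage subpackage `Requires: /usr/bin/qemu-img` is guarded by `%if %{with_qemu}`, while the same requirement is added unconditionally to daemon-driver-qemu a few lines later. If the storage driver's use of qemu-img does not depend on the qemu driver being built, the guard leaves a storage-only build without the binary at runtime; I'd either move that line under `%if %{with_storage_fs}` or add a comment explaining why it is tied to with_qemu. The `Requires: device-mapper` repeated under with_storage_disk and with_storage_mpath is harmless to rpm but a short comment that the duplication is intentional would stop the next editor from "fixing" it.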
@@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/daemon/libvirtd.conf +Index: libvirt-1.1.4/daemon/libvirtd.conf =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.conf -+++ libvirt-1.1.2/daemon/libvirtd.conf +--- libvirt-1.1.4.orig/daemon/libvirtd.conf ++++ libvirt-1.1.4/daemon/libvirtd.conf @@ -18,8 +18,8 @@ # It is necessary to setup a CA and issue server certificates before # using this capability. @@ -13,10 +13,10 @@ Index: libvirt-1.1.2/daemon/libvirtd.conf # Listen for unencrypted TCP connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to -Index: libvirt-1.1.2/daemon/libvirtd-config.c +Index: libvirt-1.1.4/daemon/libvirtd-config.c =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd-config.c -+++ libvirt-1.1.2/daemon/libvirtd-config.c +--- libvirt-1.1.4.orig/daemon/libvirtd-config.c ++++ libvirt-1.1.4/daemon/libvirtd-config.c @@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT if (VIR_ALLOC(data) < 0) return NULL; diff --git a/libvirtd-init-script.patch b/libvirtd-init-script.patch index 810fba9..38431b6 100644 --- a/libvirtd-init-script.patch +++ b/libvirtd-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirtd sysconfig file to conform to SUSE standards -Index: libvirt-1.1.2/daemon/libvirtd.sysconf +Index: libvirt-1.1.4/daemon/libvirtd.sysconf =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.sysconf -+++ libvirt-1.1.2/daemon/libvirtd.sysconf +--- libvirt-1.1.4.orig/daemon/libvirtd.sysconf ++++ libvirt-1.1.4/daemon/libvirtd.sysconf @@ -1,16 +1,25 @@ +## Path: System/Virtualization/libvirt + diff --git a/libxl-hvm-nic.patch b/libxl-hvm-nic.patch index 74eb8e3..9b8b9c5 100644 --- a/libxl-hvm-nic.patch +++ b/libxl-hvm-nic.patch 
@@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/libxl/libxl_conf.c +Index: libvirt-1.1.4/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.2.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.2/src/libxl/libxl_conf.c -@@ -846,8 +846,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l +--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c ++++ libvirt-1.1.4/src/libxl/libxl_conf.c +@@ -883,8 +883,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l * x_nics[i].mtu = 1492; */ @@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c virMacAddrGetRaw(&l_nic->mac, x_nic->mac); if (l_nic->model && !STREQ(l_nic->model, "netfront")) { -@@ -892,6 +890,8 @@ libxlMakeNicList(virDomainDefPtr def, l +@@ -929,6 +927,8 @@ libxlMakeNicList(virDomainDefPtr def, l return -1; for (i = 0; i < nnics; i++) { diff --git a/libxl-hvm-vnc.patch b/libxl-hvm-vnc.patch index f6809ff..e4ecc65 100644 --- a/libxl-hvm-vnc.patch +++ b/libxl-hvm-vnc.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/libxl/libxl_conf.c +Index: libvirt-1.1.4/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.2.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.2/src/libxl/libxl_conf.c -@@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de +--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c ++++ libvirt-1.1.4/src/libxl/libxl_conf.c +@@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de } static int @@ -33,7 +33,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config) { virDomainDefPtr def = vm->def; -@@ -1025,6 +1049,9 @@ libxlBuildDomainConfig(libxlDriverPrivat +@@ -1176,6 +1200,9 @@ libxlBuildDomainConfig(libxlDriverPrivat if (libxlMakeVfbList(driver, def, d_config) < 0) return -1; diff --git a/support-managed-pci-xen-driver.patch b/support-managed-pci-xen-driver.patch index fd1ebe4..e190634 100644 --- a/support-managed-pci-xen-driver.patch 
+++ b/support-managed-pci-xen-driver.patch @@ -8,11 +8,11 @@ Subject: [PATCH] support managed pci devices in xen driver src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 15 deletions(-) -Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c +Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c -@@ -993,6 +993,7 @@ xenParseSxprPCI(virDomainDefPtr def, +--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +@@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def, int busID; int slotID; int funcID; @@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c node = cur->u.s.car; if (!sexpr_lookup(node, "dev")) -@@ -1040,11 +1041,13 @@ xenParseSxprPCI(virDomainDefPtr def, +@@ -1043,11 +1044,13 @@ xenParseSxprPCI(virDomainDefPtr def, goto error; } @@ -35,7 +35,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; dev->source.subsys.u.pci.addr.domain = domainID; dev->source.subsys.u.pci.addr.bus = busID; -@@ -1990,11 +1993,15 @@ static void +@@ -1991,11 +1994,15 @@ static void xenFormatSxprPCI(virDomainHostdevDefPtr def, virBufferPtr buf) { @@ -52,7 +52,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c } -@@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP +@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP virBufferPtr buf, int detach) { @@ -65,7 +65,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c virBufferAddLit(buf, "(pci "); xenFormatSxprPCI(def, buf); if (detach) -@@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, +@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, for (i = 0; i < def->nhostdevs; i++) { if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { 
@@ -78,10 +78,10 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c xenFormatSxprPCI(def->hostdevs[i], buf); } } -Index: libvirt-1.1.2/src/xenxs/xen_xm.c +Index: libvirt-1.1.4/src/xenxs/xen_xm.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_xm.c -+++ libvirt-1.1.2/src/xenxs/xen_xm.c +--- libvirt-1.1.4.orig/src/xenxs/xen_xm.c ++++ libvirt-1.1.4/src/xenxs/xen_xm.c @@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf int busID; int slotID; diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch index d2f5ac9..c8bf9f4 100644 --- a/suse-qemu-conf.patch +++ b/suse-qemu-conf.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/qemu/qemu.conf +Index: libvirt-1.1.4/src/qemu/qemu.conf =================================================================== ---- libvirt-1.1.2.orig/src/qemu/qemu.conf -+++ libvirt-1.1.2/src/qemu/qemu.conf -@@ -175,7 +175,16 @@ +--- libvirt-1.1.4.orig/src/qemu/qemu.conf ++++ libvirt-1.1.4/src/qemu/qemu.conf +@@ -200,7 +200,16 @@ # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. # @@ -19,7 +19,7 @@ Index: libvirt-1.1.2/src/qemu/qemu.conf # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -@@ -371,6 +380,15 @@ +@@ -402,6 +411,15 @@ #allow_disk_format_probing = 1 diff --git a/systemd-service-xen.patch b/systemd-service-xen.patch index 4319f9d..1bfa0e5 100644 --- a/systemd-service-xen.patch +++ b/systemd-service-xen.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/daemon/libvirtd.service.in +Index: libvirt-1.1.4/daemon/libvirtd.service.in =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.service.in -+++ libvirt-1.1.2/daemon/libvirtd.service.in +--- libvirt-1.1.4.orig/daemon/libvirtd.service.in ++++ libvirt-1.1.4/daemon/libvirtd.service.in 
@@ -9,6 +9,8 @@ Before=libvirt-guests.service After=network.target After=dbus.service diff --git a/virtlockd-init-script.patch b/virtlockd-init-script.patch index 356e3a9..bbf1051 100644 --- a/virtlockd-init-script.patch +++ b/virtlockd-init-script.patch @@ -1,9 +1,9 @@ Adjust virtlockd init files to conform to SUSE standards -Index: libvirt-1.1.2/src/locking/virtlockd.sysconf +Index: libvirt-1.1.4/src/locking/virtlockd.sysconf =================================================================== ---- libvirt-1.1.2.orig/src/locking/virtlockd.sysconf -+++ libvirt-1.1.2/src/locking/virtlockd.sysconf +--- libvirt-1.1.4.orig/src/locking/virtlockd.sysconf ++++ libvirt-1.1.4/src/locking/virtlockd.sysconf @@ -1,3 +1,7 @@ +## Path: System/Virtualization/virtlockd + @@ -12,10 +12,10 @@ Index: libvirt-1.1.2/src/locking/virtlockd.sysconf # # Pass extra arguments to virtlockd #VIRTLOCKD_ARGS= -Index: libvirt-1.1.2/src/locking/virtlockd.init.in +Index: libvirt-1.1.4/src/locking/virtlockd.init.in =================================================================== ---- libvirt-1.1.2.orig/src/locking/virtlockd.init.in -+++ libvirt-1.1.2/src/locking/virtlockd.init.in +--- libvirt-1.1.4.orig/src/locking/virtlockd.init.in ++++ libvirt-1.1.4/src/locking/virtlockd.init.in @@ -4,11 +4,13 @@ # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV # diff --git a/xen-name-for-devid.patch b/xen-name-for-devid.patch index fd635ee..3390495 100644 --- a/xen-name-for-devid.patch +++ b/xen-name-for-devid.patch @@ -14,10 +14,10 @@ is inactive. We obviously can't search xenstore when the domain is inactive. -Index: libvirt-1.1.2/src/xen/xend_internal.c +Index: libvirt-1.1.4/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.2.orig/src/xen/xend_internal.c -+++ libvirt-1.1.2/src/xen/xend_internal.c +--- libvirt-1.1.4.orig/src/xen/xend_internal.c ++++ libvirt-1.1.4/src/xen/xend_internal.c 
@@ -70,7 +70,7 @@ #define XEND_RCV_BUF_MAX_LEN (256 * 1024) @@ -27,7 +27,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c virDomainDeviceDefPtr dev, char *class, char *ref, int ref_len); -@@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c +@@ -3316,18 +3316,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c * Returns 0 in case of success, -1 in case of failure. */ static int @@ -50,7 +50,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c if (dev->data.disk->driverName && STREQ(dev->data.disk->driverName, "tap")) strcpy(class, "tap"); -@@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3337,19 +3337,17 @@ virDomainXMLDevID(virConnectPtr conn, else strcpy(class, "vbd"); @@ -81,7 +81,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c } else if (dev->type == VIR_DOMAIN_DEVICE_NET) { char mac[VIR_MAC_STRING_BUFLEN]; virDomainNetDefPtr netdef = dev->data.net; -@@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3357,16 +3355,22 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "vif"); @@ -114,7 +114,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { -@@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3382,17 +3386,44 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "pci"); diff --git a/xen-pv-cdrom.patch b/xen-pv-cdrom.patch index 78cd3ac..d552804 100644 --- a/xen-pv-cdrom.patch +++ b/xen-pv-cdrom.patch 
@@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c +Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c -@@ -327,7 +327,7 @@ error: +--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +@@ -330,7 +330,7 @@ error: static int xenParseSxprDisks(virDomainDefPtr def, const struct sexpr *root, @@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c int xendConfigVersion) { const struct sexpr *cur, *node; -@@ -378,7 +378,6 @@ xenParseSxprDisks(virDomainDefPtr def, +@@ -381,7 +381,6 @@ xenParseSxprDisks(virDomainDefPtr def, /* There is a case without the uname to the CD-ROM device */ offset = strchr(dst, ':'); if (!offset ||