pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 542717 from Virtualization

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/542717
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=240
This commit is contained in:
Dominique Leuenberger 2017-11-21 14:22:54 +00:00 committed by Git OBS Bridge
commit ddf6f32942
4 changed files with 167 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
8056721c-qemu-null-storage-source.patch Normal file
View File

@ -0,0 +1,115 @@
commit 8056721cbb75a717604a1f7971440726d9d85045
Author: Peter Krempa <pkrempa@redhat.com>
Date: Thu Nov 9 12:51:25 2017 +0100
qemu: Tolerate storage source private data being NULL
In some cases it does not make sense to pursue that the private data
will be allocated (especially when we don't need to put anything in it).
Ensure that the code works without it.
This also fixes few crashes pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=1510323
Index: libvirt-3.9.0/src/qemu/qemu_command.c
===================================================================
--- libvirt-3.9.0.orig/src/qemu/qemu_command.c
+++ libvirt-3.9.0/src/qemu/qemu_command.c
@@ -1362,12 +1362,17 @@ qemuBuildDriveSourceStr(virDomainDiskDef
{
int actualType = virStorageSourceGetActualType(disk->src);
qemuDomainStorageSourcePrivatePtr srcpriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
- qemuDomainSecretInfoPtr secinfo = srcpriv->secinfo;
- qemuDomainSecretInfoPtr encinfo = srcpriv->encinfo;
+ qemuDomainSecretInfoPtr secinfo = NULL;
+ qemuDomainSecretInfoPtr encinfo = NULL;
virJSONValuePtr srcprops = NULL;
char *source = NULL;
int ret = -1;
+ if (srcpriv) {
+ secinfo = srcpriv->secinfo;
+ encinfo = srcpriv->encinfo;
+ }
+
if (qemuDiskSourceNeedsProps(disk->src) &&
!(srcprops = qemuDiskSourceGetProps(disk->src)))
goto cleanup;
@@ -2239,8 +2244,13 @@ qemuBuildDiskDriveCommandLine(virCommand
bool driveBoot = false;
virDomainDiskDefPtr disk = def->disks[i];
qemuDomainStorageSourcePrivatePtr srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
- qemuDomainSecretInfoPtr secinfo = srcPriv->secinfo;
- qemuDomainSecretInfoPtr encinfo = srcPriv->encinfo;
+ qemuDomainSecretInfoPtr secinfo = NULL;
+ qemuDomainSecretInfoPtr encinfo = NULL;
+
+ if (srcPriv) {
+ secinfo = srcPriv->secinfo;
+ encinfo = srcPriv->encinfo;
+ }
if (disk->info.bootIndex) {
bootindex = disk->info.bootIndex;
Index: libvirt-3.9.0/src/qemu/qemu_hotplug.c
===================================================================
--- libvirt-3.9.0.orig/src/qemu/qemu_hotplug.c
+++ libvirt-3.9.0/src/qemu/qemu_hotplug.c
@@ -259,6 +259,7 @@ qemuDomainChangeEjectableMedia(virQEMUDr
qemuDomainObjPrivatePtr priv = vm->privateData;
qemuDomainDiskPrivatePtr diskPriv = QEMU_DOMAIN_DISK_PRIVATE(disk);
qemuDomainStorageSourcePrivatePtr srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
+ qemuDomainSecretInfoPtr secinfo = NULL;
const char *format = NULL;
char *sourcestr = NULL;
@@ -268,6 +269,9 @@ qemuDomainChangeEjectableMedia(virQEMUDr
goto cleanup;
}
+ if (srcPriv)
+ secinfo = srcPriv->secinfo;
+
if (disk->device != VIR_DOMAIN_DISK_DEVICE_FLOPPY &&
disk->device != VIR_DOMAIN_DISK_DEVICE_CDROM) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -300,7 +304,7 @@ qemuDomainChangeEjectableMedia(virQEMUDr
}
if (!virStorageSourceIsEmpty(newsrc)) {
- if (qemuGetDriveSourceString(newsrc, srcPriv->secinfo, &sourcestr) < 0)
+ if (qemuGetDriveSourceString(newsrc, secinfo, &sourcestr) < 0)
goto error;
if (virStorageSourceGetActualType(newsrc) != VIR_STORAGE_TYPE_DIR) {
@@ -371,8 +375,8 @@ qemuDomainAttachDiskGeneric(virConnectPt
virJSONValuePtr secobjProps = NULL;
virJSONValuePtr encobjProps = NULL;
qemuDomainStorageSourcePrivatePtr srcPriv;
- qemuDomainSecretInfoPtr secinfo;
- qemuDomainSecretInfoPtr encinfo;
+ qemuDomainSecretInfoPtr secinfo = NULL;
+ qemuDomainSecretInfoPtr encinfo = NULL;
if (qemuDomainPrepareDisk(driver, vm, disk, NULL, false) < 0)
goto cleanup;
@@ -384,13 +388,16 @@ qemuDomainAttachDiskGeneric(virConnectPt
goto error;
srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
- secinfo = srcPriv->secinfo;
+ if (srcPriv) {
+ secinfo = srcPriv->secinfo;
+ encinfo = srcPriv->encinfo;
+ }
+
if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
if (qemuBuildSecretInfoProps(secinfo, &secobjProps) < 0)
goto error;
}
- encinfo = srcPriv->encinfo;
if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0)
goto error;

14
libvirt.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri Nov 17 21:59:28 UTC 2017 - jfehlig@suse.com
- apparmor: allow libvirtd to send signals to unconfined processes
suse-apparmor-signal.patch
boo#1065123
-------------------------------------------------------------------
Fri Nov 17 18:37:43 UTC 2017 - jfehlig@suse.com
- qemu: Tolerate storage source private data being NULL
8056721c-qemu-null-storage-source.patch
bsc#1068752
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Nov 8 21:10:34 UTC 2017 - jfehlig@suse.com Wed Nov 8 21:10:34 UTC 2017 - jfehlig@suse.com

20
libvirt.spec
View File

@ -300,6 +300,7 @@ Source4: libvirt-supportconfig
Source99: baselibs.conf Source99: baselibs.conf
Source100: %{name}-rpmlintrc Source100: %{name}-rpmlintrc
# Upstream patches # Upstream patches
Patch0: 8056721c-qemu-null-storage-source.patch
# Patches pending upstream review # Patches pending upstream review
Patch100: libxl-dom-reset.patch Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -322,14 +323,15 @@ Patch205: suse-libvirtd-service-xen.patch
Patch206: suse-qemu-conf.patch Patch206: suse-qemu-conf.patch
Patch207: suse-ovmf-paths.patch Patch207: suse-ovmf-paths.patch
Patch208: suse-apparmor-libnl-paths.patch Patch208: suse-apparmor-libnl-paths.patch
Patch209: support-managed-pci-xen-driver.patch Patch209: suse-apparmor-signal.patch
Patch210: xen-sxpr-disk-type.patch Patch210: support-managed-pci-xen-driver.patch
Patch211: libxl-support-block-script.patch Patch211: xen-sxpr-disk-type.patch
Patch212: apparmor-no-mount.patch Patch212: libxl-support-block-script.patch
Patch213: qemu-apparmor-screenshot.patch Patch213: apparmor-no-mount.patch
Patch214: libvirt-suse-netcontrol.patch Patch214: qemu-apparmor-screenshot.patch
Patch215: lxc-wait-after-eth-del.patch Patch215: libvirt-suse-netcontrol.patch
Patch216: libxl-qemu-emulator-caps.patch Patch216: lxc-wait-after-eth-del.patch
Patch217: libxl-qemu-emulator-caps.patch
# SLES-Only patches # SLES-Only patches
%if ! 0%{?is_opensuse} %if ! 0%{?is_opensuse}
Patch400: virt-create-rootfs.patch Patch400: virt-create-rootfs.patch
@ -876,6 +878,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch100 -p1 %patch100 -p1
%patch101 -p1 %patch101 -p1
%patch102 -p1 %patch102 -p1
@ -903,6 +906,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%patch214 -p1 %patch214 -p1
%patch215 -p1 %patch215 -p1
%patch216 -p1 %patch216 -p1
%patch217 -p1
%if ! 0%{?is_opensuse} %if ! 0%{?is_opensuse}
%patch400 -p1 %patch400 -p1
%endif %endif

26
suse-apparmor-signal.patch Normal file
View File

@ -0,0 +1,26 @@
apparmor: allow libvirtd to send signals to unconfined processes
When confinement of QEMU/KVM domains is not enforced (security_default_confined = 0),
qemu processes run unconfined. Add a rule to the libvirtd apparmor profile allowing
sending signals to unconfined processes. Without the rule, libvirtd
is unable to signal QEMU/KVM domains. E.g. 'virsh destroy dom' results in the
following denial in audit.log
type=AVC msg=audit(1510951646.581:939): apparmor="DENIED" operation="signal"
profile="/usr/sbin/libvirtd" pid=18891 comm="libvirtd" requested_mask="send"
denied_mask="send" signal=term peer="unconfined"
Index: libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
@@ -60,6 +60,9 @@
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
+ # When confinement is not enforced (security_default_confined = 0), qemu
+ # processes run unconfined, hence 'peer=unconfined'
+ signal send set=(hup,kill,term) peer=unconfined,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.