Accepting request 204842 from Virtualization
Sorry for the delay. Quite some work to get libvirt in shape for RC2. Lots of bug fixes, and most importantly fixes for CVE-2013-{4400,4401}. Pretty please copy to 13.1 :) - libxl driver: fix initialization of VNC and SDL info for HVM domains libxl-hvm-vnc.patch bnc#847566 - Allow libvirtd apparmor profile to access /etc/xen/scripts/* - Fix file descriptor passing in python bindings e350826c-python-fix-fd-passing.patch rhb#1021434 - Have systemd terminate the machine as a workaround of fdo#68370 bd773e74-lxc-terminate-machine.patch bnc#842834 - Spec file fixes to only package libvirt-login-shell when building the LXC driver - CVE-2013-4400: Unsanitized use of env variables allows privilege escalation via virt-login-shell ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch, 843bdb2f-CVE-2013-4400.patch bnc#837609 - CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native 57687fd6-CVE-2013-4401.patch bnc#845704 - Move hypervisor-specific files out of libvirt-daemon package and into libvirt-daemon-<hypervisor> subpackage bnc#845851 OBS-URL: https://build.opensuse.org/request/show/204842 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=133
This commit is contained in:
commit
e794784ea4
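--- /dev/null
+++ b/3e2f27e1-CVE-2013-4400.patch
@@ -0,0 +1,354 @@
+commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu Oct 10 13:09:08 2013 +0100
+
+Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
+
+The libvirt.so library has far too many library deps to allow
+linking against it from setuid programs. Those libraries can
+do stuff in __attribute__((constructor) functions which is
+not setuid safe.
+
+The virt-login-shell needs to link directly against individual
+files that it uses, with all library deps turned off except
+for libxml2 and libselinux.
+
+Create a libvirt-setuid-rpc-client.la library which is linked
+to by virt-login-shell. A config-post.h file allows this library
+to disable all external deps except libselinux and libxml2.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/Makefile.am
++++ libvirt-1.1.2/Makefile.am
+@@ -31,6 +31,7 @@ XML_EXAMPLES = \
+test/*.xml storage/*.xml)))
+
+EXTRA_DIST = \
++ config-post.h \
+ChangeLog-old \
+libvirt.spec libvirt.spec.in \
+mingw-libvirt.spec.in \
+Index: libvirt-1.1.2/config-post.h
+===================================================================
+--- /dev/null
++++ libvirt-1.1.2/config-post.h
+@@ -0,0 +1,44 @@
++/*
++ * Copyright (C) 2013 Red Hat, Inc.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library. If not, see
++ * <http://www.gnu.org/licenses/>.
++ */
++
++/*
++ * Since virt-login-shell will be setuid, we must do everything
++ * we can to avoid linking to other libraries. Many of them do
++ * unsafe things in functions marked __atttribute__((constructor)).
++ * The only way avoid to avoid such deps is to re-compile the
++ * functions with the code in question disabled, and for that we
++ * must override the main config.h rules. Hence this file :-(
++ */
++
++#ifdef LIBVIRT_SETUID_RPC_CLIENT
++# undef HAVE_LIBDEVMAPPER_H
++# undef HAVE_LIBNL
++# undef HAVE_LIBNL3
++# undef HAVE_LIBSASL2
++# undef WITH_CAPNG
++# undef WITH_CURL
++# undef WITH_DTRACE_PROBES
++# undef WITH_GNUTLS
++# undef WITH_MACVTAP
++# undef WITH_NUMACTL
++# undef WITH_SASL
++# undef WITH_SSH2
++# undef WITH_VIRTUALPORT
++# undef WITH_YAJL
++# undef WITH_YAJL2
++#endif
+Index: libvirt-1.1.2/configure.ac
+===================================================================
+--- libvirt-1.1.2.orig/configure.ac
++++ libvirt-1.1.2/configure.ac
+@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list
+AC_CONFIG_SRCDIR([src/libvirt.c])
+AC_CONFIG_AUX_DIR([build-aux])
+AC_CONFIG_HEADERS([config.h])
++AH_BOTTOM([#include <config-post.h>])
+AC_CONFIG_MACRO_DIR([m4])
+dnl Make automake keep quiet about wildcards & other GNUmake-isms
+AM_INIT_AUTOMAKE([-Wno-portability tar-ustar])
+Index: libvirt-1.1.2/daemon/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/daemon/Makefile.am
++++ libvirt-1.1.2/daemon/Makefile.am
+@@ -18,6 +18,7 @@
+
+INCLUDES = \
+-I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
++ -I$(top_srcdir) \
+-I$(top_builddir)/include -I$(top_srcdir)/include \
+-I$(top_builddir)/src -I$(top_srcdir)/src \
+-I$(top_srcdir)/src/util \
+Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am
++++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
+@@ -15,7 +15,8 @@
+## <http://www.gnu.org/licenses/>.
+
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \
+- -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib
++ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
++ -I$(top_srcdir)
+noinst_PROGRAMS = event-test
+event_test_CFLAGS = $(WARN_CFLAGS)
+event_test_SOURCES = event-test.c
+Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am
++++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am
+@@ -14,7 +14,7 @@
+## License along with this library. If not, see
+## <http://www.gnu.org/licenses/>.
+
+-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
++INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
+noinst_PROGRAMS = hellolibvirt
+hellolibvirt_CFLAGS = $(WARN_CFLAGS)
+hellolibvirt_SOURCES = hellolibvirt.c
+Index: libvirt-1.1.2/examples/openauth/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/openauth/Makefile.am
++++ libvirt-1.1.2/examples/openauth/Makefile.am
+@@ -14,7 +14,7 @@
+## License along with this library. If not, see
+## <http://www.gnu.org/licenses/>.
+
+-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
++INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
+noinst_PROGRAMS = openauth
+openauth_CFLAGS = $(WARN_CFLAGS)
+openauth_SOURCES = openauth.c
+Index: libvirt-1.1.2/gnulib/lib/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/gnulib/lib/Makefile.am
++++ libvirt-1.1.2/gnulib/lib/Makefile.am
+@@ -27,4 +27,4 @@ noinst_LTLIBRARIES =
+
+include gnulib.mk
+
+-INCLUDES = $(GETTEXT_CPPFLAGS)
++INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS)
+Index: libvirt-1.1.2/python/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/python/Makefile.am
++++ libvirt-1.1.2/python/Makefile.am
+@@ -20,6 +20,7 @@ INCLUDES = \
+$(PYTHON_INCLUDES) \
+-I$(top_builddir)/gnulib/lib \
+-I$(top_srcdir)/gnulib/lib \
++ -I$(top_srcdir) \
+-I$(top_builddir)/src \
+-I$(top_srcdir)/src \
+-I$(top_srcdir)/src/util \
+Index: libvirt-1.1.2/src/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/src/Makefile.am
++++ libvirt-1.1.2/src/Makefile.am
+@@ -21,6 +21,7 @@
+# that actually use them. Also keep GETTEXT_CPPFLAGS at the end.
+INCLUDES = -I../gnulib/lib \
+-I$(top_srcdir)/gnulib/lib \
++ -I$(top_srcdir) \
+-I../include \
+-I$(top_srcdir)/include \
+-I$(top_srcdir)/src/util \
+@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \
+libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
+libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+
++# Since virt-login-shell will be setuid, we must do everything
++# we can to avoid linking to other libraries. Many of them do
++# unsafe things in functions marked __atttribute__((constructor)).
++# This library is built to include the bare minimum required to
++# have a RPC client for local UNIX socket access only. We use
++# the ../config-post.h header to disable all external deps that
++# we don't want
++if WITH_LXC
++noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la
++
++libvirt_setuid_rpc_client_la_SOURCES = \
++ util/viralloc.c \
++ util/virbitmap.c \
++ util/virbuffer.c \
++ util/vircommand.c \
++ util/virconf.c \
++ util/virerror.c \
++ util/virevent.c \
++ util/vireventpoll.c \
++ util/virfile.c \
++ util/virhash.c \
++ util/virhashcode.c \
++ util/virjson.c \
++ util/virlog.c \
++ util/virobject.c \
++ util/virpidfile.c \
++ util/virprocess.c \
++ util/virrandom.c \
++ util/virsocketaddr.c \
++ util/virstoragefile.c \
++ util/virstring.c \
++ util/virtime.c \
++ util/virthread.c \
++ util/virtypedparam.c \
++ util/viruri.c \
++ util/virutil.c \
++ util/viruuid.c \
++ conf/domain_event.c \
++ rpc/virnetsocket.c \
++ rpc/virnetsocket.h \
++ rpc/virnetmessage.h \
++ rpc/virnetmessage.c \
++ rpc/virkeepalive.c \
++ rpc/virkeepalive.h \
++ rpc/virnetclient.c \
++ rpc/virnetclientprogram.c \
++ rpc/virnetclientstream.c \
++ rpc/virnetprotocol.c \
++ remote/remote_driver.c \
++ remote/remote_protocol.c \
++ remote/qemu_protocol.c \
++ remote/lxc_protocol.c \
++ datatypes.c \
++ libvirt.c \
++ libvirt-lxc.c \
++ $(NULL)
++
++libvirt_setuid_rpc_client_la_LDFLAGS = \
++ $(AM_LDFLAGS) \
++ $(LIBXML_LIBS) \
++ $(SELINUX_LIBS) \
++ $(NULL)
++libvirt_setuid_rpc_client_la_CFLAGS = \
++ -DLIBVIRT_SETUID_RPC_CLIENT \
++ -I$(top_srcdir)/src/conf \
++ -I$(top_srcdir)/src/rpc \
++ $(AM_CFLAGS) \
++ $(SELINUX_CFLAGS) \
++ $(NULL)
++endif WITH_LXC
++
+lockdriverdir = $(libdir)/libvirt/lock-driver
+lockdriver_LTLIBRARIES =
+
+Index: libvirt-1.1.2/src/libvirt.c
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt.c
++++ libvirt-1.1.2/src/libvirt.c
+@@ -446,40 +446,46 @@ virGlobalInit(void)
+goto error;
+
+/*
++ * Note we must avoid everything except 'remote' driver
++ * for virt-login-shell usage
++ */
++#ifndef LIBVIRT_SETUID_RPC_CLIENT
++ /*
+* Note that the order is important: the first ones have a higher
+* priority when calling virConnectOpen.
+*/
+-#ifdef WITH_TEST
++# ifdef WITH_TEST
+if (testRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_OPENVZ
++# endif
++# ifdef WITH_OPENVZ
+if (openvzRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_VMWARE
++# endif
++# ifdef WITH_VMWARE
+if (vmwareRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_PHYP
++# endif
++# ifdef WITH_PHYP
+if (phypRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_ESX
++# endif
++# ifdef WITH_ESX
+if (esxRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_HYPERV
++# endif
++# ifdef WITH_HYPERV
+if (hypervRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_XENAPI
++# endif
++# ifdef WITH_XENAPI
+if (xenapiRegister() == -1)
+goto error;
+-#endif
+-#ifdef WITH_PARALLELS
++# endif
++# ifdef WITH_PARALLELS
+if (parallelsRegister() == -1)
+goto error;
++# endif
+#endif
+#ifdef WITH_REMOTE
+if (remoteRegister() == -1)
+Index: libvirt-1.1.2/tools/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/tools/Makefile.am
++++ libvirt-1.1.2/tools/Makefile.am
+@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \
+$(COVERAGE_CFLAGS) \
+$(NULL)
+
++# Since virt-login-shell will be setuid, we must do everything
++# we can to avoid linking to other libraries. Many of them do
++# unsafe things in functions marked __atttribute__((constructor)).
++# This we statically link to a library containing only the minimal
++# libvirt client code, not libvirt.so itself.
+virt_login_shell_SOURCES = \
+virt-login-shell.c
+
+@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \
+virt_login_shell_LDADD = \
+$(STATIC_BINARIES) \
+$(PIE_LDFLAGS) \
+- ../src/libvirt.la \
+- ../src/libvirt-lxc.la \
++ ../src/libvirt-setuid-rpc-client.la \
+../gnulib/lib/libgnu.la
+
+virt_login_shell_CFLAGS = \
++ -DLIBVIRT_SETUID_RPC_CLIENT \
+$(WARN_CFLAGS) \
+$(PIE_CFLAGS) \
+$(COVERAGE_CFLAGS)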
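Review bot: The `# undef` list in the new config-post.h leaves WITH_SECDRIVER_APPARMOR, WITH_SECDRIVER_SELINUX and WITH_GNUTLS_GCRYPT defined even though util/vircommand.c and libvirt.c are compiled into libvirt-setuid-rpc-client.la under that header, so the library still pulls those dependencies into a setuid binary; the two follow-up patches on this page (5a0ea4b7, 843bdb2f) are the build breakages that surfaced from exactly this gap. Because this header is the single place that decides what virt-login-shell links, the `#ifdef LIBVIRT_SETUID_RPC_CLIENT` block needs a comment stating the rule, e.g. `/* Keep in sync with libvirt_setuid_rpc_client_la_SOURCES in src/Makefile.am: every WITH_/HAVE_ macro a listed file depends on must be undefined here unless that dependency is known to be setuid-safe */`. The same explanatory comment is copied into src/Makefile.am and tools/Makefile.am and all three spell the attribute `__atttribute__`; config-post.h also reads "The only way avoid to avoid such deps". The `#ifndef LIBVIRT_SETUID_RPC_CLIENT` wrapper in libvirt.c covers the driver registrations visible here, but virGlobalInit continues outside the hunk, so whether anything after remoteRegister() also needs the guard cannot be judged from this diff.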
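--- /dev/null
+++ b/57687fd6-CVE-2013-4401.patch
@@ -0,0 +1,52 @@
+commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu Oct 3 16:37:57 2013 +0100
+
+Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)
+
+The virConnectDomainXMLToNative API should require 'connect:write'
+not 'connect:read', since it will trigger execution of the QEMU
+binaries listed in the XML.
+
+Also make virConnectDomainXMLFromNative API require a full
+read-write connection and 'connect:write' permission. Although the
+current impl doesn't trigger execution of QEMU, we should not
+rely on that impl detail from an API permissioning POV.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/libvirt.c
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt.c
++++ libvirt-1.1.2/src/libvirt.c
+@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC
+virDispatchError(NULL);
+return NULL;
+}
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+virCheckNonNullArgGoto(nativeFormat, error);
+virCheckNonNullArgGoto(nativeConfig, error);
+Index: libvirt-1.1.2/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-1.1.2.orig/src/remote/remote_protocol.x
++++ libvirt-1.1.2/src/remote/remote_protocol.x
+@@ -3812,13 +3812,13 @@ enum remote_procedure {
+
+/**
+* @generate: both
+- * @acl: connect:read
++ * @acl: connect:write
+*/
+REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
+
+/**
+* @generate: both
+- * @acl: connect:read
++ * @acl: connect:write
+*/
+REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,
+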
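Review bot: The new read-only guard in virConnectDomainXMLFromNative reports through `virLibDomainError` although this is a connection-level API with no domain object in scope; if the neighbouring virConnect* entry points in libvirt.c report the same VIR_CONNECT_RO rejection through virLibConnError, this one should match (`virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);`) so the error's domain field is consistent for callers that filter on it. Only the remote_protocol.x ACL annotation is changed for virConnectDomainXMLToNative; the commit message implies its libvirt.c read-only check already exists, which is worth confirming since that function is outside this diff, and the @acl change only takes effect once the generated ACL dispatch code is rebuilt. The enclosing virConnectDomainXMLFromNative continues outside the hunk.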
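--- /dev/null
+++ b/5a0ea4b7-CVE-2013-4400.patch
@@ -0,0 +1,103 @@
+commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2
+Author: Jim Fehlig <jfehlig@suse.com>
+Date: Mon Oct 21 15:36:11 2013 -0600
+
+build: fix linking virt-login-shell
+
+After commit 3e2f27e1, I've noticed build failures of virt-login-shell
+when libapparmor-devel is installed on the build host
+
+CCLD virt-login-shell
+../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o):
+In function `virExec':
+/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined
+reference to `aa_change_profile'
+collect2: error: ld returned 1 exit status
+
+I was about to commit an easy fix under the build-breaker rule
+(build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS
+to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it
+makes sense (build-fix-2.patch).
+
+Should I just stick with the simple fix, or is something along the lines
+of patch 2 preferred?
+
+Regards,
+Jim
+
+>From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Mon, 21 Oct 2013 15:30:02 -0600
+Subject: [PATCH] build: fix virt-login-shell build with apparmor
+
+With libapparmor-devel installed, virt-login-shell fails to link
+
+CCLD virt-login-shell
+../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
+/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
+collect2: error: ld returned 1 exit status
+
+Fix by linking libvirt_setuid_rpc_client with previously determined
+SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS
+and use both throughout src/Makefile.am where it makes sense.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+
+Index: libvirt-1.1.2/src/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/src/Makefile.am
++++ libvirt-1.1.2/src/Makefile.am
+@@ -49,11 +49,14 @@ nodist_conf_DATA =
+
+THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD)
+
++SECDRIVER_CFLAGS =
+SECDRIVER_LIBS =
+if WITH_SECDRIVER_SELINUX
++SECDRIVER_CFLAGS += $(SELINUX_CFLAGS)
+SECDRIVER_LIBS += $(SELINUX_LIBS)
+endif
+if WITH_SECDRIVER_APPARMOR
++SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS)
+SECDRIVER_LIBS += $(APPARMOR_LIBS)
+endif
+
+@@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES =
+libvirt_setuid_rpc_client_la_LDFLAGS = \
+$(AM_LDFLAGS) \
+$(LIBXML_LIBS) \
+- $(SELINUX_LIBS) \
++ $(SECDRIVER_LIBS) \
+$(NULL)
+libvirt_setuid_rpc_client_la_CFLAGS = \
+-DLIBVIRT_SETUID_RPC_CLIENT \
+-I$(top_srcdir)/src/conf \
+-I$(top_srcdir)/src/rpc \
+$(AM_CFLAGS) \
+- $(SELINUX_CFLAGS) \
++ $(SECDRIVER_CFLAGS) \
+$(NULL)
+endif WITH_LXC
+
+@@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \
+$(GNUTLS_LIBS) \
+$(SASL_LIBS) \
+$(SSH2_LIBS)\
++ $(SECDRIVER_LIBS) \
+$(AM_LDFLAGS) \
+$(CYGWIN_EXTRA_LDFLAGS) \
+$(MINGW_EXTRA_LDFLAGS)
+@@ -2410,12 +2414,7 @@ if WITH_BLKID
+libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
+libvirt_lxc_LDADD += $(BLKID_LIBS)
+endif
+-if WITH_SECDRIVER_SELINUX
+-libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS)
+-endif
+-if WITH_SECDRIVER_APPARMOR
+-libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS)
+-endif
++libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS)
+endif
+endif
+EXTRA_DIST += $(LXC_CONTROLLER_SOURCES)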
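Review bot: Adding `$(SECDRIVER_LIBS)` to libvirt_setuid_rpc_client_la_LDFLAGS resolves the `aa_change_profile` link error by linking libapparmor (and libselinux) into the setuid virt-login-shell, which works against the stated reason for this library in the comment that introduces it in src/Makefile.am — keeping third-party constructors out of a setuid process. The alternative that stays within that design is `# undef WITH_SECDRIVER_APPARMOR` in the LIBVIRT_SETUID_RPC_CLIENT block of config-post.h, so vircommand.c is compiled without the profile-switching call; whether virt-login-shell actually needs that hook is not visible here, and if it does, the comment block above libvirt_setuid_rpc_client_la_SOURCES should say so, because it currently reads as if no security-driver library is linked at all. The patch header also keeps the cover e-mail ("Should I just stick with the simple fix…", "Regards, Jim") ahead of the actual commit message; only the mbox part from `>From a0f35945…` onward belongs in the file.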
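--- /dev/null
+++ b/79552754-libvirtd-chardev-crash.patch
@@ -0,0 +1,87 @@
+commit 795527548fea79902ea4ce32747e069944cf3e61
+Author: Peter Krempa <pkrempa@redhat.com>
+Date: Thu Sep 26 08:12:39 2013 +0200
+
+conf: Don't crash on invalid chardev source definition of RNGs and other
+
+Since commit 297c99a5 an invalid source definition XML of a character
+device that is used as backend for RNG devices, smartcards and redirdevs
+causes crash of the daemon when parsing such a definition.
+
+The device types mentioned above are not a part of a regular character
+device but are backends for other types. Thus when parsing such device
+NULL is passed as the argument @chr_def. Later when checking the
+validity of the definition @chr_def was dereferenced when parsing a UNIX
+socket backend with missing path of the socket and crashed the daemon.
+
+Sample offending configuration:
+<devices>
+...
+<rng model='virtio'>
+<backend model='egd' type='unix'>
+<source mode='bind' service='1024'/>
+</backend>
+</rng>
+</devices>
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196
+
+Index: libvirt-1.1.2/src/conf/domain_conf.c
+===================================================================
+--- libvirt-1.1.2.orig/src/conf/domain_conf.c
++++ libvirt-1.1.2/src/conf/domain_conf.c
+@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC
+case VIR_DOMAIN_CHR_TYPE_UNIX:
+/* path can be auto generated */
+if (!path &&
+- chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) {
++ (!chr_def ||
++ chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) {
+virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+_("Missing source path attribute for char device"));
+goto error;
+Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
+===================================================================
+--- /dev/null
++++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
+@@ -0,0 +1,27 @@
++<domain type='qemu'>
++ <name>QEMUGuest1</name>
++ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
++ <memory unit='KiB'>219100</memory>
++ <currentMemory unit='KiB'>219100</currentMemory>
++ <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
++ <os>
++ <type arch='i686' machine='pc'>hvm</type>
++ <boot dev='hd'/>
++ </os>
++ <clock offset='utc'/>
++ <on_poweroff>destroy</on_poweroff>
++ <on_reboot>restart</on_reboot>
++ <on_crash>destroy</on_crash>
++ <devices>
++ <emulator>/usr/bin/qemu</emulator>
++ <controller type='usb' index='0'/>
++ <controller type='pci' index='0' model='pci-root'/>
++ <memballoon model='virtio'/>
++ <rng model='virtio'>
++ <backend model='egd' type='unix'>
++ <!-- https://bugzilla.redhat.com/show_bug.cgi?id=1012196 -->
++ <source mode='connect' host='1.2.3.4' service='1234'/>
++ </backend>
++ </rng>
++ </devices>
++</domain>
+Index: libvirt-1.1.2/tests/qemuxml2argvtest.c
+===================================================================
+--- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c
++++ libvirt-1.1.2/tests/qemuxml2argvtest.c
+@@ -973,6 +973,8 @@ mymain(void)
+QEMU_CAPS_OBJECT_RNG_RANDOM);
+DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG,
+QEMU_CAPS_OBJECT_RNG_EGD);
++ DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE,
++ QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD);
+DO_TEST("virtio-rng-ccw",
+QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
+QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW,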
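Review bot: The added `!chr_def ||` guard covers only this one dereference in the VIR_DOMAIN_CHR_TYPE_UNIX branch of virDomainChrSourceDefParseXML; the commit message states that @chr_def is NULL for every RNG, smartcard and redirdev backend, so any other `chr_def->` access in the same function (not visible in this hunk) would still crash on untrusted XML and is worth auditing in the same change. A one-line comment on the new condition would record the contract the fix relies on: `/* chr_def is NULL when parsing the backend of an rng/smartcard/redirdev */`. The new test XML's in-line comment only carries the bug URL, so the reason the file must fail to parse (a unix-type source with no path) is best stated next to the new DO_TEST_PARSE_ERROR line in qemuxml2argvtest.c. The function starts and ends outside the hunk.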
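--- /dev/null
+++ b/843bdb2f-CVE-2013-4400.patch
@@ -0,0 +1,27 @@
+commit 843bdb2f8a3364637cda2911624149525188843f
+Author: Jim Fehlig <jfehlig@suse.com>
+Date: Mon Oct 21 23:12:22 2013 -0600
+
+build: fix build of virt-login-shell on systems with older gnutls
+
+On systems where gnutls uses libgcrypt, I'm seeing the following
+build failure
+
+libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type
+libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function)
+...
+
+Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h
+
+Index: libvirt-1.1.2/config-post.h
+===================================================================
+--- libvirt-1.1.2.orig/config-post.h
++++ libvirt-1.1.2/config-post.h
+@@ -34,6 +34,7 @@
+# undef WITH_CURL
+# undef WITH_DTRACE_PROBES
+# undef WITH_GNUTLS
++# undef WITH_GNUTLS_GCRYPT
+# undef WITH_MACVTAP
+# undef WITH_NUMACTL
+# undef WITH_SASL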
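--- /dev/null
+++ b/8c3586ea-CVE-2013-4400.patch
@@ -0,0 +1,61 @@
+commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed Oct 9 10:59:36 2013 +0100
+
+Only allow 'stderr' log output when running setuid (CVE-2013-4400)
+
+We must not allow file/syslog/journald log outputs when running
+setuid since they can be abused to do bad things. In particular
+the 'file' output can be used to overwrite files.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/util/virlog.c
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virlog.c
++++ libvirt-1.1.2/src/util/virlog.c
+@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
+* Multiple output can be defined in a single @output, they just need to be
+* separated by spaces.
+*
++ * If running in setuid mode, then only the 'stderr' output will
++ * be allowed
++ *
+* Returns the number of output parsed and installed or -1 in case of error
+*/
+int
+@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
+virLogPriority prio;
+int ret = -1;
+int count = 0;
++ bool isSUID = virIsSUID();
+
+if (cur == NULL)
+return -1;
+@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
+if (virLogAddOutputToStderr(prio) == 0)
+count++;
+} else if (STREQLEN(cur, "syslog", 6)) {
++ if (isSUID)
++ goto cleanup;
+cur += 6;
+if (*cur != ':')
+goto cleanup;
+@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
+VIR_FREE(name);
+#endif /* HAVE_SYSLOG_H */
+} else if (STREQLEN(cur, "file", 4)) {
++ if (isSUID)
++ goto cleanup;
+cur += 4;
+if (*cur != ':')
+goto cleanup;
+@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
+VIR_FREE(name);
+VIR_FREE(abspath);
+} else if (STREQLEN(cur, "journald", 8)) {
++ if (isSUID)
++ goto cleanup;
+cur += 8;
+#if USE_JOURNALD
+if (virLogAddOutputToJournald(prio) == 0)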
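Review bot: The three `if (isSUID) goto cleanup;` branches in virLogParseOutputs reject syslog/file/journald outputs by returning -1 without reporting any error, so a setuid caller that passes such a string gets a bare failure with no hint that the restriction, not a syntax problem, caused it; the existing `if (*cur != ':') goto cleanup;` paths visible here behave the same, but a deliberate policy rejection deserves a message, e.g. `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("only 'stderr' log output is allowed when running setuid"));` before the goto. Outputs accepted earlier in the same string are also discarded because ret stays -1, which the updated comment above the function (`If running in setuid mode, then only the 'stderr' output will be allowed`) should state explicitly so callers do not expect a partial result. Evaluating virIsSUID() once at the top is the right shape, since the decision must not depend on anything the parse loop changes. The cleanup label and the rest of the function are outside the hunk.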
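--- /dev/null
+++ b/ae53e5d1-CVE-2013-4400.patch
@@ -0,0 +1,96 @@
+commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed Oct 9 10:52:39 2013 +0100
+
+Add helpers for getting env vars in a setuid environment
+
+Care must be taken accessing env variables when running
+setuid. Introduce a virGetEnvAllowSUID for env vars which
+are safe to use in a setuid environment, and another
+virGetEnvBlockSUID for vars which are not safe. Also add
+a virIsSUID helper method for any other non-env var code
+to use.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/libvirt_private.syms
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt_private.syms
++++ libvirt-1.1.2/src/libvirt_private.syms
+@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport;
+virFormatIntDecimal;
+virGetDeviceID;
+virGetDeviceUnprivSGIO;
++virGetEnvAllowSUID;
++virGetEnvBlockSUID;
+virGetFCHostNameByWWN;
+virGetGroupID;
+virGetGroupList;
+@@ -2060,6 +2062,7 @@ virIndexToDiskName;
+virIsCapableFCHost;
+virIsCapableVport;
+virIsDevMapperDevice;
++virIsSUID;
+virManageVport;
+virParseNumber;
+virParseOwnershipIds;
+Index: libvirt-1.1.2/src/util/virutil.c
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virutil.c
++++ libvirt-1.1.2/src/util/virutil.c
+@@ -2116,3 +2116,42 @@ cleanup:
+
+return rc;
+}
++
++
++/**
++ * virGetEnvBlockSUID:
++ * @name: the environment variable name
++ *
++ * Obtain an environment variable which is unsafe to
++ * use when running setuid. If running setuid, a NULL
++ * value will be returned
++ */
++const char *virGetEnvBlockSUID(const char *name)
++{
++ return secure_getenv(name);
++}
++
++
++/**
++ * virGetEnvBlockSUID:
++ * @name: the environment variable name
++ *
++ * Obtain an environment variable which is safe to
++ * use when running setuid. The value will be returned
++ * even when running setuid
++ */
++const char *virGetEnvAllowSUID(const char *name)
++{
++ return getenv(name);
++}
++
++
++/**
++ * virIsSUID:
++ * Return a true value if running setuid. Does not
++ * check for elevated capabilities bits.
++ */
++bool virIsSUID(void)
++{
++ return getuid() != geteuid();
++}
+Index: libvirt-1.1.2/src/util/virutil.h
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virutil.h
++++ libvirt-1.1.2/src/util/virutil.h
+@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l
+
+int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr);
+
++const char *virGetEnvBlockSUID(const char *name);
++const char *virGetEnvAllowSUID(const char *name);
++bool virIsSUID(void);
++
+#endif /* __VIR_UTIL_H__ */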
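Review bot: The doc comment on the second new helper in virutil.c is headed `virGetEnvBlockSUID:` but describes virGetEnvAllowSUID, so the API docs generated from these comments will attach the "safe to use when setuid" text to the wrong function; the header line should read ` * virGetEnvAllowSUID:`. virIsSUID() compares only getuid() with geteuid(); its comment already says capability bits are ignored and should also say that a setgid-only process is not detected, or the check should become `return getuid() != geteuid() || getgid() != getegid();` if the log-output and env-var restrictions on this page are meant to gate on either. virGetEnvBlockSUID delegates to secure_getenv(), whose notion of "secure" (glibc keys it on AT_SECURE, which also covers setgid and file capabilities) can differ from virIsSUID(); a one-line comment noting that the two helpers do not share a definition of "running setuid" would spare the next reader from assuming they agree.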
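--- /dev/null
+++ b/b7fcc799a-CVE-2013-4400.patch
@@ -0,0 +1,36 @@
+commit b7fcc799ad5d8f3e55b89b94e599903e3c092467
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed Oct 9 15:14:34 2013 +0100
+
+Close all non-stdio FDs in virt-login-shell (CVE-2013-4400)
+
+We don't want to inherit any FDs in the new namespace
+except for the stdio FDs. Explicitly close them all,
+just in case some do not have the close-on-exec flag
+set.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/tools/virt-login-shell.c
+===================================================================
+--- libvirt-1.1.2.orig/tools/virt-login-shell.c
++++ libvirt-1.1.2/tools/virt-login-shell.c
+@@ -313,6 +313,18 @@ main(int argc, char **argv)
+    if (cpid == 0) {
+    pid_t ccpid;
+
++    int openmax = sysconf(_SC_OPEN_MAX);
++    int fd;
++    if (openmax < 0) {
++    virReportSystemError(errno, "%s",
++    _("sysconf(_SC_OPEN_MAX) failed"));
++    return EXIT_FAILURE;
++    }
++    for (fd = 3; fd < openmax; fd++) {
++    int tmpfd = fd;
++    VIR_MASS_CLOSE(tmpfd);
++    }
++
+    /* Fork once because we don't want to affect
+    * virt-login-shell's namespace itself
+    */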
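Review bot: sysconf(_SC_OPEN_MAX) returns a long, and the hunk stores it in `int openmax` before comparing it with `fd`, so on a host whose descriptor limit does not fit in an int the loop bound is truncated. sysconf() also returns -1 with errno left unchanged when the limit is indeterminate; the hunk then reports a possibly stale errno through virReportSystemError and exits the child although nothing actually failed. Declaring `long openmax = sysconf(_SC_OPEN_MAX);` and, when it is -1, falling back to the soft RLIMIT_NOFILE from getrlimit() or a fixed upper bound before entering the loop keeps the close-everything behaviour on such hosts. main() starts and ends outside this hunk.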
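--- /dev/null
+++ b/bd773e74-lxc-terminate-machine.patch
@@ -0,0 +1,247 @@
+commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c
+Author: Cédric Bosdonnat <cbosdonnat@suse.com>
+Date: Mon Sep 30 16:46:29 2013 +0200
+
+LXC: workaround machined uncleaned data with containers running systemd.
+
+The problem is described by [0] but its effect on libvirt is that
+starting a container with a full distro running systemd after having
+stopped it simply fails.
+
+The container cleanup now calls the machined Terminate function to make
+sure that everything is in order for the next run.
+
+[0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370
+
+Index: libvirt-1.1.2/src/libvirt_private.syms
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt_private.syms
++++ libvirt-1.1.2/src/libvirt_private.syms
+@@ -1940,8 +1940,10 @@ virSysinfoSetup;
+
+# util/virsystemd.h
+virSystemdCreateMachine;
++virSystemdMakeMachineName;
+virSystemdMakeScopeName;
+virSystemdMakeSliceName;
++virSystemdTerminateMachine;
+
+
+# util/virthread.h
+Index: libvirt-1.1.2/src/lxc/lxc_process.c
+===================================================================
+--- libvirt-1.1.2.orig/src/lxc/lxc_process.c
++++ libvirt-1.1.2/src/lxc/lxc_process.c
+@@ -50,6 +50,7 @@
+#include "virstring.h"
+#include "viratomic.h"
+#include "virprocess.h"
++#include "virsystemd.h"
+
+#define VIR_FROM_THIS VIR_FROM_LXC
+
+@@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD
+    virCgroupFree(&priv->cgroup);
+    }
+
++    /* Get machined to terminate the machine as it may not have cleaned it
++    * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for
++    * the bug we are working around here.
++    */
++    virSystemdTerminateMachine(vm->def->name, "lxc", true);
++
++
+    /* now that we know it's stopped call the hook if present */
+    if (virHookPresent(VIR_HOOK_DRIVER_LXC)) {
+    char *xml = virDomainDefFormat(vm->def, 0);
+Index: libvirt-1.1.2/src/util/virsystemd.c
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virsystemd.c
++++ libvirt-1.1.2/src/util/virsystemd.c
+@@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char
+    return virBufferContentAndReset(&buf);
+}
+
++char *virSystemdMakeMachineName(const char *name,
++    const char *drivername,
++    bool privileged)
++{
++    char *machinename = NULL;
++    char *username = NULL;
++    if (privileged) {
++    if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
++    goto cleanup;
++    } else {
++    if (!(username = virGetUserName(geteuid())))
++    goto cleanup;
++    if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
++    goto cleanup;
++    }
++
++cleanup:
++    VIR_FREE(username);
++
++    return machinename;
++}
+
+/**
+* virSystemdCreateMachine:
+@@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char *
+    DBusConnection *conn;
+    char *machinename = NULL;
+    char *creatorname = NULL;
+-    char *username = NULL;
+    char *slicename = NULL;
+
+    if (!virDBusHasSystemBus())
+@@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char *
+
+    conn = virDBusGetSystemBus();
+
+-    if (privileged) {
+-    if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
+-    goto cleanup;
+-    } else {
+-    if (!(username = virGetUserName(geteuid())))
+-    goto cleanup;
+-    if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
+-    goto cleanup;
+-    }
++    if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
++    goto cleanup;
+
+    if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0)
+    goto cleanup;
+@@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char *
+    ret = 0;
+
+cleanup:
+-    VIR_FREE(username);
+    VIR_FREE(creatorname);
+    VIR_FREE(machinename);
+    return ret;
+}
++
++int virSystemdTerminateMachine(const char *name,
++    const char *drivername,
++    bool privileged)
++{
++    int ret;
++    DBusConnection *conn;
++    char *machinename = NULL;
++
++    if(!virDBusHasSystemBus())
++    return -2;
++
++    conn = virDBusGetSystemBus();
++
++    ret = -1;
++    if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
++    goto cleanup;
++
++    /*
++    * The systemd DBus API we're invoking has the
++    * following signature
++    *
++    * TerminateMachine(in s name);
++    *
++    * @name a host unique name for the machine. shows up
++    * in 'ps' listing & similar
++    */
++
++    VIR_DEBUG("Attempting to terminate machine via systemd");
++    if (virDBusCallMethod(conn,
++    NULL,
++    "org.freedesktop.machine1",
++    "/org/freedesktop/machine1",
++    "org.freedesktop.machine1.Manager",
++    "TerminateMachine",
++    "s",
++    machinename) < 0)
++    goto cleanup;
++
++    ret = 0;
++
++cleanup:
++    VIR_FREE(machinename);
++    return ret;
++}
+Index: libvirt-1.1.2/src/util/virsystemd.h
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virsystemd.h
++++ libvirt-1.1.2/src/util/virsystemd.h
+@@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char
+    const char *slicename);
+char *virSystemdMakeSliceName(const char *partition);
+
++char *virSystemdMakeMachineName(const char *name,
++    const char *drivername,
++    bool privileged);
++
+int virSystemdCreateMachine(const char *name,
+    const char *drivername,
+    bool privileged,
+@@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char *
+    bool iscontainer,
+    const char *partition);
+
++int virSystemdTerminateMachine(const char *name,
++    const char *drivername,
++    bool privileged);
++
+#endif /* __VIR_SYSTEMD_H__ */
+Index: libvirt-1.1.2/tests/virsystemdtest.c
+===================================================================
+--- libvirt-1.1.2.orig/tests/virsystemdtest.c
++++ libvirt-1.1.2/tests/virsystemdtest.c
+@@ -51,6 +51,18 @@ static int testCreateContainer(const voi
+    return 0;
+}
+
++static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED)
++{
++    if (virSystemdTerminateMachine("demo",
++    "lxc",
++    true) < 0) {
++    fprintf(stderr, "%s", "Failed to terminate LXC machine\n");
++    return -1;
++    }
++
++    return 0;
++}
++
+static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED)
+{
+    unsigned char uuid[VIR_UUID_BUFLEN] = {
+@@ -74,6 +86,18 @@ static int testCreateMachine(const void
+    return 0;
+}
+
++static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED)
++{
++    if (virSystemdTerminateMachine("demo",
++    "qemu",
++    false) < 0) {
++    fprintf(stderr, "%s", "Failed to terminate KVM machine\n");
++    return -1;
++    }
++
++    return 0;
++}
++
+static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED)
+{
+    unsigned char uuid[VIR_UUID_BUFLEN] = {
+@@ -177,8 +201,12 @@ mymain(void)
+
+    if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0)
+    ret = -1;
++    if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0)
++    ret = -1;
+    if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0)
+    ret = -1;
++    if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0)
++    ret = -1;
+    if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0)
+    ret = -1;
+    if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0)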
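Review bot: In the lxc_process.c hunk the call `virSystemdTerminateMachine(vm->def->name, "lxc", true);` hard-codes `privileged` and drops the return value, even though the new function deliberately distinguishes "no system bus" (-2) from a failed TerminateMachine call (-1). If the machine was registered through virSystemdCreateMachine with a different `privileged` value, virSystemdMakeMachineName produces a different name (`lxc-NAME` versus `USER-lxc-NAME`) and the terminate request silently targets a machine that does not exist; at minimum a -1 result deserves a log line, e.g. `if (virSystemdTerminateMachine(vm->def->name, "lxc", true) == -1) VIR_WARN("Unable to terminate systemd machine for %s", vm->def->name);`. Since this runs in a cleanup path, a D-Bus error reported here may also overwrite whichever error caused the container to stop, so preserving the last error around the call is worth considering. As a point of style, `if(!virDBusHasSystemBus())` in virSystemdTerminateMachine is missing the space that the sibling virSystemdCreateMachine uses. virLXCProcessCleanup starts and ends outside the hunk.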
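--- /dev/null
+++ b/e350826c-python-fix-fd-passing.patch
@@ -0,0 +1,26 @@
+commit e350826c653b20dd271ab99075d2f224c7451356
+Author: Marian Neagul <marian@info.uvt.ro>
+Date: Tue Oct 22 16:03:39 2013 +0100
+
+python: Fix Create*WithFiles filefd passing
+
+Commit d76227be added functions virDomainCreateWithFiles and
+virDomainCreateXMLWithFiles, but there was a little piece missing in
+python bindings. This patch fixes proper passing of file descriptors
+in the overwrites of these functions.
+
+Index: libvirt-1.1.2/python/libvirt-override.c
+===================================================================
+--- libvirt-1.1.2.orig/python/libvirt-override.c
++++ libvirt-1.1.2/python/libvirt-override.c
+@@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb
+
+    if (libvirt_intUnwrap(pyfd, &fd) < 0)
+    goto cleanup;
++
++    files[i] = fd;
++
++    files[i] = fd;
+    }
+
+    LIBVIRT_BEGIN_ALLOW_THREADS;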
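Review bot: The single hunk at line 7149 adds `files[i] = fd;` twice in the same loop body of libvirt_virDomainCreateXMLWithFiles (the four `+` lines after `goto cleanup;` consist of a blank line and the assignment, repeated), so the second assignment is redundant and should be dropped. The commit message says both Create*WithFiles overrides are fixed, yet this patch file carries no hunk for the virDomainCreateWithFiles override, which suggests the second hunk was merged into the first when the backport was prepared; worth checking against the upstream commit before shipping. The enclosing function starts and ends outside the hunk.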
@ -203,7 +203,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
|
||||
@@ -0,0 +1,59 @@
|
||||
@@ -0,0 +1,60 @@
|
||||
+# Last Modified: Fri Aug 19 11:20:36 2011
|
||||
+#include <tunables/global>
|
||||
+@{LIBVIRT}="libvirt"
|
||||
@ -255,6 +255,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
|
||||
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
+ /sys/kernel/security/apparmor/profiles r,
|
||||
+ /etc/xen/scripts/* rx,
|
||||
+ @libdir@/libvirt/* Pxr,
|
||||
+ @libdir@/libvirt/libvirt_parthelper Ux,
|
||||
+ @libdir@/libvirt/libvirt_iohelper Ux,
|
||||
|
@ -2,7 +2,7 @@ Index: libvirt-1.1.2/configure.ac
|
||||
===================================================================
|
||||
--- libvirt-1.1.2.orig/configure.ac
|
||||
+++ libvirt-1.1.2/configure.ac
|
||||
@@ -173,6 +173,7 @@ LIBVIRT_CHECK_DBUS
|
||||
@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS
|
||||
LIBVIRT_CHECK_FUSE
|
||||
LIBVIRT_CHECK_HAL
|
||||
LIBVIRT_CHECK_NETCF
|
||||
@ -10,7 +10,7 @@ Index: libvirt-1.1.2/configure.ac
|
||||
LIBVIRT_CHECK_NUMACTL
|
||||
LIBVIRT_CHECK_OPENWSMAN
|
||||
LIBVIRT_CHECK_PCIACCESS
|
||||
@@ -2296,11 +2297,12 @@ if test "$with_libvirtd" = "no" ; then
|
||||
@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then
|
||||
with_interface=no
|
||||
fi
|
||||
|
||||
@ -26,7 +26,7 @@ Index: libvirt-1.1.2/configure.ac
|
||||
esac
|
||||
|
||||
if test "$with_interface" = "yes" ; then
|
||||
@@ -2608,6 +2610,7 @@ LIBVIRT_RESULT_DBUS
|
||||
@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS
|
||||
LIBVIRT_RESULT_FUSE
|
||||
LIBVIRT_RESULT_HAL
|
||||
LIBVIRT_RESULT_NETCF
|
||||
@ -38,7 +38,7 @@ Index: libvirt-1.1.2/src/Makefile.am
|
||||
===================================================================
|
||||
--- libvirt-1.1.2.orig/src/Makefile.am
|
||||
+++ libvirt-1.1.2/src/Makefile.am
|
||||
@@ -750,6 +750,10 @@ if WITH_NETCF
|
||||
@@ -754,6 +754,10 @@ if WITH_NETCF
|
||||
INTERFACE_DRIVER_SOURCES += \
|
||||
interface/interface_backend_netcf.c
|
||||
endif
|
||||
@ -49,7 +49,7 @@ Index: libvirt-1.1.2/src/Makefile.am
|
||||
if WITH_UDEV
|
||||
INTERFACE_DRIVER_SOURCES += \
|
||||
interface/interface_backend_udev.c
|
||||
@@ -1310,11 +1314,16 @@ if WITH_NETCF
|
||||
@@ -1314,11 +1318,16 @@ if WITH_NETCF
|
||||
libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
|
||||
libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
|
||||
else
|
||||
|
@ -1,3 +1,61 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 25 13:10:27 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- libxl driver: fix initialization of VNC and SDL info for
|
||||
HVM domains
|
||||
libxl-hvm-vnc.patch
|
||||
bnc#847566
|
||||
- Allow libvirtd apparmor profile to access /etc/xen/scripts/*
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 22 21:37:08 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- Fix file descriptor passing in python bindings
|
||||
e350826c-python-fix-fd-passing.patch
|
||||
rhb#1021434
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 22 14:37:08 MDT 2013 - cbosdonnat@suse.com
|
||||
|
||||
- Have systemd terminate the machine as a workaround of fdo#68370
|
||||
bd773e74-lxc-terminate-machine.patch
|
||||
bnc#842834
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 22 12:28:03 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- Spec file fixes to only package libvirt-login-shell when
|
||||
building the LXC driver
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 21 11:33:03 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- CVE-2013-4400: Unsantized use of env variables allows privilege
|
||||
escalation via virt-login-shell
|
||||
ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch,
|
||||
b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch,
|
||||
5a0ea4b7-CVE-2013-4400.patch, 843bdb2f-CVE-2013-4400.patch
|
||||
bnc#837609
|
||||
- CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native
|
||||
57687fd6-CVE-2013-4401.patch
|
||||
bnc#845704
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 18 14:42:39 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- Move hypervisor-specific files out of libvirt-daemon package
|
||||
and into libvirt-daemon-<hypervisor> subpackage
|
||||
bnc#845851
|
||||
- conf: Don't crash on invalid chardev source definition
|
||||
79552754-libvirtd-chardev-crash.patch
|
||||
bnc#845704, rhb#1012196
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 17 14:14:46 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
- Use newer libnl3 instead of libnl-1_1
|
||||
bnc#845540
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 22:20:41 MDT 2013 - jfehlig@suse.com
|
||||
|
||||
|
113
libvirt.spec
@ -314,7 +314,7 @@ BuildRequires: libpcap-devel
|
||||
%if 0%{?suse_version} < 1210
|
||||
BuildRequires: libnl-devel
|
||||
%else
|
||||
BuildRequires: libnl-1_1-devel
|
||||
BuildRequires: libnl3-devel
|
||||
%endif
|
||||
%endif
|
||||
%if %{with_avahi}
|
||||
@ -411,10 +411,21 @@ Patch4: 922b7fda-CVE-2013-4311.patch
|
||||
Patch5: e4697b92-CVE-2013-4311.patch
|
||||
Patch6: 8294aa0c-CVE-2013-4399.patch
|
||||
Patch7: 484cc321-fix-spice-migration.patch
|
||||
Patch8: 79552754-libvirtd-chardev-crash.patch
|
||||
Patch9: 57687fd6-CVE-2013-4401.patch
|
||||
Patch10: ae53e5d1-CVE-2013-4400.patch
|
||||
Patch11: 8c3586ea-CVE-2013-4400.patch
|
||||
Patch12: b7fcc799a-CVE-2013-4400.patch
|
||||
Patch13: 3e2f27e1-CVE-2013-4400.patch
|
||||
Patch14: 5a0ea4b7-CVE-2013-4400.patch
|
||||
Patch15: 843bdb2f-CVE-2013-4400.patch
|
||||
Patch16: bd773e74-lxc-terminate-machine.patch
|
||||
Patch17: e350826c-python-fix-fd-passing.patch
|
||||
# Need to go upstream
|
||||
Patch100: xen-name-for-devid.patch
|
||||
Patch101: clone.patch
|
||||
Patch102: xen-pv-cdrom.patch
|
||||
Patch103: libxl-hvm-vnc.patch
|
||||
# Our patches
|
||||
Patch200: libvirtd-defaults.patch
|
||||
Patch201: libvirtd-init-script.patch
|
||||
@ -892,14 +903,18 @@ Requires: augeas
|
||||
Includes the Sanlock lock manager plugin for the QEMU driver
|
||||
%endif
|
||||
|
||||
%if %{with_lxc}
|
||||
|
||||
%package login-shell
|
||||
Summary: Login shell for containers
|
||||
Summary: Login shell for connecting users to an LXC container
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: %{name}-client = %{version}-%{release}
|
||||
|
||||
%description login-shell
|
||||
Povides virt-login-shell, a tool to execute a shell within a container
|
||||
matching the users name
|
||||
Provides the set-uid virt-login-shell binary that is used to
|
||||
connect a user to an LXC container when they login, by switching
|
||||
namespaces.
|
||||
%endif
|
||||
|
||||
%if %{with_python}
|
||||
|
||||
@ -926,9 +941,20 @@ of recent versions of Linux (and other OSes).
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch100 -p1
|
||||
%patch101
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
%patch202 -p1
|
||||
@ -1193,34 +1219,19 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter
|
||||
rm -rf $RPM_BUILD_ROOT%{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
|
||||
%endif
|
||||
%if %{with_lxc}
|
||||
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-lxc.README << 'EOF'
|
||||
Any empty package encapsulating requirements for a libvirtd capable
|
||||
of managing LXC.
|
||||
EOF
|
||||
%else
|
||||
%if ! %{with_lxc}
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/lxc.conf
|
||||
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_lxc.aug
|
||||
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.lxc
|
||||
%endif
|
||||
%if %{with_qemu}
|
||||
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-qemu.README << 'EOF'
|
||||
Any empty package encapsulating requirements for a libvirtd capable
|
||||
of managing QEMU/KVM.
|
||||
EOF
|
||||
%else
|
||||
%if ! %{with_qemu}
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
|
||||
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
||||
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.qemu
|
||||
%endif
|
||||
%if %{with_uml}
|
||||
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-uml.README << 'EOF'
|
||||
Any empty package encapsulating requirements for a libvirtd capable
|
||||
of managing UML.
|
||||
EOF
|
||||
%else
|
||||
%if ! %{with_uml}
|
||||
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.uml
|
||||
%endif
|
||||
%if %{with_vbox}
|
||||
@ -1414,36 +1425,6 @@ fi
|
||||
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
|
||||
%endif
|
||||
%endif
|
||||
%if %{with_qemu}
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
|
||||
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
||||
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
||||
%endif
|
||||
%if %{with_lxc}
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
|
||||
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc
|
||||
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
|
||||
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
|
||||
%endif
|
||||
%if %{with_uml}
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
|
||||
%endif
|
||||
%if %{with_libxl}
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
|
||||
%endif
|
||||
%if %{with_storage_disk}
|
||||
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper
|
||||
%endif
|
||||
@ -1553,6 +1534,8 @@ fi
|
||||
%defattr(-, root, root)
|
||||
%dir %{_libdir}/%{name}/connection-driver
|
||||
%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
|
||||
%endif
|
||||
|
||||
%if %{with_vbox}
|
||||
@ -1567,21 +1550,38 @@ fi
|
||||
|
||||
%files daemon-qemu
|
||||
%defattr(-, root, root)
|
||||
%doc %{_docdir}/%{name}/libvirt-daemon-qemu.README
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
|
||||
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
|
||||
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
||||
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
||||
%endif
|
||||
|
||||
%if %{with_lxc}
|
||||
|
||||
%files daemon-lxc
|
||||
%defattr(-, root, root)
|
||||
%doc %{_docdir}/%{name}/libvirt-daemon-lxc.README
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
|
||||
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc
|
||||
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
|
||||
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
|
||||
%endif
|
||||
|
||||
%if %{with_uml}
|
||||
|
||||
%files daemon-uml
|
||||
%defattr(-, root, root)
|
||||
%doc %{_docdir}/%{name}/libvirt-daemon-uml.README
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
|
||||
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
|
||||
%endif
|
||||
|
||||
%if %{with_xen} || %{with_libxl}
|
||||
@ -1690,6 +1690,8 @@ fi
|
||||
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_sanlock_helper
|
||||
%endif
|
||||
|
||||
%if %{with_lxc}
|
||||
|
||||
%files login-shell
|
||||
%defattr(-, root, root)
|
||||
%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
|
||||
@ -1698,6 +1700,7 @@ fi
|
||||
# In the meantime, don't install setuid
|
||||
#%attr(4755, root, root) %{_bindir}/virt-login-shell
|
||||
%{_bindir}/virt-login-shell
|
||||
%endif
|
||||
|
||||
%if %{with_python}
|
||||
|
||||
|
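Review bot: The new `%description login-shell` text states that the package "Provides the set-uid virt-login-shell binary", but the `%files login-shell` hunk further down still installs `%{_bindir}/virt-login-shell` without the setuid attribute, with the `#%attr(4755, root, root)` line kept commented out under the note "don't install setuid". The description and the file list contradict each other; either the description should say the binary is shipped without setuid in this package, e.g. `Provides the virt-login-shell binary (installed without setuid in this package) that is used to`, or the `%attr` line should be reconciled with the description in the same change. The `%if %{with_lxc}` guards added around the subpackage and its file list are consistent with each other.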
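--- /dev/null
+++ b/libxl-hvm-vnc.patch
@@ -0,0 +1,45 @@
+Index: libvirt-1.1.2/src/libxl/libxl_conf.c
+===================================================================
+--- libvirt-1.1.2.orig/src/libxl/libxl_conf.c
++++ libvirt-1.1.2/src/libxl/libxl_conf.c
+@@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
+}
+
+static int
++libxlFixupDomBuildInfo(virDomainDefPtr def, libxl_domain_config *d_config)
++{
++    libxl_domain_build_info *b_info = &d_config->b_info;
++    int hvm = STREQ(def->os.type, "hvm");
++    libxl_device_vfb vfb;
++
++    if (!hvm)
++    return 0;
++
++    if (d_config->num_vfbs) {
++    vfb = d_config->vfbs[0];
++    if (libxl_defbool_val(vfb.vnc.enable))
++    memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info));
++    else if (libxl_defbool_val(vfb.sdl.enable))
++    memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info));
++    else
++    return -1;
++    }
++
++    return 0;
++}
++
++
++static int
+libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config)
+{
+    virDomainDefPtr def = vm->def;
+@@ -1025,6 +1049,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
+    if (libxlMakeVfbList(driver, def, d_config) < 0)
+    return -1;
+
++    if (libxlFixupDomBuildInfo(def, d_config) < 0)
++    return -1;
++
+    d_config->on_reboot = def->onReboot;
+    d_config->on_poweroff = def->onPoweroff;
+    d_config->on_crash = def->onCrash;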
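Review bot: libxlFixupDomBuildInfo copies `vfb.vnc` and `vfb.sdl` into `b_info->u.hvm` with memcpy, which is a shallow copy; libxl_vnc_info and libxl_sdl_info carry pointer members (the VNC `listen` and `passwd` strings, the SDL `display`), so after this both `d_config->vfbs[0]` and `b_info` reference the same heap strings and disposing the whole libxl_domain_config later would free them twice. Duplicating each string member into `b_info->u.hvm.vnc`/`.sdl` (VIR_STRDUP per field, with the defbool flags copied by value) removes the aliasing; the exact set of pointer members depends on the libxl version being built against, so please check the IDL for the targeted Xen. The function also returns -1 without reporting an error when the first vfb has neither VNC nor SDL enabled, so libxlBuildDomainConfig fails silently in that case; a virReportError naming the unsupported graphics configuration would make the failure diagnosable. libxlMakeDomBuildInfo and libxlBuildDomainConfig both continue outside the hunk.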