From 9049faae46719ac6a634ef2bff972b14ae09155769bf589c57c16ee7bee88723 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Tue, 19 Nov 2013 20:17:39 +0000
Subject: [PATCH 01/14] - Require libvirt-daemon- in the main libvirt package for each supported hypervisor bnc#850882
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=327
---
 libvirt.changes | 7 +++++++
 libvirt.spec | 17 +++++++----------
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/libvirt.changes b/libvirt.changes
index 235bdb8..615ec3d 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 19 13:09:31 MST 2013 - jfehlig@suse.com
+
+- Require libvirt-daemon- in the main libvirt package
+ for each supported hypervisor
+ bnc#850882
+
 -------------------------------------------------------------------
 Mon Nov 4 15:44:39 MST 2013 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 69a23d6..804a4ab 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -236,25 +236,22 @@ Requires: libvirt-daemon = %{version}-%{release}
 %if %{with_nwfilter}
 Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
 %endif
-%if %{with_driver_modules}
-%if %{with_libxl}
-Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
+%if %{with_libxl} || %{with_xen}
+Requires: libvirt-daemon-xen
 %endif
 %if %{with_lxc}
-Requires: libvirt-daemon-driver-lxc = %{version}-%{release}
+Requires: libvirt-daemon-lxc
 %endif
 %if %{with_qemu}
-Requires: libvirt-daemon-driver-qemu = %{version}-%{release}
+Requires: libvirt-daemon-qemu
 %endif
 %if %{with_uml}
-Requires: libvirt-daemon-driver-uml = %{version}-%{release}
-%endif
-%if %{with_xen}
-Requires: libvirt-daemon-driver-xen = %{version}-%{release}
+Requires: libvirt-daemon-uml
 %endif
 %if %{with_vbox}
-Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
+Requires: libvirt-daemon-vbox
 %endif
+%if %{with_driver_modules}
 %if %{with_nwfilter}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 %endif
From 26dd4e5d149b95de463a2f9d6cc654c240468fb508323d9a330af962c4ef81fb Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Tue, 19 Nov 2013 21:25:55 +0000
Subject: [PATCH 02/14] - Allow execution of Xen binaries in /usr/lib{,64}/xen/bin in libvirtd AppArmor profile bnc#849524
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=328
---
 install-apparmor-profiles.patch | 4 ++--
 libvirt.changes | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch
index ac53408..b021306 100644
--- a/install-apparmor-profiles.patch
+++ b/install-apparmor-profiles.patch
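Review bot: The new `Requires: libvirt-daemon-xen` line, and the lxc/qemu/uml/vbox lines below it in this hunk, drop the `= %{version}-%{release}` constraint that the replaced `libvirt-daemon-driver-*` lines carried, so a libvirt update can be installed while an older daemon subpackage stays behind, which then shows up as a driver or RPC mismatch at runtime rather than as a dependency error at install time. If these subpackages are built from this same spec, `Requires: libvirt-daemon-xen = %{version}-%{release}` (and likewise for the other four) keeps them in lock-step; if they are deliberately unversioned because they come from elsewhere, a one-line comment above the block saying so would spare the next maintainer the question. The hunk also moves `%if %{with_driver_modules}` below the hypervisor block, so these requirements now apply regardless of that option; that looks intended for bnc#850882 but is worth a mention in the changelog entry.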
@@ -244,8 +244,8 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
 + /sbin/* Ux,
 + /usr/bin/* Ux,
 + /usr/sbin/* Ux,
-+ /usr/lib/xen/bin/qemu-dm Ux,
-+ /usr/lib/xen/bin/qemu-system-i386 Ux,
++ /usr/lib/xen/bin/* Ux,
++ /usr/lib64/xen/bin/* Ux,
 + /usr/lib/PolicyKit/polkit-read-auth-helper Px,
 +
 + # force the use of virt-aa-helper
diff --git a/libvirt.changes b/libvirt.changes
index 615ec3d..afe5298 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 19 14:23:27 MST 2013 - jfehlig@suse.com
+
+- Allow execution of Xen binaries in /usr/lib{,64}/xen/bin in
+ libvirtd AppArmor profile
+ bnc#849524
+
 -------------------------------------------------------------------
 Tue Nov 19 13:09:31 MST 2013 - jfehlig@suse.com
From a58c0b5ccc82fa0b3f59cc828c1314d52263890baf531a516ac8908d1ee287cd Mon Sep 17 00:00:00 2001
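Review bot: The two new rules `/usr/lib/xen/bin/* Ux,` and `/usr/lib64/xen/bin/* Ux,` replace two named binaries with a directory glob under the `Ux` (unconfined, environment-scrubbed) execution mode, so every file that is later installed into either directory inherits unconfined execution from libvirtd instead of the two device models the old rules named. That is probably the practical choice given the surrounding `/usr/bin/* Ux,` and `/usr/sbin/* Ux,` lines, but the widening is invisible to someone reading the profile, so a comment on the line before it, e.g. `+  # Xen toolstack/device-model helpers run unconfined (Ux); any file placed here inherits that`, would record the intent and make the next audit quicker. If a dedicated profile for the Xen device model exists on the target system, `Px` would be the tighter mode; I cannot tell from this hunk. This hunk edits a nested patch, and the enclosing libvirtd profile continues on both sides of it.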
From: James Fehlig Date: Wed, 20 Nov 2013 20:02:26 +0000 Subject: [PATCH 03/14] - Update to libvirt 1.1.4 - Add support for AArch64 architecture - Various improvements on test code and test driver - Don't link virt-login-shell against libvirt.so - Close all non-stdio FDs in virt-login-shell - Only allow 'stderr' log output when running setuid - Fix perms for virConnectDomainXML{To,From}Native - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: e7f400a1-CVE-2013-4296.patch, 2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch, e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch, e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch, 484cc321-fix-spice-migration.patch, 79552754-libvirtd-chardev-crash.patch, 57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch, 843bdb2f-CVE-2013-4400.patch, bd773e74-lxc-terminate-machine.patch, e350826c-python-fix-fd-passing.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=329 --- 2dba0323-CVE-2013-4297.patch | 21 -- 3e2f27e1-CVE-2013-4400.patch | 354 -------------------------- 484cc321-fix-spice-migration.patch | 31 --- 57687fd6-CVE-2013-4401.patch | 52 ---- 5a0ea4b7-CVE-2013-4400.patch | 103 -------- 79552754-libvirtd-chardev-crash.patch | 87 ------- 8294aa0c-CVE-2013-4399.patch | 48 ---- 843bdb2f-CVE-2013-4400.patch | 27 -- 8c3586ea-CVE-2013-4400.patch | 61 ----- 922b7fda-CVE-2013-4311.patch | 171 ------------- ae53e5d1-CVE-2013-4400.patch | 96 ------- b7fcc799a-CVE-2013-4400.patch | 36 --- bd773e74-lxc-terminate-machine.patch | 247 ------------------ clone.patch | 6 +- db7a5688-CVE-2013-4311.patch | 149 ----------- e350826c-python-fix-fd-passing.patch | 26 -- e4697b92-CVE-2013-4311.patch | 35 --- e65667c0-CVE-2013-4311.patch | 65 ----- e7f400a1-CVE-2013-4296.patch | 35 --- 
fix-pci-attach-xen-driver.patch | 10 +- install-apparmor-profiles.patch | 30 +-- libvirt-1.1.2.tar.bz2 | 3 - libvirt-1.1.4.tar.bz2 | 3 + libvirt-guests-init-script.patch | 18 +- libvirt-suse-netcontrol.patch | 82 +++--- libvirt.changes | 25 ++ libvirt.spec | 126 ++++----- libvirtd-defaults.patch | 12 +- libvirtd-init-script.patch | 6 +- libxl-hvm-nic.patch | 10 +- libxl-hvm-vnc.patch | 10 +- support-managed-pci-xen-driver.patch | 22 +- suse-qemu-conf.patch | 10 +- systemd-service-xen.patch | 6 +- virtlockd-init-script.patch | 12 +- xen-name-for-devid.patch | 14 +- xen-pv-cdrom.patch | 10 +- 37 files changed, 200 insertions(+), 1859 deletions(-) delete mode 100644 2dba0323-CVE-2013-4297.patch delete mode 100644 3e2f27e1-CVE-2013-4400.patch delete mode 100644 484cc321-fix-spice-migration.patch delete mode 100644 57687fd6-CVE-2013-4401.patch delete mode 100644 5a0ea4b7-CVE-2013-4400.patch delete mode 100644 79552754-libvirtd-chardev-crash.patch delete mode 100644 8294aa0c-CVE-2013-4399.patch delete mode 100644 843bdb2f-CVE-2013-4400.patch delete mode 100644 8c3586ea-CVE-2013-4400.patch delete mode 100644 922b7fda-CVE-2013-4311.patch delete mode 100644 ae53e5d1-CVE-2013-4400.patch delete mode 100644 b7fcc799a-CVE-2013-4400.patch delete mode 100644 bd773e74-lxc-terminate-machine.patch delete mode 100644 db7a5688-CVE-2013-4311.patch delete mode 100644 e350826c-python-fix-fd-passing.patch delete mode 100644 e4697b92-CVE-2013-4311.patch delete mode 100644 e65667c0-CVE-2013-4311.patch delete mode 100644 e7f400a1-CVE-2013-4296.patch delete mode 100644 libvirt-1.1.2.tar.bz2 create mode 100644 libvirt-1.1.4.tar.bz2 diff --git a/2dba0323-CVE-2013-4297.patch b/2dba0323-CVE-2013-4297.patch deleted file mode 100644 index 430c4a2..0000000 --- a/2dba0323-CVE-2013-4297.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2 -Author: Michal Privoznik -Date: Tue Sep 3 18:56:06 2013 +0200 - - virFileNBDDeviceAssociate: Avoid use of uninitialized variable - - The @qemunbd variable can be used uninitialized. - -Index: libvirt-1.1.2/src/util/virfile.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virfile.c -+++ libvirt-1.1.2/src/util/virfile.c -@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char - char **dev) - { - char *nbddev; -- char *qemunbd; -+ char *qemunbd = NULL; - virCommandPtr cmd = NULL; - int ret = -1; - const char *fmtstr = NULL; diff --git a/3e2f27e1-CVE-2013-4400.patch b/3e2f27e1-CVE-2013-4400.patch deleted file mode 100644 index 9be1c8c..0000000 --- a/3e2f27e1-CVE-2013-4400.patch +++ /dev/null @@ -1,354 +0,0 @@ -commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc -Author: Daniel P. Berrange -Date: Thu Oct 10 13:09:08 2013 +0100 - - Don't link virt-login-shell against libvirt.so (CVE-2013-4400) - - The libvirt.so library has far too many library deps to allow - linking against it from setuid programs. Those libraries can - do stuff in __attribute__((constructor) functions which is - not setuid safe. - - The virt-login-shell needs to link directly against individual - files that it uses, with all library deps turned off except - for libxml2 and libselinux. - - Create a libvirt-setuid-rpc-client.la library which is linked - to by virt-login-shell. A config-post.h file allows this library - to disable all external deps except libselinux and libxml2. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/Makefile.am -+++ libvirt-1.1.2/Makefile.am -@@ -31,6 +31,7 @@ XML_EXAMPLES = \ - test/*.xml storage/*.xml))) - - EXTRA_DIST = \ -+ config-post.h \ - ChangeLog-old \ - libvirt.spec libvirt.spec.in \ - mingw-libvirt.spec.in \ -Index: libvirt-1.1.2/config-post.h -=================================================================== ---- /dev/null -+++ libvirt-1.1.2/config-post.h -@@ -0,0 +1,44 @@ -+/* -+ * Copyright (C) 2013 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see -+ * . -+ */ -+ -+/* -+ * Since virt-login-shell will be setuid, we must do everything -+ * we can to avoid linking to other libraries. Many of them do -+ * unsafe things in functions marked __atttribute__((constructor)). -+ * The only way avoid to avoid such deps is to re-compile the -+ * functions with the code in question disabled, and for that we -+ * must override the main config.h rules. 
Hence this file :-( -+ */ -+ -+#ifdef LIBVIRT_SETUID_RPC_CLIENT -+# undef HAVE_LIBDEVMAPPER_H -+# undef HAVE_LIBNL -+# undef HAVE_LIBNL3 -+# undef HAVE_LIBSASL2 -+# undef WITH_CAPNG -+# undef WITH_CURL -+# undef WITH_DTRACE_PROBES -+# undef WITH_GNUTLS -+# undef WITH_MACVTAP -+# undef WITH_NUMACTL -+# undef WITH_SASL -+# undef WITH_SSH2 -+# undef WITH_VIRTUALPORT -+# undef WITH_YAJL -+# undef WITH_YAJL2 -+#endif -Index: libvirt-1.1.2/configure.ac -=================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list - AC_CONFIG_SRCDIR([src/libvirt.c]) - AC_CONFIG_AUX_DIR([build-aux]) - AC_CONFIG_HEADERS([config.h]) -+AH_BOTTOM([#include ]) - AC_CONFIG_MACRO_DIR([m4]) - dnl Make automake keep quiet about wildcards & other GNUmake-isms - AM_INIT_AUTOMAKE([-Wno-portability tar-ustar]) -Index: libvirt-1.1.2/daemon/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/daemon/Makefile.am -+++ libvirt-1.1.2/daemon/Makefile.am -@@ -18,6 +18,7 @@ - - INCLUDES = \ - -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_builddir)/src -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/util \ -Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am -+++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am -@@ -15,7 +15,8 @@ - ## . 
- - INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \ -- -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib -+ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) - noinst_PROGRAMS = event-test - event_test_CFLAGS = $(WARN_CFLAGS) - event_test_SOURCES = event-test.c -Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am -+++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am -@@ -14,7 +14,7 @@ - ## License along with this library. If not, see - ## . - --INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) - noinst_PROGRAMS = hellolibvirt - hellolibvirt_CFLAGS = $(WARN_CFLAGS) - hellolibvirt_SOURCES = hellolibvirt.c -Index: libvirt-1.1.2/examples/openauth/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/examples/openauth/Makefile.am -+++ libvirt-1.1.2/examples/openauth/Makefile.am -@@ -14,7 +14,7 @@ - ## License along with this library. If not, see - ## . 
- --INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) - noinst_PROGRAMS = openauth - openauth_CFLAGS = $(WARN_CFLAGS) - openauth_SOURCES = openauth.c -Index: libvirt-1.1.2/gnulib/lib/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/gnulib/lib/Makefile.am -+++ libvirt-1.1.2/gnulib/lib/Makefile.am -@@ -27,4 +27,4 @@ noinst_LTLIBRARIES = - - include gnulib.mk - --INCLUDES = $(GETTEXT_CPPFLAGS) -+INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS) -Index: libvirt-1.1.2/python/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/python/Makefile.am -+++ libvirt-1.1.2/python/Makefile.am -@@ -20,6 +20,7 @@ INCLUDES = \ - $(PYTHON_INCLUDES) \ - -I$(top_builddir)/gnulib/lib \ - -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I$(top_builddir)/src \ - -I$(top_srcdir)/src \ - -I$(top_srcdir)/src/util \ -Index: libvirt-1.1.2/src/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -21,6 +21,7 @@ - # that actually use them. Also keep GETTEXT_CPPFLAGS at the end. - INCLUDES = -I../gnulib/lib \ - -I$(top_srcdir)/gnulib/lib \ -+ -I$(top_srcdir) \ - -I../include \ - -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/util \ -@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \ - libvirt_lxc_la_CFLAGS = $(AM_CFLAGS) - libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) - -+# Since virt-login-shell will be setuid, we must do everything -+# we can to avoid linking to other libraries. Many of them do -+# unsafe things in functions marked __atttribute__((constructor)). -+# This library is built to include the bare minimum required to -+# have a RPC client for local UNIX socket access only. 
We use -+# the ../config-post.h header to disable all external deps that -+# we don't want -+if WITH_LXC -+noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la -+ -+libvirt_setuid_rpc_client_la_SOURCES = \ -+ util/viralloc.c \ -+ util/virbitmap.c \ -+ util/virbuffer.c \ -+ util/vircommand.c \ -+ util/virconf.c \ -+ util/virerror.c \ -+ util/virevent.c \ -+ util/vireventpoll.c \ -+ util/virfile.c \ -+ util/virhash.c \ -+ util/virhashcode.c \ -+ util/virjson.c \ -+ util/virlog.c \ -+ util/virobject.c \ -+ util/virpidfile.c \ -+ util/virprocess.c \ -+ util/virrandom.c \ -+ util/virsocketaddr.c \ -+ util/virstoragefile.c \ -+ util/virstring.c \ -+ util/virtime.c \ -+ util/virthread.c \ -+ util/virtypedparam.c \ -+ util/viruri.c \ -+ util/virutil.c \ -+ util/viruuid.c \ -+ conf/domain_event.c \ -+ rpc/virnetsocket.c \ -+ rpc/virnetsocket.h \ -+ rpc/virnetmessage.h \ -+ rpc/virnetmessage.c \ -+ rpc/virkeepalive.c \ -+ rpc/virkeepalive.h \ -+ rpc/virnetclient.c \ -+ rpc/virnetclientprogram.c \ -+ rpc/virnetclientstream.c \ -+ rpc/virnetprotocol.c \ -+ remote/remote_driver.c \ -+ remote/remote_protocol.c \ -+ remote/qemu_protocol.c \ -+ remote/lxc_protocol.c \ -+ datatypes.c \ -+ libvirt.c \ -+ libvirt-lxc.c \ -+ $(NULL) -+ -+libvirt_setuid_rpc_client_la_LDFLAGS = \ -+ $(AM_LDFLAGS) \ -+ $(LIBXML_LIBS) \ -+ $(SELINUX_LIBS) \ -+ $(NULL) -+libvirt_setuid_rpc_client_la_CFLAGS = \ -+ -DLIBVIRT_SETUID_RPC_CLIENT \ -+ -I$(top_srcdir)/src/conf \ -+ -I$(top_srcdir)/src/rpc \ -+ $(AM_CFLAGS) \ -+ $(SELINUX_CFLAGS) \ -+ $(NULL) -+endif WITH_LXC -+ - lockdriverdir = $(libdir)/libvirt/lock-driver - lockdriver_LTLIBRARIES = - -Index: libvirt-1.1.2/src/libvirt.c -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt.c -+++ libvirt-1.1.2/src/libvirt.c -@@ -446,40 +446,46 @@ virGlobalInit(void) - goto error; - - /* -+ * Note we must avoid everything except 'remote' driver -+ * for virt-login-shell usage -+ */ -+#ifndef 
LIBVIRT_SETUID_RPC_CLIENT -+ /* - * Note that the order is important: the first ones have a higher - * priority when calling virConnectOpen. - */ --#ifdef WITH_TEST -+# ifdef WITH_TEST - if (testRegister() == -1) - goto error; --#endif --#ifdef WITH_OPENVZ -+# endif -+# ifdef WITH_OPENVZ - if (openvzRegister() == -1) - goto error; --#endif --#ifdef WITH_VMWARE -+# endif -+# ifdef WITH_VMWARE - if (vmwareRegister() == -1) - goto error; --#endif --#ifdef WITH_PHYP -+# endif -+# ifdef WITH_PHYP - if (phypRegister() == -1) - goto error; --#endif --#ifdef WITH_ESX -+# endif -+# ifdef WITH_ESX - if (esxRegister() == -1) - goto error; --#endif --#ifdef WITH_HYPERV -+# endif -+# ifdef WITH_HYPERV - if (hypervRegister() == -1) - goto error; --#endif --#ifdef WITH_XENAPI -+# endif -+# ifdef WITH_XENAPI - if (xenapiRegister() == -1) - goto error; --#endif --#ifdef WITH_PARALLELS -+# endif -+# ifdef WITH_PARALLELS - if (parallelsRegister() == -1) - goto error; -+# endif - #endif - #ifdef WITH_REMOTE - if (remoteRegister() == -1) -Index: libvirt-1.1.2/tools/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/tools/Makefile.am -+++ libvirt-1.1.2/tools/Makefile.am -@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \ - $(COVERAGE_CFLAGS) \ - $(NULL) - -+# Since virt-login-shell will be setuid, we must do everything -+# we can to avoid linking to other libraries. Many of them do -+# unsafe things in functions marked __atttribute__((constructor)). -+# This we statically link to a library containing only the minimal -+# libvirt client code, not libvirt.so itself. 
- virt_login_shell_SOURCES = \ - virt-login-shell.c - -@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \ - virt_login_shell_LDADD = \ - $(STATIC_BINARIES) \ - $(PIE_LDFLAGS) \ -- ../src/libvirt.la \ -- ../src/libvirt-lxc.la \ -+ ../src/libvirt-setuid-rpc-client.la \ - ../gnulib/lib/libgnu.la - - virt_login_shell_CFLAGS = \ -+ -DLIBVIRT_SETUID_RPC_CLIENT \ - $(WARN_CFLAGS) \ - $(PIE_CFLAGS) \ - $(COVERAGE_CFLAGS) diff --git a/484cc321-fix-spice-migration.patch b/484cc321-fix-spice-migration.patch deleted file mode 100644 index 84b7bab..0000000 --- a/484cc321-fix-spice-migration.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 484cc3217b73b865f00bf42a9c12187b37200699 -Author: Martin Kletzander -Date: Fri Sep 20 16:40:20 2013 +0200 - - qemu: Fix seamless SPICE migration - - Since the wait is done during migration (still inside - QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such - in order to prohibit all other jobs from interfering in the meantime. - This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was - waiting on the monitor condition and after GetSpiceMigrationStatus - mangled its internal data, the daemon crashed. - - Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886 - -Index: libvirt-1.1.2/src/qemu/qemu_migration.c -=================================================================== ---- libvirt-1.1.2.orig/src/qemu/qemu_migration.c -+++ libvirt-1.1.2/src/qemu/qemu_migration.c -@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP - /* Poll every 50ms for progress & to allow cancellation */ - struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull }; - -- qemuDomainObjEnterMonitor(driver, vm); -+ if (qemuDomainObjEnterMonitorAsync(driver, vm, -+ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0) -+ return -1; -+ - if (qemuMonitorGetSpiceMigrationStatus(priv->mon, - &spice_migrated) < 0) { - qemuDomainObjExitMonitor(driver, vm); 
diff --git a/57687fd6-CVE-2013-4401.patch b/57687fd6-CVE-2013-4401.patch deleted file mode 100644 index 81b7b45..0000000 --- a/57687fd6-CVE-2013-4401.patch +++ /dev/null @@ -1,52 +0,0 @@ -commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c -Author: Daniel P. Berrange -Date: Thu Oct 3 16:37:57 2013 +0100 - - Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401) - - The virConnectDomainXMLToNative API should require 'connect:write' - not 'connect:read', since it will trigger execution of the QEMU - binaries listed in the XML. - - Also make virConnectDomainXMLFromNative API require a full - read-write connection and 'connect:write' permission. Although the - current impl doesn't trigger execution of QEMU, we should not - rely on that impl detail from an API permissioning POV. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/libvirt.c -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt.c -+++ libvirt-1.1.2/src/libvirt.c -@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC - virDispatchError(NULL); - return NULL; - } -+ if (conn->flags & VIR_CONNECT_RO) { -+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); -+ goto error; -+ } - - virCheckNonNullArgGoto(nativeFormat, error); - virCheckNonNullArgGoto(nativeConfig, error); -Index: libvirt-1.1.2/src/remote/remote_protocol.x -=================================================================== ---- libvirt-1.1.2.orig/src/remote/remote_protocol.x -+++ libvirt-1.1.2/src/remote/remote_protocol.x -@@ -3812,13 +3812,13 @@ enum remote_procedure { - - /** - * @generate: both -- * @acl: connect:read -+ * @acl: connect:write - */ - REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135, - - /** - * @generate: both -- * @acl: connect:read -+ * @acl: connect:write - */ - REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136, - diff --git a/5a0ea4b7-CVE-2013-4400.patch b/5a0ea4b7-CVE-2013-4400.patch deleted file mode 100644 index 409add3..0000000 
--- a/5a0ea4b7-CVE-2013-4400.patch +++ /dev/null @@ -1,103 +0,0 @@ -commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2 -Author: Jim Fehlig -Date: Mon Oct 21 15:36:11 2013 -0600 - - build: fix linking virt-login-shell - - After commit 3e2f27e1, I've noticed build failures of virt-login-shell - when libapparmor-devel is installed on the build host - - CCLD virt-login-shell - ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): - In function `virExec': - /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined - reference to `aa_change_profile' - collect2: error: ld returned 1 exit status - - I was about to commit an easy fix under the build-breaker rule - (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS - to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it - makes sense (build-fix-2.patch). - - Should I just stick with the simple fix, or is something along the lines - of patch 2 preferred? - - Regards, - Jim - - >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001 - From: Jim Fehlig - Date: Mon, 21 Oct 2013 15:30:02 -0600 - Subject: [PATCH] build: fix virt-login-shell build with apparmor - - With libapparmor-devel installed, virt-login-shell fails to link - - CCLD virt-login-shell - ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': - /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' - collect2: error: ld returned 1 exit status - - Fix by linking libvirt_setuid_rpc_client with previously determined - SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS - and use both throughout src/Makefile.am where it makes sense. - - 
Signed-off-by: Jim Fehlig - -Index: libvirt-1.1.2/src/Makefile.am -=================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -49,11 +49,14 @@ nodist_conf_DATA = - - THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD) - -+SECDRIVER_CFLAGS = - SECDRIVER_LIBS = - if WITH_SECDRIVER_SELINUX -+SECDRIVER_CFLAGS += $(SELINUX_CFLAGS) - SECDRIVER_LIBS += $(SELINUX_LIBS) - endif - if WITH_SECDRIVER_APPARMOR -+SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS) - SECDRIVER_LIBS += $(APPARMOR_LIBS) - endif - -@@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES = - libvirt_setuid_rpc_client_la_LDFLAGS = \ - $(AM_LDFLAGS) \ - $(LIBXML_LIBS) \ -- $(SELINUX_LIBS) \ -+ $(SECDRIVER_LIBS) \ - $(NULL) - libvirt_setuid_rpc_client_la_CFLAGS = \ - -DLIBVIRT_SETUID_RPC_CLIENT \ - -I$(top_srcdir)/src/conf \ - -I$(top_srcdir)/src/rpc \ - $(AM_CFLAGS) \ -- $(SELINUX_CFLAGS) \ -+ $(SECDRIVER_CFLAGS) \ - $(NULL) - endif WITH_LXC - -@@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \ - $(GNUTLS_LIBS) \ - $(SASL_LIBS) \ - $(SSH2_LIBS)\ -+ $(SECDRIVER_LIBS) \ - $(AM_LDFLAGS) \ - $(CYGWIN_EXTRA_LDFLAGS) \ - $(MINGW_EXTRA_LDFLAGS) -@@ -2410,12 +2414,7 @@ if WITH_BLKID - libvirt_lxc_CFLAGS += $(BLKID_CFLAGS) - libvirt_lxc_LDADD += $(BLKID_LIBS) - endif --if WITH_SECDRIVER_SELINUX --libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS) --endif --if WITH_SECDRIVER_APPARMOR --libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS) --endif -+libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS) - endif - endif - EXTRA_DIST += $(LXC_CONTROLLER_SOURCES) diff --git a/79552754-libvirtd-chardev-crash.patch b/79552754-libvirtd-chardev-crash.patch deleted file mode 100644 index dfe5e97..0000000 --- a/79552754-libvirtd-chardev-crash.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -commit 795527548fea79902ea4ce32747e069944cf3e61 -Author: Peter Krempa -Date: Thu Sep 26 08:12:39 2013 +0200 - - conf: Don't crash on invalid chardev source definition of RNGs and other - - Since commit 297c99a5 an invalid source definition XML of a character - device that is used as backend for RNG devices, smartcards and redirdevs - causes crash of the daemon when parsing such a definition. - - The device types mentioned above are not a part of a regular character - device but are backends for other types. Thus when parsing such device - NULL is passed as the argument @chr_def. Later when checking the - validity of the definition @chr_def was dereferenced when parsing a UNIX - socket backend with missing path of the socket and crashed the daemon. - - Sample offending configuration: - - ... - - - - - - - - Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196 - -Index: libvirt-1.1.2/src/conf/domain_conf.c -=================================================================== ---- libvirt-1.1.2.orig/src/conf/domain_conf.c -+++ libvirt-1.1.2/src/conf/domain_conf.c -@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC - case VIR_DOMAIN_CHR_TYPE_UNIX: - /* path can be auto generated */ - if (!path && -- chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) { -+ (!chr_def || -+ chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Missing source path attribute for char device")); - goto error; -Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml -=================================================================== ---- /dev/null -+++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml -@@ -0,0 +1,27 @@ -+ -+ QEMUGuest1 -+ c7a5fdbd-edaf-9455-926a-d65c16db1809 -+ 219100 -+ 219100 -+ 1 -+ -+ hvm -+ -+ -+ -+ destroy -+ restart -+ destroy -+ -+ /usr/bin/qemu -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -Index: 
libvirt-1.1.2/tests/qemuxml2argvtest.c -=================================================================== ---- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c -+++ libvirt-1.1.2/tests/qemuxml2argvtest.c -@@ -973,6 +973,8 @@ mymain(void) - QEMU_CAPS_OBJECT_RNG_RANDOM); - DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG, - QEMU_CAPS_OBJECT_RNG_EGD); -+ DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE, -+ QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); - DO_TEST("virtio-rng-ccw", - QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG, - QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW, diff --git a/8294aa0c-CVE-2013-4399.patch b/8294aa0c-CVE-2013-4399.patch deleted file mode 100644 index a472fb9..0000000 --- a/8294aa0c-CVE-2013-4399.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b -Author: Daniel P. Berrange -Date: Fri Sep 27 15:46:07 2013 +0100 - - Fix crash in libvirtd when events are registered & ACLs active - - When a client disconnects from libvirtd, all event callbacks - must be removed. This involves running the public API - - virConnectDomainEventDeregisterAny - - This code does not run in normal API dispatch context, so no - identity was set. The result was that the access control drivers - denied the attempt to deregister callbacks. The callbacks thus - continued to trigger after the client was free'd causing fairly - predictable use of free memory & a crash. - - This can be triggered by any client with readonly access when - the ACL drivers are active. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data) - - /* Deregister event delivery callback */ - if (priv->conn) { -+ virIdentityPtr sysident = virIdentityGetSystem(); - size_t i; - -+ virIdentitySetCurrent(sysident); -+ - for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) { - if (priv->domainEventCallbackID[i] != -1) { - VIR_DEBUG("Deregistering to relay remote events %zu", i); -@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data) - } - - virConnectClose(priv->conn); -+ -+ virIdentitySetCurrent(NULL); -+ virObjectUnref(sysident); - } - - VIR_FREE(priv); diff --git a/843bdb2f-CVE-2013-4400.patch b/843bdb2f-CVE-2013-4400.patch deleted file mode 100644 index 8daa299..0000000 --- a/843bdb2f-CVE-2013-4400.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 843bdb2f8a3364637cda2911624149525188843f -Author: Jim Fehlig -Date: Mon Oct 21 23:12:22 2013 -0600 - - build: fix build of virt-login-shell on systems with older gnutls - - On systems where gnutls uses libgcrypt, I'm seeing the following - build failure - - libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type - libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function) - ... - - Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h - -Index: libvirt-1.1.2/config-post.h -=================================================================== ---- libvirt-1.1.2.orig/config-post.h -+++ libvirt-1.1.2/config-post.h -@@ -34,6 +34,7 @@ - # undef WITH_CURL - # undef WITH_DTRACE_PROBES - # undef WITH_GNUTLS -+# undef WITH_GNUTLS_GCRYPT - # undef WITH_MACVTAP - # undef WITH_NUMACTL - # undef WITH_SASL diff --git a/8c3586ea-CVE-2013-4400.patch b/8c3586ea-CVE-2013-4400.patch deleted file mode 100644 index 8e94fb4..0000000 
--- a/8c3586ea-CVE-2013-4400.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994 -Author: Daniel P. Berrange -Date: Wed Oct 9 10:59:36 2013 +0100 - - Only allow 'stderr' log output when running setuid (CVE-2013-4400) - - We must not allow file/syslog/journald log outputs when running - setuid since they can be abused to do bad things. In particular - the 'file' output can be used to overwrite files. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/util/virlog.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virlog.c -+++ libvirt-1.1.2/src/util/virlog.c -@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit - * Multiple output can be defined in a single @output, they just need to be - * separated by spaces. - * -+ * If running in setuid mode, then only the 'stderr' output will -+ * be allowed -+ * - * Returns the number of output parsed and installed or -1 in case of error - */ - int -@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs) - virLogPriority prio; - int ret = -1; - int count = 0; -+ bool isSUID = virIsSUID(); - - if (cur == NULL) - return -1; -@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs) - if (virLogAddOutputToStderr(prio) == 0) - count++; - } else if (STREQLEN(cur, "syslog", 6)) { -+ if (isSUID) -+ goto cleanup; - cur += 6; - if (*cur != ':') - goto cleanup; -@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs) - VIR_FREE(name); - #endif /* HAVE_SYSLOG_H */ - } else if (STREQLEN(cur, "file", 4)) { -+ if (isSUID) -+ goto cleanup; - cur += 4; - if (*cur != ':') - goto cleanup; -@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs) - VIR_FREE(name); - VIR_FREE(abspath); - } else if (STREQLEN(cur, "journald", 8)) { -+ if (isSUID) -+ goto cleanup; - cur += 8; - #if USE_JOURNALD - if (virLogAddOutputToJournald(prio) == 0) 
diff --git a/922b7fda-CVE-2013-4311.patch b/922b7fda-CVE-2013-4311.patch deleted file mode 100644 index e6bd11d..0000000 --- a/922b7fda-CVE-2013-4311.patch +++ /dev/null @@ -1,171 +0,0 @@ -commit 922b7fda77b094dbf022d625238262ea05335666 -Author: Daniel P. Berrange -Date: Wed Aug 28 15:25:40 2013 +0100 - - Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) - - With the existing pkcheck (pid, start time) tuple for identifying - the process, there is a race condition, where a process can make - a libvirt RPC call and in another thread exec a setuid application, - causing it to change to effective UID 0. This in turn causes polkit - to do its permission check based on the wrong UID. - - To address this, libvirt must get the UID the caller had at time - of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) - triple to the pkcheck program. - - This fix requires that libvirt is re-built against a version of - polkit that has the fix for its CVE-2013-4288, so that libvirt - can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' - - Signed-off-by: Colin Walters - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/configure.ac -=================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test - AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH]) - if test "x$PKCHECK_PATH" != "x" ; then - AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program]) -+ AC_MSG_CHECKING([whether pkcheck supports uid value]) -+ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1` -+ if test "x$pkcheck_supports_uid" = "xtrue"; then -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck]) -+ else -+ AC_MSG_RESULT([no]) -+ fi - AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, - [use PolicyKit for UNIX socket access checks]) - AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1, -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr - int status = -1; - char *ident = NULL; - bool authdismissed = 0; -+ bool supportsuid = false; - char *pkout = NULL; - struct daemonClientPrivate *priv = - virNetServerClientGetPrivateData(client); - virCommandPtr cmd = NULL; -+ static bool polkitInsecureWarned; - - virMutexLock(&priv->lock); - action = virNetServerClientGetReadonly(client) ? 
-@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr - goto authfail; - } - -+ if (timestamp == 0) { -+ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", -+ (long long)callerPid); -+ goto authfail; -+ } -+ - VIR_INFO("Checking PID %lld running as %d", - (long long) callerPid, callerUid); - - virCommandAddArg(cmd, "--process"); -- if (timestamp != 0) { -- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); -+# ifdef PKCHECK_SUPPORTS_UID -+ supportsuid = true; -+# endif -+ if (supportsuid) { -+ virCommandAddArgFormat(cmd, "%lld,%llu,%lu", -+ (long long) callerPid, timestamp, (unsigned long) callerUid); - } else { -- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); -+ if (!polkitInsecureWarned) { -+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); -+ polkitInsecureWarned = true; -+ } -+ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); - } - virCommandAddArg(cmd, "--allow-user-interaction"); - -Index: libvirt-1.1.2/libvirt.spec.in -=================================================================== ---- libvirt-1.1.2.orig/libvirt.spec.in -+++ libvirt-1.1.2/libvirt.spec.in -@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel - %endif - %if %{with_polkit} - %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 --# Only need the binary, not -devel --BuildRequires: polkit >= 0.93 -+BuildRequires: polkit-devel >= 0.93 - %else - BuildRequires: PolicyKit-devel >= 0.6 - %endif -Index: libvirt-1.1.2/src/access/viraccessdriverpolkit.c -=================================================================== ---- libvirt-1.1.2.orig/src/access/viraccessdriverpolkit.c -+++ libvirt-1.1.2/src/access/viraccessdriverpolkit.c -@@ -72,8 +72,12 @@ static char * - virAccessDriverPolkitFormatProcess(const char *actionid) - { - virIdentityPtr identity = virIdentityGetCurrent(); -- const char *process = NULL; -+ const char *callerPid = NULL; -+ const char *callerTime 
= NULL; -+ const char *callerUid = NULL; - char *ret = NULL; -+ bool supportsuid = false; -+ static bool polkitInsecureWarned; - - if (!identity) { - virAccessError(VIR_ERR_ACCESS_DENIED, -@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const - actionid); - return NULL; - } -- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0) -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0) -+ goto cleanup; -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0) -+ goto cleanup; -+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0) - goto cleanup; - -- if (!process) { -+ if (!callerPid) { - virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", - _("No UNIX process ID available")); - goto cleanup; - } -- -- if (VIR_STRDUP(ret, process) < 0) -+ if (!callerTime) { -+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("No UNIX process start time available")); -+ goto cleanup; -+ } -+ if (!callerUid) { -+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", -+ _("No UNIX caller UID available")); - goto cleanup; -+ } -+ -+#ifdef PKCHECK_SUPPORTS_UID -+ supportsuid = true; -+#endif -+ if (supportsuid) { -+ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0) -+ goto cleanup; -+ } else { -+ if (!polkitInsecureWarned) { -+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); -+ polkitInsecureWarned = true; -+ } -+ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0) -+ goto cleanup; -+ } - - cleanup: - virObjectUnref(identity); diff --git a/ae53e5d1-CVE-2013-4400.patch b/ae53e5d1-CVE-2013-4400.patch deleted file mode 100644 index 175d9bd..0000000 --- a/ae53e5d1-CVE-2013-4400.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e -Author: Daniel P. Berrange -Date: Wed Oct 9 10:52:39 2013 +0100 - - Add helpers for getting env vars in a setuid environment - - Care must be taken accessing env variables when running - setuid. Introduce a virGetEnvAllowSUID for env vars which - are safe to use in a setuid environment, and another - virGetEnvBlockSUID for vars which are not safe. Also add - a virIsSUID helper method for any other non-env var code - to use. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/libvirt_private.syms -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt_private.syms -+++ libvirt-1.1.2/src/libvirt_private.syms -@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport; - virFormatIntDecimal; - virGetDeviceID; - virGetDeviceUnprivSGIO; -+virGetEnvAllowSUID; -+virGetEnvBlockSUID; - virGetFCHostNameByWWN; - virGetGroupID; - virGetGroupList; -@@ -2060,6 +2062,7 @@ virIndexToDiskName; - virIsCapableFCHost; - virIsCapableVport; - virIsDevMapperDevice; -+virIsSUID; - virManageVport; - virParseNumber; - virParseOwnershipIds; -Index: libvirt-1.1.2/src/util/virutil.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virutil.c -+++ libvirt-1.1.2/src/util/virutil.c -@@ -2116,3 +2116,42 @@ cleanup: - - return rc; - } -+ -+ -+/** -+ * virGetEnvBlockSUID: -+ * @name: the environment variable name -+ * -+ * Obtain an environment variable which is unsafe to -+ * use when running setuid. If running setuid, a NULL -+ * value will be returned -+ */ -+const char *virGetEnvBlockSUID(const char *name) -+{ -+ return secure_getenv(name); -+} -+ -+ -+/** -+ * virGetEnvBlockSUID: -+ * @name: the environment variable name -+ * -+ * Obtain an environment variable which is safe to -+ * use when running setuid. The value will be returned -+ * even when running setuid -+ */ -+const char *virGetEnvAllowSUID(const char *name) -+{ -+ return getenv(name); -+} -+ -+ -+/** -+ * virIsSUID: -+ * Return a true value if running setuid. Does not -+ * check for elevated capabilities bits. 
-+ */ -+bool virIsSUID(void) -+{ -+ return getuid() != geteuid(); -+} -Index: libvirt-1.1.2/src/util/virutil.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/virutil.h -+++ libvirt-1.1.2/src/util/virutil.h -@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l - - int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr); - -+const char *virGetEnvBlockSUID(const char *name); -+const char *virGetEnvAllowSUID(const char *name); -+bool virIsSUID(void); -+ - #endif /* __VIR_UTIL_H__ */ diff --git a/b7fcc799a-CVE-2013-4400.patch b/b7fcc799a-CVE-2013-4400.patch deleted file mode 100644 index 1568934..0000000 --- a/b7fcc799a-CVE-2013-4400.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit b7fcc799ad5d8f3e55b89b94e599903e3c092467 -Author: Daniel P. Berrange -Date: Wed Oct 9 15:14:34 2013 +0100 - - Close all non-stdio FDs in virt-login-shell (CVE-2013-4400) - - We don't want to inherit any FDs in the new namespace - except for the stdio FDs. Explicitly close them all, - just in case some do not have the close-on-exec flag - set. - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/tools/virt-login-shell.c -=================================================================== ---- libvirt-1.1.2.orig/tools/virt-login-shell.c -+++ libvirt-1.1.2/tools/virt-login-shell.c -@@ -313,6 +313,18 @@ main(int argc, char **argv) - if (cpid == 0) { - pid_t ccpid; - -+ int openmax = sysconf(_SC_OPEN_MAX); -+ int fd; -+ if (openmax < 0) { -+ virReportSystemError(errno, "%s", -+ _("sysconf(_SC_OPEN_MAX) failed")); -+ return EXIT_FAILURE; -+ } -+ for (fd = 3; fd < openmax; fd++) { -+ int tmpfd = fd; -+ VIR_MASS_CLOSE(tmpfd); -+ } -+ - /* Fork once because we don't want to affect - * virt-login-shell's namespace itself - */ diff --git a/bd773e74-lxc-terminate-machine.patch b/bd773e74-lxc-terminate-machine.patch deleted file mode 100644 index 4417f6d..0000000 --- a/bd773e74-lxc-terminate-machine.patch +++ /dev/null 
@@ -1,247 +0,0 @@ -commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c -Author: Cédric Bosdonnat -Date: Mon Sep 30 16:46:29 2013 +0200 - - LXC: workaround machined uncleaned data with containers running systemd. - - The problem is described by [0] but its effect on libvirt is that - starting a container with a full distro running systemd after having - stopped it simply fails. - - The container cleanup now calls the machined Terminate function to make - sure that everything is in order for the next run. - - [0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370 - -Index: libvirt-1.1.2/src/libvirt_private.syms -=================================================================== ---- libvirt-1.1.2.orig/src/libvirt_private.syms -+++ libvirt-1.1.2/src/libvirt_private.syms -@@ -1940,8 +1940,10 @@ virSysinfoSetup; - - # util/virsystemd.h - virSystemdCreateMachine; -+virSystemdMakeMachineName; - virSystemdMakeScopeName; - virSystemdMakeSliceName; -+virSystemdTerminateMachine; - - - # util/virthread.h -Index: libvirt-1.1.2/src/lxc/lxc_process.c -=================================================================== ---- libvirt-1.1.2.orig/src/lxc/lxc_process.c -+++ libvirt-1.1.2/src/lxc/lxc_process.c -@@ -50,6 +50,7 @@ - #include "virstring.h" - #include "viratomic.h" - #include "virprocess.h" -+#include "virsystemd.h" - - #define VIR_FROM_THIS VIR_FROM_LXC - -@@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD - virCgroupFree(&priv->cgroup); - } - -+ /* Get machined to terminate the machine as it may not have cleaned it -+ * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for -+ * the bug we are working around here. 
-+ */ -+ virSystemdTerminateMachine(vm->def->name, "lxc", true); -+ -+ - /* now that we know it's stopped call the hook if present */ - if (virHookPresent(VIR_HOOK_DRIVER_LXC)) { - char *xml = virDomainDefFormat(vm->def, 0); -Index: libvirt-1.1.2/src/util/virsystemd.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/virsystemd.c -+++ libvirt-1.1.2/src/util/virsystemd.c -@@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char - return virBufferContentAndReset(&buf); - } - -+char *virSystemdMakeMachineName(const char *name, -+ const char *drivername, -+ bool privileged) -+{ -+ char *machinename = NULL; -+ char *username = NULL; -+ if (privileged) { -+ if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) -+ goto cleanup; -+ } else { -+ if (!(username = virGetUserName(geteuid()))) -+ goto cleanup; -+ if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) -+ goto cleanup; -+ } -+ -+cleanup: -+ VIR_FREE(username); -+ -+ return machinename; -+} - - /** - * virSystemdCreateMachine: -@@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char * - DBusConnection *conn; - char *machinename = NULL; - char *creatorname = NULL; -- char *username = NULL; - char *slicename = NULL; - - if (!virDBusHasSystemBus()) -@@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char * - - conn = virDBusGetSystemBus(); - -- if (privileged) { -- if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) -- goto cleanup; -- } else { -- if (!(username = virGetUserName(geteuid()))) -- goto cleanup; -- if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) -- goto cleanup; -- } -+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) -+ goto cleanup; - - if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0) - goto cleanup; -@@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char * - ret = 0; - - cleanup: -- VIR_FREE(username); - VIR_FREE(creatorname); - 
VIR_FREE(machinename); - return ret; - } -+ -+int virSystemdTerminateMachine(const char *name, -+ const char *drivername, -+ bool privileged) -+{ -+ int ret; -+ DBusConnection *conn; -+ char *machinename = NULL; -+ -+ if(!virDBusHasSystemBus()) -+ return -2; -+ -+ conn = virDBusGetSystemBus(); -+ -+ ret = -1; -+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) -+ goto cleanup; -+ -+ /* -+ * The systemd DBus API we're invoking has the -+ * following signature -+ * -+ * TerminateMachine(in s name); -+ * -+ * @name a host unique name for the machine. shows up -+ * in 'ps' listing & similar -+ */ -+ -+ VIR_DEBUG("Attempting to terminate machine via systemd"); -+ if (virDBusCallMethod(conn, -+ NULL, -+ "org.freedesktop.machine1", -+ "/org/freedesktop/machine1", -+ "org.freedesktop.machine1.Manager", -+ "TerminateMachine", -+ "s", -+ machinename) < 0) -+ goto cleanup; -+ -+ ret = 0; -+ -+cleanup: -+ VIR_FREE(machinename); -+ return ret; -+} -Index: libvirt-1.1.2/src/util/virsystemd.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/virsystemd.h -+++ libvirt-1.1.2/src/util/virsystemd.h -@@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char - const char *slicename); - char *virSystemdMakeSliceName(const char *partition); - -+char *virSystemdMakeMachineName(const char *name, -+ const char *drivername, -+ bool privileged); -+ - int virSystemdCreateMachine(const char *name, - const char *drivername, - bool privileged, -@@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char * - bool iscontainer, - const char *partition); - -+int virSystemdTerminateMachine(const char *name, -+ const char *drivername, -+ bool privileged); -+ - #endif /* __VIR_SYSTEMD_H__ */ -Index: libvirt-1.1.2/tests/virsystemdtest.c -=================================================================== ---- libvirt-1.1.2.orig/tests/virsystemdtest.c -+++ libvirt-1.1.2/tests/virsystemdtest.c -@@ -51,6 +51,18 @@ static int 
testCreateContainer(const voi - return 0; - } - -+static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED) -+{ -+ if (virSystemdTerminateMachine("demo", -+ "lxc", -+ true) < 0) { -+ fprintf(stderr, "%s", "Failed to terminate LXC machine\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED) - { - unsigned char uuid[VIR_UUID_BUFLEN] = { -@@ -74,6 +86,18 @@ static int testCreateMachine(const void - return 0; - } - -+static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED) -+{ -+ if (virSystemdTerminateMachine("demo", -+ "qemu", -+ false) < 0) { -+ fprintf(stderr, "%s", "Failed to terminate KVM machine\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED) - { - unsigned char uuid[VIR_UUID_BUFLEN] = { -@@ -177,8 +201,12 @@ mymain(void) - - if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0) - ret = -1; -+ if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0) -+ ret = -1; - if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0) - ret = -1; -+ if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0) -+ ret = -1; - if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0) - ret = -1; - if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0) diff --git a/clone.patch b/clone.patch index 033ad0c..4e01402 100644 --- a/clone.patch +++ b/clone.patch @@ -32,7 +32,7 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); if (cpid < 0) { virReportSystemError(errno, "%s", -@@ -1893,7 +1901,11 @@ int lxcContainerStart(virDomainDefPtr de +@@ -2034,7 +2042,11 @@ int lxcContainerStart(virDomainDefPtr de cflags |= CLONE_NEWNET; } 
@@ -44,7 +44,7 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); VIR_DEBUG("clone() completed, new container PID is %d", pid); -@@ -1919,6 +1931,7 @@ int lxcContainerAvailable(int features) +@@ -2060,6 +2072,7 @@ int lxcContainerAvailable(int features) int cpid; char *childStack; char *stack; @@ -52,7 +52,7 @@ Index: src/lxc/lxc_container.c if (features & LXC_CONTAINER_FEATURE_USER) flags |= CLONE_NEWUSER; -@@ -1926,14 +1939,21 @@ int lxcContainerAvailable(int features) +@@ -2067,14 +2080,21 @@ int lxcContainerAvailable(int features) if (features & LXC_CONTAINER_FEATURE_NET) flags |= CLONE_NEWNET; diff --git a/db7a5688-CVE-2013-4311.patch b/db7a5688-CVE-2013-4311.patch deleted file mode 100644 index f537e6d..0000000 --- a/db7a5688-CVE-2013-4311.patch +++ /dev/null @@ -1,149 +0,0 @@ -commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 -Author: Daniel P. Berrange -Date: Thu Aug 22 16:00:01 2013 +0100 - - Also store user & group ID values in virIdentity - - Future improvements to the polkit code will require access to - the numeric user ID, not merely user name. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/rpc/virnetserverclient.c -=================================================================== ---- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c -+++ libvirt-1.1.2/src/rpc/virnetserverclient.c -@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetS - char *processid = NULL; - char *processtime = NULL; - char *username = NULL; -+ char *userid = NULL; - char *groupname = NULL; -+ char *groupid = NULL; - #if WITH_SASL - char *saslname = NULL; - #endif -@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetS - - if (!(username = virGetUserName(uid))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)uid) < 0) -+ goto cleanup; - if (!(groupname = virGetGroupName(gid))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)gid) < 0) -+ goto cleanup; - if (virAsprintf(&processid, "%llu", - (unsigned long long)pid) < 0) - goto cleanup; -@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetS - VIR_IDENTITY_ATTR_UNIX_USER_NAME, - username) < 0) - goto error; -+ if (userid && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, -+ userid) < 0) -+ goto error; - if (groupname && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, - groupname) < 0) - goto error; -+ if (groupid && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, -+ groupid) < 0) -+ goto error; - if (processid && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, -@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetS - - cleanup: - VIR_FREE(username); -+ VIR_FREE(userid); - VIR_FREE(groupname); -+ VIR_FREE(groupid); - VIR_FREE(processid); - VIR_FREE(processtime); - VIR_FREE(seccontext); -Index: libvirt-1.1.2/src/util/viridentity.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.c -+++ libvirt-1.1.2/src/util/viridentity.c -@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr - virIdentityPtr 
virIdentityGetSystem(void) - { - char *username = NULL; -+ char *userid = NULL; - char *groupname = NULL; -+ char *groupid = NULL; - char *seccontext = NULL; - virIdentityPtr ret = NULL; - #if WITH_SELINUX -@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void - - if (!(username = virGetUserName(getuid()))) - goto cleanup; -+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0) -+ goto cleanup; -+ - if (!(groupname = virGetGroupName(getgid()))) - goto cleanup; -+ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0) -+ goto cleanup; - - #if WITH_SELINUX - if (getcon(&con) < 0) { -@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void - if (!(ret = virIdentityNew())) - goto cleanup; - -- if (username && -- virIdentitySetAttr(ret, -+ if (virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_USER_NAME, - username) < 0) - goto error; -- if (groupname && -- virIdentitySetAttr(ret, -+ if (virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, -+ userid) < 0) -+ goto error; -+ if (virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, - groupname) < 0) - goto error; -+ if (virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, -+ groupid) < 0) -+ goto error; - if (seccontext && - virIdentitySetAttr(ret, - VIR_IDENTITY_ATTR_SELINUX_CONTEXT, -@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void - - cleanup: - VIR_FREE(username); -+ VIR_FREE(userid); - VIR_FREE(groupname); -+ VIR_FREE(groupid); - VIR_FREE(seccontext); - VIR_FREE(processid); - return ret; -Index: libvirt-1.1.2/src/util/viridentity.h -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.h -+++ libvirt-1.1.2/src/util/viridentity.h -@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr; - - typedef enum { - VIR_IDENTITY_ATTR_UNIX_USER_NAME, -+ VIR_IDENTITY_ATTR_UNIX_USER_ID, - VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, -+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, - VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, - 
VIR_IDENTITY_ATTR_SASL_USER_NAME, diff --git a/e350826c-python-fix-fd-passing.patch b/e350826c-python-fix-fd-passing.patch deleted file mode 100644 index ea9289b..0000000 --- a/e350826c-python-fix-fd-passing.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit e350826c653b20dd271ab99075d2f224c7451356 -Author: Marian Neagul -Date: Tue Oct 22 16:03:39 2013 +0100 - - python: Fix Create*WithFiles filefd passing - - Commit d76227be added functions virDomainCreateWithFiles and - virDomainCreateXMLWithFiles, but there was a little piece missing in - python bindings. This patch fixes proper passing of file descriptors - in the overwrites of these functions. - -Index: libvirt-1.1.2/python/libvirt-override.c -=================================================================== ---- libvirt-1.1.2.orig/python/libvirt-override.c -+++ libvirt-1.1.2/python/libvirt-override.c -@@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb - - if (libvirt_intUnwrap(pyfd, &fd) < 0) - goto cleanup; -+ -+ files[i] = fd; -+ -+ files[i] = fd; - } - - LIBVIRT_BEGIN_ALLOW_THREADS; diff --git a/e4697b92-CVE-2013-4311.patch b/e4697b92-CVE-2013-4311.patch deleted file mode 100644 index 7698d4c..0000000 --- a/e4697b92-CVE-2013-4311.patch +++ /dev/null @@ -1,35 +0,0 @@ -commit e4697b92abaad16e8e6b41a1e55be9b084d48d5a -Author: Daniel P. Berrange -Date: Mon Sep 23 12:46:25 2013 +0100 - - Fix typo in identity code which is pre-requisite for CVE-2013-4311 - - The fix for CVE-2013-4311 had a pre-requisite enhancement - to the identity code - - commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 - Author: Daniel P. Berrange - Date: Thu Aug 22 16:00:01 2013 +0100 - - Also store user & group ID values in virIdentity - - This had a typo which caused the group ID to overwrite the - user ID string. This meant any checks using this would have - the wrong ID value. This only affected the ACL code, not the - initial polkit auth. It also leaked memory. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/rpc/virnetserverclient.c -=================================================================== ---- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c -+++ libvirt-1.1.2/src/rpc/virnetserverclient.c -@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetS - goto cleanup; - if (!(groupname = virGetGroupName(gid))) - goto cleanup; -- if (virAsprintf(&userid, "%d", (int)gid) < 0) -+ if (virAsprintf(&groupid, "%d", (int)gid) < 0) - goto cleanup; - if (virAsprintf(&processid, "%llu", - (unsigned long long)pid) < 0) diff --git a/e65667c0-CVE-2013-4311.patch b/e65667c0-CVE-2013-4311.patch deleted file mode 100644 index f89b81f..0000000 --- a/e65667c0-CVE-2013-4311.patch +++ /dev/null @@ -1,65 +0,0 @@ -commit e65667c0c6e016d42abea077e31628ae43f57b74 -Author: Daniel P. Berrange -Date: Wed Aug 28 15:22:05 2013 +0100 - - Ensure system identity includes process start time - - The polkit access driver will want to use the process start - time field. This was already set for network identities, but - not for the system identity. - - 
Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/src/util/viridentity.c -=================================================================== ---- libvirt-1.1.2.orig/src/util/viridentity.c -+++ libvirt-1.1.2/src/util/viridentity.c -@@ -35,6 +35,7 @@ - #include "virthread.h" - #include "virutil.h" - #include "virstring.h" -+#include "virprocess.h" - - #define VIR_FROM_THIS VIR_FROM_IDENTITY - -@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void - security_context_t con; - #endif - char *processid = NULL; -+ unsigned long long timestamp; -+ char *processtime = NULL; - - if (virAsprintf(&processid, "%llu", - (unsigned long long)getpid()) < 0) - goto cleanup; - -+ if (virProcessGetStartTime(getpid(), ×tamp) < 0) -+ goto cleanup; -+ -+ if (timestamp != 0 && -+ virAsprintf(&processtime, "%llu", timestamp) < 0) -+ goto cleanup; -+ - if (!(username = virGetUserName(getuid()))) - goto cleanup; - if (virAsprintf(&userid, "%d", (int)getuid()) < 0) -@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void - VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, - processid) < 0) - goto error; -+ if (processtime && -+ virIdentitySetAttr(ret, -+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, -+ processtime) < 0) -+ goto error; - - cleanup: - VIR_FREE(username); -@@ -206,6 +221,7 @@ cleanup: - VIR_FREE(groupid); - VIR_FREE(seccontext); - VIR_FREE(processid); -+ VIR_FREE(processtime); - return ret; - - error: diff --git a/e7f400a1-CVE-2013-4296.patch b/e7f400a1-CVE-2013-4296.patch deleted file mode 100644 index 5ff4da4..0000000 --- a/e7f400a1-CVE-2013-4296.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -commit e7f400a110e2e3673b96518170bfea0855dd82c0 -Author: Daniel P. Berrange -Date: Tue Sep 3 16:52:06 2013 +0100 - - Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) - - The 'stats' variable was not initialized to NULL, so if some - early validation of the RPC call fails, it is possible to jump - to the 'cleanup' label and VIR_FREE an uninitialized pointer. - This is a security flaw, since the API can be called from a - readonly connection which can trigger the validation checks. - - This was introduced in release v0.9.1 onwards by - - commit 158ba8730e44b7dd07a21ab90499996c5dec080a - Author: Daniel P. Berrange - Date: Wed Apr 13 16:21:35 2011 +0100 - - Merge all returns paths from dispatcher into single path - - Signed-off-by: Daniel P. Berrange - -Index: libvirt-1.1.2/daemon/remote.c -=================================================================== ---- libvirt-1.1.2.orig/daemon/remote.c -+++ libvirt-1.1.2/daemon/remote.c -@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe - remote_domain_memory_stats_ret *ret) - { - virDomainPtr dom = NULL; -- struct _virDomainMemoryStat *stats; -+ struct _virDomainMemoryStat *stats = NULL; - int nr_stats; - size_t i; - int rv = -1; diff --git a/fix-pci-attach-xen-driver.patch b/fix-pci-attach-xen-driver.patch index b010e3b..f2cd6df 100644 --- a/fix-pci-attach-xen-driver.patch +++ b/fix-pci-attach-xen-driver.patch 
@@ -8,11 +8,11 @@ uses the 'device_configure' RPC. This patch changes the xend driver to always call 'device_configure' for PCI devices to be consistent with the usage in the xen tools. -Index: libvirt-1.1.2/src/xen/xend_internal.c +Index: libvirt-1.1.4/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.2.orig/src/xen/xend_internal.c -+++ libvirt-1.1.2/src/xen/xend_internal.c -@@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr +--- libvirt-1.1.4.orig/src/xen/xend_internal.c ++++ libvirt-1.1.4/src/xen/xend_internal.c +@@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; char *target = NULL; @@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); -@@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr +@@ -2305,8 +2306,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr } sexpr = virBufferContentAndReset(&buf); diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index b021306..d5e027c 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/examples/apparmor/Makefile.am +Index: libvirt-1.1.4/examples/apparmor/Makefile.am =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/Makefile.am -+++ libvirt-1.1.2/examples/apparmor/Makefile.am +--- libvirt-1.1.4.orig/examples/apparmor/Makefile.am ++++ libvirt-1.1.4/examples/apparmor/Makefile.am @@ -14,8 +14,45 @@ ## License along with this library. If not, see ## . 
@@ -53,10 +53,10 @@ Index: libvirt-1.1.2/examples/apparmor/Makefile.am + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE + +endif -Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in +Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,41 @@ +# Last Modified: Fri Aug 19 11:21:48 2011 +#include @@ -99,9 +99,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in + /var/lib/kvm/images/ r, + /var/lib/kvm/images/** r, +} -Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper +Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +--- libvirt-1.1.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,38 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 @@ -142,9 +142,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, -} -Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd +Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd +--- libvirt-1.1.4.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,52 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 
@@ -199,10 +199,10 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} -Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in +Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in ++++ libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,60 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include @@ -264,9 +264,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu +Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu =================================================================== ---- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu +--- libvirt-1.1.4.orig/examples/apparmor/libvirt-qemu +++ /dev/null @@ -1,129 +0,0 @@ -# Last Modified: Fri Mar 9 14:43:22 2012 @@ -398,10 +398,10 @@ Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu - - /usr/libexec/qemu-bridge-helper rmix, - } -Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in +Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu.in =================================================================== --- /dev/null -+++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in ++++ libvirt-1.1.4/examples/apparmor/libvirt-qemu.in @@ -0,0 +1,132 @@ +# Last Modified: Fri Mar 9 14:43:22 2012 + diff --git a/libvirt-1.1.2.tar.bz2 b/libvirt-1.1.2.tar.bz2 deleted file mode 100644 index c7e7877..0000000 --- a/libvirt-1.1.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9aa2fd6d2e7737323c846092cb2f8bf95e0b622c570b29ee4060eed634409cf4 -size 18774400 diff --git a/libvirt-1.1.4.tar.bz2 b/libvirt-1.1.4.tar.bz2 new file mode 100644 index 0000000..dd63173 --- /dev/null 
+++ b/libvirt-1.1.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:407a9b7602e86bcec457d95dcf97ff806544850b05b9bab9854dcce76e10c1ae +size 19319071 diff --git a/libvirt-guests-init-script.patch b/libvirt-guests-init-script.patch index 6c8970a..5f81453 100644 --- a/libvirt-guests-init-script.patch +++ b/libvirt-guests-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirt-guests init files to conform to SUSE standards -Index: libvirt-1.1.2/tools/libvirt-guests.init.in +Index: libvirt-1.1.4/tools/libvirt-guests.init.in =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.init.in -+++ libvirt-1.1.2/tools/libvirt-guests.init.in +--- libvirt-1.1.4.orig/tools/libvirt-guests.init.in ++++ libvirt-1.1.4/tools/libvirt-guests.init.in @@ -3,15 +3,15 @@ # the following is the LSB init header # @@ -28,10 +28,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.init.in ### END INIT INFO # the following is chkconfig init header -Index: libvirt-1.1.2/tools/libvirt-guests.sh.in +Index: libvirt-1.1.4/tools/libvirt-guests.sh.in =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in -+++ libvirt-1.1.2/tools/libvirt-guests.sh.in +--- libvirt-1.1.4.orig/tools/libvirt-guests.sh.in ++++ libvirt-1.1.4/tools/libvirt-guests.sh.in @@ -16,14 +16,13 @@ # License along with this library. If not, see # . @@ -189,10 +189,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.sh.in esac -exit $RETVAL +rc_exit -Index: libvirt-1.1.2/tools/libvirt-guests.sysconf +Index: libvirt-1.1.4/tools/libvirt-guests.sysconf =================================================================== ---- libvirt-1.1.2.orig/tools/libvirt-guests.sysconf -+++ libvirt-1.1.2/tools/libvirt-guests.sysconf +--- libvirt-1.1.4.orig/tools/libvirt-guests.sysconf ++++ libvirt-1.1.4/tools/libvirt-guests.sysconf @@ -1,19 +1,29 @@ +## Path: System/Virtualization/libvirt-guests + 
diff --git a/libvirt-suse-netcontrol.patch b/libvirt-suse-netcontrol.patch index cb32f6e..f316295 100644 --- a/libvirt-suse-netcontrol.patch +++ b/libvirt-suse-netcontrol.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/configure.ac +Index: libvirt-1.1.4/configure.ac =================================================================== ---- libvirt-1.1.2.orig/configure.ac -+++ libvirt-1.1.2/configure.ac -@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS +--- libvirt-1.1.4.orig/configure.ac ++++ libvirt-1.1.4/configure.ac +@@ -230,6 +230,7 @@ LIBVIRT_CHECK_DBUS LIBVIRT_CHECK_FUSE LIBVIRT_CHECK_HAL LIBVIRT_CHECK_NETCF @@ -10,7 +10,7 @@ Index: libvirt-1.1.2/configure.ac LIBVIRT_CHECK_NUMACTL LIBVIRT_CHECK_OPENWSMAN LIBVIRT_CHECK_PCIACCESS -@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then +@@ -2375,11 +2376,12 @@ if test "$with_libvirtd" = "no" ; then with_interface=no fi @@ -26,7 +26,7 @@ Index: libvirt-1.1.2/configure.ac esac if test "$with_interface" = "yes" ; then -@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS +@@ -2694,6 +2696,7 @@ LIBVIRT_RESULT_DBUS LIBVIRT_RESULT_FUSE LIBVIRT_RESULT_HAL LIBVIRT_RESULT_NETCF @@ -34,14 +34,14 @@ Index: libvirt-1.1.2/configure.ac LIBVIRT_RESULT_NUMACTL LIBVIRT_RESULT_OPENWSMAN LIBVIRT_RESULT_PCIACCESS -Index: libvirt-1.1.2/src/Makefile.am +Index: libvirt-1.1.4/src/Makefile.am =================================================================== ---- libvirt-1.1.2.orig/src/Makefile.am -+++ libvirt-1.1.2/src/Makefile.am -@@ -754,6 +754,10 @@ if WITH_NETCF +--- libvirt-1.1.4.orig/src/Makefile.am ++++ libvirt-1.1.4/src/Makefile.am +@@ -780,6 +780,10 @@ if WITH_NETCF INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_netcf.c - endif + endif WITH_NETCF +if WITH_NETCONTROL +INTERFACE_DRIVER_SOURCES += \ + interface/interface_backend_netcf.c 
@@ -49,28 +49,27 @@ Index: libvirt-1.1.2/src/Makefile.am if WITH_UDEV INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_udev.c -@@ -1314,11 +1318,16 @@ if WITH_NETCF +@@ -1342,10 +1346,15 @@ if WITH_NETCF libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS) libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS) - else + else ! WITH_NETCF +if WITH_NETCONTROL +libvirt_driver_interface_la_CFLAGS += $(NETCONTROL_CFLAGS) +libvirt_driver_interface_la_LIBADD += $(NETCONTROL_LIBS) -+else ++else ! WITH_NETCONTROL if WITH_UDEV libvirt_driver_interface_la_CFLAGS += $(UDEV_CFLAGS) libvirt_driver_interface_la_LIBADD += $(UDEV_LIBS) - endif - endif -+endif + endif WITH_UDEV ++endif ! WITH_NETCONTROL + endif ! WITH_NETCF if WITH_DRIVER_MODULES libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la - libvirt_driver_interface_la_LDFLAGS += -module -avoid-version -Index: libvirt-1.1.2/tools/virsh.c +Index: libvirt-1.1.4/tools/virsh.c =================================================================== ---- libvirt-1.1.2.orig/tools/virsh.c -+++ libvirt-1.1.2/tools/virsh.c -@@ -2864,6 +2864,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE +--- libvirt-1.1.4.orig/tools/virsh.c ++++ libvirt-1.1.4/tools/virsh.c +@@ -3026,6 +3026,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE vshPrint(ctl, " Interface"); # if defined(WITH_NETCF) vshPrint(ctl, " netcf"); @@ -79,10 +78,10 @@ Index: libvirt-1.1.2/tools/virsh.c # elif defined(WITH_UDEV) vshPrint(ctl, " udev"); # endif -Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c +Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c =================================================================== ---- libvirt-1.1.2.orig/src/interface/interface_backend_netcf.c -+++ libvirt-1.1.2/src/interface/interface_backend_netcf.c +--- libvirt-1.1.4.orig/src/interface/interface_backend_netcf.c ++++ libvirt-1.1.4/src/interface/interface_backend_netcf.c @@ -23,7 +23,12 @@ #include 
@@ -97,9 +96,9 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c #include "virerror.h" #include "datatypes.h" -@@ -54,6 +59,38 @@ static void interfaceDriverUnlock(struct - virMutexUnlock(&driver->lock); - } +@@ -63,6 +68,37 @@ VIR_ONCE_GLOBAL_INIT(virNetcfDriverState + + static virNetcfDriverStatePtr driverState = NULL; +#ifdef WITH_NETCONTROL +static void @@ -132,25 +131,24 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c + virLogMessage(VIR_LOG_FROM_FILE, vp, file, line, func, 0, "%s", msg); +} +#endif -+ - /* - * Get a minimal virInterfaceDef containing enough metadata - * for access control checks to be performed. Currently -@@ -164,6 +201,10 @@ static virDrvOpenStatus netcfInterfaceOp - goto mutex_error; - } + + static void + virNetcfDriverStateDispose(void *obj) +@@ -85,6 +121,10 @@ netcfStateInitialize(bool privileged ATT + if (!(driverState = virObjectLockableNew(virNetcfDriverStateClass))) + return -1; +#ifdef WITH_NETCONTROL + nc_logger_redirect_to(interface_nc_log_driver); +#endif + /* open netcf */ - if (ncf_init(&driverState->netcf, NULL) != 0) - { -Index: libvirt-1.1.2/src/interface/interface_driver.c + if (ncf_init(&driverState->netcf, NULL) != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", +Index: libvirt-1.1.4/src/interface/interface_driver.c =================================================================== ---- libvirt-1.1.2.orig/src/interface/interface_driver.c -+++ libvirt-1.1.2/src/interface/interface_driver.c +--- libvirt-1.1.4.orig/src/interface/interface_driver.c ++++ libvirt-1.1.4/src/interface/interface_driver.c @@ -28,8 +28,15 @@ interfaceRegister(void) { if (netcfIfaceRegister() == 0) return 0; @@ -168,10 +166,10 @@ Index: libvirt-1.1.2/src/interface/interface_driver.c if (udevIfaceRegister() == 0) return 0; #endif /* WITH_UDEV */ -Index: libvirt-1.1.2/m4/virt-netcontrol.m4 +Index: libvirt-1.1.4/m4/virt-netcontrol.m4 =================================================================== 
--- /dev/null -+++ libvirt-1.1.2/m4/virt-netcontrol.m4 ++++ libvirt-1.1.4/m4/virt-netcontrol.m4 @@ -0,0 +1,35 @@ +dnl The libnetcontrol library +dnl diff --git a/libvirt.changes b/libvirt.changes index afe5298..a6b7ead 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Nov 20 10:57:57 MST 2013 - jfehlig@suse.com + +- Update to libvirt 1.1.4 + - Add support for AArch64 architecture + - Various improvements on test code and test driver + - Don't link virt-login-shell against libvirt.so + - Close all non-stdio FDs in virt-login-shell + - Only allow 'stderr' log output when running setuid + - Fix perms for virConnectDomainXML{To,From}Native + - Many incremental improvements and bug fixes, see + http://libvirt.org/news.html + - Drop upstream patches: e7f400a1-CVE-2013-4296.patch, + 2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch, + e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch, + e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch, + 484cc321-fix-spice-migration.patch, + 79552754-libvirtd-chardev-crash.patch, + 57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch, + 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, + 3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch, + 843bdb2f-CVE-2013-4400.patch, + bd773e74-lxc-terminate-machine.patch, + e350826c-python-fix-fd-passing.patch + ------------------------------------------------------------------- Tue Nov 19 14:23:27 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 804a4ab..47d3cfc 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -42,10 +42,10 @@ %define with_lxc 0%{!?_without_lxc:%{server_drivers}} %define with_uml 0%{!?_without_uml:%{server_drivers}} %define with_libxl 0%{!?_without_libxl:%{server_drivers}} +%define with_vbox 0%{!?_without_vbox:%{server_drivers}} # Then the hypervisor drivers that run outside libvirtd, in libvirt.so %define with_openvz 0%{!?_without_openvz:1} -%define with_vbox 0%{!?_without_vbox:1} %define with_vmware 0%{!?_without_vmware:1} %define with_phyp 0%{!?_without_phyp:0} %define with_esx 0%{!?_without_esx:1} @@ -225,7 +225,7 @@ Name: libvirt Url: http://libvirt.org/ -Version: 1.1.2 +Version: 1.1.4 Release: 0 Summary: Library providing a simple virtualization API License: LGPL-2.1+ @@ -337,7 +337,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?suse_version} > 1110 -BuildRequires: polkit >= 0.9 +BuildRequires: polkit-devel >= 0.9 %else BuildRequires: PolicyKit-devel >= 0.6 %endif @@ -400,24 +400,6 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches -Patch0: e7f400a1-CVE-2013-4296.patch -Patch1: 2dba0323-CVE-2013-4297.patch -Patch2: db7a5688-CVE-2013-4311.patch -Patch3: e65667c0-CVE-2013-4311.patch -Patch4: 922b7fda-CVE-2013-4311.patch -Patch5: e4697b92-CVE-2013-4311.patch -Patch6: 8294aa0c-CVE-2013-4399.patch -Patch7: 484cc321-fix-spice-migration.patch -Patch8: 79552754-libvirtd-chardev-crash.patch -Patch9: 57687fd6-CVE-2013-4401.patch -Patch10: ae53e5d1-CVE-2013-4400.patch -Patch11: 8c3586ea-CVE-2013-4400.patch -Patch12: b7fcc799a-CVE-2013-4400.patch -Patch13: 3e2f27e1-CVE-2013-4400.patch -Patch14: 5a0ea4b7-CVE-2013-4400.patch -Patch15: 843bdb2f-CVE-2013-4400.patch -Patch16: bd773e74-lxc-terminate-machine.patch -Patch17: e350826c-python-fix-fd-passing.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch 
@@ -484,16 +466,6 @@ Requires: bridge-utils Requires: iproute Requires: logrotate -%if %{with_network} -Requires: dnsmasq >= 2.41 -Requires: radvd -%endif -%if %{with_network} || %{with_nwfilter} -Requires: iptables -%endif -%if %{with_nwfilter} -Requires: ebtables -%endif %if %{with_udev} Requires: udev >= 145 %endif @@ -504,39 +476,6 @@ Recommends: polkit >= 0.93 Recommends: PolicyKit >= 0.6 %endif %endif -%if %{with_storage_fs} -Requires: nfs-utils -# For mkfs -Requires: util-linux -%endif -%if %{with_qemu} -# From QEMU RPMs -Requires: /usr/bin/qemu-img -# For image compression -Requires: bzip2 -Requires: gzip -Requires: xz -%if 0%{?suse_version} > 1210 -Requires: lzop -%endif -%endif -%if %{with_storage_lvm} -# For LVM drivers -Requires: lvm2 -%endif -%if %{with_storage_iscsi} -# For ISCSI driver -Requires: open-iscsi -%endif -%if %{with_storage_disk} -# For disk driver -Requires: device-mapper -Requires: parted -%endif -%if %{with_storage_mpath} -# For multipath support -Requires: device-mapper -%endif %if %{with_cgconfig} Requires: libcgroup1 %endif @@ -573,7 +512,11 @@ cleaning guest network traffic. %package daemon-driver-network Summary: Network driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ +Requires: dnsmasq >= 2.41 +Requires: iptables +# TODO Requires: iptables-ipv6 Requires: libvirt-daemon = %{version}-%{release} +Requires: radvd %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing @@ -586,6 +529,9 @@ bridge capabilities. %package daemon-driver-nwfilter Summary: A nwfilter driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ +Requires: ebtables +Requires: iptables +# TODO Requires: iptables-ipv6 Requires: libvirt-daemon = %{version}-%{release} %description daemon-driver-nwfilter 
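Review bot: The two `# TODO Requires: iptables-ipv6` comments, added once in daemon-driver-network and again in daemon-driver-nwfilter, record a deferred dependency without saying what is unresolved or what would close it, which is easy to lose in a spec of this size. Replacing each with a comment that names the open question, e.g. `# TODO: decide whether iptables-ipv6 must be required for IPv6 filtering rules`, gives the next maintainer something actionable. Separately, the dnsmasq, radvd, iptables and ebtables requirements dropped from the main package at `@@ -484,16 +466,6 @@` are now reached only through the driver subpackages; that looks right as long as the main package still pulls those subpackages in on every supported build configuration, and the guard on that Requires is outside this hunk, so it is worth confirming rather than assuming.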
@@ -635,6 +581,32 @@ an implementation of the secret key APIs. Summary: Storage driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} +%if %{with_storage_fs} +Requires: nfs-utils +# For mkfs +Requires: util-linux +%endif +%if %{with_qemu} +# From QEMU RPMs +Requires: /usr/bin/qemu-img +%endif +%if %{with_storage_lvm} +# For LVM drivers +Requires: lvm2 +%endif +%if %{with_storage_iscsi} +# For ISCSI driver +Requires: open-iscsi +%endif +%if %{with_storage_disk} +# For disk driver +Requires: device-mapper +Requires: parted +%endif +%if %{with_storage_mpath} +# For multipath support +Requires: device-mapper +%endif %description daemon-driver-storage The storage driver plugin for the libvirtd daemon, providing @@ -649,7 +621,15 @@ Summary: Qemu driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} # There really is a hard cross-driver dependency here +Requires: /usr/bin/qemu-img Requires: libvirt-daemon-driver-network = %{version}-%{release} +# For image compression +Requires: bzip2 +Requires: gzip +Requires: xz +%if 0%{?suse_version} > 1210 +Requires: lzop +%endif %description daemon-driver-qemu The qemu driver plugin for the libvirtd daemon, providing @@ -931,24 +911,6 @@ of recent versions of Linux (and other OSes). %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 %patch100 -p1 %patch101 %patch102 -p1 diff --git a/libvirtd-defaults.patch b/libvirtd-defaults.patch index cf61b17..ad52bcc 100644 --- a/libvirtd-defaults.patch +++ b/libvirtd-defaults.patch 
@@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/daemon/libvirtd.conf +Index: libvirt-1.1.4/daemon/libvirtd.conf =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.conf -+++ libvirt-1.1.2/daemon/libvirtd.conf +--- libvirt-1.1.4.orig/daemon/libvirtd.conf ++++ libvirt-1.1.4/daemon/libvirtd.conf @@ -18,8 +18,8 @@ # It is necessary to setup a CA and issue server certificates before # using this capability. @@ -13,10 +13,10 @@ Index: libvirt-1.1.2/daemon/libvirtd.conf # Listen for unencrypted TCP connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to -Index: libvirt-1.1.2/daemon/libvirtd-config.c +Index: libvirt-1.1.4/daemon/libvirtd-config.c =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd-config.c -+++ libvirt-1.1.2/daemon/libvirtd-config.c +--- libvirt-1.1.4.orig/daemon/libvirtd-config.c ++++ libvirt-1.1.4/daemon/libvirtd-config.c @@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT if (VIR_ALLOC(data) < 0) return NULL; diff --git a/libvirtd-init-script.patch b/libvirtd-init-script.patch index 810fba9..38431b6 100644 --- a/libvirtd-init-script.patch +++ b/libvirtd-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirtd sysconfig file to conform to SUSE standards -Index: libvirt-1.1.2/daemon/libvirtd.sysconf +Index: libvirt-1.1.4/daemon/libvirtd.sysconf =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.sysconf -+++ libvirt-1.1.2/daemon/libvirtd.sysconf +--- libvirt-1.1.4.orig/daemon/libvirtd.sysconf ++++ libvirt-1.1.4/daemon/libvirtd.sysconf @@ -1,16 +1,25 @@ +## Path: System/Virtualization/libvirt + diff --git a/libxl-hvm-nic.patch b/libxl-hvm-nic.patch index 74eb8e3..9b8b9c5 100644 --- a/libxl-hvm-nic.patch +++ b/libxl-hvm-nic.patch 
@@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/libxl/libxl_conf.c +Index: libvirt-1.1.4/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.2.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.2/src/libxl/libxl_conf.c -@@ -846,8 +846,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l +--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c ++++ libvirt-1.1.4/src/libxl/libxl_conf.c +@@ -883,8 +883,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l * x_nics[i].mtu = 1492; */ @@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c virMacAddrGetRaw(&l_nic->mac, x_nic->mac); if (l_nic->model && !STREQ(l_nic->model, "netfront")) { -@@ -892,6 +890,8 @@ libxlMakeNicList(virDomainDefPtr def, l +@@ -929,6 +927,8 @@ libxlMakeNicList(virDomainDefPtr def, l return -1; for (i = 0; i < nnics; i++) { diff --git a/libxl-hvm-vnc.patch b/libxl-hvm-vnc.patch index f6809ff..e4ecc65 100644 --- a/libxl-hvm-vnc.patch +++ b/libxl-hvm-vnc.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/libxl/libxl_conf.c +Index: libvirt-1.1.4/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.2.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.2/src/libxl/libxl_conf.c -@@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de +--- libvirt-1.1.4.orig/src/libxl/libxl_conf.c ++++ libvirt-1.1.4/src/libxl/libxl_conf.c +@@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de } static int @@ -33,7 +33,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config) { virDomainDefPtr def = vm->def; -@@ -1025,6 +1049,9 @@ libxlBuildDomainConfig(libxlDriverPrivat +@@ -1176,6 +1200,9 @@ libxlBuildDomainConfig(libxlDriverPrivat if (libxlMakeVfbList(driver, def, d_config) < 0) return -1; diff --git a/support-managed-pci-xen-driver.patch b/support-managed-pci-xen-driver.patch index fd1ebe4..e190634 100644 --- a/support-managed-pci-xen-driver.patch 
+++ b/support-managed-pci-xen-driver.patch @@ -8,11 +8,11 @@ Subject: [PATCH] support managed pci devices in xen driver src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 15 deletions(-) -Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c +Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c -@@ -993,6 +993,7 @@ xenParseSxprPCI(virDomainDefPtr def, +--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +@@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def, int busID; int slotID; int funcID; @@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c node = cur->u.s.car; if (!sexpr_lookup(node, "dev")) -@@ -1040,11 +1041,13 @@ xenParseSxprPCI(virDomainDefPtr def, +@@ -1043,11 +1044,13 @@ xenParseSxprPCI(virDomainDefPtr def, goto error; } @@ -35,7 +35,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; dev->source.subsys.u.pci.addr.domain = domainID; dev->source.subsys.u.pci.addr.bus = busID; -@@ -1990,11 +1993,15 @@ static void +@@ -1991,11 +1994,15 @@ static void xenFormatSxprPCI(virDomainHostdevDefPtr def, virBufferPtr buf) { @@ -52,7 +52,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c } -@@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP +@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP virBufferPtr buf, int detach) { @@ -65,7 +65,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c virBufferAddLit(buf, "(pci "); xenFormatSxprPCI(def, buf); if (detach) -@@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, +@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, for (i = 0; i < def->nhostdevs; i++) { if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { 
@@ -78,10 +78,10 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c xenFormatSxprPCI(def->hostdevs[i], buf); } } -Index: libvirt-1.1.2/src/xenxs/xen_xm.c +Index: libvirt-1.1.4/src/xenxs/xen_xm.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_xm.c -+++ libvirt-1.1.2/src/xenxs/xen_xm.c +--- libvirt-1.1.4.orig/src/xenxs/xen_xm.c ++++ libvirt-1.1.4/src/xenxs/xen_xm.c @@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf int busID; int slotID; diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch index d2f5ac9..c8bf9f4 100644 --- a/suse-qemu-conf.patch +++ b/suse-qemu-conf.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/qemu/qemu.conf +Index: libvirt-1.1.4/src/qemu/qemu.conf =================================================================== ---- libvirt-1.1.2.orig/src/qemu/qemu.conf -+++ libvirt-1.1.2/src/qemu/qemu.conf -@@ -175,7 +175,16 @@ +--- libvirt-1.1.4.orig/src/qemu/qemu.conf ++++ libvirt-1.1.4/src/qemu/qemu.conf +@@ -200,7 +200,16 @@ # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. # @@ -19,7 +19,7 @@ Index: libvirt-1.1.2/src/qemu/qemu.conf # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -@@ -371,6 +380,15 @@ +@@ -402,6 +411,15 @@ #allow_disk_format_probing = 1 diff --git a/systemd-service-xen.patch b/systemd-service-xen.patch index 4319f9d..1bfa0e5 100644 --- a/systemd-service-xen.patch +++ b/systemd-service-xen.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.2/daemon/libvirtd.service.in +Index: libvirt-1.1.4/daemon/libvirtd.service.in =================================================================== ---- libvirt-1.1.2.orig/daemon/libvirtd.service.in -+++ libvirt-1.1.2/daemon/libvirtd.service.in +--- libvirt-1.1.4.orig/daemon/libvirtd.service.in ++++ libvirt-1.1.4/daemon/libvirtd.service.in 
@@ -9,6 +9,8 @@ Before=libvirt-guests.service After=network.target After=dbus.service diff --git a/virtlockd-init-script.patch b/virtlockd-init-script.patch index 356e3a9..bbf1051 100644 --- a/virtlockd-init-script.patch +++ b/virtlockd-init-script.patch @@ -1,9 +1,9 @@ Adjust virtlockd init files to conform to SUSE standards -Index: libvirt-1.1.2/src/locking/virtlockd.sysconf +Index: libvirt-1.1.4/src/locking/virtlockd.sysconf =================================================================== ---- libvirt-1.1.2.orig/src/locking/virtlockd.sysconf -+++ libvirt-1.1.2/src/locking/virtlockd.sysconf +--- libvirt-1.1.4.orig/src/locking/virtlockd.sysconf ++++ libvirt-1.1.4/src/locking/virtlockd.sysconf @@ -1,3 +1,7 @@ +## Path: System/Virtualization/virtlockd + @@ -12,10 +12,10 @@ Index: libvirt-1.1.2/src/locking/virtlockd.sysconf # # Pass extra arguments to virtlockd #VIRTLOCKD_ARGS= -Index: libvirt-1.1.2/src/locking/virtlockd.init.in +Index: libvirt-1.1.4/src/locking/virtlockd.init.in =================================================================== ---- libvirt-1.1.2.orig/src/locking/virtlockd.init.in -+++ libvirt-1.1.2/src/locking/virtlockd.init.in +--- libvirt-1.1.4.orig/src/locking/virtlockd.init.in ++++ libvirt-1.1.4/src/locking/virtlockd.init.in @@ -4,11 +4,13 @@ # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV # diff --git a/xen-name-for-devid.patch b/xen-name-for-devid.patch index fd635ee..3390495 100644 --- a/xen-name-for-devid.patch +++ b/xen-name-for-devid.patch @@ -14,10 +14,10 @@ is inactive. We obviously can't search xenstore when the domain is inactive. -Index: libvirt-1.1.2/src/xen/xend_internal.c +Index: libvirt-1.1.4/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.2.orig/src/xen/xend_internal.c -+++ libvirt-1.1.2/src/xen/xend_internal.c +--- libvirt-1.1.4.orig/src/xen/xend_internal.c ++++ libvirt-1.1.4/src/xen/xend_internal.c 
@@ -70,7 +70,7 @@ #define XEND_RCV_BUF_MAX_LEN (256 * 1024) @@ -27,7 +27,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c virDomainDeviceDefPtr dev, char *class, char *ref, int ref_len); -@@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c +@@ -3316,18 +3316,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c * Returns 0 in case of success, -1 in case of failure. */ static int @@ -50,7 +50,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c if (dev->data.disk->driverName && STREQ(dev->data.disk->driverName, "tap")) strcpy(class, "tap"); -@@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3337,19 +3337,17 @@ virDomainXMLDevID(virConnectPtr conn, else strcpy(class, "vbd"); @@ -81,7 +81,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c } else if (dev->type == VIR_DOMAIN_DEVICE_NET) { char mac[VIR_MAC_STRING_BUFLEN]; virDomainNetDefPtr netdef = dev->data.net; -@@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3357,16 +3355,22 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "vif"); @@ -114,7 +114,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { -@@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3382,17 +3386,44 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "pci"); diff --git a/xen-pv-cdrom.patch b/xen-pv-cdrom.patch index 78cd3ac..d552804 100644 --- a/xen-pv-cdrom.patch +++ b/xen-pv-cdrom.patch 
@@ -1,8 +1,8 @@ -Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c +Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c -@@ -327,7 +327,7 @@ error: +--- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +@@ -330,7 +330,7 @@ error: static int xenParseSxprDisks(virDomainDefPtr def, const struct sexpr *root, @@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c int xendConfigVersion) { const struct sexpr *cur, *node; -@@ -378,7 +378,6 @@ xenParseSxprDisks(virDomainDefPtr def, +@@ -381,7 +381,6 @@ xenParseSxprDisks(virDomainDefPtr def, /* There is a case without the uname to the CD-ROM device */ offset = strchr(dst, ':'); if (!offset || From c521110742d5a18f90199925158d0c1d5d936041f786ce44ef9f9286b1719df0 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Tue, 26 Nov 2013 21:52:18 +0000 Subject: [PATCH 04/14] - Allow execution of libvirt hook scripts in /etc/libvirt/hooks/ in libvirtd AppArmor profile OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=330 --- install-apparmor-profiles.patch | 3 ++- libvirt.changes | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index d5e027c..0d70823 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -203,7 +203,7 @@ Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null +++ libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in -@@ -0,0 +1,60 @@ +@@ -0,0 +1,61 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include +@{LIBVIRT}="libvirt" 
@@ -255,6 +255,7 @@ Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, ++ /etc/libvirt/hooks/* rix, + /etc/xen/scripts/* rix, + @libdir@/libvirt/* Pxr, + @libdir@/libvirt/libvirt_parthelper Ux, diff --git a/libvirt.changes b/libvirt.changes index a6b7ead..b12675d 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 26 14:51:44 MST 2013 - jfehlig@suse.com + +- Allow execution of libvirt hook scripts in /etc/libvirt/hooks/ + in libvirtd AppArmor profile + ------------------------------------------------------------------- Wed Nov 20 10:57:57 MST 2013 - jfehlig@suse.com From 9521d830204807802969f070b251e9e856cfdd2308a847181b50f3afb90c1bec Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Wed, 27 Nov 2013 03:04:08 +0000 Subject: [PATCH 05/14] - Fix starting of libvirtd when NetworkManager is enabled Modified libvirt-suse-netcontrol.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=331 --- libvirt-suse-netcontrol.patch | 24 ++++++++++++++++++++++-- libvirt.changes | 6 ++++++ 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/libvirt-suse-netcontrol.patch b/libvirt-suse-netcontrol.patch index f316295..9998960 100644 --- a/libvirt-suse-netcontrol.patch +++ b/libvirt-suse-netcontrol.patch 
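Review bot: The new `++ /etc/libvirt/hooks/* rix,` rule runs hook scripts under libvirtd's own confinement (`ix`), so a hook and every program it in turn executes are limited to exactly the permissions this profile grants — the same model the neighbouring `/etc/xen/scripts/* rix,` line already uses. That is a sensible choice for admin-owned scripts, but it is not obvious from the rule; a comment such as `# hook scripts inherit this profile; anything they exec must also be allowed here` would spare the next editor from debugging denials raised inside a hook. Note also that `*` does not match `/`, so hooks placed in subdirectories of /etc/libvirt/hooks/ are not covered — fine if intentional, but worth stating.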
@@ -134,17 +134,37 @@ Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c static void virNetcfDriverStateDispose(void *obj) -@@ -85,6 +121,10 @@ netcfStateInitialize(bool privileged ATT +@@ -85,7 +121,22 @@ netcfStateInitialize(bool privileged ATT if (!(driverState = virObjectLockableNew(virNetcfDriverStateClass))) return -1; +#ifdef WITH_NETCONTROL + nc_logger_redirect_to(interface_nc_log_driver); -+#endif + /* open netcf */ ++ /* Note: On SUSE, ncf_init will fail if Network Manager is enabled. Ignore ++ * the failure so libvirtd will still start. Connections to the driver will ++ * fail in netcfInterfaceOpen. This restores the behavior before ++ * commit 822fe136. ++ */ ++ if (ncf_init(&driverState->netcf, NULL) != 0) { ++ VIR_WARN("Failed to initialize netcontrol. Continuing with network " ++ "interface management features disabled"); ++ virObjectUnref(driverState); ++ driverState = NULL; ++ } ++#else if (ncf_init(&driverState->netcf, NULL) != 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("failed to initialize netcf")); +@@ -93,6 +144,7 @@ netcfStateInitialize(bool privileged ATT + driverState = NULL; + return -1; + } ++#endif + return 0; + } + Index: libvirt-1.1.4/src/interface/interface_driver.c =================================================================== --- libvirt-1.1.4.orig/src/interface/interface_driver.c diff --git a/libvirt.changes b/libvirt.changes index b12675d..b81d87c 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 26 20:02:48 MST 2013 - jfehlig@suse.com + +- Fix starting of libvirtd when NetworkManager is enabled + Modified libvirt-suse-netcontrol.patch + ------------------------------------------------------------------- Tue Nov 26 14:51:44 MST 2013 - jfehlig@suse.com From e48979ae7d25786423171e4c83017c27e81454050c87acc6bd5642927349d035 Mon Sep 17 00:00:00 2001 
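Review bot: Under WITH_NETCONTROL the function now returns 0 while leaving `driverState` NULL, so every other entry point in this file that dereferences `driverState` must tolerate that; the hunk's comment covers netcfInterfaceOpen, but the state cleanup and reload paths are outside this hunk and I cannot see a guard there — worth checking, and documenting with a one-line comment at the `driverState` definition that NULL means the netcf backend is unavailable. Separately, `ncf_init()` is now called in both arms of the `#ifdef`, which invites the two builds to drift; calling it once and putting only the failure handling under the macro keeps a single code path, as sketched below. The start of netcfStateInitialize is outside the hunk.
```c
    if (ncf_init(&driverState->netcf, NULL) != 0) {
#ifdef WITH_NETCONTROL
        /* On SUSE ncf_init fails when NetworkManager is active; keep libvirtd
         * running with interface management disabled (connections are refused
         * in netcfInterfaceOpen). */
        VIR_WARN("Failed to initialize netcontrol. Continuing with network "
                 "interface management features disabled");
        virObjectUnref(driverState);
        driverState = NULL;
        return 0;
#else
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("failed to initialize netcf"));
        /* … unchanged: error cleanup, driverState = NULL, return -1 … */
#endif
    }
    return 0;
```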
From: James Fehlig Date: Wed, 4 Dec 2013 17:44:31 +0000 Subject: [PATCH 06/14] - Add '/etc/sasl2' to libvirt-client file list to fix Factory build OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=332 --- libvirt.changes | 5 +++++ libvirt.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/libvirt.changes b/libvirt.changes index b81d87c..7915ef3 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Dec 4 10:43:28 MST 2013 - jfehlig@suse.com + +- Add '/etc/sasl2' to libvirt-client file list to fix Factory build + ------------------------------------------------------------------- Tue Nov 26 20:02:48 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 47d3cfc..5ac4ebf 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -1603,6 +1603,7 @@ fi %{_datadir}/libvirt/cpu_map.xml %{_datadir}/libvirt/libvirtLogo.png %if %{with_sasl} +%dir %{_sysconfdir}/sasl2/ %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf %endif From 68aa91d2e570b7261fd136adc8ef0639988925137296d85d1da70845252faec5 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Wed, 4 Dec 2013 21:31:09 +0000 Subject: [PATCH 07/14] - Link with same versions of libnl used by netcontrol to prevent crashing libvirtd on start OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=333 --- libvirt.changes | 6 ++++++ libvirt.spec | 10 +++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index 7915ef3..681767d 100644 --- a/libvirt.changes +++ b/libvirt.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Dec 4 14:28:14 MST 2013 - jfehlig@suse.com + +- Link with same versions of libnl used by netcontrol to prevent + crashing libvirtd on start + ------------------------------------------------------------------- Wed Dec 4 10:43:28 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 5ac4ebf..8a8d119 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -308,10 +308,14 @@ BuildRequires: sanlock-devel >= 2.4 BuildRequires: libpcap-devel %endif %if %{with_libnl} -%if 0%{?suse_version} < 1210 -BuildRequires: libnl-devel -%else +%if 0%{?suse_version} >= 1310 BuildRequires: libnl3-devel +%else +%if 0%{?suse_version} >= 1210 +BuildRequires: libnl-1_1-devel +%else +BuildRequires: libnl-devel +%endif %endif %endif %if %{with_avahi} From bfc56c341321bfe54f43ad4beb8e291a1eae78a0d9eba1d41ddcde3a3c854ac5 Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Fri, 6 Dec 2013 18:39:18 +0000 Subject: [PATCH 08/14] - Update to libvirt 1.2.0 - Add support for gluster pool - Separation of python binding - vbox: add support for 4.3 APIs - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Updated and renamed clone.patch to ia64-clone.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=334 --- fix-pci-attach-xen-driver.patch | 6 +-- clone.patch => ia64-clone.patch | 52 ++++++++------------- install-apparmor-profiles.patch | 30 ++++++------ libvirt-1.1.4.tar.bz2 | 3 -- libvirt-1.2.0.tar.bz2 | 3 ++ libvirt-guests-init-script.patch | 18 ++++---- libvirt-suse-netcontrol.patch | 50 ++++++++++---------- libvirt.changes | 11 +++++ libvirt.spec | 68 ++++++++++------------------ libvirtd-defaults.patch | 12 ++--- libvirtd-init-script.patch | 6 +-- libxl-hvm-nic.patch | 10 ++-- libxl-hvm-vnc.patch | 8 ++-- support-managed-pci-xen-driver.patch | 12 ++--- suse-qemu-conf.patch | 6 +-- systemd-service-xen.patch | 6 +-- virtlockd-init-script.patch | 12 ++--- xen-name-for-devid.patch | 6 +-- xen-pv-cdrom.patch | 6 +-- 19 files changed, 152 insertions(+), 173 deletions(-) rename clone.patch => ia64-clone.patch (51%) delete mode 100644 libvirt-1.1.4.tar.bz2 create mode 100644 libvirt-1.2.0.tar.bz2 diff --git a/fix-pci-attach-xen-driver.patch b/fix-pci-attach-xen-driver.patch index f2cd6df..bb2c39a 100644 --- a/fix-pci-attach-xen-driver.patch +++ b/fix-pci-attach-xen-driver.patch 
@@ -8,10 +8,10 @@ uses the 'device_configure' RPC. This patch changes the xend driver to always call 'device_configure' for PCI devices to be consistent with the usage in the xen tools. -Index: libvirt-1.1.4/src/xen/xend_internal.c +Index: libvirt-1.2.0/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.4.orig/src/xen/xend_internal.c -+++ libvirt-1.1.4/src/xen/xend_internal.c +--- libvirt-1.2.0.orig/src/xen/xend_internal.c ++++ libvirt-1.2.0/src/xen/xend_internal.c @@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; diff --git a/clone.patch b/ia64-clone.patch similarity index 51% rename from clone.patch rename to ia64-clone.patch index 4e01402..d846172 100644 --- a/clone.patch +++ b/ia64-clone.patch @@ -1,28 +1,18 @@ -Index: src/lxc/lxc_container.c +Index: libvirt-1.2.0/src/lxc/lxc_container.c =================================================================== ---- src/lxc/lxc_container.c.orig -+++ src/lxc/lxc_container.c -@@ -144,6 +144,7 @@ int lxcContainerHasReboot(void) - int cmd, v; - int status; - char *tmp; -+ int stacksize = getpagesize() * 4; - - if (virFileReadAll("/proc/sys/kernel/ctrl-alt-del", 10, &buf) < 0) - return -1; -@@ -160,12 +161,19 @@ int lxcContainerHasReboot(void) +--- libvirt-1.2.0.orig/src/lxc/lxc_container.c ++++ libvirt-1.2.0/src/lxc/lxc_container.c +@@ -162,12 +162,19 @@ int lxcContainerHasReboot(void) VIR_FREE(buf); cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF; -- if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0) +#ifdef __ia64__ + stacksize *= 2; +#endif -+ if (VIR_ALLOC_N(stack, stacksize) < 0) + if (VIR_ALLOC_N(stack, stacksize) < 0) return -1; -- childStack = stack + (getpagesize() * 4); -+ childStack = stack + stacksize; + childStack = stack + stacksize; +#ifdef __ia64__ + cpid = __clone2(lxcContainerRebootChild, childStack, stacksize, flags, &cmd); 
@@ -32,7 +22,17 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); if (cpid < 0) { virReportSystemError(errno, "%s", -@@ -2034,7 +2042,11 @@ int lxcContainerStart(virDomainDefPtr de +@@ -1985,6 +1992,9 @@ int lxcContainerStart(virDomainDefPtr de + .handshakefd = handshakefd + }; + ++#ifdef __ia64__ ++ stacksize *= 2; ++#endif + /* allocate a stack for the container */ + if (VIR_ALLOC_N(stack, stacksize) < 0) + return -1; +@@ -2010,7 +2020,11 @@ int lxcContainerStart(virDomainDefPtr de cflags |= CLONE_NEWNET; } @@ -44,29 +44,17 @@ Index: src/lxc/lxc_container.c VIR_FREE(stack); VIR_DEBUG("clone() completed, new container PID is %d", pid); -@@ -2060,6 +2072,7 @@ int lxcContainerAvailable(int features) - int cpid; - char *childStack; - char *stack; -+ int stacksize = getpagesize() * 4; - - if (features & LXC_CONTAINER_FEATURE_USER) - flags |= CLONE_NEWUSER; -@@ -2067,14 +2080,21 @@ int lxcContainerAvailable(int features) +@@ -2044,12 +2058,19 @@ int lxcContainerAvailable(int features) if (features & LXC_CONTAINER_FEATURE_NET) flags |= CLONE_NEWNET; -- if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0) { +#ifdef __ia64__ + stacksize *= 2; +#endif -+ if (VIR_ALLOC_N(stack, stacksize) < 0) { - VIR_DEBUG("Unable to allocate stack"); + if (VIR_ALLOC_N(stack, stacksize) < 0) return -1; - } -- childStack = stack + (getpagesize() * 4); -+ childStack = stack + stacksize; + childStack = stack + stacksize; +#ifdef __ia64__ + cpid = __clone2(lxcContainerDummyChild, childStack, stacksize, flags, NULL); diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index 0d70823..a63df1f 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch 
@@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/examples/apparmor/Makefile.am +Index: libvirt-1.2.0/examples/apparmor/Makefile.am =================================================================== ---- libvirt-1.1.4.orig/examples/apparmor/Makefile.am -+++ libvirt-1.1.4/examples/apparmor/Makefile.am +--- libvirt-1.2.0.orig/examples/apparmor/Makefile.am ++++ libvirt-1.2.0/examples/apparmor/Makefile.am @@ -14,8 +14,45 @@ ## License along with this library. If not, see ## . @@ -53,10 +53,10 @@ Index: libvirt-1.1.4/examples/apparmor/Makefile.am + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE + +endif -Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in +Index: libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null -+++ libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,41 @@ +# Last Modified: Fri Aug 19 11:21:48 2011 +#include @@ -99,9 +99,9 @@ Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in + /var/lib/kvm/images/ r, + /var/lib/kvm/images/** r, +} -Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper +Index: libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== ---- libvirt-1.1.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +--- libvirt-1.2.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,38 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 
@@ -142,9 +142,9 @@ Index: libvirt-1.1.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, -} -Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd +Index: libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd =================================================================== ---- libvirt-1.1.4.orig/examples/apparmor/usr.sbin.libvirtd +--- libvirt-1.2.0.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,52 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 @@ -199,10 +199,10 @@ Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} -Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in +Index: libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null -+++ libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in ++++ libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,61 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include @@ -265,9 +265,9 @@ Index: libvirt-1.1.4/examples/apparmor/usr.sbin.libvirtd.in + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu +Index: libvirt-1.2.0/examples/apparmor/libvirt-qemu =================================================================== ---- libvirt-1.1.4.orig/examples/apparmor/libvirt-qemu +--- libvirt-1.2.0.orig/examples/apparmor/libvirt-qemu +++ /dev/null @@ -1,129 +0,0 @@ -# Last Modified: Fri Mar 9 14:43:22 2012 @@ -399,10 +399,10 @@ Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu - - /usr/libexec/qemu-bridge-helper rmix, - } -Index: libvirt-1.1.4/examples/apparmor/libvirt-qemu.in +Index: libvirt-1.2.0/examples/apparmor/libvirt-qemu.in =================================================================== 
--- /dev/null -+++ libvirt-1.1.4/examples/apparmor/libvirt-qemu.in ++++ libvirt-1.2.0/examples/apparmor/libvirt-qemu.in @@ -0,0 +1,132 @@ +# Last Modified: Fri Mar 9 14:43:22 2012 + diff --git a/libvirt-1.1.4.tar.bz2 b/libvirt-1.1.4.tar.bz2 deleted file mode 100644 index dd63173..0000000 --- a/libvirt-1.1.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:407a9b7602e86bcec457d95dcf97ff806544850b05b9bab9854dcce76e10c1ae -size 19319071 diff --git a/libvirt-1.2.0.tar.bz2 b/libvirt-1.2.0.tar.bz2 new file mode 100644 index 0000000..7bcf571 --- /dev/null +++ b/libvirt-1.2.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fbfe494beed93925f3f74ecc51775299218127ce9b6f747852701afa120b7eda +size 19390046 diff --git a/libvirt-guests-init-script.patch b/libvirt-guests-init-script.patch index 5f81453..c64b46a 100644 --- a/libvirt-guests-init-script.patch +++ b/libvirt-guests-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirt-guests init files to conform to SUSE standards -Index: libvirt-1.1.4/tools/libvirt-guests.init.in +Index: libvirt-1.2.0/tools/libvirt-guests.init.in =================================================================== ---- libvirt-1.1.4.orig/tools/libvirt-guests.init.in -+++ libvirt-1.1.4/tools/libvirt-guests.init.in +--- libvirt-1.2.0.orig/tools/libvirt-guests.init.in ++++ libvirt-1.2.0/tools/libvirt-guests.init.in @@ -3,15 +3,15 @@ # the following is the LSB init header # @@ -28,10 +28,10 @@ Index: libvirt-1.1.4/tools/libvirt-guests.init.in ### END INIT INFO # the following is chkconfig init header -Index: libvirt-1.1.4/tools/libvirt-guests.sh.in +Index: libvirt-1.2.0/tools/libvirt-guests.sh.in =================================================================== ---- libvirt-1.1.4.orig/tools/libvirt-guests.sh.in -+++ libvirt-1.1.4/tools/libvirt-guests.sh.in +--- libvirt-1.2.0.orig/tools/libvirt-guests.sh.in ++++ libvirt-1.2.0/tools/libvirt-guests.sh.in 
@@ -16,14 +16,13 @@ # License along with this library. If not, see # . @@ -189,10 +189,10 @@ Index: libvirt-1.1.4/tools/libvirt-guests.sh.in esac -exit $RETVAL +rc_exit -Index: libvirt-1.1.4/tools/libvirt-guests.sysconf +Index: libvirt-1.2.0/tools/libvirt-guests.sysconf =================================================================== ---- libvirt-1.1.4.orig/tools/libvirt-guests.sysconf -+++ libvirt-1.1.4/tools/libvirt-guests.sysconf +--- libvirt-1.2.0.orig/tools/libvirt-guests.sysconf ++++ libvirt-1.2.0/tools/libvirt-guests.sysconf @@ -1,19 +1,29 @@ +## Path: System/Virtualization/libvirt-guests + diff --git a/libvirt-suse-netcontrol.patch b/libvirt-suse-netcontrol.patch index 9998960..855c830 100644 --- a/libvirt-suse-netcontrol.patch +++ b/libvirt-suse-netcontrol.patch @@ -1,16 +1,16 @@ -Index: libvirt-1.1.4/configure.ac +Index: libvirt-1.2.0/configure.ac =================================================================== ---- libvirt-1.1.4.orig/configure.ac -+++ libvirt-1.1.4/configure.ac -@@ -230,6 +230,7 @@ LIBVIRT_CHECK_DBUS - LIBVIRT_CHECK_FUSE +--- libvirt-1.2.0.orig/configure.ac ++++ libvirt-1.2.0/configure.ac +@@ -231,6 +231,7 @@ LIBVIRT_CHECK_FUSE + LIBVIRT_CHECK_GLUSTER LIBVIRT_CHECK_HAL LIBVIRT_CHECK_NETCF +LIBVIRT_CHECK_NETCONTROL LIBVIRT_CHECK_NUMACTL LIBVIRT_CHECK_OPENWSMAN LIBVIRT_CHECK_PCIACCESS -@@ -2375,11 +2376,12 @@ if test "$with_libvirtd" = "no" ; then +@@ -2312,11 +2313,12 @@ if test "$with_libvirtd" = "no" ; then with_interface=no fi 
@@ -26,19 +26,19 @@ Index: libvirt-1.1.4/configure.ac esac if test "$with_interface" = "yes" ; then -@@ -2694,6 +2696,7 @@ LIBVIRT_RESULT_DBUS - LIBVIRT_RESULT_FUSE +@@ -2631,6 +2633,7 @@ LIBVIRT_RESULT_FUSE + LIBVIRT_RESULT_GLUSTER LIBVIRT_RESULT_HAL LIBVIRT_RESULT_NETCF +LIBVIRT_RESULT_NETCONTROL LIBVIRT_RESULT_NUMACTL LIBVIRT_RESULT_OPENWSMAN LIBVIRT_RESULT_PCIACCESS -Index: libvirt-1.1.4/src/Makefile.am +Index: libvirt-1.2.0/src/Makefile.am =================================================================== ---- libvirt-1.1.4.orig/src/Makefile.am -+++ libvirt-1.1.4/src/Makefile.am -@@ -780,6 +780,10 @@ if WITH_NETCF +--- libvirt-1.2.0.orig/src/Makefile.am ++++ libvirt-1.2.0/src/Makefile.am +@@ -781,6 +781,10 @@ if WITH_NETCF INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_netcf.c endif WITH_NETCF @@ -49,7 +49,7 @@ Index: libvirt-1.1.4/src/Makefile.am if WITH_UDEV INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_udev.c -@@ -1342,10 +1346,15 @@ if WITH_NETCF +@@ -1346,10 +1350,15 @@ if WITH_NETCF libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS) libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS) else ! WITH_NETCF @@ -65,11 +65,11 @@ Index: libvirt-1.1.4/src/Makefile.am endif ! WITH_NETCF if WITH_DRIVER_MODULES libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la -Index: libvirt-1.1.4/tools/virsh.c +Index: libvirt-1.2.0/tools/virsh.c =================================================================== ---- libvirt-1.1.4.orig/tools/virsh.c -+++ libvirt-1.1.4/tools/virsh.c -@@ -3026,6 +3026,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE +--- libvirt-1.2.0.orig/tools/virsh.c ++++ libvirt-1.2.0/tools/virsh.c +@@ -3029,6 +3029,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE vshPrint(ctl, " Interface"); # if defined(WITH_NETCF) vshPrint(ctl, " netcf"); 
@@ -78,10 +78,10 @@ Index: libvirt-1.1.4/tools/virsh.c # elif defined(WITH_UDEV) vshPrint(ctl, " udev"); # endif -Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c +Index: libvirt-1.2.0/src/interface/interface_backend_netcf.c =================================================================== ---- libvirt-1.1.4.orig/src/interface/interface_backend_netcf.c -+++ libvirt-1.1.4/src/interface/interface_backend_netcf.c +--- libvirt-1.2.0.orig/src/interface/interface_backend_netcf.c ++++ libvirt-1.2.0/src/interface/interface_backend_netcf.c @@ -23,7 +23,12 @@ #include @@ -165,10 +165,10 @@ Index: libvirt-1.1.4/src/interface/interface_backend_netcf.c return 0; } -Index: libvirt-1.1.4/src/interface/interface_driver.c +Index: libvirt-1.2.0/src/interface/interface_driver.c =================================================================== ---- libvirt-1.1.4.orig/src/interface/interface_driver.c -+++ libvirt-1.1.4/src/interface/interface_driver.c +--- libvirt-1.2.0.orig/src/interface/interface_driver.c ++++ libvirt-1.2.0/src/interface/interface_driver.c @@ -28,8 +28,15 @@ interfaceRegister(void) { if (netcfIfaceRegister() == 0) return 0; @@ -186,10 +186,10 @@ Index: libvirt-1.1.4/src/interface/interface_driver.c if (udevIfaceRegister() == 0) return 0; #endif /* WITH_UDEV */ -Index: libvirt-1.1.4/m4/virt-netcontrol.m4 +Index: libvirt-1.2.0/m4/virt-netcontrol.m4 =================================================================== --- /dev/null -+++ libvirt-1.1.4/m4/virt-netcontrol.m4 ++++ libvirt-1.2.0/m4/virt-netcontrol.m4 @@ -0,0 +1,35 @@ +dnl The libnetcontrol library +dnl diff --git a/libvirt.changes b/libvirt.changes index 681767d..5df79cf 100644 --- a/libvirt.changes +++ b/libvirt.changes 
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Dec 6 11:03:54 MST 2013 - jfehlig@suse.com + +- Update to libvirt 1.2.0 + - Add support for gluster pool + - Separation of python binding + - vbox: add support for 4.3 APIs + - Many incremental improvements and bug fixes, see + http://libvirt.org/news.html + - Updated and renamed clone.patch to ia64-clone.patch + ------------------------------------------------------------------- Wed Dec 4 14:28:14 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 8a8d119..67ffe72 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -63,6 +63,7 @@ %define with_storage_mpath 0%{!?_without_storage_mpath:%{server_drivers}} %define with_storage_rbd 0 %define with_storage_sheepdog 0 +%define with_storage_gluster 0 %define with_numactl 0%{!?_without_numactl:%{server_drivers}} %define with_selinux 0%{!?_without_selinux:%{server_drivers}} %define with_apparmor 0%{!?_without_apparmor:%{server_drivers}} @@ -91,7 +92,6 @@ %define with_libssh2 0%{!?_without_libssh2:0} # Non-server/HV driver defaults which are always enabled -%define with_python 0%{!?_without_python:1} %define with_sasl 0%{!?_without_sasl:1} # Set the OS / architecture specific special cases @@ -182,6 +182,7 @@ %define with_storage_mpath 0 %define with_storage_rbd 0 %define with_storage_sheepdog 0 +%define with_storage_gluster 0 %define with_storage_disk 0 %endif @@ -191,6 +192,13 @@ %define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}} %define with_libpcap 0%{!?_without_libpcap:%{server_drivers}} %define with_macvtap 0%{!?_without_macvtap:%{server_drivers}} +# numad is used to manage the CPU and memory placement dynamically. +# It is only available on x86, and openSUSE >= 13.1 +%if 0%{?suse_version} >= 1310 +%ifarch i386 i586 i686 x86_64 +%define with_numad 0%{!?_without_numad:%{server_drivers}} +%endif +%endif # Force QEMU to run as qemu:qemu %define qemu_user qemu %define qemu_group qemu 
@@ -225,7 +233,7 @@ Name: libvirt Url: http://libvirt.org/ -Version: 1.1.4 +Version: 1.2.0 Release: 0 Summary: Library providing a simple virtualization API License: LGPL-2.1+ @@ -286,7 +294,7 @@ BuildRequires: libtasn1-devel BuildRequires: libxml2-devel BuildRequires: libxslt BuildRequires: ncurses-devel -BuildRequires: python-devel +BuildRequires: python BuildRequires: python-xml BuildRequires: readline-devel BuildRequires: xhtml-dtd @@ -398,6 +406,9 @@ BuildRequires: audit-devel # we need /usr/sbin/dtrace BuildRequires: systemtap-sdt-devel %endif +%if %{with_numad} +BuildRequires: numad +%endif Source0: %{name}-%{version}.tar.bz2 Source1: libvirtd.init @@ -406,7 +417,7 @@ Source99: baselibs.conf # Upstream patches # Need to go upstream Patch100: xen-name-for-devid.patch -Patch101: clone.patch +Patch101: ia64-clone.patch Patch102: xen-pv-cdrom.patch Patch103: libxl-hvm-vnc.patch Patch104: libxl-hvm-nic.patch @@ -491,6 +502,9 @@ Requires: dmidecode # For service management %{?systemd_requires} %endif +%if %{with_numad} +Requires: numad +%endif %description daemon Server side daemon required to manage the virtualization capabilities @@ -898,25 +912,10 @@ connect a user to an LXC container when they login, by switching namespaces. %endif -%if %{with_python} - -%package python -Summary: Python bindings for the libvirt library -Group: Development/Libraries/C and C++ -Requires: %{name}-client = %{version}-%{release} -%py_requires - -%description python -The libvirt-python package contains a module that permits applications -written in the Python programming language to use the interface -supplied by the libvirt library to use the virtualization capabilities -of recent versions of Linux (and other OSes). -%endif - %prep %setup -q %patch100 -p1 -%patch101 +%patch101 -p1 %patch102 -p1 %patch103 -p1 %patch104 -p1 
@@ -999,6 +998,9 @@ of recent versions of Linux (and other OSes). %if ! %{with_storage_sheepdog} %define _without_storage_sheepdog --without-storage-sheepdog %endif +%if ! %{with_storage_gluster} +%define _without_storage_gluster --without-storage-gluster +%endif %if ! %{with_numactl} %define _without_numactl --without-numactl %endif @@ -1053,9 +1055,6 @@ of recent versions of Linux (and other OSes). %if ! %{with_avahi} %define _without_avahi --without-avahi %endif -%if ! %{with_python} -%define _without_python --without-python -%endif %if ! %{with_libpcap} %define _without_libpcap --without-libpcap %endif @@ -1091,7 +1090,6 @@ export CFLAGS="$RPM_OPT_FLAGS" %{?_without_sasl} \ %{?_without_avahi} \ %{?_without_polkit} \ - %{?_without_python} \ %{?_without_libvirtd} \ %{?_without_uml} \ %{?_without_phyp} \ @@ -1108,6 +1106,7 @@ export CFLAGS="$RPM_OPT_FLAGS" %{?_without_storage_mpath} \ %{?_without_storage_rbd} \ %{?_without_storage_sheepdog} \ + %{?_without_storage_gluster} \ %{?_without_numactl} \ %{?_without_numad} \ %{?_without_capng} \ @@ -1138,14 +1137,12 @@ gzip -9 ChangeLog %install %makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} DOCS_DIR=%{_docdir}/%{name}-python EXAMPLE_DIR=%{_docdir}/%{name}-python/examples HTML_DIR=%{_docdir}/%{name} -for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter systemtap +for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap do (cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in) done rm -f $RPM_BUILD_ROOT%{_libdir}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/*.a -rm -f $RPM_BUILD_ROOT%{py_sitedir}/*.la -rm -f $RPM_BUILD_ROOT%{py_sitedir}/*.a rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/lock-driver/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/lock-driver/*.a %if %{with_driver_modules} 
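Review bot: The `%makeinstall` line still passes `DOCS_DIR=%{_docdir}/%{name}-python` and `EXAMPLE_DIR=%{_docdir}/%{name}-python/examples` although this commit drops the python subpackage and, in the following hunk, the `rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}-python` cleanup; if the 1.2.0 install target still honours those variables, anything it places there is now unpackaged. Either drop the two assignments or redirect them to the main doc directory, e.g. `%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name}`. The `%install` section continues past the end of this hunk.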
@@ -1215,11 +1212,6 @@ EOF rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirt_sanlock.aug rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug %endif -%if ! %{with_python} -rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}-python -%else -rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libvirt-python-%{version}/* -%endif # init scripts mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/init.d @@ -1668,16 +1660,4 @@ fi %{_bindir}/virt-login-shell %endif -%if %{with_python} - -%files python -%defattr(-, root, root) -%{py_sitedir}/libvirt.py* -%{py_sitedir}/libvirt_qemu.py* -%{py_sitedir}/libvirt_lxc.py* -%{py_sitedir}/libvirtmod* -%doc examples/python -%doc examples/domain-events/events-python -%endif - %changelog diff --git a/libvirtd-defaults.patch b/libvirtd-defaults.patch index ad52bcc..5f6f471 100644 --- a/libvirtd-defaults.patch +++ b/libvirtd-defaults.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/daemon/libvirtd.conf +Index: libvirt-1.2.0/daemon/libvirtd.conf =================================================================== ---- libvirt-1.1.4.orig/daemon/libvirtd.conf -+++ libvirt-1.1.4/daemon/libvirtd.conf +--- libvirt-1.2.0.orig/daemon/libvirtd.conf ++++ libvirt-1.2.0/daemon/libvirtd.conf @@ -18,8 +18,8 @@ # It is necessary to setup a CA and issue server certificates before # using this capability. @@ -13,10 +13,10 @@ Index: libvirt-1.1.4/daemon/libvirtd.conf # Listen for unencrypted TCP connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to -Index: libvirt-1.1.4/daemon/libvirtd-config.c +Index: libvirt-1.2.0/daemon/libvirtd-config.c =================================================================== ---- libvirt-1.1.4.orig/daemon/libvirtd-config.c -+++ libvirt-1.1.4/daemon/libvirtd-config.c +--- libvirt-1.2.0.orig/daemon/libvirtd-config.c ++++ libvirt-1.2.0/daemon/libvirtd-config.c @@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT if (VIR_ALLOC(data) < 0) return NULL; 
diff --git a/libvirtd-init-script.patch b/libvirtd-init-script.patch index 38431b6..09fbc67 100644 --- a/libvirtd-init-script.patch +++ b/libvirtd-init-script.patch @@ -1,9 +1,9 @@ Adjust libvirtd sysconfig file to conform to SUSE standards -Index: libvirt-1.1.4/daemon/libvirtd.sysconf +Index: libvirt-1.2.0/daemon/libvirtd.sysconf =================================================================== ---- libvirt-1.1.4.orig/daemon/libvirtd.sysconf -+++ libvirt-1.1.4/daemon/libvirtd.sysconf +--- libvirt-1.2.0.orig/daemon/libvirtd.sysconf ++++ libvirt-1.2.0/daemon/libvirtd.sysconf @@ -1,16 +1,25 @@ +## Path: System/Virtualization/libvirt + diff --git a/libxl-hvm-nic.patch b/libxl-hvm-nic.patch index 9b8b9c5..d589ae5 100644 --- a/libxl-hvm-nic.patch +++ b/libxl-hvm-nic.patch @@ -1,8 +1,8 @@ -Index: libvirt-1.1.4/src/libxl/libxl_conf.c +Index: libvirt-1.2.0/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.4.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.4/src/libxl/libxl_conf.c -@@ -883,8 +883,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l +--- libvirt-1.2.0.orig/src/libxl/libxl_conf.c ++++ libvirt-1.2.0/src/libxl/libxl_conf.c +@@ -886,8 +886,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l * x_nics[i].mtu = 1492; */ @@ -11,7 +11,7 @@ Index: libvirt-1.1.4/src/libxl/libxl_conf.c virMacAddrGetRaw(&l_nic->mac, x_nic->mac); if (l_nic->model && !STREQ(l_nic->model, "netfront")) { -@@ -929,6 +927,8 @@ libxlMakeNicList(virDomainDefPtr def, l +@@ -932,6 +930,8 @@ libxlMakeNicList(virDomainDefPtr def, l return -1; for (i = 0; i < nnics; i++) { diff --git a/libxl-hvm-vnc.patch b/libxl-hvm-vnc.patch index e4ecc65..93521dd 100644 --- a/libxl-hvm-vnc.patch +++ b/libxl-hvm-vnc.patch 
@@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/src/libxl/libxl_conf.c +Index: libvirt-1.2.0/src/libxl/libxl_conf.c =================================================================== ---- libvirt-1.1.4.orig/src/libxl/libxl_conf.c -+++ libvirt-1.1.4/src/libxl/libxl_conf.c +--- libvirt-1.2.0.orig/src/libxl/libxl_conf.c ++++ libvirt-1.2.0/src/libxl/libxl_conf.c @@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de } @@ -33,7 +33,7 @@ Index: libvirt-1.1.4/src/libxl/libxl_conf.c libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config) { virDomainDefPtr def = vm->def; -@@ -1176,6 +1200,9 @@ libxlBuildDomainConfig(libxlDriverPrivat +@@ -1174,6 +1198,9 @@ libxlBuildDomainConfig(libxlDriverPrivat if (libxlMakeVfbList(driver, def, d_config) < 0) return -1; diff --git a/support-managed-pci-xen-driver.patch b/support-managed-pci-xen-driver.patch index e190634..3b298a6 100644 --- a/support-managed-pci-xen-driver.patch +++ b/support-managed-pci-xen-driver.patch @@ -8,10 +8,10 @@ Subject: [PATCH] support managed pci devices in xen driver src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 15 deletions(-) -Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c +Index: libvirt-1.2.0/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +--- libvirt-1.2.0.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.2.0/src/xenxs/xen_sxpr.c @@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def, int busID; int slotID; @@ -78,10 +78,10 @@ Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c xenFormatSxprPCI(def->hostdevs[i], buf); } } -Index: libvirt-1.1.4/src/xenxs/xen_xm.c +Index: libvirt-1.2.0/src/xenxs/xen_xm.c =================================================================== ---- libvirt-1.1.4.orig/src/xenxs/xen_xm.c -+++ libvirt-1.1.4/src/xenxs/xen_xm.c +--- libvirt-1.2.0.orig/src/xenxs/xen_xm.c ++++ libvirt-1.2.0/src/xenxs/xen_xm.c 
@@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf int busID; int slotID; diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch index c8bf9f4..eefd498 100644 --- a/suse-qemu-conf.patch +++ b/suse-qemu-conf.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/src/qemu/qemu.conf +Index: libvirt-1.2.0/src/qemu/qemu.conf =================================================================== ---- libvirt-1.1.4.orig/src/qemu/qemu.conf -+++ libvirt-1.1.4/src/qemu/qemu.conf +--- libvirt-1.2.0.orig/src/qemu/qemu.conf ++++ libvirt-1.2.0/src/qemu/qemu.conf @@ -200,7 +200,16 @@ # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. diff --git a/systemd-service-xen.patch b/systemd-service-xen.patch index 1bfa0e5..7728454 100644 --- a/systemd-service-xen.patch +++ b/systemd-service-xen.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/daemon/libvirtd.service.in +Index: libvirt-1.2.0/daemon/libvirtd.service.in =================================================================== ---- libvirt-1.1.4.orig/daemon/libvirtd.service.in -+++ libvirt-1.1.4/daemon/libvirtd.service.in +--- libvirt-1.2.0.orig/daemon/libvirtd.service.in ++++ libvirt-1.2.0/daemon/libvirtd.service.in @@ -9,6 +9,8 @@ Before=libvirt-guests.service After=network.target After=dbus.service diff --git a/virtlockd-init-script.patch b/virtlockd-init-script.patch index bbf1051..1552186 100644 --- a/virtlockd-init-script.patch +++ b/virtlockd-init-script.patch @@ -1,9 +1,9 @@ Adjust virtlockd init files to conform to SUSE standards -Index: libvirt-1.1.4/src/locking/virtlockd.sysconf +Index: libvirt-1.2.0/src/locking/virtlockd.sysconf =================================================================== ---- libvirt-1.1.4.orig/src/locking/virtlockd.sysconf -+++ libvirt-1.1.4/src/locking/virtlockd.sysconf +--- libvirt-1.2.0.orig/src/locking/virtlockd.sysconf ++++ libvirt-1.2.0/src/locking/virtlockd.sysconf @@ -1,3 +1,7 @@ +## Path: System/Virtualization/virtlockd + 
@@ -12,10 +12,10 @@ Index: libvirt-1.1.4/src/locking/virtlockd.sysconf # # Pass extra arguments to virtlockd #VIRTLOCKD_ARGS= -Index: libvirt-1.1.4/src/locking/virtlockd.init.in +Index: libvirt-1.2.0/src/locking/virtlockd.init.in =================================================================== ---- libvirt-1.1.4.orig/src/locking/virtlockd.init.in -+++ libvirt-1.1.4/src/locking/virtlockd.init.in +--- libvirt-1.2.0.orig/src/locking/virtlockd.init.in ++++ libvirt-1.2.0/src/locking/virtlockd.init.in @@ -4,11 +4,13 @@ # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV # diff --git a/xen-name-for-devid.patch b/xen-name-for-devid.patch index 3390495..b9b18bd 100644 --- a/xen-name-for-devid.patch +++ b/xen-name-for-devid.patch @@ -14,10 +14,10 @@ is inactive. We obviously can't search xenstore when the domain is inactive. -Index: libvirt-1.1.4/src/xen/xend_internal.c +Index: libvirt-1.2.0/src/xen/xend_internal.c =================================================================== ---- libvirt-1.1.4.orig/src/xen/xend_internal.c -+++ libvirt-1.1.4/src/xen/xend_internal.c +--- libvirt-1.2.0.orig/src/xen/xend_internal.c ++++ libvirt-1.2.0/src/xen/xend_internal.c @@ -70,7 +70,7 @@ #define XEND_RCV_BUF_MAX_LEN (256 * 1024) diff --git a/xen-pv-cdrom.patch b/xen-pv-cdrom.patch index d552804..9c946b0 100644 --- a/xen-pv-cdrom.patch +++ b/xen-pv-cdrom.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.1.4/src/xenxs/xen_sxpr.c +Index: libvirt-1.2.0/src/xenxs/xen_sxpr.c =================================================================== ---- libvirt-1.1.4.orig/src/xenxs/xen_sxpr.c -+++ libvirt-1.1.4/src/xenxs/xen_sxpr.c +--- libvirt-1.2.0.orig/src/xenxs/xen_sxpr.c ++++ libvirt-1.2.0/src/xenxs/xen_sxpr.c @@ -330,7 +330,7 @@ error: static int xenParseSxprDisks(virDomainDefPtr def, From c5c21c4a378cce757bc750a855acd896075d460a76870bcd24dc9e4325046bb4 Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Fri, 6 Dec 2013 22:49:19 +0000 Subject: [PATCH 09/14] Add missing changelog entry about building with numad support OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=335 --- libvirt.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/libvirt.changes b/libvirt.changes index 5df79cf..a405a2c 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -8,6 +8,7 @@ Fri Dec 6 11:03:54 MST 2013 - jfehlig@suse.com - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Updated and renamed clone.patch to ia64-clone.patch +- Enabled numad support for openSUSE >= 13.1 ------------------------------------------------------------------- Wed Dec 4 14:28:14 MST 2013 - jfehlig@suse.com From 387203a9485707792b8600a15d592eba940b5132fc979fab54a4934a6d09360b Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Fri, 6 Dec 2013 22:50:19 +0000 Subject: [PATCH 10/14] - More adjustments to the spec file to fix package dependency issues bnc#848918 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=336 --- libvirt.changes | 7 +++ libvirt.spec | 160 +++++++++++++++++++++++++++++++++--------------- 2 files changed, 119 insertions(+), 48 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index a405a2c..0a5e968 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Dec 6 15:49:34 MST 2013 - jfehlig@suse.com + +- More adjustments to the spec file to fix package dependency + issues + bnc#848918 + ------------------------------------------------------------------- Fri Dec 6 11:03:54 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 67ffe72..f877183 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -244,22 +244,25 @@ Requires: libvirt-daemon = %{version}-%{release}
 %if %{with_nwfilter}
 Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
 %endif
-%if %{with_libxl} || %{with_xen}
-Requires: libvirt-daemon-xen
+%if %{with_driver_modules}
+%if %{with_libxl}
+Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
 %endif
 %if %{with_lxc}
-Requires: libvirt-daemon-lxc
+Requires: libvirt-daemon-driver-lxc = %{version}-%{release}
 %endif
 %if %{with_qemu}
-Requires: libvirt-daemon-qemu
+Requires: libvirt-daemon-driver-qemu = %{version}-%{release}
 %endif
 %if %{with_uml}
-Requires: libvirt-daemon-uml
+Requires: libvirt-daemon-driver-uml = %{version}-%{release}
+%endif
+%if %{with_xen}
+Requires: libvirt-daemon-driver-xen = %{version}-%{release}
 %endif
 %if %{with_vbox}
-Requires: libvirt-daemon-vbox
+Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
 %endif
-%if %{with_driver_modules}
 %if %{with_nwfilter}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 %endif
@@ -1181,19 +1184,34 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter
 rm -rf $RPM_BUILD_ROOT%{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
 %endif
-%if ! %{with_lxc}
+%if %{with_lxc}
+cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-lxc.README << 'EOF'
+Any empty package encapsulating requirements for a libvirtd capable
+of managing LXC.
+EOF
+%else
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/lxc.conf
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_lxc.aug
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.lxc
 %endif
-%if ! %{with_qemu}
+%if %{with_qemu}
+cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-qemu.README << 'EOF'
+Any empty package encapsulating requirements for a libvirtd capable
+of managing QEMU/KVM.
+EOF
+%else
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_qemu.aug
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.qemu
 %endif
-%if ! %{with_uml}
+%if %{with_uml}
+cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-uml.README << 'EOF'
+Any empty package encapsulating requirements for a libvirtd capable
+of managing UML.
+EOF
+%else
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.uml
 %endif
 %if %{with_vbox}
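Review bot: The README text emitted by each of the three new heredocs reads `Any empty package encapsulating requirements for a libvirtd capable`; "Any" looks like a typo for "An", and since this text ships in the built package it should be `An empty package encapsulating requirements for a libvirtd capable`. The same sentence appears in the LXC, QEMU/KVM and UML blocks of this hunk, so all three need the change. The `cat >` redirections also assume `$RPM_BUILD_ROOT%{_docdir}/libvirt/` already exists at this point of %install; if it is only created later (for instance by `%doc` processing), these lines fail the build, which I cannot confirm from this hunk alone.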
@@ -1328,18 +1346,6 @@ fi
 %{_sbindir}/virtlockd
 %dir %{_libdir}/%{name}
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/
-%if %{with_network}
-%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
-%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/
-%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
-%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
-%dir %{_datadir}/libvirt/networks/
-%{_datadir}/libvirt/networks/default.xml
-%endif
-%if %{with_nwfilter}
-%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
-%endif
 %{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd
 %config /etc/init.d/libvirtd
 %{_sbindir}/rclibvirtd
@@ -1382,9 +1388,6 @@ fi
 %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
 %endif
 %endif
-%if %{with_storage_disk}
-%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper
-%endif
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt_iohelper
 %doc %{_mandir}/man8/libvirtd.8*
 %{_mandir}/man8/virtlockd.8*
@@ -1400,14 +1403,60 @@ fi %endif %config %{_fwdefdir}/libvirtd-relocation-server -%if %{with_driver_modules} +%if ! %{with_driver_modules} +%if %{with_network} +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/ +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/ +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/ +%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/ +%dir %{_datadir}/libvirt/networks/ +%{_datadir}/libvirt/networks/default.xml +%endif +%if %{with_qemu} +%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf +%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ +%{_datadir}/augeas/lenses/libvirtd_qemu.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug +%endif +%if %{with_lxc} +%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/ +%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc +%{_datadir}/augeas/lenses/libvirtd_lxc.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug +%endif +%if %{with_uml} +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ +%endif +%if %{with_libxl} +%dir %attr(0700, root, root) 
%{_localstatedir}/lib/libvirt/libxl/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/ +%endif +%if %{with_storage_disk} +%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper +%endif +%endif # ! %{with_driver_modules} + %if %{with_nwfilter} %files daemon-config-nwfilter %defattr(-, root, root) +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/ %{_sysconfdir}/libvirt/nwfilter/*.xml %endif +%if %{with_driver_modules} %if %{with_interface} %files daemon-driver-interface @@ -1420,6 +1469,13 @@ fi %files daemon-driver-network %defattr(-, root, root) +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/ +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/ +%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart +%dir %{_datadir}/libvirt/networks/ +%{_datadir}/libvirt/networks/default.xml +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/ +%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/ %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so %endif @@ -1449,6 +1505,9 @@ fi %files daemon-driver-storage %defattr(-, root, root) +%if %{with_storage_disk} +%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper +%endif %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_storage.so %endif 
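Review bot: The file list placed under `%if ! %{with_driver_modules}` in the hunk that starts on the previous line duplicates, entry for entry, the lists that the later daemon-driver-qemu, daemon-driver-lxc, daemon-driver-uml, daemon-driver-storage and daemon-driver-network hunks add to the per-driver subpackages, so any future change to an ownership or mode such as `%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/` has to be made in two places and the monolithic and modular builds can silently drift apart. Defining each per-driver list once (rpm allows multi-line `%define` bodies with backslash continuation) and expanding it in both the monolithic daemon section and the driver subpackage would keep them in step. The trailing `# ! %{with_driver_modules}` after `%endif` is, as far as I know, ignored by the rpm of this era, but later rpm versions warn about extra tokens on an `%endif` line, so the comment is safer on its own line.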
@@ -1457,6 +1516,17 @@ fi %files daemon-driver-qemu %defattr(-, root, root) +%defattr(-, root, root) +%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf +%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ +%{_datadir}/augeas/lenses/libvirtd_qemu.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so %endif @@ -1465,6 +1535,13 @@ fi %files daemon-driver-lxc %defattr(-, root, root) +%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/ +%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc +%{_datadir}/augeas/lenses/libvirtd_lxc.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so %endif @@ -1473,6 +1550,9 @@ fi %files daemon-driver-uml %defattr(-, root, root) +%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml +%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/ +%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_uml.so %endif 
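Review bot: The daemon-driver-qemu hunk adds a second `%defattr(-, root, root)` immediately after the existing `%defattr(-, root, root)` context line; the added line is redundant and should be dropped so the section carries a single `%defattr`. The daemon-driver-lxc and daemon-driver-uml hunks below it do not repeat the directive, so removing it also keeps the three sections consistent.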
@@ -1489,10 +1569,10 @@ fi %files daemon-driver-libxl %defattr(-, root, root) -%dir %{_libdir}/%{name}/connection-driver -%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/ %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/ +%dir %{_libdir}/%{name}/connection-driver +%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so %endif %if %{with_vbox} 
@@ -1507,38 +1587,21 @@ fi %files daemon-qemu %defattr(-, root, root) -%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf -%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf -%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ -%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ -%{_datadir}/augeas/lenses/libvirtd_qemu.aug -%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug +%doc %{_docdir}/%{name}/libvirt-daemon-qemu.README %endif %if %{with_lxc} %files daemon-lxc %defattr(-, root, root) -%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf -%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc -%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/ -%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/ -%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc -%{_datadir}/augeas/lenses/libvirtd_lxc.aug -%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug +%doc %{_docdir}/%{name}/libvirt-daemon-lxc.README %endif %if %{with_uml} %files daemon-uml %defattr(-, root, root) -%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml -%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/ -%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ +%doc %{_docdir}/%{name}/libvirt-daemon-uml.README %endif %if %{with_xen} || %{with_libxl} 
@@ -1563,6 +1626,7 @@ fi %doc %{_mandir}/man1/virt-xml-validate.1* %doc %{_mandir}/man1/virt-pki-validate.1* %doc %{_mandir}/man1/virt-host-validate.1* +%dir %attr(0700, root, root) %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/libvirt.conf %{_bindir}/virsh %{_bindir}/virt-xml-validate From 7ea60c0a2807bd421c2dcb03eb9be78bde71d572d5f2dd870a6241a5e1392a62 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Fri, 20 Dec 2013 16:25:32 +0000 Subject: [PATCH 11/14] - CVE-2013-6436: Fix crashes in lxc memtune code, one of which results in DoS f8c1cb90-CVE-2013-6436.patch, 9faf3f29-LXC-memtune.patch bnc#854486 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=337 --- 9faf3f29-LXC-memtune.patch | 199 +++++++++++++++++++++++++++++++++++ f8c1cb90-CVE-2013-6436.patch | 145 +++++++++++++++++++++++++ libvirt.changes | 8 ++ libvirt.spec | 4 + 4 files changed, 356 insertions(+) create mode 100644 9faf3f29-LXC-memtune.patch create mode 100644 f8c1cb90-CVE-2013-6436.patch diff --git a/9faf3f29-LXC-memtune.patch b/9faf3f29-LXC-memtune.patch new file mode 100644 index 0000000..42fd606 --- /dev/null +++ b/9faf3f29-LXC-memtune.patch 
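Review bot: With `%dir %attr(0700, root, root) %{_sysconfdir}/%{name}` the client package now claims the same directory that the libvirt-daemon file list already declares as `%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/` (visible as context in the earlier daemon hunk); rpm tolerates a directory owned by two packages, but the mode and owner must stay identical in both places, otherwise the effective permissions may depend on install order. If unprivileged users are expected to run virsh against the global `%{_sysconfdir}/%{name}/libvirt.conf` listed right below, a root-only 0700 directory makes that file unreadable to them; if that is the intended policy it deserves a comment such as `# /etc/libvirt is root-only (daemon config lives here); non-root clients use ~/.config/libvirt/libvirt.conf`, which I cannot confirm from this hunk. Spelling the path the same way in both sections (`%{name}` versus `libvirt/`) would also make the shared ownership easier to spot.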
@@ -0,0 +1,199 @@ +commit 9faf3f2950aed1643ab7564afcb4c693c77f71b5 +Author: Martin Kletzander +Date: Mon Dec 9 11:15:12 2013 +0100 + + Fix crash in lxcDomainSetMemoryParameters + + The function doesn't check whether the request is made for active or + inactive domain. Thus when the domain is not running it still tries + accessing non-existing cgroups (priv->cgroup, which is NULL). + + I re-made the function in order for it to work the same way it's qemu + counterpart does. + + Reproducer: + 1) Define an LXC domain + 2) Do 'virsh memtune --hard-limit 133T' + + Backtrace: + Thread 6 (Thread 0x7fffec8c0700 (LWP 26826)): + #0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf718) at util/vircgroup.c:1764 + #1 0x00007ffff70e9206 in virCgroupSetValueStr (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffe409f360 "1073741824") + at util/vircgroup.c:669 + #2 0x00007ffff70e98b4 in virCgroupSetValueU64 (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", value=1073741824) at util/vircgroup.c:740 + #3 0x00007ffff70ee518 in virCgroupSetMemory (group=0x0, kb=1048576) at util/vircgroup.c:1904 + #4 0x00007ffff70ee675 in virCgroupSetMemoryHardLimit (group=0x0, kb=1048576) + at util/vircgroup.c:1944 + #5 0x00005555557d54c8 in lxcDomainSetMemoryParameters (dom=0x7fffe40cc420, + params=0x7fffe409f100, nparams=1, flags=0) at lxc/lxc_driver.c:774 + #6 0x00007ffff72c20f9 in virDomainSetMemoryParameters (domain=0x7fffe40cc420, + params=0x7fffe409f100, nparams=1, flags=0) at libvirt.c:4051 + #7 0x000055555561365f in remoteDispatchDomainSetMemoryParameters (server=0x555555eb7e00, + client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, args=0x7fffe40b8510) + at remote_dispatch.h:7621 + #8 0x00005555556133fd in remoteDispatchDomainSetMemoryParametersHelper (server=0x555555eb7e00, + client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, 
args=0x7fffe40b8510, + ret=0x7fffe40b84f0) at remote_dispatch.h:7591 + #9 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0, + server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0) + at rpc/virnetserverprogram.c:435 + #10 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0, + server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0) + at rpc/virnetserverprogram.c:305 + #11 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ec4b10, + prog=0x555555ec3ae0, msg=0x555555eb94e0) at rpc/virnetserver.c:165 + #12 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ec3e30, opaque=0x555555eb7e00) + at rpc/virnetserver.c:186 + #13 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144 + #14 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161 + #15 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308 + #16 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 + + 
Signed-off-by: Martin Kletzander + +Index: libvirt-1.2.0/src/lxc/lxc_driver.c +=================================================================== +--- libvirt-1.2.0.orig/src/lxc/lxc_driver.c ++++ libvirt-1.2.0/src/lxc/lxc_driver.c +@@ -742,12 +742,24 @@ lxcDomainSetMemoryParameters(virDomainPt + int nparams, + unsigned int flags) + { +- size_t i; ++ virCapsPtr caps = NULL; ++ virDomainDefPtr vmdef = NULL; + virDomainObjPtr vm = NULL; ++ virLXCDomainObjPrivatePtr priv = NULL; ++ virLXCDriverConfigPtr cfg = NULL; ++ virLXCDriverPtr driver = dom->conn->privateData; ++ unsigned long long hard_limit; ++ unsigned long long soft_limit; ++ unsigned long long swap_hard_limit; ++ bool set_hard_limit = false; ++ bool set_soft_limit = false; ++ bool set_swap_hard_limit = false; ++ int rc; + int ret = -1; +- virLXCDomainObjPrivatePtr priv; + +- virCheckFlags(0, -1); ++ virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | ++ VIR_DOMAIN_AFFECT_CONFIG, -1); ++ + if (virTypedParamsValidate(params, nparams, + VIR_DOMAIN_MEMORY_HARD_LIMIT, + VIR_TYPED_PARAM_ULLONG, +@@ -762,29 +774,97 @@ lxcDomainSetMemoryParameters(virDomainPt + goto cleanup; + + priv = vm->privateData; ++ cfg = virLXCDriverGetConfig(driver); + +- if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0) ++ if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0 || ++ !(caps = virLXCDriverGetCapabilities(driver, false)) || ++ virDomainLiveConfigHelperMethod(caps, driver->xmlopt, ++ vm, &flags, &vmdef) < 0) + goto cleanup; + +- ret = 0; +- for (i = 0; i < nparams; i++) { +- virTypedParameterPtr param = ¶ms[i]; ++ if (flags & VIR_DOMAIN_AFFECT_LIVE && ++ !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) { ++ virReportError(VIR_ERR_OPERATION_INVALID, ++ "%s", _("cgroup memory controller is not mounted")); ++ goto cleanup; ++ } + +- if (STREQ(param->field, VIR_DOMAIN_MEMORY_HARD_LIMIT)) { +- if (virCgroupSetMemoryHardLimit(priv->cgroup, params[i].value.ul) < 0) +- ret = -1; +- } 
else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SOFT_LIMIT)) { +- if (virCgroupSetMemorySoftLimit(priv->cgroup, params[i].value.ul) < 0) +- ret = -1; +- } else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT)) { +- if (virCgroupSetMemSwapHardLimit(priv->cgroup, params[i].value.ul) < 0) +- ret = -1; ++#define VIR_GET_LIMIT_PARAMETER(PARAM, VALUE) \ ++ if ((rc = virTypedParamsGetULLong(params, nparams, PARAM, &VALUE)) < 0) \ ++ goto cleanup; \ ++ \ ++ if (rc == 1) \ ++ set_ ## VALUE = true; ++ ++ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT, swap_hard_limit) ++ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_HARD_LIMIT, hard_limit) ++ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SOFT_LIMIT, soft_limit) ++ ++#undef VIR_GET_LIMIT_PARAMETER ++ ++ /* Swap hard limit must be greater than hard limit. ++ * Note that limit of 0 denotes unlimited */ ++ if (set_swap_hard_limit || set_hard_limit) { ++ unsigned long long mem_limit = vm->def->mem.hard_limit; ++ unsigned long long swap_limit = vm->def->mem.swap_hard_limit; ++ ++ if (set_swap_hard_limit) ++ swap_limit = swap_hard_limit; ++ ++ if (set_hard_limit) ++ mem_limit = hard_limit; ++ ++ if (virCompareLimitUlong(mem_limit, swap_limit) > 0) { ++ virReportError(VIR_ERR_INVALID_ARG, "%s", ++ _("memory hard_limit tunable value must be lower " ++ "than or equal to swap_hard_limit")); ++ goto cleanup; + } + } + ++#define LXC_SET_MEM_PARAMETER(FUNC, VALUE) \ ++ if (set_ ## VALUE) { \ ++ if (flags & VIR_DOMAIN_AFFECT_LIVE) { \ ++ if ((rc = FUNC(priv->cgroup, VALUE)) < 0) { \ ++ virReportSystemError(-rc, _("unable to set memory %s tunable"), \ ++ #VALUE); \ ++ \ ++ goto cleanup; \ ++ } \ ++ vm->def->mem.VALUE = VALUE; \ ++ } \ ++ \ ++ if (flags & VIR_DOMAIN_AFFECT_CONFIG) \ ++ vmdef->mem.VALUE = VALUE; \ ++ } ++ ++ /* Soft limit doesn't clash with the others */ ++ LXC_SET_MEM_PARAMETER(virCgroupSetMemorySoftLimit, soft_limit); ++ ++ /* set hard limit before swap hard limit if decreasing it */ ++ if 
(virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0) { ++ LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit); ++ /* inhibit changing the limit a second time */ ++ set_hard_limit = false; ++ } ++ ++ LXC_SET_MEM_PARAMETER(virCgroupSetMemSwapHardLimit, swap_hard_limit); ++ ++ /* otherwise increase it after swap hard limit */ ++ LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit); ++ ++#undef LXC_SET_MEM_PARAMETER ++ ++ if (flags & VIR_DOMAIN_AFFECT_CONFIG && ++ virDomainSaveConfig(cfg->configDir, vmdef) < 0) ++ goto cleanup; ++ ++ ret = 0; + cleanup: + if (vm) + virObjectUnlock(vm); ++ virObjectUnref(caps); ++ virObjectUnref(cfg); + return ret; + } + diff --git a/f8c1cb90-CVE-2013-6436.patch b/f8c1cb90-CVE-2013-6436.patch new file mode 100644 index 0000000..911912f --- /dev/null +++ b/f8c1cb90-CVE-2013-6436.patch 
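Review bot: In the backported lxcDomainSetMemoryParameters body, `hard_limit` is declared as `unsigned long long hard_limit;` without an initializer and is only assigned when VIR_DOMAIN_MEMORY_HARD_LIMIT is present, yet the line `if (virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0) {` reads it unconditionally, so the comparison operates on an indeterminate value whenever the caller did not pass a hard limit. The effect is contained because LXC_SET_MEM_PARAMETER checks `set_hard_limit` before acting, but the read itself is undefined behaviour and the kind of thing -Wmaybe-uninitialized flags. Initialising the three limit variables, `unsigned long long hard_limit = 0;` and likewise for `soft_limit` and `swap_hard_limit`, or guarding the comparison with `set_hard_limit &&`, removes it. Since this is upstream code carried as a patch file, the fix belongs in a separate follow-up patch rather than an edit of this one; the enclosing function's declarations are earlier in the same hunk.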
@@ -0,0 +1,145 @@ +commit f8c1cb90213508c4f32549023b0572ed774e48aa +Author: Martin Kletzander +Date: Mon Dec 9 11:15:11 2013 +0100 + + CVE-2013-6436: fix crash in lxcDomainGetMemoryParameters + + The function doesn't check whether the request is made for active or + inactive domain. Thus when the domain is not running it still tries + accessing non-existing cgroups (priv->cgroup, which is NULL). + + I re-made the function in order for it to work the same way it's qemu + counterpart does. + + Reproducer: + 1) Define an LXC domain + 2) Do 'virsh memtune ' + + Backtrace: + Thread 6 (Thread 0x7fffec8c0700 (LWP 13387)): + #0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf750) at util/vircgroup.c:1764 + #1 0x00007ffff70e958c in virCgroupGetValueStr (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf7c0) at util/vircgroup.c:705 + #2 0x00007ffff70e9d29 in virCgroupGetValueU64 (group=0x0, controller=3, + key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf810) at util/vircgroup.c:804 + #3 0x00007ffff70ee706 in virCgroupGetMemoryHardLimit (group=0x0, kb=0x7fffec8bf8a8) + at util/vircgroup.c:1962 + #4 0x00005555557d590f in lxcDomainGetMemoryParameters (dom=0x7fffd40024a0, + params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at lxc/lxc_driver.c:826 + #5 0x00007ffff72c28d3 in virDomainGetMemoryParameters (domain=0x7fffd40024a0, + params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at libvirt.c:4137 + #6 0x000055555563714d in remoteDispatchDomainGetMemoryParameters (server=0x555555eb7e00, + client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0, + ret=0x7fffd4002420) at remote.c:1895 + #7 0x00005555556052c4 in remoteDispatchDomainGetMemoryParametersHelper (server=0x555555eb7e00, + client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0, + ret=0x7fffd4002420) at 
remote_dispatch.h:4050 + #8 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0, + server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0) + at rpc/virnetserverprogram.c:435 + #9 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0, + server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0) + at rpc/virnetserverprogram.c:305 + #10 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ebaef0, + prog=0x555555ec3ae0, msg=0x555555ebb3e0) at rpc/virnetserver.c:165 + #11 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ebc7e0, opaque=0x555555eb7e00) + at rpc/virnetserver.c:186 + #12 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144 + #13 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161 + #14 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308 + #15 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 + + 
Signed-off-by: Martin Kletzander + +Index: libvirt-1.2.0/src/lxc/lxc_driver.c +=================================================================== +--- libvirt-1.2.0.orig/src/lxc/lxc_driver.c ++++ libvirt-1.2.0/src/lxc/lxc_driver.c +@@ -794,22 +794,36 @@ lxcDomainGetMemoryParameters(virDomainPt + int *nparams, + unsigned int flags) + { +- size_t i; ++ virCapsPtr caps = NULL; ++ virDomainDefPtr vmdef = NULL; + virDomainObjPtr vm = NULL; ++ virLXCDomainObjPrivatePtr priv = NULL; ++ virLXCDriverPtr driver = dom->conn->privateData; + unsigned long long val; + int ret = -1; +- virLXCDomainObjPrivatePtr priv; ++ size_t i; + +- virCheckFlags(0, -1); ++ virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | ++ VIR_DOMAIN_AFFECT_CONFIG, -1); + + if (!(vm = lxcDomObjFromDomain(dom))) + goto cleanup; + + priv = vm->privateData; + +- if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0) ++ if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0 || ++ !(caps = virLXCDriverGetCapabilities(driver, false)) || ++ virDomainLiveConfigHelperMethod(caps, driver->xmlopt, ++ vm, &flags, &vmdef) < 0) + goto cleanup; + ++ if (flags & VIR_DOMAIN_AFFECT_LIVE && ++ !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) { ++ virReportError(VIR_ERR_OPERATION_INVALID, ++ "%s", _("cgroup memory controller is not mounted")); ++ goto cleanup; ++ } ++ + if ((*nparams) == 0) { + /* Current number of memory parameters supported by cgroups */ + *nparams = LXC_NB_MEM_PARAM; +@@ -823,22 +837,34 @@ lxcDomainGetMemoryParameters(virDomainPt + + switch (i) { + case 0: /* fill memory hard limit here */ +- if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0) ++ if (flags & VIR_DOMAIN_AFFECT_CONFIG) { ++ val = vmdef->mem.hard_limit; ++ val = val ? 
val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; ++ } else if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0) { + goto cleanup; ++ } + if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_HARD_LIMIT, + VIR_TYPED_PARAM_ULLONG, val) < 0) + goto cleanup; + break; + case 1: /* fill memory soft limit here */ +- if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0) ++ if (flags & VIR_DOMAIN_AFFECT_CONFIG) { ++ val = vmdef->mem.soft_limit; ++ val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; ++ } else if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0) { + goto cleanup; ++ } + if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_SOFT_LIMIT, + VIR_TYPED_PARAM_ULLONG, val) < 0) + goto cleanup; + break; + case 2: /* fill swap hard limit here */ +- if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0) ++ if (flags & VIR_DOMAIN_AFFECT_CONFIG) { ++ val = vmdef->mem.swap_hard_limit; ++ val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; ++ } else if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0) { + goto cleanup; ++ } + if (virTypedParameterAssign(param, + VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT, + VIR_TYPED_PARAM_ULLONG, val) < 0) +@@ -859,6 +885,7 @@ lxcDomainGetMemoryParameters(virDomainPt + cleanup: + if (vm) + virObjectUnlock(vm); ++ virObjectUnref(caps); + return ret; + } + diff --git a/libvirt.changes b/libvirt.changes index 0a5e968..e555831 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Dec 20 09:04:45 MST 2013 - jfehlig@suse.com + +- CVE-2013-6436: Fix crashes in lxc memtune code, one of which + results in DoS + f8c1cb90-CVE-2013-6436.patch, 9faf3f29-LXC-memtune.patch + bnc#854486 + ------------------------------------------------------------------- Fri Dec 6 15:49:34 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index f877183..217ab77 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -418,6 +418,8 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: f8c1cb90-CVE-2013-6436.patch +Patch1: 9faf3f29-LXC-memtune.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: ia64-clone.patch @@ -917,6 +919,8 @@ namespaces. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %patch100 -p1 %patch101 -p1 %patch102 -p1 From 57d3b850ee3dc998c9ab7b955977f6e7aa5ff4800c2d38b3b10519b112c72ee6 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Fri, 20 Dec 2013 20:31:00 +0000 Subject: [PATCH 12/14] - Remove dependency on pm-utils from libvirt-client bnc#856381 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=338 --- libvirt.changes | 6 ++++++ libvirt.spec | 2 -- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index e555831..ed25abd 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Dec 20 13:13:03 MST 2013 - jfehlig@suse.com + +- Remove dependency on pm-utils from libvirt-client + bnc#856381 + ------------------------------------------------------------------- Fri Dec 20 09:04:45 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 217ab77..e9d7ede 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -865,8 +865,6 @@ Requires: netcat-openbsd Requires: gettext-runtime # Needed by virt-pki-validate script. Requires: gnutls -# Needed for probing the power management features of the host. -Requires: pm-utils %if %{with_sasl} Requires: cyrus-sasl # Not technically required, but makes 'out-of-box' config From 8b2f36a3ed30201635da44827a5d47b62f9096de687ab820f38e3bb4d0e90209 Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Thu, 26 Dec 2013 23:59:17 +0000 Subject: [PATCH 13/14] Accepting request 212280 from home:cbosdonnat:branches:Virtualization Reenabled make check. Still failing for 11.4... but it's really old, isn't it? OBS-URL: https://build.opensuse.org/request/show/212280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=339 --- 5e397d9c-test-fix-dbus-crash.patch | 31 ++++++++++++++++++ 78af457e-fix-virnettlscontexttest.patch | 43 +++++++++++++++++++++++++ libvirt.changes | 5 +++ libvirt.spec | 21 ++++++++++++ 4 files changed, 100 insertions(+) create mode 100644 5e397d9c-test-fix-dbus-crash.patch create mode 100644 78af457e-fix-virnettlscontexttest.patch diff --git a/5e397d9c-test-fix-dbus-crash.patch b/5e397d9c-test-fix-dbus-crash.patch new file mode 100644 index 0000000..9cd8009 --- /dev/null +++ b/5e397d9c-test-fix-dbus-crash.patch @@ -0,0 +1,31 @@ +From 5e397d9c0f2ce7d464f8e7e6a598d1c955dfc04a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Wed, 18 Dec 2013 17:33:44 +0000 +Subject: [PATCH] Fix crash in virsystemdtest with dbus 1.7.6 + +D-bus introduced some changes in its locking code. Overriding the init +function skips the new locking init and thus crashes later in libvirt +test. Removing the function makes the test pass again. +--- + tests/virsystemdmock.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/tests/virsystemdmock.c b/tests/virsystemdmock.c +index b8fc031..b3b82b4 100644 +--- a/tests/virsystemdmock.c ++++ b/tests/virsystemdmock.c +@@ -31,11 +31,6 @@ void dbus_connection_set_change_sigpipe(dbus_bool_t will_modify_sigpipe ATTRIBUT + { + } + +-dbus_bool_t dbus_threads_init_default(void) +-{ +- return 1; +-} +- + DBusConnection *dbus_bus_get(DBusBusType type ATTRIBUTE_UNUSED, + DBusError *error ATTRIBUTE_UNUSED) + { +-- +1.8.4.4 + diff --git a/78af457e-fix-virnettlscontexttest.patch b/78af457e-fix-virnettlscontexttest.patch new file mode 100644 index 0000000..f06f8d2 
--- /dev/null +++ b/78af457e-fix-virnettlscontexttest.patch @@ -0,0 +1,43 @@ +From 78af457eefaf40e66a28b00446c03f8ee9a7f30f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Mon, 23 Dec 2013 09:01:42 +0100 +Subject: [PATCH] virnettlscontexttest fails with GNUTLS 3.0.28 + +On openSUSE 12.x with GNUTLS 3.0.28, virnettlscontexttest fails. It has +been reported to work from GNUTLS 3.1.11 on Fedora 19. Changed the +constraints on gnutls to 3.1+ for unit test cacert4req. + +Signed-off-by: Eric Blake +--- + tests/virnettlscontexttest.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c +index fc512fc..1cc9946 100644 +--- a/tests/virnettlscontexttest.c ++++ b/tests/virnettlscontexttest.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2011-2012 Red Hat, Inc. ++ * Copyright (C) 2011-2013 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -265,10 +265,12 @@ mymain(void) + + /* Technically a CA cert with basic constraints + * key purpose == key signing + non-critical should +- * be rejected. GNUTLS < 3 does not reject it and ++ * be rejected. GNUTLS < 3.1 does not reject it and + * we don't anticipate them changing this behaviour + */ +- DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, GNUTLS_VERSION_MAJOR >= 3); ++ DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, ++ (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) || ++ GNUTLS_VERSION_MAJOR > 3); + DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true); + DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true); + +-- +1.8.4.4 + diff --git a/libvirt.changes b/libvirt.changes index ed25abd..1494478 100644 --- a/libvirt.changes +++ b/libvirt.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Dec 26 12:16:13 UTC 2013 - cbosdonnat@suse.com + +- Fixed and reenabled unit tests. bnc#854694 + ------------------------------------------------------------------- Fri Dec 20 13:13:03 MST 2013 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index e9d7ede..ea3dd35 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -420,6 +420,8 @@ Source99: baselibs.conf # Upstream patches Patch0: f8c1cb90-CVE-2013-6436.patch Patch1: 9faf3f29-LXC-memtune.patch +Patch2: 5e397d9c-test-fix-dbus-crash.patch +Patch3: 78af457e-fix-virnettlscontexttest.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: ia64-clone.patch @@ -919,6 +921,8 @@ namespaces. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch100 -p1 %patch101 -p1 %patch102 -p1 @@ -1261,6 +1265,23 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_loca %clean rm -rf $RPM_BUILD_ROOT +%check +cd tests +make +# These tests don't current work in a mock build root +for i in nodeinfotest seclabeltest +do + rm -f $i + printf 'int main(void) { return 0; }' > $i.c + printf '#!/bin/sh\nexit 0\n' > $i + chmod +x $i +done +if ! make check VIR_TEST_DEBUG=1 +then + cat test-suite.log || true + exit 1 +fi + %if %{with_libvirtd} %pre daemon From 5ad9c788975fd4a163eb027ea640bf73416b584af773e55273159b33bb3b28ea Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Fri, 27 Dec 2013 00:03:47 +0000 Subject: [PATCH 14/14] - Ignore 'make check' on older, code 11 base OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=340 --- libvirt.changes | 5 +++++ libvirt.spec | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/libvirt.changes b/libvirt.changes index 1494478..c7bbc2f 100644 --- a/libvirt.changes +++ b/libvirt.changes 
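Review bot: In the new %check section the stub scripts written for nodeinfotest and seclabeltest always `exit 0`, so those two tests are recorded as PASS rather than skipped, and a later regression in the security-label test would be invisible in test-suite.log; writing `printf '#!/bin/sh\nexit 77\n' > $i` instead makes automake's `make check` report them as SKIP while the build still succeeds. The comment has a typo and should read `# These tests don't currently work in a mock build root`, ideally naming what fails in the mock root so the stubs can be dropped once that is fixed. `cd tests` and the bare `make` are not checked explicitly; rpmbuild presumably runs the scriptlet under `sh -e`, so a failure still aborts, but `cd tests && make` would not depend on that default.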
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Dec 26 17:01:48 MST 2013 - jfehlig@suse.com + +- Ignore 'make check' on older, code 11 base + ------------------------------------------------------------------- Thu Dec 26 12:16:13 UTC 2013 - cbosdonnat@suse.com diff --git a/libvirt.spec b/libvirt.spec index ea3dd35..d9f0e82 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -1265,6 +1265,9 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_loca %clean rm -rf $RPM_BUILD_ROOT +# Ignore 'make check' on older code base +%if 0%{?suse_version} >= 1210 + %check cd tests make @@ -1281,6 +1284,7 @@ then cat test-suite.log || true exit 1 fi +%endif %if %{with_libvirtd}