Accepting request 212580 from Virtualization

- Ignore 'make check' on older, code 11 base

OBS-URL: https://build.opensuse.org/request/show/212580
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=136
Stephan Kulow 2014-01-07 19:58:30 +00:00 committed by Git OBS Bridge
commit ee4135b043
41 changed files with 900 additions and 1979 deletions


@ -1,21 +0,0 @@
commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2
Author: Michal Privoznik <mprivozn@redhat.com>
Date: Tue Sep 3 18:56:06 2013 +0200
virFileNBDDeviceAssociate: Avoid use of uninitialized variable
The @qemunbd variable can be used uninitialized.
Index: libvirt-1.1.2/src/util/virfile.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virfile.c
+++ libvirt-1.1.2/src/util/virfile.c
@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char
char **dev)
{
char *nbddev;
- char *qemunbd;
+ char *qemunbd = NULL;
virCommandPtr cmd = NULL;
int ret = -1;
const char *fmtstr = NULL;


@ -1,354 +0,0 @@
commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Oct 10 13:09:08 2013 +0100
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.
The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.
Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/Makefile.am
+++ libvirt-1.1.2/Makefile.am
@@ -31,6 +31,7 @@ XML_EXAMPLES = \
test/*.xml storage/*.xml)))
EXTRA_DIST = \
+ config-post.h \
ChangeLog-old \
libvirt.spec libvirt.spec.in \
mingw-libvirt.spec.in \
Index: libvirt-1.1.2/config-post.h
===================================================================
--- /dev/null
+++ libvirt-1.1.2/config-post.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Since virt-login-shell will be setuid, we must do everything
+ * we can to avoid linking to other libraries. Many of them do
+ * unsafe things in functions marked __atttribute__((constructor)).
+ * The only way avoid to avoid such deps is to re-compile the
+ * functions with the code in question disabled, and for that we
+ * must override the main config.h rules. Hence this file :-(
+ */
+
+#ifdef LIBVIRT_SETUID_RPC_CLIENT
+# undef HAVE_LIBDEVMAPPER_H
+# undef HAVE_LIBNL
+# undef HAVE_LIBNL3
+# undef HAVE_LIBSASL2
+# undef WITH_CAPNG
+# undef WITH_CURL
+# undef WITH_DTRACE_PROBES
+# undef WITH_GNUTLS
+# undef WITH_MACVTAP
+# undef WITH_NUMACTL
+# undef WITH_SASL
+# undef WITH_SSH2
+# undef WITH_VIRTUALPORT
+# undef WITH_YAJL
+# undef WITH_YAJL2
+#endif
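Review bot: The `#undef` list under `LIBVIRT_SETUID_RPC_CLIENT` is a deny-list, so any optional dependency that config.h gains later is compiled into the setuid client unless someone remembers to add it here. A comment above the block should say so, for example `/* Every new HAVE_/WITH_ library macro in config.h must be reviewed and, unless setuid-safe, undefined here */`, and a build step that lists the libraries virt-login-shell actually links would catch omissions. The header comment also has two slips: `__atttribute__` should read `__attribute__` (the same spelling recurs in the src/Makefile.am and tools/Makefile.am comments of this patch), and "The only way avoid to avoid" should read "The only way to avoid".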
Index: libvirt-1.1.2/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list
AC_CONFIG_SRCDIR([src/libvirt.c])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
+AH_BOTTOM([#include <config-post.h>])
AC_CONFIG_MACRO_DIR([m4])
dnl Make automake keep quiet about wildcards & other GNUmake-isms
AM_INIT_AUTOMAKE([-Wno-portability tar-ustar])
Index: libvirt-1.1.2/daemon/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/daemon/Makefile.am
+++ libvirt-1.1.2/daemon/Makefile.am
@@ -18,6 +18,7 @@
INCLUDES = \
-I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I$(top_builddir)/include -I$(top_srcdir)/include \
-I$(top_builddir)/src -I$(top_srcdir)/src \
-I$(top_srcdir)/src/util \
Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am
+++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
@@ -15,7 +15,8 @@
## <http://www.gnu.org/licenses/>.
INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib
+ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir)
noinst_PROGRAMS = event-test
event_test_CFLAGS = $(WARN_CFLAGS)
event_test_SOURCES = event-test.c
Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am
+++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am
@@ -14,7 +14,7 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
noinst_PROGRAMS = hellolibvirt
hellolibvirt_CFLAGS = $(WARN_CFLAGS)
hellolibvirt_SOURCES = hellolibvirt.c
Index: libvirt-1.1.2/examples/openauth/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/openauth/Makefile.am
+++ libvirt-1.1.2/examples/openauth/Makefile.am
@@ -14,7 +14,7 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
noinst_PROGRAMS = openauth
openauth_CFLAGS = $(WARN_CFLAGS)
openauth_SOURCES = openauth.c
Index: libvirt-1.1.2/gnulib/lib/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/gnulib/lib/Makefile.am
+++ libvirt-1.1.2/gnulib/lib/Makefile.am
@@ -27,4 +27,4 @@ noinst_LTLIBRARIES =
include gnulib.mk
-INCLUDES = $(GETTEXT_CPPFLAGS)
+INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS)
Index: libvirt-1.1.2/python/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/python/Makefile.am
+++ libvirt-1.1.2/python/Makefile.am
@@ -20,6 +20,7 @@ INCLUDES = \
$(PYTHON_INCLUDES) \
-I$(top_builddir)/gnulib/lib \
-I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I$(top_builddir)/src \
-I$(top_srcdir)/src \
-I$(top_srcdir)/src/util \
Index: libvirt-1.1.2/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -21,6 +21,7 @@
# that actually use them. Also keep GETTEXT_CPPFLAGS at the end.
INCLUDES = -I../gnulib/lib \
-I$(top_srcdir)/gnulib/lib \
+ -I$(top_srcdir) \
-I../include \
-I$(top_srcdir)/include \
-I$(top_srcdir)/src/util \
@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \
libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This library is built to include the bare minimum required to
+# have a RPC client for local UNIX socket access only. We use
+# the ../config-post.h header to disable all external deps that
+# we don't want
+if WITH_LXC
+noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la
+
+libvirt_setuid_rpc_client_la_SOURCES = \
+ util/viralloc.c \
+ util/virbitmap.c \
+ util/virbuffer.c \
+ util/vircommand.c \
+ util/virconf.c \
+ util/virerror.c \
+ util/virevent.c \
+ util/vireventpoll.c \
+ util/virfile.c \
+ util/virhash.c \
+ util/virhashcode.c \
+ util/virjson.c \
+ util/virlog.c \
+ util/virobject.c \
+ util/virpidfile.c \
+ util/virprocess.c \
+ util/virrandom.c \
+ util/virsocketaddr.c \
+ util/virstoragefile.c \
+ util/virstring.c \
+ util/virtime.c \
+ util/virthread.c \
+ util/virtypedparam.c \
+ util/viruri.c \
+ util/virutil.c \
+ util/viruuid.c \
+ conf/domain_event.c \
+ rpc/virnetsocket.c \
+ rpc/virnetsocket.h \
+ rpc/virnetmessage.h \
+ rpc/virnetmessage.c \
+ rpc/virkeepalive.c \
+ rpc/virkeepalive.h \
+ rpc/virnetclient.c \
+ rpc/virnetclientprogram.c \
+ rpc/virnetclientstream.c \
+ rpc/virnetprotocol.c \
+ remote/remote_driver.c \
+ remote/remote_protocol.c \
+ remote/qemu_protocol.c \
+ remote/lxc_protocol.c \
+ datatypes.c \
+ libvirt.c \
+ libvirt-lxc.c \
+ $(NULL)
+
+libvirt_setuid_rpc_client_la_LDFLAGS = \
+ $(AM_LDFLAGS) \
+ $(LIBXML_LIBS) \
+ $(SELINUX_LIBS) \
+ $(NULL)
+libvirt_setuid_rpc_client_la_CFLAGS = \
+ -DLIBVIRT_SETUID_RPC_CLIENT \
+ -I$(top_srcdir)/src/conf \
+ -I$(top_srcdir)/src/rpc \
+ $(AM_CFLAGS) \
+ $(SELINUX_CFLAGS) \
+ $(NULL)
+endif WITH_LXC
+
lockdriverdir = $(libdir)/libvirt/lock-driver
lockdriver_LTLIBRARIES =
Index: libvirt-1.1.2/src/libvirt.c
===================================================================
--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
@@ -446,40 +446,46 @@ virGlobalInit(void)
goto error;
/*
+ * Note we must avoid everything except 'remote' driver
+ * for virt-login-shell usage
+ */
+#ifndef LIBVIRT_SETUID_RPC_CLIENT
+ /*
* Note that the order is important: the first ones have a higher
* priority when calling virConnectOpen.
*/
-#ifdef WITH_TEST
+# ifdef WITH_TEST
if (testRegister() == -1)
goto error;
-#endif
-#ifdef WITH_OPENVZ
+# endif
+# ifdef WITH_OPENVZ
if (openvzRegister() == -1)
goto error;
-#endif
-#ifdef WITH_VMWARE
+# endif
+# ifdef WITH_VMWARE
if (vmwareRegister() == -1)
goto error;
-#endif
-#ifdef WITH_PHYP
+# endif
+# ifdef WITH_PHYP
if (phypRegister() == -1)
goto error;
-#endif
-#ifdef WITH_ESX
+# endif
+# ifdef WITH_ESX
if (esxRegister() == -1)
goto error;
-#endif
-#ifdef WITH_HYPERV
+# endif
+# ifdef WITH_HYPERV
if (hypervRegister() == -1)
goto error;
-#endif
-#ifdef WITH_XENAPI
+# endif
+# ifdef WITH_XENAPI
if (xenapiRegister() == -1)
goto error;
-#endif
-#ifdef WITH_PARALLELS
+# endif
+# ifdef WITH_PARALLELS
if (parallelsRegister() == -1)
goto error;
+# endif
#endif
#ifdef WITH_REMOTE
if (remoteRegister() == -1)
Index: libvirt-1.1.2/tools/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/tools/Makefile.am
+++ libvirt-1.1.2/tools/Makefile.am
@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \
$(COVERAGE_CFLAGS) \
$(NULL)
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This we statically link to a library containing only the minimal
+# libvirt client code, not libvirt.so itself.
virt_login_shell_SOURCES = \
virt-login-shell.c
@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \
virt_login_shell_LDADD = \
$(STATIC_BINARIES) \
$(PIE_LDFLAGS) \
- ../src/libvirt.la \
- ../src/libvirt-lxc.la \
+ ../src/libvirt-setuid-rpc-client.la \
../gnulib/lib/libgnu.la
virt_login_shell_CFLAGS = \
+ -DLIBVIRT_SETUID_RPC_CLIENT \
$(WARN_CFLAGS) \
$(PIE_CFLAGS) \
$(COVERAGE_CFLAGS)


@ -1,31 +0,0 @@
commit 484cc3217b73b865f00bf42a9c12187b37200699
Author: Martin Kletzander <mkletzan@redhat.com>
Date: Fri Sep 20 16:40:20 2013 +0200
qemu: Fix seamless SPICE migration
Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
Index: libvirt-1.1.2/src/qemu/qemu_migration.c
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu_migration.c
+++ libvirt-1.1.2/src/qemu/qemu_migration.c
@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP
/* Poll every 50ms for progress & to allow cancellation */
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull };
- qemuDomainObjEnterMonitor(driver, vm);
+ if (qemuDomainObjEnterMonitorAsync(driver, vm,
+ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)
+ return -1;
+
if (qemuMonitorGetSpiceMigrationStatus(priv->mon,
&spice_migrated) < 0) {
qemuDomainObjExitMonitor(driver, vm);


@ -1,52 +0,0 @@
commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Oct 3 16:37:57 2013 +0100
Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)
The virConnectDomainXMLToNative API should require 'connect:write'
not 'connect:read', since it will trigger execution of the QEMU
binaries listed in the XML.
Also make virConnectDomainXMLFromNative API require a full
read-write connection and 'connect:write' permission. Although the
current impl doesn't trigger execution of QEMU, we should not
rely on that impl detail from an API permissioning POV.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/libvirt.c
===================================================================
--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC
virDispatchError(NULL);
return NULL;
}
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
virCheckNonNullArgGoto(nativeFormat, error);
virCheckNonNullArgGoto(nativeConfig, error);
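Review bot: The read-only rejection added to virConnectDomainXMLFromNative carries no comment saying why a format-conversion call is treated as a write, and the reason exists only in the commit message. A line such as `/* Requires a read-write connection: access policy must not rely on the parser never executing QEMU (CVE-2013-4401) */` above the `conn->flags & VIR_CONNECT_RO` test would stop a later cleanup from relaxing it. Only FromNative is visible here, so it is worth confirming that virConnectDomainXMLToNative has the same check, since the ACL change in remote_protocol.x covers both procedures. The function body starts and ends outside the hunk.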
Index: libvirt-1.1.2/src/remote/remote_protocol.x
===================================================================
--- libvirt-1.1.2.orig/src/remote/remote_protocol.x
+++ libvirt-1.1.2/src/remote/remote_protocol.x
@@ -3812,13 +3812,13 @@ enum remote_procedure {
/**
* @generate: both
- * @acl: connect:read
+ * @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
/**
* @generate: both
- * @acl: connect:read
+ * @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,


@ -1,103 +0,0 @@
commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2
Author: Jim Fehlig <jfehlig@suse.com>
Date: Mon Oct 21 15:36:11 2013 -0600
build: fix linking virt-login-shell
After commit 3e2f27e1, I've noticed build failures of virt-login-shell
when libapparmor-devel is installed on the build host
CCLD virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o):
In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined
reference to `aa_change_profile'
collect2: error: ld returned 1 exit status
I was about to commit an easy fix under the build-breaker rule
(build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS
to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it
makes sense (build-fix-2.patch).
Should I just stick with the simple fix, or is something along the lines
of patch 2 preferred?
Regards,
Jim
>From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 21 Oct 2013 15:30:02 -0600
Subject: [PATCH] build: fix virt-login-shell build with apparmor
With libapparmor-devel installed, virt-login-shell fails to link
CCLD virt-login-shell
../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
/home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
collect2: error: ld returned 1 exit status
Fix by linking libvirt_setuid_rpc_client with previously determined
SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS
and use both throughout src/Makefile.am where it makes sense.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Index: libvirt-1.1.2/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -49,11 +49,14 @@ nodist_conf_DATA =
THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD)
+SECDRIVER_CFLAGS =
SECDRIVER_LIBS =
if WITH_SECDRIVER_SELINUX
+SECDRIVER_CFLAGS += $(SELINUX_CFLAGS)
SECDRIVER_LIBS += $(SELINUX_LIBS)
endif
if WITH_SECDRIVER_APPARMOR
+SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS)
SECDRIVER_LIBS += $(APPARMOR_LIBS)
endif
@@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES =
libvirt_setuid_rpc_client_la_LDFLAGS = \
$(AM_LDFLAGS) \
$(LIBXML_LIBS) \
- $(SELINUX_LIBS) \
+ $(SECDRIVER_LIBS) \
$(NULL)
libvirt_setuid_rpc_client_la_CFLAGS = \
-DLIBVIRT_SETUID_RPC_CLIENT \
-I$(top_srcdir)/src/conf \
-I$(top_srcdir)/src/rpc \
$(AM_CFLAGS) \
- $(SELINUX_CFLAGS) \
+ $(SECDRIVER_CFLAGS) \
$(NULL)
endif WITH_LXC
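Review bot: Replacing `$(SELINUX_LIBS)` with `$(SECDRIVER_LIBS)` in `libvirt_setuid_rpc_client_la_LDFLAGS` links libapparmor into the library used by the setuid virt-login-shell whenever AppArmor is enabled, which widens the dependency set that the CVE-2013-4400 change deliberately restricted to libxml2 and libselinux. The link error comes from vircommand.c still referencing `aa_change_profile`, so the alternative is to compile that call out for `LIBVIRT_SETUID_RPC_CLIENT` builds through config-post.h instead of adding the library. If linking is the intended fix, the config-post.h and Makefile comments that describe the permitted libraries should be updated to mention AppArmor. The `$(SECDRIVER_LIBS)` line added to `libvirt_net_rpc_la_LDFLAGS` in the @@ -2268 hunk is not explained in the commit message either.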
@@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \
$(GNUTLS_LIBS) \
$(SASL_LIBS) \
$(SSH2_LIBS)\
+ $(SECDRIVER_LIBS) \
$(AM_LDFLAGS) \
$(CYGWIN_EXTRA_LDFLAGS) \
$(MINGW_EXTRA_LDFLAGS)
@@ -2410,12 +2414,7 @@ if WITH_BLKID
libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
libvirt_lxc_LDADD += $(BLKID_LIBS)
endif
-if WITH_SECDRIVER_SELINUX
-libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS)
-endif
-if WITH_SECDRIVER_APPARMOR
-libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS)
-endif
+libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS)
endif
endif
EXTRA_DIST += $(LXC_CONTROLLER_SOURCES)


@ -0,0 +1,31 @@
From 5e397d9c0f2ce7d464f8e7e6a598d1c955dfc04a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 18 Dec 2013 17:33:44 +0000
Subject: [PATCH] Fix crash in virsystemdtest with dbus 1.7.6
D-bus introduced some changes in its locking code. Overriding the init
function skips the new locking init and thus crashes later in libvirt
test. Removing the function makes the test pass again.
---
tests/virsystemdmock.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/tests/virsystemdmock.c b/tests/virsystemdmock.c
index b8fc031..b3b82b4 100644
--- a/tests/virsystemdmock.c
+++ b/tests/virsystemdmock.c
@@ -31,11 +31,6 @@ void dbus_connection_set_change_sigpipe(dbus_bool_t will_modify_sigpipe ATTRIBUT
{
}
-dbus_bool_t dbus_threads_init_default(void)
-{
- return 1;
-}
-
DBusConnection *dbus_bus_get(DBusBusType type ATTRIBUTE_UNUSED,
DBusError *error ATTRIBUTE_UNUSED)
{
--
1.8.4.4


@ -0,0 +1,43 @@
From 78af457eefaf40e66a28b00446c03f8ee9a7f30f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Mon, 23 Dec 2013 09:01:42 +0100
Subject: [PATCH] virnettlscontexttest fails with GNUTLS 3.0.28
On openSUSE 12.x with GNUTLS 3.0.28, virnettlscontexttest fails. It has
been reported to work from GNUTLS 3.1.11 on Fedora 19. Changed the
constraints on gnutls to 3.1+ for unit test cacert4req.
Signed-off-by: Eric Blake <eblake@redhat.com>
---
tests/virnettlscontexttest.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index fc512fc..1cc9946 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2012 Red Hat, Inc.
+ * Copyright (C) 2011-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -265,10 +265,12 @@ mymain(void)
/* Technically a CA cert with basic constraints
* key purpose == key signing + non-critical should
- * be rejected. GNUTLS < 3 does not reject it and
+ * be rejected. GNUTLS < 3.1 does not reject it and
* we don't anticipate them changing this behaviour
*/
- DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, GNUTLS_VERSION_MAJOR >= 3);
+ DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename,
+ (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
+ GNUTLS_VERSION_MAJOR > 3);
DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);
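Review bot: The expected result passed to `DO_CTX_TEST` for cacert4req is decided from the GnuTLS headers at compile time, so a test binary built against 3.1 headers and run with an older shared library (or the reverse) expects the wrong outcome; a runtime probe such as `gnutls_check_version("3.1.0") != NULL` avoids that. The commit message only establishes that 3.0.28 accepts the certificate and 3.1.11 rejects it, so the 3.1.0 cut-off is an assumption that should be stated in the comment. The comment still ends with "we don't anticipate them changing this behaviour" although this change exists because the behaviour did change, and should be reworded. If the compile-time form is kept, `GNUTLS_VERSION_NUMBER >= 0x030100` expresses the same condition in one comparison.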
--
1.8.4.4


@ -1,87 +0,0 @@
commit 795527548fea79902ea4ce32747e069944cf3e61
Author: Peter Krempa <pkrempa@redhat.com>
Date: Thu Sep 26 08:12:39 2013 +0200
conf: Don't crash on invalid chardev source definition of RNGs and other
Since commit 297c99a5 an invalid source definition XML of a character
device that is used as backend for RNG devices, smartcards and redirdevs
causes crash of the daemon when parsing such a definition.
The device types mentioned above are not a part of a regular character
device but are backends for other types. Thus when parsing such device
NULL is passed as the argument @chr_def. Later when checking the
validity of the definition @chr_def was dereferenced when parsing a UNIX
socket backend with missing path of the socket and crashed the daemon.
Sample offending configuration:
<devices>
...
<rng model='virtio'>
<backend model='egd' type='unix'>
<source mode='bind' service='1024'/>
</backend>
</rng>
</devices>
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196
Index: libvirt-1.1.2/src/conf/domain_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/conf/domain_conf.c
+++ libvirt-1.1.2/src/conf/domain_conf.c
@@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC
case VIR_DOMAIN_CHR_TYPE_UNIX:
/* path can be auto generated */
if (!path &&
- chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) {
+ (!chr_def ||
+ chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Missing source path attribute for char device"));
goto error;
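Review bot: The new `!chr_def ||` guard has no comment saying when `chr_def` is NULL, and that explanation lives only in the commit message. Something like `/* chr_def is NULL when parsing a backend for RNG, smartcard or redirdev devices */` next to the condition would help. The guard covers only the `VIR_DOMAIN_CHR_TYPE_UNIX` case and the rest of virDomainChrSourceDefParseXML is outside the hunk, so any other dereference of `chr_def` in the function should be checked the same way. The error is also raised as `VIR_ERR_INTERNAL_ERROR` although the cause is a missing attribute in user-supplied XML; `VIR_ERR_XML_ERROR` would describe it more accurately.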
Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
===================================================================
--- /dev/null
+++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <memballoon model='virtio'/>
+ <rng model='virtio'>
+ <backend model='egd' type='unix'>
+ <!-- https://bugzilla.redhat.com/show_bug.cgi?id=1012196 -->
+ <source mode='connect' host='1.2.3.4' service='1234'/>
+ </backend>
+ </rng>
+ </devices>
+</domain>
Index: libvirt-1.1.2/tests/qemuxml2argvtest.c
===================================================================
--- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c
+++ libvirt-1.1.2/tests/qemuxml2argvtest.c
@@ -973,6 +973,8 @@ mymain(void)
QEMU_CAPS_OBJECT_RNG_RANDOM);
DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG,
QEMU_CAPS_OBJECT_RNG_EGD);
+ DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE,
+ QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD);
DO_TEST("virtio-rng-ccw",
QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW,


@ -1,48 +0,0 @@
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri Sep 27 15:46:07 2013 +0100
Fix crash in libvirtd when events are registered & ACLs active
When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API
virConnectDomainEventDeregisterAny
This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.
This can be triggered by any client with readonly access when
the ACL drivers are active.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
/* Deregister event delivery callback */
if (priv->conn) {
+ virIdentityPtr sysident = virIdentityGetSystem();
size_t i;
+ virIdentitySetCurrent(sysident);
+
for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
if (priv->domainEventCallbackID[i] != -1) {
VIR_DEBUG("Deregistering to relay remote events %zu", i);
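Review bot: The result of `virIdentityGetSystem()` is used without a NULL check and the return value of `virIdentitySetCurrent(sysident)` is ignored, so if either call fails the deregistration loop runs without an identity again and the callbacks can stay registered, which is the use-after-free this change is meant to close. Since the free function cannot fail, the failure should at least be logged, e.g. `if (!sysident || virIdentitySetCurrent(sysident) < 0) VIR_WARN("unable to set system identity; event callbacks may not be deregistered");`. The result of the deregister call inside the loop is outside the visible lines and deserves the same attention. The matching `virIdentitySetCurrent(NULL)` and `virObjectUnref(sysident)` are in the following @@ -678 hunk.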
@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
}
virConnectClose(priv->conn);
+
+ virIdentitySetCurrent(NULL);
+ virObjectUnref(sysident);
}
VIR_FREE(priv);


@ -1,27 +0,0 @@
commit 843bdb2f8a3364637cda2911624149525188843f
Author: Jim Fehlig <jfehlig@suse.com>
Date: Mon Oct 21 23:12:22 2013 -0600
build: fix build of virt-login-shell on systems with older gnutls
On systems where gnutls uses libgcrypt, I'm seeing the following
build failure
libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type
libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function)
...
Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h
Index: libvirt-1.1.2/config-post.h
===================================================================
--- libvirt-1.1.2.orig/config-post.h
+++ libvirt-1.1.2/config-post.h
@@ -34,6 +34,7 @@
# undef WITH_CURL
# undef WITH_DTRACE_PROBES
# undef WITH_GNUTLS
+# undef WITH_GNUTLS_GCRYPT
# undef WITH_MACVTAP
# undef WITH_NUMACTL
# undef WITH_SASL


@ -1,61 +0,0 @@
commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:59:36 2013 +0100
Only allow 'stderr' log output when running setuid (CVE-2013-4400)
We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/virlog.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virlog.c
+++ libvirt-1.1.2/src/util/virlog.c
@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
* Multiple output can be defined in a single @output, they just need to be
* separated by spaces.
*
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
* Returns the number of output parsed and installed or -1 in case of error
*/
int
@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
virLogPriority prio;
int ret = -1;
int count = 0;
+ bool isSUID = virIsSUID();
if (cur == NULL)
return -1;
@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
if (virLogAddOutputToStderr(prio) == 0)
count++;
} else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
cur += 6;
if (*cur != ':')
goto cleanup;
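Review bot: The setuid restriction is applied as a separate `if (isSUID) goto cleanup;` inside the syslog branch here and again in the file and journald branches (the @@ -1365 and @@ -1385 hunks), so an output type added to this chain later is permitted under setuid unless its author repeats the check. A single allow-list test ahead of the chain is safer, e.g. `if (isSUID && !STREQLEN(cur, "stderr", 6)) goto cleanup;`, assuming the stderr branch is matched the same way as the branches shown. Nothing in the visible lines tells the user why the configured output was refused, so a message on stderr naming the rejected output would make the behaviour diagnosable. virLogParseOutputs starts and ends outside these hunks.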
@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
#endif /* HAVE_SYSLOG_H */
} else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
cur += 4;
if (*cur != ':')
goto cleanup;
@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
VIR_FREE(abspath);
} else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
cur += 8;
#if USE_JOURNALD
if (virLogAddOutputToJournald(prio) == 0)


@ -1,171 +0,0 @@
commit 922b7fda77b094dbf022d625238262ea05335666
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Aug 28 15:25:40 2013 +0100
Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.
To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.
This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test
AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
if test "x$PKCHECK_PATH" != "x" ; then
AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
+ AC_MSG_CHECKING([whether pkcheck supports uid value])
+ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
+ if test "x$pkcheck_supports_uid" = "xtrue"; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
+ else
+ AC_MSG_RESULT([no])
+ fi
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
[use PolicyKit for UNIX socket access checks])
AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
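Review bot: When `pkcheck_supports_uid` is not `true` the build only prints `no` and continues, producing a daemon that the accompanying remote.c change itself describes as known to be insecure. The `else` branch should at least use `AC_MSG_WARN([pkcheck does not support uid; polkit authentication remains exposed to CVE-2013-4311])` so the result is not lost in the configure output. The probe also yields an empty string both when polkit is too old and when the polkit-gobject-1 pkg-config file is simply not installed, and it records a property of the build host although pkcheck is resolved at run time, so the packaging should require a runtime polkit that matches what was detected.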
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr
int status = -1;
char *ident = NULL;
bool authdismissed = 0;
+ bool supportsuid = false;
char *pkout = NULL;
struct daemonClientPrivate *priv =
virNetServerClientGetPrivateData(client);
virCommandPtr cmd = NULL;
+ static bool polkitInsecureWarned;
virMutexLock(&priv->lock);
action = virNetServerClientGetReadonly(client) ?
@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr
goto authfail;
}
+ if (timestamp == 0) {
+ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
+ (long long)callerPid);
+ goto authfail;
+ }
+
VIR_INFO("Checking PID %lld running as %d",
(long long) callerPid, callerUid);
virCommandAddArg(cmd, "--process");
- if (timestamp != 0) {
- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+# ifdef PKCHECK_SUPPORTS_UID
+ supportsuid = true;
+# endif
+ if (supportsuid) {
+ virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
+ (long long) callerPid, timestamp, (unsigned long) callerUid);
} else {
- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
+ if (!polkitInsecureWarned) {
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
+ polkitInsecureWarned = true;
+ }
+ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
}
virCommandAddArg(cmd, "--allow-user-interaction");
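Review bot: The `supportsuid` switch, the process-tuple formatting and the warn-once `polkitInsecureWarned` flag are written out here and again in virAccessDriverPolkitFormatProcess in viraccessdriverpolkit.c, each with its own static flag, so the two copies can drift apart and the insecure-deployment warning is emitted separately by each. A shared helper that returns the formatted `--process` argument would keep the security-relevant formatting in one place. `polkitInsecureWarned` is also read and written without synchronisation; if dispatch runs on several worker threads the worst case appears to be a duplicated warning, but a short comment saying the race is accepted would make that explicit. remoteDispatchAuthPolkit starts and ends outside these hunks.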
Index: libvirt-1.1.2/libvirt.spec.in
===================================================================
--- libvirt-1.1.2.orig/libvirt.spec.in
+++ libvirt-1.1.2/libvirt.spec.in
@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel
%endif
%if %{with_polkit}
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-# Only need the binary, not -devel
-BuildRequires: polkit >= 0.93
+BuildRequires: polkit-devel >= 0.93
%else
BuildRequires: PolicyKit-devel >= 0.6
%endif
Index: libvirt-1.1.2/src/access/viraccessdriverpolkit.c
===================================================================
--- libvirt-1.1.2.orig/src/access/viraccessdriverpolkit.c
+++ libvirt-1.1.2/src/access/viraccessdriverpolkit.c
@@ -72,8 +72,12 @@ static char *
virAccessDriverPolkitFormatProcess(const char *actionid)
{
virIdentityPtr identity = virIdentityGetCurrent();
- const char *process = NULL;
+ const char *callerPid = NULL;
+ const char *callerTime = NULL;
+ const char *callerUid = NULL;
char *ret = NULL;
+ bool supportsuid = false;
+ static bool polkitInsecureWarned;
if (!identity) {
virAccessError(VIR_ERR_ACCESS_DENIED,
@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const
actionid);
return NULL;
}
- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
+ goto cleanup;
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
+ goto cleanup;
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
goto cleanup;
- if (!process) {
+ if (!callerPid) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No UNIX process ID available"));
goto cleanup;
}
-
- if (VIR_STRDUP(ret, process) < 0)
+ if (!callerTime) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process start time available"));
+ goto cleanup;
+ }
+ if (!callerUid) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX caller UID available"));
goto cleanup;
+ }
+
+#ifdef PKCHECK_SUPPORTS_UID
+ supportsuid = true;
+#endif
+ if (supportsuid) {
+ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
+ goto cleanup;
+ } else {
+ if (!polkitInsecureWarned) {
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
+ polkitInsecureWarned = true;
+ }
+ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
+ goto cleanup;
+ }
cleanup:
virObjectUnref(identity);

199
9faf3f29-LXC-memtune.patch Normal file

@ -0,0 +1,199 @@
commit 9faf3f2950aed1643ab7564afcb4c693c77f71b5
Author: Martin Kletzander <mkletzan@redhat.com>
Date: Mon Dec 9 11:15:12 2013 +0100
Fix crash in lxcDomainSetMemoryParameters
The function doesn't check whether the request is made for active or
inactive domain. Thus when the domain is not running it still tries
accessing non-existing cgroups (priv->cgroup, which is NULL).
I re-made the function in order for it to work the same way it's qemu
counterpart does.
Reproducer:
1) Define an LXC domain
2) Do 'virsh memtune <domain> --hard-limit 133T'
Backtrace:
Thread 6 (Thread 0x7fffec8c0700 (LWP 26826)):
#0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf718) at util/vircgroup.c:1764
#1 0x00007ffff70e9206 in virCgroupSetValueStr (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffe409f360 "1073741824")
at util/vircgroup.c:669
#2 0x00007ffff70e98b4 in virCgroupSetValueU64 (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", value=1073741824) at util/vircgroup.c:740
#3 0x00007ffff70ee518 in virCgroupSetMemory (group=0x0, kb=1048576) at util/vircgroup.c:1904
#4 0x00007ffff70ee675 in virCgroupSetMemoryHardLimit (group=0x0, kb=1048576)
at util/vircgroup.c:1944
#5 0x00005555557d54c8 in lxcDomainSetMemoryParameters (dom=0x7fffe40cc420,
params=0x7fffe409f100, nparams=1, flags=0) at lxc/lxc_driver.c:774
#6 0x00007ffff72c20f9 in virDomainSetMemoryParameters (domain=0x7fffe40cc420,
params=0x7fffe409f100, nparams=1, flags=0) at libvirt.c:4051
#7 0x000055555561365f in remoteDispatchDomainSetMemoryParameters (server=0x555555eb7e00,
client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, args=0x7fffe40b8510)
at remote_dispatch.h:7621
#8 0x00005555556133fd in remoteDispatchDomainSetMemoryParametersHelper (server=0x555555eb7e00,
client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, args=0x7fffe40b8510,
ret=0x7fffe40b84f0) at remote_dispatch.h:7591
#9 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0,
server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0)
at rpc/virnetserverprogram.c:435
#10 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0,
server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0)
at rpc/virnetserverprogram.c:305
#11 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ec4b10,
prog=0x555555ec3ae0, msg=0x555555eb94e0) at rpc/virnetserver.c:165
#12 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ec3e30, opaque=0x555555eb7e00)
at rpc/virnetserver.c:186
#13 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144
#14 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161
#15 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308
#16 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Index: libvirt-1.2.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-1.2.0.orig/src/lxc/lxc_driver.c
+++ libvirt-1.2.0/src/lxc/lxc_driver.c
@@ -742,12 +742,24 @@ lxcDomainSetMemoryParameters(virDomainPt
int nparams,
unsigned int flags)
{
- size_t i;
+ virCapsPtr caps = NULL;
+ virDomainDefPtr vmdef = NULL;
virDomainObjPtr vm = NULL;
+ virLXCDomainObjPrivatePtr priv = NULL;
+ virLXCDriverConfigPtr cfg = NULL;
+ virLXCDriverPtr driver = dom->conn->privateData;
+ unsigned long long hard_limit;
+ unsigned long long soft_limit;
+ unsigned long long swap_hard_limit;
+ bool set_hard_limit = false;
+ bool set_soft_limit = false;
+ bool set_swap_hard_limit = false;
+ int rc;
int ret = -1;
- virLXCDomainObjPrivatePtr priv;
- virCheckFlags(0, -1);
+ virCheckFlags(VIR_DOMAIN_AFFECT_LIVE |
+ VIR_DOMAIN_AFFECT_CONFIG, -1);
+
if (virTypedParamsValidate(params, nparams,
VIR_DOMAIN_MEMORY_HARD_LIMIT,
VIR_TYPED_PARAM_ULLONG,
@@ -762,29 +774,97 @@ lxcDomainSetMemoryParameters(virDomainPt
goto cleanup;
priv = vm->privateData;
+ cfg = virLXCDriverGetConfig(driver);
- if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0)
+ if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0 ||
+ !(caps = virLXCDriverGetCapabilities(driver, false)) ||
+ virDomainLiveConfigHelperMethod(caps, driver->xmlopt,
+ vm, &flags, &vmdef) < 0)
goto cleanup;
- ret = 0;
- for (i = 0; i < nparams; i++) {
- virTypedParameterPtr param = &params[i];
+ if (flags & VIR_DOMAIN_AFFECT_LIVE &&
+ !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) {
+ virReportError(VIR_ERR_OPERATION_INVALID,
+ "%s", _("cgroup memory controller is not mounted"));
+ goto cleanup;
+ }
- if (STREQ(param->field, VIR_DOMAIN_MEMORY_HARD_LIMIT)) {
- if (virCgroupSetMemoryHardLimit(priv->cgroup, params[i].value.ul) < 0)
- ret = -1;
- } else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SOFT_LIMIT)) {
- if (virCgroupSetMemorySoftLimit(priv->cgroup, params[i].value.ul) < 0)
- ret = -1;
- } else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT)) {
- if (virCgroupSetMemSwapHardLimit(priv->cgroup, params[i].value.ul) < 0)
- ret = -1;
+#define VIR_GET_LIMIT_PARAMETER(PARAM, VALUE) \
+ if ((rc = virTypedParamsGetULLong(params, nparams, PARAM, &VALUE)) < 0) \
+ goto cleanup; \
+ \
+ if (rc == 1) \
+ set_ ## VALUE = true;
+
+ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT, swap_hard_limit)
+ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_HARD_LIMIT, hard_limit)
+ VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SOFT_LIMIT, soft_limit)
+
+#undef VIR_GET_LIMIT_PARAMETER
+
+ /* Swap hard limit must be greater than hard limit.
+ * Note that limit of 0 denotes unlimited */
+ if (set_swap_hard_limit || set_hard_limit) {
+ unsigned long long mem_limit = vm->def->mem.hard_limit;
+ unsigned long long swap_limit = vm->def->mem.swap_hard_limit;
+
+ if (set_swap_hard_limit)
+ swap_limit = swap_hard_limit;
+
+ if (set_hard_limit)
+ mem_limit = hard_limit;
+
+ if (virCompareLimitUlong(mem_limit, swap_limit) > 0) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("memory hard_limit tunable value must be lower "
+ "than or equal to swap_hard_limit"));
+ goto cleanup;
}
}
+#define LXC_SET_MEM_PARAMETER(FUNC, VALUE) \
+ if (set_ ## VALUE) { \
+ if (flags & VIR_DOMAIN_AFFECT_LIVE) { \
+ if ((rc = FUNC(priv->cgroup, VALUE)) < 0) { \
+ virReportSystemError(-rc, _("unable to set memory %s tunable"), \
+ #VALUE); \
+ \
+ goto cleanup; \
+ } \
+ vm->def->mem.VALUE = VALUE; \
+ } \
+ \
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG) \
+ vmdef->mem.VALUE = VALUE; \
+ }
+
+ /* Soft limit doesn't clash with the others */
+ LXC_SET_MEM_PARAMETER(virCgroupSetMemorySoftLimit, soft_limit);
+
+ /* set hard limit before swap hard limit if decreasing it */
+ if (virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0) {
+ LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit);
+ /* inhibit changing the limit a second time */
+ set_hard_limit = false;
+ }
+
+ LXC_SET_MEM_PARAMETER(virCgroupSetMemSwapHardLimit, swap_hard_limit);
+
+ /* otherwise increase it after swap hard limit */
+ LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit);
+
+#undef LXC_SET_MEM_PARAMETER
+
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG &&
+ virDomainSaveConfig(cfg->configDir, vmdef) < 0)
+ goto cleanup;
+
+ ret = 0;
cleanup:
if (vm)
virObjectUnlock(vm);
+ virObjectUnref(caps);
+ virObjectUnref(cfg);
return ret;
}
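Review bot: The check `if (virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0)` reads `hard_limit` even when the caller did not pass VIR_DOMAIN_MEMORY_HARD_LIMIT. The variable is declared without an initializer in the previous hunk and, as far as the visible code shows, is only assigned through VIR_GET_LIMIT_PARAMETER when the parameter is present (whether virTypedParamsGetULLong writes its output on a miss is not visible here). The `set_hard_limit` test inside LXC_SET_MEM_PARAMETER keeps a stale value from reaching the cgroup, but the comparison itself still uses an indeterminate value. Guarding it, `if (set_hard_limit && virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0) {`, or initialising the three limits to 0 at their declarations, removes the problem. The function's opening lines are in the preceding hunk.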


@ -1,96 +0,0 @@
commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:52:39 2013 +0100
Add helpers for getting env vars in a setuid environment
Care must be taken accessing env variables when running
setuid. Introduce a virGetEnvAllowSUID for env vars which
are safe to use in a setuid environment, and another
virGetEnvBlockSUID for vars which are not safe. Also add
a virIsSUID helper method for any other non-env var code
to use.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/libvirt_private.syms
===================================================================
--- libvirt-1.1.2.orig/src/libvirt_private.syms
+++ libvirt-1.1.2/src/libvirt_private.syms
@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport;
virFormatIntDecimal;
virGetDeviceID;
virGetDeviceUnprivSGIO;
+virGetEnvAllowSUID;
+virGetEnvBlockSUID;
virGetFCHostNameByWWN;
virGetGroupID;
virGetGroupList;
@@ -2060,6 +2062,7 @@ virIndexToDiskName;
virIsCapableFCHost;
virIsCapableVport;
virIsDevMapperDevice;
+virIsSUID;
virManageVport;
virParseNumber;
virParseOwnershipIds;
Index: libvirt-1.1.2/src/util/virutil.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virutil.c
+++ libvirt-1.1.2/src/util/virutil.c
@@ -2116,3 +2116,42 @@ cleanup:
return rc;
}
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is unsafe to
+ * use when running setuid. If running setuid, a NULL
+ * value will be returned
+ */
+const char *virGetEnvBlockSUID(const char *name)
+{
+ return secure_getenv(name);
+}
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is safe to
+ * use when running setuid. The value will be returned
+ * even when running setuid
+ */
+const char *virGetEnvAllowSUID(const char *name)
+{
+ return getenv(name);
+}
+
+
+/**
+ * virIsSUID:
+ * Return a true value if running setuid. Does not
+ * check for elevated capabilities bits.
+ */
+bool virIsSUID(void)
+{
+ return getuid() != geteuid();
+}
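Review bot: `virIsSUID()` compares only the real and effective uid, so it returns false for a setgid-only process, while `virGetEnvBlockSUID()` relies on `secure_getenv()`, which in glibc also returns NULL when the real and effective gids differ. Code that branches on `virIsSUID()` can therefore disagree with the env helper. Either extend the test, `return getuid() != geteuid() || getgid() != getegid();`, or state the setgid limitation in the comment next to the existing note about capability bits. The doc block above `virGetEnvAllowSUID` is also headed `virGetEnvBlockSUID:` and should read `* virGetEnvAllowSUID:`.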
Index: libvirt-1.1.2/src/util/virutil.h
===================================================================
--- libvirt-1.1.2.orig/src/util/virutil.h
+++ libvirt-1.1.2/src/util/virutil.h
@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l
int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr);
+const char *virGetEnvBlockSUID(const char *name);
+const char *virGetEnvAllowSUID(const char *name);
+bool virIsSUID(void);
+
#endif /* __VIR_UTIL_H__ */


@ -1,36 +0,0 @@
commit b7fcc799ad5d8f3e55b89b94e599903e3c092467
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 15:14:34 2013 +0100
Close all non-stdio FDs in virt-login-shell (CVE-2013-4400)
We don't want to inherit any FDs in the new namespace
except for the stdio FDs. Explicitly close them all,
just in case some do not have the close-on-exec flag
set.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/tools/virt-login-shell.c
===================================================================
--- libvirt-1.1.2.orig/tools/virt-login-shell.c
+++ libvirt-1.1.2/tools/virt-login-shell.c
@@ -313,6 +313,18 @@ main(int argc, char **argv)
if (cpid == 0) {
pid_t ccpid;
+ int openmax = sysconf(_SC_OPEN_MAX);
+ int fd;
+ if (openmax < 0) {
+ virReportSystemError(errno, "%s",
+ _("sysconf(_SC_OPEN_MAX) failed"));
+ return EXIT_FAILURE;
+ }
+ for (fd = 3; fd < openmax; fd++) {
+ int tmpfd = fd;
+ VIR_MASS_CLOSE(tmpfd);
+ }
+
/* Fork once because we don't want to affect
* virt-login-shell's namespace itself
*/
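Review bot: The loop bound comes from `sysconf(_SC_OPEN_MAX)`, which reports the current soft RLIMIT_NOFILE. That limit is inherited from the invoking user, so a descriptor numbered at or above it would not be reached by `for (fd = 3; fd < openmax; fd++)`. Walking the descriptors that are actually open (for example the entries of /proc/self/fd on Linux) covers that case without depending on the inherited limit. Separately, sysconf() returns `long` and may return -1 without setting errno when the limit is indeterminate, so `int openmax` can truncate and the error path may report a stale errno; `long openmax` with `errno = 0;` before the call addresses both. main() continues outside the hunk.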


@ -1,247 +0,0 @@
commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c
Author: Cédric Bosdonnat <cbosdonnat@suse.com>
Date: Mon Sep 30 16:46:29 2013 +0200
LXC: workaround machined uncleaned data with containers running systemd.
The problem is described by [0] but its effect on libvirt is that
starting a container with a full distro running systemd after having
stopped it simply fails.
The container cleanup now calls the machined Terminate function to make
sure that everything is in order for the next run.
[0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370
Index: libvirt-1.1.2/src/libvirt_private.syms
===================================================================
--- libvirt-1.1.2.orig/src/libvirt_private.syms
+++ libvirt-1.1.2/src/libvirt_private.syms
@@ -1940,8 +1940,10 @@ virSysinfoSetup;
# util/virsystemd.h
virSystemdCreateMachine;
+virSystemdMakeMachineName;
virSystemdMakeScopeName;
virSystemdMakeSliceName;
+virSystemdTerminateMachine;
# util/virthread.h
Index: libvirt-1.1.2/src/lxc/lxc_process.c
===================================================================
--- libvirt-1.1.2.orig/src/lxc/lxc_process.c
+++ libvirt-1.1.2/src/lxc/lxc_process.c
@@ -50,6 +50,7 @@
#include "virstring.h"
#include "viratomic.h"
#include "virprocess.h"
+#include "virsystemd.h"
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD
virCgroupFree(&priv->cgroup);
}
+ /* Get machined to terminate the machine as it may not have cleaned it
+ * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for
+ * the bug we are working around here.
+ */
+ virSystemdTerminateMachine(vm->def->name, "lxc", true);
+
+
/* now that we know it's stopped call the hook if present */
if (virHookPresent(VIR_HOOK_DRIVER_LXC)) {
char *xml = virDomainDefFormat(vm->def, 0);
Index: libvirt-1.1.2/src/util/virsystemd.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virsystemd.c
+++ libvirt-1.1.2/src/util/virsystemd.c
@@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char
return virBufferContentAndReset(&buf);
}
+char *virSystemdMakeMachineName(const char *name,
+ const char *drivername,
+ bool privileged)
+{
+ char *machinename = NULL;
+ char *username = NULL;
+ if (privileged) {
+ if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
+ goto cleanup;
+ } else {
+ if (!(username = virGetUserName(geteuid())))
+ goto cleanup;
+ if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
+ goto cleanup;
+ }
+
+cleanup:
+ VIR_FREE(username);
+
+ return machinename;
+}
/**
* virSystemdCreateMachine:
@@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char *
DBusConnection *conn;
char *machinename = NULL;
char *creatorname = NULL;
- char *username = NULL;
char *slicename = NULL;
if (!virDBusHasSystemBus())
@@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char *
conn = virDBusGetSystemBus();
- if (privileged) {
- if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0)
- goto cleanup;
- } else {
- if (!(username = virGetUserName(geteuid())))
- goto cleanup;
- if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0)
- goto cleanup;
- }
+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
+ goto cleanup;
if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0)
goto cleanup;
@@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char *
ret = 0;
cleanup:
- VIR_FREE(username);
VIR_FREE(creatorname);
VIR_FREE(machinename);
return ret;
}
+
+int virSystemdTerminateMachine(const char *name,
+ const char *drivername,
+ bool privileged)
+{
+ int ret;
+ DBusConnection *conn;
+ char *machinename = NULL;
+
+ if(!virDBusHasSystemBus())
+ return -2;
+
+ conn = virDBusGetSystemBus();
+
+ ret = -1;
+ if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged)))
+ goto cleanup;
+
+ /*
+ * The systemd DBus API we're invoking has the
+ * following signature
+ *
+ * TerminateMachine(in s name);
+ *
+ * @name a host unique name for the machine. shows up
+ * in 'ps' listing & similar
+ */
+
+ VIR_DEBUG("Attempting to terminate machine via systemd");
+ if (virDBusCallMethod(conn,
+ NULL,
+ "org.freedesktop.machine1",
+ "/org/freedesktop/machine1",
+ "org.freedesktop.machine1.Manager",
+ "TerminateMachine",
+ "s",
+ machinename) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+cleanup:
+ VIR_FREE(machinename);
+ return ret;
+}
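Review bot: virSystemdTerminateMachine is added without a header comment although it has three outcomes (0, -1, and -2 when `virDBusHasSystemBus()` is false), and the only caller visible on this page, in virLXCProcessCleanup, discards the result. A comment in the style of the existing virSystemdCreateMachine block would help, e.g. `/* Returns 0 on success, -1 on error, -2 if the system bus is unavailable */`. The result of `virDBusGetSystemBus()` is also handed to virDBusCallMethod without a NULL check; whether the callee tolerates that is not visible here. Minor: `if(!virDBusHasSystemBus())` lacks the space after `if` that the rest of the hunk uses.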
Index: libvirt-1.1.2/src/util/virsystemd.h
===================================================================
--- libvirt-1.1.2.orig/src/util/virsystemd.h
+++ libvirt-1.1.2/src/util/virsystemd.h
@@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char
const char *slicename);
char *virSystemdMakeSliceName(const char *partition);
+char *virSystemdMakeMachineName(const char *name,
+ const char *drivername,
+ bool privileged);
+
int virSystemdCreateMachine(const char *name,
const char *drivername,
bool privileged,
@@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char *
bool iscontainer,
const char *partition);
+int virSystemdTerminateMachine(const char *name,
+ const char *drivername,
+ bool privileged);
+
#endif /* __VIR_SYSTEMD_H__ */
Index: libvirt-1.1.2/tests/virsystemdtest.c
===================================================================
--- libvirt-1.1.2.orig/tests/virsystemdtest.c
+++ libvirt-1.1.2/tests/virsystemdtest.c
@@ -51,6 +51,18 @@ static int testCreateContainer(const voi
return 0;
}
+static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED)
+{
+ if (virSystemdTerminateMachine("demo",
+ "lxc",
+ true) < 0) {
+ fprintf(stderr, "%s", "Failed to terminate LXC machine\n");
+ return -1;
+ }
+
+ return 0;
+}
+
static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED)
{
unsigned char uuid[VIR_UUID_BUFLEN] = {
@@ -74,6 +86,18 @@ static int testCreateMachine(const void
return 0;
}
+static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED)
+{
+ if (virSystemdTerminateMachine("demo",
+ "qemu",
+ false) < 0) {
+ fprintf(stderr, "%s", "Failed to terminate KVM machine\n");
+ return -1;
+ }
+
+ return 0;
+}
+
static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED)
{
unsigned char uuid[VIR_UUID_BUFLEN] = {
@@ -177,8 +201,12 @@ mymain(void)
if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0)
ret = -1;
+ if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0)
+ ret = -1;
if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0)
ret = -1;
+ if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0)
+ ret = -1;
if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0)
ret = -1;
if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0)


@ -1,149 +0,0 @@
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Aug 22 16:00:01 2013 +0100
Also store user & group ID values in virIdentity
Future improvements to the polkit code will require access to
the numeric user ID, not merely user name.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/rpc/virnetserverclient.c
===================================================================
--- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c
+++ libvirt-1.1.2/src/rpc/virnetserverclient.c
@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetS
char *processid = NULL;
char *processtime = NULL;
char *username = NULL;
+ char *userid = NULL;
char *groupname = NULL;
+ char *groupid = NULL;
#if WITH_SASL
char *saslname = NULL;
#endif
@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetS
if (!(username = virGetUserName(uid)))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)uid) < 0)
+ goto cleanup;
if (!(groupname = virGetGroupName(gid)))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)gid) < 0)
+ goto cleanup;
if (virAsprintf(&processid, "%llu",
(unsigned long long)pid) < 0)
goto cleanup;
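Review bot: The second added `virAsprintf` writes the gid into `&userid`, so the string allocated two lines earlier is overwritten (and leaked) and `groupid` is never set. The `groupid &&` guard in the next hunk then silently skips VIR_IDENTITY_ATTR_UNIX_GROUP_ID, while VIR_IDENTITY_ATTR_UNIX_USER_ID ends up carrying the group's number. The line should read `if (virAsprintf(&groupid, "%d", (int)gid) < 0)`, which is the correction made by the later patch e4697b92 on this page. Independently, `"%d"` with an `(int)` cast renders ids above INT_MAX as negative numbers, assuming uid_t and gid_t are unsigned on the target; `"%u"` with `(unsigned int)` avoids that here and in the matching virIdentityGetSystem hunk in viridentity.c. virNetServerClientCreateIdentity starts and ends outside the hunk.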
@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetS
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
+ if (userid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ userid) < 0)
+ goto error;
if (groupname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
+ if (groupid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ groupid) < 0)
+ goto error;
if (processid &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetS
cleanup:
VIR_FREE(username);
+ VIR_FREE(userid);
VIR_FREE(groupname);
+ VIR_FREE(groupid);
VIR_FREE(processid);
VIR_FREE(processtime);
VIR_FREE(seccontext);
Index: libvirt-1.1.2/src/util/viridentity.c
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.c
+++ libvirt-1.1.2/src/util/viridentity.c
@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr
virIdentityPtr virIdentityGetSystem(void)
{
char *username = NULL;
+ char *userid = NULL;
char *groupname = NULL;
+ char *groupid = NULL;
char *seccontext = NULL;
virIdentityPtr ret = NULL;
#if WITH_SELINUX
@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void
if (!(username = virGetUserName(getuid())))
goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
+ goto cleanup;
+
if (!(groupname = virGetGroupName(getgid())))
goto cleanup;
+ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0)
+ goto cleanup;
#if WITH_SELINUX
if (getcon(&con) < 0) {
@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void
if (!(ret = virIdentityNew()))
goto cleanup;
- if (username &&
- virIdentitySetAttr(ret,
+ if (virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
- if (groupname &&
- virIdentitySetAttr(ret,
+ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ userid) < 0)
+ goto error;
+ if (virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
+ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ groupid) < 0)
+ goto error;
if (seccontext &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void
cleanup:
VIR_FREE(username);
+ VIR_FREE(userid);
VIR_FREE(groupname);
+ VIR_FREE(groupid);
VIR_FREE(seccontext);
VIR_FREE(processid);
return ret;
Index: libvirt-1.1.2/src/util/viridentity.h
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.h
+++ libvirt-1.1.2/src/util/viridentity.h
@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr;
typedef enum {
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
VIR_IDENTITY_ATTR_SASL_USER_NAME,


@ -1,26 +0,0 @@
commit e350826c653b20dd271ab99075d2f224c7451356
Author: Marian Neagul <marian@info.uvt.ro>
Date: Tue Oct 22 16:03:39 2013 +0100
python: Fix Create*WithFiles filefd passing
Commit d76227be added functions virDomainCreateWithFiles and
virDomainCreateXMLWithFiles, but there was a little piece missing in
python bindings. This patch fixes proper passing of file descriptors
in the overwrites of these functions.
Index: libvirt-1.1.2/python/libvirt-override.c
===================================================================
--- libvirt-1.1.2.orig/python/libvirt-override.c
+++ libvirt-1.1.2/python/libvirt-override.c
@@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb
if (libvirt_intUnwrap(pyfd, &fd) < 0)
goto cleanup;
+
+ files[i] = fd;
+
+ files[i] = fd;
}
LIBVIRT_BEGIN_ALLOW_THREADS;
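Review bot: `files[i] = fd;` is added twice in a row inside the loop of libvirt_virDomainCreateXMLWithFiles, and the second assignment is redundant. The commit message says both virDomainCreateWithFiles and virDomainCreateXMLWithFiles needed the fix, yet this is the only hunk, so the duplicate may be the assignment that was meant for the other function's loop. That function is not visible here, so this needs checking against the file. The loop and the function start outside the hunk.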


@ -1,35 +0,0 @@
commit e4697b92abaad16e8e6b41a1e55be9b084d48d5a
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Mon Sep 23 12:46:25 2013 +0100
Fix typo in identity code which is pre-requisite for CVE-2013-4311
The fix for CVE-2013-4311 had a pre-requisite enhancement
to the identity code
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Aug 22 16:00:01 2013 +0100
Also store user & group ID values in virIdentity
This had a typo which caused the group ID to overwrite the
user ID string. This meant any checks using this would have
the wrong ID value. This only affected the ACL code, not the
initial polkit auth. It also leaked memory.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/rpc/virnetserverclient.c
===================================================================
--- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c
+++ libvirt-1.1.2/src/rpc/virnetserverclient.c
@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetS
goto cleanup;
if (!(groupname = virGetGroupName(gid)))
goto cleanup;
- if (virAsprintf(&userid, "%d", (int)gid) < 0)
+ if (virAsprintf(&groupid, "%d", (int)gid) < 0)
goto cleanup;
if (virAsprintf(&processid, "%llu",
(unsigned long long)pid) < 0)


@ -1,65 +0,0 @@
commit e65667c0c6e016d42abea077e31628ae43f57b74
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Aug 28 15:22:05 2013 +0100
Ensure system identity includes process start time
The polkit access driver will want to use the process start
time field. This was already set for network identities, but
not for the system identity.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/viridentity.c
===================================================================
--- libvirt-1.1.2.orig/src/util/viridentity.c
+++ libvirt-1.1.2/src/util/viridentity.c
@@ -35,6 +35,7 @@
#include "virthread.h"
#include "virutil.h"
#include "virstring.h"
+#include "virprocess.h"
#define VIR_FROM_THIS VIR_FROM_IDENTITY
@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void
security_context_t con;
#endif
char *processid = NULL;
+ unsigned long long timestamp;
+ char *processtime = NULL;
if (virAsprintf(&processid, "%llu",
(unsigned long long)getpid()) < 0)
goto cleanup;
+ if (virProcessGetStartTime(getpid(), &timestamp) < 0)
+ goto cleanup;
+
+ if (timestamp != 0 &&
+ virAsprintf(&processtime, "%llu", timestamp) < 0)
+ goto cleanup;
+
if (!(username = virGetUserName(getuid())))
goto cleanup;
if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
processid) < 0)
goto error;
+ if (processtime &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
+ processtime) < 0)
+ goto error;
cleanup:
VIR_FREE(username);
@@ -206,6 +221,7 @@ cleanup:
VIR_FREE(groupid);
VIR_FREE(seccontext);
VIR_FREE(processid);
+ VIR_FREE(processtime);
return ret;
error:


@ -1,35 +0,0 @@
commit e7f400a110e2e3673b96518170bfea0855dd82c0
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Tue Sep 3 16:52:06 2013 +0100
Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.
This was introduced in release v0.9.1 onwards by
commit 158ba8730e44b7dd07a21ab90499996c5dec080a
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Apr 13 16:21:35 2011 +0100
Merge all returns paths from dispatcher into single path
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe
remote_domain_memory_stats_ret *ret)
{
virDomainPtr dom = NULL;
- struct _virDomainMemoryStat *stats;
+ struct _virDomainMemoryStat *stats = NULL;
int nr_stats;
size_t i;
int rv = -1;


@ -0,0 +1,145 @@
commit f8c1cb90213508c4f32549023b0572ed774e48aa
Author: Martin Kletzander <mkletzan@redhat.com>
Date: Mon Dec 9 11:15:11 2013 +0100
CVE-2013-6436: fix crash in lxcDomainGetMemoryParameters
The function doesn't check whether the request is made for active or
inactive domain. Thus when the domain is not running it still tries
accessing non-existing cgroups (priv->cgroup, which is NULL).
I re-made the function in order for it to work the same way it's qemu
counterpart does.
Reproducer:
1) Define an LXC domain
2) Do 'virsh memtune <domain>'
Backtrace:
Thread 6 (Thread 0x7fffec8c0700 (LWP 13387)):
#0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf750) at util/vircgroup.c:1764
#1 0x00007ffff70e958c in virCgroupGetValueStr (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf7c0) at util/vircgroup.c:705
#2 0x00007ffff70e9d29 in virCgroupGetValueU64 (group=0x0, controller=3,
key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf810) at util/vircgroup.c:804
#3 0x00007ffff70ee706 in virCgroupGetMemoryHardLimit (group=0x0, kb=0x7fffec8bf8a8)
at util/vircgroup.c:1962
#4 0x00005555557d590f in lxcDomainGetMemoryParameters (dom=0x7fffd40024a0,
params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at lxc/lxc_driver.c:826
#5 0x00007ffff72c28d3 in virDomainGetMemoryParameters (domain=0x7fffd40024a0,
params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at libvirt.c:4137
#6 0x000055555563714d in remoteDispatchDomainGetMemoryParameters (server=0x555555eb7e00,
client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0,
ret=0x7fffd4002420) at remote.c:1895
#7 0x00005555556052c4 in remoteDispatchDomainGetMemoryParametersHelper (server=0x555555eb7e00,
client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0,
ret=0x7fffd4002420) at remote_dispatch.h:4050
#8 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0,
server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0)
at rpc/virnetserverprogram.c:435
#9 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0,
server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0)
at rpc/virnetserverprogram.c:305
#10 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ebaef0,
prog=0x555555ec3ae0, msg=0x555555ebb3e0) at rpc/virnetserver.c:165
#11 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ebc7e0, opaque=0x555555eb7e00)
at rpc/virnetserver.c:186
#12 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144
#13 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161
#14 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308
#15 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Index: libvirt-1.2.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-1.2.0.orig/src/lxc/lxc_driver.c
+++ libvirt-1.2.0/src/lxc/lxc_driver.c
@@ -794,22 +794,36 @@ lxcDomainGetMemoryParameters(virDomainPt
int *nparams,
unsigned int flags)
{
- size_t i;
+ virCapsPtr caps = NULL;
+ virDomainDefPtr vmdef = NULL;
virDomainObjPtr vm = NULL;
+ virLXCDomainObjPrivatePtr priv = NULL;
+ virLXCDriverPtr driver = dom->conn->privateData;
unsigned long long val;
int ret = -1;
- virLXCDomainObjPrivatePtr priv;
+ size_t i;
- virCheckFlags(0, -1);
+ virCheckFlags(VIR_DOMAIN_AFFECT_LIVE |
+ VIR_DOMAIN_AFFECT_CONFIG, -1);
if (!(vm = lxcDomObjFromDomain(dom)))
goto cleanup;
priv = vm->privateData;
- if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0 ||
+ !(caps = virLXCDriverGetCapabilities(driver, false)) ||
+ virDomainLiveConfigHelperMethod(caps, driver->xmlopt,
+ vm, &flags, &vmdef) < 0)
goto cleanup;
+ if (flags & VIR_DOMAIN_AFFECT_LIVE &&
+ !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) {
+ virReportError(VIR_ERR_OPERATION_INVALID,
+ "%s", _("cgroup memory controller is not mounted"));
+ goto cleanup;
+ }
+
if ((*nparams) == 0) {
/* Current number of memory parameters supported by cgroups */
*nparams = LXC_NB_MEM_PARAM;
@@ -823,22 +837,34 @@ lxcDomainGetMemoryParameters(virDomainPt
switch (i) {
case 0: /* fill memory hard limit here */
- if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0)
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+ val = vmdef->mem.hard_limit;
+ val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED;
+ } else if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0) {
goto cleanup;
+ }
if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_HARD_LIMIT,
VIR_TYPED_PARAM_ULLONG, val) < 0)
goto cleanup;
break;
case 1: /* fill memory soft limit here */
- if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0)
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+ val = vmdef->mem.soft_limit;
+ val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED;
+ } else if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0) {
goto cleanup;
+ }
if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_SOFT_LIMIT,
VIR_TYPED_PARAM_ULLONG, val) < 0)
goto cleanup;
break;
case 2: /* fill swap hard limit here */
- if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0)
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+ val = vmdef->mem.swap_hard_limit;
+ val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED;
+ } else if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0) {
goto cleanup;
+ }
if (virTypedParameterAssign(param,
VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT,
VIR_TYPED_PARAM_ULLONG, val) < 0)
@@ -859,6 +885,7 @@ lxcDomainGetMemoryParameters(virDomainPt
cleanup:
if (vm)
virObjectUnlock(vm);
+ virObjectUnref(caps);
return ret;
}


@ -8,11 +8,11 @@ uses the 'device_configure' RPC.
This patch changes the xend driver to always call 'device_configure' for
PCI devices to be consistent with the usage in the xen tools.
Index: libvirt-1.1.2/src/xen/xend_internal.c
Index: libvirt-1.2.0/src/xen/xend_internal.c
===================================================================
--- libvirt-1.1.2.orig/src/xen/xend_internal.c
+++ libvirt-1.1.2/src/xen/xend_internal.c
@@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
--- libvirt-1.2.0.orig/src/xen/xend_internal.c
+++ libvirt-1.2.0/src/xen/xend_internal.c
@@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
virBuffer buf = VIR_BUFFER_INITIALIZER;
char class[8], ref[80];
char *target = NULL;
@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1);
@@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
@@ -2305,8 +2306,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr
}
sexpr = virBufferContentAndReset(&buf);


@ -1,28 +1,18 @@
Index: src/lxc/lxc_container.c
Index: libvirt-1.2.0/src/lxc/lxc_container.c
===================================================================
--- src/lxc/lxc_container.c.orig
+++ src/lxc/lxc_container.c
@@ -144,6 +144,7 @@ int lxcContainerHasReboot(void)
int cmd, v;
int status;
char *tmp;
+ int stacksize = getpagesize() * 4;
if (virFileReadAll("/proc/sys/kernel/ctrl-alt-del", 10, &buf) < 0)
return -1;
@@ -160,12 +161,19 @@ int lxcContainerHasReboot(void)
--- libvirt-1.2.0.orig/src/lxc/lxc_container.c
+++ libvirt-1.2.0/src/lxc/lxc_container.c
@@ -162,12 +162,19 @@ int lxcContainerHasReboot(void)
VIR_FREE(buf);
cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
- if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0)
+#ifdef __ia64__
+ stacksize *= 2;
+#endif
+ if (VIR_ALLOC_N(stack, stacksize) < 0)
if (VIR_ALLOC_N(stack, stacksize) < 0)
return -1;
- childStack = stack + (getpagesize() * 4);
+ childStack = stack + stacksize;
childStack = stack + stacksize;
+#ifdef __ia64__
+ cpid = __clone2(lxcContainerRebootChild, childStack, stacksize, flags, &cmd);
@ -32,7 +22,17 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
if (cpid < 0) {
virReportSystemError(errno, "%s",
@@ -1893,7 +1901,11 @@ int lxcContainerStart(virDomainDefPtr de
@@ -1985,6 +1992,9 @@ int lxcContainerStart(virDomainDefPtr de
.handshakefd = handshakefd
};
+#ifdef __ia64__
+ stacksize *= 2;
+#endif
/* allocate a stack for the container */
if (VIR_ALLOC_N(stack, stacksize) < 0)
return -1;
@@ -2010,7 +2020,11 @@ int lxcContainerStart(virDomainDefPtr de
cflags |= CLONE_NEWNET;
}
@ -44,29 +44,17 @@ Index: src/lxc/lxc_container.c
VIR_FREE(stack);
VIR_DEBUG("clone() completed, new container PID is %d", pid);
@@ -1919,6 +1931,7 @@ int lxcContainerAvailable(int features)
int cpid;
char *childStack;
char *stack;
+ int stacksize = getpagesize() * 4;
if (features & LXC_CONTAINER_FEATURE_USER)
flags |= CLONE_NEWUSER;
@@ -1926,14 +1939,21 @@ int lxcContainerAvailable(int features)
@@ -2044,12 +2058,19 @@ int lxcContainerAvailable(int features)
if (features & LXC_CONTAINER_FEATURE_NET)
flags |= CLONE_NEWNET;
- if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0) {
+#ifdef __ia64__
+ stacksize *= 2;
+#endif
+ if (VIR_ALLOC_N(stack, stacksize) < 0) {
VIR_DEBUG("Unable to allocate stack");
if (VIR_ALLOC_N(stack, stacksize) < 0)
return -1;
}
- childStack = stack + (getpagesize() * 4);
+ childStack = stack + stacksize;
childStack = stack + stacksize;
+#ifdef __ia64__
+ cpid = __clone2(lxcContainerDummyChild, childStack, stacksize, flags, NULL);
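Review bot: Both `__clone2` calls visible in this patch pass `childStack`, which is `stack + stacksize`, as the stack argument, whereas the clone(2) documentation describes that argument of `__clone2` as the lowest address of the child's stack area, with the size passed separately. As written, the child's stack region on ia64 would begin at the end of the `VIR_ALLOC_N` buffer instead of inside it, so the child would run on memory outside the allocation. I would pass the buffer base, e.g. `cpid = __clone2(lxcContainerRebootChild, stack, stacksize, flags, &cmd);`, and do the same for `lxcContainerDummyChild`. The `__clone2` call in `lxcContainerStart` is not shown in this section and should be checked the same way; this path is ia64-only, so please confirm on that architecture.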


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/examples/apparmor/Makefile.am
Index: libvirt-1.2.0/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/Makefile.am
+++ libvirt-1.1.2/examples/apparmor/Makefile.am
--- libvirt-1.2.0.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.0/examples/apparmor/Makefile.am
@@ -14,8 +14,45 @@
## License along with this library. If not, see
## <http://www.gnu.org/licenses/>.
@ -53,10 +53,10 @@ Index: libvirt-1.1.2/examples/apparmor/Makefile.am
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
Index: libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,41 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
@ -99,9 +99,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+ /var/lib/kvm/images/ r,
+ /var/lib/kvm/images/** r,
+}
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
Index: libvirt-1.2.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-1.2.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
@ -142,9 +142,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd
Index: libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd
--- libvirt-1.2.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
@ -199,11 +199,11 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
Index: libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,60 @@
+++ libvirt-1.2.0/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,61 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
@ -244,8 +244,8 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
+ /sbin/* Ux,
+ /usr/bin/* Ux,
+ /usr/sbin/* Ux,
+ /usr/lib/xen/bin/qemu-dm Ux,
+ /usr/lib/xen/bin/qemu-system-i386 Ux,
+ /usr/lib/xen/bin/* Ux,
+ /usr/lib64/xen/bin/* Ux,
+ /usr/lib/PolicyKit/polkit-read-auth-helper Px,
+
+ # force the use of virt-aa-helper
@ -255,6 +255,7 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /etc/libvirt/hooks/* rix,
+ /etc/xen/scripts/* rix,
+ @libdir@/libvirt/* Pxr,
+ @libdir@/libvirt/libvirt_parthelper Ux,
@ -264,9 +265,9 @@ Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu
Index: libvirt-1.2.0/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu
--- libvirt-1.2.0.orig/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,129 +0,0 @@
-# Last Modified: Fri Mar 9 14:43:22 2012
@ -398,10 +399,10 @@ Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu
-
- /usr/libexec/qemu-bridge-helper rmix,
- }
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
Index: libvirt-1.2.0/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.2.0/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,132 @@
+# Last Modified: Fri Mar 9 14:43:22 2012
+
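Review bot: The libvirtd profile now grants `Ux` on `/usr/lib/xen/bin/*` and `/usr/lib64/xen/bin/*` where the earlier revision appears to have named only `qemu-dm` and `qemu-system-i386`, so any file placed in those directories runs unconfined when libvirtd executes it. If the set of Xen helpers is known, listing them individually keeps the allowance narrow; otherwise `PUx` would at least apply a profile where one exists. The new `/etc/libvirt/hooks/* rix,` rule runs hook scripts under libvirtd's own profile, so I would add a comment next to it such as `# hooks inherit this profile; keep /etc/libvirt/hooks root-owned and not group/world writable`.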


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9aa2fd6d2e7737323c846092cb2f8bf95e0b622c570b29ee4060eed634409cf4
size 18774400

3
libvirt-1.2.0.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fbfe494beed93925f3f74ecc51775299218127ce9b6f747852701afa120b7eda
size 19390046


@ -1,9 +1,9 @@
Adjust libvirt-guests init files to conform to SUSE standards
Index: libvirt-1.1.2/tools/libvirt-guests.init.in
Index: libvirt-1.2.0/tools/libvirt-guests.init.in
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.init.in
+++ libvirt-1.1.2/tools/libvirt-guests.init.in
--- libvirt-1.2.0.orig/tools/libvirt-guests.init.in
+++ libvirt-1.2.0/tools/libvirt-guests.init.in
@@ -3,15 +3,15 @@
# the following is the LSB init header
#
@ -28,10 +28,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.init.in
### END INIT INFO
# the following is chkconfig init header
Index: libvirt-1.1.2/tools/libvirt-guests.sh.in
Index: libvirt-1.2.0/tools/libvirt-guests.sh.in
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.1.2/tools/libvirt-guests.sh.in
--- libvirt-1.2.0.orig/tools/libvirt-guests.sh.in
+++ libvirt-1.2.0/tools/libvirt-guests.sh.in
@@ -16,14 +16,13 @@
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
@ -189,10 +189,10 @@ Index: libvirt-1.1.2/tools/libvirt-guests.sh.in
esac
-exit $RETVAL
+rc_exit
Index: libvirt-1.1.2/tools/libvirt-guests.sysconf
Index: libvirt-1.2.0/tools/libvirt-guests.sysconf
===================================================================
--- libvirt-1.1.2.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.1.2/tools/libvirt-guests.sysconf
--- libvirt-1.2.0.orig/tools/libvirt-guests.sysconf
+++ libvirt-1.2.0/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
+## Path: System/Virtualization/libvirt-guests
+


@ -1,16 +1,16 @@
Index: libvirt-1.1.2/configure.ac
Index: libvirt-1.2.0/configure.ac
===================================================================
--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_FUSE
--- libvirt-1.2.0.orig/configure.ac
+++ libvirt-1.2.0/configure.ac
@@ -231,6 +231,7 @@ LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_GLUSTER
LIBVIRT_CHECK_HAL
LIBVIRT_CHECK_NETCF
+LIBVIRT_CHECK_NETCONTROL
LIBVIRT_CHECK_NUMACTL
LIBVIRT_CHECK_OPENWSMAN
LIBVIRT_CHECK_PCIACCESS
@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then
@@ -2312,11 +2313,12 @@ if test "$with_libvirtd" = "no" ; then
with_interface=no
fi
@ -26,22 +26,22 @@ Index: libvirt-1.1.2/configure.ac
esac
if test "$with_interface" = "yes" ; then
@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS
LIBVIRT_RESULT_FUSE
@@ -2631,6 +2633,7 @@ LIBVIRT_RESULT_FUSE
LIBVIRT_RESULT_GLUSTER
LIBVIRT_RESULT_HAL
LIBVIRT_RESULT_NETCF
+LIBVIRT_RESULT_NETCONTROL
LIBVIRT_RESULT_NUMACTL
LIBVIRT_RESULT_OPENWSMAN
LIBVIRT_RESULT_PCIACCESS
Index: libvirt-1.1.2/src/Makefile.am
Index: libvirt-1.2.0/src/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
@@ -754,6 +754,10 @@ if WITH_NETCF
--- libvirt-1.2.0.orig/src/Makefile.am
+++ libvirt-1.2.0/src/Makefile.am
@@ -781,6 +781,10 @@ if WITH_NETCF
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_netcf.c
endif
endif WITH_NETCF
+if WITH_NETCONTROL
+INTERFACE_DRIVER_SOURCES += \
+ interface/interface_backend_netcf.c
@ -49,28 +49,27 @@ Index: libvirt-1.1.2/src/Makefile.am
if WITH_UDEV
INTERFACE_DRIVER_SOURCES += \
interface/interface_backend_udev.c
@@ -1314,11 +1318,16 @@ if WITH_NETCF
@@ -1346,10 +1350,15 @@ if WITH_NETCF
libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
else
else ! WITH_NETCF
+if WITH_NETCONTROL
+libvirt_driver_interface_la_CFLAGS += $(NETCONTROL_CFLAGS)
+libvirt_driver_interface_la_LIBADD += $(NETCONTROL_LIBS)
+else
+else ! WITH_NETCONTROL
if WITH_UDEV
libvirt_driver_interface_la_CFLAGS += $(UDEV_CFLAGS)
libvirt_driver_interface_la_LIBADD += $(UDEV_LIBS)
endif
endif
+endif
endif WITH_UDEV
+endif ! WITH_NETCONTROL
endif ! WITH_NETCF
if WITH_DRIVER_MODULES
libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la
libvirt_driver_interface_la_LDFLAGS += -module -avoid-version
Index: libvirt-1.1.2/tools/virsh.c
Index: libvirt-1.2.0/tools/virsh.c
===================================================================
--- libvirt-1.1.2.orig/tools/virsh.c
+++ libvirt-1.1.2/tools/virsh.c
@@ -2864,6 +2864,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
--- libvirt-1.2.0.orig/tools/virsh.c
+++ libvirt-1.2.0/tools/virsh.c
@@ -3029,6 +3029,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
vshPrint(ctl, " Interface");
# if defined(WITH_NETCF)
vshPrint(ctl, " netcf");
@ -79,10 +78,10 @@ Index: libvirt-1.1.2/tools/virsh.c
# elif defined(WITH_UDEV)
vshPrint(ctl, " udev");
# endif
Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
Index: libvirt-1.2.0/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-1.1.2.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.1.2/src/interface/interface_backend_netcf.c
--- libvirt-1.2.0.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.2.0/src/interface/interface_backend_netcf.c
@@ -23,7 +23,12 @@
#include <config.h>
@ -97,9 +96,9 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
#include "virerror.h"
#include "datatypes.h"
@@ -54,6 +59,38 @@ static void interfaceDriverUnlock(struct
virMutexUnlock(&driver->lock);
}
@@ -63,6 +68,37 @@ VIR_ONCE_GLOBAL_INIT(virNetcfDriverState
static virNetcfDriverStatePtr driverState = NULL;
+#ifdef WITH_NETCONTROL
+static void
@ -132,25 +131,44 @@ Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c
+ virLogMessage(VIR_LOG_FROM_FILE, vp, file, line, func, 0, "%s", msg);
+}
+#endif
+
/*
* Get a minimal virInterfaceDef containing enough metadata
* for access control checks to be performed. Currently
@@ -164,6 +201,10 @@ static virDrvOpenStatus netcfInterfaceOp
goto mutex_error;
}
static void
virNetcfDriverStateDispose(void *obj)
@@ -85,7 +121,22 @@ netcfStateInitialize(bool privileged ATT
if (!(driverState = virObjectLockableNew(virNetcfDriverStateClass)))
return -1;
+#ifdef WITH_NETCONTROL
+ nc_logger_redirect_to(interface_nc_log_driver);
+#endif
+
/* open netcf */
if (ncf_init(&driverState->netcf, NULL) != 0)
{
Index: libvirt-1.1.2/src/interface/interface_driver.c
+ /* Note: On SUSE, ncf_init will fail if Network Manager is enabled. Ignore
+ * the failure so libvirtd will still start. Connections to the driver will
+ * fail in netcfInterfaceOpen. This restores the behavior before
+ * commit 822fe136.
+ */
+ if (ncf_init(&driverState->netcf, NULL) != 0) {
+ VIR_WARN("Failed to initialize netcontrol. Continuing with network "
+ "interface management features disabled");
+ virObjectUnref(driverState);
+ driverState = NULL;
+ }
+#else
if (ncf_init(&driverState->netcf, NULL) != 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("failed to initialize netcf"));
@@ -93,6 +144,7 @@ netcfStateInitialize(bool privileged ATT
driverState = NULL;
return -1;
}
+#endif
return 0;
}
Index: libvirt-1.2.0/src/interface/interface_driver.c
===================================================================
--- libvirt-1.1.2.orig/src/interface/interface_driver.c
+++ libvirt-1.1.2/src/interface/interface_driver.c
--- libvirt-1.2.0.orig/src/interface/interface_driver.c
+++ libvirt-1.2.0/src/interface/interface_driver.c
@@ -28,8 +28,15 @@ interfaceRegister(void) {
if (netcfIfaceRegister() == 0)
return 0;
@ -168,10 +186,10 @@ Index: libvirt-1.1.2/src/interface/interface_driver.c
if (udevIfaceRegister() == 0)
return 0;
#endif /* WITH_UDEV */
Index: libvirt-1.1.2/m4/virt-netcontrol.m4
Index: libvirt-1.2.0/m4/virt-netcontrol.m4
===================================================================
--- /dev/null
+++ libvirt-1.1.2/m4/virt-netcontrol.m4
+++ libvirt-1.2.0/m4/virt-netcontrol.m4
@@ -0,0 +1,35 @@
+dnl The libnetcontrol library
+dnl
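Review bot: In the `WITH_NETCONTROL` branch of `netcfStateInitialize`, a failed `ncf_init` now leaves `driverState` NULL and still returns 0, so every other entry point that dereferences `driverState` has to tolerate NULL; the comment names only `netcfInterfaceOpen`, and none of those functions are visible in this section. Please confirm that the state cleanup and reload callbacks check for NULL too, since a missed check would crash libvirtd instead of merely disabling interface management. A short comment at the declaration, `/* may be NULL when netcontrol failed to initialize; check before use */`, would make that contract explicit. The body of `netcfStateInitialize` begins outside the hunk.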


@ -1,3 +1,108 @@
-------------------------------------------------------------------
Thu Dec 26 17:01:48 MST 2013 - jfehlig@suse.com
- Ignore 'make check' on older, code 11 base
-------------------------------------------------------------------
Thu Dec 26 12:16:13 UTC 2013 - cbosdonnat@suse.com
- Fixed and reenabled unit tests. bnc#854694
-------------------------------------------------------------------
Fri Dec 20 13:13:03 MST 2013 - jfehlig@suse.com
- Remove dependency on pm-utils from libvirt-client
bnc#856381
-------------------------------------------------------------------
Fri Dec 20 09:04:45 MST 2013 - jfehlig@suse.com
- CVE-2013-6436: Fix crashes in lxc memtune code, one of which
results in DoS
f8c1cb90-CVE-2013-6436.patch, 9faf3f29-LXC-memtune.patch
bnc#854486
-------------------------------------------------------------------
Fri Dec 6 15:49:34 MST 2013 - jfehlig@suse.com
- More adjustments to the spec file to fix package dependency
issues
bnc#848918
-------------------------------------------------------------------
Fri Dec 6 11:03:54 MST 2013 - jfehlig@suse.com
- Update to libvirt 1.2.0
- Add support for gluster pool
- Separation of python binding
- vbox: add support for 4.3 APIs
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Updated and renamed clone.patch to ia64-clone.patch
- Enabled numad support for openSUSE >= 13.1
-------------------------------------------------------------------
Wed Dec 4 14:28:14 MST 2013 - jfehlig@suse.com
- Link with same versions of libnl used by netcontrol to prevent
crashing libvirtd on start
-------------------------------------------------------------------
Wed Dec 4 10:43:28 MST 2013 - jfehlig@suse.com
- Add '/etc/sasl2' to libvirt-client file list to fix Factory build
-------------------------------------------------------------------
Tue Nov 26 20:02:48 MST 2013 - jfehlig@suse.com
- Fix starting of libvirtd when NetworkManager is enabled
Modified libvirt-suse-netcontrol.patch
-------------------------------------------------------------------
Tue Nov 26 14:51:44 MST 2013 - jfehlig@suse.com
- Allow execution of libvirt hook scripts in /etc/libvirt/hooks/
in libvirtd AppArmor profile
-------------------------------------------------------------------
Wed Nov 20 10:57:57 MST 2013 - jfehlig@suse.com
- Update to libvirt 1.1.4
- Add support for AArch64 architecture
- Various improvements on test code and test driver
- Don't link virt-login-shell against libvirt.so
- Close all non-stdio FDs in virt-login-shell
- Only allow 'stderr' log output when running setuid
- Fix perms for virConnectDomainXML{To,From}Native
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Drop upstream patches: e7f400a1-CVE-2013-4296.patch,
2dba0323-CVE-2013-4297.patch, db7a5688-CVE-2013-4311.patch,
e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch,
e4697b92-CVE-2013-4311.patch, 8294aa0c-CVE-2013-4399.patch,
484cc321-fix-spice-migration.patch,
79552754-libvirtd-chardev-crash.patch,
57687fd6-CVE-2013-4401.patch, ae53e5d1-CVE-2013-4400.patch,
8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch,
3e2f27e1-CVE-2013-4400.patch, 5a0ea4b7-CVE-2013-4400.patch,
843bdb2f-CVE-2013-4400.patch,
bd773e74-lxc-terminate-machine.patch,
e350826c-python-fix-fd-passing.patch
-------------------------------------------------------------------
Tue Nov 19 14:23:27 MST 2013 - jfehlig@suse.com
- Allow execution of Xen binaries in /usr/lib{,64}/xen/bin in
libvirtd AppArmor profile
bnc#849524
-------------------------------------------------------------------
Tue Nov 19 13:09:31 MST 2013 - jfehlig@suse.com
- Require libvirt-daemon-<hypervisor> in the main libvirt package
for each supported hypervisor
bnc#850882
-------------------------------------------------------------------
Mon Nov 4 15:44:39 MST 2013 - jfehlig@suse.com


@ -42,10 +42,10 @@
%define with_lxc 0%{!?_without_lxc:%{server_drivers}}
%define with_uml 0%{!?_without_uml:%{server_drivers}}
%define with_libxl 0%{!?_without_libxl:%{server_drivers}}
%define with_vbox 0%{!?_without_vbox:%{server_drivers}}
# Then the hypervisor drivers that run outside libvirtd, in libvirt.so
%define with_openvz 0%{!?_without_openvz:1}
%define with_vbox 0%{!?_without_vbox:1}
%define with_vmware 0%{!?_without_vmware:1}
%define with_phyp 0%{!?_without_phyp:0}
%define with_esx 0%{!?_without_esx:1}
@ -63,6 +63,7 @@
%define with_storage_mpath 0%{!?_without_storage_mpath:%{server_drivers}}
%define with_storage_rbd 0
%define with_storage_sheepdog 0
%define with_storage_gluster 0
%define with_numactl 0%{!?_without_numactl:%{server_drivers}}
%define with_selinux 0%{!?_without_selinux:%{server_drivers}}
%define with_apparmor 0%{!?_without_apparmor:%{server_drivers}}
@ -91,7 +92,6 @@
%define with_libssh2 0%{!?_without_libssh2:0}
# Non-server/HV driver defaults which are always enabled
%define with_python 0%{!?_without_python:1}
%define with_sasl 0%{!?_without_sasl:1}
# Set the OS / architecture specific special cases
@ -182,6 +182,7 @@
%define with_storage_mpath 0
%define with_storage_rbd 0
%define with_storage_sheepdog 0
%define with_storage_gluster 0
%define with_storage_disk 0
%endif
@ -191,6 +192,13 @@
%define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}}
%define with_libpcap 0%{!?_without_libpcap:%{server_drivers}}
%define with_macvtap 0%{!?_without_macvtap:%{server_drivers}}
# numad is used to manage the CPU and memory placement dynamically.
# It is only available on x86, and openSUSE >= 13.1
%if 0%{?suse_version} >= 1310
%ifarch i386 i586 i686 x86_64
%define with_numad 0%{!?_without_numad:%{server_drivers}}
%endif
%endif
# Force QEMU to run as qemu:qemu
%define qemu_user qemu
%define qemu_group qemu
@ -225,7 +233,7 @@
Name: libvirt
Url: http://libvirt.org/
Version: 1.1.2
Version: 1.2.0
Release: 0
Summary: Library providing a simple virtualization API
License: LGPL-2.1+
@ -289,7 +297,7 @@ BuildRequires: libtasn1-devel
BuildRequires: libxml2-devel
BuildRequires: libxslt
BuildRequires: ncurses-devel
BuildRequires: python-devel
BuildRequires: python
BuildRequires: python-xml
BuildRequires: readline-devel
BuildRequires: xhtml-dtd
@ -311,10 +319,14 @@ BuildRequires: sanlock-devel >= 2.4
BuildRequires: libpcap-devel
%endif
%if %{with_libnl}
%if 0%{?suse_version} < 1210
BuildRequires: libnl-devel
%else
%if 0%{?suse_version} >= 1310
BuildRequires: libnl3-devel
%else
%if 0%{?suse_version} >= 1210
BuildRequires: libnl-1_1-devel
%else
BuildRequires: libnl-devel
%endif
%endif
%endif
%if %{with_avahi}
@ -340,7 +352,7 @@ BuildRequires: cyrus-sasl-devel
%endif
%if %{with_polkit}
%if 0%{?suse_version} > 1110
BuildRequires: polkit >= 0.9
BuildRequires: polkit-devel >= 0.9
%else
BuildRequires: PolicyKit-devel >= 0.6
%endif
@ -397,33 +409,22 @@ BuildRequires: audit-devel
# we need /usr/sbin/dtrace
BuildRequires: systemtap-sdt-devel
%endif
%if %{with_numad}
BuildRequires: numad
%endif
Source0: %{name}-%{version}.tar.bz2
Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: e7f400a1-CVE-2013-4296.patch
Patch1: 2dba0323-CVE-2013-4297.patch
Patch2: db7a5688-CVE-2013-4311.patch
Patch3: e65667c0-CVE-2013-4311.patch
Patch4: 922b7fda-CVE-2013-4311.patch
Patch5: e4697b92-CVE-2013-4311.patch
Patch6: 8294aa0c-CVE-2013-4399.patch
Patch7: 484cc321-fix-spice-migration.patch
Patch8: 79552754-libvirtd-chardev-crash.patch
Patch9: 57687fd6-CVE-2013-4401.patch
Patch10: ae53e5d1-CVE-2013-4400.patch
Patch11: 8c3586ea-CVE-2013-4400.patch
Patch12: b7fcc799a-CVE-2013-4400.patch
Patch13: 3e2f27e1-CVE-2013-4400.patch
Patch14: 5a0ea4b7-CVE-2013-4400.patch
Patch15: 843bdb2f-CVE-2013-4400.patch
Patch16: bd773e74-lxc-terminate-machine.patch
Patch17: e350826c-python-fix-fd-passing.patch
Patch0: f8c1cb90-CVE-2013-6436.patch
Patch1: 9faf3f29-LXC-memtune.patch
Patch2: 5e397d9c-test-fix-dbus-crash.patch
Patch3: 78af457e-fix-virnettlscontexttest.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch101: clone.patch
Patch101: ia64-clone.patch
Patch102: xen-pv-cdrom.patch
Patch103: libxl-hvm-vnc.patch
Patch104: libxl-hvm-nic.patch
@ -487,16 +488,6 @@ Requires: bridge-utils
Requires: iproute
Requires: logrotate
%if %{with_network}
Requires: dnsmasq >= 2.41
Requires: radvd
%endif
%if %{with_network} || %{with_nwfilter}
Requires: iptables
%endif
%if %{with_nwfilter}
Requires: ebtables
%endif
%if %{with_udev}
Requires: udev >= 145
%endif
@ -507,39 +498,6 @@ Recommends: polkit >= 0.93
Recommends: PolicyKit >= 0.6
%endif
%endif
%if %{with_storage_fs}
Requires: nfs-utils
# For mkfs
Requires: util-linux
%endif
%if %{with_qemu}
# From QEMU RPMs
Requires: /usr/bin/qemu-img
# For image compression
Requires: bzip2
Requires: gzip
Requires: xz
%if 0%{?suse_version} > 1210
Requires: lzop
%endif
%endif
%if %{with_storage_lvm}
# For LVM drivers
Requires: lvm2
%endif
%if %{with_storage_iscsi}
# For ISCSI driver
Requires: open-iscsi
%endif
%if %{with_storage_disk}
# For disk driver
Requires: device-mapper
Requires: parted
%endif
%if %{with_storage_mpath}
# For multipath support
Requires: device-mapper
%endif
%if %{with_cgconfig}
Requires: libcgroup1
%endif
@ -551,6 +509,9 @@ Requires: dmidecode
# For service management
%{?systemd_requires}
%endif
%if %{with_numad}
Requires: numad
%endif
%description daemon
Server side daemon required to manage the virtualization capabilities
@ -576,7 +537,11 @@ cleaning guest network traffic.
%package daemon-driver-network
Summary: Network driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: dnsmasq >= 2.41
Requires: iptables
# TODO Requires: iptables-ipv6
Requires: libvirt-daemon = %{version}-%{release}
Requires: radvd
%description daemon-driver-network
The network driver plugin for the libvirtd daemon, providing
@ -589,6 +554,9 @@ bridge capabilities.
%package daemon-driver-nwfilter
Summary: A nwfilter driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: ebtables
Requires: iptables
# TODO Requires: iptables-ipv6
Requires: libvirt-daemon = %{version}-%{release}
%description daemon-driver-nwfilter
@ -638,6 +606,32 @@ an implementation of the secret key APIs.
Summary: Storage driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: libvirt-daemon = %{version}-%{release}
%if %{with_storage_fs}
Requires: nfs-utils
# For mkfs
Requires: util-linux
%endif
%if %{with_qemu}
# From QEMU RPMs
Requires: /usr/bin/qemu-img
%endif
%if %{with_storage_lvm}
# For LVM drivers
Requires: lvm2
%endif
%if %{with_storage_iscsi}
# For ISCSI driver
Requires: open-iscsi
%endif
%if %{with_storage_disk}
# For disk driver
Requires: device-mapper
Requires: parted
%endif
%if %{with_storage_mpath}
# For multipath support
Requires: device-mapper
%endif
%description daemon-driver-storage
The storage driver plugin for the libvirtd daemon, providing
@ -652,7 +646,15 @@ Summary: Qemu driver plugin for the libvirtd daemon
Group: Development/Libraries/C and C++
Requires: libvirt-daemon = %{version}-%{release}
# There really is a hard cross-driver dependency here
Requires: /usr/bin/qemu-img
Requires: libvirt-daemon-driver-network = %{version}-%{release}
# For image compression
Requires: bzip2
Requires: gzip
Requires: xz
%if 0%{?suse_version} > 1210
Requires: lzop
%endif
%description daemon-driver-qemu
The qemu driver plugin for the libvirtd daemon, providing
@ -865,8 +867,6 @@ Requires: netcat-openbsd
Requires: gettext-runtime
# Needed by virt-pki-validate script.
Requires: gnutls
# Needed for probing the power management features of the host.
Requires: pm-utils
%if %{with_sasl}
Requires: cyrus-sasl
# Not technically required, but makes 'out-of-box' config
@ -917,43 +917,14 @@ connect a user to an LXC container when they login, by switching
namespaces.
%endif
%if %{with_python}
%package python
Summary: Python bindings for the libvirt library
Group: Development/Libraries/C and C++
Requires: %{name}-client = %{version}-%{release}
%py_requires
%description python
The libvirt-python package contains a module that permits applications
written in the Python programming language to use the interface
supplied by the libvirt library to use the virtualization capabilities
of recent versions of Linux (and other OSes).
%endif
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch100 -p1
%patch101
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
@ -1036,6 +1007,9 @@ of recent versions of Linux (and other OSes).
%if ! %{with_storage_sheepdog}
%define _without_storage_sheepdog --without-storage-sheepdog
%endif
%if ! %{with_storage_gluster}
%define _without_storage_gluster --without-storage-gluster
%endif
%if ! %{with_numactl}
%define _without_numactl --without-numactl
%endif
@ -1090,9 +1064,6 @@ of recent versions of Linux (and other OSes).
%if ! %{with_avahi}
%define _without_avahi --without-avahi
%endif
%if ! %{with_python}
%define _without_python --without-python
%endif
%if ! %{with_libpcap}
%define _without_libpcap --without-libpcap
%endif
@ -1128,7 +1099,6 @@ export CFLAGS="$RPM_OPT_FLAGS"
%{?_without_sasl} \
%{?_without_avahi} \
%{?_without_polkit} \
%{?_without_python} \
%{?_without_libvirtd} \
%{?_without_uml} \
%{?_without_phyp} \
@ -1145,6 +1115,7 @@ export CFLAGS="$RPM_OPT_FLAGS"
%{?_without_storage_mpath} \
%{?_without_storage_rbd} \
%{?_without_storage_sheepdog} \
%{?_without_storage_gluster} \
%{?_without_numactl} \
%{?_without_numad} \
%{?_without_capng} \
@ -1175,14 +1146,12 @@ gzip -9 ChangeLog
%install
%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} DOCS_DIR=%{_docdir}/%{name}-python EXAMPLE_DIR=%{_docdir}/%{name}-python/examples HTML_DIR=%{_docdir}/%{name}
for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter systemtap
for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth xml/nwfilter systemtap
do
(cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
done
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
rm -f $RPM_BUILD_ROOT%{py_sitedir}/*.la
rm -f $RPM_BUILD_ROOT%{py_sitedir}/*.a
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/lock-driver/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/lock-driver/*.a
%if %{with_driver_modules}
@ -1221,19 +1190,34 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/autostart/default.xml
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter
rm -rf $RPM_BUILD_ROOT%{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
%endif
%if ! %{with_lxc}
%if %{with_lxc}
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-lxc.README << 'EOF'
Any empty package encapsulating requirements for a libvirtd capable
of managing LXC.
EOF
%else
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/lxc.conf
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_lxc.aug
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.lxc
%endif
%if ! %{with_qemu}
%if %{with_qemu}
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-qemu.README << 'EOF'
Any empty package encapsulating requirements for a libvirtd capable
of managing QEMU/KVM.
EOF
%else
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_qemu.aug
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.qemu
%endif
%if ! %{with_uml}
%if %{with_uml}
cat > $RPM_BUILD_ROOT%{_docdir}/libvirt/libvirt-daemon-uml.README << 'EOF'
Any empty package encapsulating requirements for a libvirtd capable
of managing UML.
EOF
%else
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.uml
%endif
%if %{with_vbox}
@ -1252,11 +1236,6 @@ EOF
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirt_sanlock.aug
rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
%endif
%if ! %{with_python}
rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}-python
%else
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libvirt-python-%{version}/*
%endif
# init scripts
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/init.d
@ -1286,6 +1265,27 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_loca
%clean
rm -rf $RPM_BUILD_ROOT
# Ignore 'make check' on older code base
%if 0%{?suse_version} >= 1210
%check
cd tests
make
# These tests don't current work in a mock build root
for i in nodeinfotest seclabeltest
do
rm -f $i
printf 'int main(void) { return 0; }' > $i.c
printf '#!/bin/sh\nexit 0\n' > $i
chmod +x $i
done
if ! make check VIR_TEST_DEBUG=1
then
cat test-suite.log || true
exit 1
fi
%endif
%if %{with_libvirtd}
%pre daemon
@ -1373,18 +1373,6 @@ fi
%{_sbindir}/virtlockd
%dir %{_libdir}/%{name}
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/
%if %{with_network}
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
%dir %{_datadir}/libvirt/networks/
%{_datadir}/libvirt/networks/default.xml
%endif
%if %{with_nwfilter}
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
%endif
%{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd
%config /etc/init.d/libvirtd
%{_sbindir}/rclibvirtd
@ -1427,9 +1415,6 @@ fi
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
%endif
%endif
%if %{with_storage_disk}
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper
%endif
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_iohelper
%doc %{_mandir}/man8/libvirtd.8*
%{_mandir}/man8/virtlockd.8*
@ -1445,14 +1430,60 @@ fi
%endif
%config %{_fwdefdir}/libvirtd-relocation-server
%if %{with_driver_modules}
%if ! %{with_driver_modules}
%if %{with_network}
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
%dir %{_datadir}/libvirt/networks/
%{_datadir}/libvirt/networks/default.xml
%endif
%if %{with_qemu}
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
%endif
%if %{with_lxc}
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
%endif
%if %{with_uml}
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
%endif
%if %{with_libxl}
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
%endif
%if %{with_storage_disk}
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper
%endif
%endif # ! %{with_driver_modules}
%if %{with_nwfilter}
%files daemon-config-nwfilter
%defattr(-, root, root)
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
%{_sysconfdir}/libvirt/nwfilter/*.xml
%endif
%if %{with_driver_modules}
%if %{with_interface}
%files daemon-driver-interface
@ -1465,6 +1496,13 @@ fi
%files daemon-driver-network
%defattr(-, root, root)
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
%dir %{_datadir}/libvirt/networks/
%{_datadir}/libvirt/networks/default.xml
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
%endif
@ -1494,6 +1532,9 @@ fi
%files daemon-driver-storage
%defattr(-, root, root)
%if %{with_storage_disk}
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper
%endif
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_storage.so
%endif
@ -1502,6 +1543,17 @@ fi
%files daemon-driver-qemu
%defattr(-, root, root)
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so
%endif
@ -1510,6 +1562,13 @@ fi
%files daemon-driver-lxc
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so
%endif
@ -1518,6 +1577,9 @@ fi
%files daemon-driver-uml
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_uml.so
%endif
@ -1534,10 +1596,10 @@ fi
%files daemon-driver-libxl
%defattr(-, root, root)
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/
%dir %{_libdir}/%{name}/connection-driver
%{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so
%endif
%if %{with_vbox}
@ -1552,38 +1614,21 @@ fi
%files daemon-qemu
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
%config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
%doc %{_docdir}/%{name}/libvirt-daemon-qemu.README
%endif
%if %{with_lxc}
%files daemon-lxc
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc
%{_datadir}/augeas/lenses/libvirtd_lxc.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
%doc %{_docdir}/%{name}/libvirt-daemon-lxc.README
%endif
%if %{with_uml}
%files daemon-uml
%defattr(-, root, root)
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/
%dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/
%doc %{_docdir}/%{name}/libvirt-daemon-uml.README
%endif
%if %{with_xen} || %{with_libxl}
@ -1608,6 +1653,7 @@ fi
%doc %{_mandir}/man1/virt-xml-validate.1*
%doc %{_mandir}/man1/virt-pki-validate.1*
%doc %{_mandir}/man1/virt-host-validate.1*
%dir %attr(0700, root, root) %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/libvirt.conf
%{_bindir}/virsh
%{_bindir}/virt-xml-validate
@ -1644,6 +1690,7 @@ fi
%{_datadir}/libvirt/cpu_map.xml
%{_datadir}/libvirt/libvirtLogo.png
%if %{with_sasl}
%dir %{_sysconfdir}/sasl2/
%config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
%endif
@ -1704,16 +1751,4 @@ fi
%{_bindir}/virt-login-shell
%endif
%if %{with_python}
%files python
%defattr(-, root, root)
%{py_sitedir}/libvirt.py*
%{py_sitedir}/libvirt_qemu.py*
%{py_sitedir}/libvirt_lxc.py*
%{py_sitedir}/libvirtmod*
%doc examples/python
%doc examples/domain-events/events-python
%endif
%changelog


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/daemon/libvirtd.conf
Index: libvirt-1.2.0/daemon/libvirtd.conf
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.conf
+++ libvirt-1.1.2/daemon/libvirtd.conf
--- libvirt-1.2.0.orig/daemon/libvirtd.conf
+++ libvirt-1.2.0/daemon/libvirtd.conf
@@ -18,8 +18,8 @@
# It is necessary to setup a CA and issue server certificates before
# using this capability.
@ -13,10 +13,10 @@ Index: libvirt-1.1.2/daemon/libvirtd.conf
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
Index: libvirt-1.1.2/daemon/libvirtd-config.c
Index: libvirt-1.2.0/daemon/libvirtd-config.c
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd-config.c
+++ libvirt-1.1.2/daemon/libvirtd-config.c
--- libvirt-1.2.0.orig/daemon/libvirtd-config.c
+++ libvirt-1.2.0/daemon/libvirtd-config.c
@@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT
if (VIR_ALLOC(data) < 0)
return NULL;


@ -1,9 +1,9 @@
Adjust libvirtd sysconfig file to conform to SUSE standards
Index: libvirt-1.1.2/daemon/libvirtd.sysconf
Index: libvirt-1.2.0/daemon/libvirtd.sysconf
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.sysconf
+++ libvirt-1.1.2/daemon/libvirtd.sysconf
--- libvirt-1.2.0.orig/daemon/libvirtd.sysconf
+++ libvirt-1.2.0/daemon/libvirtd.sysconf
@@ -1,16 +1,25 @@
+## Path: System/Virtualization/libvirt
+


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/libxl/libxl_conf.c
Index: libvirt-1.2.0/src/libxl/libxl_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.2/src/libxl/libxl_conf.c
@@ -846,8 +846,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l
--- libvirt-1.2.0.orig/src/libxl/libxl_conf.c
+++ libvirt-1.2.0/src/libxl/libxl_conf.c
@@ -886,8 +886,6 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l
* x_nics[i].mtu = 1492;
*/
@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c
virMacAddrGetRaw(&l_nic->mac, x_nic->mac);
if (l_nic->model && !STREQ(l_nic->model, "netfront")) {
@@ -892,6 +890,8 @@ libxlMakeNicList(virDomainDefPtr def, l
@@ -932,6 +930,8 @@ libxlMakeNicList(virDomainDefPtr def, l
return -1;
for (i = 0; i < nnics; i++) {


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/libxl/libxl_conf.c
Index: libvirt-1.2.0/src/libxl/libxl_conf.c
===================================================================
--- libvirt-1.1.2.orig/src/libxl/libxl_conf.c
+++ libvirt-1.1.2/src/libxl/libxl_conf.c
@@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
--- libvirt-1.2.0.orig/src/libxl/libxl_conf.c
+++ libvirt-1.2.0/src/libxl/libxl_conf.c
@@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
}
static int
@ -33,7 +33,7 @@ Index: libvirt-1.1.2/src/libxl/libxl_conf.c
libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config)
{
virDomainDefPtr def = vm->def;
@@ -1025,6 +1049,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
@@ -1174,6 +1198,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
if (libxlMakeVfbList(driver, def, d_config) < 0)
return -1;


@ -8,11 +8,11 @@ Subject: [PATCH] support managed pci devices in xen driver
src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 15 deletions(-)
Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
Index: libvirt-1.2.0/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c
@@ -993,6 +993,7 @@ xenParseSxprPCI(virDomainDefPtr def,
--- libvirt-1.2.0.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.0/src/xenxs/xen_sxpr.c
@@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def,
int busID;
int slotID;
int funcID;
@ -20,7 +20,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
node = cur->u.s.car;
if (!sexpr_lookup(node, "dev"))
@@ -1040,11 +1041,13 @@ xenParseSxprPCI(virDomainDefPtr def,
@@ -1043,11 +1044,13 @@ xenParseSxprPCI(virDomainDefPtr def,
goto error;
}
@ -35,7 +35,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
dev->source.subsys.u.pci.addr.domain = domainID;
dev->source.subsys.u.pci.addr.bus = busID;
@@ -1990,11 +1993,15 @@ static void
@@ -1991,11 +1994,15 @@ static void
xenFormatSxprPCI(virDomainHostdevDefPtr def,
virBufferPtr buf)
{
@ -52,7 +52,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
}
@@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
virBufferPtr buf,
int detach)
{
@ -65,7 +65,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
virBufferAddLit(buf, "(pci ");
xenFormatSxprPCI(def, buf);
if (detach)
@@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@ -78,10 +78,10 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
xenFormatSxprPCI(def->hostdevs[i], buf);
}
}
Index: libvirt-1.1.2/src/xenxs/xen_xm.c
Index: libvirt-1.2.0/src/xenxs/xen_xm.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_xm.c
+++ libvirt-1.1.2/src/xenxs/xen_xm.c
--- libvirt-1.2.0.orig/src/xenxs/xen_xm.c
+++ libvirt-1.2.0/src/xenxs/xen_xm.c
@@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf
int busID;
int slotID;


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/qemu/qemu.conf
Index: libvirt-1.2.0/src/qemu/qemu.conf
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu.conf
+++ libvirt-1.1.2/src/qemu/qemu.conf
@@ -175,7 +175,16 @@
--- libvirt-1.2.0.orig/src/qemu/qemu.conf
+++ libvirt-1.2.0/src/qemu/qemu.conf
@@ -200,7 +200,16 @@
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
#
@ -19,7 +19,7 @@ Index: libvirt-1.1.2/src/qemu/qemu.conf
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
@@ -371,6 +380,15 @@
@@ -402,6 +411,15 @@
#allow_disk_format_probing = 1


@ -1,7 +1,7 @@
Index: libvirt-1.1.2/daemon/libvirtd.service.in
Index: libvirt-1.2.0/daemon/libvirtd.service.in
===================================================================
--- libvirt-1.1.2.orig/daemon/libvirtd.service.in
+++ libvirt-1.1.2/daemon/libvirtd.service.in
--- libvirt-1.2.0.orig/daemon/libvirtd.service.in
+++ libvirt-1.2.0/daemon/libvirtd.service.in
@@ -9,6 +9,8 @@ Before=libvirt-guests.service
After=network.target
After=dbus.service


@ -1,9 +1,9 @@
Adjust virtlockd init files to conform to SUSE standards
Index: libvirt-1.1.2/src/locking/virtlockd.sysconf
Index: libvirt-1.2.0/src/locking/virtlockd.sysconf
===================================================================
--- libvirt-1.1.2.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.1.2/src/locking/virtlockd.sysconf
--- libvirt-1.2.0.orig/src/locking/virtlockd.sysconf
+++ libvirt-1.2.0/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
+## Path: System/Virtualization/virtlockd
+
@ -12,10 +12,10 @@ Index: libvirt-1.1.2/src/locking/virtlockd.sysconf
#
# Pass extra arguments to virtlockd
#VIRTLOCKD_ARGS=
Index: libvirt-1.1.2/src/locking/virtlockd.init.in
Index: libvirt-1.2.0/src/locking/virtlockd.init.in
===================================================================
--- libvirt-1.1.2.orig/src/locking/virtlockd.init.in
+++ libvirt-1.1.2/src/locking/virtlockd.init.in
--- libvirt-1.2.0.orig/src/locking/virtlockd.init.in
+++ libvirt-1.2.0/src/locking/virtlockd.init.in
@@ -4,11 +4,13 @@
# http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV
#


@ -14,10 +14,10 @@
is inactive. We obviously can't search xenstore when the domain is
inactive.
Index: libvirt-1.1.2/src/xen/xend_internal.c
Index: libvirt-1.2.0/src/xen/xend_internal.c
===================================================================
--- libvirt-1.1.2.orig/src/xen/xend_internal.c
+++ libvirt-1.1.2/src/xen/xend_internal.c
--- libvirt-1.2.0.orig/src/xen/xend_internal.c
+++ libvirt-1.2.0/src/xen/xend_internal.c
@@ -70,7 +70,7 @@
#define XEND_RCV_BUF_MAX_LEN (256 * 1024)
@ -27,7 +27,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
virDomainDeviceDefPtr dev, char *class,
char *ref, int ref_len);
@@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c
@@ -3316,18 +3316,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c
* Returns 0 in case of success, -1 in case of failure.
*/
static int
@ -50,7 +50,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
if (dev->data.disk->driverName &&
STREQ(dev->data.disk->driverName, "tap"))
strcpy(class, "tap");
@@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3337,19 +3337,17 @@ virDomainXMLDevID(virConnectPtr conn,
else
strcpy(class, "vbd");
@ -81,7 +81,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
char mac[VIR_MAC_STRING_BUFLEN];
virDomainNetDefPtr netdef = dev->data.net;
@@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3357,16 +3355,22 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "vif");
@ -114,7 +114,7 @@ Index: libvirt-1.1.2/src/xen/xend_internal.c
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn,
@@ -3382,17 +3386,44 @@ virDomainXMLDevID(virConnectPtr conn,
strcpy(class, "pci");


@ -1,8 +1,8 @@
Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
Index: libvirt-1.2.0/src/xenxs/xen_sxpr.c
===================================================================
--- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.1.2/src/xenxs/xen_sxpr.c
@@ -327,7 +327,7 @@ error:
--- libvirt-1.2.0.orig/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.0/src/xenxs/xen_sxpr.c
@@ -330,7 +330,7 @@ error:
static int
xenParseSxprDisks(virDomainDefPtr def,
const struct sexpr *root,
@ -11,7 +11,7 @@ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c
int xendConfigVersion)
{
const struct sexpr *cur, *node;
@@ -378,7 +378,6 @@ xenParseSxprDisks(virDomainDefPtr def,
@@ -381,7 +381,6 @@ xenParseSxprDisks(virDomainDefPtr def,
/* There is a case without the uname to the CD-ROM device */
offset = strchr(dst, ':');
if (!offset ||