2016-08-04 15:09:24 +02:00
|
|
|
From: Bruce Rogers <brogers@suse.com>
|
|
|
|
|
Date: Tue, 2 Aug 2016 11:36:02 -0600
|
2019-01-04 22:08:16 +01:00
|
|
|
Subject: qemu-bridge-helper: reduce security profile
|
2016-09-19 19:06:58 +02:00
|
|
|
MIME-Version: 1.0
|
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
|
Content-Transfer-Encoding: 8bit
|
2016-08-04 15:09:24 +02:00
|
|
|
|
2019-09-12 17:54:03 +02:00
|
|
|
References: boo#988279
|
|
|
|
|
|
2016-08-04 15:09:24 +02:00
|
|
|
Change from using glib alloc and free routines to those
|
|
|
|
|
from libc. Also perform safety measure of dropping privs
|
|
|
|
|
to user if configured no-caps.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
2016-09-19 19:06:58 +02:00
|
|
|
[AF: Rebased for v2.7.0-rc2]
|
|
|
|
|
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
2016-08-04 15:09:24 +02:00
|
|
|
---
|
2019-05-02 00:51:10 +02:00
|
|
|
qemu-bridge-helper.c | 28 +++++++++++++++++++++++++---
|
|
|
|
|
1 file changed, 25 insertions(+), 3 deletions(-)
|
2016-08-04 15:09:24 +02:00
|
|
|
|
|
|
|
|
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
|
Accepting request 854151 from home:bfrogers:branches:Virtualization
- Update to v5.2.0: See http://wiki.qemu.org/ChangeLog/5.2
Take note that ongoing feature deprecation is tracked at both
http://wiki.qemu-project.org/Features/LegacyRemoval and in
the deprecated.html file installed with the qemu package
Some noteworthy changes:
* Dropped system emulators: qemu-system-lm32, qemu-system-unicore32
* Dropped linux user emulator: qemu-ppc64abi32
* Added linux user emulator: qemu-extensaeb
* Unicore32 and lm32 guest support dropped
* New sub-packages (most due to ongoing modularization of QEMU):
qemu-audio-spice, qemu-hw-chardev-spice, qemu-hw-display-virtio-vga,
qemu-hw-display-virtio-gpu, qemu-hw-display-virtio-gpu-pci,
qemu-ui-spice-core, qemu-ui-opengl, qemu-ivshmem-tools
* x86: A new KVM feature which improves the handling of asynchronous page
faults is available with -cpu ...,kvm-async-pf-int (requires Linux 5.8)
* s390: More instructions emulated under TCG
* PowerPC: nvdimm= machine option now functions correctly; misc improvements
* ARM: new boards: mps2-an386 (Cortex-M4 based) and mps2-an500
(Cortex-M7 based), raspi3ap (the Pi 3 model A+), raspi0 (the Pi Zero)
and raspi1ap (the Pi A+)
* RISC-V: OpenSBI v0.8 included by default; Generic OpenSBI platform used
when no -bios argument is supplied; Support for NUMA sockets on Virt
and Spike Machines; Support for migrating machines; misc improvements
* Misc NVMe improvements
* The 'vhost-user-blk' export type has been added, allowing
qemu-storage-daemon to act as a vhost-user-blk device backend
* The SMBIOS OEM strings can now come from a file
* 9pfs - misc performance related improvements
* virtiofs - misc improvements
* migration: The default migration bandwidth has been increased to 1Gbps
(users are still encouraged to tune it to their own hardware); The new
'calc-dirty-rate' and 'query-dirty-rate' QMP commands can help determine
the likelihood of precopy migration success; TLS+multifd now supported
for higher bandwidth encrypted migration; misc minor features added
* Misc minor block features added
* Misc doc improvements
* qemu-microvm subpackage change: the bios-microvm.bin is now SeaBIOS based,
and the qboot based on is now qboot.rom
* elf2dmp is no longer part of qemu-tools (it was never intended to be
a packaged binary)
* Some subpackages which were 'Requires' are now 'Recommends', allowing for
a smaller qemu packaging footprint if needed
* Patches dropped (included in release tarball, unless otherwise noted):
docs-fix-trace-docs-build-with-sphinx-3..patch (fixed differently)
hw-hyperv-vmbus-Fix-32bit-compilation.patch
linux-user-properly-test-for-infinite-ti.patch
Switch-order-of-libraries-for-mpath-supp.patch (fixed differently)
Conditionalize-ui-bitmap-installation-be.patch (fixed differently)
hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch (no longer using gcc9)
hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch (no longer using gcc9)
roms-Makefile-enable-cross-compile-for-b.patch (fixed with different patch)
libvhost-user-handle-endianness-as-manda.patch
virtio-add-vhost-user-fs-ccw-device.patch
Fix-s-directive-argument-is-null-error.patch
build-Workaround-compilation-error-with-.patch
build-Be-explicit-about-fcommon-compiler.patch
intel-Avoid-spurious-compiler-warning-on.patch
golan-Add-explicit-type-casts-for-nodnic.patch
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
ensure-headers-included-are-compatible-w.patch
Enable-cross-compile-prefix-for-C-compil.patch (fixed differently)
hw-net-net_tx_pkt-fix-assertion-failure-.patch
hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch
s390x-protvirt-allow-to-IPL-secure-guest.patch
usb-fix-setup_len-init-CVE-2020-14364.patch
* Patches added:
meson-install-ivshmem-client-and-ivshmem.patch
Revert-roms-efirom-tests-uefi-test-tools.patch
Makefile-Don-t-check-pc-bios-as-pre-requ.patch
roms-Makefile-add-cross-file-to-qboot-me.patch
qboot-add-cross.ini-file-to-handle-aarch.patch
usb-Help-compiler-out-to-avoid-a-warning.patch
- In spec file, where reasonable, switch BuildRequires: XXX-devel
to be pkgconfig(XXX') instead
- No longer disable link time optimization for qemu for x86. It looks like
either the build service, qemu code changes and/or the switch to meson
have resolved issues previously seen there. We still see problems for
other architectures however.
- For the record, the following issues reported for SUSE SLE15-SP2
are either fixed in this current package, or are otherwise no longer
an issue: bsc#1172384 bsc#1174386 bsc#1174641 bsc#1174863 bsc#1175370
bsc#1175441 bsc#1176494 CVE-2020-13361 CVE-2020-14364 CVE-2020-15863
CVE-2020-16092 CVE-2020-24352
and the following feature requests are satisfied by this package:
jsc#SLE-13689 jsc#SEL-13780 jsc#SLE-13840
- To be more accurate, and to align with other qemu packaging
practices, rename the qemu-s390 package to qemu-s390x. The old
name (in the rpm namespace) is provided with a "Provides"
directive, and an "Obsoletes" done against that name for prior
qemu versions, as is standard practice (boo#1177764 jsc#SLE-17060)
- Take this opportunity to remove some ancient Split-Provides
mechanisms which can't conceivably be needed any more:
qemu-block-curl provided: qemu:%_libdir/%name/block-curl.so
qemu-guest-agent provided: qemu:%_bindir/qemu-ga
qemu-tools provided: qemu:%_libexecdir/qemu-bridge-helper
- Disable linux-user 'ls' test on 32 bit arm. It's failing with
"Allocating guest commpage: Cannot allocate memory" error, which
we should hunt down, but for now we don't want it to prevent the
package from being built
OBS-URL: https://build.opensuse.org/request/show/854151
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=597
2020-12-08 23:01:20 +01:00
|
|
|
index a26e1663f02de3c99198df6e2080..f3483b0a344da4f82b6710551390 100644
|
2016-08-04 15:09:24 +02:00
|
|
|
--- a/qemu-bridge-helper.c
|
|
|
|
|
+++ b/qemu-bridge-helper.c
|
Accepting request 854151 from home:bfrogers:branches:Virtualization
- Update to v5.2.0: See http://wiki.qemu.org/ChangeLog/5.2
Take note that ongoing feature deprecation is tracked at both
http://wiki.qemu-project.org/Features/LegacyRemoval and in
the deprecated.html file installed with the qemu package
Some noteworthy changes:
* Dropped system emulators: qemu-system-lm32, qemu-system-unicore32
* Dropped linux user emulator: qemu-ppc64abi32
* Added linux user emulator: qemu-extensaeb
* Unicore32 and lm32 guest support dropped
* New sub-packages (most due to ongoing modularization of QEMU):
qemu-audio-spice, qemu-hw-chardev-spice, qemu-hw-display-virtio-vga,
qemu-hw-display-virtio-gpu, qemu-hw-display-virtio-gpu-pci,
qemu-ui-spice-core, qemu-ui-opengl, qemu-ivshmem-tools
* x86: A new KVM feature which improves the handling of asynchronous page
faults is available with -cpu ...,kvm-async-pf-int (requires Linux 5.8)
* s390: More instructions emulated under TCG
* PowerPC: nvdimm= machine option now functions correctly; misc improvements
* ARM: new boards: mps2-an386 (Cortex-M4 based) and mps2-an500
(Cortex-M7 based), raspi3ap (the Pi 3 model A+), raspi0 (the Pi Zero)
and raspi1ap (the Pi A+)
* RISC-V: OpenSBI v0.8 included by default; Generic OpenSBI platform used
when no -bios argument is supplied; Support for NUMA sockets on Virt
and Spike Machines; Support for migrating machines; misc improvements
* Misc NVMe improvements
* The 'vhost-user-blk' export type has been added, allowing
qemu-storage-daemon to act as a vhost-user-blk device backend
* The SMBIOS OEM strings can now come from a file
* 9pfs - misc performance related improvements
* virtiofs - misc improvements
* migration: The default migration bandwidth has been increased to 1Gbps
(users are still encouraged to tune it to their own hardware); The new
'calc-dirty-rate' and 'query-dirty-rate' QMP commands can help determine
the likelihood of precopy migration success; TLS+multifd now supported
for higher bandwidth encrypted migration; misc minor features added
* Misc minor block features added
* Misc doc improvements
* qemu-microvm subpackage change: the bios-microvm.bin is now SeaBIOS based,
and the qboot based on is now qboot.rom
* elf2dmp is no longer part of qemu-tools (it was never intended to be
a packaged binary)
* Some subpackages which were 'Requires' are now 'Recommends', allowing for
a smaller qemu packaging footprint if needed
* Patches dropped (included in release tarball, unless otherwise noted):
docs-fix-trace-docs-build-with-sphinx-3..patch (fixed differently)
hw-hyperv-vmbus-Fix-32bit-compilation.patch
linux-user-properly-test-for-infinite-ti.patch
Switch-order-of-libraries-for-mpath-supp.patch (fixed differently)
Conditionalize-ui-bitmap-installation-be.patch (fixed differently)
hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch (no longer using gcc9)
hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch (no longer using gcc9)
roms-Makefile-enable-cross-compile-for-b.patch (fixed with different patch)
libvhost-user-handle-endianness-as-manda.patch
virtio-add-vhost-user-fs-ccw-device.patch
Fix-s-directive-argument-is-null-error.patch
build-Workaround-compilation-error-with-.patch
build-Be-explicit-about-fcommon-compiler.patch
intel-Avoid-spurious-compiler-warning-on.patch
golan-Add-explicit-type-casts-for-nodnic.patch
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
ensure-headers-included-are-compatible-w.patch
Enable-cross-compile-prefix-for-C-compil.patch (fixed differently)
hw-net-net_tx_pkt-fix-assertion-failure-.patch
hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch
s390x-protvirt-allow-to-IPL-secure-guest.patch
usb-fix-setup_len-init-CVE-2020-14364.patch
* Patches added:
meson-install-ivshmem-client-and-ivshmem.patch
Revert-roms-efirom-tests-uefi-test-tools.patch
Makefile-Don-t-check-pc-bios-as-pre-requ.patch
roms-Makefile-add-cross-file-to-qboot-me.patch
qboot-add-cross.ini-file-to-handle-aarch.patch
usb-Help-compiler-out-to-avoid-a-warning.patch
- In spec file, where reasonable, switch BuildRequires: XXX-devel
to be pkgconfig(XXX') instead
- No longer disable link time optimization for qemu for x86. It looks like
either the build service, qemu code changes and/or the switch to meson
have resolved issues previously seen there. We still see problems for
other architectures however.
- For the record, the following issues reported for SUSE SLE15-SP2
are either fixed in this current package, or are otherwise no longer
an issue: bsc#1172384 bsc#1174386 bsc#1174641 bsc#1174863 bsc#1175370
bsc#1175441 bsc#1176494 CVE-2020-13361 CVE-2020-14364 CVE-2020-15863
CVE-2020-16092 CVE-2020-24352
and the following feature requests are satisfied by this package:
jsc#SLE-13689 jsc#SEL-13780 jsc#SLE-13840
- To be more accurate, and to align with other qemu packaging
practices, rename the qemu-s390 package to qemu-s390x. The old
name (in the rpm namespace) is provided with a "Provides"
directive, and an "Obsoletes" done against that name for prior
qemu versions, as is standard practice (boo#1177764 jsc#SLE-17060)
- Take this opportunity to remove some ancient Split-Provides
mechanisms which can't conceivably be needed any more:
qemu-block-curl provided: qemu:%_libdir/%name/block-curl.so
qemu-guest-agent provided: qemu:%_bindir/qemu-ga
qemu-tools provided: qemu:%_libexecdir/qemu-bridge-helper
- Disable linux-user 'ls' test on 32 bit arm. It's failing with
"Allocating guest commpage: Cannot allocate memory" error, which
we should hunt down, but for now we don't want it to prevent the
package from being built
OBS-URL: https://build.opensuse.org/request/show/854151
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=597
2020-12-08 23:01:20 +01:00
|
|
|
@@ -124,7 +124,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
|
2019-09-12 17:54:03 +02:00
|
|
|
}
|
2016-08-04 15:09:24 +02:00
|
|
|
|
|
|
|
|
if (strcmp(cmd, "deny") == 0) {
|
|
|
|
|
- acl_rule = g_malloc(sizeof(*acl_rule));
|
|
|
|
|
+ acl_rule = calloc(1, sizeof(*acl_rule));
|
|
|
|
|
+ if (!acl_rule) {
|
|
|
|
|
+ fclose(f);
|
|
|
|
|
+ errno = ENOMEM;
|
|
|
|
|
+ return -1;
|
|
|
|
|
+ }
|
|
|
|
|
if (strcmp(arg, "all") == 0) {
|
|
|
|
|
acl_rule->type = ACL_DENY_ALL;
|
|
|
|
|
} else {
|
Accepting request 854151 from home:bfrogers:branches:Virtualization
- Update to v5.2.0: See http://wiki.qemu.org/ChangeLog/5.2
Take note that ongoing feature deprecation is tracked at both
http://wiki.qemu-project.org/Features/LegacyRemoval and in
the deprecated.html file installed with the qemu package
Some noteworthy changes:
* Dropped system emulators: qemu-system-lm32, qemu-system-unicore32
* Dropped linux user emulator: qemu-ppc64abi32
* Added linux user emulator: qemu-extensaeb
* Unicore32 and lm32 guest support dropped
* New sub-packages (most due to ongoing modularization of QEMU):
qemu-audio-spice, qemu-hw-chardev-spice, qemu-hw-display-virtio-vga,
qemu-hw-display-virtio-gpu, qemu-hw-display-virtio-gpu-pci,
qemu-ui-spice-core, qemu-ui-opengl, qemu-ivshmem-tools
* x86: A new KVM feature which improves the handling of asynchronous page
faults is available with -cpu ...,kvm-async-pf-int (requires Linux 5.8)
* s390: More instructions emulated under TCG
* PowerPC: nvdimm= machine option now functions correctly; misc improvements
* ARM: new boards: mps2-an386 (Cortex-M4 based) and mps2-an500
(Cortex-M7 based), raspi3ap (the Pi 3 model A+), raspi0 (the Pi Zero)
and raspi1ap (the Pi A+)
* RISC-V: OpenSBI v0.8 included by default; Generic OpenSBI platform used
when no -bios argument is supplied; Support for NUMA sockets on Virt
and Spike Machines; Support for migrating machines; misc improvements
* Misc NVMe improvements
* The 'vhost-user-blk' export type has been added, allowing
qemu-storage-daemon to act as a vhost-user-blk device backend
* The SMBIOS OEM strings can now come from a file
* 9pfs - misc performance related improvements
* virtiofs - misc improvements
* migration: The default migration bandwidth has been increased to 1Gbps
(users are still encouraged to tune it to their own hardware); The new
'calc-dirty-rate' and 'query-dirty-rate' QMP commands can help determine
the likelihood of precopy migration success; TLS+multifd now supported
for higher bandwidth encrypted migration; misc minor features added
* Misc minor block features added
* Misc doc improvements
* qemu-microvm subpackage change: the bios-microvm.bin is now SeaBIOS based,
and the qboot based on is now qboot.rom
* elf2dmp is no longer part of qemu-tools (it was never intended to be
a packaged binary)
* Some subpackages which were 'Requires' are now 'Recommends', allowing for
a smaller qemu packaging footprint if needed
* Patches dropped (included in release tarball, unless otherwise noted):
docs-fix-trace-docs-build-with-sphinx-3..patch (fixed differently)
hw-hyperv-vmbus-Fix-32bit-compilation.patch
linux-user-properly-test-for-infinite-ti.patch
Switch-order-of-libraries-for-mpath-supp.patch (fixed differently)
Conditionalize-ui-bitmap-installation-be.patch (fixed differently)
hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch (no longer using gcc9)
hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch (no longer using gcc9)
roms-Makefile-enable-cross-compile-for-b.patch (fixed with different patch)
libvhost-user-handle-endianness-as-manda.patch
virtio-add-vhost-user-fs-ccw-device.patch
Fix-s-directive-argument-is-null-error.patch
build-Workaround-compilation-error-with-.patch
build-Be-explicit-about-fcommon-compiler.patch
intel-Avoid-spurious-compiler-warning-on.patch
golan-Add-explicit-type-casts-for-nodnic.patch
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
ensure-headers-included-are-compatible-w.patch
Enable-cross-compile-prefix-for-C-compil.patch (fixed differently)
hw-net-net_tx_pkt-fix-assertion-failure-.patch
hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch
s390x-protvirt-allow-to-IPL-secure-guest.patch
usb-fix-setup_len-init-CVE-2020-14364.patch
* Patches added:
meson-install-ivshmem-client-and-ivshmem.patch
Revert-roms-efirom-tests-uefi-test-tools.patch
Makefile-Don-t-check-pc-bios-as-pre-requ.patch
roms-Makefile-add-cross-file-to-qboot-me.patch
qboot-add-cross.ini-file-to-handle-aarch.patch
usb-Help-compiler-out-to-avoid-a-warning.patch
- In spec file, where reasonable, switch BuildRequires: XXX-devel
to be pkgconfig(XXX') instead
- No longer disable link time optimization for qemu for x86. It looks like
either the build service, qemu code changes and/or the switch to meson
have resolved issues previously seen there. We still see problems for
other architectures however.
- For the record, the following issues reported for SUSE SLE15-SP2
are either fixed in this current package, or are otherwise no longer
an issue: bsc#1172384 bsc#1174386 bsc#1174641 bsc#1174863 bsc#1175370
bsc#1175441 bsc#1176494 CVE-2020-13361 CVE-2020-14364 CVE-2020-15863
CVE-2020-16092 CVE-2020-24352
and the following feature requests are satisfied by this package:
jsc#SLE-13689 jsc#SEL-13780 jsc#SLE-13840
- To be more accurate, and to align with other qemu packaging
practices, rename the qemu-s390 package to qemu-s390x. The old
name (in the rpm namespace) is provided with a "Provides"
directive, and an "Obsoletes" done against that name for prior
qemu versions, as is standard practice (boo#1177764 jsc#SLE-17060)
- Take this opportunity to remove some ancient Split-Provides
mechanisms which can't conceivably be needed any more:
qemu-block-curl provided: qemu:%_libdir/%name/block-curl.so
qemu-guest-agent provided: qemu:%_bindir/qemu-ga
qemu-tools provided: qemu:%_libexecdir/qemu-bridge-helper
- Disable linux-user 'ls' test on 32 bit arm. It's failing with
"Allocating guest commpage: Cannot allocate memory" error, which
we should hunt down, but for now we don't want it to prevent the
package from being built
OBS-URL: https://build.opensuse.org/request/show/854151
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=597
2020-12-08 23:01:20 +01:00
|
|
|
@@ -133,7 +138,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
|
2016-08-04 15:09:24 +02:00
|
|
|
}
|
|
|
|
|
QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry);
|
|
|
|
|
} else if (strcmp(cmd, "allow") == 0) {
|
|
|
|
|
- acl_rule = g_malloc(sizeof(*acl_rule));
|
|
|
|
|
+ acl_rule = calloc(1, sizeof(*acl_rule));
|
|
|
|
|
+ if (!acl_rule) {
|
|
|
|
|
+ fclose(f);
|
|
|
|
|
+ errno = ENOMEM;
|
|
|
|
|
+ return -1;
|
|
|
|
|
+ }
|
|
|
|
|
if (strcmp(arg, "all") == 0) {
|
|
|
|
|
acl_rule->type = ACL_ALLOW_ALL;
|
|
|
|
|
} else {
|
Accepting request 854151 from home:bfrogers:branches:Virtualization
- Update to v5.2.0: See http://wiki.qemu.org/ChangeLog/5.2
Take note that ongoing feature deprecation is tracked at both
http://wiki.qemu-project.org/Features/LegacyRemoval and in
the deprecated.html file installed with the qemu package
Some noteworthy changes:
* Dropped system emulators: qemu-system-lm32, qemu-system-unicore32
* Dropped linux user emulator: qemu-ppc64abi32
* Added linux user emulator: qemu-extensaeb
* Unicore32 and lm32 guest support dropped
* New sub-packages (most due to ongoing modularization of QEMU):
qemu-audio-spice, qemu-hw-chardev-spice, qemu-hw-display-virtio-vga,
qemu-hw-display-virtio-gpu, qemu-hw-display-virtio-gpu-pci,
qemu-ui-spice-core, qemu-ui-opengl, qemu-ivshmem-tools
* x86: A new KVM feature which improves the handling of asynchronous page
faults is available with -cpu ...,kvm-async-pf-int (requires Linux 5.8)
* s390: More instructions emulated under TCG
* PowerPC: nvdimm= machine option now functions correctly; misc improvements
* ARM: new boards: mps2-an386 (Cortex-M4 based) and mps2-an500
(Cortex-M7 based), raspi3ap (the Pi 3 model A+), raspi0 (the Pi Zero)
and raspi1ap (the Pi A+)
* RISC-V: OpenSBI v0.8 included by default; Generic OpenSBI platform used
when no -bios argument is supplied; Support for NUMA sockets on Virt
and Spike Machines; Support for migrating machines; misc improvements
* Misc NVMe improvements
* The 'vhost-user-blk' export type has been added, allowing
qemu-storage-daemon to act as a vhost-user-blk device backend
* The SMBIOS OEM strings can now come from a file
* 9pfs - misc performance related improvements
* virtiofs - misc improvements
* migration: The default migration bandwidth has been increased to 1Gbps
(users are still encouraged to tune it to their own hardware); The new
'calc-dirty-rate' and 'query-dirty-rate' QMP commands can help determine
the likelihood of precopy migration success; TLS+multifd now supported
for higher bandwidth encrypted migration; misc minor features added
* Misc minor block features added
* Misc doc improvements
* qemu-microvm subpackage change: the bios-microvm.bin is now SeaBIOS based,
and the qboot based on is now qboot.rom
* elf2dmp is no longer part of qemu-tools (it was never intended to be
a packaged binary)
* Some subpackages which were 'Requires' are now 'Recommends', allowing for
a smaller qemu packaging footprint if needed
* Patches dropped (included in release tarball, unless otherwise noted):
docs-fix-trace-docs-build-with-sphinx-3..patch (fixed differently)
hw-hyperv-vmbus-Fix-32bit-compilation.patch
linux-user-properly-test-for-infinite-ti.patch
Switch-order-of-libraries-for-mpath-supp.patch (fixed differently)
Conditionalize-ui-bitmap-installation-be.patch (fixed differently)
hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch (no longer using gcc9)
hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch (no longer using gcc9)
roms-Makefile-enable-cross-compile-for-b.patch (fixed with different patch)
libvhost-user-handle-endianness-as-manda.patch
virtio-add-vhost-user-fs-ccw-device.patch
Fix-s-directive-argument-is-null-error.patch
build-Workaround-compilation-error-with-.patch
build-Be-explicit-about-fcommon-compiler.patch
intel-Avoid-spurious-compiler-warning-on.patch
golan-Add-explicit-type-casts-for-nodnic.patch
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
ensure-headers-included-are-compatible-w.patch
Enable-cross-compile-prefix-for-C-compil.patch (fixed differently)
hw-net-net_tx_pkt-fix-assertion-failure-.patch
hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch
s390x-protvirt-allow-to-IPL-secure-guest.patch
usb-fix-setup_len-init-CVE-2020-14364.patch
* Patches added:
meson-install-ivshmem-client-and-ivshmem.patch
Revert-roms-efirom-tests-uefi-test-tools.patch
Makefile-Don-t-check-pc-bios-as-pre-requ.patch
roms-Makefile-add-cross-file-to-qboot-me.patch
qboot-add-cross.ini-file-to-handle-aarch.patch
usb-Help-compiler-out-to-avoid-a-warning.patch
- In spec file, where reasonable, switch BuildRequires: XXX-devel
to be pkgconfig(XXX') instead
- No longer disable link time optimization for qemu for x86. It looks like
either the build service, qemu code changes and/or the switch to meson
have resolved issues previously seen there. We still see problems for
other architectures however.
- For the record, the following issues reported for SUSE SLE15-SP2
are either fixed in this current package, or are otherwise no longer
an issue: bsc#1172384 bsc#1174386 bsc#1174641 bsc#1174863 bsc#1175370
bsc#1175441 bsc#1176494 CVE-2020-13361 CVE-2020-14364 CVE-2020-15863
CVE-2020-16092 CVE-2020-24352
and the following feature requests are satisfied by this package:
jsc#SLE-13689 jsc#SEL-13780 jsc#SLE-13840
- To be more accurate, and to align with other qemu packaging
practices, rename the qemu-s390 package to qemu-s390x. The old
name (in the rpm namespace) is provided with a "Provides"
directive, and an "Obsoletes" done against that name for prior
qemu versions, as is standard practice (boo#1177764 jsc#SLE-17060)
- Take this opportunity to remove some ancient Split-Provides
mechanisms which can't conceivably be needed any more:
qemu-block-curl provided: qemu:%_libdir/%name/block-curl.so
qemu-guest-agent provided: qemu:%_bindir/qemu-ga
qemu-tools provided: qemu:%_libexecdir/qemu-bridge-helper
- Disable linux-user 'ls' test on 32 bit arm. It's failing with
"Allocating guest commpage: Cannot allocate memory" error, which
we should hunt down, but for now we don't want it to prevent the
package from being built
OBS-URL: https://build.opensuse.org/request/show/854151
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=597
2020-12-08 23:01:20 +01:00
|
|
|
@@ -438,6 +448,18 @@ int main(int argc, char **argv)
|
2016-08-04 15:09:24 +02:00
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+#ifndef CONFIG_LIBCAP
|
2019-05-02 00:51:10 +02:00
|
|
|
+ /*
|
|
|
|
|
+ * avoid sending the fd as root user if running suid to not fool
|
2016-08-04 15:09:24 +02:00
|
|
|
+ * peer credentials to daemons that dont expect that
|
|
|
|
|
+ */
|
|
|
|
|
+ if (setuid(getuid()) < 0) {
|
|
|
|
|
+ fprintf(stderr, "Failed to drop privileges.\n");
|
|
|
|
|
+ ret = EXIT_FAILURE;
|
|
|
|
|
+ goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
/* write fd to the domain socket */
|
|
|
|
|
if (send_fd(unixfd, fd) == -1) {
|
|
|
|
|
fprintf(stderr, "failed to write fd to unix socket: %s\n",
|
Accepting request 854151 from home:bfrogers:branches:Virtualization
- Update to v5.2.0: See http://wiki.qemu.org/ChangeLog/5.2
Take note that ongoing feature deprecation is tracked at both
http://wiki.qemu-project.org/Features/LegacyRemoval and in
the deprecated.html file installed with the qemu package
Some noteworthy changes:
* Dropped system emulators: qemu-system-lm32, qemu-system-unicore32
* Dropped linux user emulator: qemu-ppc64abi32
* Added linux user emulator: qemu-extensaeb
* Unicore32 and lm32 guest support dropped
* New sub-packages (most due to ongoing modularization of QEMU):
qemu-audio-spice, qemu-hw-chardev-spice, qemu-hw-display-virtio-vga,
qemu-hw-display-virtio-gpu, qemu-hw-display-virtio-gpu-pci,
qemu-ui-spice-core, qemu-ui-opengl, qemu-ivshmem-tools
* x86: A new KVM feature which improves the handling of asynchronous page
faults is available with -cpu ...,kvm-async-pf-int (requires Linux 5.8)
* s390: More instructions emulated under TCG
* PowerPC: nvdimm= machine option now functions correctly; misc improvements
* ARM: new boards: mps2-an386 (Cortex-M4 based) and mps2-an500
(Cortex-M7 based), raspi3ap (the Pi 3 model A+), raspi0 (the Pi Zero)
and raspi1ap (the Pi A+)
* RISC-V: OpenSBI v0.8 included by default; Generic OpenSBI platform used
when no -bios argument is supplied; Support for NUMA sockets on Virt
and Spike Machines; Support for migrating machines; misc improvements
* Misc NVMe improvements
* The 'vhost-user-blk' export type has been added, allowing
qemu-storage-daemon to act as a vhost-user-blk device backend
* The SMBIOS OEM strings can now come from a file
* 9pfs - misc performance related improvements
* virtiofs - misc improvements
* migration: The default migration bandwidth has been increased to 1Gbps
(users are still encouraged to tune it to their own hardware); The new
'calc-dirty-rate' and 'query-dirty-rate' QMP commands can help determine
the likelihood of precopy migration success; TLS+multifd now supported
for higher bandwidth encrypted migration; misc minor features added
* Misc minor block features added
* Misc doc improvements
* qemu-microvm subpackage change: the bios-microvm.bin is now SeaBIOS based,
and the qboot based on is now qboot.rom
* elf2dmp is no longer part of qemu-tools (it was never intended to be
a packaged binary)
* Some subpackages which were 'Requires' are now 'Recommends', allowing for
a smaller qemu packaging footprint if needed
* Patches dropped (included in release tarball, unless otherwise noted):
docs-fix-trace-docs-build-with-sphinx-3..patch (fixed differently)
hw-hyperv-vmbus-Fix-32bit-compilation.patch
linux-user-properly-test-for-infinite-ti.patch
Switch-order-of-libraries-for-mpath-supp.patch (fixed differently)
Conditionalize-ui-bitmap-installation-be.patch (fixed differently)
hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch (no longer using gcc9)
hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch (no longer using gcc9)
roms-Makefile-enable-cross-compile-for-b.patch (fixed with different patch)
libvhost-user-handle-endianness-as-manda.patch
virtio-add-vhost-user-fs-ccw-device.patch
Fix-s-directive-argument-is-null-error.patch
build-Workaround-compilation-error-with-.patch
build-Be-explicit-about-fcommon-compiler.patch
intel-Avoid-spurious-compiler-warning-on.patch
golan-Add-explicit-type-casts-for-nodnic.patch
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
ensure-headers-included-are-compatible-w.patch
Enable-cross-compile-prefix-for-C-compil.patch (fixed differently)
hw-net-net_tx_pkt-fix-assertion-failure-.patch
hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch
s390x-protvirt-allow-to-IPL-secure-guest.patch
usb-fix-setup_len-init-CVE-2020-14364.patch
* Patches added:
meson-install-ivshmem-client-and-ivshmem.patch
Revert-roms-efirom-tests-uefi-test-tools.patch
Makefile-Don-t-check-pc-bios-as-pre-requ.patch
roms-Makefile-add-cross-file-to-qboot-me.patch
qboot-add-cross.ini-file-to-handle-aarch.patch
usb-Help-compiler-out-to-avoid-a-warning.patch
- In spec file, where reasonable, switch BuildRequires: XXX-devel
to be pkgconfig(XXX') instead
- No longer disable link time optimization for qemu for x86. It looks like
either the build service, qemu code changes and/or the switch to meson
have resolved issues previously seen there. We still see problems for
other architectures however.
- For the record, the following issues reported for SUSE SLE15-SP2
are either fixed in this current package, or are otherwise no longer
an issue: bsc#1172384 bsc#1174386 bsc#1174641 bsc#1174863 bsc#1175370
bsc#1175441 bsc#1176494 CVE-2020-13361 CVE-2020-14364 CVE-2020-15863
CVE-2020-16092 CVE-2020-24352
and the following feature requests are satisfied by this package:
jsc#SLE-13689 jsc#SEL-13780 jsc#SLE-13840
- To be more accurate, and to align with other qemu packaging
practices, rename the qemu-s390 package to qemu-s390x. The old
name (in the rpm namespace) is provided with a "Provides"
directive, and an "Obsoletes" done against that name for prior
qemu versions, as is standard practice (boo#1177764 jsc#SLE-17060)
- Take this opportunity to remove some ancient Split-Provides
mechanisms which can't conceivably be needed any more:
qemu-block-curl provided: qemu:%_libdir/%name/block-curl.so
qemu-guest-agent provided: qemu:%_bindir/qemu-ga
qemu-tools provided: qemu:%_libexecdir/qemu-bridge-helper
- Disable linux-user 'ls' test on 32 bit arm. It's failing with
"Allocating guest commpage: Cannot allocate memory" error, which
we should hunt down, but for now we don't want it to prevent the
package from being built
OBS-URL: https://build.opensuse.org/request/show/854151
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=597
2020-12-08 23:01:20 +01:00
|
|
|
@@ -459,7 +481,7 @@ cleanup:
|
2016-08-04 15:09:24 +02:00
|
|
|
}
|
|
|
|
|
while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) {
|
|
|
|
|
QSIMPLEQ_REMOVE_HEAD(&acl_list, entry);
|
|
|
|
|
- g_free(acl_rule);
|
|
|
|
|
+ free(acl_rule);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
