Accepting request 640126 from home:ldewey:branches:Virtualization
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch * Adding changes to mitigate seccomp vulnerability (CVE-2018-15746 bsc#1106222) - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch * Adding changes to mitigate seccomp vulnerability (CVE-2018-15746 bsc#1106222) - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch OBS-URL: https://build.opensuse.org/request/show/640126 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=431
parent
c5a48fe0b5
commit
72f4642d7c
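--- a/0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+++ b/0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
@@ -0,0 +1,90 @@
+From 6edbf80f95ecc20ced40004ce0e882e1cf756b98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:48 +0200
+Subject: [PATCH] seccomp: prefer SCMP_ACT_KILL_PROCESS if available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
+action (https://github.com/seccomp/libseccomp/issues/96).
+
+SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
+offending process, rather than having the SIGSYS handler running.
+
+Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
+as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
+prefer SCMP_ACT_TRAP.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit bda08a5764d470f101fa38635d30b41179a313e1)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++-
+1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 9cd8eb9499..f0c833f3ca 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -20,6 +20,7 @@
+#include <sys/prctl.h>
+#include <seccomp.h>
+#include "sysemu/seccomp.h"
++#include <linux/seccomp.h>
+
+/* For some architectures (notably ARM) cacheflush is not supported until
+* libseccomp 2.2.3, but configure enforces that we are using a more recent
+@@ -107,12 +108,40 @@ static const struct QemuSeccompSyscall blacklist[] = {
+{ SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
+};
+
++static inline __attribute__((unused)) int
++qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
++{
++#ifdef __NR_seccomp
++ return syscall(__NR_seccomp, operation, flags, args);
++#else
++ errno = ENOSYS;
++ return -1;
++#endif
++}
++
++static uint32_t qemu_seccomp_get_kill_action(void)
++{
++#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
++ defined(SECCOMP_RET_KILL_PROCESS)
++ {
++ uint32_t action = SECCOMP_RET_KILL_PROCESS;
++
++ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
++ return SCMP_ACT_KILL_PROCESS;
++ }
++ }
++#endif
++
++ return SCMP_ACT_TRAP;
++}
++
+
+static int seccomp_start(uint32_t seccomp_opts)
+{
+int rc = 0;
+unsigned int i = 0;
+scmp_filter_ctx ctx;
++ uint32_t action = qemu_seccomp_get_kill_action();
+
+ctx = seccomp_init(SCMP_ACT_ALLOW);
+if (ctx == NULL) {
+@@ -125,7 +154,7 @@ static int seccomp_start(uint32_t seccomp_opts)
+continue;
+}
+
+- rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
++ rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
+blacklist[i].narg, blacklist[i].arg_cmp);
+if (rc < 0) {
+goto seccomp_return;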
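Review bot: qemu_seccomp_get_kill_action() has no comment explaining why its fallback is SCMP_ACT_TRAP rather than the SCMP_ACT_KILL that the rule loop used before; that reasoning lives only in the commit message. A short header comment would keep it with the code, for example `/* Prefer SCMP_ACT_KILL_PROCESS when the kernel reports it via SECCOMP_GET_ACTION_AVAIL; otherwise use SCMP_ACT_TRAP, because libseccomp would silently fall back to SCMP_ACT_KILL. */`. The helper qemu_seccomp() also uses syscall() and errno while the hunk adds only <linux/seccomp.h>; presumably those declarations come from headers included above the hunk, which is worth confirming on the 3.0 branch. seccomp_start() continues outside both of its hunks.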
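--- a/0043-configure-require-libseccomp-2.2.0.patch
+++ b/0043-configure-require-libseccomp-2.2.0.patch
@@ -0,0 +1,53 @@
+From a9794287e84a87f4372a4aed027319491ec5eb68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:49 +0200
+Subject: [PATCH] configure: require libseccomp 2.2.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following patch is going to require TSYNC, which is only available
+since libseccomp 2.2.0.
+
+libseccomp 2.2.0 was released February 12, 2015.
+
+According to repology, libseccomp version in different distros:
+
+RHEL-7: 2.3.1
+Debian (Stretch): 2.3.1
+OpenSUSE Leap 15: 2.3.2
+Ubuntu (Xenial): 2.3.1
+
+This will drop support for -sandbox on:
+
+Debian (Jessie): 2.1.1 (but 2.2.3 in backports)
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit d0699bd37c48067cffbd80383172efc29da6d2f9)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+configure | 7 ++-----
+1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/configure b/configure
+index f08f2812e4..bceba37e90 100755
+--- a/configure
++++ b/configure
+@@ -2216,13 +2216,10 @@ fi
+##########################################
+# libseccomp check
+
++libseccomp_minver="2.2.0"
+if test "$seccomp" != "no" ; then
+case "$cpu" in
+- i386|x86_64)
+- libseccomp_minver="2.1.0"
+- ;;
+- mips)
+- libseccomp_minver="2.2.0"
++ i386|x86_64|mips)
+;;
+arm|aarch64)
+libseccomp_minver="2.2.3"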
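Review bot: The `i386|x86_64|mips)` arm is now an empty case body, and nothing says that it exists only to keep these CPUs out of whatever default arm follows outside the hunk. A one-line comment in that arm, such as `# the 2.2.0 default set above is sufficient here`, would stop a later cleanup from deleting it as dead code. The case statement continues past the end of the hunk, so the default arm's behaviour is inferred rather than visible.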
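--- a/0044-seccomp-set-the-seccomp-filter-to-a.patch
+++ b/0044-seccomp-set-the-seccomp-filter-to-a.patch
@@ -0,0 +1,57 @@
+From e31313eacacefad16dc536b883e139a041fd2c28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:50 +0200
+Subject: [PATCH] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using "-seccomp on", the seccomp policy is only applied to the
+main thread, the vcpu worker thread and other worker threads created
+after seccomp policy is applied; the seccomp policy is not applied to
+e.g. the RCU thread because it is created before the seccomp policy is
+applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+This can be verified with
+for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+Seccomp: 2
+Seccomp: 0
+Seccomp: 0
+Seccomp: 2
+Seccomp: 2
+Seccomp: 2
+
+Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+on all threads.
+
+libseccomp requirement was bumped to 2.2.0 in previous patch.
+libseccomp should fail to set the filter if it can't honour
+SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+kernel < 3.17.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+qemu-seccomp.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index f0c833f3ca..4729eb107f 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts)
+goto seccomp_return;
+}
+
++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++ if (rc != 0) {
++ goto seccomp_return;
++ }
++
+for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+if (!(seccomp_opts & blacklist[i].set)) {
+continue;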
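Review bot: The new `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` call carries no comment, and its failure path jumps to seccomp_return with nothing to indicate that thread synchronisation was the step that failed. Suggest `/* TSYNC: apply the filter to threads that already exist (e.g. the RCU thread), not only to the caller */` above the call. The commit message marks the behaviour on kernels older than 3.17 as untested, so the packaged build would benefit from running the per-thread `Seccomp:` status check from the description once on a supported host. seccomp_start() begins and ends outside the hunk.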
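--- a/0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+++ b/0045-sandbox-disable-sandbox-if-CONFIG_S.patch
@@ -0,0 +1,39 @@
+From b481a5487b92fa40b74d8bf8c786a35d09eb97cd Mon Sep 17 00:00:00 2001
+From: Yi Min Zhao <zyimin@linux.ibm.com>
+Date: Thu, 31 May 2018 11:29:37 +0800
+Subject: [PATCH] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If CONFIG_SECCOMP is undefined, the option 'elevatedprivileges' remains
+compiled. This would make libvirt set the corresponding capability and
+then trigger failure during guest startup. This patch moves the code
+regarding seccomp command line options to qemu-seccomp.c file and
+wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
+Because parse_sandbox() is moved into qemu-seccomp.c file, change
+seccomp_start() to static function.
+
+Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Tested-by: Ján Tomko <jtomko@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 9d0fdecbad130f01b602e35e87c6d3fad5821d6e)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+qemu-seccomp.c | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 4729eb107f..5507d9c4ef 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -135,7 +135,6 @@ static uint32_t qemu_seccomp_get_kill_action(void)
+return SCMP_ACT_TRAP;
+}
+
+-
+static int seccomp_start(uint32_t seccomp_opts)
+{
+int rc = 0;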
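Review bot: The packaged patch body contains a single removed blank line in qemu-seccomp.c, while its description talks about moving the seccomp option parsing into qemu-seccomp.c and making seccomp_start() static. Presumably the functional part is already present on the opensuse-3.0 branch and only this remainder survived the cherry-pick. If so, a sentence in the `[LD: ...]` annotation saying that would keep anyone auditing the CVE-2018-15746 backport from counting this patch as part of the fix.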
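--- a/0046-seccomp-check-TSYNC-host-capability.patch
+++ b/0046-seccomp-check-TSYNC-host-capability.patch
@@ -0,0 +1,68 @@
+From 79883c93023ec6d7b55cf2a3e91afcfda44e3a61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Thu, 30 Aug 2018 16:33:48 +0200
+Subject: [PATCH] seccomp: check TSYNC host capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove -sandbox option if the host is not capable of TSYNC, since the
+sandbox will fail at setup time otherwise. This will help libvirt, for
+ex, to figure out if -sandbox will work.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 5780760f5ea6163939a5dabe7427318b4f07d1a2)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+qemu-seccomp.c | 19 ++++++++++++++++++-
+vl.c | 4 ++--
+2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 5507d9c4ef..1d94bdaf55 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -281,7 +281,24 @@ static QemuOptsList qemu_sandbox_opts = {
+
+static void seccomp_register(void)
+{
+- qemu_add_opts(&qemu_sandbox_opts);
++ bool add = false;
++
++ /* FIXME: use seccomp_api_get() >= 2 check when released */
++
++#if defined(SECCOMP_FILTER_FLAG_TSYNC)
++ int check;
++
++ /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
++ check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
++ SECCOMP_FILTER_FLAG_TSYNC, NULL);
++ if (check < 0 && errno == EFAULT) {
++ add = true;
++ }
++#endif
++
++ if (add) {
++ qemu_add_opts(&qemu_sandbox_opts);
++ }
+}
+opts_init(seccomp_register);
+#endif
+diff --git a/vl.c b/vl.c
+index 3af5bcdc9e..a0295abb3e 100644
+--- a/vl.c
++++ b/vl.c
+@@ -4015,8 +4015,8 @@ int main(int argc, char **argv, char **envp)
+}
+
+#ifdef CONFIG_SECCOMP
+- if (qemu_opts_foreach(qemu_find_opts("sandbox"),
+- parse_sandbox, NULL, NULL)) {
++ olist = qemu_find_opts_err("sandbox", NULL);
++ if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
+exit(1);
+}
+#endif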
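Review bot: In seccomp_register() the comment above the probe says only that ENOSYS means unavailable, but the code registers the option solely on `errno == EFAULT`, so every other outcome of the probe removes -sandbox as well. The comment should state the positive condition, e.g. `/* EFAULT on the NULL filter means the kernel accepted the TSYNC flag; any other result is treated as unsupported */`. In the vl.c hunk a NULL `olist` now skips parse_sandbox() without a message. Whether a -sandbox argument given on the command line is rejected earlier in main() is outside the hunk and should be confirmed, so that a requested sandbox is never dropped silently. `olist` is declared outside the hunk.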
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 5 16:52:18 UTC 2018 - Larry Dewey <ldewey@suse.com>
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
|
||||
* Patches added:
|
||||
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
0043-configure-require-libseccomp-2.2.0.patch
|
||||
0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
0046-seccomp-check-TSYNC-host-capability.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 21 19:35:23 UTC 2018 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
|
@ -72,6 +72,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
|
||||
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
|
||||
Patch0040: 0040-linux-headers-update.patch
|
||||
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
|
||||
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
|
||||
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
ExcludeArch: s390
|
||||
@ -144,6 +149,11 @@ syscall layer occurs on the native hardware and operating system.
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
|
||||
%build
|
||||
./configure \
|
||||
|
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
|
||||
* Adding changes to mitigate seccomp vulnerability
|
||||
(CVE-2018-15746 bsc#1106222)
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
|
||||
* Patches added:
|
||||
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
0043-configure-require-libseccomp-2.2.0.patch
|
||||
0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
0046-seccomp-check-TSYNC-host-capability.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
|
@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
|
||||
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
|
||||
Patch0040: 0040-linux-headers-update.patch
|
||||
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
|
||||
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
|
||||
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
|
||||
pushd roms/seabios
|
||||
%patch1100 -p1
|
||||
|
12
qemu.changes
12
qemu.changes
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
|
||||
* Adding changes to mitigate seccomp vulnerability
|
||||
(CVE-2018-15746 bsc#1106222)
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
|
||||
* Patches added:
|
||||
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
0043-configure-require-libseccomp-2.2.0.patch
|
||||
0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
0046-seccomp-check-TSYNC-host-capability.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
|
10
qemu.spec
10
qemu.spec
@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
|
||||
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
|
||||
Patch0040: 0040-linux-headers-update.patch
|
||||
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
|
||||
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
|
||||
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
|
||||
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
|
||||
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
|
||||
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
|
||||
pushd roms/seabios
|
||||
%patch1100 -p1
|
||||
|