September 2014 - openSUSE Commits - openSUSE Mailing Lists

commit ledmon for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package ledmon for openSUSE:Factory checked in at 2014-09-06 12:18:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ledmon (Old) and /work/SRC/openSUSE:Factory/.ledmon.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ledmon" Changes: -------- --- /work/SRC/openSUSE:Factory/ledmon/ledmon.changes 2014-01-15 16:25:15.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.ledmon.new/ledmon.changes 2014-09-06 12:18:21.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Sep 3 01:48:48 CEST 2014 - ro(a)suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ledmon.spec ++++++ --- /var/tmp/diff_new_pack.DY0bbp/_old 2014-09-06 12:18:22.000000000 +0200 +++ /var/tmp/diff_new_pack.DY0bbp/_new 2014-09-06 12:18:22.000000000 +0200 @@ -19,7 +19,7 @@ Name: ledmon Url: http://sourceforge.net/projects/ledmon/ Version: 0.79 -Release: 0.<RELEASE10> +Release: 0 #Release: 0.<RELEASE5> BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Enclosure LED Utilities -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit device-mapper for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package device-mapper for openSUSE:Factory checked in at 2014-09-06 12:18:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/device-mapper (Old) and /work/SRC/openSUSE:Factory/.device-mapper.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "device-mapper" Changes: -------- --- /work/SRC/openSUSE:Factory/device-mapper/device-mapper.changes 2014-08-20 17:51:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.device-mapper.new/device-mapper.changes 2014-09-06 12:18:19.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Sep 3 01:48:48 CEST 2014 - ro(a)suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ device-mapper.spec ++++++ --- /var/tmp/diff_new_pack.VEaQMV/_old 2014-09-06 12:18:20.000000000 +0200 +++ /var/tmp/diff_new_pack.VEaQMV/_new 2014-09-06 12:18:20.000000000 +0200 @@ -23,7 +23,7 @@ %endif # Version: 1.02.78 -Release: 0.<RELEASE11> +Release: 0 Summary: Device Mapper Tools License: GPL-2.0+ and LGPL-2.1+ Group: System/Base -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit netcontrol for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package netcontrol for openSUSE:Factory checked in at 2014-09-06 12:18:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netcontrol (Old) and /work/SRC/openSUSE:Factory/.netcontrol.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "netcontrol" Changes: -------- --- /work/SRC/openSUSE:Factory/netcontrol/netcontrol.changes 2014-05-09 08:51:53.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.netcontrol.new/netcontrol.changes 2014-09-06 12:18:18.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Sep 3 01:48:48 CEST 2014 - ro(a)suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netcontrol.spec ++++++ --- /var/tmp/diff_new_pack.wGyP1u/_old 2014-09-06 12:18:19.000000000 +0200 +++ /var/tmp/diff_new_pack.wGyP1u/_new 2014-09-06 12:18:19.000000000 +0200 @@ -18,7 +18,7 @@ Name: netcontrol Version: 0.3.0 -Release: 0.<RELEASE0> +Release: 0 Summary: A network configuration library License: LGPL-2.1+ Group: Productivity/Networking/System -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit seccheck for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package seccheck for openSUSE:Factory checked in at 2014-09-06 12:18:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/seccheck (Old) and /work/SRC/openSUSE:Factory/.seccheck.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "seccheck" Changes: -------- --- /work/SRC/openSUSE:Factory/seccheck/seccheck.changes 2014-08-15 09:56:17.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.seccheck.new/seccheck.changes 2014-09-06 12:18:17.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Sep 3 12:35:19 UTC 2014 - vpereira(a)suse.com + +- refactoring: each security test, has its own helper +- ran spec-clean + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ seccheck-3.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/helper.inc new/seccheck-3.0/helper.inc --- old/seccheck-3.0/helper.inc 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -80,20 +80,6 @@ /bin/mv "$out1" "$old1" } -# params -# $1 = directory for checkneverlogin -function check_neverlogin () { - bin_path=$1 - # - local output_file=`mktemp -t neverlogin.XXXX` # TEMPDIR is set but not exported.. does it work? - - $bin_path/checkneverlogin > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nPlease check and perhaps disable the following unused accounts:\n" - cat "$output_file" - fi - rm -f "$output_file" -} # use john the ripper to check guessable passwords # if you pass "quick" as argument it will simple try to find easy @@ -126,51 +112,7 @@ fi } -# param mount points -function check_suid_sgid () { - mnt_point=$1 - local output_file=`mktemp -t suid_sgid.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount $ -perm -04000 -o -perm -02000 $ -type f | sort | \ - xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null - diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following files are suid/sgid:\n" - cat "$output_file" - fi - mv "$SEC_DATA/sbit.new" "$SEC_DATA/sbit" - rm -f "$output_file" -} - -# param mount points -function check_writable_executable () { - mnt_point=$1 - local output_file=`mktemp -t writable_executable.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount $ -perm -30 -o -perm -3 $ -type f | sort | \ - xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null - diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \ - egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following program executables are group/world writeable:\n" - cat "$output_file" - fi - mv "$SEC_DATA/write-bin.new" "$SEC_DATA/write-bin" - rm -f "$output_file" -} -# param mount points -function check_world_writable () { - mnt_point=$1 - local output_file=`mktemp -t world_writable.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount -perm -2 $ -type f -o -type d $ -not -perm -01000 | sort > "$SEC_DATA/write.new" ) 2> /dev/null - diff -uw "$SEC_DATA/write" "$SEC_DATA/write.new" | \ - egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following files/directories are world writeable and not sticky:\n" - cat "$output_file" - fi - mv "$SEC_DATA/write.new" "$SEC_DATA/write" - rm -f "$output_file" -} # param mount points function check_new_devices () { @@ -235,40 +177,6 @@ rm -f "$output_file" } -# promisc check to catch all cases even from other hosts if -function check_promisc () { - # new promisc check - # rewrite of promisc check to catch all cases even from other hosts if - # script runs on a central syslog host. Thomas Biege <thomas(a)suse.de> - - local output_file=`mktemp -t mounted_with_missing_nosuid.XXXX` # TEMPDIR is set but not exported.. does it work? - - # local devices - for IF in $(grep "$(date +"%b %e")" /var/log/messages \ - | grep "$HOSTNAME kernel: device .* entered promiscuous mode" \ - | awk -F' ' '{print $7}') - do - ifconfig $IF | grep -C 2 PROMISC | grep -v ' [RT]X p' >> $output_file - done - - if [ -s "$output_file" ] ; then - printf "\nChecking local devices for promiscious mode.\n" - cat "$output_file" - fi - rm -f "$output_file" - # remote devices - for LL in $(grep "$(date +"%b %e")" /var/log/messages \ - | grep "kernel: device .* entered promiscuous mode" \ - | grep -v "$HOSTAME") - do - echo "$LL" >> $output_file - done - if [ -s "$output_file" ] ; then - printf "\nChecking remote devices for promiscious mode. (raw log entries)\n" - cat "$output_file" - fi - rm -f "$output_file" -} function check_for_globally_exported_fs () { @@ -297,18 +205,3 @@ rm -f "$output_file" fi } - - -function check_mailboxes_owned_by_user_and_unreadable () { - local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? - ls -cl /var/spool/mail | sed 1d | \ - awk '$3 != $9 \ - { print "user " $9 " mailbox is owned by " $3 } - $1 != "-rw-------" \ - { print "user " $9 " mailbox is " $1 ", group " $4 }' > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking mailbox ownership.\n" - sort -u "$output_file" - fi - rm -f "$output_file" -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/misc_helper.inc new/seccheck-3.0/misc_helper.inc --- old/seccheck-3.0/misc_helper.inc 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/misc_helper.inc 1970-01-01 01:00:00.000000000 +0100 @@ -1,285 +0,0 @@ -# misc security checks - -# executables should not be in the /etc/aliases file. -function no_exec_in_etcaliases () { - if [ -s /etc/aliases ]; then - local output_file=`mktemp -t no_exec_in_etcaliases.XXXX` # TEMPDIR is set but not exported.. does it work? - grep -v '^#' /etc/aliases | grep '|' > $output_file - if [ -s "$output_file" ] ; then - printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" - cat "$output_file" - fi - rm -f "$output_file" - fi - - -} - -# it doesnt save it to a file like the others.. why? -function check_no_plus () { - local output_file=`mktemp -t check_no_plus.XXXX` # TEMPDIR is set but not exported.. does it work? - list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" - for f in $list ; do - if [ -s "$f" ] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\nPlus sign in the file %s\n", FILENAME); - }' $f - fi - done -} - -# .rhosts check -function check_rhosts () { - local output_file=`mktemp -t check_rhosts.XXXX` # TEMPDIR is set but not exported.. does it work? - awk -F: '{ print $1 " " $6 }' /etc/passwd | - while read uid homedir; do - for j in .rhosts .shosts; do - if [ -s ${homedir}/$j ] ; then - rhost=`ls -lcdbg ${homedir}/$j|sed 's/[%\]/_/g'` - printf "$uid: $rhost\n" - test -f "$j" && { # still a race, however ... - if egrep \\+ ${homedir}/$j > /dev/null ; then - printf "\t(has got a plus (+) sign!)\n" - fi - } - fi - done - done > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking for users with .rhosts/.shosts files.\n" - cat "$output_file" - fi - rm -f "$output_file" -} - -# Check home directories. Directories should not be owned by someone else -function check_home_directories_owners () { - local output_file=`mktemp -t home_directories_owners.XXXX` # TEMPDIR is set but not exported.. does it work? - awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ - while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'` - printf "$uid $file\n" - fi - done | - awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " : home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " : home directory is group writeable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " : home directory is other writeable" }' > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking home directories.\n" - sort -u "$output_file" - fi - rm -f "$output_file" -} - - -# Files that should not be owned by someone else or writeable. -function check_special_files_owner () { - output_file=`mktemp -t specia_files_owner.XXXX` # TEMPDIR is set but not exported.. does it work? - list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ - .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ - .nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ - .ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults .rhosts \ - .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed \ - .pgp/randseed.bin .netrc .exrc .vimrc .viminfo" - awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ - while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f "$file" ] ; then - printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n" - fi - done - done | - awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' >> $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking dot files.\n" - sort -u "$output_file" - fi -} - -# checking root's login scrips for secure path and umask -function check_root_login_scripts () { - local output_file=`mktemp -t check_root_login_scripts.0.XXXX` # TEMPDIR is set but not exported.. does it work? - local tmp_file1=`mktemp -t check_root_login_scripts.1.XXXX` # TEMPDIR is set but not exported.. does it work? - local tmp_file2=`mktemp -t check_root_login_scripts.2.XXXX` # TEMPDIR is set but not exported.. does it work? - rhome=/root - umaskset=no - list="/etc/csh.cshrc /etc/csh.login" - for i in $list ; do - if [ -s "$i" ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes - fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $output_file - SAVE_PATH=$PATH - unset PATH 2> /dev/null || PATH="" # redhat ... - /bin/csh -f -s << end-of-csh > /dev/null 2>&1 - test -f "$i" && ( # still a race - source $i - /bin/ls -ldcbg \$path > $tmp_file1 - ) -end-of-csh - PATH=$SAVE_PATH - awk '{ - if ($9 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $9 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $9 " is other writeable." }' \ - < $tmp_file1 >> $tmp_file2 - fi - done - if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then - sort -u $tmp_file2 > $output_file - printf "\nChecking root csh paths, umask values:\n$list\n" - if [ -s "$output_file" ] ; then - cat "$output_file" - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot csh startup files do not set the umask.\n" - fi - fi - > $output_file - > $tmp_file1 - > $tmp_file2 - rhome=/root - umaskset=no - list="/etc/profile ${rhome}/.profile ${rhome}/.bashrc ${rhome}/.bash_login" - for i in $list; do - if [ -s "$i" ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes - fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } \ - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $output_file - SAVE_PATH=$PATH - unset PATH 2> /dev/null || PATH="" # redhat again ... - /bin/sh << end-of-sh > /dev/null 2>&1 - file "$i" | grep -qw text && . $i - list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` - /bin/ls -ldgbT \$list > $tmp_file1 -end-of-sh - PATH=$SAVE_PATH - awk '{ - if ($9 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $9 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $9 " is other writeable." }' \ - < $tmp_file1 >> $tmp_file2 - - fi - done - if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then - sort -u $tmp_file2 > $output_file - printf "\nChecking root sh paths, umask values:\n$list\n" - if [ -s "$output_file" ] ; then - cat "$output_file" - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot sh startup files do not set the umask.\n" - fi - fi - rm -f "$output_file" "$tmp_file1" "$tmp_file2" -} - -function check_ASLR_enabled () { - if test `cat /proc/sys/kernel/randomize_va_space` -ne 2; then - printf "ASLR isnt enable. By default its enabled.\n" - fi -} - -function check_leak_kernel_internal_addresses () { - if test `cat /proc/sys/kernel/kptr_restrict` -ne 1; then - printf "/proc/sys/kernel/kptr_restrict should be 1.\n" - fi - - if test `cat /proc/sys/kernel/dmesg_restrict` -ne 1; then - printf "/proc/sys/kernel/dmesg_restrict should be 1.\n" - fi - -} - - -function check_xinetd_services () { - local output_file=`mktemp -t check_xinted_services.XXXX` # TEMPDIR is set but not exported.. does it work? - /sbin/chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off > "$SEC_DATA/xinetd.new" - diff -uw "$SEC_DATA/xinetd" "$SEC_DATA/xinetd.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in xinetd running services output:\n" - cat "$output_file" - fi - mv "$SEC_DATA/xinetd.new" "$SEC_DATA/xinetd" - rm -f "$output_file" -} - -function check_systemd_services() { - local output_file=`mktemp -t check_systemd_services.XXXX` # TEMPDIR is set but not exported.. does it work? - /usr/bin/systemctl list-unit-files --type=service > "$SEC_DATA/systemd_services.new" - diff -uw "$SEC_DATA/systemd_services" "$SEC_DATA/systemd_services.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in systemctl services output:\n" - cat "$output_file" - fi - mv "$SEC_DATA/systemd_services.new" "$SEC_DATA/systemd_services" - rm -f "$output_file" -} - -function check_sysctl () { - local output_file=`mktemp -t check_sysctl.XXXX` # TEMPDIR is set but not exported.. does it work? - /usr/sbin/sysctl -a > "$SEC_DATA/sysctl.new" - diff -uw "$SEC_DATA/sysctl" "$SEC_DATA/sysctl.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in the output from sysctl -a:\n" - cat "$output_file" - fi - mv "$SEC_DATA/sysctl.new" "$SEC_DATA/sysctl" - rm -f "$output_file" -} - -# params -# $1 the sysctl param -# $2 the returned value expected -function check_specifics_sysctl_helper () { - test `cat "$SEC_DATA/sysctl" | grep "$1" | cut -f2 -d'='` -eq "$2" -} - -# some specific security sysctl parameters -function check_specifics_sysctl () { - - if [ ! -e "$SEC_DATA/sysctl" ]; then - /usr/sbin/sysctl -a > "$SEC_DATA/sysctl" - fi - # we can refactor it in a loop - check_specifics_sysctl_helper "net.ipv4.tcp_syncookies" 1 || printf "\nnet.ipv4.tcp_syncookies is disabled\n" - check_specifics_sysctl_helper "net.ipv4.conf.all.accept_source_route" 0 || printf "\nnet.ipv4.conf.all.accept_source_route is enabled" - check_specifics_sysctl_helper "net.ipv4.conf.all.accept_redirects" 0 || printf "\nnet.ipv4.conf.all_accept_redirects is enabled\n" - check_specifics_sysctl_helper "net.ipv4.conf.all.rp_filter" 1 || printf "\nnet.ipv4.conf.all.rp_filter\n is disabled" -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security-daily.sh new/seccheck-3.0/security-daily.sh --- old/seccheck-3.0/security-daily.sh 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/security-daily.sh 2014-08-25 11:36:55.000000000 +0200 @@ -13,8 +13,8 @@ . $MY_DIR/basic.inc source $MY_DIR/helper.inc +source $MY_DIR/security_daily_helper.inc source $MY_DIR/user_group_password_helper.inc -source $MY_DIR/misc_helper.inc set_tmpdir "security-daily.sh" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security-weekly.sh new/seccheck-3.0/security-weekly.sh --- old/seccheck-3.0/security-weekly.sh 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/security-weekly.sh 2014-08-25 11:36:55.000000000 +0200 @@ -16,8 +16,8 @@ . $MY_DIR/basic.inc source $MY_DIR/helper.inc +source $MY_DIR/security_weekly_helper.inc source $MY_DIR/user_group_password_helper.inc -source $MY_DIR/misc_helper.inc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security_daily_helper.inc new/seccheck-3.0/security_daily_helper.inc --- old/seccheck-3.0/security_daily_helper.inc 1970-01-01 01:00:00.000000000 +0100 +++ new/seccheck-3.0/security_daily_helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -0,0 +1,331 @@ +# tests specific for security-daily.sh +function check_mailboxes_owned_by_user_and_unreadable () { + local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? + ls -cl /var/spool/mail | sed 1d | \ + awk '$3 != $9 \ + { print "user " $9 " mailbox is owned by " $3 } + $1 != "-rw-------" \ + { print "user " $9 " mailbox is " $1 ", group " $4 }' > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking mailbox ownership.\n" + sort -u "$output_file" + fi + rm -f "$output_file" +} + +# params +# $1 the sysctl param +# $2 the returned value expected +function check_specifics_sysctl_helper () { + test `cat "$SEC_DATA/sysctl" | grep "$1" | cut -f2 -d'='` -eq "$2" +} + +# some specific security sysctl parameters +function check_specifics_sysctl () { + + if [ ! -e "$SEC_DATA/sysctl" ]; then + /usr/sbin/sysctl -a > "$SEC_DATA/sysctl" + fi + # we can refactor it in a loop + check_specifics_sysctl_helper "net.ipv4.tcp_syncookies" 1 || printf "\nnet.ipv4.tcp_syncookies is disabled\n" + check_specifics_sysctl_helper "net.ipv4.conf.all.accept_source_route" 0 || printf "\nnet.ipv4.conf.all.accept_source_route is enabled" + check_specifics_sysctl_helper "net.ipv4.conf.all.accept_redirects" 0 || printf "\nnet.ipv4.conf.all_accept_redirects is enabled\n" + check_specifics_sysctl_helper "net.ipv4.conf.all.rp_filter" 1 || printf "\nnet.ipv4.conf.all.rp_filter\n is disabled" +} + +function check_systemd_services() { + local output_file=`mktemp -t check_systemd_services.XXXX` # TEMPDIR is set but not exported.. does it work? + /usr/bin/systemctl list-unit-files --type=service > "$SEC_DATA/systemd_services.new" + diff -uw "$SEC_DATA/systemd_services" "$SEC_DATA/systemd_services.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in systemctl services output:\n" + cat "$output_file" + fi + mv "$SEC_DATA/systemd_services.new" "$SEC_DATA/systemd_services" + rm -f "$output_file" +} + +function check_sysctl () { + local output_file=`mktemp -t check_sysctl.XXXX` # TEMPDIR is set but not exported.. does it work? + /usr/sbin/sysctl -a > "$SEC_DATA/sysctl.new" + diff -uw "$SEC_DATA/sysctl" "$SEC_DATA/sysctl.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in the output from sysctl -a:\n" + cat "$output_file" + fi + mv "$SEC_DATA/sysctl.new" "$SEC_DATA/sysctl" + rm -f "$output_file" +} + +function check_xinetd_services () { + local output_file=`mktemp -t check_xinetd_services.XXXX` # TEMPDIR is set but not exported.. does it work? + /sbin/chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off > "$SEC_DATA/xinetd.new" + diff -uw "$SEC_DATA/xinetd" "$SEC_DATA/xinetd.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in xinetd running services output:\n" + cat "$output_file" + fi + mv "$SEC_DATA/xinetd.new" "$SEC_DATA/xinetd" + rm -f "$output_file" +} + +function check_ASLR_enabled () { + if test `cat /proc/sys/kernel/randomize_va_space` -ne 2; then + printf "ASLR isnt enable. By default its enabled.\n" + fi +} + +function check_leak_kernel_internal_addresses () { + if test `cat /proc/sys/kernel/kptr_restrict` -ne 1; then + printf "/proc/sys/kernel/kptr_restrict should be 1.\n" + fi + + if test `cat /proc/sys/kernel/dmesg_restrict` -ne 1; then + printf "/proc/sys/kernel/dmesg_restrict should be 1.\n" + fi + +} + +# promisc check to catch all cases even from other hosts if +function check_promisc () { + # new promisc check + # rewrite of promisc check to catch all cases even from other hosts if + # script runs on a central syslog host. Thomas Biege <thomas(a)suse.de> + + local output_file=`mktemp -t mounted_with_missing_nosuid.XXXX` # TEMPDIR is set but not exported.. does it work? + + # local devices + for IF in $(grep "$(date +"%b %e")" /var/log/messages \ + | grep "$HOSTNAME kernel: device .* entered promiscuous mode" \ + | awk -F' ' '{print $7}') + do + ifconfig $IF | grep -C 2 PROMISC | grep -v ' [RT]X p' >> $output_file + done + + if [ -s "$output_file" ] ; then + printf "\nChecking local devices for promiscious mode.\n" + cat "$output_file" + fi + rm -f "$output_file" + # remote devices + for LL in $(grep "$(date +"%b %e")" /var/log/messages \ + | grep "kernel: device .* entered promiscuous mode" \ + | grep -v "$HOSTAME") + do + echo "$LL" >> $output_file + done + if [ -s "$output_file" ] ; then + printf "\nChecking remote devices for promiscious mode. (raw log entries)\n" + cat "$output_file" + fi + rm -f "$output_file" +} + +# .rhosts check +function check_rhosts () { + local output_file=`mktemp -t check_rhosts.XXXX` # TEMPDIR is set but not exported.. does it work? + awk -F: '{ print $1 " " $6 }' /etc/passwd | + while read uid homedir; do + for j in .rhosts .shosts; do + if [ -s ${homedir}/$j ] ; then + rhost=`ls -lcdbg ${homedir}/$j|sed 's/[%\]/_/g'` + printf "$uid: $rhost\n" + test -f "$j" && { # still a race, however ... + if egrep \\+ ${homedir}/$j > /dev/null ; then + printf "\t(has got a plus (+) sign!)\n" + fi + } + fi + done + done > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking for users with .rhosts/.shosts files.\n" + cat "$output_file" + fi + rm -f "$output_file" +} + +# executables should not be in the /etc/aliases file. +function no_exec_in_etcaliases () { + if [ -s /etc/aliases ]; then + local output_file=`mktemp -t no_exec_in_etcaliases.XXXX` # TEMPDIR is set but not exported.. does it work? + grep -v '^#' /etc/aliases | grep '|' > $output_file + if [ -s "$output_file" ] ; then + printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" + cat "$output_file" + fi + rm -f "$output_file" + fi + + +} + +# it doesnt save it to a file like the others.. why? +function check_no_plus () { + local output_file=`mktemp -t check_no_plus.XXXX` # TEMPDIR is set but not exported.. does it work? + list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" + for f in $list ; do + if [ -s "$f" ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\nPlus sign in the file %s\n", FILENAME); + }' $f + fi + done +} + +# Check home directories. Directories should not be owned by someone else +function check_home_directories_owners () { + local output_file=`mktemp -t home_directories_owners.XXXX` # TEMPDIR is set but not exported.. does it work? + awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ + while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'` + printf "$uid $file\n" + fi + done | + awk '$1 != $4 && $4 != "root" \ + { print "user " $1 " : home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user " $1 " : home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user " $1 " : home directory is other writeable" }' > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking home directories.\n" + sort -u "$output_file" + fi + rm -f "$output_file" +} + +# Files that should not be owned by someone else or writeable. +function check_special_files_owner () { + output_file=`mktemp -t specia_files_owner.XXXX` # TEMPDIR is set but not exported.. does it work? + list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ + .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ + .nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ + .ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults .rhosts \ + .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed \ + .pgp/randseed.bin .netrc .exrc .vimrc .viminfo" + awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ + while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f "$file" ] ; then + printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n" + fi + done + done | + awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " : file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " : file is other writeable" }' >> $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking dot files.\n" + sort -u "$output_file" + fi +} + +# checking root's login scrips for secure path and umask +function check_root_login_scripts () { + local output_file=`mktemp -t check_root_login_scripts.0.XXXX` # TEMPDIR is set but not exported.. does it work? + local tmp_file1=`mktemp -t check_root_login_scripts.1.XXXX` # TEMPDIR is set but not exported.. does it work? + local tmp_file2=`mktemp -t check_root_login_scripts.2.XXXX` # TEMPDIR is set but not exported.. does it work? + rhome=/root + umaskset=no + list="/etc/csh.cshrc /etc/csh.login" + for i in $list ; do + if [ -s "$i" ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $output_file + SAVE_PATH=$PATH + unset PATH 2> /dev/null || PATH="" # redhat ... + /bin/csh -f -s << end-of-csh > /dev/null 2>&1 + test -f "$i" && ( # still a race + source $i + /bin/ls -ldcbg \$path > $tmp_file1 + ) +end-of-csh + PATH=$SAVE_PATH + awk '{ + if ($9 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $9 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $9 " is other writeable." }' \ + < $tmp_file1 >> $tmp_file2 + fi + done + if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then + sort -u $tmp_file2 > $output_file + printf "\nChecking root csh paths, umask values:\n$list\n" + if [ -s "$output_file" ] ; then + cat "$output_file" + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot csh startup files do not set the umask.\n" + fi + fi + > $output_file + > $tmp_file1 + > $tmp_file2 + rhome=/root + umaskset=no + list="/etc/profile ${rhome}/.profile ${rhome}/.bashrc ${rhome}/.bash_login" + for i in $list; do + if [ -s "$i" ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } \ + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $output_file + SAVE_PATH=$PATH + unset PATH 2> /dev/null || PATH="" # redhat again ... + /bin/sh << end-of-sh > /dev/null 2>&1 + file "$i" | grep -qw text && . $i + list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` + /bin/ls -ldgbT \$list > $tmp_file1 +end-of-sh + PATH=$SAVE_PATH + awk '{ + if ($9 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $9 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $9 " is other writeable." }' \ + < $tmp_file1 >> $tmp_file2 + + fi + done + if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then + sort -u $tmp_file2 > $output_file + printf "\nChecking root sh paths, umask values:\n$list\n" + if [ -s "$output_file" ] ; then + cat "$output_file" + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot sh startup files do not set the umask.\n" + fi + fi + rm -f "$output_file" "$tmp_file1" "$tmp_file2" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security_weekly_helper.inc new/seccheck-3.0/security_weekly_helper.inc --- old/seccheck-3.0/security_weekly_helper.inc 1970-01-01 01:00:00.000000000 +0100 +++ new/seccheck-3.0/security_weekly_helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -0,0 +1,60 @@ +# param mount points +function check_suid_sgid () { + mnt_point=$1 + local output_file=`mktemp -t suid_sgid.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount $ -perm -04000 -o -perm -02000 $ -type f | sort | \ + xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null + diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following files are suid/sgid:\n" + cat "$output_file" + fi + mv "$SEC_DATA/sbit.new" "$SEC_DATA/sbit" + rm -f "$output_file" +} + +# param mount points +function check_writable_executable () { + mnt_point=$1 + local output_file=`mktemp -t writable_executable.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount $ -perm -30 -o -perm -3 $ -type f | sort | \ + xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null + diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \ + egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following program executables are group/world writeable:\n" + cat "$output_file" + fi + mv "$SEC_DATA/write-bin.new" "$SEC_DATA/write-bin" + rm -f "$output_file" +} + +# param mount points +function check_world_writable () { + mnt_point=$1 + local output_file=`mktemp -t world_writable.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount -perm -2 $ -type f -o -type d $ -not -perm -01000 | sort > "$SEC_DATA/write.new" ) 2> /dev/null + diff -uw "$SEC_DATA/write" "$SEC_DATA/write.new" | \ + egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following files/directories are world writeable and not sticky:\n" + cat "$output_file" + fi + mv "$SEC_DATA/write.new" "$SEC_DATA/write" + rm -f "$output_file" +} + +# params +# $1 = directory for checkneverlogin +function check_neverlogin () { + bin_path=$1 + # + local output_file=`mktemp -t neverlogin.XXXX` # TEMPDIR is set but not exported.. does it work? + + $bin_path/checkneverlogin > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nPlease check and perhaps disable the following unused accounts:\n" + cat "$output_file" + fi + rm -f "$output_file" +} -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit ibacm for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package ibacm for openSUSE:Factory checked in at 2014-09-06 12:18:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ibacm (Old) and /work/SRC/openSUSE:Factory/.ibacm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ibacm" Changes: -------- --- /work/SRC/openSUSE:Factory/ibacm/ibacm.changes 2014-07-04 09:34:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ibacm.new/ibacm.changes 2014-09-06 12:18:16.000000000 +0200 @@ -2 +2 @@ -Wed Jun 25 11:14:23 CEST 2014 - pth(a)suse.de +Fri Aug 29 16:39:18 CEST 2014 - pth(a)suse.de @@ -4 +4,6 @@ -- Provide full source URL +- Fix another case of type-punning by using memcpy. + +------------------------------------------------------------------- +Tue Jun 3 11:24:34 CEST 2014 - pth(a)suse.de + +- Update to OFED 3.12 final. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ibacm.spec ++++++ --- /var/tmp/diff_new_pack.Gk3SCR/_old 2014-09-06 12:18:17.000000000 +0200 +++ /var/tmp/diff_new_pack.Gk3SCR/_new 2014-09-06 12:18:17.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package ibacm # -# Copyright (c) 2012-2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ License: GPL-2.0 or BSD-2-Clause Group: Productivity/Networking/System Url: http://www.openfabrics.org/ -Source: https://www.openfabrics.org/downloads/rdmacm/%{name}-%{version}.tar.gz +Source: %{name}-%{version}.tar.gz # PATCH-FIX-UPSTREAM ibacm-no_type_punning.patch Patch0: ibacm-no_type_punning.patch BuildRequires: libibumad-devel ++++++ ibacm-no_type_punning.patch ++++++ --- /var/tmp/diff_new_pack.Gk3SCR/_old 2014-09-06 12:18:17.000000000 +0200 +++ /var/tmp/diff_new_pack.Gk3SCR/_new 2014-09-06 12:18:17.000000000 +0200 @@ -6,14 +6,14 @@ Replace unsafe type punning by cast by two memcpy and a temp variable. --- - src/acm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) + src/acm.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) Index: src/acm.c =================================================================== ---- src/acm.c.orig 2011-09-14 23:48:29.000000000 +0200 -+++ src/acm.c 2012-09-14 13:45:40.262038135 +0200 -@@ -31,6 +31,7 @@ +--- src/acm.c.orig 2013-07-26 06:27:59.000000000 +0200 ++++ src/acm.c 2014-08-29 16:52:58.562260193 +0200 +@@ -32,6 +32,7 @@ # include <config.h> #endif /* HAVE_CONFIG_H */ @@ -21,7 +21,7 @@ #include <stdio.h> #include <stdarg.h> #include <string.h> -@@ -1573,7 +1574,7 @@ static void acm_process_timeouts(void) +@@ -1605,7 +1606,7 @@ static void acm_process_timeouts(void) DListRemove(entry); msg = container_of(entry, struct acm_send_msg, entry); @@ -30,3 +30,15 @@ acm_format_name(0, log_data, sizeof log_data, rec->dest_type, rec->dest, sizeof rec->dest); +@@ -2740,8 +2741,10 @@ static int acm_parse_osm_fullv1_paths(FI + for (i = 0; i < 2; i++) { + memset(addr, 0, ACM_MAX_ADDRESS); + if (i == 0) { ++ uint16_t ui_addr; + addr_type = ACM_ADDRESS_LID; +- *((uint16_t *) addr) = htons(dlid); ++ ui_addr = htons(dlid); ++ memcpy(&addr, &ui_addr, sizeof(uint16_t)); + } else { + addr_type = ACM_ADDRESS_GID; + memcpy(addr, &dgid, sizeof(dgid)); -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit haproxy for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-09-06 12:18:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-08-25 11:05:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-09-06 12:18:15.000000000 +0200 @@ -1,0 +2,26 @@ +Wed Sep 3 07:35:14 UTC 2014 - kgronlund(a)suse.com + +- update to 1.5.4 + - BUG: config: error in http-response replace-header number of arguments + - BUG/MINOR: Fix search for -p argument in systemd wrapper. + - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm + - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported + - MEDIUM: connection: add new bit in Proxy Protocol V2 + - BUG/MINOR: server: move the directive #endif to the end of file + - BUG/MEDIUM: http: tarpit timeout is reset + - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* + - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() + - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs + - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() + - BUG/MEDIUM: acl: correctly compute the output type when a converter is used + - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix + - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer + +- Dropped patches: + - 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch + - 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch + - 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch + - 0004-BUG-config-error-in-http-response-replace-header-num.patch + - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch + +------------------------------------------------------------------- Old: ---- 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch 0004-BUG-config-error-in-http-response-replace-header-num.patch 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch haproxy-1.5.3.tar.gz New: ---- haproxy-1.5.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.AXQ9m9/_old 2014-09-06 12:18:16.000000000 +0200 +++ /var/tmp/diff_new_pack.AXQ9m9/_new 2014-09-06 12:18:16.000000000 +0200 @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.3 +Version: 1.5.4 Release: 0 # # @@ -61,11 +61,6 @@ Patch2: haproxy-makefile_lib.patch Patch3: sec-options.patch Patch4: haproxy-1.5_check_config_before_start.patch -Patch5: 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch -Patch6: 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch -Patch7: 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch -Patch8: 0004-BUG-config-error-in-http-response-replace-header-num.patch -Patch9: 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -99,11 +94,6 @@ %patch2 %patch3 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 %build %{__make} \ ++++++ haproxy-1.5.3.tar.gz -> haproxy-1.5.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/CHANGELOG new/haproxy-1.5.4/CHANGELOG --- old/haproxy-1.5.3/CHANGELOG 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/CHANGELOG 2014-09-02 13:54:16.000000000 +0200 @@ -1,6 +1,22 @@ ChangeLog : =========== +2014/09/02 : 1.5.4 + - BUG: config: error in http-response replace-header number of arguments + - BUG/MINOR: Fix search for -p argument in systemd wrapper. + - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm + - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported + - MEDIUM: connection: add new bit in Proxy Protocol V2 + - BUG/MINOR: server: move the directive #endif to the end of file + - BUG/MEDIUM: http: tarpit timeout is reset + - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* + - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() + - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs + - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() + - BUG/MEDIUM: acl: correctly compute the output type when a converter is used + - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix + - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer + 2014/07/25 : 1.5.3 - DOC: fix typo in Unix Socket commands - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/README new/haproxy-1.5.4/README --- old/haproxy-1.5.3/README 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/README 2014-09-02 13:54:16.000000000 +0200 @@ -1,9 +1,9 @@ ---------------------- HAProxy how-to ---------------------- - version 1.5.3 + version 1.5.4 willy tarreau - 2014/07/25 + 2014/09/02 1) How to build it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/VERDATE new/haproxy-1.5.4/VERDATE --- old/haproxy-1.5.3/VERDATE 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/VERDATE 2014-09-02 13:54:16.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2014/07/25 +2014/09/02 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/VERSION new/haproxy-1.5.4/VERSION --- old/haproxy-1.5.3/VERSION 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/VERSION 2014-09-02 13:54:16.000000000 +0200 @@ -1 +1 @@ -1.5.3 +1.5.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/doc/configuration.txt new/haproxy-1.5.4/doc/configuration.txt --- old/haproxy-1.5.3/doc/configuration.txt 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/doc/configuration.txt 2014-09-02 13:54:16.000000000 +0200 @@ -2,9 +2,9 @@ HAProxy Configuration Manual ---------------------- - version 1.5.3 + version 1.5.4 willy tarreau - 2014/07/25 + 2014/09/02 This document covers the configuration language as implemented in the version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/examples/haproxy.spec new/haproxy-1.5.4/examples/haproxy.spec --- old/haproxy-1.5.3/examples/haproxy.spec 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/examples/haproxy.spec 2014-09-02 13:54:16.000000000 +0200 @@ -1,6 +1,6 @@ Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments Name: haproxy -Version: 1.5.3 +Version: 1.5.4 Release: 1 License: GPL Group: System Environment/Daemons @@ -76,6 +76,9 @@ %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name} %changelog +* Tue Sep 2 2014 Willy Tarreau <w(a)1wt.eu> +- updated to 1.5.4 + * Fri Jul 25 2014 Willy Tarreau <w(a)1wt.eu> - updated to 1.5.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/proto/server.h new/haproxy-1.5.4/include/proto/server.h --- old/haproxy-1.5.3/include/proto/server.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/proto/server.h 2014-09-02 13:54:16.000000000 +0200 @@ -54,8 +54,6 @@ s->counters.last_sess = now.tv_sec; } -#endif /* _PROTO_SERVER_H */ - /* * Registers the server keyword list <kwl> as a list of valid keywords for next * parsing sessions. @@ -200,6 +198,8 @@ srv_clr_admin_flag(s, SRV_ADMF_FMAINT); } +#endif /* _PROTO_SERVER_H */ + /* * Local variables: * c-indent-level: 8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/proto/ssl_sock.h new/haproxy-1.5.4/include/proto/ssl_sock.h --- old/haproxy-1.5.3/include/proto/ssl_sock.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/proto/ssl_sock.h 2014-09-02 13:54:16.000000000 +0200 @@ -51,7 +51,8 @@ const char *ssl_sock_get_cipher_name(struct connection *conn); const char *ssl_sock_get_proto_version(struct connection *conn); char *ssl_sock_get_version(struct connection *conn); -int ssl_sock_get_cert_used(struct connection *conn); +int ssl_sock_get_cert_used_sess(struct connection *conn); +int ssl_sock_get_cert_used_conn(struct connection *conn); int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out); unsigned int ssl_sock_get_verify_result(struct connection *conn); #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/types/channel.h new/haproxy-1.5.4/include/types/channel.h --- old/haproxy-1.5.3/include/types/channel.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/types/channel.h 2014-09-02 13:54:16.000000000 +0200 @@ -105,7 +105,7 @@ #define CF_STREAMER 0x00010000 /* the producer is identified as streaming data */ #define CF_STREAMER_FAST 0x00020000 /* the consumer seems to eat the stream very fast */ -/* unused: 0x00040000 */ +#define CF_WROTE_DATA 0x00040000 /* some data were sent from this buffer */ #define CF_ANA_TIMEOUT 0x00080000 /* the analyser timeout has expired */ #define CF_READ_ATTACHED 0x00100000 /* the read side is attached for the first time */ #define CF_KERN_SPLICING 0x00200000 /* kernel splicing desired for this channel */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/types/connection.h new/haproxy-1.5.4/include/types/connection.h --- old/haproxy-1.5.3/include/types/connection.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/types/connection.h 2014-09-02 13:54:16.000000000 +0200 @@ -345,8 +345,9 @@ uint8_t sub_tlv[0]; }__attribute__((packed)); -#define PP2_CLIENT_SSL 0x01 -#define PP2_CLIENT_CERT 0x02 +#define PP2_CLIENT_SSL 0x01 +#define PP2_CLIENT_CERT_CONN 0x02 +#define PP2_CLIENT_CERT_SESS 0x04 #endif /* _TYPES_CONNECTION_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/acl.c new/haproxy-1.5.4/src/acl.c --- old/haproxy-1.5.3/src/acl.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/acl.c 2014-09-02 13:54:16.000000000 +0200 @@ -145,7 +145,6 @@ const char *begw; const char *endw; const char *endt; - unsigned long prev_type; int cur_type; int nbargs; int operator = STD_OP_EQ; @@ -161,6 +160,7 @@ struct pat_ref *ref; struct pattern_expr *pattern_expr; int load_as_map = 0; + int acl_conv_found = 0; /* First, we look for an ACL keyword. And if we don't find one, then * we look for a sample fetch expression starting with a sample fetch @@ -229,8 +229,10 @@ /* look for the begining of the converters list. Those directly attached * to the ACL keyword are found just after <arg> which points to the comma. + * If we find any converter, then we don't use the ACL keyword's match + * anymore but the one related to the converter's output type. */ - prev_type = smp->fetch->out_type; + cur_type = smp->fetch->out_type; while (*arg) { struct sample_conv *conv; struct sample_conv_expr *conv_expr; @@ -289,19 +291,20 @@ } /* If impossible type conversion */ - if (!sample_casts[prev_type][conv->in_type]) { + if (!sample_casts[cur_type][conv->in_type]) { memprintf(err, "ACL keyword '%s' : conv method '%s' cannot be applied.", aclkw->kw, ckw); goto out_free_smp; } - prev_type = conv->out_type; + cur_type = conv->out_type; conv_expr = calloc(1, sizeof(struct sample_conv_expr)); if (!conv_expr) goto out_free_smp; LIST_ADDQ(&(smp->conv_exprs), &(conv_expr->list)); conv_expr->conv = conv; + acl_conv_found = 1; if (arg != endw) { int err_arg; @@ -347,6 +350,7 @@ memprintf(err, "%s in ACL expression '%s'", *err, *args); goto out_return; } + cur_type = smp_expr_output_type(smp); } expr = (struct acl_expr *)calloc(1, sizeof(*expr)); @@ -357,38 +361,26 @@ pattern_init_head(&expr->pat); - expr->kw = aclkw ? aclkw->kw : smp->fetch->kw; - expr->pat.parse = aclkw ? aclkw->parse : NULL; - expr->pat.index = aclkw ? aclkw->index : NULL; - expr->pat.match = aclkw ? aclkw->match : NULL; - expr->pat.delete = aclkw ? aclkw->delete : NULL; - expr->pat.prune = aclkw ? aclkw->prune : NULL; - expr->pat.expect_type = smp->fetch->out_type; - expr->smp = smp; - smp = NULL; - - /* Fill NULL pointers with values provided by the pattern.c arrays */ - if (aclkw) { - if (!expr->pat.parse) - expr->pat.parse = pat_parse_fcts[aclkw->match_type]; - - if (!expr->pat.index) - expr->pat.index = pat_index_fcts[aclkw->match_type]; - - if (!expr->pat.match) - expr->pat.match = pat_match_fcts[aclkw->match_type]; - - if (!expr->pat.delete) - expr->pat.delete = pat_delete_fcts[aclkw->match_type]; - - if (!expr->pat.prune) - expr->pat.prune = pat_prune_fcts[aclkw->match_type]; + expr->pat.expect_type = cur_type; + expr->smp = smp; + expr->kw = smp->fetch->kw; + smp = NULL; /* don't free it anymore */ + + if (aclkw && !acl_conv_found) { + expr->kw = aclkw->kw; + expr->pat.parse = aclkw->parse ? aclkw->parse : pat_parse_fcts[aclkw->match_type]; + expr->pat.index = aclkw->index ? aclkw->index : pat_index_fcts[aclkw->match_type]; + expr->pat.match = aclkw->match ? aclkw->match : pat_match_fcts[aclkw->match_type]; + expr->pat.delete = aclkw->delete ? aclkw->delete : pat_delete_fcts[aclkw->match_type]; + expr->pat.prune = aclkw->prune ? aclkw->prune : pat_prune_fcts[aclkw->match_type]; } if (!expr->pat.parse) { - /* some types can be automatically converted */ - - switch (expr->smp ? expr->smp->fetch->out_type : aclkw->smp->out_type) { + /* Parse/index/match functions depend on the expression type, + * so we have to map them now. Some types can be automatically + * converted. + */ + switch (cur_type) { case SMP_T_BOOL: expr->pat.parse = pat_parse_fcts[PAT_MATCH_BOOL]; expr->pat.index = pat_index_fcts[PAT_MATCH_BOOL]; @@ -427,7 +419,6 @@ } /* Additional check to protect against common mistakes */ - cur_type = smp_expr_output_type(expr->smp); if (expr->pat.parse && cur_type != SMP_T_BOOL && !*args[1]) { Warning("parsing acl keyword '%s' :\n" " no pattern to match against were provided, so this ACL will never match.\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/auth.c new/haproxy-1.5.4/src/auth.c --- old/haproxy-1.5.3/src/auth.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/auth.c 2014-09-02 13:54:16.000000000 +0200 @@ -252,7 +252,7 @@ fprintf(stderr, ", crypt=%s\n", ep); #endif - if (!strcmp(ep, u->pass)) + if (ep && strcmp(ep, u->pass) == 0) return 1; else return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/cfgparse.c new/haproxy-1.5.4/src/cfgparse.c --- old/haproxy-1.5.3/src/cfgparse.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/cfgparse.c 2014-09-02 13:54:16.000000000 +0200 @@ -10,6 +10,16 @@ * */ +#ifdef CONFIG_HAP_CRYPT +/* This is to have crypt() defined on Linux */ +#define _GNU_SOURCE + +#ifdef NEED_CRYPT_H +/* some platforms such as Solaris need this */ +#include <crypt.h> +#endif +#endif /* CONFIG_HAP_CRYPT */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -5689,7 +5699,14 @@ while (*args[cur_arg]) { if (!strcmp(args[cur_arg], "password")) { -#ifndef CONFIG_HAP_CRYPT +#ifdef CONFIG_HAP_CRYPT + if (!crypt("", args[cur_arg + 1])) { + Alert("parsing [%s:%d]: the encrypted password used for user '%s' is not supported by crypt(3).\n", + file, linenum, newuser->user); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } +#else Warning("parsing [%s:%d]: no crypt(3) support compiled, encrypted passwords will not work.\n", file, linenum); err_code |= ERR_ALERT; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/connection.c new/haproxy-1.5.4/src/connection.c --- old/haproxy-1.5.3/src/connection.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/connection.c 2014-09-02 13:54:16.000000000 +0200 @@ -678,9 +678,11 @@ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value); ssl_tlv_len += tlv_len; } - if (ssl_sock_get_cert_used(remote)) { - tlv->client |= PP2_CLIENT_CERT; + if (ssl_sock_get_cert_used_sess(remote)) { + tlv->client |= PP2_CLIENT_CERT_SESS; tlv->verify = htonl(ssl_sock_get_verify_result(remote)); + if (ssl_sock_get_cert_used_conn(remote)) + tlv->client |= PP2_CLIENT_CERT_CONN; } if (srv->pp_opts & SRV_PP_V2_SSL_CN) { cn_trash = get_trash_chunk(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/haproxy-systemd-wrapper.c new/haproxy-1.5.4/src/haproxy-systemd-wrapper.c --- old/haproxy-1.5.3/src/haproxy-systemd-wrapper.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/haproxy-systemd-wrapper.c 2014-09-02 13:54:16.000000000 +0200 @@ -130,11 +130,8 @@ static void init(int argc, char **argv) { while (argc > 1) { - if (**argv == '-') { - char *flag = *argv + 1; - --argc; ++argv; - if (*flag == 'p') - pid_file = *argv; + if ((*argv)[0] == '-' && (*argv)[1] == 'p') { + pid_file = *(argv + 1); } --argc; ++argv; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/pattern.c new/haproxy-1.5.4/src/pattern.c --- old/haproxy-1.5.3/src/pattern.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/pattern.c 2014-09-02 13:54:16.000000000 +0200 @@ -178,19 +178,15 @@ * * These functions are exported and may be used by any other component. * - * The following functions are used for parsing pattern matching - * input value. The <text> contain the string to be parsed. <pattern> - * must be a preallocated pattern. The pat_parse_* functions fill this - * structure with the parsed value. <usage> can be PAT_U_COMPILE or - * PAT_U_LOOKUP. If the value PAT_U_COMPILE is used memory is allocated - * for filling the pattern. If the value PAT_U_LOOKUP is set, the parser - * use "trash" or return pointers to the input strings. In both cases, - * the caller must use the value PAT_U_LOOKUP with caution. <err> is - * filled with an error message built with memprintf() function. - * - * In succes case, the pat_parse_* function return 1. If the function - * fail, it returns 0 and <err> is filled. + * The following functions are used for parsing pattern matching input value. + * The <text> contain the string to be parsed. <pattern> must be a preallocated + * pattern. The pat_parse_* functions fill this structure with the parsed value. + * <err> is filled with an error message built with memprintf() function. It is + * allowed to use a trash as a temporary storage for the returned pattern, as + * the next call after these functions will be pat_idx_*. * + * In success case, the pat_parse_* function returns 1. If the function + * fails, it returns 0 and <err> is filled. */ /* ignore the current line */ @@ -223,17 +219,7 @@ /* Parse a regex. It is allocated. */ int pat_parse_reg(const char *text, struct pattern *pattern, int mflags, char **err) { - struct chunk *trash; - - trash = get_trash_chunk(); - if (trash->size < sizeof(*pattern->ptr.reg)) { - memprintf(err, "no space avalaible in the buffer. expect %d, provides %d", - (int)sizeof(*pattern->ptr.reg), trash->size); - return 0; - } - pattern->ptr.str = (char *)text; - return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/proto_http.c new/haproxy-1.5.4/src/proto_http.c --- old/haproxy-1.5.3/src/proto_http.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/proto_http.c 2014-09-02 13:54:16.000000000 +0200 @@ -4117,8 +4117,9 @@ done: /* done with this analyser, continue with next ones that the calling * points will have set, if any. */ - req->analysers &= ~an_bit; req->analyse_exp = TICK_ETERNITY; + done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */ + req->analysers &= ~an_bit; return 1; tarpit: @@ -4144,7 +4145,7 @@ s->be->be_counters.denied_req++; if (s->listener->counters) s->listener->counters->denied_req++; - goto done; + goto done_without_exp; deny: /* this request was blocked (denied) */ txn->flags |= TX_CLDENY; @@ -4885,8 +4886,8 @@ s->req->cons->conn_retries = 0; /* used for logging too */ s->req->cons->exp = TICK_ETERNITY; s->req->cons->flags &= SI_FL_DONT_WAKE; /* we're in the context of process_session */ - s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT); - s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT); + s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT|CF_WROTE_DATA); + s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT|CF_WROTE_DATA); s->flags &= ~(SN_DIRECT|SN_ASSIGNED|SN_ADDR_SET|SN_BE_ASSIGNED|SN_FORCE_PRST|SN_IGNORE_PRST); s->flags &= ~(SN_CURR_SESS|SN_REDIRECTABLE|SN_SRV_REUSED); @@ -5429,7 +5430,7 @@ * such as last chunk of data or trailers. */ b_adv(req->buf, msg->next); - if (unlikely(!(s->rep->flags & CF_READ_ATTACHED))) + if (unlikely(!(s->req->flags & CF_WROTE_DATA))) msg->sov -= msg->next; msg->next = 0; @@ -5481,7 +5482,7 @@ missing_data: /* we may have some pending data starting at req->buf->p */ b_adv(req->buf, msg->next); - if (unlikely(!(s->rep->flags & CF_READ_ATTACHED))) + if (unlikely(!(s->req->flags & CF_WROTE_DATA))) msg->sov -= msg->next + MIN(msg->chunk_len, req->buf->i); msg->next = 0; @@ -9281,8 +9282,8 @@ cur_arg = 1; if (!*args[cur_arg] || !*args[cur_arg+1] || !*args[cur_arg+2] || - (*args[cur_arg+3] && strcmp(args[cur_arg+2], "if") != 0 && strcmp(args[cur_arg+2], "unless") != 0)) { - Alert("parsing [%s:%d]: 'http-request %s' expects exactly 3 arguments.\n", + (*args[cur_arg+3] && strcmp(args[cur_arg+3], "if") != 0 && strcmp(args[cur_arg+3], "unless") != 0)) { + Alert("parsing [%s:%d]: 'http-response %s' expects exactly 3 arguments.\n", file, linenum, args[0]); goto out_err; } @@ -9770,20 +9771,13 @@ static int pat_parse_meth(const char *text, struct pattern *pattern, int mflags, char **err) { int len, meth; - struct chunk *trash; len = strlen(text); meth = find_http_meth(text, len); pattern->val.i = meth; if (meth == HTTP_METH_OTHER) { - trash = get_trash_chunk(); - if (trash->size < len) { - memprintf(err, "no space avalaible in the buffer. expect %d, provides %d", - len, trash->size); - return 0; - } - pattern->ptr.str = trash->str; + pattern->ptr.str = (char *)text; pattern->len = len; } else { @@ -9848,8 +9842,8 @@ continue; icase = expr->mflags & PAT_MF_IGNORE_CASE; - if ((icase && strncasecmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) != 0) || - (!icase && strncmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) != 0)) + if ((icase && strncasecmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) == 0) || + (!icase && strncmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) == 0)) return pattern; } return NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/proto_tcp.c new/haproxy-1.5.4/src/proto_tcp.c --- old/haproxy-1.5.3/src/proto_tcp.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/proto_tcp.c 2014-09-02 13:54:16.000000000 +0200 @@ -1048,8 +1048,8 @@ t = rule->act_prm.trk_ctr.table.t; key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp); - if (smp.flags & SMP_F_MAY_CHANGE) - goto missing_data; + if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL)) + goto missing_data; /* key might appear later */ if (key && (ts = stktable_get_entry(t, key))) { session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/sample.c new/haproxy-1.5.4/src/sample.c --- old/haproxy-1.5.3/src/sample.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/sample.c 2014-09-02 13:54:16.000000000 +0200 @@ -896,6 +896,18 @@ * Note: the fetch functions are required to properly set the return type. The * conversion functions must do so too. However the cast functions do not need * to since they're made to cast mutiple types according to what is required. + * + * The caller may indicate in <opt> if it considers the result final or not. + * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify + * if the result is stable or not, according to the following table : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present yet, could change (eg: POST param) + * NULL 1 1 Not present yet, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 Present, may change (eg: request length) + * smp 1 1 Present, last known value (eg: request length) */ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -1153,7 +1165,16 @@ * and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is * with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to * take actions (eg: wait longer). If a sample could not be found or could not - * be converted, NULL is returned. + * be converted, NULL is returned. The caller MUST NOT use the sample if the + * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is + * still hope to get it after waiting longer, and is not converted to string. + * The possible output combinations are the following : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL * * Not present and will never be (eg: header) + * smp 0 * Final value converted (eg: header) + * smp 1 0 Not present yet, may appear later (eg: header) + * smp 1 1 never happens (either flag is cleared on output) */ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/ssl_sock.c new/haproxy-1.5.4/src/ssl_sock.c --- old/haproxy-1.5.3/src/ssl_sock.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/ssl_sock.c 2014-09-02 13:54:16.000000000 +0200 @@ -2720,8 +2720,25 @@ return result; } -/* returns 1 if client passed a certificate, 0 if not */ -int ssl_sock_get_cert_used(struct connection *conn) +/* returns 1 if client passed a certificate for this session, 0 if not */ +int ssl_sock_get_cert_used_sess(struct connection *conn) +{ + X509 *crt = NULL; + + if (!ssl_sock_is_ssl(conn)) + return 0; + + /* SSL_get_peer_certificate, it increase X509 * ref count */ + crt = SSL_get_peer_certificate(conn->xprt_ctx); + if (!crt) + return 0; + + X509_free(crt); + return 1; +} + +/* returns 1 if client passed a certificate for this connection, 0 if not */ +int ssl_sock_get_cert_used_conn(struct connection *conn) { if (!ssl_sock_is_ssl(conn)) return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/stick_table.c new/haproxy-1.5.4/src/stick_table.c --- old/haproxy-1.5.3/src/stick_table.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/stick_table.c 2014-09-02 13:54:16.000000000 +0200 @@ -603,7 +603,16 @@ * no key could be extracted, or a pointer to the converted result stored in * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset * and its flags will be initialized so that the caller gets a copy of the input - * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present). + * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present + * without SMP_OPT_FINAL). The output will be usable like this : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present or unstable, could change (eg: req_len) + * NULL 1 1 Not present, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 not possible + * smp 1 1 Present, last known value (eg: request length) */ struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr, struct sample *smp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/stream_interface.c new/haproxy-1.5.4/src/stream_interface.c --- old/haproxy-1.5.3/src/stream_interface.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/stream_interface.c 2014-09-02 13:54:16.000000000 +0200 @@ -658,7 +658,7 @@ if (chn->pipe && conn->xprt->snd_pipe) { ret = conn->xprt->snd_pipe(conn, chn->pipe); if (ret > 0) - chn->flags |= CF_WRITE_PARTIAL; + chn->flags |= CF_WRITE_PARTIAL | CF_WROTE_DATA; if (!chn->pipe->data) { put_pipe(chn->pipe); @@ -702,7 +702,7 @@ ret = conn->xprt->snd_buf(conn, chn->buf, send_flag); if (ret > 0) { - chn->flags |= CF_WRITE_PARTIAL; + chn->flags |= CF_WRITE_PARTIAL | CF_WROTE_DATA; if (!chn->buf->o) { /* Always clear both flags once everything has been sent, they're one-shot */ -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit python-dfVFS for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package python-dfVFS for openSUSE:Factory checked in at 2014-09-06 12:18:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-dfVFS (Old) and /work/SRC/openSUSE:Factory/.python-dfVFS.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-dfVFS" Changes: -------- --- /work/SRC/openSUSE:Factory/python-dfVFS/python-dfVFS.changes 2014-08-27 07:46:08.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python-dfVFS.new/python-dfVFS.changes 2014-09-06 12:18:13.000000000 +0200 @@ -5,0 +6,2 @@ +- add Requires libvmdk since it is now in OBS +- add Requires libvhdi since it is now in OBS ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-dfVFS.spec ++++++ --- /var/tmp/diff_new_pack.ua2DKS/_old 2014-09-06 12:18:15.000000000 +0200 +++ /var/tmp/diff_new_pack.ua2DKS/_new 2014-09-06 12:18:15.000000000 +0200 @@ -35,10 +35,10 @@ Requires: pysmdev Requires: pytsk Requires: pyvshadow +Requires: pysmraw +Requires: pyvmdk +Requires: pyvhdi Requires: python-construct -Requires: python-libsmraw -# BuildRequires: libvhdi -# BuildRequires: libvmdk Requires: python-protobuf Requires: python-six BuildRoot: %{_tmppath}/%{name}-%{version}-build -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libvirt-cim for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package libvirt-cim for openSUSE:Factory checked in at 2014-09-06 12:18:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt-cim (Old) and /work/SRC/openSUSE:Factory/.libvirt-cim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt-cim" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt-cim/libvirt-cim.changes 2014-02-26 06:58:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvirt-cim.new/libvirt-cim.changes 2014-09-06 12:18:12.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Sep 3 01:48:48 CEST 2014 - ro(a)suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt-cim.spec ++++++ --- /var/tmp/diff_new_pack.k4dgyI/_old 2014-09-06 12:18:13.000000000 +0200 +++ /var/tmp/diff_new_pack.k4dgyI/_new 2014-09-06 12:18:13.000000000 +0200 @@ -46,7 +46,7 @@ Group: System/Management AutoReqProv: yes Version: 0.6.3 -Release: 0.<RELEASE2> +Release: 0 Summary: CMPI-based CIM provider implementing DMTF SVPC model Source: %{name}-%{version}.tar.bz2 Source1: libvirt-cim-rpmlintrc -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit csindex for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package csindex for openSUSE:Factory checked in at 2014-09-06 12:18:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/csindex (Old) and /work/SRC/openSUSE:Factory/.csindex.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "csindex" Changes: -------- --- /work/SRC/openSUSE:Factory/csindex/csindex.changes 2012-05-14 16:12:18.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.csindex.new/csindex.changes 2014-09-06 12:18:11.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Sep 2 12:28:55 UTC 2014 - coolo(a)suse.com + +- fix license for spdx 1.2 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ csindex.spec ++++++ --- /var/tmp/diff_new_pack.9MOM70/_old 2014-09-06 12:18:12.000000000 +0200 +++ /var/tmp/diff_new_pack.9MOM70/_new 2014-09-06 12:18:12.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package csindex # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,17 +16,16 @@ # - Name: csindex -License: SUSE-MakeIndex Summary: Utility for creating Czech or Slovak Sorted LaTeX Index Files +License: MakeIndex +Group: Productivity/Publishing/TeX/Utilities Version: 19980713 -Release: 655 +Release: 0 Source: %{name}-%{version}.tar.bz2 Source1: COPYING Url: ftp://ftp.fi.muni.cz/pub/localization/csindex/ Patch: %{name}-%{version}.dif -Group: Productivity/Publishing/TeX/Utilities BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit tgt for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package tgt for openSUSE:Factory checked in at 2014-09-06 12:18:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tgt (Old) and /work/SRC/openSUSE:Factory/.tgt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tgt" Changes: -------- --- /work/SRC/openSUSE:Factory/tgt/tgt.changes 2014-05-21 16:31:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tgt.new/tgt.changes 2014-09-06 12:18:10.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Sep 2 19:34:55 CEST 2014 - mls(a)suse.de + +- support ppc64le + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tgt.spec ++++++ --- /var/tmp/diff_new_pack.fNUtq4/_old 2014-09-06 12:18:11.000000000 +0200 +++ /var/tmp/diff_new_pack.fNUtq4/_new 2014-09-06 12:18:11.000000000 +0200 @@ -61,7 +61,7 @@ %patch3 -p1 %build -%ifarch ppc ppc64 +%ifarch ppc ppc64 ppc64le %define backends ISCSI=1 FCP=1 FCOE=1 IBMVIO=1 %else %define backends ISCSI=1 FCP=1 FCOE=1 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit twilio-utils for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package twilio-utils for openSUSE:Factory checked in at 2014-09-06 12:18:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/twilio-utils (Old) and /work/SRC/openSUSE:Factory/.twilio-utils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "twilio-utils" Changes: -------- --- /work/SRC/openSUSE:Factory/twilio-utils/twilio-utils.changes 2013-09-23 16:05:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.twilio-utils.new/twilio-utils.changes 2014-09-06 12:18:09.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Sep 2 13:30:51 UTC 2014 - archie(a)dellroad.org + +- Fix logger(1) dependency on openSUSE > 13.1 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ twilio-utils.spec ++++++ --- /var/tmp/diff_new_pack.EgMkjj/_old 2014-09-06 12:18:10.000000000 +0200 +++ /var/tmp/diff_new_pack.EgMkjj/_new 2014-09-06 12:18:10.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package twilio-utils # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright 2013 Archie L. Cobbs <archie(a)dellroad.org> # # All modifications and additions to the file contributed by third parties @@ -35,13 +35,18 @@ BuildRequires: libxslt-tools BuildRequires: make BuildRequires: php5 -BuildRequires: util-linux BuildRequires: xmlstarlet Requires: curl >= 7.18 Requires: libxslt-tools Requires: php5 -Requires: util-linux Requires: xmlstarlet +%if %suse_version < 1320 +BuildRequires: util-linux +Requires: util-linux +%else +BuildRequires: util-linux-systemd +Requires: util-linux-systemd +%endif %description The twilio-utils project contains a few UNIX command-line utilities -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit python-pygit2 for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package python-pygit2 for openSUSE:Factory checked in at 2014-09-06 12:18:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pygit2 (Old) and /work/SRC/openSUSE:Factory/.python-pygit2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-pygit2" Changes: -------- --- /work/SRC/openSUSE:Factory/python-pygit2/python-pygit2.changes 2013-12-10 20:06:44.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.python-pygit2.new/python-pygit2.changes 2014-09-06 12:18:08.000000000 +0200 @@ -1,0 +2,37 @@ +Tue Sep 2 18:20:17 UTC 2014 - p.drouand(a)gmail.com + +- Update to version 0.20.2 + + Fix regression with Python 2, ``IndexEntry.path`` returns str + (bytes in Python 2 and unicode in Python 3) + + Get back ``IndexEntry.oid`` for backwards compatibility + + Config, iterate over the keys (instead of the key/value pairs) + `#395 <https://github.com/libgit2/pygit2/pull/395>`_ + + ``Diff.find_similar`` supports new threshold arguments + `#396 <https://github.com/libgit2/pygit2/pull/396>`_ + + Optimization, do not load the object when expanding an oid prefix + `#397 <https://github.com/libgit2/pygit2/pull/397>`_ +- Changes from version 0.20.1 + + Install fix + `#382 <https://github.com/libgit2/pygit2/pull/382>`_ + + Documentation improved, including + `#383 <https://github.com/libgit2/pygit2/pull/383>`_ + `#385 <https://github.com/libgit2/pygit2/pull/385>`_ + `#388 <https://github.com/libgit2/pygit2/pull/388>`_ + + Documentation, use the read-the-docs theme + `#387 <https://github.com/libgit2/pygit2/pull/387>`_ + + Coding style improvements + `#392 <https://github.com/libgit2/pygit2/pull/392>`_ + + New ``Repository.state_cleanup()`` + `#386 <https://github.com/libgit2/pygit2/pull/386>`_ + + New ``Index.conflicts`` + `#345 <https://github.com/libgit2/pygit2/issues/345>`_ + `#389 <https://github.com/libgit2/pygit2/pull/389>`_ + + New checkout option to define the target directory + `#390 <https://github.com/libgit2/pygit2/pull/390>`_ +- Fix build +- Remove python_sitelib definition; pygit2 is arch dependant +- Add python-cffi and python-unittest2 requirements; new + dependencies +- Disable tests; network is now needed for launching them + +------------------------------------------------------------------- Old: ---- pygit2-0.20.0.tar.gz New: ---- pygit2-0.21.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pygit2.spec ++++++ --- /var/tmp/diff_new_pack.Ops1Qh/_old 2014-09-06 12:18:09.000000000 +0200 +++ /var/tmp/diff_new_pack.Ops1Qh/_new 2014-09-06 12:18:09.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-pygit2 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: python-pygit2 -Version: 0.20.0 +Version: 0.21.2 Release: 0 Url: http://github.com/dborowitz/pygit2 Summary: Python bindings for libgit2 @@ -26,11 +26,11 @@ Source: http://pypi.python.org/packages/source/p/pygit2/pygit2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libgit2-devel +BuildRequires: python-cffi BuildRequires: python-devel +#BuildRequires: python-unittest2 BuildRequires: libopenssl-devel -%if 0%{?suse_version} && 0%{?suse_version} <= 1110 -%{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} -%endif +Requires: python-cffi %description Bindings for libgit2, a linkable C library for the Git version-control system. @@ -48,7 +48,7 @@ python setup.py install --prefix=%{_prefix} --root=%{buildroot} %check -python setup.py test +#python setup.py test %files %defattr(-,root,root,-) ++++++ pygit2-0.20.0.tar.gz -> pygit2-0.21.2.tar.gz ++++++ ++++ 12546 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit netcdf for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package netcdf for openSUSE:Factory checked in at 2014-09-06 12:18:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netcdf (Old) and /work/SRC/openSUSE:Factory/.netcdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "netcdf" Changes: -------- --- /work/SRC/openSUSE:Factory/netcdf/netcdf.changes 2014-05-21 16:19:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.netcdf.new/netcdf.changes 2014-09-06 12:18:07.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Sep 2 12:31:13 UTC 2014 - coolo(a)suse.com + +- fix license for spdx 1.2 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netcdf.spec ++++++ --- /var/tmp/diff_new_pack.ithKH9/_old 2014-09-06 12:18:08.000000000 +0200 +++ /var/tmp/diff_new_pack.ithKH9/_new 2014-09-06 12:18:08.000000000 +0200 @@ -20,7 +20,7 @@ Name: netcdf Summary: Libraries for the Unidata network Common Data Form -License: SUSE-NetCDF +License: NetCDF Group: System/Libraries Version: 4.3.2 Release: 0 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit netcdf-cxx for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package netcdf-cxx for openSUSE:Factory checked in at 2014-09-06 12:17:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netcdf-cxx (Old) and /work/SRC/openSUSE:Factory/.netcdf-cxx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "netcdf-cxx" Changes: -------- --- /work/SRC/openSUSE:Factory/netcdf-cxx/netcdf-cxx.changes 2012-06-28 15:38:14.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.netcdf-cxx.new/netcdf-cxx.changes 2014-09-06 12:18:05.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Sep 2 12:31:43 UTC 2014 - coolo(a)suse.com + +- fix license for spdx 1.2 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netcdf-cxx.spec ++++++ --- /var/tmp/diff_new_pack.LZZbNL/_old 2014-09-06 12:18:06.000000000 +0200 +++ /var/tmp/diff_new_pack.LZZbNL/_new 2014-09-06 12:18:06.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package netcdf-cxx # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ Version: 4.2 Release: 0 Summary: Old C++ library for the Unidata network Common Data Form -License: SUSE-NetCDF +License: NetCDF Group: System/Libraries Url: http://www.unidata.ucar.edu/software/netcdf/ Source0: http://www.unidata.ucar.edu/downloads/netcdf/ftp/netcdf-cxx-%{version}.tar.… -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libregf for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package libregf for openSUSE:Factory checked in at 2014-09-06 12:17:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libregf (Old) and /work/SRC/openSUSE:Factory/.libregf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libregf" Changes: -------- --- /work/SRC/openSUSE:Factory/libregf/libregf.changes 2014-08-18 11:23:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libregf.new/libregf.changes 2014-09-06 12:18:04.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Aug 26 17:17:16 UTC 2014 - Greg.Freemyer(a)gmail.com + +- add these 2 lines to python sub-project to ensure proper syncronization between versions + * Requires: %lname = %version + * Provides: pyregf = %version + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libregf.spec ++++++ --- /var/tmp/diff_new_pack.5BGVPw/_old 2014-09-06 12:18:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5BGVPw/_new 2014-09-06 12:18:05.000000000 +0200 @@ -93,7 +93,9 @@ Summary: Python bindings for libregf, a library to access Windows REGF Registry files License: LGPL-3.0+ Group: Development/Libraries/Python +Requires: %lname = %version Requires: python +Provides: pyregf = %version %description -n python-%{name} libregf is a library to access Windows Registry files of the REGF -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libmsiecf for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package libmsiecf for openSUSE:Factory checked in at 2014-09-06 12:17:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libmsiecf (Old) and /work/SRC/openSUSE:Factory/.libmsiecf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libmsiecf" Changes: -------- --- /work/SRC/openSUSE:Factory/libmsiecf/libmsiecf.changes 2014-08-18 11:23:59.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libmsiecf.new/libmsiecf.changes 2014-09-06 12:18:03.000000000 +0200 @@ -1,0 +2,6 @@ +Tue Aug 26 16:56:24 UTC 2014 - Greg.Freemyer(a)gmail.com + +- add these 2 lines to python sub-project to ensure proper syncronization between versions + * Provides: pyevt = %version + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmsiecf.spec ++++++ --- /var/tmp/diff_new_pack.U4KEsC/_old 2014-09-06 12:18:04.000000000 +0200 +++ /var/tmp/diff_new_pack.U4KEsC/_new 2014-09-06 12:18:04.000000000 +0200 @@ -87,6 +87,7 @@ Group: Development/Libraries/Python Requires: %lname = %version Requires: python +Provides: pymsiecf = %version %description -n python-%name Python bindings for libmsiecf, which can read MS IE cache files. -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit liblnk for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package liblnk for openSUSE:Factory checked in at 2014-09-06 12:17:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/liblnk (Old) and /work/SRC/openSUSE:Factory/.liblnk.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "liblnk" Changes: -------- --- /work/SRC/openSUSE:Factory/liblnk/liblnk.changes 2014-08-14 14:58:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.liblnk.new/liblnk.changes 2014-09-06 12:18:02.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Aug 26 16:54:30 UTC 2014 - Greg.Freemyer(a)gmail.com + +- add these 2 lines to python sub-project to ensure proper syncronization between versions + * Requires: %lname = %version + * Provides: pylnk = %version + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ liblnk.spec ++++++ --- /var/tmp/diff_new_pack.exOxsw/_old 2014-09-06 12:18:03.000000000 +0200 +++ /var/tmp/diff_new_pack.exOxsw/_new 2014-09-06 12:18:03.000000000 +0200 @@ -83,7 +83,9 @@ Summary: Python bindings for liblnk, a Windows Shortcut Link parser License: LGPL-3.0+ Group: Development/Libraries/Python +Requires: %lname = %version Requires: python +Provides: pylnk = %version %description -n python-%name Python binding for liblnk, which can read Windows Shortcut Link files. -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libevt for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package libevt for openSUSE:Factory checked in at 2014-09-06 12:17:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libevt (Old) and /work/SRC/openSUSE:Factory/.libevt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libevt" Changes: -------- --- /work/SRC/openSUSE:Factory/libevt/libevt.changes 2014-08-15 09:55:49.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libevt.new/libevt.changes 2014-09-06 12:18:01.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Aug 26 16:34:59 UTC 2014 - Greg.Freemyer(a)gmail.com + +- add these 2 lines to python sub-project to ensure proper syncronization between versions + * Requires: %lname = %version + * Provides: pyevt = %version + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libevt.spec ++++++ --- /var/tmp/diff_new_pack.XB6dTw/_old 2014-09-06 12:18:02.000000000 +0200 +++ /var/tmp/diff_new_pack.XB6dTw/_new 2014-09-06 12:18:02.000000000 +0200 @@ -100,7 +100,9 @@ Summary: Python bindings for libevt, a Windows event file parser License: LGPL-3.0+ Group: Development/Libraries/Python +Requires: %lname = %version Requires: python +Provides: pyevt = %version %description -n python-%name Python bindings for libevt, which can read Windows event files. -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit wicked for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package wicked for openSUSE:Factory checked in at 2014-09-06 12:17:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wicked (Old) and /work/SRC/openSUSE:Factory/.wicked.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "wicked" Changes: -------- --- /work/SRC/openSUSE:Factory/wicked/wicked.changes 2014-09-03 21:18:11.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.wicked.new/wicked.changes 2014-09-06 12:17:57.000000000 +0200 @@ -1,0 +2,25 @@ +Fri Sep 5 15:14:37 UTC 2014 - mt(a)suse.de + +- version 0.6.5 +- nanny: fixed to reset on rearm and to hotplug bonding slaves + (bnc#884012,bnc#880515) + +------------------------------------------------------------------- +Wed Sep 3 22:34:51 UTC 2014 - mt(a)suse.de + +- version 0.6.4 +- dhcp6: changed --test to request in auto mode, recheck RA + and try to start on new device-change events (bnc#889981) +- address: enable events in wickedd and expose flags to make + them visible and up-to-date in ifstatus (bnc#889981) +- nanny: reset/rearm on enable/disable, do not arm at all + when the use-nanny is false (bnc#891045) +- leases: intrinsic lease installation hook improvements as + preparation for PPPoE support (bnc#865573) +- dhcp4: do not release and remove lease without request + (DHCLIENT_RELEASE_BEFORE_QUIT), randomized startup delay + (DHCLIENT_SLEEP) if enabled, handle defer timeout to stop + client waiting at ifup (DHCLIENT_WAIT_AT_BOOT), rebind and + reboot state fixes (bnc#866994) + +------------------------------------------------------------------- Old: ---- wicked-0.6.3.tar.bz2 New: ---- wicked-0.6.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wicked.spec ++++++ --- /var/tmp/diff_new_pack.w7nBtW/_old 2014-09-06 12:17:58.000000000 +0200 +++ /var/tmp/diff_new_pack.w7nBtW/_new 2014-09-06 12:17:58.000000000 +0200 @@ -18,7 +18,7 @@ %define release_prefix %{?snapshot:%{snapshot}}%{!?snapshot:0} Name: wicked -Version: 0.6.3 +Version: 0.6.5 Release: %{release_prefix}.0.0 Summary: Network configuration infrastructure License: GPL-2.0 ++++++ wicked-0.6.3.tar.bz2 -> wicked-0.6.5.tar.bz2 ++++++ ++++ 2870 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit xen for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2014-09-06 12:17:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2014-08-20 17:53:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2014-09-06 12:17:50.000000000 +0200 @@ -1,0 +2,41 @@ +Thu Sep 4 17:01:24 CST 2014 - cyliu(a)suse.com + +- bnc#882405 - Only one key-press event was generated while holding + a key before key-release in pv guests through xl vncviewer + tigervnc-long-press.patch + +------------------------------------------------------------------- +Tue Sep 2 09:01:24 MDT 2014 - carnold(a)suse.com + +- Update to Xen Version 4.4.1 FCS + xen-4.4.1-testing-src.tar.bz2 +- Dropped patches now contained in tarball + 53d7b781-x86-cpu-undo-BIOS-CPUID-max_leaf-limit-earlier.patch + 53df71c7-lz4-check-for-underruns.patch + 53e47d6b-x86_emulate-properly-do-IP-updates-and-other-side-effects.patch + +------------------------------------------------------------------- +Mon Sep 1 15:20:20 MDT 2014 - carnold(a)suse.com + +- bnc#882089 - Windows 2012 R2 fails to boot up with greater than + 60 vcpus + 53df727b-x86-HVM-extend-LAPIC-shortcuts-around-P2M-lookups.patch + 53e8be5f-x86-vHPET-use-rwlock-instead-of-simple-one.patch + 53ff3659-x86-consolidate-boolean-inputs-in-hvm-and-p2m.patch + 53ff36ae-x86-hvm-treat-non-insn-fetch-NPF-also-as-read-violations.patch + 53ff36d5-x86-mem_event-deliver-gla-fault-EPT-violation-information.patch + 54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch +- Upstream patches from Jan + 53f737b1-VMX-fix-DebugCtl-MSR-clearing.patch + 53f7386d-x86-irq-process-softirqs-in-irq-keyhandlers.patch + 53ff3716-x86-ats-Disable-Address-Translation-Services-by-default.patch + 53ff3899-x86-NMI-allow-processing-unknown-NMIs-with-watchdog.patch + +------------------------------------------------------------------- +Fri Aug 29 09:25:47 MDT 2014 - carnold(a)suse.com + +- bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun + on invalid state load + CVE-2013-4540-qemu.patch + +------------------------------------------------------------------- Old: ---- 53d7b781-x86-cpu-undo-BIOS-CPUID-max_leaf-limit-earlier.patch 53df71c7-lz4-check-for-underruns.patch 53e47d6b-x86_emulate-properly-do-IP-updates-and-other-side-effects.patch New: ---- 53e8be5f-x86-vHPET-use-rwlock-instead-of-simple-one.patch 53f737b1-VMX-fix-DebugCtl-MSR-clearing.patch 53f7386d-x86-irq-process-softirqs-in-irq-keyhandlers.patch 53ff3659-x86-consolidate-boolean-inputs-in-hvm-and-p2m.patch 53ff36ae-x86-hvm-treat-non-insn-fetch-NPF-also-as-read-violations.patch 53ff36d5-x86-mem_event-deliver-gla-fault-EPT-violation-information.patch 53ff3716-x86-ats-Disable-Address-Translation-Services-by-default.patch 53ff3899-x86-NMI-allow-processing-unknown-NMIs-with-watchdog.patch 54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch CVE-2013-4540-qemu.patch tigervnc-long-press.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.SmKn8C/_old 2014-09-06 12:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.SmKn8C/_new 2014-09-06 12:17:53.000000000 +0200 @@ -21,7 +21,7 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64 %define xvers 4.4 %define xvermaj 4 -%define changeset 28531 +%define changeset 28541 %define xen_build_dir xen-4.4.1-testing # %define with_kmp 0 @@ -153,7 +153,7 @@ %endif %endif -Version: 4.4.1_02 +Version: 4.4.1_04 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) @@ -224,11 +224,17 @@ Patch10: 53aac342-x86-HVM-consolidate-and-sanitize-CR4-guest-reserved-bit-determination.patch Patch11: 53c9151b-Fix-xl-vncviewer-accesses-port-0-by-any-invalid-domid.patch Patch12: 53d124e7-fix-list_domain_details-check-config-data-length-0.patch -Patch13: 53d7b781-x86-cpu-undo-BIOS-CPUID-max_leaf-limit-earlier.patch -Patch14: 53dba447-x86-ACPI-allow-CMOS-RTC-use-even-when-ACPI-says-there-is-none.patch -Patch15: 53df71c7-lz4-check-for-underruns.patch -Patch16: 53df727b-x86-HVM-extend-LAPIC-shortcuts-around-P2M-lookups.patch -Patch17: 53e47d6b-x86_emulate-properly-do-IP-updates-and-other-side-effects.patch +Patch13: 53dba447-x86-ACPI-allow-CMOS-RTC-use-even-when-ACPI-says-there-is-none.patch +Patch14: 53df727b-x86-HVM-extend-LAPIC-shortcuts-around-P2M-lookups.patch +Patch15: 53e8be5f-x86-vHPET-use-rwlock-instead-of-simple-one.patch +Patch16: 53f737b1-VMX-fix-DebugCtl-MSR-clearing.patch +Patch17: 53f7386d-x86-irq-process-softirqs-in-irq-keyhandlers.patch +Patch18: 53ff3659-x86-consolidate-boolean-inputs-in-hvm-and-p2m.patch +Patch19: 53ff36ae-x86-hvm-treat-non-insn-fetch-NPF-also-as-read-violations.patch +Patch20: 53ff36d5-x86-mem_event-deliver-gla-fault-EPT-violation-information.patch +Patch21: 53ff3716-x86-ats-Disable-Address-Translation-Services-by-default.patch +Patch22: 53ff3899-x86-NMI-allow-processing-unknown-NMIs-with-watchdog.patch +Patch23: 54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -239,6 +245,7 @@ Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch Patch258: 0008-e1000-check-buffer-availability.patch +Patch259: CVE-2013-4540-qemu.patch # Our platform specific patches Patch301: xen-destdir.patch Patch302: xen-xmexample.patch @@ -357,6 +364,7 @@ Patch470: qemu-xen-upstream-qdisk-cache-unsafe.patch Patch471: xen-pass-kernel-initrd-to-qemu.patch Patch472: qemu-support-xen-hvm-direct-kernel-boot.patch +Patch473: tigervnc-long-press.patch # Hypervisor and PV driver Patches Patch501: x86-ioapic-ack-default.patch Patch502: x86-cpufreq-report.patch @@ -611,6 +619,12 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 @@ -621,6 +635,7 @@ %patch256 -p1 %patch257 -p1 %patch258 -p1 +%patch259 -p1 # Our platform specific patches %patch301 -p1 %patch302 -p1 @@ -738,6 +753,7 @@ %patch470 -p1 %patch471 -p1 %patch472 -p1 +%patch473 -p1 # Hypervisor and PV driver Patches %patch501 -p1 %patch502 -p1 ++++++ 53df727b-x86-HVM-extend-LAPIC-shortcuts-around-P2M-lookups.patch ++++++ --- /var/tmp/diff_new_pack.SmKn8C/_old 2014-09-06 12:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.SmKn8C/_new 2014-09-06 12:17:53.000000000 +0200 @@ -1,3 +1,5 @@ +References: bnc#882089 + # Commit fd1863847af15c3676348447755e1a1801f9d394 # Date 2014-08-04 13:46:03 +0200 # Author Jan Beulich <jbeulich(a)suse.com> ++++++ 53e8be5f-x86-vHPET-use-rwlock-instead-of-simple-one.patch ++++++ References: bnc#882089 # Commit ded2100990d1688b96c2edc7221887c56c1a8e04 # Date 2014-08-11 15:00:15 +0200 # Author Jan Beulich <jbeulich(a)suse.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/vHPET: use rwlock instead of simple one This namely benefits guests heavily reading the main counter, but not touching the HPET much otherwise. Note that due to the way hpet_get_comparator() works hpet_read() has to special cases reads from the comparator registers and use a write lock there instead of the read one used for all other registers. Signed-off-by: Jan Beulich <jbeulich(a)suse.com> --- a/xen/arch/x86/hvm/hpet.c +++ b/xen/arch/x86/hvm/hpet.c @@ -75,7 +75,7 @@ static inline uint64_t hpet_read_maincounter(HPETState *h) { - ASSERT(spin_is_locked(&h->lock)); + ASSERT(rw_is_locked(&h->lock)); if ( hpet_enabled(h) ) return guest_time_hpet(h) + h->mc_offset; @@ -88,6 +88,8 @@ static uint64_t hpet_get_comparator(HPET uint64_t comparator; uint64_t elapsed; + ASSERT(rw_is_write_locked(&h->lock)); + comparator = h->hpet.comparator64[tn]; if ( timer_is_periodic(h, tn) ) { @@ -172,16 +174,24 @@ static int hpet_read( goto out; } - spin_lock(&h->lock); + result = addr < HPET_Tn_CMP(0) || + ((addr - HPET_Tn_CMP(0)) % (HPET_Tn_CMP(1) - HPET_Tn_CMP(0))) > 7; + if ( result ) + read_lock(&h->lock); + else + write_lock(&h->lock); val = hpet_read64(h, addr); + if ( result ) + read_unlock(&h->lock); + else + write_unlock(&h->lock); + result = val; if ( length != 8 ) result = (val >> ((addr & 7) * 8)) & ((1ULL << (length * 8)) - 1); - spin_unlock(&h->lock); - out: *pval = result; return X86EMUL_OKAY; @@ -190,7 +200,7 @@ static int hpet_read( static void hpet_stop_timer(HPETState *h, unsigned int tn) { ASSERT(tn < HPET_TIMER_NUM); - ASSERT(spin_is_locked(&h->lock)); + ASSERT(rw_is_write_locked(&h->lock)); destroy_periodic_time(&h->pt[tn]); /* read the comparator to get it updated so a read while stopped will * return the expected value. */ @@ -208,7 +218,7 @@ static void hpet_set_timer(HPETState *h, unsigned int oneshot; ASSERT(tn < HPET_TIMER_NUM); - ASSERT(spin_is_locked(&h->lock)); + ASSERT(rw_is_write_locked(&h->lock)); if ( (tn == 0) && (h->hpet.config & HPET_CFG_LEGACY) ) { @@ -289,7 +299,7 @@ static int hpet_write( if ( hpet_check_access_length(addr, length) != 0 ) goto out; - spin_lock(&h->lock); + write_lock(&h->lock); old_val = hpet_read64(h, addr); new_val = val; @@ -448,7 +458,7 @@ static int hpet_write( #undef set_start_timer #undef set_restart_timer - spin_unlock(&h->lock); + write_unlock(&h->lock); out: return X86EMUL_OKAY; @@ -473,7 +483,7 @@ static int hpet_save(struct domain *d, h HPETState *hp = domain_vhpet(d); int rc; - spin_lock(&hp->lock); + write_lock(&hp->lock); /* Write the proper value into the main counter */ hp->hpet.mc64 = hp->mc_offset + guest_time_hpet(hp); @@ -507,7 +517,7 @@ static int hpet_save(struct domain *d, h rec->timers[2].cmp = hp->hpet.comparator64[2]; } - spin_unlock(&hp->lock); + write_unlock(&hp->lock); return rc; } @@ -519,12 +529,12 @@ static int hpet_load(struct domain *d, h uint64_t cmp; int i; - spin_lock(&hp->lock); + write_lock(&hp->lock); /* Reload the HPET registers */ if ( _hvm_check_entry(h, HVM_SAVE_CODE(HPET), HVM_SAVE_LENGTH(HPET), 1) ) { - spin_unlock(&hp->lock); + write_unlock(&hp->lock); return -EINVAL; } @@ -564,7 +574,7 @@ static int hpet_load(struct domain *d, h if ( timer_enabled(hp, i) ) hpet_set_timer(hp, i); - spin_unlock(&hp->lock); + write_unlock(&hp->lock); return 0; } @@ -578,7 +588,7 @@ void hpet_init(struct vcpu *v) memset(h, 0, sizeof(HPETState)); - spin_lock_init(&h->lock); + rwlock_init(&h->lock); h->stime_freq = S_TO_NS; @@ -607,14 +617,14 @@ void hpet_deinit(struct domain *d) int i; HPETState *h = domain_vhpet(d); - spin_lock(&h->lock); + write_lock(&h->lock); if ( hpet_enabled(h) ) for ( i = 0; i < HPET_TIMER_NUM; i++ ) if ( timer_enabled(h, i) ) hpet_stop_timer(h, i); - spin_unlock(&h->lock); + write_unlock(&h->lock); } void hpet_reset(struct domain *d) --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -508,10 +508,10 @@ void pt_adjust_global_vcpu_target(struct pt_adjust_vcpu(&pl_time->vrtc.pt, v); spin_unlock(&pl_time->vrtc.lock); - spin_lock(&pl_time->vhpet.lock); + write_lock(&pl_time->vhpet.lock); for ( i = 0; i < HPET_TIMER_NUM; i++ ) pt_adjust_vcpu(&pl_time->vhpet.pt[i], v); - spin_unlock(&pl_time->vhpet.lock); + write_unlock(&pl_time->vhpet.lock); } --- a/xen/include/asm-x86/hvm/vpt.h +++ b/xen/include/asm-x86/hvm/vpt.h @@ -96,7 +96,7 @@ typedef struct HPETState { uint64_t hpet_to_ns_limit; /* max hpet ticks convertable to ns */ uint64_t mc_offset; struct periodic_time pt[HPET_TIMER_NUM]; - spinlock_t lock; + rwlock_t lock; } HPETState; typedef struct RTCState { ++++++ 53f737b1-VMX-fix-DebugCtl-MSR-clearing.patch ++++++ # Commit dfa625e15f3d6c374637f2bb789e1f444c2781c3 # Date 2014-08-22 14:29:37 +0200 # Author Jan Beulich <jbeulich(a)suse.com> # Committer Jan Beulich <jbeulich(a)suse.com> VMX: fix DebugCtl MSR clearing The previous shortcut was wrong, as it bypassed the necessary vmwrite: All we really want to avoid if the guest writes zero is to add the MSR to the host-load list. Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Acked-by: Kevin Tian <kevin.tian(a)intel.com> --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2170,8 +2170,6 @@ static int vmx_msr_write_intercept(unsig int i, rc = 0; uint64_t supported = IA32_DEBUGCTLMSR_LBR | IA32_DEBUGCTLMSR_BTF; - if ( !msr_content ) - break; if ( msr_content & ~supported ) { /* Perhaps some other bits are supported in vpmu. */ @@ -2191,12 +2189,10 @@ static int vmx_msr_write_intercept(unsig } if ( (rc < 0) || - (vmx_add_host_load_msr(msr) < 0) ) + (msr_content && (vmx_add_host_load_msr(msr) < 0)) ) hvm_inject_hw_exception(TRAP_machine_check, 0); else - { __vmwrite(GUEST_IA32_DEBUGCTL, msr_content); - } break; } ++++++ 53f7386d-x86-irq-process-softirqs-in-irq-keyhandlers.patch ++++++ # Commit e13b3203990706db1313ec2aadd9a30b249ee793 # Date 2014-08-22 14:32:45 +0200 # Author Andrew Cooper <andrew.cooper3(a)citrix.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/irq: process softirqs in irq keyhandlers Large machines with lots of interrupts can trip over the Xen watchdog. Suggested-by: Santosh Jodh <Santosh.Jodh(a)citrix.com> Signed-off-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Tested-by: Santosh Jodh <Santosh.Jodh(a)citrix.com> # Commit bd083922f9e78ed19ef98e7de372e5f568402ed3 # Date 2014-08-26 17:56:52 +0200 # Author Jan Beulich <jbeulich(a)suse.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/IO-APIC: don't process softirqs during early boot Commit e13b320399 ("x86/irq: process softirqs in irq keyhandlers") made this unconditional, but the boot time use of __print_IO_APIC() (when "apic_verbosity=debug" was given) can't tolerate that. Reported-by: Sander Eikelenboom <linux(a)eikelenboom.it> Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Tested-by: Sander Eikelenboom <linux(a)eikelenboom.it> --- a/xen/arch/x86/io_apic.c +++ b/xen/arch/x86/io_apic.c @@ -28,6 +28,7 @@ #include <xen/sched.h> #include <xen/acpi.h> #include <xen/keyhandler.h> +#include <xen/softirq.h> #include <asm/mc146818rtc.h> #include <asm/smp.h> #include <asm/desc.h> @@ -1091,7 +1092,7 @@ static inline void UNEXPECTED_IO_APIC(vo { } -static void /*__init*/ __print_IO_APIC(void) +static void /*__init*/ __print_IO_APIC(bool_t boot) { int apic, i; union IO_APIC_reg_00 reg_00; @@ -1112,6 +1113,9 @@ static void /*__init*/ __print_IO_APIC(v printk(KERN_INFO "testing the IO APIC.......................\n"); for (apic = 0; apic < nr_ioapics; apic++) { + if ( !boot ) + process_pending_softirqs(); + if (!nr_ioapic_entries[apic]) continue; @@ -1215,6 +1219,10 @@ static void /*__init*/ __print_IO_APIC(v printk(KERN_DEBUG "IRQ to pin mappings:\n"); for (i = 0; i < nr_irqs_gsi; i++) { struct irq_pin_list *entry = irq_2_pin + i; + + if ( !boot && !(i & 0x1f) ) + process_pending_softirqs(); + if (entry->pin < 0) continue; printk(KERN_DEBUG "IRQ%d ", irq_to_desc(i)->arch.vector); @@ -1235,12 +1243,12 @@ static void /*__init*/ __print_IO_APIC(v static void __init print_IO_APIC(void) { if (apic_verbosity != APIC_QUIET) - __print_IO_APIC(); + __print_IO_APIC(1); } static void _print_IO_APIC_keyhandler(unsigned char key) { - __print_IO_APIC(); + __print_IO_APIC(0); } static struct keyhandler print_IO_APIC_keyhandler = { .diagnostic = 1, @@ -2454,6 +2462,9 @@ void dump_ioapic_irq_info(void) for ( irq = 0; irq < nr_irqs_gsi; irq++ ) { + if ( !(irq & 0x1f) ) + process_pending_softirqs(); + entry = &irq_2_pin[irq]; if ( entry->pin == -1 ) continue; --- a/xen/arch/x86/irq.c +++ b/xen/arch/x86/irq.c @@ -19,6 +19,7 @@ #include <xen/iommu.h> #include <xen/symbols.h> #include <xen/trace.h> +#include <xen/softirq.h> #include <xsm/xsm.h> #include <asm/msi.h> #include <asm/current.h> @@ -2231,6 +2232,8 @@ static void dump_irqs(unsigned char key) for ( irq = 0; irq < nr_irqs; irq++ ) { + if ( !(irq & 0x1f) ) + process_pending_softirqs(); desc = irq_to_desc(irq); @@ -2284,6 +2287,7 @@ static void dump_irqs(unsigned char key) xfree(ssid); } + process_pending_softirqs(); printk("Direct vector information:\n"); for ( i = FIRST_DYNAMIC_VECTOR; i < NR_VECTORS; ++i ) if ( direct_apic_vector[i] ) ++++++ 53ff3659-x86-consolidate-boolean-inputs-in-hvm-and-p2m.patch ++++++ References: bnc#882089 # Commit 3d4d4f9336159f3f77a7b480ce9984fd3ff7949f # Date 2014-08-28 16:02:01 +0200 # Author Tamas K Lengyel <tamas.lengyel(a)zentific.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86: consolidate boolean inputs in hvm and p2m into a shared bitmap This patch consolidates the boolean input parameters of hvm_hap_nested_page_fault and p2m_mem_access_check into a common bitmap and defines the bitmap members accordingly. Signed-off-by: Tamas K Lengyel <tamas.lengyel(a)zentific.com> Reviewed-by: Jan Beulich <jbeulich(a)suse.com> Acked-by: Kevin Tian <kevin.tian(a)intel.com> Reviewed-by: Tim Deegan <tim(a)xen.org> # Commit 24857896a30105b7947e2cd36d63768054538bbc # Date 2014-09-03 15:06:06 +0200 # Author Andrew Cooper <andrew.cooper3(a)citrix.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/hvm: fix operator precedence bug introduced by 3d4d4f9336 Bitwise or has greater precedence than the ternary operator, making the result of the expression a constant P2M_UNSHARE. Coverity-ID: 1234633 Signed-off-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Don Slutz <dslutz(a)verizon.com> --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1464,12 +1464,8 @@ void hvm_inject_page_fault(int errcode, hvm_inject_trap(&trap); } -int hvm_hap_nested_page_fault(paddr_t gpa, - bool_t gla_valid, - unsigned long gla, - bool_t access_r, - bool_t access_w, - bool_t access_x) +int hvm_hap_nested_page_fault(paddr_t gpa, unsigned long gla, + struct npfec npfec) { unsigned long gfn = gpa >> PAGE_SHIFT; p2m_type_t p2mt; @@ -1498,8 +1494,11 @@ int hvm_hap_nested_page_fault(paddr_t gp * into l1 guest if not fixable. The algorithm is * the same as for shadow paging. */ - rv = nestedhvm_hap_nested_page_fault(v, &gpa, - access_r, access_w, access_x); + + rv = nestedhvm_hap_nested_page_fault(v, &gpa, + npfec.read_access, + npfec.write_access, + npfec.insn_fetch); switch (rv) { case NESTEDHVM_PAGEFAULT_DONE: case NESTEDHVM_PAGEFAULT_RETRY: @@ -1538,47 +1537,49 @@ int hvm_hap_nested_page_fault(paddr_t gp p2m = p2m_get_hostp2m(v->domain); mfn = get_gfn_type_access(p2m, gfn, &p2mt, &p2ma, - P2M_ALLOC | (access_w ? P2M_UNSHARE : 0), NULL); + P2M_ALLOC | (npfec.write_access ? P2M_UNSHARE : 0), + NULL); /* Check access permissions first, then handle faults */ if ( mfn_x(mfn) != INVALID_MFN ) { - int violation = 0; + bool_t violation; + /* If the access is against the permissions, then send to mem_event */ - switch (p2ma) + switch (p2ma) { case p2m_access_n: case p2m_access_n2rwx: default: - violation = access_r || access_w || access_x; + violation = npfec.read_access || npfec.write_access || npfec.insn_fetch; break; case p2m_access_r: - violation = access_w || access_x; + violation = npfec.write_access || npfec.insn_fetch; break; case p2m_access_w: - violation = access_r || access_x; + violation = npfec.read_access || npfec.insn_fetch; break; case p2m_access_x: - violation = access_r || access_w; + violation = npfec.read_access || npfec.write_access; break; case p2m_access_rx: case p2m_access_rx2rw: - violation = access_w; + violation = npfec.write_access; break; case p2m_access_wx: - violation = access_r; + violation = npfec.read_access; break; case p2m_access_rw: - violation = access_x; + violation = npfec.insn_fetch; break; case p2m_access_rwx: + violation = 0; break; } if ( violation ) { - if ( p2m_mem_access_check(gpa, gla_valid, gla, access_r, - access_w, access_x, &req_ptr) ) + if ( p2m_mem_access_check(gpa, gla, npfec, &req_ptr) ) { fall_through = 1; } else { @@ -1594,7 +1595,7 @@ int hvm_hap_nested_page_fault(paddr_t gp * to the mmio handler. */ if ( (p2mt == p2m_mmio_dm) || - (access_w && (p2mt == p2m_ram_ro)) ) + (npfec.write_access && (p2mt == p2m_ram_ro)) ) { put_gfn(p2m->domain, gfn); @@ -1613,7 +1614,7 @@ int hvm_hap_nested_page_fault(paddr_t gp paged = 1; /* Mem sharing: unshare the page and try again */ - if ( access_w && (p2mt == p2m_ram_shared) ) + if ( npfec.write_access && (p2mt == p2m_ram_shared) ) { ASSERT(!p2m_is_nestedp2m(p2m)); sharing_enomem = @@ -1630,7 +1631,7 @@ int hvm_hap_nested_page_fault(paddr_t gp * a large page, we do not change other pages type within that large * page. */ - if ( access_w ) + if ( npfec.write_access ) { paging_mark_dirty(v->domain, mfn_x(mfn)); p2m_change_type(v->domain, gfn, p2m_ram_logdirty, p2m_ram_rw); @@ -1640,7 +1641,7 @@ int hvm_hap_nested_page_fault(paddr_t gp } /* Shouldn't happen: Maybe the guest was writing to a r/o grant mapping? */ - if ( access_w && (p2mt == p2m_grant_map_ro) ) + if ( npfec.write_access && (p2mt == p2m_grant_map_ro) ) { gdprintk(XENLOG_WARNING, "trying to write to read-only grant mapping\n"); --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -1289,7 +1289,7 @@ const struct hvm_function_table * __init } static void svm_do_nested_pgfault(struct vcpu *v, - struct cpu_user_regs *regs, uint32_t npfec, paddr_t gpa) + struct cpu_user_regs *regs, uint32_t pfec, paddr_t gpa) { int ret; unsigned long gfn = gpa >> PAGE_SHIFT; @@ -1298,10 +1298,13 @@ static void svm_do_nested_pgfault(struct p2m_access_t p2ma; struct p2m_domain *p2m = NULL; - ret = hvm_hap_nested_page_fault(gpa, 0, ~0ul, - 1, /* All NPFs count as reads */ - npfec & PFEC_write_access, - npfec & PFEC_insn_fetch); + struct npfec npfec = { + .read_access = 1, /* All NPFs count as reads */ + .write_access = !!(pfec & PFEC_write_access), + .insn_fetch = !!(pfec & PFEC_insn_fetch) + }; + + ret = hvm_hap_nested_page_fault(gpa, ~0ul, npfec); if ( tb_init_done ) { @@ -1329,7 +1332,7 @@ static void svm_do_nested_pgfault(struct case -1: ASSERT(nestedhvm_enabled(v->domain) && nestedhvm_vcpu_in_guestmode(v)); /* inject #VMEXIT(NPF) into guest. */ - nestedsvm_vmexit_defer(v, VMEXIT_NPF, npfec, gpa); + nestedsvm_vmexit_defer(v, VMEXIT_NPF, pfec, gpa); return; } --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2278,6 +2278,11 @@ static void ept_handle_violation(unsigne p2m_type_t p2mt; int ret; struct domain *d = current->domain; + struct npfec npfec = { + .read_access = !!(qualification & EPT_READ_VIOLATION), + .write_access = !!(qualification & EPT_WRITE_VIOLATION), + .insn_fetch = !!(qualification & EPT_EXEC_VIOLATION) + }; if ( tb_init_done ) { @@ -2296,14 +2301,14 @@ static void ept_handle_violation(unsigne } if ( qualification & EPT_GLA_VALID ) + { __vmread(GUEST_LINEAR_ADDRESS, &gla); + npfec.gla_valid = 1; + } else gla = ~0ull; - ret = hvm_hap_nested_page_fault(gpa, - !!(qualification & EPT_GLA_VALID), gla, - !!(qualification & EPT_READ_VIOLATION), - !!(qualification & EPT_WRITE_VIOLATION), - !!(qualification & EPT_EXEC_VIOLATION)); + + ret = hvm_hap_nested_page_fault(gpa, gla, npfec); switch ( ret ) { case 0: // Unhandled L1 EPT violation --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -1261,9 +1261,9 @@ void p2m_mem_paging_resume(struct domain } } -bool_t p2m_mem_access_check(paddr_t gpa, bool_t gla_valid, unsigned long gla, - bool_t access_r, bool_t access_w, bool_t access_x, - mem_event_request_t **req_ptr) +bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, + struct npfec npfec, + mem_event_request_t **req_ptr) { struct vcpu *v = current; unsigned long gfn = gpa >> PAGE_SHIFT; @@ -1281,7 +1281,7 @@ bool_t p2m_mem_access_check(paddr_t gpa, gfn_lock(p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, &p2mt, &p2ma, 0, NULL); - if ( access_w && p2ma == p2m_access_rx2rw ) + if ( npfec.write_access && p2ma == p2m_access_rx2rw ) { rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, p2mt, p2m_access_rw); ASSERT(rc); @@ -1290,7 +1290,7 @@ bool_t p2m_mem_access_check(paddr_t gpa, } else if ( p2ma == p2m_access_n2rwx ) { - ASSERT(access_w || access_r || access_x); + ASSERT(npfec.write_access || npfec.read_access || npfec.insn_fetch); rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, p2mt, p2m_access_rwx); ASSERT(rc); @@ -1341,11 +1341,11 @@ bool_t p2m_mem_access_check(paddr_t gpa, /* Send request to mem event */ req->gfn = gfn; req->offset = gpa & ((1 << PAGE_SHIFT) - 1); - req->gla_valid = gla_valid; + req->gla_valid = npfec.gla_valid; req->gla = gla; - req->access_r = access_r; - req->access_w = access_w; - req->access_x = access_x; + req->access_r = npfec.read_access; + req->access_w = npfec.write_access; + req->access_x = npfec.insn_fetch; req->vcpu_id = v->vcpu_id; } --- a/xen/include/asm-x86/hvm/hvm.h +++ b/xen/include/asm-x86/hvm/hvm.h @@ -435,11 +435,8 @@ static inline void hvm_invalidate_regs_f #endif } -int hvm_hap_nested_page_fault(paddr_t gpa, - bool_t gla_valid, unsigned long gla, - bool_t access_r, - bool_t access_w, - bool_t access_x); +int hvm_hap_nested_page_fault(paddr_t gpa, unsigned long gla, + struct npfec npfec); #define hvm_msr_tsc_aux(v) ({ \ struct domain *__d = (v)->domain; \ --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -551,6 +551,16 @@ void audit_domains(void); #endif +/* + * Nested page fault exception codes. + */ +struct npfec { + unsigned int read_access:1; + unsigned int write_access:1; + unsigned int insn_fetch:1; + unsigned int gla_valid:1; +}; + int new_guest_cr3(unsigned long pfn); void make_cr3(struct vcpu *v, unsigned long mfn); void update_cr3(struct vcpu *v); --- a/xen/include/asm-x86/p2m.h +++ b/xen/include/asm-x86/p2m.h @@ -568,9 +568,9 @@ void p2m_mem_paging_resume(struct domain * been promoted with no underlying vcpu pause. If the req_ptr has been populated, * then the caller must put the event in the ring (once having released get_gfn* * locks -- caller must also xfree the request. */ -bool_t p2m_mem_access_check(paddr_t gpa, bool_t gla_valid, unsigned long gla, - bool_t access_r, bool_t access_w, bool_t access_x, - mem_event_request_t **req_ptr); +bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, + struct npfec npfec, + mem_event_request_t **req_ptr); /* Resumes the running of the VCPU, restarting the last instruction */ void p2m_mem_access_resume(struct domain *d); ++++++ 53ff36ae-x86-hvm-treat-non-insn-fetch-NPF-also-as-read-violations.patch ++++++ References: bnc#882089 # Commit 401d5c5cc5a780cad160aa0e3c282c11ac11dd0c # Date 2014-08-28 16:03:26 +0200 # Author Tamas K Lengyel <tamas.lengyel(a)zentific.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/hvm: treat non-instruction fetch nested page faults also as read violations As pointed out by Jan Beulich in http://lists.xen.org/archives/html/xen-devel/2014-08/msg01269.html: "Read-modify-write instructions absolutely need to be treated as read accesses, yet hardware doesn't guarantee to tell us so (they may surface as just write accesses)." This patch addresses the issue in both the VMX and the SVM side. VMX: Treat all write data access violations also as read violations (in addition to those that were already reported as read violations). SVM: Refine the meaning of read data access violations to distinguish between read/write and instruction fetch access violations. With this patch both VMX and SVM specific nested page fault handling code reports violations the same way, thus abstracting the hardware specific behaviour from the layers above. Suggested-by: Jan Beulich <JBeulich(a)suse.com> Signed-off-by: Tamas K Lengyel <tamas.lengyel(a)zentific.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Reviewed-by: Tim Deegan <tim(a)xen.org> --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -1298,8 +1298,13 @@ static void svm_do_nested_pgfault(struct p2m_access_t p2ma; struct p2m_domain *p2m = NULL; + /* + * Since HW doesn't explicitly provide a read access bit and we need to + * somehow describe read-modify-write instructions we will conservatively + * set read_access for all memory accesses that are not instruction fetches. + */ struct npfec npfec = { - .read_access = 1, /* All NPFs count as reads */ + .read_access = !(pfec & PFEC_insn_fetch), .write_access = !!(pfec & PFEC_write_access), .insn_fetch = !!(pfec & PFEC_insn_fetch) }; --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2278,8 +2278,21 @@ static void ept_handle_violation(unsigne p2m_type_t p2mt; int ret; struct domain *d = current->domain; + + /* + * We treat all write violations also as read violations. + * The reason why this is required is the following warning: + * "An EPT violation that occurs during as a result of execution of a + * read-modify-write operation sets bit 1 (data write). Whether it also + * sets bit 0 (data read) is implementation-specific and, for a given + * implementation, may differ for different kinds of read-modify-write + * operations." + * - Intel(R) 64 and IA-32 Architectures Software Developer's Manual + * Volume 3C: System Programming Guide, Part 3 + */ struct npfec npfec = { - .read_access = !!(qualification & EPT_READ_VIOLATION), + .read_access = !!(qualification & EPT_READ_VIOLATION) || + !!(qualification & EPT_WRITE_VIOLATION), .write_access = !!(qualification & EPT_WRITE_VIOLATION), .insn_fetch = !!(qualification & EPT_EXEC_VIOLATION) }; ++++++ 53ff36d5-x86-mem_event-deliver-gla-fault-EPT-violation-information.patch ++++++ References: bnc#882089 # Commit 692f3cc7dd05b80dbd027e46372b1c25d7975332 # Date 2014-08-28 16:04:05 +0200 # Author Tamas K Lengyel <tamas.lengyel(a)zentific.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/mem_event: deliver gla fault EPT violation information On Intel EPT the exit qualification generated by a violation also includes a bit (EPT_GLA_FAULT) which describes the following information: Set if the access causing the EPT violation is to a guest-physical address that is the translation of a linear address. Clear if the access causing the EPT violation is to a paging-structure entry as part of a page walk or the update of an accessed or dirty bit. For more information see Table 27-7 in the Intel SDM. This patch extends the mem_event system to deliver this extra information, which could be useful for determining the cause of a violation. Signed-off-by: Tamas K Lengyel <tamas.lengyel(a)zentific.com> Reviewed-by: Jan Beulich <jbeulich(a)suse.com> Acked-by: Kevin Tian <kevin.tian(a)intel.com> Acked-by: Tim Deegan <tim(a)xen.org> --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -1289,7 +1289,7 @@ const struct hvm_function_table * __init } static void svm_do_nested_pgfault(struct vcpu *v, - struct cpu_user_regs *regs, uint32_t pfec, paddr_t gpa) + struct cpu_user_regs *regs, uint64_t pfec, paddr_t gpa) { int ret; unsigned long gfn = gpa >> PAGE_SHIFT; @@ -1309,6 +1309,12 @@ static void svm_do_nested_pgfault(struct .insn_fetch = !!(pfec & PFEC_insn_fetch) }; + /* These bits are mutually exclusive */ + if ( pfec & NPT_PFEC_with_gla ) + npfec.kind = npfec_kind_with_gla; + else if ( pfec & NPT_PFEC_in_gpt ) + npfec.kind = npfec_kind_in_gpt; + ret = hvm_hap_nested_page_fault(gpa, ~0ul, npfec); if ( tb_init_done ) --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2317,6 +2317,10 @@ static void ept_handle_violation(unsigne { __vmread(GUEST_LINEAR_ADDRESS, &gla); npfec.gla_valid = 1; + if( qualification & EPT_GLA_FAULT ) + npfec.kind = npfec_kind_with_gla; + else + npfec.kind = npfec_kind_in_gpt; } else gla = ~0ull; --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -1343,10 +1343,13 @@ bool_t p2m_mem_access_check(paddr_t gpa, req->offset = gpa & ((1 << PAGE_SHIFT) - 1); req->gla_valid = npfec.gla_valid; req->gla = gla; + if ( npfec.kind == npfec_kind_with_gla ) + req->fault_with_gla = 1; + else if ( npfec.kind == npfec_kind_in_gpt ) + req->fault_in_gpt = 1; req->access_r = npfec.read_access; req->access_w = npfec.write_access; req->access_x = npfec.insn_fetch; - req->vcpu_id = v->vcpu_id; } --- a/xen/include/asm-x86/hvm/svm/svm.h +++ b/xen/include/asm-x86/hvm/svm/svm.h @@ -105,4 +105,10 @@ extern u32 svm_feature_flags; extern void svm_host_osvw_reset(void); extern void svm_host_osvw_init(void); +/* EXITINFO1 fields on NPT faults */ +#define _NPT_PFEC_with_gla 32 +#define NPT_PFEC_with_gla (1UL<<_NPT_PFEC_with_gla) +#define _NPT_PFEC_in_gpt 33 +#define NPT_PFEC_in_gpt (1UL<<_NPT_PFEC_in_gpt) + #endif /* __ASM_X86_HVM_SVM_H__ */ --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -552,6 +552,16 @@ void audit_domains(void); #endif /* + * Extra fault info types which are used to further describe + * the source of an access violation. + */ +typedef enum { + npfec_kind_unknown, /* must be first */ + npfec_kind_in_gpt, /* violation in guest page table */ + npfec_kind_with_gla /* violation with guest linear address */ +} npfec_kind_t; + +/* * Nested page fault exception codes. */ struct npfec { @@ -559,6 +569,7 @@ struct npfec { unsigned int write_access:1; unsigned int insn_fetch:1; unsigned int gla_valid:1; + unsigned int kind:2; /* npfec_kind_t */ }; int new_guest_cr3(unsigned long pfn); --- a/xen/include/public/mem_event.h +++ b/xen/include/public/mem_event.h @@ -62,7 +62,9 @@ typedef struct mem_event_st { uint16_t access_w:1; uint16_t access_x:1; uint16_t gla_valid:1; - uint16_t available:12; + uint16_t fault_with_gla:1; + uint16_t fault_in_gpt:1; + uint16_t available:10; uint16_t reason; } mem_event_request_t, mem_event_response_t; ++++++ 53ff3716-x86-ats-Disable-Address-Translation-Services-by-default.patch ++++++ # Commit ad6eddb742577d182e634785bcfaf92732a50024 # Date 2014-08-28 16:05:10 +0200 # Author Andrew Cooper <andrew.cooper3(a)citrix.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/ats: Disable Address Translation Services by default Xen cannot safely use any ATS functionality until it gains asynchronous queued invalidation support, because of the current synchronous wait for completion. Do not turn ATS on by default. While editing the default in the command line documentation, correct the statement regarding PCI Passthrough. ATS is purely a performance optimisation, and is certainly not required for PCI Passthrough to function. Signed-off-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Reviewed-by: Jan Beulich <jbeulich(a)suse.com> Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -167,10 +167,13 @@ developers wishing Xen to fall back to o ### ats > `= <boolean>` -> Default: `true` +> Default: `false` + +Permits Xen to set up and use PCI Address Translation Services. This is a +performance optimisation for PCI Passthrough. -Permits Xen to set up and use PCI Address Translation Services, which -is required for PCI Passthrough. +**WARNING: Xen cannot currently safely use ATS because of its synchronous wait +loops for Queued Invalidation completions.** ### availmem > `= <size>` --- a/xen/drivers/passthrough/x86/ats.c +++ b/xen/drivers/passthrough/x86/ats.c @@ -20,7 +20,7 @@ LIST_HEAD(ats_devices); -bool_t __read_mostly ats_enabled = 1; +bool_t __read_mostly ats_enabled = 0; boolean_param("ats", ats_enabled); int enable_ats_device(int seg, int bus, int devfn, const void *iommu) ++++++ 53ff3899-x86-NMI-allow-processing-unknown-NMIs-with-watchdog.patch ++++++ # Commit 3ea2ba980afe7356c613c8e1ba00d223d1c25412 # Date 2014-08-28 16:11:37 +0200 # Author Ross Lagerwall <ross.lagerwall(a)citrix.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/NMI: allow processing unknown NMIs when watchdog is enabled Change NMI processing so that if watchdog=force is passed on the command-line and the NMI is not caused by a perf counter overflow (i.e. likely not a watchdog "tick"), the NMI is handled by the unknown NMI handler. This allows injection of NMIs from IPMI controllers that don't set the IOCK/SERR bits to trigger the unknown NMI handler rather than be ignored. Signed-off-by: Ross Lagerwall <ross.lagerwall(a)citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Fix command line parsing (don't enable the watchdog on e.g. "watchdog=xyz"). Signed-off-by: Jan Beulich <jbeulich(a)suse.com> # Commit fd553ae5f0f57baa63d033bedee84f607de57d33 # Date 2014-09-03 15:09:59 +0200 # Author Jan Beulich <jbeulich(a)suse.com> # Committer Jan Beulich <jbeulich(a)suse.com> x86/NMI: allow passing just "watchdog" again This capability got inadvertently lost in commit 3ea2ba980a ("x86/NMI: allow processing unknown NMIs when watchdog is enabled") due to an oversight of mine. Reported-by: Ross Lagerwall <ross.lagerwall(a)citrix.com> Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -1039,12 +1039,14 @@ As the BTS virtualisation is not 100% sa don't use the vpmu flag on production systems with Intel cpus! ### watchdog -> `= <boolean>` +> `= force | <boolean>` > Default: `false` Run an NMI watchdog on each processor. If a processor is stuck for -longer than the **watchdog\_timeout**, a panic occurs. +longer than the **watchdog\_timeout**, a panic occurs. When `force` is +specified, in addition to running an NMI watchdog on each processor, +unknown NMIs will still be processed. ### watchdog\_timeout > `= <integer>` --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -43,7 +43,32 @@ static DEFINE_PER_CPU(unsigned int, nmi_ /* opt_watchdog: If true, run a watchdog NMI on each processor. */ bool_t __initdata opt_watchdog = 0; -boolean_param("watchdog", opt_watchdog); + +/* watchdog_force: If true, process unknown NMIs when running the watchdog. */ +bool_t watchdog_force = 0; + +static void __init parse_watchdog(char *s) +{ + if ( !*s ) + { + opt_watchdog = 1; + return; + } + + switch ( parse_bool(s) ) + { + case 0: + opt_watchdog = 0; + return; + case 1: + opt_watchdog = 1; + return; + } + + if ( !strcmp(s, "force") ) + watchdog_force = opt_watchdog = 1; +} +custom_param("watchdog", parse_watchdog); /* opt_watchdog_timeout: Number of seconds to wait before panic. */ static unsigned int opt_watchdog_timeout = 5; @@ -82,6 +107,7 @@ int nmi_active; #define K7_EVNTSEL_USR (1 << 16) #define K7_EVENT_CYCLES_PROCESSOR_IS_RUNNING 0x76 #define K7_NMI_EVENT K7_EVENT_CYCLES_PROCESSOR_IS_RUNNING +#define K7_EVENT_WIDTH 32 #define P6_EVNTSEL0_ENABLE (1 << 22) #define P6_EVNTSEL_INT (1 << 20) @@ -89,10 +115,12 @@ int nmi_active; #define P6_EVNTSEL_USR (1 << 16) #define P6_EVENT_CPU_CLOCKS_NOT_HALTED 0x79 #define CORE_EVENT_CPU_CLOCKS_NOT_HALTED 0x3c +#define P6_EVENT_WIDTH 32 #define P4_ESCR_EVENT_SELECT(N) ((N)<<25) #define P4_CCCR_OVF_PMI0 (1<<26) #define P4_CCCR_OVF_PMI1 (1<<27) +#define P4_CCCR_OVF (1<<31) #define P4_CCCR_THRESHOLD(N) ((N)<<20) #define P4_CCCR_COMPLEMENT (1<<19) #define P4_CCCR_COMPARE (1<<18) @@ -433,8 +461,10 @@ int __init watchdog_setup(void) return 0; } -void nmi_watchdog_tick(struct cpu_user_regs * regs) +/* Returns false if this was not a watchdog NMI, true otherwise */ +bool_t nmi_watchdog_tick(struct cpu_user_regs *regs) { + bool_t watchdog_tick = 1; unsigned int sum = this_cpu(nmi_timer_ticks); if ( (this_cpu(last_irq_sums) == sum) && watchdog_enabled() ) @@ -460,8 +490,15 @@ void nmi_watchdog_tick(struct cpu_user_r if ( nmi_perfctr_msr ) { + uint64_t msr_content; + + /* Work out if this is a watchdog tick by checking for overflow. */ if ( nmi_perfctr_msr == MSR_P4_IQ_PERFCTR0 ) { + rdmsrl(MSR_P4_IQ_CCCR0, msr_content); + if ( !(msr_content & P4_CCCR_OVF) ) + watchdog_tick = 0; + /* * P4 quirks: * - An overflown perfctr will assert its interrupt @@ -474,14 +511,26 @@ void nmi_watchdog_tick(struct cpu_user_r } else if ( nmi_perfctr_msr == MSR_P6_PERFCTR0 ) { + rdmsrl(MSR_P6_PERFCTR0, msr_content); + if ( msr_content & (1ULL << P6_EVENT_WIDTH) ) + watchdog_tick = 0; + /* * Only P6 based Pentium M need to re-unmask the apic vector but * it doesn't hurt other P6 variants. */ apic_write(APIC_LVTPC, APIC_DM_NMI); } + else if ( nmi_perfctr_msr == MSR_K7_PERFCTR0 ) + { + rdmsrl(MSR_K7_PERFCTR0, msr_content); + if ( msr_content & (1ULL << K7_EVENT_WIDTH) ) + watchdog_tick = 0; + } write_watchdog_counter(NULL); } + + return watchdog_tick; } /* --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -3226,14 +3226,15 @@ void do_nmi(struct cpu_user_regs *regs) { unsigned int cpu = smp_processor_id(); unsigned char reason; + bool_t handle_unknown = 0; ++nmi_count(cpu); if ( nmi_callback(regs, cpu) ) return; - if ( nmi_watchdog ) - nmi_watchdog_tick(regs); + if ( !nmi_watchdog || (!nmi_watchdog_tick(regs) && watchdog_force) ) + handle_unknown = 1; /* Only the BSP gets external NMIs from the system. */ if ( cpu == 0 ) @@ -3243,7 +3244,7 @@ void do_nmi(struct cpu_user_regs *regs) pci_serr_error(regs); if ( reason & 0x40 ) io_check_error(regs); - if ( !(reason & 0xc0) && !nmi_watchdog ) + if ( !(reason & 0xc0) && handle_unknown ) unknown_nmi_error(regs, reason); } } --- a/xen/include/asm-x86/apic.h +++ b/xen/include/asm-x86/apic.h @@ -206,7 +206,7 @@ extern void release_lapic_nmi(void); extern void self_nmi(void); extern void disable_timer_nmi_watchdog(void); extern void enable_timer_nmi_watchdog(void); -extern void nmi_watchdog_tick (struct cpu_user_regs *regs); +extern bool_t nmi_watchdog_tick (struct cpu_user_regs *regs); extern int APIC_init_uniprocessor (void); extern void disable_APIC_timer(void); extern void enable_APIC_timer(void); --- a/xen/include/asm-x86/nmi.h +++ b/xen/include/asm-x86/nmi.h @@ -8,6 +8,9 @@ struct cpu_user_regs; /* Watchdog boolean from the command line */ extern bool_t opt_watchdog; + +/* Watchdog force parameter from the command line */ +extern bool_t watchdog_force; typedef int (*nmi_callback_t)(struct cpu_user_regs *regs, int cpu); ++++++ 54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch ++++++ References: bnc#882089 # Commit ecb69533582e51999e5d76bce513be870222908f # Date 2014-08-29 12:22:42 +0200 # Author Jan Beulich <jbeulich(a)suse.com> # Committer Jan Beulich <jbeulich(a)suse.com> EPT: utilize GLA->GPA translation known for certain faults Rather than doing the translation ourselves in __hvmemul_{read,write}() leverage that we know the association for faults other than such having occurred when translating addresses of page tables. There is one intentional but not necessarily obvious (and possibly subtle) adjustment to behavior: __hvmemul_read() no longer blindly bails on instruction fetches matching the MMIO GVA (the callers of handle_mmio_with_translation() now control the behavior via the struct npfec they pass, and it didn't seem right to bail here rather than just falling through to the unaccelerated path) Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Tim Deegan <tim(a)xen.org> --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -496,10 +496,11 @@ static int __hvmemul_read( while ( off & (chunk - 1) ) chunk >>= 1; - if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva ) + if ( ((access_type != hvm_access_insn_fetch + ? vio->mmio_access.read_access + : vio->mmio_access.insn_fetch)) && + (vio->mmio_gva == (addr & PAGE_MASK)) ) { - if ( access_type == hvm_access_insn_fetch ) - return X86EMUL_UNHANDLEABLE; gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) | off); while ( (off + chunk) <= PAGE_SIZE ) { @@ -639,7 +640,8 @@ static int hvmemul_write( while ( off & (chunk - 1) ) chunk >>= 1; - if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva ) + if ( vio->mmio_access.write_access && + (vio->mmio_gva == (addr & PAGE_MASK)) ) { gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) | off); while ( (off + chunk) <= PAGE_SIZE ) --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1529,7 +1529,7 @@ int hvm_hap_nested_page_fault(paddr_t gp && is_hvm_vcpu(v) && hvm_mmio_internal(gpa) ) { - if ( !handle_mmio() ) + if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) ) hvm_inject_hw_exception(TRAP_gp_fault, 0); rc = 1; goto out; @@ -1603,7 +1603,7 @@ int hvm_hap_nested_page_fault(paddr_t gp if ( unlikely(is_pvh_vcpu(v)) ) goto out; - if ( !handle_mmio() ) + if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) ) hvm_inject_hw_exception(TRAP_gp_fault, 0); rc = 1; goto out; --- a/xen/arch/x86/hvm/io.c +++ b/xen/arch/x86/hvm/io.c @@ -189,7 +189,7 @@ int handle_mmio(void) if ( vio->io_state == HVMIO_awaiting_completion ) vio->io_state = HVMIO_handle_mmio_awaiting_completion; else - vio->mmio_gva = 0; + vio->mmio_access = (struct npfec){}; switch ( rc ) { @@ -218,9 +218,14 @@ int handle_mmio(void) return 1; } -int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn) +int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn, + struct npfec access) { struct hvm_vcpu_io *vio = &current->arch.hvm_vcpu.hvm_io; + + vio->mmio_access = access.gla_valid && + access.kind == npfec_kind_with_gla + ? access : (struct npfec){}; vio->mmio_gva = gva & PAGE_MASK; vio->mmio_gpfn = gpfn; return handle_mmio(); --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2839,6 +2839,11 @@ static int sh_page_fault(struct vcpu *v, p2m_type_t p2mt; uint32_t rc; int version; + struct npfec access = { + .read_access = 1, + .gla_valid = 1, + .kind = npfec_kind_with_gla + }; #if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION int fast_emul = 0; #endif @@ -2849,6 +2854,9 @@ static int sh_page_fault(struct vcpu *v, perfc_incr(shadow_fault); + if ( regs->error_code & PFEC_write_access ) + access.write_access = 1; + #if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION /* If faulting frame is successfully emulated in last shadow fault * it's highly likely to reach same emulation action for this frame. @@ -2950,7 +2958,7 @@ static int sh_page_fault(struct vcpu *v, SHADOW_PRINTK("fast path mmio %#"PRIpaddr"\n", gpa); reset_early_unshadow(v); trace_shadow_gen(TRC_SHADOW_FAST_MMIO, va); - return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT) + return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access) ? EXCRET_fault_fixed : 0); } else @@ -3447,7 +3455,7 @@ static int sh_page_fault(struct vcpu *v, paging_unlock(d); put_gfn(d, gfn_x(gfn)); trace_shadow_gen(TRC_SHADOW_MMIO, va); - return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT) + return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access) ? EXCRET_fault_fixed : 0); not_a_shadow_fault: --- a/xen/include/asm-x86/hvm/io.h +++ b/xen/include/asm-x86/hvm/io.h @@ -119,7 +119,8 @@ static inline void register_buffered_io_ void send_timeoffset_req(unsigned long timeoff); void send_invalidate_req(void); int handle_mmio(void); -int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn); +int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn, + struct npfec); int handle_pio(uint16_t port, unsigned int size, int dir); void hvm_interrupt_post(struct vcpu *v, int vector, int type); void hvm_io_assist(ioreq_t *p); --- a/xen/include/asm-x86/hvm/vcpu.h +++ b/xen/include/asm-x86/hvm/vcpu.h @@ -54,8 +54,9 @@ struct hvm_vcpu_io { * HVM emulation: * Virtual address @mmio_gva maps to MMIO physical frame @mmio_gpfn. * The latter is known to be an MMIO frame (not RAM). - * This translation is only valid if @mmio_gva is non-zero. + * This translation is only valid for accesses as per @mmio_access. */ + struct npfec mmio_access; unsigned long mmio_gva; unsigned long mmio_gpfn; ++++++ CVE-2013-4540-qemu.patch ++++++ References: bnc#864801 Subject: zaurus: fix buffer overrun on invalid state load From: Michael S. Tsirkin mst(a)redhat.com Thu Apr 3 19:52:13 2014 +0300 Date: Mon May 5 22:15:02 2014 +0200: Git: 52f91c3723932f8340fe36c8ec8b18a757c37b2b CVE-2013-4540 Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that causes a buffer overrun. Since prev_level comes from wire indirectly, this can happen on invalid state load. Similarly for gpio_level and gpio_dir. To fix, limit to 16 bit. Reported-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert(a)redhat.com> Signed-off-by: Juan Quintela <quintela(a)redhat.com> Index: xen-4.4.1-testing/tools/qemu-xen-dir-remote/hw/gpio/zaurus.c =================================================================== --- xen-4.4.1-testing.orig/tools/qemu-xen-dir-remote/hw/gpio/zaurus.c +++ xen-4.4.1-testing/tools/qemu-xen-dir-remote/hw/gpio/zaurus.c @@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, return version_id == 0; } +static bool vmstate_scoop_validate(void *opaque, int version_id) +{ + ScoopInfo *s = opaque; + + return !(s->prev_level & 0xffff0000) && + !(s->gpio_level & 0xffff0000) && + !(s->gpio_dir & 0xffff0000); +} + static const VMStateDescription vmstate_scoop_regs = { .name = "scoop", .version_id = 1, @@ -215,6 +224,7 @@ static const VMStateDescription vmstate_ VMSTATE_UINT32(gpio_level, ScoopInfo), VMSTATE_UINT32(gpio_dir, ScoopInfo), VMSTATE_UINT32(prev_level, ScoopInfo), + VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate), VMSTATE_UINT16(mcr, ScoopInfo), VMSTATE_UINT16(cdr, ScoopInfo), VMSTATE_UINT16(ccr, ScoopInfo), ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.SmKn8C/_old 2014-09-06 12:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.SmKn8C/_new 2014-09-06 12:17:53.000000000 +0200 @@ -550,16 +550,16 @@ Grub2 Example: Edit /etc/default/grub and add, - GRUB_CMDLINE_XEN_DEFAULT="loglvl=all loglvl_guest=all" + GRUB_CMDLINE_XEN_DEFAULT="loglvl=all guest_loglvl=all" and then run, grub2-mkconfig -o /boot/grub2/grub.cfg Grub1 Example: Edit /boot/grub/menu.lst and edit the line containing xen.gz - kernel /boot/xen.gz loglvl=all loglvl_guest=all + kernel /boot/xen.gz loglvl=all guest_loglvl=all 2) With the log levels specified above and the host rebooted, more useful -information about domain 0 and running VMs can be obtained using using the +information about domain 0 and running VMs can be obtained using the 'xl dmesg' and 'xl debug-keys' commands. For example, from the command line run: xl debug-keys h @@ -581,7 +581,7 @@ Grub2 Example: Edit /etc/default/grub and add, - GRUB_CMDLINE_XEN_DEFAULT="loglvl=all loglvl_guest=all console=com1 com1=115200,8n1" + GRUB_CMDLINE_XEN_DEFAULT="loglvl=all guest_loglvl=all console=com1 com1=115200,8n1" Also append additional serial flags to the option below such that it appears as, GRUB_CMDLINE_LINUX_DEFAULT="<pre-existing flags> console=ttyS0, 115200" where pre-existing flags are those options already present and then run, @@ -600,7 +600,7 @@ Grub2 Example: Edit /etc/default/grub and add, - GRUB_CMDLINE_XEN_DEFAULT="noreboot loglvl=all loglvl_guest=all" + GRUB_CMDLINE_XEN_DEFAULT="noreboot loglvl=all guest_loglvl=all" Edit /etc/grub.d/20_linux_xen file. Look for this line: while [ "x${xen_list}" != "x" ] ; do and add *before* the above line something like this: @@ -616,7 +616,7 @@ Edit your menu.lst configuration from something like this: kernel (hd0,5)/xen.gz To something like this: - kernel (hd0,5)/xen-dbg.gz noreboot loglvl=all loglvl_guest=all + kernel (hd0,5)/xen-dbg.gz noreboot loglvl=all guest_loglvl=all All hypervisor options require a reboot to take effect. After rebooting, the Xen hypervisor will write any error messages to the log file (viewable with ++++++ tigervnc-long-press.patch ++++++ Index: xen-4.4.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c =================================================================== --- xen-4.4.1-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c +++ xen-4.4.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c @@ -1651,6 +1651,25 @@ static void do_key_event(VncState *vs, i if (down) vs->modifiers_state[keycode] ^= 1; break; + default: + if (qemu_console_is_graphic(NULL)) { + /* record key 'down' info. Some client like tigervnc + * will send key down repeatedly if user pressing a + * a key for long time. In this case, we should add + * additional key up event before repeated key down, + * so that it can display the key multiple times. + */ + if (down) { + if (vs->modifiers_state[keycode]) { + /* add a key up event */ + do_key_event(vs, 0, keycode, sym); + } + vs->modifiers_state[keycode] = 1; + } else { + vs->modifiers_state[keycode] = 0; + } + } + break; } /* Turn off the lock state sync logic if the client support the led ++++++ x86-ioapic-ack-default.patch ++++++ --- /var/tmp/diff_new_pack.SmKn8C/_old 2014-09-06 12:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.SmKn8C/_new 2014-09-06 12:17:53.000000000 +0200 @@ -1,10 +1,8 @@ Change default IO-APIC ack mode for single IO-APIC systems to old-style. -Index: xen-4.3.0-testing/xen/arch/x86/io_apic.c -=================================================================== ---- xen-4.3.0-testing.orig/xen/arch/x86/io_apic.c -+++ xen-4.3.0-testing/xen/arch/x86/io_apic.c -@@ -2026,7 +2026,10 @@ void __init setup_IO_APIC(void) +--- a/xen/arch/x86/io_apic.c ++++ b/xen/arch/x86/io_apic.c +@@ -2034,7 +2034,10 @@ void __init setup_IO_APIC(void) io_apic_irqs = ~PIC_IRQS; printk("ENABLING IO-APIC IRQs\n"); ++++++ xen-4.4.1-testing-src.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/ChangeLog new/xen-4.4.1-testing/ChangeLog --- old/xen-4.4.1-testing/ChangeLog 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/ChangeLog 2014-09-02 16:44:07.000000000 +0200 @@ -1,5 +1,5 @@ -commit 0f3cdfc4d7fa1e3dc93cc6153782872d90f25b53 +commit d5a7ed88d86f840c0cc26ebc48987101669b5bf7 Author: Jan Beulich <jbeulich(a)suse.com> -Date: Tue Aug 5 13:41:22 2014 +0200 +Date: Tue Sep 2 08:20:19 2014 +0200 - update Xen version to 4.4.1-rc2 + update Xen version to 4.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/Config.mk new/xen-4.4.1-testing/Config.mk --- old/xen-4.4.1-testing/Config.mk 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/Config.mk 2014-09-02 16:44:07.000000000 +0200 @@ -234,7 +234,7 @@ SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git endif OVMF_UPSTREAM_REVISION ?= 447d264115c476142f884af0be287622cd244423 -QEMU_UPSTREAM_REVISION ?= qemu-xen-4.4.1-rc1 +QEMU_UPSTREAM_REVISION ?= qemu-xen-4.4.1 SEABIOS_UPSTREAM_TAG ?= rel-1.7.3.1 # Fri Aug 2 14:12:09 2013 -0400 # Fix bug in CBFS file walking with compressed files. @@ -246,7 +246,7 @@ # CONFIG_QEMU ?= `pwd`/$(XEN_ROOT)/../qemu-xen.git CONFIG_QEMU ?= $(QEMU_REMOTE) -QEMU_TAG ?= xen-4.4.1-rc2 +QEMU_TAG ?= xen-4.4.1 # Tue Apr 8 16:50:06 2014 +0000 # qemu-xen-trad: free all the pirqs for msi/msix when driver unloads diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/tools/tests/x86_emulator/test_x86_emulator.c new/xen-4.4.1-testing/tools/tests/x86_emulator/test_x86_emulator.c --- old/xen-4.4.1-testing/tools/tests/x86_emulator/test_x86_emulator.c 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/tools/tests/x86_emulator/test_x86_emulator.c 2014-09-02 16:44:07.000000000 +0200 @@ -597,23 +597,32 @@ printf("skipped\n"); #endif +#define decl_insn(which) extern const unsigned char which[], which##_len[] +#define put_insn(which, insn) ".pushsection .test, \"ax\", @progbits\n" \ + #which ": " insn "\n" \ + ".equ " #which "_len, .-" #which "\n" \ + ".popsection" +#define set_insn(which) (regs.eip = (unsigned long)memcpy(instr, which, \ + (unsigned long)which##_len)) +#define check_eip(which) (regs.eip == (unsigned long)instr + \ + (unsigned long)which##_len) + printf("%-40s", "Testing movq %mm3,(%ecx)..."); if ( stack_exec && cpu_has_mmx ) { - extern const unsigned char movq_to_mem[]; + decl_insn(movq_to_mem); asm volatile ( "pcmpeqb %%mm3, %%mm3\n" - ".pushsection .test, \"a\", @progbits\n" - "movq_to_mem: movq %%mm3, (%0)\n" - ".popsection" :: "c" (NULL) ); + put_insn(movq_to_mem, "movq %%mm3, (%0)") + :: "c" (NULL) ); - memcpy(instr, movq_to_mem, 15); + set_insn(movq_to_mem); memset(res, 0x33, 64); memset(res + 8, 0xff, 8); - regs.eip = (unsigned long)&instr[0]; regs.ecx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) ) + if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) || + !check_eip(movq_to_mem) ) goto fail; printf("okay\n"); } @@ -623,19 +632,17 @@ printf("%-40s", "Testing movq (%edx),%mm5..."); if ( stack_exec && cpu_has_mmx ) { - extern const unsigned char movq_from_mem[]; + decl_insn(movq_from_mem); asm volatile ( "pcmpgtb %%mm5, %%mm5\n" - ".pushsection .test, \"a\", @progbits\n" - "movq_from_mem: movq (%0), %%mm5\n" - ".popsection" :: "d" (NULL) ); + put_insn(movq_from_mem, "movq (%0), %%mm5") + :: "d" (NULL) ); - memcpy(instr, movq_from_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(movq_from_mem); regs.ecx = 0; regs.edx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( rc != X86EMUL_OKAY ) + if ( rc != X86EMUL_OKAY || !check_eip(movq_from_mem) ) goto fail; asm ( "pcmpeqb %%mm3, %%mm3\n\t" "pcmpeqb %%mm5, %%mm3\n\t" @@ -650,20 +657,19 @@ printf("%-40s", "Testing movdqu %xmm2,(%ecx)..."); if ( stack_exec && cpu_has_sse2 ) { - extern const unsigned char movdqu_to_mem[]; + decl_insn(movdqu_to_mem); asm volatile ( "pcmpeqb %%xmm2, %%xmm2\n" - ".pushsection .test, \"a\", @progbits\n" - "movdqu_to_mem: movdqu %%xmm2, (%0)\n" - ".popsection" :: "c" (NULL) ); + put_insn(movdqu_to_mem, "movdqu %%xmm2, (%0)") + :: "c" (NULL) ); - memcpy(instr, movdqu_to_mem, 15); + set_insn(movdqu_to_mem); memset(res, 0x55, 64); memset(res + 8, 0xff, 16); - regs.eip = (unsigned long)&instr[0]; regs.ecx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) ) + if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) || + !check_eip(movdqu_to_mem) ) goto fail; printf("okay\n"); } @@ -673,19 +679,17 @@ printf("%-40s", "Testing movdqu (%edx),%xmm4..."); if ( stack_exec && cpu_has_sse2 ) { - extern const unsigned char movdqu_from_mem[]; + decl_insn(movdqu_from_mem); asm volatile ( "pcmpgtb %%xmm4, %%xmm4\n" - ".pushsection .test, \"a\", @progbits\n" - "movdqu_from_mem: movdqu (%0), %%xmm4\n" - ".popsection" :: "d" (NULL) ); + put_insn(movdqu_from_mem, "movdqu (%0), %%xmm4") + :: "d" (NULL) ); - memcpy(instr, movdqu_from_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(movdqu_from_mem); regs.ecx = 0; regs.edx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( rc != X86EMUL_OKAY ) + if ( rc != X86EMUL_OKAY || !check_eip(movdqu_from_mem) ) goto fail; asm ( "pcmpeqb %%xmm2, %%xmm2\n\t" "pcmpeqb %%xmm4, %%xmm2\n\t" @@ -700,21 +704,20 @@ printf("%-40s", "Testing vmovdqu %ymm2,(%ecx)..."); if ( stack_exec && cpu_has_avx ) { - extern const unsigned char vmovdqu_to_mem[]; + decl_insn(vmovdqu_to_mem); asm volatile ( "vpcmpeqb %%xmm2, %%xmm2, %%xmm2\n" - ".pushsection .test, \"a\", @progbits\n" - "vmovdqu_to_mem: vmovdqu %%ymm2, (%0)\n" - ".popsection" :: "c" (NULL) ); + put_insn(vmovdqu_to_mem, "vmovdqu %%ymm2, (%0)") + :: "c" (NULL) ); - memcpy(instr, vmovdqu_to_mem, 15); + set_insn(vmovdqu_to_mem); memset(res, 0x55, 128); memset(res + 16, 0xff, 16); memset(res + 20, 0x00, 16); - regs.eip = (unsigned long)&instr[0]; regs.ecx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 16, 64) ) + if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 16, 64) || + !check_eip(vmovdqu_to_mem) ) goto fail; printf("okay\n"); } @@ -724,7 +727,7 @@ printf("%-40s", "Testing vmovdqu (%edx),%ymm4..."); if ( stack_exec && cpu_has_avx ) { - extern const unsigned char vmovdqu_from_mem[]; + decl_insn(vmovdqu_from_mem); #if 0 /* Don't use AVX2 instructions for now */ asm volatile ( "vpcmpgtb %%ymm4, %%ymm4, %%ymm4\n" @@ -732,17 +735,15 @@ asm volatile ( "vpcmpgtb %%xmm4, %%xmm4, %%xmm4\n\t" "vinsertf128 $1, %%xmm4, %%ymm4, %%ymm4\n" #endif - ".pushsection .test, \"a\", @progbits\n" - "vmovdqu_from_mem: vmovdqu (%0), %%ymm4\n" - ".popsection" :: "d" (NULL) ); + put_insn(vmovdqu_from_mem, "vmovdqu (%0), %%ymm4") + :: "d" (NULL) ); - memcpy(instr, vmovdqu_from_mem, 15); + set_insn(vmovdqu_from_mem); memset(res + 4, 0xff, 16); - regs.eip = (unsigned long)&instr[0]; regs.ecx = 0; regs.edx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( rc != X86EMUL_OKAY ) + if ( rc != X86EMUL_OKAY || !check_eip(vmovdqu_from_mem) ) goto fail; #if 0 /* Don't use AVX2 instructions for now */ asm ( "vpcmpeqb %%ymm2, %%ymm2, %%ymm2\n\t" @@ -769,20 +770,19 @@ memset(res + 10, 0x66, 8); if ( stack_exec && cpu_has_sse2 ) { - extern const unsigned char movsd_to_mem[]; + decl_insn(movsd_to_mem); asm volatile ( "movlpd %0, %%xmm5\n\t" "movhpd %0, %%xmm5\n" - ".pushsection .test, \"a\", @progbits\n" - "movsd_to_mem: movsd %%xmm5, (%1)\n" - ".popsection" :: "m" (res[10]), "c" (NULL) ); + put_insn(movsd_to_mem, "movsd %%xmm5, (%1)") + :: "m" (res[10]), "c" (NULL) ); - memcpy(instr, movsd_to_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(movsd_to_mem); regs.ecx = (unsigned long)(res + 2); regs.edx = 0; rc = x86_emulate(&ctxt, &emulops); - if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) ) + if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) || + !check_eip(movsd_to_mem) ) goto fail; printf("okay\n"); } @@ -795,19 +795,17 @@ printf("%-40s", "Testing movaps (%edx),%xmm7..."); if ( stack_exec && cpu_has_sse ) { - extern const unsigned char movaps_from_mem[]; + decl_insn(movaps_from_mem); asm volatile ( "xorps %%xmm7, %%xmm7\n" - ".pushsection .test, \"a\", @progbits\n" - "movaps_from_mem: movaps (%0), %%xmm7\n" - ".popsection" :: "d" (NULL) ); + put_insn(movaps_from_mem, "movaps (%0), %%xmm7") + :: "d" (NULL) ); - memcpy(instr, movaps_from_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(movaps_from_mem); regs.ecx = 0; regs.edx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( rc != X86EMUL_OKAY ) + if ( rc != X86EMUL_OKAY || !check_eip(movaps_from_mem) ) goto fail; asm ( "cmpeqps %1, %%xmm7\n\t" "movmskps %%xmm7, %0" : "=r" (rc) : "m" (res[8]) ); @@ -823,19 +821,18 @@ memset(res + 10, 0x77, 8); if ( stack_exec && cpu_has_avx ) { - extern const unsigned char vmovsd_to_mem[]; + decl_insn(vmovsd_to_mem); asm volatile ( "vbroadcastsd %0, %%ymm5\n" - ".pushsection .test, \"a\", @progbits\n" - "vmovsd_to_mem: vmovsd %%xmm5, (%1)\n" - ".popsection" :: "m" (res[10]), "c" (NULL) ); + put_insn(vmovsd_to_mem, "vmovsd %%xmm5, (%1)") + :: "m" (res[10]), "c" (NULL) ); - memcpy(instr, vmovsd_to_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(vmovsd_to_mem); regs.ecx = (unsigned long)(res + 2); regs.edx = 0; rc = x86_emulate(&ctxt, &emulops); - if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) ) + if ( (rc != X86EMUL_OKAY) || memcmp(res, res + 8, 32) || + !check_eip(vmovsd_to_mem) ) goto fail; printf("okay\n"); } @@ -848,19 +845,17 @@ printf("%-40s", "Testing vmovaps (%edx),%ymm7..."); if ( stack_exec && cpu_has_avx ) { - extern const unsigned char vmovaps_from_mem[]; + decl_insn(vmovaps_from_mem); asm volatile ( "vxorps %%ymm7, %%ymm7, %%ymm7\n" - ".pushsection .test, \"a\", @progbits\n" - "vmovaps_from_mem: vmovaps (%0), %%ymm7\n" - ".popsection" :: "d" (NULL) ); + put_insn(vmovaps_from_mem, "vmovaps (%0), %%ymm7") + :: "d" (NULL) ); - memcpy(instr, vmovaps_from_mem, 15); - regs.eip = (unsigned long)&instr[0]; + set_insn(vmovaps_from_mem); regs.ecx = 0; regs.edx = (unsigned long)res; rc = x86_emulate(&ctxt, &emulops); - if ( rc != X86EMUL_OKAY ) + if ( rc != X86EMUL_OKAY || !check_eip(vmovaps_from_mem) ) goto fail; asm ( "vcmpeqps %1, %%ymm7, %%ymm0\n\t" "vmovmskps %%ymm0, %0" : "=r" (rc) : "m" (res[8]) ); @@ -871,6 +866,11 @@ else printf("skipped\n"); +#undef decl_insn +#undef put_insn +#undef set_insn +#undef check_eip + for ( j = 1; j <= 2; j++ ) { #if defined(__i386__) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/Makefile new/xen-4.4.1-testing/xen/Makefile --- old/xen-4.4.1-testing/xen/Makefile 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/Makefile 2014-09-02 16:44:07.000000000 +0200 @@ -2,7 +2,7 @@ # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 4 -export XEN_EXTRAVERSION ?= .1-rc2$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .1$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/arch/arm/traps.c new/xen-4.4.1-testing/xen/arch/arm/traps.c --- old/xen-4.4.1-testing/xen/arch/arm/traps.c 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/arch/arm/traps.c 2014-09-02 16:44:07.000000000 +0200 @@ -286,7 +286,7 @@ regs->cpsr |= PSR_BIG_ENDIAN; } -static vaddr_t exception_handler(vaddr_t offset) +static vaddr_t exception_handler32(vaddr_t offset) { uint32_t sctlr = READ_SYSREG32(SCTLR_EL1); @@ -318,7 +318,7 @@ regs->lr_und = regs->pc32 + return_offset; /* Branch to exception vector */ - regs->pc32 = exception_handler(VECTOR32_UND); + regs->pc32 = exception_handler32(VECTOR32_UND); } /* Injects an Abort exception into the current vcpu, PC is the exact @@ -344,7 +344,7 @@ regs->spsr_abt = spsr; regs->lr_abt = regs->pc32 + return_offset; - regs->pc32 = exception_handler(prefetch ? VECTOR32_PABT : VECTOR32_DABT); + regs->pc32 = exception_handler32(prefetch ? VECTOR32_PABT : VECTOR32_DABT); /* Inject a debug fault, best we can do right now */ if ( READ_SYSREG(TCR_EL1) & TTBCR_EAE ) @@ -397,9 +397,28 @@ } #ifdef CONFIG_ARM_64 +/* + * Take care to call this while regs contains the original faulting + * state and not the (partially constructed) exception state. + */ +static vaddr_t exception_handler64(struct cpu_user_regs *regs, vaddr_t offset) +{ + vaddr_t base = READ_SYSREG(VBAR_EL1); + + if ( usr_mode(regs) ) + base += VECTOR64_LOWER32_BASE; + else if ( psr_mode(regs->cpsr,PSR_MODE_EL0t) ) + base += VECTOR64_LOWER64_BASE; + else /* Otherwise must be from kernel mode */ + base += VECTOR64_CURRENT_SPx_BASE; + + return base + offset; +} + /* Inject an undefined exception into a 64 bit guest */ static void inject_undef64_exception(struct cpu_user_regs *regs, int instr_len) { + vaddr_t handler; union hsr esr = { .iss = 0, .len = instr_len, @@ -408,12 +427,14 @@ BUG_ON( is_pv32_domain(current->domain) ); + handler = exception_handler64(regs, VECTOR64_SYNC_OFFSET); + regs->spsr_el1 = regs->cpsr; regs->elr_el1 = regs->pc; regs->cpsr = PSR_MODE_EL1h | PSR_ABT_MASK | PSR_FIQ_MASK | \ PSR_IRQ_MASK | PSR_DBG_MASK; - regs->pc = READ_SYSREG(VBAR_EL1) + VECTOR64_CURRENT_SPx_SYNC; + regs->pc = handler; WRITE_SYSREG32(esr.bits, ESR_EL1); } @@ -424,6 +445,7 @@ register_t addr, int instr_len) { + vaddr_t handler; union hsr esr = { .iss = 0, .len = instr_len, @@ -445,12 +467,14 @@ BUG_ON( is_pv32_domain(current->domain) ); + handler = exception_handler64(regs, VECTOR64_SYNC_OFFSET); + regs->spsr_el1 = regs->cpsr; regs->elr_el1 = regs->pc; regs->cpsr = PSR_MODE_EL1h | PSR_ABT_MASK | PSR_FIQ_MASK | \ PSR_IRQ_MASK | PSR_DBG_MASK; - regs->pc = READ_SYSREG(VBAR_EL1) + VECTOR64_CURRENT_SPx_SYNC; + regs->pc = handler; WRITE_SYSREG(addr, FAR_EL1); WRITE_SYSREG32(esr.bits, ESR_EL1); @@ -472,6 +496,17 @@ #endif +static void inject_undef_exception(struct cpu_user_regs *regs, + int instr_len) +{ + if ( is_pv32_domain(current->domain) ) + inject_undef32_exception(regs); +#ifdef CONFIG_ARM_64 + else + inject_undef64_exception(regs, instr_len); +#endif +} + static void inject_iabt_exception(struct cpu_user_regs *regs, register_t addr, int instr_len) @@ -697,7 +732,17 @@ show_registers_32(regs, ctxt, guest_mode, v); #ifdef CONFIG_ARM_64 else if ( is_pv64_domain(v->domain) ) - show_registers_64(regs, ctxt, guest_mode, v); + { + if ( psr_mode_is_32bit(regs->cpsr) ) + { + BUG_ON(!usr_mode(regs)); + show_registers_32(regs, ctxt, guest_mode, v); + } + else + { + show_registers_64(regs, ctxt, guest_mode, v); + } + } #endif } else @@ -1430,7 +1475,7 @@ gdprintk(XENLOG_ERR, "unhandled 32-bit CP15 access %#x\n", hsr.bits & HSR_CP32_REGS_MASK); #endif - inject_undef32_exception(regs); + inject_undef_exception(regs, hsr.len); return; } advance_pc(regs, hsr); @@ -1467,7 +1512,7 @@ gdprintk(XENLOG_ERR, "unhandled 64-bit CP15 access %#x\n", hsr.bits & HSR_CP64_REGS_MASK); #endif - inject_undef32_exception(regs); + inject_undef_exception(regs, hsr.len); return; } } @@ -1536,7 +1581,7 @@ gdprintk(XENLOG_ERR, "unhandled 32-bit cp14 access %#x\n", hsr.bits & HSR_CP32_REGS_MASK); #endif - inject_undef32_exception(regs); + inject_undef_exception(regs, hsr.len); return; } @@ -1551,7 +1596,7 @@ return; } - inject_undef32_exception(regs); + inject_undef_exception(regs, hsr.len); } static void do_cp(struct cpu_user_regs *regs, union hsr hsr) @@ -1562,7 +1607,7 @@ return; } - inject_undef32_exception(regs); + inject_undef_exception(regs, hsr.len); } #ifdef CONFIG_ARM_64 @@ -1637,7 +1682,8 @@ gdprintk(XENLOG_ERR, "unhandled 64-bit sysreg access %#x\n", hsr.bits & HSR_SYSREG_REGS_MASK); #endif - inject_undef64_exception(regs, sysreg.len); + inject_undef_exception(regs, sysreg.len); + return; } } @@ -1767,6 +1813,17 @@ { union hsr hsr = { .bits = READ_SYSREG32(ESR_EL2) }; + /* + * We currently do not handle 32-bit userspace on 64-bit kernels + * correctly (See XSA-102). Until that is resolved we treat any + * trap from 32-bit userspace on 64-bit kernel as undefined. + */ + if ( is_pv64_domain(current->domain) && psr_mode_is_32bit(regs->cpsr) ) + { + inject_undef_exception(regs, hsr.len); + return; + } + switch (hsr.ec) { case HSR_EC_WFI_WFE: if ( !check_conditional_instr(regs, hsr) ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/arch/x86/cpu/common.c new/xen-4.4.1-testing/xen/arch/x86/cpu/common.c --- old/xen-4.4.1-testing/xen/arch/x86/cpu/common.c 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/arch/x86/cpu/common.c 2014-09-02 16:44:07.000000000 +0200 @@ -234,6 +234,9 @@ paddr_bits = cpuid_eax(0x80000008) & 0xff; } + /* Might lift BIOS max_leaf=3 limit. */ + early_intel_workaround(c); + /* Intel-defined flags: level 0x00000007 */ if ( c->cpuid_level >= 0x00000007 ) { u32 dummy; @@ -241,8 +244,6 @@ c->x86_capability[X86_FEATURE_FSGSBASE / 32] = ebx; } - early_intel_workaround(c); - #ifdef CONFIG_X86_HT c->phys_proc_id = (cpuid_ebx(1) >> 24) & 0xff; #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/arch/x86/x86_emulate/x86_emulate.c new/xen-4.4.1-testing/xen/arch/x86/x86_emulate/x86_emulate.c --- old/xen-4.4.1-testing/xen/arch/x86/x86_emulate/x86_emulate.c 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/arch/x86/x86_emulate/x86_emulate.c 2014-09-02 16:44:07.000000000 +0200 @@ -720,29 +720,26 @@ put_fpu(&fic); \ } while (0) -static unsigned long __get_rep_prefix( - struct cpu_user_regs *int_regs, - struct cpu_user_regs *ext_regs, +static unsigned long _get_rep_prefix( + const struct cpu_user_regs *int_regs, int ad_bytes) { - unsigned long ecx = ((ad_bytes == 2) ? (uint16_t)int_regs->ecx : - (ad_bytes == 4) ? (uint32_t)int_regs->ecx : - int_regs->ecx); - - /* Skip the instruction if no repetitions are required. */ - if ( ecx == 0 ) - ext_regs->eip = int_regs->eip; - - return ecx; + return (ad_bytes == 2) ? (uint16_t)int_regs->ecx : + (ad_bytes == 4) ? (uint32_t)int_regs->ecx : + int_regs->ecx; } #define get_rep_prefix() ({ \ unsigned long max_reps = 1; \ if ( rep_prefix() ) \ - max_reps = __get_rep_prefix(&_regs, ctxt->regs, ad_bytes); \ + max_reps = _get_rep_prefix(&_regs, ad_bytes); \ if ( max_reps == 0 ) \ - goto done; \ - max_reps; \ + { \ + /* Skip the instruction if no repetitions are required. */ \ + dst.type = OP_NONE; \ + goto writeback; \ + } \ + max_reps; \ }) static void __put_rep_prefix( @@ -3921,7 +3918,8 @@ if ( !rc && (b & 1) && (ea.type == OP_MEM) ) rc = ops->write(ea.mem.seg, ea.mem.off, mmvalp, ea.bytes, ctxt); - goto done; + dst.type = OP_NONE; + break; } case 0x20: /* mov cr,reg */ @@ -4188,7 +4186,8 @@ if ( !rc && (b != 0x6f) && (ea.type == OP_MEM) ) rc = ops->write(ea.mem.seg, ea.mem.off, mmvalp, ea.bytes, ctxt); - goto done; + dst.type = OP_NONE; + break; } case 0x80 ... 0x8f: /* jcc (near) */ { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/common/lz4/decompress.c new/xen-4.4.1-testing/xen/common/lz4/decompress.c --- old/xen-4.4.1-testing/xen/common/lz4/decompress.c 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/common/lz4/decompress.c 2014-09-02 16:44:07.000000000 +0200 @@ -84,6 +84,8 @@ ip += length; break; /* EOF */ } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy; @@ -142,6 +144,8 @@ goto _output_error; continue; } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ } @@ -207,6 +211,8 @@ op += length; break;/* Necessarily EOF, due to parsing restrictions */ } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy); op = cpy; @@ -270,6 +276,8 @@ goto _output_error; continue; } + if (unlikely((unsigned long)cpy < (unsigned long)op)) + goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.4.1-testing/xen/include/asm-arm/processor.h new/xen-4.4.1-testing/xen/include/asm-arm/processor.h --- old/xen-4.4.1-testing/xen/include/asm-arm/processor.h 2014-08-07 18:29:51.000000000 +0200 +++ new/xen-4.4.1-testing/xen/include/asm-arm/processor.h 2014-09-02 16:44:07.000000000 +0200 @@ -432,14 +432,16 @@ #define VECTOR32_PABT 12 #define VECTOR32_DABT 16 /* ... ARM64 */ -#define VECTOR64_CURRENT_SP0_SYNC 0x000 -#define VECTOR64_CURRENT_SP0_IRQ 0x080 -#define VECTOR64_CURRENT_SP0_FIQ 0x100 -#define VECTOR64_CURRENT_SP0_ERROR 0x180 -#define VECTOR64_CURRENT_SPx_SYNC 0x200 -#define VECTOR64_CURRENT_SPx_IRQ 0x280 -#define VECTOR64_CURRENT_SPx_FIQ 0x300 -#define VECTOR64_CURRENT_SPx_ERROR 0x380 +#define VECTOR64_CURRENT_SP0_BASE 0x000 +#define VECTOR64_CURRENT_SPx_BASE 0x200 +#define VECTOR64_LOWER64_BASE 0x400 +#define VECTOR64_LOWER32_BASE 0x600 + +#define VECTOR64_SYNC_OFFSET 0x000 +#define VECTOR64_IRQ_OFFSET 0x080 +#define VECTOR64_FIQ_OFFSET 0x100 +#define VECTOR64_ERROR_OFFSET 0x180 + #if defined(CONFIG_ARM_32) # include <asm/arm32/processor.h> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit systemd for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package systemd for openSUSE:Factory checked in at 2014-09-06 12:17:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/systemd (Old) and /work/SRC/openSUSE:Factory/.systemd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "systemd" Changes: -------- --- /work/SRC/openSUSE:Factory/systemd/systemd-mini.changes 2014-09-03 21:12:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.systemd.new/systemd-mini.changes 2014-09-06 12:17:43.000000000 +0200 @@ -1,0 +2,7 @@ +Thu Sep 4 13:10:28 UTC 2014 - werner(a)suse.de + +- Disable patch + module-load-handle-SUSE-etc-sysconfig-kernel-module-list.patch + for SLES-12 as well as for openSUSE-13.2 (bnc#895087) + +------------------------------------------------------------------- systemd.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ systemd-mini.spec ++++++ --- /var/tmp/diff_new_pack.tkkG0l/_old 2014-09-06 12:17:48.000000000 +0200 +++ /var/tmp/diff_new_pack.tkkG0l/_new 2014-09-06 12:17:48.000000000 +0200 @@ -1206,7 +1206,9 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%if 0%{?suse_version} <= 1310 %patch8 -p1 +%endif %patch9 -p1 %patch12 -p1 %patch13 -p0 systemd.spec: same change -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit dracut for openSUSE:Factory
by root＠hilbert.suse.de 06 Sep '14

06 Sep '14

Hello community, here is the log from the commit of package dracut for openSUSE:Factory checked in at 2014-09-06 12:17:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dracut (Old) and /work/SRC/openSUSE:Factory/.dracut.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "dracut" Changes: -------- --- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2014-08-30 18:56:06.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dracut.new/dracut.changes 2014-09-06 12:17:36.000000000 +0200 @@ -1,0 +2,14 @@ +Thu Sep 4 12:59:27 UTC 2014 - trenn(a)suse.de + +- Network module may take quite a lot of initrd space. Do not add it + unconditionally (bnc#892851) +* Add 0153-Only-add-network-module-on-request-and-on-dependenci.patch +- S390x can do s2disk, allow resume module there + (bnc#889795) +* Add 0154-resume-Also-allow-this-module-on-S390-again-s2disk-c.patch +- Harden iscsi parameter checking. No bug report, but this problem + was found during multipath testing and happens with 2 or more + iscsi devices. +* Add 0155-iscsi-iscsi.initiator-and-others-can-and-must-only-s.patch + +------------------------------------------------------------------- New: ---- 0153-Only-add-network-module-on-request-and-on-dependenci.patch 0154-resume-Also-allow-this-module-on-S390-again-s2disk-c.patch 0155-iscsi-iscsi.initiator-and-others-can-and-must-only-s.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut.spec ++++++ --- /var/tmp/diff_new_pack.5FAiIE/_old 2014-09-06 12:17:38.000000000 +0200 +++ /var/tmp/diff_new_pack.5FAiIE/_new 2014-09-06 12:17:38.000000000 +0200 @@ -173,6 +173,9 @@ Patch150: 0150-Find-kernel-modules-in-extra-and-weak-updates-path-a.patch Patch151: 0151-Go-back-to-xz-again-pixz-may-use-too-much-memory-whi.patch Patch152: 0152-Add-a-comment-to-easily-add-debug-modules-also-add-v.patch +Patch153: 0153-Only-add-network-module-on-request-and-on-dependenci.patch +Patch154: 0154-resume-Also-allow-this-module-on-S390-again-s2disk-c.patch +Patch155: 0155-iscsi-iscsi.initiator-and-others-can-and-must-only-s.patch BuildRequires: asciidoc BuildRequires: bash @@ -368,6 +371,9 @@ %patch150 -p1 %patch151 -p1 %patch152 -p1 +%patch153 -p1 +%patch154 -p1 +%patch155 -p1 %build %configure\ ++++++ 0153-Only-add-network-module-on-request-and-on-dependenci.patch ++++++ >From 8692d504138fdae15a1f94702efe3948917781cf Mon Sep 17 00:00:00 2001 From: Thomas Renninger <trenn(a)suse.de> Date: Mon, 1 Sep 2014 12:31:26 +0200 Subject: Only add network module on request (and on dependencies) bnc#892851 Signed-off-by: Thomas Renninger <trenn(a)suse.de> --- modules.d/40network/module-setup.sh | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/modules.d/40network/module-setup.sh b/modules.d/40network/module-setup.sh index 8d74450..886866b 100755 --- a/modules.d/40network/module-setup.sh +++ b/modules.d/40network/module-setup.sh @@ -11,7 +11,7 @@ check() { require_binaries ip arping $WICKEDD_DHCP_PATH/wickedd-dhcp4 $WICKEDD_DHCP_PATH/wickedd-dhcp6 || return 1 - return 0 + return 255 } # called by dracut -- 1.7.6.1 ++++++ 0154-resume-Also-allow-this-module-on-S390-again-s2disk-c.patch ++++++ >From 30cb6e8070804878a060ffebd685d9a8579c696f Mon Sep 17 00:00:00 2001 From: Thomas Renninger <trenn(a)suse.de> Date: Wed, 3 Sep 2014 13:49:16 +0200 Subject: resume: Also allow this module on S390 again -> s2disk can work on s390(x) bnc#889795 Signed-off-by: Thomas Renninger <trenn(a)suse.de> --- modules.d/95resume/module-setup.sh | 4 ---- 1 files changed, 0 insertions(+), 4 deletions(-) diff --git a/modules.d/95resume/module-setup.sh b/modules.d/95resume/module-setup.sh index b1044ed..108e6ab 100755 --- a/modules.d/95resume/module-setup.sh +++ b/modules.d/95resume/module-setup.sh @@ -4,10 +4,6 @@ # called by dracut check() { - local _arch=$(uname -m) - # No suspend support on s390(x) - [ "$_arch" = "s390" -o "$_arch" = "s390x" ] && return 1 - # No point trying to support resume, if no swap partition exist [[ $hostonly ]] || [[ $mount_needs ]] && { for fs in "${host_fs_types[@]}"; do -- 1.7.6.1 ++++++ 0155-iscsi-iscsi.initiator-and-others-can-and-must-only-s.patch ++++++ >From 26a858af5977a41b21839ce8411024bfe3f63dea Mon Sep 17 00:00:00 2001 From: Thomas Renninger <trenn(a)suse.de> Date: Thu, 4 Sep 2014 13:36:18 +0200 Subject: iscsi: iscsi.initiator and others can and must only show up once Make sure duplicates of iscsi.initiator vanish. Only get one rd.iscsi.* paramter value. If getargs is used and several parameters are parsed, one gets two values separated by whitespace in a variable which breaks later code and is not suppported. Signed-off-by: Thomas Renninger <trenn(a)suse.de> --- modules.d/95iscsi/iscsiroot.sh | 18 +++++++++--------- modules.d/95iscsi/module-setup.sh | 5 ++++- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh index 1de6fb7..1c4be4e 100755 --- a/modules.d/95iscsi/iscsiroot.sh +++ b/modules.d/95iscsi/iscsiroot.sh @@ -83,23 +83,23 @@ handle_netroot() local p # override conf settings by command line options - arg=$(getargs rd.iscsi.initiator -d iscsi_initiator=) + arg=$(getarg rd.iscsi.initiator -d iscsi_initiator=) [ -n "$arg" ] && iscsi_initiator=$arg - arg=$(getargs rd.iscsi.target.name -d iscsi_target_name=) + arg=$(getarg rd.iscsi.target.name -d iscsi_target_name=) [ -n "$arg" ] && iscsi_target_name=$arg - arg=$(getargs rd.iscsi.target.ip -d iscsi_target_ip) + arg=$(getarg rd.iscsi.target.ip -d iscsi_target_ip) [ -n "$arg" ] && iscsi_target_ip=$arg - arg=$(getargs rd.iscsi.target.port -d iscsi_target_port=) + arg=$(getarg rd.iscsi.target.port -d iscsi_target_port=) [ -n "$arg" ] && iscsi_target_port=$arg - arg=$(getargs rd.iscsi.target.group -d iscsi_target_group=) + arg=$(getarg rd.iscsi.target.group -d iscsi_target_group=) [ -n "$arg" ] && iscsi_target_group=$arg - arg=$(getargs rd.iscsi.username -d iscsi_username=) + arg=$(getarg rd.iscsi.username -d iscsi_username=) [ -n "$arg" ] && iscsi_username=$arg - arg=$(getargs rd.iscsi.password -d iscsi_password) + arg=$(getarg rd.iscsi.password -d iscsi_password) [ -n "$arg" ] && iscsi_password=$arg - arg=$(getargs rd.iscsi.in.username -d iscsi_in_username=) + arg=$(getarg rd.iscsi.in.username -d iscsi_in_username=) [ -n "$arg" ] && iscsi_in_username=$arg - arg=$(getargs rd.iscsi.in.password -d iscsi_in_password=) + arg=$(getarg rd.iscsi.in.password -d iscsi_in_password=) [ -n "$arg" ] && iscsi_in_password=$arg for p in $(getargs rd.iscsi.param -d iscsi_param); do iscsi_param="$iscsi_param --param $p" diff --git a/modules.d/95iscsi/module-setup.sh b/modules.d/95iscsi/module-setup.sh index 9772210..4784ea3 100755 --- a/modules.d/95iscsi/module-setup.sh +++ b/modules.d/95iscsi/module-setup.sh @@ -99,7 +99,10 @@ install_iscsiroot() { iscsi_address="[$iscsi_address]" ;; esac - echo "rd.iscsi.initiator=${iscsi_initiator} netroot=iscsi:${iscsi_address}::${iscsi_port}:${iscsi_lun}:${iscsi_targetname}" + # Must be two separate lines, so that "sort | uniq" commands later + # can sort out rd.iscsi.initiator= duplicates + echo "rd.iscsi.initiator=${iscsi_initiator}" + echo "netroot=iscsi:${iscsi_address}::${iscsi_port}:${iscsi_lun}:${iscsi_targetname}" fi return 0 } -- 1.7.6.1 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit uhd for openSUSE:Factory
by root＠hilbert.suse.de 05 Sep '14

05 Sep '14

Hello community, here is the log from the commit of package uhd for openSUSE:Factory checked in at 2014-09-05 13:00:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/uhd (Old) and /work/SRC/openSUSE:Factory/.uhd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "uhd" Changes: -------- --- /work/SRC/openSUSE:Factory/uhd/uhd.changes 2014-08-27 07:46:23.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.uhd.new/uhd.changes 2014-09-05 13:00:17.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Sep 1 22:22:58 UTC 2014 - wk(a)ire.pw.edu.pl + +- Update to version 3.7.2 + * bugfix release + +------------------------------------------------------------------- Old: ---- uhd-images_003.007.000-release.tar.gz uhd-source_003.007.000-1-stable.tar.gz New: ---- uhd-images_003.007.002-release.tar.gz uhd-source_003.007.002-release.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uhd.spec ++++++ --- /var/tmp/diff_new_pack.wAExMT/_old 2014-09-05 13:00:19.000000000 +0200 +++ /var/tmp/diff_new_pack.wAExMT/_new 2014-09-05 13:00:19.000000000 +0200 @@ -18,14 +18,14 @@ Name: uhd %define libname libuhd003 -Version: 3.7.0 -%define src_ver 003.007.000 +Version: 3.7.2 Release: 0 +%define src_ver 003.007.002 Summary: The driver for USRP SDR boards License: GPL-3.0+ Group: Hardware/Other Url: http://ettus-apps.sourcerepo.com/redmine/ettus/projects/uhd/wiki -Source0: http://files.ettus.com/binaries/uhd_stable/uhd_%{src_ver}-release/uhd-sourc… +Source0: http://files.ettus.com/binaries/uhd_stable/uhd_%{src_ver}-release/uhd-sourc… Source1: http://files.ettus.com/binaries/uhd_stable/uhd_%{src_ver}-release/uhd-image… BuildRequires: boost-devel >= 1.36 BuildRequires: cmake >= 2.6 @@ -35,11 +35,11 @@ BuildRequires: gcc-c++ BuildRequires: orc BuildRequires: pkg-config -BuildRequires: pkgconfig(libusb-1.0) -BuildRequires: pkgconfig(libxml-2.0) BuildRequires: python-cheetah >= 2.0.0 BuildRequires: python-devel >= 2.6 BuildRequires: udev +BuildRequires: pkgconfig(libusb-1.0) +BuildRequires: pkgconfig(libxml-2.0) Requires: udev BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -106,7 +106,7 @@ This package contains binary firmware images for the Universal Hardware Driver (UHD). %prep -%setup -q -n uhd-source_%{src_ver}-1-stable +%setup -q -n uhd-source_%{src_ver}-release # remove buildtime from documentation echo "HTML_TIMESTAMP = NO" >> docs/Doxyfile.in ++++++ uhd-images_003.007.000-release.tar.gz -> uhd-images_003.007.002-release.tar.gz ++++++ /work/SRC/openSUSE:Factory/uhd/uhd-images_003.007.000-release.tar.gz /work/SRC/openSUSE:Factory/.uhd.new/uhd-images_003.007.002-release.tar.gz differ: char 5, line 1 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit ThePEG for openSUSE:Factory
by root＠hilbert.suse.de 05 Sep '14

05 Sep '14

Hello community, here is the log from the commit of package ThePEG for openSUSE:Factory checked in at 2014-09-05 13:00:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ThePEG (Old) and /work/SRC/openSUSE:Factory/.ThePEG.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ThePEG" Changes: -------- --- /work/SRC/openSUSE:Factory/ThePEG/ThePEG.changes 2014-05-06 14:03:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ThePEG.new/ThePEG.changes 2014-09-05 13:00:13.000000000 +0200 @@ -1,0 +2,12 @@ +Thu Sep 4 23:20:29 UTC 2014 - badshah400(a)gmail.com + +- Update to version 1.9.2: + + Better support for LHAPDF 6; now determines if version 6 is + available and makes use of new LHAPDFv6 features +- Changes from version 1.9.1: + + Build fix for SLC6 + + Build fix for Rivet 2.1.1: adapted to Rivet 2.1.1 changed + header file layout +- Use macro instead of hard-coding version in file-list. + +------------------------------------------------------------------- Old: ---- ThePEG-1.9.0.tar.bz2 New: ---- ThePEG-1.9.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ThePEG.spec ++++++ --- /var/tmp/diff_new_pack.hMLLgZ/_old 2014-09-05 13:00:14.000000000 +0200 +++ /var/tmp/diff_new_pack.hMLLgZ/_new 2014-09-05 13:00:14.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package ThePEG # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define so_version 18 Name: ThePEG -Version: 1.9.0 +Version: 1.9.2 Release: 0 Summary: Toolkit providing a common platform for event generators in C++ License: GPL-2.0 @@ -104,10 +104,10 @@ %{_libdir}/%{name}/*.so %{_libdir}/%{name}/Makefile %{_libdir}/%{name}/Makefile.common -%{_libdir}/%{name}/ThePEGDefaults-1.9.0.rpo +%{_libdir}/%{name}/ThePEGDefaults-%{version}.rpo %{_libdir}/%{name}/ThePEGDefaults.rpo -%{_libdir}/%{name}/runThePEG-1.9.0 -%{_libdir}/%{name}/setupThePEG-1.9.0 +%{_libdir}/%{name}/runThePEG-%{version} +%{_libdir}/%{name}/setupThePEG-%{version} %{_datadir}/%{name}/ %changelog ++++++ ThePEG-1.9.0.tar.bz2 -> ThePEG-1.9.2.tar.bz2 ++++++ ++++ 24778 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit autoyast2 for openSUSE:Factory
by root＠hilbert.suse.de 05 Sep '14

05 Sep '14

Hello community, here is the log from the commit of package autoyast2 for openSUSE:Factory checked in at 2014-09-05 13:00:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/autoyast2 (Old) and /work/SRC/openSUSE:Factory/.autoyast2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "autoyast2" Changes: -------- --- /work/SRC/openSUSE:Factory/autoyast2/autoyast2.changes 2014-08-30 16:03:45.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.autoyast2.new/autoyast2.changes 2014-09-05 13:00:09.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Sep 2 12:08:53 CEST 2014 - fehr(a)suse.de + +- Fix failure to import report settings from profile introduced with + fix for bnc#887397 and bnc#893744 +- 3.1.58 + +------------------------------------------------------------------- Old: ---- autoyast2-3.1.57.tar.bz2 New: ---- autoyast2-3.1.58.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ autoyast2.spec ++++++ --- /var/tmp/diff_new_pack.EPWXja/_old 2014-09-05 13:00:10.000000000 +0200 +++ /var/tmp/diff_new_pack.EPWXja/_new 2014-09-05 13:00:10.000000000 +0200 @@ -17,7 +17,7 @@ Name: autoyast2 -Version: 3.1.57 +Version: 3.1.58 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ autoyast2-3.1.57.tar.bz2 -> autoyast2-3.1.58.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/package/autoyast2.changes new/autoyast2-3.1.58/package/autoyast2.changes --- old/autoyast2-3.1.57/package/autoyast2.changes 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/package/autoyast2.changes 2014-09-03 18:10:08.000000000 +0200 @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Tue Sep 2 12:08:53 CEST 2014 - fehr(a)suse.de + +- Fix failure to import report settings from profile introduced with + fix for bnc#887397 and bnc#893744 +- 3.1.58 + +------------------------------------------------------------------- Mon Aug 25 08:59:22 CEST 2014 - schubi(a)suse.de - Making "second_stage" public in order to switch off second stage diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/package/autoyast2.spec new/autoyast2-3.1.58/package/autoyast2.spec --- old/autoyast2-3.1.57/package/autoyast2.spec 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/package/autoyast2.spec 2014-09-03 18:10:08.000000000 +0200 @@ -17,7 +17,7 @@ Name: autoyast2 -Version: 3.1.57 +Version: 3.1.58 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/src/clients/inst_autoinit.rb new/autoyast2-3.1.58/src/clients/inst_autoinit.rb --- old/autoyast2-3.1.57/src/clients/inst_autoinit.rb 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/src/clients/inst_autoinit.rb 2014-09-03 18:10:08.000000000 +0200 @@ -206,8 +206,8 @@ # (bnc#887397) report = Report.Export # getting all values report["yesno_messages"] = report.fetch("errors",{}) - Report.Import(report) # setting all values end + Report.Import(report) # setting all values AutoinstGeneral.Import(Profile.current.fetch("general",{})) AutoinstGeneral.SetSignatureHandling AutoinstGeneral.SetMultipathing diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_lvm_sles11_sda_disklvm.xml new/autoyast2-3.1.58/test_xml/fehr_lvm_sles11_sda_disklvm.xml --- old/autoyast2-3.1.57/test_xml/fehr_lvm_sles11_sda_disklvm.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/autoyast2-3.1.58/test_xml/fehr_lvm_sles11_sda_disklvm.xml 2014-09-03 18:10:08.000000000 +0200 @@ -0,0 +1,122 @@ +<?xml version="1.0"?> +<!DOCTYPE profile SYSTEM "/usr/share/autoinstall/dtd/profile.dtd"> +<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> + + + <configure> + <sound> + <autoinstall config:type="boolean">true</autoinstall> + <configure_detected config:type="boolean">true</configure_detected> + </sound> + <networking> + <dns> + <dhcp_hostname config:type="boolean">true</dhcp_hostname> + <dhcp_resolv config:type="boolean">true</dhcp_resolv> + </dns> + <interfaces config:type="list"> + <interface> + <bootproto>dhcp</bootproto> + <device>eth0</device> + <name>Ethernet Network Card</name> + <startmode>auto</startmode> + <usercontrol>no</usercontrol> + </interface> + </interfaces> + <modules config:type="list"> + <module_entry> + <device>static-0</device> + <module></module> + <options></options> + </module_entry> + </modules> + <routing> + <ip_forward config:type="boolean">false</ip_forward> + </routing> + </networking> + </configure> + <install> + <software> + + </software> + <users config:type="list"> + <user> + <encrypted config:type="boolean">true</encrypted> + <user_password>pw</user_password> + <username>root</username> + </user> + </users> + <scripts> + <postpartitioning-scripts config:type="list"> + <script> + <filename>disks_into_lvm</filename> + <interpreter>shell</interpreter> + <source><![CDATA[ +set +x +DISKS=`ls -d /sys/block/sd* | sed -e 1d -e s:/sys/block/::` +for d in $DISKS +do + # nuke possibly exising partitions on disk + parted -s /dev/$d mklabel msdos + # make disk into a LVM PV + pvcreate -ff /dev/$d + # extend VG with the LVM PV + vgextend system /dev/$d +done +]]></source> + </script> + </postpartitioning-scripts> + </scripts> + <partitioning config:type="list"> + <drive> + <device>/dev/sda</device> + <partitions config:type="list"> + <partition> + <format config:type="boolean">true</format> + <size>300M</size> + <filesystem config:type="symbol">ext3</filesystem> + <mount>/boot</mount> + </partition> + <partition> + <create config:type="boolean">true</create> + <partition_id config:type="integer">142</partition_id> + <lvm_group>system</lvm_group> + <size>max</size> + </partition> + </partitions> + <use>all</use> + </drive> + <drive> + <device>/dev/system</device> + <initialize config:type="boolean">true</initialize> + <is_lvm_vg config:type="boolean">true</is_lvm_vg> + <type config:type="symbol">CT_LVM</type> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <format config:type="boolean">true</format> + <filesystem config:type="symbol">ext3</filesystem> + <lv_name>root_lv</lv_name> + <mount>/</mount> + <size>3G</size> + </partition> + <partition> + <filesystem config:type="symbol">ext3</filesystem> + <lv_name>xxx_lv</lv_name> + <mount>/xxxx</mount> + <size>200M</size> + </partition> + <partition> + <filesystem config:type="symbol">swap</filesystem> + <lv_name>swap_lv</lv_name> + <mount>swap</mount> + <size>auto</size> + </partition> + </partitions> + <pesize>4M</pesize> + <use>all</use> + </drive> + </partitioning> + </install> +</profile> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_lvm_sles12_sdb_full_sdcd.xml new/autoyast2-3.1.58/test_xml/fehr_lvm_sles12_sdb_full_sdcd.xml --- old/autoyast2-3.1.57/test_xml/fehr_lvm_sles12_sdb_full_sdcd.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/autoyast2-3.1.58/test_xml/fehr_lvm_sles12_sdb_full_sdcd.xml 2014-09-03 18:10:08.000000000 +0200 @@ -0,0 +1,260 @@ +<?xml version="1.0"?> +<!DOCTYPE profile SYSTEM "/usr/share/autoinstall/dtd/profile.dtd"> +<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> +<configure> + + <bootloader> + <loader_type>grub2</loader_type> + </bootloader> + <firewall> + <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> + <FW_ALLOW_FW_BROADCAST_DMZ>no</FW_ALLOW_FW_BROADCAST_DMZ> + <FW_ALLOW_FW_BROADCAST_EXT>no</FW_ALLOW_FW_BROADCAST_EXT> + <FW_ALLOW_FW_BROADCAST_INT>no</FW_ALLOW_FW_BROADCAST_INT> + <FW_CONFIGURATIONS_DMZ>sshd</FW_CONFIGURATIONS_DMZ> + <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> + <FW_CONFIGURATIONS_INT>sshd</FW_CONFIGURATIONS_INT> + <FW_DEV_EXT>eth0</FW_DEV_EXT> + <FW_IGNORE_FW_BROADCAST_DMZ>no</FW_IGNORE_FW_BROADCAST_DMZ> + <FW_IGNORE_FW_BROADCAST_EXT>yes</FW_IGNORE_FW_BROADCAST_EXT> + <FW_IGNORE_FW_BROADCAST_INT>no</FW_IGNORE_FW_BROADCAST_INT> + <FW_IPSEC_TRUST>no</FW_IPSEC_TRUST> + <FW_LOAD_MODULES>nf_conntrack_netbios_ns</FW_LOAD_MODULES> + <FW_LOG_ACCEPT_ALL>no</FW_LOG_ACCEPT_ALL> + <FW_LOG_ACCEPT_CRIT>yes</FW_LOG_ACCEPT_CRIT> + <FW_LOG_DROP_ALL>no</FW_LOG_DROP_ALL> + <FW_LOG_DROP_CRIT>yes</FW_LOG_DROP_CRIT> + <FW_MASQUERADE>no</FW_MASQUERADE> + <FW_PROTECT_FROM_INT>no</FW_PROTECT_FROM_INT> + <FW_ROUTE>no</FW_ROUTE> + <enable_firewall config:type="boolean">false</enable_firewall> + <start_firewall config:type="boolean">false</start_firewall> + </firewall> + <general> + <signature-handling> + <accept_unsigned_file config:type="boolean">true</accept_unsigned_file> + <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum> + <accept_verification_failed config:type="boolean">true</accept_verification_failed> + <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key> + <import_gpg_key config:type="boolean">true</import_gpg_key> + </signature-handling> + <mode> + <confirm config:type="boolean">true</confirm> + <final_reboot config:type="boolean">false</final_reboot> + <max_systemd_wait config:type="integer">345</max_systemd_wait> + </mode> + <storage> + <start_multipath config:type="boolean">false</start_multipath> + </storage> + </general> + <networking> + <keep_install_network config:type="boolean">true</keep_install_network> + </networking> + <report> + <errors> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </errors> + <messages> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </messages> + <warnings> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </warnings> + <yesno_messages> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </yesno_messages> + </report> + <runlevel> + <default>5</default> + <services config:type="list" > + <service> + <service_name>sshd</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>rpcbind</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>autofs</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>nfs</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>cups</service_name> + <service_status>disable</service_status> + </service> + <service> + <service_name>SuSEfirewall2</service_name> + <service_status>disable</service_status> + </service> + </services> + </runlevel> + <sound> + <autoinstall config:type="boolean">true</autoinstall> + <configure_detected config:type="boolean">true</configure_detected> + </sound> + <scripts> + </scripts> + <timezone> + <hwclock>UTC</hwclock> + <timezone>Europe/Berlin</timezone> + </timezone> +</configure> +<install> + <partitioning config:type="list"> + <drive> + <device>/dev/sdb</device> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <fstopt>acl,user_xattr</fstopt> + <mount>/boot</mount> + <partition_nr config:type="integer">1</partition_nr> + <size>187858432</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext4</filesystem> + <lvm_group>system</lvm_group> + <partition_id config:type="integer">142</partition_id> + <partition_nr config:type="integer">2</partition_nr> + <size>max</size> + </partition> + </partitions> + <pesize/> + <type config:type="symbol">CT_DISK</type> + <use>all</use> + </drive> + <drive> + <device>/dev/sdc</device> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">false</create> + <lvm_group>system</lvm_group> + <partition_nr config:type="integer">0</partition_nr> + <size>max</size> + </partition> + </partitions> + <pesize/> + <type config:type="symbol">CT_DISK</type> + <use>all</use> + </drive> + <drive> + <device>/dev/sdd</device> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">false</create> + <lvm_group>system</lvm_group> + <partition_nr config:type="integer">0</partition_nr> + <size>max</size> + </partition> + </partitions> + <pesize/> + <type config:type="symbol">CT_DISK</type> + <use>all</use> + </drive> + <drive> + <device>/dev/system</device> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext4</filesystem> + <format config:type="boolean">true</format> + <fstopt>acl,user_xattr</fstopt> + <lv_name>home</lv_name> + <mount>/home</mount> + <size>2147483648</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext4</filesystem> + <format config:type="boolean">true</format> + <fstopt>acl,user_xattr</fstopt> + <lv_name>root</lv_name> + <mount>/</mount> + <size>4294967296</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">swap</filesystem> + <format config:type="boolean">true</format> + <fstopt>defaults</fstopt> + <lv_name>swap</lv_name> + <mount>swap</mount> + <size>1073741824</size> + </partition> + </partitions> + <pesize>4M</pesize> + <type config:type="symbol">CT_LVM</type> + <use>all</use> + </drive> + </partitioning> + <software> + <image/> + <instsource/> + <packages config:type="list"> + <package>autoyast2</package> + <package>autoyast2-installation</package> + <package>kexec-tools</package> + <package>libXmu6</package> + <package>libnl-1_1</package> + <package>libxslt-tools</package> + <package>libxslt1</package> + <package>yast2-schema</package> + <package>yast2-trans-en_US</package> + </packages> + <patterns config:type="list"> + </patterns> + </software> + <users config:type="list"> + <user> + <encrypted config:type="boolean">true</encrypted> + <fullname>root</fullname> + <gid>0</gid> + <home>/root</home> + <password_settings> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/bin/bash</shell> + <uid>0</uid> + <user_password>pw</user_password> + <username>root</username> + </user> + </users> +</install> +</profile> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_sdb.xml new/autoyast2-3.1.58/test_xml/fehr_sdb.xml --- old/autoyast2-3.1.57/test_xml/fehr_sdb.xml 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/test_xml/fehr_sdb.xml 2014-09-03 18:10:08.000000000 +0200 @@ -122,12 +122,14 @@ </sound> <scripts> </scripts> + <timezone> <hwclock>UTC</hwclock> <timezone>Europe/Berlin</timezone> @@ -138,6 +140,7 @@ <drive> <device>/dev/sdb</device> <initialize config:type="boolean">true</initialize> + <disklabel>msdos</disklabel>  diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_sdb_lvm_ask.xml new/autoyast2-3.1.58/test_xml/fehr_sdb_lvm_ask.xml --- old/autoyast2-3.1.57/test_xml/fehr_sdb_lvm_ask.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/autoyast2-3.1.58/test_xml/fehr_sdb_lvm_ask.xml 2014-09-03 18:10:08.000000000 +0200 @@ -0,0 +1,331 @@ +<?xml version="1.0"?> +<!DOCTYPE profile SYSTEM "/usr/share/autoinstall/dtd/profile.dtd"> +<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> +<configure> + <bootloader> + <global> + <generic_mbr>true</generic_mbr> + <timeout config:type="integer">8</timeout> + <gfxmenu>/boot/menu</gfxmenu> + </global> + </bootloader> + <firewall> + <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> + <FW_ALLOW_FW_BROADCAST_DMZ>no</FW_ALLOW_FW_BROADCAST_DMZ> + <FW_ALLOW_FW_BROADCAST_EXT>no</FW_ALLOW_FW_BROADCAST_EXT> + <FW_ALLOW_FW_BROADCAST_INT>no</FW_ALLOW_FW_BROADCAST_INT> + <FW_CONFIGURATIONS_DMZ>sshd</FW_CONFIGURATIONS_DMZ> + <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> + <FW_CONFIGURATIONS_INT>sshd</FW_CONFIGURATIONS_INT> + <FW_DEV_EXT>eth0</FW_DEV_EXT> + <FW_IGNORE_FW_BROADCAST_DMZ>no</FW_IGNORE_FW_BROADCAST_DMZ> + <FW_IGNORE_FW_BROADCAST_EXT>yes</FW_IGNORE_FW_BROADCAST_EXT> + <FW_IGNORE_FW_BROADCAST_INT>no</FW_IGNORE_FW_BROADCAST_INT> + <FW_IPSEC_TRUST>no</FW_IPSEC_TRUST> + <FW_LOAD_MODULES>nf_conntrack_netbios_ns</FW_LOAD_MODULES> + <FW_LOG_ACCEPT_ALL>no</FW_LOG_ACCEPT_ALL> + <FW_LOG_ACCEPT_CRIT>yes</FW_LOG_ACCEPT_CRIT> + <FW_LOG_DROP_ALL>no</FW_LOG_DROP_ALL> + <FW_LOG_DROP_CRIT>yes</FW_LOG_DROP_CRIT> + <FW_MASQUERADE>no</FW_MASQUERADE> + <FW_PROTECT_FROM_INT>no</FW_PROTECT_FROM_INT> + <FW_ROUTE>no</FW_ROUTE> + <enable_firewall config:type="boolean">false</enable_firewall> + <start_firewall config:type="boolean">false</start_firewall> + </firewall> + <general> + <signature-handling> + <accept_unsigned_file config:type="boolean">true</accept_unsigned_file> + <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum> + <accept_verification_failed config:type="boolean">true</accept_verification_failed> + <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key> + </signature-handling> + <mode> + <confirm config:type="boolean">true</confirm> + <final_reboot config:type="boolean">false</final_reboot> + </mode> + <ask-list config:type="list"> + <ask> + <dialog config:type="integer">0</dialog> + <element config:type="integer">0</element> + <title>VG name</title> + <question>Enter name of Volume group</question> + <stage>initial</stage> + <help>put some blabla here</help> + <password config:type="boolean">false</password> + <script> + <environment config:type="boolean">true</environment> + <source><![CDATA[ +sed -e s/VG_PLACEHOLDER/$VAL/ -e s/ask-list/disabled/ </tmp/profile/autoinst.xml >/tmp/profile/modified.xml +]]> + </source> + </script> + </ask> + + </ask-list> + </general> + <networking> + + <interfaces config:type="list"> + <interface> + <bootproto>dhcp</bootproto> + <device>eth-id-08:00:27:3d:0c:1d</device> + <startmode>onboot</startmode> + </interface> + </interfaces> + <managed config:type="boolean">false</managed> + <routing> + <ip_forward config:type="boolean">false</ip_forward> + <routes config:type="list"> + <route> + <destination>default</destination> + <device>-</device> + <gateway>10.120.255.254</gateway> + <netmask>-</netmask> + </route> + </routes> + </routing> + </networking> + <report> + <errors> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </errors> + <messages> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </messages> + <warnings> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </warnings> + <yesno_messages> + <log config:type="boolean">true</log> + <show config:type="boolean">true</show> + <timeout config:type="integer">10</timeout> + </yesno_messages> + </report> + <runlevel> + <default>5</default> + <services config:type="list" > + <service> + <service_name>sshd</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>rpcbind</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>autofs</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>nfs</service_name> + <service_start>3 5</service_start> + </service> + <service> + <service_name>cups</service_name> + <service_status>disable</service_status> + </service> + <service> + <service_name>SuSEfirewall2</service_name> + <service_status>disable</service_status> + </service> + </services> + </runlevel> + <sound> + <autoinstall config:type="boolean">true</autoinstall> + <configure_detected config:type="boolean">true</configure_detected> + </sound> + + <timezone> + <hwclock>UTC</hwclock> + <timezone>Europe/Berlin</timezone> + </timezone> +</configure> +<install> + <partitioning config:type="list"> + <drive> + <device>/dev/sdb</device> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <mount>/boot</mount> + <size>256M</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <lvm_group>VG_PLACEHOLDER</lvm_group> + <size>max</size> + </partition> + </partitions> + <type config:type="symbol">CT_DISK</type> + <use>all</use> + </drive> + <drive> + <device>/dev/VG_PLACEHOLDER</device> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">swap</filesystem> + <format config:type="boolean">true</format> + <lv_name>swapvol</lv_name> + <mount>swap</mount> + <mountby config:type="symbol">device</mountby> + <size>auto</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <lv_name>rootvol</lv_name> + <mount>/</mount> + <mountby config:type="symbol">device</mountby> + <size>4G</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <lv_name>usrvol</lv_name> + <mount>/usr</mount> + <size>2G</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <lv_name>tmpvol</lv_name> + <mount>/tmp</mount> + <mountby config:type="symbol">device</mountby> + <size>500M</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <lv_name>homevol</lv_name> + <mount>/psa/home</mount> + <mountby config:type="symbol">device</mountby> + <size>128M</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <filesystem config:type="symbol">ext3</filesystem> + <format config:type="boolean">true</format> + <lv_name>optvol</lv_name> + <mount>/opt</mount> + <mountby config:type="symbol">device</mountby> + <size>130M</size> + </partition> + </partitions> + <type config:type="symbol">CT_LVM</type> + <use>all</use> + </drive> + </partitioning> + <software> + <image/> + <instsource/> + <packages config:type="list"> + <package>less</package> + <package>yast2-trans-en_US</package> + </packages> + <patterns config:type="list"> + <pattern>Minimal</pattern> + <pattern>base</pattern> + </patterns> + </software> + <users config:type="list"> + <user> + <user_password>pw</user_password> + <username>root</username> + </user> + </users> +</install> +</profile> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_sdb_sle12.xml new/autoyast2-3.1.58/test_xml/fehr_sdb_sle12.xml --- old/autoyast2-3.1.57/test_xml/fehr_sdb_sle12.xml 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/test_xml/fehr_sdb_sle12.xml 2014-09-03 18:10:08.000000000 +0200 @@ -132,8 +132,11 @@ <install> <partitioning config:type="list"> <drive> + <initialize config:type="boolean">true</initialize> + <disklabel>msdos</disklabel>  @@ -150,9 +153,19 @@ <partition> <mount>/</mount> <size>max</size> - <filesystem config:type="symbol">ext4</filesystem> <format config:type="boolean">true</format> - </partition> + <filesystem config:type="symbol">ext4</filesystem> + + </partition>  </partitions> + </drive> </partitioning> <software> @@ -179,7 +195,7 @@ </software> <users config:type="list"> <user> - <user_password>rootpw</user_password> + <user_password>pw</user_password> <username>root</username> </user> </users> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/fehr_test.xml new/autoyast2-3.1.58/test_xml/fehr_test.xml --- old/autoyast2-3.1.57/test_xml/fehr_test.xml 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/test_xml/fehr_test.xml 2014-09-03 18:10:08.000000000 +0200 @@ -48,12 +48,15 @@ <confirm config:type="boolean">true</confirm> </mode> </general> + <sound> <autoinstall config:type="boolean">true</autoinstall> <configure_detected config:type="boolean">true</configure_detected> @@ -99,56 +102,96 @@ <username>root</username> </user> </users> - <partitioning config:type="list"> + <partitioning config:type="list"> + <drive> + <device>/dev/lsys</device> + <disklabel>msdos</disklabel> + <enable_snapshots config:type="boolean">true</enable_snapshots> + <initialize config:type="boolean">true</initialize> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <crypt_fs config:type="boolean">false</crypt_fs> + <filesystem config:type="symbol">xfs</filesystem> + <format config:type="boolean">true</format> + <loop_fs config:type="boolean">false</loop_fs> + <lv_name>lvall</lv_name> + <mount>/media/lvall</mount> + <mountby config:type="symbol">device</mountby> + <partition_nr config:type="integer">1</partition_nr> + <resize config:type="boolean">false</resize> + <size>max</size> + </partition> + </partitions> + <pesize>4M</pesize> + <type config:type="symbol">CT_LVM</type> + <use>all</use> + </drive> <drive> <device>/dev/sdb</device> + <disklabel>gpt</disklabel> + <enable_snapshots config:type="boolean">true</enable_snapshots> <initialize config:type="boolean">true</initialize> - <disklabel>msdos</disklabel> - <partitions config:type="list"> - <partition> - <mount>swap</mount> - <size>3727M</size> - <filesystem>swap</filesystem> - <format config:type="boolean">true</format> - </partition> - <partition> - <mount>/</mount> - <size>max</size> - <filesystem config:type="symbol">btrfs</filesystem> - <format config:type="boolean">true</format> - <subvolumes config:type="list"> - <path>var/tmp</path> - <path>var/log</path> - <path>var/spool</path> - <path>tmp</path> - <path>opt</path> - <path>srv</path> - <path>xyz_abcd</path> - </subvolumes> - </partition> - <partition> - <mount>/boot</mount> - <size>500M</size> - <filesystem>ext3</filesystem> - <format config:type="boolean">true</format> - <filesystem config:type="symbol">ext3</filesystem> - </partition> - <partition> - <mount>/emil</mount> - <size>1000M</size> - <filesystem>ext3</filesystem> - <format config:type="boolean">true</format> - <filesystem config:type="symbol">ext3</filesystem> - </partition> - <partition> - <mount>/fritz</mount> - <size>1500M</size> - <filesystem>ext3</filesystem> - <format config:type="boolean">true</format> - <filesystem config:type="symbol">ext3</filesystem> - </partition> - </partitions> - </drive> - </partitioning> + <partitions config:type="list"> + <partition> + <create config:type="boolean">true</create> + <crypt_fs config:type="boolean">false</crypt_fs> + <filesystem config:type="symbol">vfat</filesystem> + <format config:type="boolean">true</format> + <fstopt>umask=0002,utf8=true</fstopt> + <loop_fs config:type="boolean">false</loop_fs> + <mount>/boot/efi</mount> + <mountby config:type="symbol">uuid</mountby> + <partition_id config:type="integer">259</partition_id> + <partition_nr config:type="integer">1</partition_nr> + <resize config:type="boolean">false</resize> + <size>476216832</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <crypt_fs config:type="boolean">false</crypt_fs> + <filesystem config:type="symbol">swap</filesystem> + <format config:type="boolean">true</format> + <loop_fs config:type="boolean">false</loop_fs> + <mount>swap</mount> + <mountby config:type="symbol">uuid</mountby> + <partition_id config:type="integer">130</partition_id> + <partition_nr config:type="integer">2</partition_nr> + <resize config:type="boolean">false</resize> + <size>17173741056</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <crypt_fs config:type="boolean">false</crypt_fs> + <filesystem config:type="symbol">ext4</filesystem> + <format config:type="boolean">true</format> + <fstopt>acl,user_xattr</fstopt> + <loop_fs config:type="boolean">false</loop_fs> + <mount>/</mount> + <mountby config:type="symbol">uuid</mountby> + <partition_id config:type="integer">131</partition_id> + <partition_nr config:type="integer">3</partition_nr> + <resize config:type="boolean">false</resize> + <size>42949672960</size> + </partition> + <partition> + <create config:type="boolean">true</create> + <crypt_fs config:type="boolean">false</crypt_fs> + <filesystem config:type="symbol">btrfs</filesystem> + <format config:type="boolean">false</format> + <loop_fs config:type="boolean">false</loop_fs> + <lvm_group>lsys</lvm_group> + <mountby config:type="symbol">device</mountby> + <partition_id config:type="integer">142</partition_id> + <partition_nr config:type="integer">4</partition_nr> + <resize config:type="boolean">false</resize> + <size>max</size> + </partition> + </partitions> + <pesize/> + <type config:type="symbol">CT_DISK</type> + <use>all</use> + </drive> + </partitioning> </install> </profile> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/autoyast2-3.1.57/test_xml/ft_tmp.xml new/autoyast2-3.1.58/test_xml/ft_tmp.xml --- old/autoyast2-3.1.57/test_xml/ft_tmp.xml 2014-08-25 10:40:16.000000000 +0200 +++ new/autoyast2-3.1.58/test_xml/ft_tmp.xml 1970-01-01 01:00:00.000000000 +0100 @@ -1,187 +0,0 @@ -<?xml version="1.0"?> -<!DOCTYPE profile SYSTEM "/usr/share/autoinstall/dtd/profile.dtd"> -<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> -<configure> - <bootloader> - <global> - <generic_mbr>true</generic_mbr> - <timeout config:type="integer">8</timeout> - <gfxmenu>/boot/menu</gfxmenu> - </global> - </bootloader> - <firewall> - <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> - <FW_ALLOW_FW_BROADCAST_DMZ>no</FW_ALLOW_FW_BROADCAST_DMZ> - <FW_ALLOW_FW_BROADCAST_EXT>no</FW_ALLOW_FW_BROADCAST_EXT> - <FW_ALLOW_FW_BROADCAST_INT>no</FW_ALLOW_FW_BROADCAST_INT> - <FW_CONFIGURATIONS_DMZ>sshd</FW_CONFIGURATIONS_DMZ> - <FW_CONFIGURATIONS_EXT>sshd</FW_CONFIGURATIONS_EXT> - <FW_CONFIGURATIONS_INT>sshd</FW_CONFIGURATIONS_INT> - <FW_DEV_EXT>eth0</FW_DEV_EXT> - <FW_IGNORE_FW_BROADCAST_DMZ>no</FW_IGNORE_FW_BROADCAST_DMZ> - <FW_IGNORE_FW_BROADCAST_EXT>yes</FW_IGNORE_FW_BROADCAST_EXT> - <FW_IGNORE_FW_BROADCAST_INT>no</FW_IGNORE_FW_BROADCAST_INT> - <FW_IPSEC_TRUST>no</FW_IPSEC_TRUST> - <FW_LOAD_MODULES>nf_conntrack_netbios_ns</FW_LOAD_MODULES> - <FW_LOG_ACCEPT_ALL>no</FW_LOG_ACCEPT_ALL> - <FW_LOG_ACCEPT_CRIT>yes</FW_LOG_ACCEPT_CRIT> - <FW_LOG_DROP_ALL>no</FW_LOG_DROP_ALL> - <FW_LOG_DROP_CRIT>yes</FW_LOG_DROP_CRIT> - <FW_MASQUERADE>no</FW_MASQUERADE> - <FW_PROTECT_FROM_INT>no</FW_PROTECT_FROM_INT> - <FW_ROUTE>no</FW_ROUTE> - <enable_firewall config:type="boolean">false</enable_firewall> - <start_firewall config:type="boolean">false</start_firewall> - </firewall> - <general> - <signature-handling> - <accept_unsigned_file config:type="boolean">true</accept_unsigned_file> - <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum> - <accept_verification_failed config:type="boolean">true</accept_verification_failed> - <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key> - </signature-handling> - <mode> - <confirm config:type="boolean">true</confirm> - <final_reboot config:type="boolean">false</final_reboot> - </mode> - </general> - <networking> - <keep_install_network config:type="boolean">true</keep_install_network> - </networking> - <report> - <errors> - <log config:type="boolean">true</log> - <show config:type="boolean">true</show> - <timeout config:type="integer">0</timeout> - </errors> - <messages> - <log config:type="boolean">true</log> - <show config:type="boolean">true</show> - <timeout config:type="integer">20</timeout> - </messages> - <warnings> - <log config:type="boolean">true</log> - <show config:type="boolean">true</show> - <timeout config:type="integer">30</timeout> - </warnings> - <yesno_messages> - <log config:type="boolean">true</log> - <show config:type="boolean">true</show> - <timeout config:type="integer">25</timeout> - </yesno_messages> - </report> - <runlevel> - <default>5</default> - <services config:type="list" > - <service> - <service_name>sshd</service_name> - <service_start>3 5</service_start> - </service> - <service> - <service_name>rpcbind</service_name> - <service_start>3 5</service_start> - </service> - <service> - <service_name>autofs</service_name> - <service_start>3 5</service_start> - </service> - <service> - <service_name>nfs</service_name> - <service_start>3 5</service_start> - </service> - <service> - <service_name>cups</service_name> - <service_status>disable</service_status> - </service> - <service> - <service_name>SuSEfirewall2</service_name> - <service_status>disable</service_status> - </service> - </services> - </runlevel> - <sound> - <autoinstall config:type="boolean">true</autoinstall> - <configure_detected config:type="boolean">true</configure_detected> - </sound> - <scripts> - <chroot-scripts config:type="list"> - <script> - <interpreter>shell</interpreter> - <debug config:type="boolean">true</debug> - <chrooted config:type="boolean">false</chrooted> - <source><![CDATA[ - cp -av /usr/share/YaST2/modules/SLP.rb /mnt/usr/share/YaST2/modules -]]> - </source> - </script> - </chroot-scripts> - </scripts> - - <timezone> - <hwclock>UTC</hwclock> - <timezone>Europe/Berlin</timezone> - </timezone> -</configure> -<install> - <partitioning config:type="list"> - <drive> - <device>/dev/sdb</device> - <initialize config:type="boolean">true</initialize> - - <partitions config:type="list"> - <partition> - <mount>swap</mount> - <size>500M</size> - <filesystem>swap</filesystem> - <format config:type="boolean">true</format> - - </partition> - <partition> - <mount>/</mount> - <size>max</size> - <filesystem config:type="symbol">ext4</filesystem> - <format config:type="boolean">true</format> - </partition> - - </partitions> - </drive> - </partitioning> - <software> - <image/> - <instsource/> - <packages config:type="list"> - <package>less</package> - <package>yast2-trans-en_US</package> - </packages> - <patterns config:type="list"> - <pattern>Minimal</pattern> - <pattern>base</pattern> - </patterns> - </software> - <users config:type="list"> - <user> - <user_password>rootpw</user_password> - <username>root</username> - </user> - </users> -</install> -</profile> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0