February 2015 - openSUSE Commits - openSUSE Mailing Lists

commit live555 for openSUSE:Factory
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package live555 for openSUSE:Factory checked in at 2015-02-06 10:17:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/live555 (Old) and /work/SRC/openSUSE:Factory/.live555.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "live555" Changes: -------- --- /work/SRC/openSUSE:Factory/live555/live555.changes 2014-11-03 13:11:14.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.live555.new/live555.changes 2015-02-06 10:17:08.000000000 +0100 @@ -1,0 +2,128 @@ +Sat Jan 31 13:00:25 UTC 2015 - aloisio(a)gmx.com + +- fixed paths in live555.pc +- update to version 2015.01.27: + * Fixed a bug in "MPEG2TransportStreamFromESSource" that could + sometimes cause an abort if more than one Elementary Stream + Source were multiplexed into a single Transport Stream. + (Thanks to Marc Palau for reporting this issue.) +- version 2015.01.19: + * Fixed an obscure bug in "RTSPClient" that might conceivably + have caused a crash if it received a completely empty RTSP + response. +- version 2015.01.04: + * Updated "config.iphone-simulator" to work with the latest Xcode. + (Thanks to Braden Ackerman.) + * In the "BasicUsageEnvironment" implementation, renamed + "EventTime" to "_EventTime" to avoid a reported naming conflict. +- version 2014.12.17: + * Updated "RTSPServerSupportingHTTPStreaming" to make sure that + the data stream source gets closed when it's no longer needed. +- version 2014.12.16: + * Changed the FD_SETSIZE check (introduced in version 2014.12.11) + so that it's not done in Windows (because in Windows, + FD_SETSIZE has different semantics). + (Thanks to Deanna Earley for reporting this.) +- version 2014.12.13: + * Updated the H.264/H.265 parsing code in "H264or5VideoStreamFramer" + to be a little smarter about how it computes a file's frame rate + (when streaming a 'raw' H.264 or H.265 file). + (Thanks to Michel Promonet for inspiring this.) + * Updated "config.iphoneos" to work with the latest Xcode. + (Thanks to Braden Ackerman.) +- version 2014.12.11: + * Changed our implementation of "setBackgroundHandling()" and + "moveBackgroundHandling()" in "BasicTaskScheduler" to check for + (and disallow) socket numbers >= FD_SETSIZE, because <sys/select.h> + has a bug (at least, in most systems) that causes buffer overflow + in this case. (Thanks to Michel Promonet for pointing this out.) +- version 2014.12.09: + * Needed to make the "QuickTimeFileSink" constructor and destructor + protected: to allow subclassing. +- version 2014.12.08: + * Fixed a bug in parsing 'absolute' RTSP "Range:" headers with no end + time. (Thanks to Ken Chow for reporting this.) + * Added a new option "-K" to "openRTSP, to tell the client to + periodically send "OPTIONS" requests as 'keep-alives' for buggy + servers that don't use incoming RTCP "RR" packets to indicate client + liveness. (Thanks to Peter Schlaile for this suggestion.) + * Added a new 'protected' virtual member function "noteRecordedFrame()" + to "QuickTimeFileSink". This function is called whenever a frame is + recorded to the output file. The default implementation of this + virtual function does nothing, but subclasses can redefine it if + they wish. +- version 2014.11.28: + * When "RTSPClient" parses a RTSP response, we first skip over any + blank lines that may be at the start of the response. This can + happen if the previous response (e.g., to a "DESCRIBE") contained + extra whitespace. (Thanks to ilwoo Nam for giving an example of + a server that exhibited this behavior.) +- version 2014.11.12: + * We had forgotten to initialize the "RTSPClient" member variable + "fAllowBasicAuthentication" that we introduced in the previous + version. +- version 2014.11.07: + * Added a new "RTSPClient" member function "disallowBasicAuthentication()" + that you can call if you don't want a RTSP client to perform 'basic' + authentication (whcih involves sending the username and password over + the network), even if the server asks for this. + (Thanks to Tomasz Pala for this suggestion.) + * Updated the debugging printout code in "RTCP.cpp" to identify all + known RTCP payload types, even if we don't currently handle them. + We also - when doing debugging printout - parse and print out + the contents of SDES RTCP packets. +- version 2014.11.01: + * Updated "RTSPClient" so that it reuses "fCurrentAuthenticator" + if we previously updated it with data from a "WWW-Authenticate:" + response, even if a non_NULL "authenticator" parameter was + passed as a parameter to the command. This reduces the number + of authetication exchanges that take place if the server asks + for authentication on more than one command in a RTSP session. + (Thanks to Tomasz Pala for this suggestion.) + * Updated "DigestAuthenticator" to allow for the possibility of + "username" or "password" being NULL. + * Updated the "RTSPServer" implementation to add an access check + before the first "SETUP" (the one that doesn't include a + session id), because it's possible, in principle, for a client + to send such a "SETUP" without first sending a "DESCRIBE". + Therefore, we need to perform access checks on both commands. +- version 2014.10.28: + * Added support for the VP9 video RTP payload format (sending and + receiving), including the demultiplexing and streaming of a VP9 + video track from a Matroska-format file. + * Made "VP8VideoRTPSource" more robust against a bad first-byte + header field in the payload. +- version 2014.10.21: + * Increased the max output packet size for "MultiFramedRTPSink" + and "RTCPInstance" from 1448 to 1456, because we had a report + of problems when proxying incoming JPEG/RTP packets of this + size (and because 1456 bytes still gives a packet size of no + more than 1500 bytes when we add + in IP, UDP, and UMTP headers). +- version 2014.10.20: + * Increased the RTSP request and response buffer sizes from 10000 + to 20000 bytes, because we saw a RTSP stream (VP8 video) that + had an extremely large "configuration=" string that was hiting + the previous limit. +- version 2014.10.16: + * Fixed the "RTSPServer" implementation to handle a rare race + condition that could cause a "ServerMediaSession" object to + be deleted while it was being used to implement "DESCRIBE". + (Thanks to Michel Promonet for reporting this.) +- version 2014.10.07: + * Fixed a bug in the "MultiFramedRTPSource" implementation where + we weren't properly checking the size of incoming RTP packets + that have the "CC" field (i.e., number of "CSRC" fields) non-zero. + * Updated "Groupsock::output()" to be a virtual function. + (This makes it possible to implement "Groupsock" subclasses that + implement 'bump-in-the-stack' protocols (such as SRT(C)P) below + RTP/RTCP.) +- version 2014.10.03: + * Fixed a problem in the "timestampString()" routine that occurs + if "time_t" is 64 bits, but we're on a 32-bit machine. + (Thanks to Deanna Earley for reporting this.) + * Updated the debugging output code in "RTCP.cpp" to make it + clearer that SDES and APP packets are not invalid; just not + (yet) handled by us. + +------------------------------------------------------------------- Old: ---- live.2014.09.22.tar.gz New: ---- live.2015.01.27.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ live555.spec ++++++ --- /var/tmp/diff_new_pack.yUKMO4/_old 2015-02-06 10:17:09.000000000 +0100 +++ /var/tmp/diff_new_pack.yUKMO4/_new 2015-02-06 10:17:09.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package live555 # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2013 Dominique Leuenberger, Amsterdam, The Netherlands # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: live555 -Version: 2014.09.22 +Version: 2015.01.27 Release: 1.2 Summary: LIVE555 Streaming Media License: LGPL-2.1 @@ -40,8 +40,8 @@ Summary: LIVE555 Streaming Media Group: Development/Languages/C and C++ # Actually, live555 is a devel package only. Headers, code and a static lib is all there is. -Provides: live555 = %{version} -Obsoletes: live555 < %{version} +Provides: %{name} = %{version} +Obsoletes: %{name} < %{version} %description devel This code forms a set of C++ libraries for multimedia streaming, @@ -53,13 +53,15 @@ %patch0 -p1 %build +export CFLAGS="%{optflags}" +export CPPFLAGS="%{optflags}" ./genMakefiles linux make %{?_smp_mflags} %install install -d -m 755 %{buildroot}%{_libdir}/live install -d -m 755 %{buildroot}%{_includedir} -find . -type f -name "*.a" -exec install {} %{buildroot}%{_libdir}/live \; +find . -type f -name "*.a" -exec install -m 644 {} %{buildroot}%{_libdir}/live \; for fld in liveMedia groupsock BasicUsageEnvironment UsageEnvironment; do install -d -m 755 %{buildroot}%{_includedir}/$fld cp -rL $fld/include/* %{buildroot}%{_includedir}/$fld @@ -76,8 +78,8 @@ Name: live555 Description: Multimedia streaming libraries Version: %{version} -Libs: -L${libdir} -lliveMedia -lUsageEnvironment -lgroupsock -lBasicUsageEnvironment -Cflags: -I${includedir} -I${includedir}/liveMedia -I${includedir}/UsageEnvironment -I${includedir}/groupsock -I${includedir}/BasicUsageEnvironment +Libs: -L${libdir}/live -lliveMedia -lUsageEnvironment -lgroupsock -lBasicUsageEnvironment +Cflags: -I${includedir}/liveMedia -I${includedir}/UsageEnvironment -I${includedir}/groupsock -I${includedir}/BasicUsageEnvironment EOF %files devel ++++++ live.2014.09.22.tar.gz -> live.2015.01.27.tar.gz ++++++ ++++ 6454 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit patchinfo.3399 for openSUSE:13.1:Update
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package patchinfo.3399 for openSUSE:13.1:Update checked in at 2015-02-06 10:16:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/patchinfo.3399 (Old) and /work/SRC/openSUSE:13.1:Update/.patchinfo.3399.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "patchinfo.3399" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo incident="3399"> <issue id="903359" tracker="bnc">Temporary migration name is not cleaned up after migration</issue> <issue id="910681" tracker="bnc">VUL-0: CVE-2015-0361: XSA-116: xen: xen crash due to use after free on hvm guest teardown</issue> <issue id="905465" tracker="bnc">VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation</issue> <issue id="906996" tracker="bnc">VUL-0: CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation</issue> <issue id="903970" tracker="bnc">VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches</issue> <issue id="901317" tracker="bnc">increase limit domUloader to 32MB</issue> <issue id="900292" tracker="bnc">xl tries to save core files to missing /var/xen/dump directory</issue> <issue id="905467" tracker="bnc">VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor</issue> <issue id="906439" tracker="bnc">VUL-0: CVE-2014-9030: XSA-113: xen: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling</issue> <issue id="903967" tracker="bnc">VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls</issue> <issue id="866902" tracker="bnc">Xen save/restore of HVM guests cuts off disk and networking</issue> <issue id="826717" tracker="bnc">VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts</issue> <issue id="903357" tracker="bnc">Corrupted save/restore test leaves orphaned data in xenstore</issue> <issue id="882089" tracker="bnc">Windows 2012 R2 fails to boot up with greater than 60 vcpus</issue> <issue id="889526" tracker="bnc">VUL-0: CVE-2014-5146,CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu operations are not preemptible</issue> <issue id="903850" tracker="bnc">VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor</issue> <issue id="CVE-2014-5146" tracker="cve" /> <issue id="CVE-2014-8594" tracker="cve" /> <issue id="CVE-2014-8595" tracker="cve" /> <issue id="CVE-2015-0361" tracker="cve" /> <issue id="CVE-2014-9030" tracker="cve" /> <issue id="CVE-2014-5149" tracker="cve" /> <issue id="CVE-2014-8866" tracker="cve" /> <issue id="CVE-2013-3495" tracker="cve" /> <issue id="CVE-2014-9065" tracker="cve" /> <issue id="CVE-2014-8867" tracker="cve" /> <issue id="CVE-2014-9066" tracker="cve" /> <category>security</category> <rating>important</rating> <packager>charlesa</packager> <description> The virtualization software XEN was updated to version 4.3.3 and also to fix bugs and security issues. Security issues fixed: CVE-2015-0361: XSA-116: xen: xen crash due to use after free on hvm guest teardown CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu operations are not preemptible Bugs fixed: - bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore - bnc#903359 - Temporary migration name is not cleaned up after migration - bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor - bnc#866902 - L3: Xen save/restore of HVM guests cuts off disk and networking - bnc#901317 - L3: increase limit domUloader to 32MB domUloader.py - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus - bsc#900292 - xl: change default dump directory - Update to Xen 4.3.3 </description> <reboot_needed/> <summary>Security update for xen</summary> </patchinfo> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit xen for openSUSE:13.1:Update
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package xen for openSUSE:13.1:Update checked in at 2015-02-06 10:16:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/xen (Old) and /work/SRC/openSUSE:13.1:Update/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.ugaTG1/_old 2015-02-06 10:16:59.000000000 +0100 +++ /var/tmp/diff_new_pack.ugaTG1/_new 2015-02-06 10:16:59.000000000 +0100 @@ -1 +1 @@ -<link package='xen.3332' cicount='copy' /> +<link package='xen.3399' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit gnuplot for openSUSE:Factory
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package gnuplot for openSUSE:Factory checked in at 2015-02-06 10:16:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnuplot (Old) and /work/SRC/openSUSE:Factory/.gnuplot.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnuplot" Changes: -------- --- /work/SRC/openSUSE:Factory/gnuplot/gnuplot.changes 2015-01-25 21:14:38.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnuplot.new/gnuplot.changes 2015-02-06 10:16:34.000000000 +0100 @@ -1,0 +2,7 @@ +Sat Jan 31 12:54:31 UTC 2015 - alinm.elena(a)gmail.com + +- for versions greater than 13.1 we shall build against qt5 + * cleaned up various rpmlint warning + * got rid of configure options obsoleted + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnuplot.spec ++++++ --- /var/tmp/diff_new_pack.EbDEUw/_old 2015-02-06 10:16:35.000000000 +0100 +++ /var/tmp/diff_new_pack.EbDEUw/_new 2015-02-06 10:16:35.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnuplot # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,11 @@ %bcond_without h3d_gridbox - +%if %{suse_version} > 1310 +%define qtver 5 +%else +%define qtver 4 +%endif Name: gnuplot BuildRequires: ImageMagick BuildRequires: automake @@ -28,17 +32,24 @@ BuildRequires: gd-devel BuildRequires: gtk2-devel BuildRequires: libjpeg-devel -BuildRequires: libqt4-devel >= 4.5 +BuildRequires: libqt5-linguist-devel BuildRequires: netpbm BuildRequires: pango-devel BuildRequires: readline-devel -%if %suse_version <= 1140 -BuildRequires: zziplib +%if %qtver >= 5 +BuildRequires: pkgconfig(Qt5Core) +BuildRequires: pkgconfig(Qt5Gui) +BuildRequires: pkgconfig(Qt5Network) +BuildRequires: pkgconfig(Qt5PrintSupport) +BuildRequires: pkgconfig(Qt5Svg) +%else +BuildRequires: libqt4-devel >= 4.5 %endif BuildRequires: latex2html BuildRequires: texlive-latex BuildRequires: texlive-tex4ht BuildRequires: texlive-ucs +BuildRequires: zziplib %if %suse_version >= 1220 BuildRequires: makeinfo %endif @@ -51,24 +62,17 @@ BuildRequires: tex(pdftex.def) BuildRequires: tex(subfigure.sty) %endif -BuildRequires: xorg-x11 -BuildRequires: xorg-x11-devel -%if %suse_version > 1130 -BuildRequires: wxWidgets-devel -%else -BuildRequires: wxGTK-devel -%endif +BuildRequires: fdupes BuildRequires: libpng-devel BuildRequires: lua-devel -%if 0%{?suse_version} > 1110 BuildRequires: plotutils-devel -%else -BuildRequires: plotutils -%endif +BuildRequires: wxWidgets-devel +BuildRequires: xorg-x11 +BuildRequires: xorg-x11-devel Url: http://www.gnuplot.info/ Version: 5.0.0 Release: 0 -Summary: GNUplot a Function Plotting Utility +Summary: Function Plotting Utility and more License: SUSE-Gnuplot and GPL-2.0+ Group: Productivity/Graphics/Visualization/Graph # http://sourceforge.net/projects/gnuplot/files/gnuplot/4.6.4/gnuplot-4.6.4.t… @@ -102,10 +106,8 @@ %define _x11inc %{_includedir} %define _appdef %{_x11data}/app-defaults %endif -%if %suse_version > 1130 %define _use_internal_dependency_generator 0 %define __find_requires %wx_requires -%endif %description GNUplot is a command line driven interactive function plotting utility. @@ -119,9 +121,7 @@ Requires: %{name} Requires(post): %install_info_prereq Requires(postun): %install_info_prereq -%if 0%{?suse_version} >= 1120 BuildArch: noarch -%endif %description doc GNUplot documentation files including the man and info pages. GNUplot @@ -144,6 +144,7 @@ %patch1 -p 0 -b .x11ovf %build + SECSVGA="-DSVGA_IS_SECURE=1" export CPPFLAGS="-I%{_x11inc} -I%{_includedir}/gd -DAppDefDir=\\\"%{_appdef}\\\"" export CPPFLAGS="$CPPFLAGS -DGNUPLOT_LIB_DEFAULT=\\\"%{_docdir}/%{name}/demo\\\"" @@ -157,8 +158,17 @@ done autoreconf -fi +# sed -i "s;bin/uic;bin/uic-qt5;g" ./configure +# sed -i "s;bin/moc;bin/moc-qt5;g" ./configure +# sed -i "s;bin/rcc;bin/rcc-qt5;g" ./configure +# sed -i "s;bin/lrelease;bin/lrelease-qt5;g" ./configure +# sed -i "s;UIC=uic;UIC=uic-qt5;g" ./configure +# sed -i "s;MOC=moc;MOC=moc-qt5;g" ./configure +# sed -i "s;RCC=rcc;RCC=rcc-qt5;g" ./configure +# sed -i "s;LRELEASE=lrelease;LRELEASE=lrelease-qt5;g" ./configure + %configure \ - --with-gcc \ + --enable-stats \ --with-x \ --x-includes=%{_x11inc} \ --x-libraries=%{_x11lib}\ @@ -177,18 +187,17 @@ --enable-h3d-gridbox \ %endif --enable-backwards-compatibility\ - --with-zlib \ --with-gd \ - --enable-thin-splines \ --without-row-help \ --with-kpsexpand \ - --with-plot=%{_libdir} \ - --enable-qt -%if %suse_version <= 1140 - make %{?_smp_mflags} RCC=/usr/bin/rcc LRELEASE=/usr/bin/lrelease + --with-qt=qt%{qtver} + +%if %{qtver} >= 5 + make %{?_smp_mflags} UIC=/usr/bin/uic-qt5 MOC=/usr/bin/moc-qt5 RCC=/usr/bin/rcc-qt5 LRELEASE=/usr/bin/lrelease-qt5 %else make %{?_smp_mflags} %endif + pushd docs/ make srcdir=. clean all html pdf gpcard.ps info pushd psdoc/ @@ -239,6 +248,7 @@ install -m 0444 lisp/gnuplot*.el* %{buildroot}/%{_datadir}/emacs/site-lisp/ mv %{buildroot}/%{_mandir}/man1/gnuplot-ja.1 %{buildroot}/%{_mandir}/ja/man1/gnuplot.1 rm -f %{buildroot}/%{_docdir}/gnuplot/demo/Makefile* + %fdupes -s %{buildroot} %post doc %install_info --info-dir=.%{_infodir} .%{_infodir}/%{name}.info.gz -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit numactl for openSUSE:Factory
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package numactl for openSUSE:Factory checked in at 2015-02-06 10:16:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/numactl (Old) and /work/SRC/openSUSE:Factory/.numactl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "numactl" Changes: -------- --- /work/SRC/openSUSE:Factory/numactl/numactl.changes 2015-01-21 21:54:21.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.numactl.new/numactl.changes 2015-02-06 10:16:10.000000000 +0100 @@ -1,0 +2,5 @@ +Tue Jan 27 11:07:47 UTC 2015 - trenn(a)suse.de + +- Change license from GPL-2.0+ to GPL-2.0 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ numactl.spec ++++++ --- /var/tmp/diff_new_pack.ynzBct/_old 2015-02-06 10:16:11.000000000 +0100 +++ /var/tmp/diff_new_pack.ynzBct/_new 2015-02-06 10:16:11.000000000 +0100 @@ -20,7 +20,7 @@ Name: numactl Summary: NUMA Policy Control -License: GPL-2.0+ +License: GPL-2.0 Group: System/Management Version: 2.0.10 Release: 0 @@ -52,7 +52,7 @@ %package -n libnuma-devel Summary: NUMA Policy Control -License: GPL-2.0+ +License: GPL-2.0 Group: Development/Languages/C and C++ Requires: libnuma1 = %{version} -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libvirt for openSUSE:13.1:Update
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package libvirt for openSUSE:13.1:Update checked in at 2015-02-06 10:08:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/libvirt (Old) and /work/SRC/openSUSE:13.1:Update/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt" Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.sZlAxm/_old 2015-02-06 10:08:32.000000000 +0100 +++ /var/tmp/diff_new_pack.sZlAxm/_new 2015-02-06 10:08:32.000000000 +0100 @@ -1 +1 @@ -<link package='libvirt.3348' cicount='copy' /> +<link package='libvirt.3472' cicount='copy' /> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit libvirt.3472 for openSUSE:13.1:Update
by root＠hilbert.suse.de 06 Feb '15

06 Feb '15

Hello community, here is the log from the commit of package libvirt.3472 for openSUSE:13.1:Update checked in at 2015-02-06 10:08:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/libvirt.3472 (Old) and /work/SRC/openSUSE:13.1:Update/.libvirt.3472.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt.3472" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.libvirt.3472.new/libvirt.changes 2015-02-06 10:08:30.000000000 +0100 @@ -0,0 +1,2432 @@ +------------------------------------------------------------------- +Wed Jan 28 12:04:09 MST 2015 - jfehlig(a)suse.com + +- CVE-2015-0236: libvirt: access control bypass + 03c3c0c8-CVE-2015-0236.patch, b347c0c2-CVE-2015-0236.patch + bsc#914693 + +------------------------------------------------------------------- +Fri Dec 19 17:31:47 MST 2014 - jfehlig(a)suse.com + +- CVE-2014-8136: libvirt: local denial of service in qemu driver + 2bdcd29c-CVE-2014-8136.patch + bsc#910862 + +------------------------------------------------------------------- +Mon Nov 10 22:15:12 MST 2014 - jfehlig(a)suse.com + +- CVE-2014-7823: dumpxml: security hole with migratable flag + b1674ad5-CVE-2014-7823.patch + bsc#904176 + +------------------------------------------------------------------- +Thu Oct 2 09:52:27 MDT 2014 - jfehlig(a)suse.com + +- CVE-2014-3657: Fix domain deadlock + fc22b2e7-CVE-2014-3657.patch + bsc#899484 + +------------------------------------------------------------------- +Thu Sep 18 22:54:52 MDT 2014 - jfehlig(a)suse.com + +- CVE-2014-3633: Use correct definition when looking up disk in + qemu blkiotune + 3e745e8f-CVE-2014-3633.patch + bsc#897783 + +------------------------------------------------------------------- +Tue May 20 15:13:22 MDT 2014 - jfehlig(a)suse.com + +- spec: libvirt-daemon package owns /etc/libvirt, not libvirt-client + bnc#878056 + +------------------------------------------------------------------- +Mon May 5 16:47:43 MDT 2014 - jfehlig(a)suse.com + +- CVE-2014-0179: Don't expand entities when parsing XML + d6b27d3e-CVE-2014-0179.patch + bnc#873705 + +------------------------------------------------------------------- +Wed Apr 30 07:07:52 UTC 2014 - rhafer(a)suse.com + +- Fix migration with QEMU 1.6 (bnc#875694) + QEMU 1.6.0 introduced new migration status: setup + Libvirt does not expect such string in QMP and refuses to migrate + with error "unexpected migration status in setup" + d35ae41-bnc875694.patch + +------------------------------------------------------------------- +Fri Apr 18 14:35:48 MDT 2014 - jfehlig(a)suse.com + +- libvirtd: notify systemd when ready to accept connections + bnc#873103, bnc#871154 + +------------------------------------------------------------------- +Fri Mar 21 12:16:25 MDT 2014 - jfehlig(a)suse.com + +- Rename patch to include CVE number + 484cc321-fix-spice-migration.patch -> 484cc321-CVE-2013-7336.patch + +------------------------------------------------------------------- +Tue Mar 18 10:50:21 UTC 2014 - cbosdonnat(a)suse.com + +- Backport libvirt-guests fixes + 4e7fc83-bnc852005.patch, 68954fb-bnc852005.patch, + ba79e38-bnc852005.patch + bnc#852005 + +------------------------------------------------------------------- +Tue Mar 4 17:34:36 UTC 2014 - cbosdonnat(a)suse.com + +- CVE-2013-6456: unsafe usage of paths under /proc/$PID/root + 1754c7f-CVE-2013-6456.patch + 1cadeaf-CVE-2013-6456.patch + 2c2bec9-CVE-2013-6456.patch + 4dd3a7d-CVE-2013-6456.patch + 5fc590a-CVE-2013-6456.patch + 7a44af9-CVE-2013-6456.patch + 7c72ef6-CVE-2013-6456.patch + 7fba01c-CVE-2013-6456.patch + a537827-CVE-2013-6456.patch + aebbcdd-CVE-2013-6456.patch + c321bfc-CVE-2013-6456.patch + c364897-CVE-2013-6456.patch + c3eb12c-CVE-2013-6456.patch + d24e6b8-CVE-2013-6456.patch + bnc#857490 +- avoid short reads while chasing backing chain. This commit is + needed by one of the patches fixing the CVE. + d697b0f3-storage-avoid-short-reads.patch + +------------------------------------------------------------------- +Wed Jan 22 15:12:21 MST 2014 - jfehlig(a)suse.com + +- CVE-2013-6458: qemu: Fix job usage in several APIs + 17db7e28-CVE-2013-6458.patch, 54cb7f05-CVE-2013-6458.patch, + bcb9a035-CVE-2013-6458.patch, 939b0818-CVE-2013-6458.patch, + 82daa87f-CVE-2013-6458.patch + bnc#857492 + +------------------------------------------------------------------- +Wed Jan 22 14:49:40 MST 2014 - jfehlig(a)suse.com + +- CVE-2014-1447: Prevent libvirtd crash if a connection closes + early + ed327dfc-CVE-2014-1447.patch, 2842b103-CVE-2014-1447.patch + bnc#858817 + +------------------------------------------------------------------- +Wed Jan 22 14:40:21 MST 2014 - jfehlig(a)suse.com + +- CVE-2013-6457: avoid crashing libvirtd when calling + `virsh numatune' on inactive Xen libxl domain + 52c40003-CVE-2013-6457.patch + bnc#858824 + +------------------------------------------------------------------- +Wed Jan 22 14:33:55 MST 2014 - jfehlig(a)suse.com + +- CVE-2014-0028: filter global events by domain:getattr ACL + fb5a3190-CVE-2014-0028.patch + bnc#859051 + +------------------------------------------------------------------- +Wed Jan 22 10:02:06 MST 2014 - jfehlig(a)suse.com + +- Add CAP_SYS_PACCT capability to libvirtd AppArmor profile + Modified install-apparmor-profiles.patch + bnc#817407 + +-------------------------------------------------------------------- +Mon Jan 20 18:29:29 MST 2014 - jfehlig(a)suse.com + +- Following the upstream pattern, introduce the + daemon-config-network subpackage to handle defining the default + network + bnc#859041 + +------------------------------------------------------------------- +Thu Jan 9 18:01:04 MST 2014 - jfehlig(a)suse.com + +- Fix initialization of emulated NICs + Added 7c98d1c1-nic-type.patch + Replaced libxl-hvm-nic.patch with upstream + e1459c1f-nic-devid.patch + bnc#857271 + +------------------------------------------------------------------- +Wed Jan 8 11:16:47 MST 2014 - jfehlig(a)suse.com + +- Fix potential segfault in libxl driver when domain create fails + b03eba13-libxl-segfault-fix.patch + bnc#857271 + +------------------------------------------------------------------- +Fri Dec 20 09:04:45 MST 2013 - jfehlig(a)suse.com + +- CVE-2013-6436: Fix crashes in lxc memtune code, one of which + results in DoS + f8c1cb90-CVE-2013-6436.patch, 9faf3f29-LXC-memtune.patch + bnc#854486 + +------------------------------------------------------------------- +Thu Dec 12 21:00:32 UTC 2013 - cbosdonnat(a)suse.com + +- Backported upstream patch to fix LXC container failing start. + bnc#855239 + +------------------------------------------------------------------- +Mon Dec 9 13:07:29 MST 2013 - jfehlig(a)suse.com + +- Building with polkit support requires polkit-devel + bnc#854144 + +------------------------------------------------------------------- +Fri Dec 6 10:52:56 MST 2013 - jfehlig(a)suse.com + +- More adjustments to the spec file to fix package dependency + issues + bnc#848918 + +------------------------------------------------------------------- +Tue Nov 26 14:46:21 MST 2013 - jfehlig(a)suse.com + +- Allow execution of libvirt hook scripts in /etc/libvirt/hooks/ + in libvirtd AppArmor profile + ++++ 2235 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.libvirt.3472.new/libvirt.changes New: ---- 03c3c0c8-CVE-2015-0236.patch 1754c7f-CVE-2013-6456.patch 17db7e28-CVE-2013-6458.patch 1cadeaf-CVE-2013-6456.patch 2842b103-CVE-2014-1447.patch 2bdcd29c-CVE-2014-8136.patch 2c2bec9-CVE-2013-6456.patch 2dba0323-CVE-2013-4297.patch 3e2f27e1-CVE-2013-4400.patch 3e745e8f-CVE-2014-3633.patch 484cc321-CVE-2013-7336.patch 4dd3a7d-CVE-2013-6456.patch 4e7fc83-bnc852005.patch 52c40003-CVE-2013-6457.patch 54cb7f05-CVE-2013-6458.patch 57687fd6-CVE-2013-4401.patch 5a0ea4b7-CVE-2013-4400.patch 5fc590a-CVE-2013-6456.patch 68954fb-bnc852005.patch 79552754-libvirtd-chardev-crash.patch 7a44af9-CVE-2013-6456.patch 7c72ef6-CVE-2013-6456.patch 7c98d1c1-nic-type.patch 7fba01c-CVE-2013-6456.patch 8294aa0c-CVE-2013-4399.patch 82daa87f-CVE-2013-6458.patch 843bdb2f-CVE-2013-4400.patch 8c3586ea-CVE-2013-4400.patch 922b7fda-CVE-2013-4311.patch 939b0818-CVE-2013-6458.patch 97973ebb-LXC-threading-error.patch 9faf3f29-LXC-memtune.patch a537827-CVE-2013-6456.patch ae53e5d1-CVE-2013-4400.patch aebbcdd-CVE-2013-6456.patch b03eba13-libxl-segfault-fix.patch b1674ad5-CVE-2014-7823.patch b347c0c2-CVE-2015-0236.patch b7fcc799a-CVE-2013-4400.patch ba79e38-bnc852005.patch baselibs.conf bcb9a035-CVE-2013-6458.patch bd773e74-lxc-terminate-machine.patch c321bfc-CVE-2013-6456.patch c364897-CVE-2013-6456.patch c3eb12c-CVE-2013-6456.patch clone.patch d24e6b8-CVE-2013-6456.patch d35ae41-bnc875694.patch d697b0f3-storage-avoid-short-reads.patch d6b27d3e-CVE-2014-0179.patch db7a5688-CVE-2013-4311.patch e1459c1f-nic-devid.patch e350826c-python-fix-fd-passing.patch e4697b92-CVE-2013-4311.patch e65667c0-CVE-2013-4311.patch e7f400a1-CVE-2013-4296.patch ed327dfc-CVE-2014-1447.patch f8c1cb90-CVE-2013-6436.patch fb5a3190-CVE-2014-0028.patch fc22b2e7-CVE-2014-3657.patch fix-pci-attach-xen-driver.patch install-apparmor-profiles.patch libvirt-1.1.2.tar.bz2 libvirt-guests-init-script.patch libvirt-suse-netcontrol.patch libvirt.changes libvirt.spec libvirtd-defaults.patch libvirtd-init-script.patch libvirtd-relocation-server.fw libvirtd.init libxl-hvm-vnc.patch support-managed-pci-xen-driver.patch suse-qemu-conf.patch systemd-service-xen.patch virtlockd-init-script.patch xen-name-for-devid.patch xen-pv-cdrom.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ ++++ 1892 lines (skipped) ++++++ 03c3c0c8-CVE-2015-0236.patch ++++++ commit 03c3c0c874c84dfa51ef17556062b095c6e1c0a3 Author: Peter Krempa <pkrempa(a)redhat.com> Date: Tue Jan 20 17:01:01 2015 +0100 CVE-2015-0236: qemu: Check ACLs when dumping security info from save image The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the appropriate permission for it. Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -5485,7 +5485,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect if (fd < 0) goto cleanup; - if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) goto cleanup; ret = qemuDomainDefFormatXML(driver, def, flags); Index: libvirt-1.1.2/src/remote/remote_protocol.x =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_protocol.x +++ libvirt-1.1.2/src/remote/remote_protocol.x @@ -4498,6 +4498,7 @@ enum remote_procedure { * @generate: both * @priority: high * @acl: domain:read + * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE */ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, ++++++ 1754c7f-CVE-2013-6456.patch ++++++ >From 77ddbad2a9272239a09673c5d6993793308514e9 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 17:45:08 +0000 Subject: [PATCH 12/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC block hostdev hotplug Rewrite lxcDomainAttachDeviceHostdevStorageLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 1754c7f0ab1407dcf7c89636a35711dd9b1febe1) --- src/lxc/lxc_driver.c | 66 ++++++++++++++-------------------------------------- 1 file changed, 18 insertions(+), 48 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3492,11 +3492,7 @@ lxcDomainAttachDeviceHostdevStorageLive( virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainHostdevDefPtr def = dev->data.hostdev; int ret = -1; - char *dst = NULL; - char *vroot = NULL; struct stat sb; - bool created = false; - mode_t mode = 0; if (!def->source.caps.u.storage.block) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", @@ -3524,51 +3520,29 @@ lxcDomainAttachDeviceHostdevStorageLive( goto cleanup; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - - if (virAsprintf(&dst, "%s/%s", - vroot, - def->source.caps.u.storage.block) < 0) - goto cleanup; - if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs+1) < 0) goto cleanup; - if (lxcContainerSetupHostdevCapsMakePath(dst) < 0) { - virReportSystemError(errno, - _("Unable to create directory for device %s"), - dst); - goto cleanup; - } - - mode = 0700 | S_IFBLK; - - VIR_DEBUG("Creating dev %s (%d,%d)", - def->source.caps.u.storage.block, - major(sb.st_rdev), minor(sb.st_rdev)); - if (mknod(dst, mode, sb.st_rdev) < 0) { - virReportSystemError(errno, - _("Unable to create device %s"), - dst); - goto cleanup; - } - created = true; - - if (lxcContainerChown(vm->def, dst) < 0) - goto cleanup; - - if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm->def, def, vroot) < 0) - goto cleanup; - - if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.storage.block, - VIR_CGROUP_DEVICE_RW | - VIR_CGROUP_DEVICE_MKNOD) != 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot allow device %s for domain %s"), - def->source.caps.u.storage.block, vm->def->name); + if (virCgroupAllowDevice(priv->cgroup, + 'b', + major(sb.st_rdev), + minor(sb.st_rdev), + VIR_CGROUP_DEVICE_RWM) < 0) + goto cleanup; + + if (lxcDomainAttachDeviceMknod(driver, + 0700 | S_IFBLK, + sb.st_rdev, + vm, + dev, + def->source.caps.u.storage.block) < 0) { + if (virCgroupDenyDevice(priv->cgroup, + 'b', + major(sb.st_rdev), + minor(sb.st_rdev), + VIR_CGROUP_DEVICE_RWM) < 0) + VIR_WARN("cannot deny device %s for domain %s", + def->source.caps.u.storage.block, vm->def->name); goto cleanup; } @@ -3578,10 +3552,6 @@ lxcDomainAttachDeviceHostdevStorageLive( cleanup: virDomainAuditHostdev(vm, def, "attach", ret == 0); - if (dst && created && ret < 0) - unlink(dst); - VIR_FREE(dst); - VIR_FREE(vroot); return ret; } ++++++ 17db7e28-CVE-2013-6458.patch ++++++ commit 17db7e28a1ec77382bb8fa96205ef2cf6deefa88 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Thu Dec 19 22:10:04 2013 +0100 qemu: Do not access stale data in virDomainBlockStats CVE-2013-6458 https://bugzilla.redhat.com/show_bug.cgi?id=1043069 When virDomainDetachDeviceFlags is called concurrently to virDomainBlockStats: libvirtd may crash because qemuDomainBlockStats finds a disk in vm->def before getting a job on a domain and uses the disk pointer after getting the job. However, the domain in unlocked while waiting on a job condition and thus data behind the disk pointer may disappear. This happens when thread 1 runs virDomainDetachDeviceFlags and enters monitor to actually remove the disk. Then another thread starts running virDomainBlockStats, finds the disk in vm->def, and while it's waiting on the job condition (owned by the first thread), the first thread finishes the disk removal. When the second thread gets the job, the memory pointed to be the disk pointer is already gone. That said, every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit db86da5ca2109e4006c286a09b6c75bfe10676ad) Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -8946,34 +8946,29 @@ qemuDomainBlockStats(virDomainPtr dom, if (virDomainBlockStatsEnsureACL(dom->conn, vm->def) < 0) goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0) + goto cleanup; + if (!virDomainObjIsActive(vm)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("domain is not running")); - goto cleanup; + goto endjob; } if ((idx = virDomainDiskIndexByName(vm->def, path, false)) < 0) { virReportError(VIR_ERR_INVALID_ARG, _("invalid path: %s"), path); - goto cleanup; + goto endjob; } disk = vm->def->disks[idx]; if (!disk->info.alias) { virReportError(VIR_ERR_INTERNAL_ERROR, _("missing disk device alias name for %s"), disk->dst); - goto cleanup; + goto endjob; } priv = vm->privateData; - if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0) - goto cleanup; - - if (!virDomainObjIsActive(vm)) { - virReportError(VIR_ERR_OPERATION_INVALID, - "%s", _("domain is not running")); - goto endjob; - } qemuDomainObjEnterMonitor(driver, vm); ret = qemuMonitorGetBlockStatsInfo(priv->mon, ++++++ 1cadeaf-CVE-2013-6456.patch ++++++ >From a06bdfcb446f182e490f70422a8431c3bcb2c801 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 17:47:39 +0000 Subject: [PATCH 13/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug Rewrite lxcDomainAttachDeviceHostdevMiscLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 1cadeafcaa422844a27ef622e2a7041d0235bcb3) --- src/lxc/lxc_driver.c | 66 ++++++++++++++-------------------------------------- 1 file changed, 18 insertions(+), 48 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3564,11 +3564,7 @@ lxcDomainAttachDeviceHostdevMiscLive(vir virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainHostdevDefPtr def = dev->data.hostdev; int ret = -1; - char *dst = NULL; - char *vroot = NULL; struct stat sb; - bool created = false; - mode_t mode = 0; if (!def->source.caps.u.misc.chardev) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", @@ -3596,51 +3592,29 @@ lxcDomainAttachDeviceHostdevMiscLive(vir goto cleanup; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - - if (virAsprintf(&dst, "%s/%s", - vroot, - def->source.caps.u.misc.chardev) < 0) + if (virCgroupAllowDevice(priv->cgroup, + 'c', + major(sb.st_rdev), + minor(sb.st_rdev), + VIR_CGROUP_DEVICE_RWM) < 0) goto cleanup; if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs+1) < 0) goto cleanup; - if (lxcContainerSetupHostdevCapsMakePath(dst) < 0) { - virReportSystemError(errno, - _("Unable to create directory for device %s"), - dst); - goto cleanup; - } - - mode = 0700 | S_IFCHR; - - VIR_DEBUG("Creating dev %s (%d,%d)", - def->source.caps.u.misc.chardev, - major(sb.st_rdev), minor(sb.st_rdev)); - if (mknod(dst, mode, sb.st_rdev) < 0) { - virReportSystemError(errno, - _("Unable to create device %s"), - dst); - goto cleanup; - } - created = true; - - if (lxcContainerChown(vm->def, dst) < 0) - goto cleanup; - - if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm->def, def, vroot) < 0) - goto cleanup; - - if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.misc.chardev, - VIR_CGROUP_DEVICE_RW | - VIR_CGROUP_DEVICE_MKNOD) != 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot allow device %s for domain %s"), - def->source.caps.u.misc.chardev, vm->def->name); + if (lxcDomainAttachDeviceMknod(driver, + 0700 | S_IFBLK, + sb.st_rdev, + vm, + dev, + def->source.caps.u.misc.chardev) < 0) { + if (virCgroupDenyDevice(priv->cgroup, + 'c', + major(sb.st_rdev), + minor(sb.st_rdev), + VIR_CGROUP_DEVICE_RWM) < 0) + VIR_WARN("cannot deny device %s for domain %s", + def->source.caps.u.storage.block, vm->def->name); goto cleanup; } @@ -3650,10 +3624,6 @@ lxcDomainAttachDeviceHostdevMiscLive(vir cleanup: virDomainAuditHostdev(vm, def, "attach", ret == 0); - if (dst && created && ret < 0) - unlink(dst); - VIR_FREE(dst); - VIR_FREE(vroot); return ret; } ++++++ 2842b103-CVE-2014-1447.patch ++++++ commit 2842b103b1cd5d0872050a164b758967eb2e4be4 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Mon Jan 13 15:46:24 2014 +0100 Really don't crash if a connection closes early https://bugzilla.redhat.com/show_bug.cgi?id=1047577 When writing commit 173c291, I missed the fact virNetServerClientClose unlocks the client object before actually clearing client->sock and thus it is possible to hit a window when client->keepalive is NULL while client->sock is not NULL. I was thinking client->sock == NULL was a better check for a closed connection but apparently we have to go with client->keepalive == NULL to actually fix the crash. Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> (cherry picked from commit 066c8ef6c18bc1faf8b3e10787b39796a7a06cc0) Index: libvirt-1.1.2/src/rpc/virnetserverclient.c =================================================================== --- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c +++ libvirt-1.1.2/src/rpc/virnetserverclient.c @@ -1540,7 +1540,7 @@ virNetServerClientStartKeepAlive(virNetS /* The connection might have been closed before we got here and thus the * keepalive object could have been removed too. */ - if (!client->sock) { + if (!client->keepalive) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not open")); goto cleanup; ++++++ 2bdcd29c-CVE-2014-8136.patch ++++++ commit 2bdcd29c713dfedd813c89f56ae98f6f3898313d Author: Peter Krempa <pkrempa(a)redhat.com> Date: Mon Dec 8 19:25:21 2014 +0100 qemu: migration: Unlock vm on failed ACL check in protocol v2 APIs Avoid leaving the domain locked on a failed ACL check in qemuDomainMigratePerform() and qemuDomainMigrateFinish2(). Introduced in commit abf75aea247e (Add ACL checks into the QEMU driver). Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -10095,8 +10095,10 @@ qemuDomainMigratePerform(virDomainPtr do if (!(vm = qemuDomObjFromDomain(dom))) goto cleanup; - if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) + if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) { + virObjectUnlock(vm); goto cleanup; + } if (flags & VIR_MIGRATE_PEER2PEER) { dconnuri = uri; @@ -10142,8 +10144,10 @@ qemuDomainMigrateFinish2(virConnectPtr d goto cleanup; } - if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) + if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) { + virObjectUnlock(vm); goto cleanup; + } /* Do not use cookies in v2 protocol, since the cookie * length was not sufficiently large, causing failures ++++++ 2c2bec9-CVE-2013-6456.patch ++++++ >From b272b572cc013e1e0a9aadc22b9690ee097a2bb8 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Tue, 4 Feb 2014 17:41:22 +0000 Subject: [PATCH 04/14] Fix reset of cgroup when detaching USB device from LXC guests When detaching a USB device from an LXC guest we must remove the device from the cgroup ACL. Unfortunately we were telling the cgroup code to use the guest /dev path, not the host /dev path, and the guest device node had already been unlinked. This was, however, fortunate since the code passed &priv->cgroup instead of priv->cgroup, so would have crash if the device node were accessible. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 2c2bec94d27ccd070bee18a6113b1cfea6d80126) --- src/lxc/lxc_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3908,7 +3908,7 @@ lxcDomainDetachDeviceHostdevUSBLive(virL } if (!(usb = virUSBDeviceNew(def->source.subsys.u.usb.bus, - def->source.subsys.u.usb.device, vroot))) + def->source.subsys.u.usb.device, NULL))) goto cleanup; VIR_DEBUG("Unlinking %s", dst); @@ -3922,7 +3922,7 @@ lxcDomainDetachDeviceHostdevUSBLive(virL if (virUSBDeviceFileIterate(usb, virLXCTeardownHostUsbDeviceCgroup, - &priv->cgroup) < 0) + priv->cgroup) < 0) VIR_WARN("cannot deny device %s for domain %s", dst, vm->def->name); ++++++ 2dba0323-CVE-2013-4297.patch ++++++ commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2 Author: Michal Privoznik <mprivozn(a)redhat.com> Date: Tue Sep 3 18:56:06 2013 +0200 virFileNBDDeviceAssociate: Avoid use of uninitialized variable The @qemunbd variable can be used uninitialized. Index: libvirt-1.1.2/src/util/virfile.c =================================================================== --- libvirt-1.1.2.orig/src/util/virfile.c +++ libvirt-1.1.2/src/util/virfile.c @@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char char **dev) { char *nbddev; - char *qemunbd; + char *qemunbd = NULL; virCommandPtr cmd = NULL; int ret = -1; const char *fmtstr = NULL; ++++++ 3e2f27e1-CVE-2013-4400.patch ++++++ commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Thu Oct 10 13:09:08 2013 +0100 Don't link virt-login-shell against libvirt.so (CVE-2013-4400) The libvirt.so library has far too many library deps to allow linking against it from setuid programs. Those libraries can do stuff in __attribute__((constructor) functions which is not setuid safe. The virt-login-shell needs to link directly against individual files that it uses, with all library deps turned off except for libxml2 and libselinux. Create a libvirt-setuid-rpc-client.la library which is linked to by virt-login-shell. A config-post.h file allows this library to disable all external deps except libselinux and libxml2. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/Makefile.am =================================================================== --- libvirt-1.1.2.orig/Makefile.am +++ libvirt-1.1.2/Makefile.am @@ -31,6 +31,7 @@ XML_EXAMPLES = \ test/*.xml storage/*.xml))) EXTRA_DIST = \ + config-post.h \ ChangeLog-old \ libvirt.spec libvirt.spec.in \ mingw-libvirt.spec.in \ Index: libvirt-1.1.2/config-post.h =================================================================== --- /dev/null +++ libvirt-1.1.2/config-post.h @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2013 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +/* + * Since virt-login-shell will be setuid, we must do everything + * we can to avoid linking to other libraries. Many of them do + * unsafe things in functions marked __atttribute__((constructor)). + * The only way avoid to avoid such deps is to re-compile the + * functions with the code in question disabled, and for that we + * must override the main config.h rules. Hence this file :-( + */ + +#ifdef LIBVIRT_SETUID_RPC_CLIENT +# undef HAVE_LIBDEVMAPPER_H +# undef HAVE_LIBNL +# undef HAVE_LIBNL3 +# undef HAVE_LIBSASL2 +# undef WITH_CAPNG +# undef WITH_CURL +# undef WITH_DTRACE_PROBES +# undef WITH_GNUTLS +# undef WITH_MACVTAP +# undef WITH_NUMACTL +# undef WITH_SASL +# undef WITH_SSH2 +# undef WITH_VIRTUALPORT +# undef WITH_YAJL +# undef WITH_YAJL2 +#endif Index: libvirt-1.1.2/configure.ac =================================================================== --- libvirt-1.1.2.orig/configure.ac +++ libvirt-1.1.2/configure.ac @@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list AC_CONFIG_SRCDIR([src/libvirt.c]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) +AH_BOTTOM([#include <config-post.h>]) AC_CONFIG_MACRO_DIR([m4]) dnl Make automake keep quiet about wildcards & other GNUmake-isms AM_INIT_AUTOMAKE([-Wno-portability tar-ustar]) Index: libvirt-1.1.2/daemon/Makefile.am =================================================================== --- libvirt-1.1.2.orig/daemon/Makefile.am +++ libvirt-1.1.2/daemon/Makefile.am @@ -18,6 +18,7 @@ INCLUDES = \ -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) \ -I$(top_builddir)/include -I$(top_srcdir)/include \ -I$(top_builddir)/src -I$(top_srcdir)/src \ -I$(top_srcdir)/src/util \ Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am =================================================================== --- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am +++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am @@ -15,7 +15,8 @@ ## <http://www.gnu.org/licenses/>. INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib + -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) noinst_PROGRAMS = event-test event_test_CFLAGS = $(WARN_CFLAGS) event_test_SOURCES = event-test.c Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am =================================================================== --- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am +++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am @@ -14,7 +14,7 @@ ## License along with this library. If not, see ## <http://www.gnu.org/licenses/>. -INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include +INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) noinst_PROGRAMS = hellolibvirt hellolibvirt_CFLAGS = $(WARN_CFLAGS) hellolibvirt_SOURCES = hellolibvirt.c Index: libvirt-1.1.2/examples/openauth/Makefile.am =================================================================== --- libvirt-1.1.2.orig/examples/openauth/Makefile.am +++ libvirt-1.1.2/examples/openauth/Makefile.am @@ -14,7 +14,7 @@ ## License along with this library. If not, see ## <http://www.gnu.org/licenses/>. -INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include +INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir) noinst_PROGRAMS = openauth openauth_CFLAGS = $(WARN_CFLAGS) openauth_SOURCES = openauth.c Index: libvirt-1.1.2/gnulib/lib/Makefile.am =================================================================== --- libvirt-1.1.2.orig/gnulib/lib/Makefile.am +++ libvirt-1.1.2/gnulib/lib/Makefile.am @@ -27,4 +27,4 @@ noinst_LTLIBRARIES = include gnulib.mk -INCLUDES = $(GETTEXT_CPPFLAGS) +INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS) Index: libvirt-1.1.2/python/Makefile.am =================================================================== --- libvirt-1.1.2.orig/python/Makefile.am +++ libvirt-1.1.2/python/Makefile.am @@ -20,6 +20,7 @@ INCLUDES = \ $(PYTHON_INCLUDES) \ -I$(top_builddir)/gnulib/lib \ -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/src/util \ Index: libvirt-1.1.2/src/Makefile.am =================================================================== --- libvirt-1.1.2.orig/src/Makefile.am +++ libvirt-1.1.2/src/Makefile.am @@ -21,6 +21,7 @@ # that actually use them. Also keep GETTEXT_CPPFLAGS at the end. INCLUDES = -I../gnulib/lib \ -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) \ -I../include \ -I$(top_srcdir)/include \ -I$(top_srcdir)/src/util \ @@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \ libvirt_lxc_la_CFLAGS = $(AM_CFLAGS) libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) +# Since virt-login-shell will be setuid, we must do everything +# we can to avoid linking to other libraries. Many of them do +# unsafe things in functions marked __atttribute__((constructor)). +# This library is built to include the bare minimum required to +# have a RPC client for local UNIX socket access only. We use +# the ../config-post.h header to disable all external deps that +# we don't want +if WITH_LXC +noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la + +libvirt_setuid_rpc_client_la_SOURCES = \ + util/viralloc.c \ + util/virbitmap.c \ + util/virbuffer.c \ + util/vircommand.c \ + util/virconf.c \ + util/virerror.c \ + util/virevent.c \ + util/vireventpoll.c \ + util/virfile.c \ + util/virhash.c \ + util/virhashcode.c \ + util/virjson.c \ + util/virlog.c \ + util/virobject.c \ + util/virpidfile.c \ + util/virprocess.c \ + util/virrandom.c \ + util/virsocketaddr.c \ + util/virstoragefile.c \ + util/virstring.c \ + util/virtime.c \ + util/virthread.c \ + util/virtypedparam.c \ + util/viruri.c \ + util/virutil.c \ + util/viruuid.c \ + conf/domain_event.c \ + rpc/virnetsocket.c \ + rpc/virnetsocket.h \ + rpc/virnetmessage.h \ + rpc/virnetmessage.c \ + rpc/virkeepalive.c \ + rpc/virkeepalive.h \ + rpc/virnetclient.c \ + rpc/virnetclientprogram.c \ + rpc/virnetclientstream.c \ + rpc/virnetprotocol.c \ + remote/remote_driver.c \ + remote/remote_protocol.c \ + remote/qemu_protocol.c \ + remote/lxc_protocol.c \ + datatypes.c \ + libvirt.c \ + libvirt-lxc.c \ + $(NULL) + +libvirt_setuid_rpc_client_la_LDFLAGS = \ + $(AM_LDFLAGS) \ + $(LIBXML_LIBS) \ + $(SELINUX_LIBS) \ + $(NULL) +libvirt_setuid_rpc_client_la_CFLAGS = \ + -DLIBVIRT_SETUID_RPC_CLIENT \ + -I$(top_srcdir)/src/conf \ + -I$(top_srcdir)/src/rpc \ + $(AM_CFLAGS) \ + $(SELINUX_CFLAGS) \ + $(NULL) +endif WITH_LXC + lockdriverdir = $(libdir)/libvirt/lock-driver lockdriver_LTLIBRARIES = Index: libvirt-1.1.2/src/libvirt.c =================================================================== --- libvirt-1.1.2.orig/src/libvirt.c +++ libvirt-1.1.2/src/libvirt.c @@ -446,40 +446,46 @@ virGlobalInit(void) goto error; /* + * Note we must avoid everything except 'remote' driver + * for virt-login-shell usage + */ +#ifndef LIBVIRT_SETUID_RPC_CLIENT + /* * Note that the order is important: the first ones have a higher * priority when calling virConnectOpen. */ -#ifdef WITH_TEST +# ifdef WITH_TEST if (testRegister() == -1) goto error; -#endif -#ifdef WITH_OPENVZ +# endif +# ifdef WITH_OPENVZ if (openvzRegister() == -1) goto error; -#endif -#ifdef WITH_VMWARE +# endif +# ifdef WITH_VMWARE if (vmwareRegister() == -1) goto error; -#endif -#ifdef WITH_PHYP +# endif +# ifdef WITH_PHYP if (phypRegister() == -1) goto error; -#endif -#ifdef WITH_ESX +# endif +# ifdef WITH_ESX if (esxRegister() == -1) goto error; -#endif -#ifdef WITH_HYPERV +# endif +# ifdef WITH_HYPERV if (hypervRegister() == -1) goto error; -#endif -#ifdef WITH_XENAPI +# endif +# ifdef WITH_XENAPI if (xenapiRegister() == -1) goto error; -#endif -#ifdef WITH_PARALLELS +# endif +# ifdef WITH_PARALLELS if (parallelsRegister() == -1) goto error; +# endif #endif #ifdef WITH_REMOTE if (remoteRegister() == -1) Index: libvirt-1.1.2/tools/Makefile.am =================================================================== --- libvirt-1.1.2.orig/tools/Makefile.am +++ libvirt-1.1.2/tools/Makefile.am @@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \ $(COVERAGE_CFLAGS) \ $(NULL) +# Since virt-login-shell will be setuid, we must do everything +# we can to avoid linking to other libraries. Many of them do +# unsafe things in functions marked __atttribute__((constructor)). +# This we statically link to a library containing only the minimal +# libvirt client code, not libvirt.so itself. virt_login_shell_SOURCES = \ virt-login-shell.c @@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \ virt_login_shell_LDADD = \ $(STATIC_BINARIES) \ $(PIE_LDFLAGS) \ - ../src/libvirt.la \ - ../src/libvirt-lxc.la \ + ../src/libvirt-setuid-rpc-client.la \ ../gnulib/lib/libgnu.la virt_login_shell_CFLAGS = \ + -DLIBVIRT_SETUID_RPC_CLIENT \ $(WARN_CFLAGS) \ $(PIE_CFLAGS) \ $(COVERAGE_CFLAGS) ++++++ 3e745e8f-CVE-2014-3633.patch ++++++ commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b Author: Peter Krempa <pkrempa(a)redhat.com> Date: Thu Sep 11 16:35:53 2014 +0200 CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk Live definition was used to look up the disk index while persistent one was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the correct def and report a nice error. Unfortunately it's accessible via read-only connection, though it can only crash libvirtd in the cases where the guest is hot-plugging disks without reflecting those changes to the persistent definition. So avoiding hotplug, or doing hotplug where persistent is always modified alongside live definition, will avoid the out-of-bounds access. Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724 Reported-by: Luyao Huang <lhuang(a)redhat.com> Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -14873,9 +14873,13 @@ qemuDomainGetBlockIoTune(virDomainPtr do } if (flags & VIR_DOMAIN_AFFECT_CONFIG) { - int idx = virDomainDiskIndexByName(vm->def, disk, true); - if (idx < 0) + int idx = virDomainDiskIndexByName(persistentDef, disk, true); + if (idx < 0) { + virReportError(VIR_ERR_INVALID_ARG, + _("disk '%s' was not found in the domain config"), + disk); goto endjob; + } reply = persistentDef->disks[idx]->blkdeviotune; } ++++++ 484cc321-CVE-2013-7336.patch ++++++ commit b6ea7abcf72d7d0aaf90e17aa8e8e88db8f778ea Author: Martin Kletzander <mkletzan(a)redhat.com> Date: Fri Sep 20 16:40:20 2013 +0200 qemu: Fix seamless SPICE migration Since the wait is done during migration (still inside QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such in order to prohibit all other jobs from interfering in the meantime. This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was waiting on the monitor condition and after GetSpiceMigrationStatus mangled its internal data, the daemon crashed. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886 (cherry picked from commit 484cc3217b73b865f00bf42a9c12187b37200699) Index: libvirt-1.1.2/src/qemu/qemu_migration.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_migration.c +++ libvirt-1.1.2/src/qemu/qemu_migration.c @@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP /* Poll every 50ms for progress & to allow cancellation */ struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull }; - qemuDomainObjEnterMonitor(driver, vm); + if (qemuDomainObjEnterMonitorAsync(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_OUT) < 0) + return -1; + if (qemuMonitorGetSpiceMigrationStatus(priv->mon, &spice_migrated) < 0) { qemuDomainObjExitMonitor(driver, vm); ++++++ 4dd3a7d-CVE-2013-6456.patch ++++++ >From eae2a2ada81c5828991bb1b9438f7556a7e51ce8 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 15:59:20 +0000 Subject: [PATCH 10/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC disk hotplug Rewrite lxcDomainAttachDeviceDiskLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 4dd3a7d5bc44980135a1b11810ba9aeab42a4a59) --- src/lxc/lxc_driver.c | 185 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 141 insertions(+), 44 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3059,6 +3059,115 @@ cleanup: } +struct lxcDomainAttachDeviceMknodData { + virLXCDriverPtr driver; + mode_t mode; + dev_t dev; + virDomainObjPtr vm; + virDomainDeviceDefPtr def; + char *file; +}; + +static int +lxcDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED, + void *opaque) +{ + struct lxcDomainAttachDeviceMknodData *data = opaque; + int ret = -1; + + virSecurityManagerPostFork(data->driver->securityManager); + + if (virFileMakeParentPath(data->file) < 0) { + virReportSystemError(errno, + _("Unable to create %s"), data->file); + goto cleanup; + } + + /* Yes, the device name we're creating may not + * actually correspond to the major:minor number + * we're using, but we've no other option at this + * time. Just have to hope that containerized apps + * don't get upset that the major:minor is different + * to that normally implied by the device name + */ + VIR_DEBUG("Creating dev %s (%d,%d)", + data->file, major(data->dev), minor(data->dev)); + if (mknod(data->file, data->mode, data->dev) < 0) { + virReportSystemError(errno, + _("Unable to create device %s"), + data->file); + goto cleanup; + } + + if (lxcContainerChown(data->vm->def, data->file) < 0) + goto cleanup; + + /* Labelling normally operates on src, but we need + * to actually label the dst here, so hack the config */ + switch (data->def->type) { + case VIR_DOMAIN_DEVICE_DISK: { + virDomainDiskDefPtr def = data->def->data.disk; + char *tmpsrc = def->src; + def->src = data->file; + if (virSecurityManagerSetImageLabel(data->driver->securityManager, + data->vm->def, def) < 0) { + def->src = tmpsrc; + goto cleanup; + } + def->src = tmpsrc; + } break; + + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unexpected device type %d"), + data->def->type); + goto cleanup; + } + + ret = 0; + + cleanup: + if (ret < 0) + unlink(data->file); + return ret; +} + + +static int +lxcDomainAttachDeviceMknod(virLXCDriverPtr driver, + mode_t mode, + dev_t dev, + virDomainObjPtr vm, + virDomainDeviceDefPtr def, + char *file) +{ + virLXCDomainObjPrivatePtr priv = vm->privateData; + struct lxcDomainAttachDeviceMknodData data; + + memset(&data, 0, sizeof(data)); + + data.driver = driver; + data.mode = mode; + data.dev = dev; + data.vm = vm; + data.def = def; + data.file = file; + + if (virSecurityManagerPreFork(driver->securityManager) < 0) + return -1; + + if (virProcessRunInMountNamespace(priv->initpid, + lxcDomainAttachDeviceMknodHelper, + &data) < 0) { + virSecurityManagerPostFork(driver->securityManager); + return -1; + } + + virSecurityManagerPostFork(driver->securityManager); + return 0; +} + + static int lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver, virDomainObjPtr vm, @@ -3067,11 +3176,9 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainDiskDefPtr def = dev->data.disk; int ret = -1; - char *dst = NULL; struct stat sb; - bool created = false; - mode_t mode = 0; - char *tmpsrc = def->src; + char *file = NULL; + int perms; if (!priv->initpid) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", @@ -3115,51 +3222,44 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv goto cleanup; } - if (virAsprintf(&dst, "/proc/%llu/root/dev/%s", - (unsigned long long)priv->initpid, def->dst) < 0) - goto cleanup; - - if (VIR_REALLOC_N(vm->def->disks, vm->def->ndisks+1) < 0) - goto cleanup; - - mode = 0700 | S_IFBLK; - - /* Yes, the device name we're creating may not - * actually correspond to the major:minor number - * we're using, but we've no other option at this - * time. Just have to hope that containerized apps - * don't get upset that the major:minor is different - * to that normally implied by the device name - */ - VIR_DEBUG("Creating dev %s (%d,%d) from %s", - dst, major(sb.st_rdev), minor(sb.st_rdev), def->src); - if (mknod(dst, mode, sb.st_rdev) < 0) { - virReportSystemError(errno, - _("Unable to create device %s"), - dst); + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("devices cgroup isn't mounted")); goto cleanup; } - if (lxcContainerChown(vm->def, dst) < 0) - goto cleanup; - - created = true; - - /* Labelling normally operates on src, but we need - * to actally label the dst here, so hack the config */ - def->src = dst; - if (virSecurityManagerSetImageLabel(driver->securityManager, - vm->def, def) < 0) - goto cleanup; - - if (virCgroupAllowDevicePath(priv->cgroup, def->src, - (def->readonly ? - VIR_CGROUP_DEVICE_READ : - VIR_CGROUP_DEVICE_RW) | - VIR_CGROUP_DEVICE_MKNOD) != 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot allow device %s for domain %s"), - def->src, vm->def->name); + perms = (def->readonly ? + VIR_CGROUP_DEVICE_READ : + VIR_CGROUP_DEVICE_RW) | + VIR_CGROUP_DEVICE_MKNOD; + + if (virCgroupAllowDevice(priv->cgroup, + 'b', + major(sb.st_rdev), + minor(sb.st_rdev), + perms) < 0) + goto cleanup; + + if (VIR_REALLOC_N(vm->def->disks, vm->def->ndisks + 1) < 0) + goto cleanup; + + if (virAsprintf(&file, + "/dev/%s", def->dst) < 0) + goto cleanup; + + if (lxcDomainAttachDeviceMknod(driver, + 0700 | S_IFBLK, + sb.st_rdev, + vm, + dev, + file) < 0) { + if (virCgroupDenyDevice(priv->cgroup, + 'b', + major(sb.st_rdev), + minor(sb.st_rdev), + perms) < 0) + VIR_WARN("cannot deny device %s for domain %s", + def->src, vm->def->name); goto cleanup; } @@ -3168,10 +3268,8 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv ret = 0; cleanup: - def->src = tmpsrc; virDomainAuditDisk(vm, NULL, def->src, "attach", ret == 0); - if (dst && created && ret < 0) - unlink(dst); + VIR_FREE(file); return ret; } ++++++ 4e7fc83-bnc852005.patch ++++++ >From 4e7fc8305a53676ba2362bfaa8ca05c4851b7e12 Mon Sep 17 00:00:00 2001 From: Michal Privoznik <mprivozn(a)redhat.com> Date: Fri, 21 Feb 2014 12:46:08 +0100 Subject: [PATCH] libvirt-guests: Wait for libvirtd to initialize I've noticed that in some cases systemd was quick enough and even if libvirt-guests.service is marked to be started after the libvirtd.service my guests were not resumed as libvirt-guests.sh failed to connect. This is because of a simple fact: systemd correctly starts libvirt-guests after it execs libvirtd. However, the daemon is not able to accept connections right from the start. It's doing some initialization which may take ages. This problem is not limited to systemd only, indeed. Any init system that is able to startup services in parallel (e.g. OpenRC) may run into this situation. The fix is to try connecting not only once, but continuously a few times with a small sleep in between tries. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- tools/libvirt-guests.sh.in | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) Index: libvirt-1.1.2/tools/libvirt-guests.sh.in =================================================================== --- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in +++ libvirt-1.1.2/tools/libvirt-guests.sh.in @@ -37,6 +37,8 @@ SHUTDOWN_TIMEOUT=300 PARALLEL_SHUTDOWN=0 START_DELAY=0 BYPASS_CACHE=0 +CONNECT_RETRIES=10 +RETRIES_SLEEP=1 test -f "$sysconfdir"/sysconfig/libvirt-guests && . "$sysconfdir"/sysconfig/libvirt-guests @@ -87,12 +89,17 @@ test_connect() { uri=$1 - run_virsh "$uri" connect 2>/dev/null - if [ $? -ne 0 ]; then - eval_gettext "Can't connect to \$uri. Skipping." - echo - return 1 - fi + for ((i = 0; i < ${CONNECT_RETRIES}; i++)); do + run_virsh "$uri" connect 2>/dev/null + if [ $? -eq 0 ]; then + return 0; + fi + sleep ${RETRIES_SLEEP} + eval_gettext "Unable to connect to libvirt currently. Retrying .. \$i" + done + eval_gettext "Can't connect to \$uri. Skipping." + echo + return 1 } # list_guests URI PERSISTENT ++++++ 52c40003-CVE-2013-6457.patch ++++++ commit 52c40003805f1702f103095dc5c3d00cf38e7a82 Author: Dario Faggioli <dario.faggioli(a)citrix.com> Date: Fri Dec 20 16:29:47 2013 +0100 libxl: avoid crashing if calling `virsh numatune' on inactive domain by, in libxlDomainGetNumaParameters(), calling libxl_bitmap_init() as soon as possible, which avoids getting to 'cleanup:', where libxl_bitmap_dispose() happens, without having initialized the nodemap, and hence crashing after some invalid free()-s: # ./daemon/libvirtd -v *** Error in `/home/xen/libvirt.git/daemon/.libs/lt-libvirtd': munmap_chunk(): invalid pointer: 0x00007fdd42592666 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7bbe7)[0x7fdd3f767be7] /lib64/libxenlight.so.4.3(libxl_bitmap_dispose+0xd)[0x7fdd2c88c045] /home/xen/libvirt.git/daemon/.libs/../../src/.libs/libvirt_driver_libxl.so(+0x12d26)[0x7fdd2caccd26] /home/xen/libvirt.git/src/.libs/libvirt.so.0(virDomainGetNumaParameters+0x15c)[0x7fdd4247898c] /home/xen/libvirt.git/daemon/.libs/lt-libvirtd(+0x1d9a2)[0x7fdd42ecc9a2] /home/xen/libvirt.git/src/.libs/libvirt.so.0(virNetServerProgramDispatch+0x3da)[0x7fdd424e9eaa] /home/xen/libvirt.git/src/.libs/libvirt.so.0(+0x1a6f38)[0x7fdd424e3f38] /home/xen/libvirt.git/src/.libs/libvirt.so.0(+0xa81e5)[0x7fdd423e51e5] /home/xen/libvirt.git/src/.libs/libvirt.so.0(+0xa783e)[0x7fdd423e483e] /lib64/libpthread.so.0(+0x7c53)[0x7fdd3febbc53] /lib64/libc.so.6(clone+0x6d)[0x7fdd3f7e1dbd] Signed-off-by: Dario Faggili <dario.faggioli(a)citrix.com> Cc: Jim Fehlig <jfehlig(a)suse.com> Cc: Ian Jackson <Ian.Jackson(a)eu.citrix.com> (cherry picked from commit f9ee91d35510ccbc6fc42cef8864b291b2d220f4) Conflicts: src/libxl/libxl_driver.c Index: libvirt-1.1.2/src/libxl/libxl_driver.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_driver.c +++ libvirt-1.1.2/src/libxl/libxl_driver.c @@ -4682,6 +4682,8 @@ libxlDomainGetNumaParameters(virDomainPt * the filtering on behalf of older clients that can't parse it. */ flags &= ~VIR_TYPED_PARAM_STRING_OKAY; + libxl_bitmap_init(&nodemap); + libxlDriverLock(driver); vm = virDomainObjListFindByUUID(driver->domains, dom->uuid); libxlDriverUnlock(driver); @@ -4703,8 +4705,6 @@ libxlDomainGetNumaParameters(virDomainPt priv = vm->privateData; - libxl_bitmap_init(&nodemap); - if ((*nparams) == 0) { *nparams = LIBXL_NUMA_NPARAM; ret = 0; ++++++ 54cb7f05-CVE-2013-6458.patch ++++++ commit 54cb7f05ec5c822bb786833367dc80327648f2c0 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Fri Dec 20 14:50:02 2013 +0100 qemu: Avoid using stale data in virDomainGetBlockInfo CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message. (cherry picked from commit b799259583bd65c0b2f5042e6c3ff19637ade881) Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -9706,10 +9706,12 @@ cleanup: } -static int qemuDomainGetBlockInfo(virDomainPtr dom, - const char *path, - virDomainBlockInfoPtr info, - unsigned int flags) { +static int +qemuDomainGetBlockInfo(virDomainPtr dom, + const char *path, + virDomainBlockInfoPtr info, + unsigned int flags) +{ virQEMUDriverPtr driver = dom->conn->privateData; virDomainObjPtr vm; int ret = -1; @@ -9721,6 +9723,7 @@ static int qemuDomainGetBlockInfo(virDom int idx; int format; virQEMUDriverConfigPtr cfg = NULL; + char *alias = NULL; virCheckFlags(0, -1); @@ -9827,13 +9830,16 @@ static int qemuDomainGetBlockInfo(virDom virDomainObjIsActive(vm)) { qemuDomainObjPrivatePtr priv = vm->privateData; + if (VIR_STRDUP(alias, disk->info.alias) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0) goto cleanup; if (virDomainObjIsActive(vm)) { qemuDomainObjEnterMonitor(driver, vm); ret = qemuMonitorGetBlockExtent(priv->mon, - disk->info.alias, + alias, &info->allocation); qemuDomainObjExitMonitor(driver, vm); } else { @@ -9847,6 +9853,7 @@ static int qemuDomainGetBlockInfo(virDom } cleanup: + VIR_FREE(alias); virStorageFileFreeMetadata(meta); VIR_FORCE_CLOSE(fd); if (vm) ++++++ 57687fd6-CVE-2013-4401.patch ++++++ commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Thu Oct 3 16:37:57 2013 +0100 Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401) The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/libvirt.c =================================================================== --- libvirt-1.1.2.orig/src/libvirt.c +++ libvirt-1.1.2/src/libvirt.c @@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC virDispatchError(NULL); return NULL; } + if (conn->flags & VIR_CONNECT_RO) { + virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); + goto error; + } virCheckNonNullArgGoto(nativeFormat, error); virCheckNonNullArgGoto(nativeConfig, error); Index: libvirt-1.1.2/src/remote/remote_protocol.x =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_protocol.x +++ libvirt-1.1.2/src/remote/remote_protocol.x @@ -3812,13 +3812,13 @@ enum remote_procedure { /** * @generate: both - * @acl: connect:read + * @acl: connect:write */ REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135, /** * @generate: both - * @acl: connect:read + * @acl: connect:write */ REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136, ++++++ 5a0ea4b7-CVE-2013-4400.patch ++++++ commit 5a0ea4b7b9af2231ed161b94f9af65375c6ee9c2 Author: Jim Fehlig <jfehlig(a)suse.com> Date: Mon Oct 21 15:36:11 2013 -0600 build: fix linking virt-login-shell After commit 3e2f27e1, I've noticed build failures of virt-login-shell when libapparmor-devel is installed on the build host CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status I was about to commit an easy fix under the build-breaker rule (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it makes sense (build-fix-2.patch). Should I just stick with the simple fix, or is something along the lines of patch 2 preferred? Regards, Jim >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001 From: Jim Fehlig <jfehlig(a)suse.com> Date: Mon, 21 Oct 2013 15:30:02 -0600 Subject: [PATCH] build: fix virt-login-shell build with apparmor With libapparmor-devel installed, virt-login-shell fails to link CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status Fix by linking libvirt_setuid_rpc_client with previously determined SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS and use both throughout src/Makefile.am where it makes sense. Signed-off-by: Jim Fehlig <jfehlig(a)suse.com> Index: libvirt-1.1.2/src/Makefile.am =================================================================== --- libvirt-1.1.2.orig/src/Makefile.am +++ libvirt-1.1.2/src/Makefile.am @@ -49,11 +49,14 @@ nodist_conf_DATA = THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD) +SECDRIVER_CFLAGS = SECDRIVER_LIBS = if WITH_SECDRIVER_SELINUX +SECDRIVER_CFLAGS += $(SELINUX_CFLAGS) SECDRIVER_LIBS += $(SELINUX_LIBS) endif if WITH_SECDRIVER_APPARMOR +SECDRIVER_CFLAGS += $(APPARMOR_CFLAGS) SECDRIVER_LIBS += $(APPARMOR_LIBS) endif @@ -1978,14 +1981,14 @@ libvirt_setuid_rpc_client_la_SOURCES = libvirt_setuid_rpc_client_la_LDFLAGS = \ $(AM_LDFLAGS) \ $(LIBXML_LIBS) \ - $(SELINUX_LIBS) \ + $(SECDRIVER_LIBS) \ $(NULL) libvirt_setuid_rpc_client_la_CFLAGS = \ -DLIBVIRT_SETUID_RPC_CLIENT \ -I$(top_srcdir)/src/conf \ -I$(top_srcdir)/src/rpc \ $(AM_CFLAGS) \ - $(SELINUX_CFLAGS) \ + $(SECDRIVER_CFLAGS) \ $(NULL) endif WITH_LXC @@ -2268,6 +2271,7 @@ libvirt_net_rpc_la_LDFLAGS = \ $(GNUTLS_LIBS) \ $(SASL_LIBS) \ $(SSH2_LIBS)\ + $(SECDRIVER_LIBS) \ $(AM_LDFLAGS) \ $(CYGWIN_EXTRA_LDFLAGS) \ $(MINGW_EXTRA_LDFLAGS) @@ -2410,12 +2414,7 @@ if WITH_BLKID libvirt_lxc_CFLAGS += $(BLKID_CFLAGS) libvirt_lxc_LDADD += $(BLKID_LIBS) endif -if WITH_SECDRIVER_SELINUX -libvirt_lxc_CFLAGS += $(SELINUX_CFLAGS) -endif -if WITH_SECDRIVER_APPARMOR -libvirt_lxc_CFLAGS += $(APPARMOR_CFLAGS) -endif +libvirt_lxc_CFLAGS += $(SECDRIVER_CFLAGS) endif endif EXTRA_DIST += $(LXC_CONTROLLER_SOURCES) ++++++ 5fc590a-CVE-2013-6456.patch ++++++ >From f639b2d17ce935b650bb2aca7bdd8d727cab8b02 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 17:58:36 +0000 Subject: [PATCH 14/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC hotunplug code Rewrite multiple hotunplug functions to to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with an absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 5fc590ad9f4071350a8df4d567ba88baacc8334d) --- src/lxc/lxc_driver.c | 79 ++++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 40 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3176,6 +3176,39 @@ lxcDomainAttachDeviceMknod(virLXCDriverP static int +lxcDomainAttachDeviceUnlinkHelper(pid_t pid ATTRIBUTE_UNUSED, + void *opaque) +{ + const char *path = opaque; + + VIR_DEBUG("Unlinking %s", path); + if (unlink(path) < 0 && errno != ENOENT) { + virReportSystemError(errno, + _("Unable to remove device %s"), path); + return -1; + } + + return 0; +} + + +static int +lxcDomainAttachDeviceUnlink(virDomainObjPtr vm, + char *file) +{ + virLXCDomainObjPrivatePtr priv = vm->privateData; + + if (virProcessRunInMountNamespace(priv->initpid, + lxcDomainAttachDeviceUnlinkHelper, + file) < 0) { + return -1; + } + + return 0; +} + + +static int lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver, virDomainObjPtr vm, virDomainDeviceDefPtr dev) @@ -3766,8 +3799,7 @@ lxcDomainDetachDeviceDiskLive(virDomainO def = vm->def->disks[idx]; - if (virAsprintf(&dst, "/proc/%llu/root/dev/%s", - (unsigned long long)priv->initpid, def->dst) < 0) + if (virAsprintf(&dst, "/dev/%s", def->dst) < 0) goto cleanup; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { @@ -3776,11 +3808,8 @@ lxcDomainDetachDeviceDiskLive(virDomainO goto cleanup; } - VIR_DEBUG("Unlinking %s (backed by %s)", dst, def->src); - if (unlink(dst) < 0 && errno != ENOENT) { + if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) { virDomainAuditDisk(vm, def->src, NULL, "detach", false); - virReportSystemError(errno, - _("Unable to remove device %s"), dst); goto cleanup; } virDomainAuditDisk(vm, def->src, NULL, "detach", true); @@ -3875,7 +3904,6 @@ lxcDomainDetachDeviceHostdevUSBLive(virL virDomainHostdevDefPtr def = NULL; int idx, ret = -1; char *dst = NULL; - char *vroot; virUSBDevicePtr usb = NULL; if ((idx = virDomainHostdevFind(vm->def, @@ -3886,12 +3914,7 @@ lxcDomainDetachDeviceHostdevUSBLive(virL goto cleanup; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - - if (virAsprintf(&dst, "%s/dev/bus/usb/%03d/%03d", - vroot, + if (virAsprintf(&dst, "/dev/bus/usb/%03d/%03d", def->source.subsys.u.usb.bus, def->source.subsys.u.usb.device) < 0) goto cleanup; @@ -3906,11 +3929,8 @@ lxcDomainDetachDeviceHostdevUSBLive(virL def->source.subsys.u.usb.device, NULL))) goto cleanup; - VIR_DEBUG("Unlinking %s", dst); - if (unlink(dst) < 0 && errno != ENOENT) { + if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) { virDomainAuditHostdev(vm, def, "detach", false); - virReportSystemError(errno, - _("Unable to remove device %s"), dst); goto cleanup; } virDomainAuditHostdev(vm, def, "detach", true); @@ -3944,7 +3964,6 @@ lxcDomainDetachDeviceHostdevStorageLive( virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainHostdevDefPtr def = NULL; int idx, ret = -1; - char *dst = NULL; if (!priv->initpid) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", @@ -3961,22 +3980,14 @@ lxcDomainDetachDeviceHostdevStorageLive( goto cleanup; } - if (virAsprintf(&dst, "/proc/%llu/root/%s", - (unsigned long long)priv->initpid, - def->source.caps.u.storage.block) < 0) - goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("devices cgroup isn't mounted")); goto cleanup; } - VIR_DEBUG("Unlinking %s", dst); - if (unlink(dst) < 0 && errno != ENOENT) { + if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.storage.block) < 0) { virDomainAuditHostdev(vm, def, "detach", false); - virReportSystemError(errno, - _("Unable to remove device %s"), dst); goto cleanup; } virDomainAuditHostdev(vm, def, "detach", true); @@ -3991,7 +4002,6 @@ lxcDomainDetachDeviceHostdevStorageLive( ret = 0; cleanup: - VIR_FREE(dst); return ret; } @@ -4003,7 +4013,6 @@ lxcDomainDetachDeviceHostdevMiscLive(vir virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainHostdevDefPtr def = NULL; int idx, ret = -1; - char *dst = NULL; if (!priv->initpid) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", @@ -4020,22 +4029,14 @@ lxcDomainDetachDeviceHostdevMiscLive(vir goto cleanup; } - if (virAsprintf(&dst, "/proc/%llu/root/%s", - (unsigned long long)priv->initpid, - def->source.caps.u.misc.chardev) < 0) - goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("devices cgroup isn't mounted")); goto cleanup; } - VIR_DEBUG("Unlinking %s", dst); - if (unlink(dst) < 0 && errno != ENOENT) { + if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.misc.chardev) < 0) { virDomainAuditHostdev(vm, def, "detach", false); - virReportSystemError(errno, - _("Unable to remove device %s"), dst); goto cleanup; } virDomainAuditHostdev(vm, def, "detach", true); @@ -4050,7 +4051,6 @@ lxcDomainDetachDeviceHostdevMiscLive(vir ret = 0; cleanup: - VIR_FREE(dst); return ret; } ++++++ 68954fb-bnc852005.patch ++++++ >From 68954fb25c4a75c5c2c213f57927eb188cca2239 Mon Sep 17 00:00:00 2001 From: Michal Privoznik <mprivozn(a)redhat.com> Date: Fri, 21 Feb 2014 13:06:42 +0100 Subject: [PATCH] virNetServerRun: Notify systemd that we're accepting clients Systemd does not forget about the cases, where client service needs to wait for daemon service to initialize and start accepting new clients. Setting a dependency in client is not enough as systemd doesn't know when the daemon has initialized itself and started accepting new clients. However, it offers a mechanism to solve this. The daemon needs to call a special systemd function by which the daemon tells "I'm ready to accept new clients". This is exactly what we need with libvirtd-guests (client) and libvirtd (daemon). So now, with this change, libvirt-guests.service is invoked not any sooner than libvirtd.service calls the systemd notify function. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- configure.ac | 2 ++ daemon/libvirtd.service.in | 1 + m4/virt-systemd-daemon.m4 | 34 ++++++++++++++++++++++++++++++++++ src/Makefile.am | 4 ++-- src/libvirt_private.syms | 1 + src/rpc/virnetserver.c | 5 +++++ src/util/virsystemd.c | 12 ++++++++++++ src/util/virsystemd.h | 2 ++ 8 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 m4/virt-systemd-daemon.m4 Index: libvirt-1.1.2/configure.ac =================================================================== --- libvirt-1.1.2.orig/configure.ac +++ libvirt-1.1.2/configure.ac @@ -181,6 +181,7 @@ LIBVIRT_CHECK_SANLOCK LIBVIRT_CHECK_SASL LIBVIRT_CHECK_SELINUX LIBVIRT_CHECK_SSH2 +LIBVIRT_CHECK_SYSTEMD_DAEMON LIBVIRT_CHECK_UDEV LIBVIRT_CHECK_YAJL @@ -2616,6 +2617,7 @@ LIBVIRT_RESULT_SANLOCK LIBVIRT_RESULT_SASL LIBVIRT_RESULT_SELINUX LIBVIRT_RESULT_SSH2 +LIBVIRT_RESULT_SYSTEMD_DAEMON LIBVIRT_RESULT_UDEV LIBVIRT_RESULT_YAJL AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS]) Index: libvirt-1.1.2/daemon/libvirtd.service.in =================================================================== --- libvirt-1.1.2.orig/daemon/libvirtd.service.in +++ libvirt-1.1.2/daemon/libvirtd.service.in @@ -11,6 +11,7 @@ After=dbus.service After=iscsid.service [Service] +Type=notify EnvironmentFile=-/etc/sysconfig/libvirtd ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS ExecReload=/bin/kill -HUP $MAINPID Index: libvirt-1.1.2/m4/virt-systemd-daemon.m4 =================================================================== --- /dev/null +++ libvirt-1.1.2/m4/virt-systemd-daemon.m4 @@ -0,0 +1,34 @@ +dnl The libsystemd-daemon.so library +dnl +dnl Copyright (C) 2012-2013 Red Hat, Inc. +dnl +dnl This library is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU Lesser General Public +dnl License as published by the Free Software Foundation; either +dnl version 2.1 of the License, or (at your option) any later version. +dnl +dnl This library is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl Lesser General Public License for more details. +dnl +dnl You should have received a copy of the GNU Lesser General Public +dnl License along with this library. If not, see +dnl <http://www.gnu.org/licenses/>. +dnl + +AC_DEFUN([LIBVIRT_CHECK_SYSTEMD_DAEMON],[ + LIBVIRT_CHECK_PKG([SYSTEMD_DAEMON], [libsystemd-daemon], [0.27.1]) + + old_CFLAGS="$CFLAGS" + old_LIBS="$LIBS" + CFLAGS="$CFLAGS $SYSTEMD_DAEMON_CFLAGS" + LIBS="$LIBS $SYSTEMD_DAEMON_LIBS" + AC_CHECK_FUNCS([sd_notify]) + CFLAGS="$old_CFLAGS" + LIBS="$old_LIBS" +]) + +AC_DEFUN([LIBVIRT_RESULT_SYSTEMD_DAEMON],[ + LIBVIRT_RESULT_LIB([SYSTEMD_DAEMON]) +]) Index: libvirt-1.1.2/src/Makefile.am =================================================================== --- libvirt-1.1.2.orig/src/Makefile.am +++ libvirt-1.1.2/src/Makefile.am @@ -906,11 +906,11 @@ libvirt_util_la_SOURCES = \ libvirt_util_la_CFLAGS = $(CAPNG_CFLAGS) $(YAJL_CFLAGS) $(LIBNL_CFLAGS) \ $(AM_CFLAGS) $(AUDIT_CFLAGS) $(DEVMAPPER_CFLAGS) \ $(DBUS_CFLAGS) $(LDEXP_LIBM) $(NUMACTL_CFLAGS) \ - -I$(top_srcdir)/src/conf + $(SYSTEMD_DAEMON_CFLAGS) -I$(top_srcdir)/src/conf libvirt_util_la_LIBADD = $(CAPNG_LIBS) $(YAJL_LIBS) $(LIBNL_LIBS) \ $(THREAD_LIBS) $(AUDIT_LIBS) $(DEVMAPPER_LIBS) \ $(LIB_CLOCK_GETTIME) $(DBUS_LIBS) $(MSCOM_LIBS) $(LIBXML_LIBS) \ - $(SECDRIVER_LIBS) $(NUMACTL_LIBS) + $(SECDRIVER_LIBS) $(NUMACTL_LIBS) $(SYSTEMD_DAEMON_LIBS) noinst_LTLIBRARIES += libvirt_conf.la Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -1946,6 +1946,7 @@ virSystemdCreateMachine; virSystemdMakeMachineName; virSystemdMakeScopeName; virSystemdMakeSliceName; +virSystemdNotifyStartup; virSystemdTerminateMachine; Index: libvirt-1.1.2/src/rpc/virnetserver.c =================================================================== --- libvirt-1.1.2.orig/src/rpc/virnetserver.c +++ libvirt-1.1.2/src/rpc/virnetserver.c @@ -38,6 +38,7 @@ #include "virnetservermdns.h" #include "virdbus.h" #include "virstring.h" +#include "virsystemd.h" #ifndef SA_SIGINFO # define SA_SIGINFO 0 @@ -1085,6 +1086,10 @@ void virNetServerRun(virNetServerPtr srv goto cleanup; } + /* We are accepting connections now. Notify systemd + * so it can start dependent services. */ + virSystemdNotifyStartup(); + VIR_DEBUG("srv=%p quit=%d", srv, srv->quit); while (!srv->quit) { /* A shutdown timeout is specified, so check Index: libvirt-1.1.2/src/util/virsystemd.c =================================================================== --- libvirt-1.1.2.orig/src/util/virsystemd.c +++ libvirt-1.1.2/src/util/virsystemd.c @@ -21,6 +21,10 @@ #include <config.h> +#ifdef WITH_SYSTEMD_DAEMON +# include <systemd/sd-daemon.h> +#endif + #include "virsystemd.h" #include "virdbus.h" #include "virstring.h" @@ -305,3 +309,11 @@ cleanup: VIR_FREE(machinename); return ret; } + +void +virSystemdNotifyStartup(void) +{ +#ifdef WITH_SYSTEMD_DAEMON + sd_notify(0, "READY=1"); +#endif +} Index: libvirt-1.1.2/src/util/virsystemd.h =================================================================== --- libvirt-1.1.2.orig/src/util/virsystemd.h +++ libvirt-1.1.2/src/util/virsystemd.h @@ -46,4 +46,6 @@ int virSystemdTerminateMachine(const cha const char *drivername, bool privileged); +void virSystemdNotifyStartup(void); + #endif /* __VIR_SYSTEMD_H__ */ ++++++ 79552754-libvirtd-chardev-crash.patch ++++++ commit 795527548fea79902ea4ce32747e069944cf3e61 Author: Peter Krempa <pkrempa(a)redhat.com> Date: Thu Sep 26 08:12:39 2013 +0200 conf: Don't crash on invalid chardev source definition of RNGs and other Since commit 297c99a5 an invalid source definition XML of a character device that is used as backend for RNG devices, smartcards and redirdevs causes crash of the daemon when parsing such a definition. The device types mentioned above are not a part of a regular character device but are backends for other types. Thus when parsing such device NULL is passed as the argument @chr_def. Later when checking the validity of the definition @chr_def was dereferenced when parsing a UNIX socket backend with missing path of the socket and crashed the daemon. Sample offending configuration: <devices> ... <rng model='virtio'> <backend model='egd' type='unix'> <source mode='bind' service='1024'/> </backend> </rng> </devices> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196 Index: libvirt-1.1.2/src/conf/domain_conf.c =================================================================== --- libvirt-1.1.2.orig/src/conf/domain_conf.c +++ libvirt-1.1.2/src/conf/domain_conf.c @@ -7026,7 +7026,8 @@ virDomainChrSourceDefParseXML(virDomainC case VIR_DOMAIN_CHR_TYPE_UNIX: /* path can be auto generated */ if (!path && - chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) { + (!chr_def || + chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source path attribute for char device")); goto error; Index: libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml =================================================================== --- /dev/null +++ libvirt-1.1.2/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml @@ -0,0 +1,27 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219100</memory> + <currentMemory unit='KiB'>219100</currentMemory> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu</emulator> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <memballoon model='virtio'/> + <rng model='virtio'> + <backend model='egd' type='unix'> +  + <source mode='connect' host='1.2.3.4' service='1234'/> + </backend> + </rng> + </devices> +</domain> Index: libvirt-1.1.2/tests/qemuxml2argvtest.c =================================================================== --- libvirt-1.1.2.orig/tests/qemuxml2argvtest.c +++ libvirt-1.1.2/tests/qemuxml2argvtest.c @@ -973,6 +973,8 @@ mymain(void) QEMU_CAPS_OBJECT_RNG_RANDOM); DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); + DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE, + QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); DO_TEST("virtio-rng-ccw", QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW, ++++++ 7a44af9-CVE-2013-6456.patch ++++++ >From 8ee7bd55c2a27f1e1e995f078b639bfbb5a1f462 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Tue, 4 Feb 2014 16:21:12 +0000 Subject: [PATCH 01/14] Don't block use of USB with containers virDomainDefCompatibleDevice blocks use of USB if no USB controller is present. This is not correct for containers since devices can be assigned directly regardless of any controllers. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 7a44af963ef75c487f874bc91613ad45e5b167e9) --- src/conf/domain_conf.c | 1 + 1 file changed, 1 insertion(+) Index: libvirt-1.1.2/src/conf/domain_conf.c =================================================================== --- libvirt-1.1.2.orig/src/conf/domain_conf.c +++ libvirt-1.1.2/src/conf/domain_conf.c @@ -16996,6 +16996,7 @@ virDomainDefCompatibleDevice(virDomainDe virDomainDeviceDefPtr dev) { if (!virDomainDefHasUSB(def) && + STRNEQ(def->os.type, "exe") && virDomainDeviceIsUSB(dev)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Device configuration is not compatible: " ++++++ 7c72ef6-CVE-2013-6456.patch ++++++ >From f7b4d314c734908ca4f45e74aac10e7c2d711918 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 13:11:23 +0000 Subject: [PATCH 08/14] Add helper for running code in separate namespaces Implement virProcessRunInMountNamespace, which runs callback of type virProcessNamespaceCallback in a container namespace. This uses a child process to run the callback, since you can't change the mount namespace of a thread. This implies that callbacks have to be careful about what code they run due to async safety rules. Idea by Dan Berrange, based on an initial report by Reco <recoverym4n(a)gmail.com> at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394 Signed-off-by: Daniel Berrange <berrange(a)redhat.com> Signed-off-by: Eric Blake <eblake(a)redhat.com> (cherry picked from commit 7c72ef6f555f1f9844d51be2f38f078bc908652c) --- src/libvirt_private.syms | 1 + src/util/virprocess.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++ src/util/virprocess.h | 11 +++++ 3 files changed, 118 insertions(+) Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -1807,6 +1807,7 @@ virProcessGetNamespaces; virProcessGetStartTime; virProcessKill; virProcessKillPainfully; +virProcessRunInMountNamespace; virProcessSetAffinity; virProcessSetMaxFiles; virProcessSetMaxMemLock; Index: libvirt-1.1.2/src/util/virprocess.c =================================================================== --- libvirt-1.1.2.orig/src/util/virprocess.c +++ libvirt-1.1.2/src/util/virprocess.c @@ -46,6 +46,7 @@ #include "virlog.h" #include "virutil.h" #include "virstring.h" +#include "vircommand.h" #define VIR_FROM_THIS VIR_FROM_NONE @@ -847,3 +848,108 @@ int virProcessGetStartTime(pid_t pid, return 0; } #endif + + +#ifdef HAVE_SETNS +static int virProcessNamespaceHelper(int errfd, + pid_t pid, + virProcessNamespaceCallback cb, + void *opaque) +{ + char *path; + int fd = -1; + int ret = -1; + + if (virAsprintf(&path, "/proc/%llu/ns/mnt", (unsigned long long)pid) < 0) + goto cleanup; + + if ((fd = open(path, O_RDONLY)) < 0) { + virReportSystemError(errno, "%s", + _("Kernel does not provide mount namespace")); + goto cleanup; + } + + if (setns(fd, 0) < 0) { + virReportSystemError(errno, "%s", + _("Unable to enter mount namespace")); + goto cleanup; + } + + ret = cb(pid, opaque); + + cleanup: + if (ret < 0) { + virErrorPtr err = virGetLastError(); + if (err) { + size_t len = strlen(err->message) + 1; + ignore_value(safewrite(errfd, err->message, len)); + } + } + VIR_FREE(path); + VIR_FORCE_CLOSE(fd); + return ret; +} + +/* Run cb(opaque) in the mount namespace of pid. Return -1 with error + * message raised if we fail to run the child, if the child dies from + * a signal, or if the child has status 1; otherwise return the exit + * status of the child. The callback will be run in a child process + * so must be careful to only use async signal safe functions. + */ +int +virProcessRunInMountNamespace(pid_t pid, + virProcessNamespaceCallback cb, + void *opaque) +{ + int ret = -1; + pid_t child = -1; + int errfd[2] = { -1, -1 }; + + if (pipe(errfd) < 0) { + virReportSystemError(errno, "%s", + _("Cannot create pipe for child")); + return -1; + } + + ret = virFork(&child); + + if (ret < 0 || child < 0) { + if (child == 0) + _exit(1); + + /* parent */ + virProcessAbort(child); + goto cleanup; + } + + if (child == 0) { + VIR_FORCE_CLOSE(errfd[0]); + ret = virProcessNamespaceHelper(errfd[1], pid, + cb, opaque); + VIR_FORCE_CLOSE(errfd[1]); + _exit(ret < 0 ? 1 : 0); + } else { + char *buf = NULL; + VIR_FORCE_CLOSE(errfd[1]); + + ignore_value(virFileReadHeaderFD(errfd[0], 1024, &buf)); + ret = virProcessWait(child, NULL); + VIR_FREE(buf); + } + +cleanup: + VIR_FORCE_CLOSE(errfd[0]); + VIR_FORCE_CLOSE(errfd[1]); + return ret; +} +#else /* !HAVE_SETNS */ +int +virProcessRunInMountNamespace(pid_t pid ATTRIBUTE_UNUSED, + virProcessNamespaceCallback cb ATTRIBUTE_UNUSED, + void *opaque ATTRIBUTE_UNUSED) +{ + virReportSystemError(ENOSYS, "%s", + _("Mount namespaces are not available on this platform")); + return -1; +} +#endif Index: libvirt-1.1.2/src/util/virprocess.h =================================================================== --- libvirt-1.1.2.orig/src/util/virprocess.h +++ libvirt-1.1.2/src/util/virprocess.h @@ -60,4 +60,15 @@ int virProcessSetNamespaces(size_t nfdli int virProcessSetMaxMemLock(pid_t pid, unsigned long long bytes); int virProcessSetMaxProcesses(pid_t pid, unsigned int procs); int virProcessSetMaxFiles(pid_t pid, unsigned int files); + +/* Callback to run code within the mount namespace tied to the given + * pid. This function must use only async-signal-safe functions, as + * it gets run after a fork of a multi-threaded process. The return + * value of this function is passed to _exit(), except that a + * negative value is treated as an error. */ +typedef int (*virProcessNamespaceCallback)(pid_t pid, void *opaque); + +int virProcessRunInMountNamespace(pid_t pid, + virProcessNamespaceCallback cb, + void *opaque); #endif /* __VIR_PROCESS_H__ */ ++++++ 7c98d1c1-nic-type.patch ++++++ commit 7c98d1c153da5810ed4dcaa6be177df369b7d4bd Author: Jim Fehlig <jfehlig(a)suse.com> Date: Mon Jan 6 11:37:20 2014 -0700 libxl: Fix initialization of nictype in libxl_device_nic As pointed out by the Xen folks [1], HVM nics should always be set to type LIBXL_NIC_TYPE_VIF_IOEMU unless the user explicity requests LIBXL_NIC_TYPE_VIF via model='netfront'. The current logic in libxlMakeNic() only sets the nictype to LIBXL_NIC_TYPE_VIF_IOEMU if a model is specified that is not 'netfront', which breaks PXE booting configurations where no model is specified (i.e. use the hypervisor default). Reported-by: Stefan Bader <stefan.bader(a)canonical.com> [1] https://www.redhat.com/archives/libvir-list/2013-December/msg01156.html Index: libvirt-1.1.2/src/libxl/libxl_conf.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_conf.c +++ libvirt-1.1.2/src/libxl/libxl_conf.c @@ -815,8 +815,12 @@ error: } int -libxlMakeNic(virDomainNetDefPtr l_nic, libxl_device_nic *x_nic) +libxlMakeNic(virDomainDefPtr def, + virDomainNetDefPtr l_nic, + libxl_device_nic *x_nic) { + bool ioemu_nic = STREQ(def->os.type, "hvm"); + /* TODO: Where is mtu stored? * * x_nics[i].mtu = 1492; @@ -826,12 +830,16 @@ libxlMakeNic(virDomainNetDefPtr l_nic, l virMacAddrGetRaw(&l_nic->mac, x_nic->mac); - if (l_nic->model && !STREQ(l_nic->model, "netfront")) { - if (VIR_STRDUP(x_nic->model, l_nic->model) < 0) - return -1; + if (ioemu_nic) x_nic->nictype = LIBXL_NIC_TYPE_VIF_IOEMU; - } else { + else x_nic->nictype = LIBXL_NIC_TYPE_VIF; + + if (l_nic->model) { + if (VIR_STRDUP(x_nic->model, l_nic->model) < 0) + return -1; + if (STREQ(l_nic->model, "netfront")) + x_nic->nictype = LIBXL_NIC_TYPE_VIF; } if (VIR_STRDUP(x_nic->ifname, l_nic->ifname) < 0) @@ -868,7 +876,7 @@ libxlMakeNicList(virDomainDefPtr def, l return -1; for (i = 0; i < nnics; i++) { - if (libxlMakeNic(l_nics[i], &x_nics[i])) + if (libxlMakeNic(def, l_nics[i], &x_nics[i])) goto error; } Index: libvirt-1.1.2/src/libxl/libxl_conf.h =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_conf.h +++ libvirt-1.1.2/src/libxl/libxl_conf.h @@ -126,7 +126,9 @@ libxlMakeCapabilities(libxl_ctx *ctx); int libxlMakeDisk(virDomainDiskDefPtr l_dev, libxl_device_disk *x_dev); int -libxlMakeNic(virDomainNetDefPtr l_nic, libxl_device_nic *x_nic); +libxlMakeNic(virDomainDefPtr def, + virDomainNetDefPtr l_nic, + libxl_device_nic *x_nic); int libxlMakeVfb(libxlDriverPrivatePtr driver, virDomainGraphicsDefPtr l_vfb, libxl_device_vfb *x_vfb); ++++++ 7fba01c-CVE-2013-6456.patch ++++++ >From a6e9270ec79924fabd5a872984bb5d38eaf3df8a Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 16:34:19 +0000 Subject: [PATCH 11/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC USB hotplug Rewrite lxcDomainAttachDeviceHostdevSubsysUSBLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit 7fba01c15c1f886b4235825692b4c13e88dd9f7b) --- src/lxc/lxc_driver.c | 73 ++++++++++++++++------------------------------------ 1 file changed, 22 insertions(+), 51 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3117,6 +3117,13 @@ lxcDomainAttachDeviceMknodHelper(pid_t p def->src = tmpsrc; } break; + case VIR_DOMAIN_DEVICE_HOSTDEV: { + virDomainHostdevDefPtr def = data->def->data.hostdev; + if (virSecurityManagerSetHostdevLabel(data->driver->securityManager, + data->vm->def, def, NULL) < 0) + goto cleanup; + } break; + default: virReportError(VIR_ERR_INTERNAL_ERROR, _("Unexpected device type %d"), @@ -3411,13 +3418,8 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv virLXCDomainObjPrivatePtr priv = vm->privateData; virDomainHostdevDefPtr def = dev->data.hostdev; int ret = -1; - char *vroot = NULL; char *src = NULL; - char *dstdir = NULL; - char *dstfile = NULL; struct stat sb; - mode_t mode; - bool created = false; virUSBDevicePtr usb = NULL; if (virDomainHostdevFind(vm->def, def, NULL) >= 0) { @@ -3426,27 +3428,13 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv return -1; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - - if (virAsprintf(&dstdir, "%s/dev/bus/usb/%03d", - vroot, - def->source.subsys.u.usb.bus) < 0) - goto cleanup; - - if (virAsprintf(&dstfile, "%s/%03d", - dstdir, - def->source.subsys.u.usb.device) < 0) - goto cleanup; - if (virAsprintf(&src, "/dev/bus/usb/%03d/%03d", def->source.subsys.u.usb.bus, def->source.subsys.u.usb.device) < 0) goto cleanup; if (!(usb = virUSBDeviceNew(def->source.subsys.u.usb.bus, - def->source.subsys.u.usb.device, vroot))) + def->source.subsys.u.usb.device, NULL))) goto cleanup; if (stat(src, &sb) < 0) { @@ -3462,53 +3450,36 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv goto cleanup; } - mode = 0700 | S_IFCHR; - if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs + 1) < 0) goto cleanup; - if (virFileMakePath(dstdir) < 0) { - virReportSystemError(errno, - _("Unable to create %s"), dstdir); - goto cleanup; - } - - VIR_DEBUG("Creating dev %s (%d,%d)", - dstfile, major(sb.st_rdev), minor(sb.st_rdev)); - if (mknod(dstfile, mode, sb.st_rdev) < 0) { - virReportSystemError(errno, - _("Unable to create device %s"), - dstfile); - goto cleanup; - } - created = true; - - if (lxcContainerChown(vm->def, dstfile) < 0) - goto cleanup; - - if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm->def, def, vroot) < 0) - goto cleanup; - if (virUSBDeviceFileIterate(usb, virLXCSetupHostUsbDeviceCgroup, priv->cgroup) < 0) goto cleanup; + if (lxcDomainAttachDeviceMknod(driver, + 0700 | S_IFCHR, + sb.st_rdev, + vm, + dev, + src) < 0) { + if (virUSBDeviceFileIterate(usb, + virLXCTeardownHostUsbDeviceCgroup, + priv->cgroup) < 0) + VIR_WARN("cannot deny device %s for domain %s", + src, vm->def->name); + goto cleanup; + } + vm->def->hostdevs[vm->def->nhostdevs++] = def; ret = 0; cleanup: virDomainAuditHostdev(vm, def, "attach", ret == 0); - if (ret < 0 && created) - unlink(dstfile); - virUSBDeviceFree(usb); VIR_FREE(src); - VIR_FREE(dstfile); - VIR_FREE(dstdir); - VIR_FREE(vroot); return ret; } ++++++ 8294aa0c-CVE-2013-4399.patch ++++++ commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Fri Sep 27 15:46:07 2013 +0100 Fix crash in libvirtd when events are registered & ACLs active When a client disconnects from libvirtd, all event callbacks must be removed. This involves running the public API virConnectDomainEventDeregisterAny This code does not run in normal API dispatch context, so no identity was set. The result was that the access control drivers denied the attempt to deregister callbacks. The callbacks thus continued to trigger after the client was free'd causing fairly predictable use of free memory & a crash. This can be triggered by any client with readonly access when the ACL drivers are active. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/daemon/remote.c =================================================================== --- libvirt-1.1.2.orig/daemon/remote.c +++ libvirt-1.1.2/daemon/remote.c @@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data) /* Deregister event delivery callback */ if (priv->conn) { + virIdentityPtr sysident = virIdentityGetSystem(); size_t i; + virIdentitySetCurrent(sysident); + for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) { if (priv->domainEventCallbackID[i] != -1) { VIR_DEBUG("Deregistering to relay remote events %zu", i); @@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data) } virConnectClose(priv->conn); + + virIdentitySetCurrent(NULL); + virObjectUnref(sysident); } VIR_FREE(priv); ++++++ 82daa87f-CVE-2013-6458.patch ++++++ commit 82daa87f6a020ba2d1274b300f8e95f903fbe0f8 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Fri Dec 20 15:41:04 2013 +0100 qemu: Fix job usage in virDomainGetBlockIoTune CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit 3b56425938e2f97208d5918263efa0d6439e4ecd) Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -14851,12 +14851,6 @@ qemuDomainGetBlockIoTune(virDomainPtr do goto cleanup; } - device = qemuDiskPathToAlias(vm, disk, NULL); - - if (!device) { - goto cleanup; - } - if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup; @@ -14864,6 +14858,11 @@ qemuDomainGetBlockIoTune(virDomainPtr do &persistentDef) < 0) goto endjob; + device = qemuDiskPathToAlias(vm, disk, NULL); + if (!device) { + goto endjob; + } + if (flags & VIR_DOMAIN_AFFECT_LIVE) { priv = vm->privateData; qemuDomainObjEnterMonitor(driver, vm); ++++++ 843bdb2f-CVE-2013-4400.patch ++++++ commit 843bdb2f8a3364637cda2911624149525188843f Author: Jim Fehlig <jfehlig(a)suse.com> Date: Mon Oct 21 23:12:22 2013 -0600 build: fix build of virt-login-shell on systems with older gnutls On systems where gnutls uses libgcrypt, I'm seeing the following build failure libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function) ... Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h Index: libvirt-1.1.2/config-post.h =================================================================== --- libvirt-1.1.2.orig/config-post.h +++ libvirt-1.1.2/config-post.h @@ -34,6 +34,7 @@ # undef WITH_CURL # undef WITH_DTRACE_PROBES # undef WITH_GNUTLS +# undef WITH_GNUTLS_GCRYPT # undef WITH_MACVTAP # undef WITH_NUMACTL # undef WITH_SASL ++++++ 8c3586ea-CVE-2013-4400.patch ++++++ commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Oct 9 10:59:36 2013 +0100 Only allow 'stderr' log output when running setuid (CVE-2013-4400) We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/util/virlog.c =================================================================== --- libvirt-1.1.2.orig/src/util/virlog.c +++ libvirt-1.1.2/src/util/virlog.c @@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit * Multiple output can be defined in a single @output, they just need to be * separated by spaces. * + * If running in setuid mode, then only the 'stderr' output will + * be allowed + * * Returns the number of output parsed and installed or -1 in case of error */ int @@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs) virLogPriority prio; int ret = -1; int count = 0; + bool isSUID = virIsSUID(); if (cur == NULL) return -1; @@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs) if (virLogAddOutputToStderr(prio) == 0) count++; } else if (STREQLEN(cur, "syslog", 6)) { + if (isSUID) + goto cleanup; cur += 6; if (*cur != ':') goto cleanup; @@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs) VIR_FREE(name); #endif /* HAVE_SYSLOG_H */ } else if (STREQLEN(cur, "file", 4)) { + if (isSUID) + goto cleanup; cur += 4; if (*cur != ':') goto cleanup; @@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs) VIR_FREE(name); VIR_FREE(abspath); } else if (STREQLEN(cur, "journald", 8)) { + if (isSUID) + goto cleanup; cur += 8; #if USE_JOURNALD if (virLogAddOutputToJournald(prio) == 0) ++++++ 922b7fda-CVE-2013-4311.patch ++++++ commit 922b7fda77b094dbf022d625238262ea05335666 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Aug 28 15:25:40 2013 +0100 Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) With the existing pkcheck (pid, start time) tuple for identifying the process, there is a race condition, where a process can make a libvirt RPC call and in another thread exec a setuid application, causing it to change to effective UID 0. This in turn causes polkit to do its permission check based on the wrong UID. To address this, libvirt must get the UID the caller had at time of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) triple to the pkcheck program. This fix requires that libvirt is re-built against a version of polkit that has the fix for its CVE-2013-4288, so that libvirt can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' Signed-off-by: Colin Walters <walters(a)redhat.com> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/configure.ac =================================================================== --- libvirt-1.1.2.orig/configure.ac +++ libvirt-1.1.2/configure.ac @@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH]) if test "x$PKCHECK_PATH" != "x" ; then AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program]) + AC_MSG_CHECKING([whether pkcheck supports uid value]) + pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1` + if test "x$pkcheck_supports_uid" = "xtrue"; then + AC_MSG_RESULT([yes]) + AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck]) + else + AC_MSG_RESULT([no]) + fi AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, [use PolicyKit for UNIX socket access checks]) AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1, Index: libvirt-1.1.2/daemon/remote.c =================================================================== --- libvirt-1.1.2.orig/daemon/remote.c +++ libvirt-1.1.2/daemon/remote.c @@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr int status = -1; char *ident = NULL; bool authdismissed = 0; + bool supportsuid = false; char *pkout = NULL; struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client); virCommandPtr cmd = NULL; + static bool polkitInsecureWarned; virMutexLock(&priv->lock); action = virNetServerClientGetReadonly(client) ? @@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr goto authfail; } + if (timestamp == 0) { + VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", + (long long)callerPid); + goto authfail; + } + VIR_INFO("Checking PID %lld running as %d", (long long) callerPid, callerUid); virCommandAddArg(cmd, "--process"); - if (timestamp != 0) { - virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); +# ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +# endif + if (supportsuid) { + virCommandAddArgFormat(cmd, "%lld,%llu,%lu", + (long long) callerPid, timestamp, (unsigned long) callerUid); } else { - virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); } virCommandAddArg(cmd, "--allow-user-interaction"); Index: libvirt-1.1.2/libvirt.spec.in =================================================================== --- libvirt-1.1.2.orig/libvirt.spec.in +++ libvirt-1.1.2/libvirt.spec.in @@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 -# Only need the binary, not -devel -BuildRequires: polkit >= 0.93 +BuildRequires: polkit-devel >= 0.93 %else BuildRequires: PolicyKit-devel >= 0.6 %endif Index: libvirt-1.1.2/src/access/viraccessdriverpolkit.c =================================================================== --- libvirt-1.1.2.orig/src/access/viraccessdriverpolkit.c +++ libvirt-1.1.2/src/access/viraccessdriverpolkit.c @@ -72,8 +72,12 @@ static char * virAccessDriverPolkitFormatProcess(const char *actionid) { virIdentityPtr identity = virIdentityGetCurrent(); - const char *process = NULL; + const char *callerPid = NULL; + const char *callerTime = NULL; + const char *callerUid = NULL; char *ret = NULL; + bool supportsuid = false; + static bool polkitInsecureWarned; if (!identity) { virAccessError(VIR_ERR_ACCESS_DENIED, @@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const actionid); return NULL; } - if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0) + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0) + goto cleanup; + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0) + goto cleanup; + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0) goto cleanup; - if (!process) { + if (!callerPid) { virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", _("No UNIX process ID available")); goto cleanup; } - - if (VIR_STRDUP(ret, process) < 0) + if (!callerTime) { + virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No UNIX process start time available")); + goto cleanup; + } + if (!callerUid) { + virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No UNIX caller UID available")); goto cleanup; + } + +#ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +#endif + if (supportsuid) { + if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0) + goto cleanup; + } else { + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0) + goto cleanup; + } cleanup: virObjectUnref(identity); ++++++ 939b0818-CVE-2013-6458.patch ++++++ commit 939b0818c223cd6e7a59dcf94c8117dfc5df2604 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Fri Dec 20 15:08:06 2013 +0100 qemu: Fix job usage in qemuDomainBlockCopy Every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit ff5f30b6bfa317f2a4c33f69289baf4e887eb048) Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -14216,7 +14216,7 @@ qemuDomainBlockCopy(virDomainObjPtr vm, virQEMUDriverPtr driver = conn->privateData; qemuDomainObjPrivatePtr priv; char *device = NULL; - virDomainDiskDefPtr disk; + virDomainDiskDefPtr disk = NULL; int ret = -1; int idx; struct stat st; @@ -14231,29 +14231,32 @@ qemuDomainBlockCopy(virDomainObjPtr vm, priv = vm->privateData; cfg = virQEMUDriverGetConfig(driver); + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + goto cleanup; + if (!virDomainObjIsActive(vm)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("domain is not running")); - goto cleanup; + goto endjob; } device = qemuDiskPathToAlias(vm, path, &idx); if (!device) { - goto cleanup; + goto endjob; } disk = vm->def->disks[idx]; if (disk->mirror) { virReportError(VIR_ERR_BLOCK_COPY_ACTIVE, _("disk '%s' already in active block copy job"), disk->dst); - goto cleanup; + goto endjob; } if (!(virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_DRIVE_MIRROR) && virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKJOB_ASYNC))) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("block copy is not supported with this QEMU binary")); - goto cleanup; + goto endjob; } if (vm->persistent) { /* XXX if qemu ever lets us start a new domain with mirroring @@ -14262,17 +14265,9 @@ qemuDomainBlockCopy(virDomainObjPtr vm, * this on persistent domains. */ virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("domain is not transient")); - goto cleanup; - } - - if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) - goto cleanup; - - if (!virDomainObjIsActive(vm)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("domain is not running")); goto endjob; } + if (qemuDomainDetermineDiskChain(driver, disk, false) < 0) goto endjob; @@ -14362,7 +14357,7 @@ qemuDomainBlockCopy(virDomainObjPtr vm, endjob: if (need_unlink && unlink(dest)) VIR_WARN("unable to unlink just-created %s", dest); - if (ret < 0) + if (ret < 0 && disk) disk->mirrorFormat = VIR_STORAGE_FILE_NONE; VIR_FREE(mirror); if (qemuDomainObjEndJob(driver, vm) == 0) { ++++++ 97973ebb-LXC-threading-error.patch ++++++ >From 97973ebb7a64a3be6710ddd38d124307991ad7cb Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Tue, 8 Oct 2013 14:35:01 +0100 Subject: [PATCH] Initialize threading & error layer in LXC controller In Fedora 20, libvirt_lxc crashes immediately at startup with a trace #0 0x00007f0cddb653ec in free () from /lib64/libc.so.6 #1 0x00007f0ce0e16f4a in virFree (ptrptr=ptrptr@entry=0x7f0ce1830058) at util/viralloc.c:580 #2 0x00007f0ce0e2764b in virResetError (err=0x7f0ce1830030) at util/virerror.c:354 #3 0x00007f0ce0e27a5a in virResetLastError () at util/virerror.c:387 #4 0x00007f0ce0e28858 in virEventRegisterDefaultImpl () at util/virevent.c:233 #5 0x00007f0ce0db47c6 in main (argc=11, argv=0x7fff4596c328) at lxc/lxc_controller.c:2352 Normally virInitialize calls virErrorInitialize and virThreadInitialize, but we don't link to libvirt.so in libvirt_lxc, and nor did we ever call the error or thread initializers. I have absolutely no idea how this has ever worked, let alone what caused it to stop working in Fedora 20. In addition not all code paths from virLogSetFromEnv will ensure virLogInitialize is called correctly, which is another possible crash scenario. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> --- src/lxc/lxc_controller.c | 4 +++- src/util/virlog.c | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) Index: libvirt-1.1.2/src/lxc/lxc_controller.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_controller.c +++ libvirt-1.1.2/src/lxc/lxc_controller.c @@ -2250,7 +2250,9 @@ int main(int argc, char *argv[]) if (setlocale(LC_ALL, "") == NULL || bindtextdomain(PACKAGE, LOCALEDIR) == NULL || - textdomain(PACKAGE) == NULL) { + textdomain(PACKAGE) == NULL || + virThreadInitialize() < 0 || + virErrorInitialize() < 0) { fprintf(stderr, _("%s: initialization failed\n"), argv[0]); exit(EXIT_FAILURE); } Index: libvirt-1.1.2/src/util/virlog.c =================================================================== --- libvirt-1.1.2.orig/src/util/virlog.c +++ libvirt-1.1.2/src/util/virlog.c @@ -547,6 +547,9 @@ virLogDefineFilter(const char *match, virCheckFlags(VIR_LOG_STACK_TRACE, -1); + if (virLogInitialize() < 0) + return -1; + if ((match == NULL) || (priority < VIR_LOG_DEBUG) || (priority > VIR_LOG_ERROR)) return -1; @@ -662,6 +665,9 @@ virLogDefineOutput(virLogOutputFunc f, virCheckFlags(0, -1); + if (virLogInitialize() < 0) + return -1; + if (f == NULL) return -1; ++++++ 9faf3f29-LXC-memtune.patch ++++++ commit 9faf3f2950aed1643ab7564afcb4c693c77f71b5 Author: Martin Kletzander <mkletzan(a)redhat.com> Date: Mon Dec 9 11:15:12 2013 +0100 Fix crash in lxcDomainSetMemoryParameters The function doesn't check whether the request is made for active or inactive domain. Thus when the domain is not running it still tries accessing non-existing cgroups (priv->cgroup, which is NULL). I re-made the function in order for it to work the same way it's qemu counterpart does. Reproducer: 1) Define an LXC domain 2) Do 'virsh memtune <domain> --hard-limit 133T' Backtrace: Thread 6 (Thread 0x7fffec8c0700 (LWP 26826)): #0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf718) at util/vircgroup.c:1764 #1 0x00007ffff70e9206 in virCgroupSetValueStr (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffe409f360 "1073741824") at util/vircgroup.c:669 #2 0x00007ffff70e98b4 in virCgroupSetValueU64 (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", value=1073741824) at util/vircgroup.c:740 #3 0x00007ffff70ee518 in virCgroupSetMemory (group=0x0, kb=1048576) at util/vircgroup.c:1904 #4 0x00007ffff70ee675 in virCgroupSetMemoryHardLimit (group=0x0, kb=1048576) at util/vircgroup.c:1944 #5 0x00005555557d54c8 in lxcDomainSetMemoryParameters (dom=0x7fffe40cc420, params=0x7fffe409f100, nparams=1, flags=0) at lxc/lxc_driver.c:774 #6 0x00007ffff72c20f9 in virDomainSetMemoryParameters (domain=0x7fffe40cc420, params=0x7fffe409f100, nparams=1, flags=0) at libvirt.c:4051 #7 0x000055555561365f in remoteDispatchDomainSetMemoryParameters (server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, args=0x7fffe40b8510) at remote_dispatch.h:7621 #8 0x00005555556133fd in remoteDispatchDomainSetMemoryParametersHelper (server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0, rerr=0x7fffec8bfb70, args=0x7fffe40b8510, ret=0x7fffe40b84f0) at remote_dispatch.h:7591 #9 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0, server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0) at rpc/virnetserverprogram.c:435 #10 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0, server=0x555555eb7e00, client=0x555555ec4b10, msg=0x555555eb94e0) at rpc/virnetserverprogram.c:305 #11 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ec4b10, prog=0x555555ec3ae0, msg=0x555555eb94e0) at rpc/virnetserver.c:165 #12 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ec3e30, opaque=0x555555eb7e00) at rpc/virnetserver.c:186 #13 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144 #14 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161 #15 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308 #16 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -743,12 +743,24 @@ lxcDomainSetMemoryParameters(virDomainPt int nparams, unsigned int flags) { - size_t i; + virCapsPtr caps = NULL; + virDomainDefPtr vmdef = NULL; virDomainObjPtr vm = NULL; + virLXCDomainObjPrivatePtr priv = NULL; + virLXCDriverConfigPtr cfg = NULL; + virLXCDriverPtr driver = dom->conn->privateData; + unsigned long long hard_limit; + unsigned long long soft_limit; + unsigned long long swap_hard_limit; + bool set_hard_limit = false; + bool set_soft_limit = false; + bool set_swap_hard_limit = false; + int rc; int ret = -1; - virLXCDomainObjPrivatePtr priv; - virCheckFlags(0, -1); + virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | + VIR_DOMAIN_AFFECT_CONFIG, -1); + if (virTypedParamsValidate(params, nparams, VIR_DOMAIN_MEMORY_HARD_LIMIT, VIR_TYPED_PARAM_ULLONG, @@ -763,29 +775,97 @@ lxcDomainSetMemoryParameters(virDomainPt goto cleanup; priv = vm->privateData; + cfg = virLXCDriverGetConfig(driver); - if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0) + if (virDomainSetMemoryParametersEnsureACL(dom->conn, vm->def, flags) < 0 || + !(caps = virLXCDriverGetCapabilities(driver, false)) || + virDomainLiveConfigHelperMethod(caps, driver->xmlopt, + vm, &flags, &vmdef) < 0) goto cleanup; - ret = 0; - for (i = 0; i < nparams; i++) { - virTypedParameterPtr param = &params[i]; + if (flags & VIR_DOMAIN_AFFECT_LIVE && + !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) { + virReportError(VIR_ERR_OPERATION_INVALID, + "%s", _("cgroup memory controller is not mounted")); + goto cleanup; + } - if (STREQ(param->field, VIR_DOMAIN_MEMORY_HARD_LIMIT)) { - if (virCgroupSetMemoryHardLimit(priv->cgroup, params[i].value.ul) < 0) - ret = -1; - } else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SOFT_LIMIT)) { - if (virCgroupSetMemorySoftLimit(priv->cgroup, params[i].value.ul) < 0) - ret = -1; - } else if (STREQ(param->field, VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT)) { - if (virCgroupSetMemSwapHardLimit(priv->cgroup, params[i].value.ul) < 0) - ret = -1; +#define VIR_GET_LIMIT_PARAMETER(PARAM, VALUE) \ + if ((rc = virTypedParamsGetULLong(params, nparams, PARAM, &VALUE)) < 0) \ + goto cleanup; \ + \ + if (rc == 1) \ + set_ ## VALUE = true; + + VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT, swap_hard_limit) + VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_HARD_LIMIT, hard_limit) + VIR_GET_LIMIT_PARAMETER(VIR_DOMAIN_MEMORY_SOFT_LIMIT, soft_limit) + +#undef VIR_GET_LIMIT_PARAMETER + + /* Swap hard limit must be greater than hard limit. + * Note that limit of 0 denotes unlimited */ + if (set_swap_hard_limit || set_hard_limit) { + unsigned long long mem_limit = vm->def->mem.hard_limit; + unsigned long long swap_limit = vm->def->mem.swap_hard_limit; + + if (set_swap_hard_limit) + swap_limit = swap_hard_limit; + + if (set_hard_limit) + mem_limit = hard_limit; + + if (virCompareLimitUlong(mem_limit, swap_limit) > 0) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("memory hard_limit tunable value must be lower " + "than or equal to swap_hard_limit")); + goto cleanup; } } +#define LXC_SET_MEM_PARAMETER(FUNC, VALUE) \ + if (set_ ## VALUE) { \ + if (flags & VIR_DOMAIN_AFFECT_LIVE) { \ + if ((rc = FUNC(priv->cgroup, VALUE)) < 0) { \ + virReportSystemError(-rc, _("unable to set memory %s tunable"), \ + #VALUE); \ + \ + goto cleanup; \ + } \ + vm->def->mem.VALUE = VALUE; \ + } \ + \ + if (flags & VIR_DOMAIN_AFFECT_CONFIG) \ + vmdef->mem.VALUE = VALUE; \ + } + + /* Soft limit doesn't clash with the others */ + LXC_SET_MEM_PARAMETER(virCgroupSetMemorySoftLimit, soft_limit); + + /* set hard limit before swap hard limit if decreasing it */ + if (virCompareLimitUlong(vm->def->mem.hard_limit, hard_limit) > 0) { + LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit); + /* inhibit changing the limit a second time */ + set_hard_limit = false; + } + + LXC_SET_MEM_PARAMETER(virCgroupSetMemSwapHardLimit, swap_hard_limit); + + /* otherwise increase it after swap hard limit */ + LXC_SET_MEM_PARAMETER(virCgroupSetMemoryHardLimit, hard_limit); + +#undef LXC_SET_MEM_PARAMETER + + if (flags & VIR_DOMAIN_AFFECT_CONFIG && + virDomainSaveConfig(cfg->configDir, vmdef) < 0) + goto cleanup; + + ret = 0; cleanup: if (vm) virObjectUnlock(vm); + virObjectUnref(caps); + virObjectUnref(cfg); return ret; } ++++++ a537827-CVE-2013-6456.patch ++++++ >From 5ef86f41148af71aefca9c7ad31926ca179c185b Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Tue, 4 Feb 2014 16:46:28 +0000 Subject: [PATCH 03/14] Record hotplugged USB device in LXC live guest config After hotplugging a USB device, the LXC driver forgot to add the device def to the virDomainDefPtr. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit a537827d15516f2b59afb23ce2d50b8a88d7f090) --- src/lxc/lxc_driver.c | 5 +++++ 1 file changed, 5 insertions(+) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3374,6 +3374,9 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv mode = 0700 | S_IFCHR; + if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs + 1) < 0) + goto cleanup; + if (virFileMakePath(dstdir) < 0) { virReportSystemError(errno, _("Unable to create %s"), dstdir); @@ -3402,6 +3405,8 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv priv->cgroup) < 0) goto cleanup; + vm->def->hostdevs[vm->def->nhostdevs++] = def; + ret = 0; cleanup: ++++++ ae53e5d1-CVE-2013-4400.patch ++++++ commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Oct 9 10:52:39 2013 +0100 Add helpers for getting env vars in a setuid environment Care must be taken accessing env variables when running setuid. Introduce a virGetEnvAllowSUID for env vars which are safe to use in a setuid environment, and another virGetEnvBlockSUID for vars which are not safe. Also add a virIsSUID helper method for any other non-env var code to use. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -2042,6 +2042,8 @@ virFindFCHostCapableVport; virFormatIntDecimal; virGetDeviceID; virGetDeviceUnprivSGIO; +virGetEnvAllowSUID; +virGetEnvBlockSUID; virGetFCHostNameByWWN; virGetGroupID; virGetGroupList; @@ -2060,6 +2062,7 @@ virIndexToDiskName; virIsCapableFCHost; virIsCapableVport; virIsDevMapperDevice; +virIsSUID; virManageVport; virParseNumber; virParseOwnershipIds; Index: libvirt-1.1.2/src/util/virutil.c =================================================================== --- libvirt-1.1.2.orig/src/util/virutil.c +++ libvirt-1.1.2/src/util/virutil.c @@ -2116,3 +2116,42 @@ cleanup: return rc; } + + +/** + * virGetEnvBlockSUID: + * @name: the environment variable name + * + * Obtain an environment variable which is unsafe to + * use when running setuid. If running setuid, a NULL + * value will be returned + */ +const char *virGetEnvBlockSUID(const char *name) +{ + return secure_getenv(name); +} + + +/** + * virGetEnvBlockSUID: + * @name: the environment variable name + * + * Obtain an environment variable which is safe to + * use when running setuid. The value will be returned + * even when running setuid + */ +const char *virGetEnvAllowSUID(const char *name) +{ + return getenv(name); +} + + +/** + * virIsSUID: + * Return a true value if running setuid. Does not + * check for elevated capabilities bits. + */ +bool virIsSUID(void) +{ + return getuid() != geteuid(); +} Index: libvirt-1.1.2/src/util/virutil.h =================================================================== --- libvirt-1.1.2.orig/src/util/virutil.h +++ libvirt-1.1.2/src/util/virutil.h @@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr); +const char *virGetEnvBlockSUID(const char *name); +const char *virGetEnvAllowSUID(const char *name); +bool virIsSUID(void); + #endif /* __VIR_UTIL_H__ */ ++++++ aebbcdd-CVE-2013-6456.patch ++++++ >From 21368274a9aa91e8a5f0addb3a6bba8dad91e334 Mon Sep 17 00:00:00 2001 From: Eric Blake <eblake(a)redhat.com> Date: Mon, 23 Dec 2013 22:55:51 -0700 Subject: [PATCH 09/14] CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC shutdown/reboot code Use helper virProcessRunInMountNamespace in lxcDomainShutdownFlags and lxcDomainReboot. Otherwise, a malicious guest could use symlinks to force the host to manipulate the wrong file in the host's namespace. Idea by Dan Berrange, based on an initial report by Reco <recoverym4n(a)gmail.com> at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394 Signed-off-by: Eric Blake <eblake(a)redhat.com> (cherry picked from commit aebbcdd33c8c18891f0bdbbf8924599a28152c9c) --- src/lxc/lxc_driver.c | 38 ++++++++++++++++++++------------------ src/util/virinitctl.c | 26 ++++++++++---------------- src/util/virinitctl.h | 5 ++--- 3 files changed, 32 insertions(+), 37 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -2739,12 +2739,20 @@ lxcConnectListAllDomains(virConnectPtr c static int +lxcDomainInitctlCallback(pid_t pid ATTRIBUTE_UNUSED, + void *opaque) +{ + int *command = opaque; + return virInitctlSetRunLevel(*command); +} + + +static int lxcDomainShutdownFlags(virDomainPtr dom, unsigned int flags) { virLXCDomainObjPrivatePtr priv; virDomainObjPtr vm; - char *vroot = NULL; int ret = -1; int rc; @@ -2771,16 +2779,14 @@ lxcDomainShutdownFlags(virDomainPtr dom, goto cleanup; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - if (flags == 0 || (flags & VIR_DOMAIN_SHUTDOWN_INITCTL)) { - if ((rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF, - vroot)) < 0) { + int command = VIR_INITCTL_RUNLEVEL_POWEROFF; + + if ((rc = virProcessRunInMountNamespace(priv->initpid, + lxcDomainInitctlCallback, + &command)) < 0) goto cleanup; - } if (rc == 0 && flags != 0 && ((flags & ~VIR_DOMAIN_SHUTDOWN_INITCTL) == 0)) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", @@ -2806,7 +2812,6 @@ lxcDomainShutdownFlags(virDomainPtr dom, ret = 0; cleanup: - VIR_FREE(vroot); if (vm) virObjectUnlock(vm); return ret; @@ -2818,13 +2823,13 @@ lxcDomainShutdown(virDomainPtr dom) return lxcDomainShutdownFlags(dom, 0); } + static int lxcDomainReboot(virDomainPtr dom, unsigned int flags) { virLXCDomainObjPrivatePtr priv; virDomainObjPtr vm; - char *vroot = NULL; int ret = -1; int rc; @@ -2851,16 +2856,14 @@ lxcDomainReboot(virDomainPtr dom, goto cleanup; } - if (virAsprintf(&vroot, "/proc/%llu/root", - (unsigned long long)priv->initpid) < 0) - goto cleanup; - if (flags == 0 || (flags & VIR_DOMAIN_REBOOT_INITCTL)) { - if ((rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_REBOOT, - vroot)) < 0) { + int command = VIR_INITCTL_RUNLEVEL_REBOOT; + + if ((rc = virProcessRunInMountNamespace(priv->initpid, + lxcDomainInitctlCallback, + &command)) < 0) goto cleanup; - } if (rc == 0 && flags != 0 && ((flags & ~VIR_DOMAIN_SHUTDOWN_INITCTL) == 0)) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", @@ -2886,7 +2889,6 @@ lxcDomainReboot(virDomainPtr dom, ret = 0; cleanup: - VIR_FREE(vroot); if (vm) virObjectUnlock(vm); return ret; Index: libvirt-1.1.2/src/util/virinitctl.c =================================================================== --- libvirt-1.1.2.orig/src/util/virinitctl.c +++ libvirt-1.1.2/src/util/virinitctl.c @@ -111,16 +111,18 @@ struct virInitctlRequest { # endif /* - * Send a message to init to change the runlevel + * Send a message to init to change the runlevel. This function is + * asynchronous-signal-safe (thus safe to use after fork of a + * multithreaded parent) - which is good, because it should only be + * used after forking and entering correct namespace. * * Returns 1 on success, 0 if initctl does not exist, -1 on error */ -int virInitctlSetRunLevel(virInitctlRunLevel level, - const char *vroot) +int +virInitctlSetRunLevel(virInitctlRunLevel level) { struct virInitctlRequest req; int fd = -1; - char *path = NULL; int ret = -1; memset(&req, 0, sizeof(req)); @@ -131,36 +133,28 @@ int virInitctlSetRunLevel(virInitctlRunL /* Yes it is an 'int' field, but wants a numeric character. Go figure */ req.runlevel = '0' + level; - if (vroot) { - if (virAsprintf(&path, "%s/%s", vroot, VIR_INITCTL_FIFO) < 0) - return -1; - } else { - if (VIR_STRDUP(path, VIR_INITCTL_FIFO) < 0) - return -1; - } - - if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0) { + if ((fd = open(VIR_INITCTL_FIFO, + O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0) { if (errno == ENOENT) { ret = 0; goto cleanup; } virReportSystemError(errno, _("Cannot open init control %s"), - path); + VIR_INITCTL_FIFO); goto cleanup; } if (safewrite(fd, &req, sizeof(req)) != sizeof(req)) { virReportSystemError(errno, _("Failed to send request to init control %s"), - path); + VIR_INITCTL_FIFO); goto cleanup; } ret = 1; cleanup: - VIR_FREE(path); VIR_FORCE_CLOSE(fd); return ret; } Index: libvirt-1.1.2/src/util/virinitctl.h =================================================================== --- libvirt-1.1.2.orig/src/util/virinitctl.h +++ libvirt-1.1.2/src/util/virinitctl.h @@ -1,7 +1,7 @@ /* * virinitctl.h: API for talking to init systems via initctl * - * Copyright (C) 2012 Red Hat, Inc. + * Copyright (C) 2012-2014 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -37,7 +37,6 @@ enum virInitctlRunLevel { VIR_INITCTL_RUNLEVEL_LAST }; -int virInitctlSetRunLevel(virInitctlRunLevel level, - const char *vroot); +int virInitctlSetRunLevel(virInitctlRunLevel level); #endif ++++++ b03eba13-libxl-segfault-fix.patch ++++++ commit b03eba137616a9c48921c017d9c1142a47020dc2 Author: Bamvor Jian Zhang <bjzhang(a)suse.com> Date: Fri Dec 20 15:14:42 2013 +0800 libxl: fix segfault when domain create fail there is a segfault in libxl logging in libxl_ctx_free when domain create fail. because the log output handler vmessage is freed by xtl_logger_destroy before libxl_ctx_free in virDomainObjListRemove. move xtl_logger_destroy after libxl_ctx_free could fix this bug. Signed-off-by: Bamvor Jian Zhang <bjzhang(a)suse.com> Index: libvirt-1.1.2/src/libxl/libxl_driver.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_driver.c +++ libvirt-1.1.2/src/libxl/libxl_driver.c @@ -472,11 +472,10 @@ libxlDomainObjPrivateDispose(void *obj) virChrdevFree(priv->devs); + libxl_ctx_free(priv->ctx); xtl_logger_destroy(priv->logger); if (priv->logger_file) VIR_FORCE_FCLOSE(priv->logger_file); - - libxl_ctx_free(priv->ctx); } static void ++++++ b1674ad5-CVE-2014-7823.patch ++++++ commit 520ecab4ca09859d4de39cad7ae2e34272e0437e Author: Eric Blake <eblake(a)redhat.com> Date: Fri Oct 31 22:14:07 2014 -0600 CVE-2014-7823: dumpxml: security hole with migratable flag Commit 28f8dfd (v1.0.0) introduced a security hole: in at least the qemu implementation of virDomainGetXMLDesc, the use of the flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE prior to calling qemuDomainFormatXML. However, the use of VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write clients only. This patch treats the migratable flag as requiring the same permissions, rather than analyzing what might break if migratable xml no longer includes secret information. Fortunately, the information leak is low-risk: all that is gated by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password; but VNC passwords are already weak (FIPS forbids their use, and on a non-FIPS machine, anyone stupid enough to trust a max-8-byte password sent in plaintext over the network deserves what they get). SPICE offers better security than VNC, and all other secrets are properly protected by use of virSecret associations rather than direct output in domain XML. * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC): Tighten rules on use of migratable flag. * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise. Signed-off-by: Eric Blake <eblake(a)redhat.com> (cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b) Conflicts: src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError Signed-off-by: Eric Blake <eblake(a)redhat.com> Index: libvirt-1.1.2/src/libvirt.c =================================================================== --- libvirt-1.1.2.orig/src/libvirt.c +++ libvirt-1.1.2/src/libvirt.c @@ -4562,7 +4562,8 @@ virDomainGetXMLDesc(virDomainPtr domain, conn = domain->conn; - if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { + if ((conn->flags & VIR_CONNECT_RO) && + (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) { virLibConnError(VIR_ERR_OPERATION_DENIED, "%s", _("virDomainGetXMLDesc with secure flag")); goto error; Index: libvirt-1.1.2/src/remote/remote_protocol.x =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_protocol.x +++ libvirt-1.1.2/src/remote/remote_protocol.x @@ -2979,6 +2979,7 @@ enum remote_procedure { * @generate: both * @acl: domain:read * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE + * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE */ REMOTE_PROC_DOMAIN_GET_XML_DESC = 14, ++++++ b347c0c2-CVE-2015-0236.patch ++++++ commit b347c0c2a321ec5c20aae214927949832a288c5a Author: Peter Krempa <pkrempa(a)redhat.com> Date: Tue Jan 20 17:01:01 2015 +0100 CVE-2015-0236: qemu: Check ACLs when dumping security info from snapshots The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the appropriate permission for it. Found via code inspection while fixing permissions for save images. Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -12934,7 +12934,7 @@ static char *qemuDomainSnapshotGetXMLDes if (!(vm = qemuDomObjFromSnapshot(snapshot))) goto cleanup; - if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def) < 0) + if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def, flags) < 0) goto cleanup; if (!(snap = qemuSnapObjFromSnapshot(vm, snapshot))) Index: libvirt-1.1.2/src/remote/remote_protocol.x =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_protocol.x +++ libvirt-1.1.2/src/remote/remote_protocol.x @@ -4170,6 +4170,7 @@ enum remote_procedure { * @generate: both * @priority: high * @acl: domain:read + * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE */ REMOTE_PROC_DOMAIN_SNAPSHOT_GET_XML_DESC = 186, ++++++ b7fcc799a-CVE-2013-4400.patch ++++++ commit b7fcc799ad5d8f3e55b89b94e599903e3c092467 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Oct 9 15:14:34 2013 +0100 Close all non-stdio FDs in virt-login-shell (CVE-2013-4400) We don't want to inherit any FDs in the new namespace except for the stdio FDs. Explicitly close them all, just in case some do not have the close-on-exec flag set. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/tools/virt-login-shell.c =================================================================== --- libvirt-1.1.2.orig/tools/virt-login-shell.c +++ libvirt-1.1.2/tools/virt-login-shell.c @@ -313,6 +313,18 @@ main(int argc, char **argv) if (cpid == 0) { pid_t ccpid; + int openmax = sysconf(_SC_OPEN_MAX); + int fd; + if (openmax < 0) { + virReportSystemError(errno, "%s", + _("sysconf(_SC_OPEN_MAX) failed")); + return EXIT_FAILURE; + } + for (fd = 3; fd < openmax; fd++) { + int tmpfd = fd; + VIR_MASS_CLOSE(tmpfd); + } + /* Fork once because we don't want to affect * virt-login-shell's namespace itself */ ++++++ ba79e38-bnc852005.patch ++++++ >From ba79e3879e771417ee90e125d8b38743a867d7d1 Mon Sep 17 00:00:00 2001 From: Michal Privoznik <mprivozn(a)redhat.com> Date: Fri, 21 Feb 2014 10:16:36 +0100 Subject: [PATCH] virSystemdCreateMachine: Set dependencies for slices https://bugzilla.redhat.com/show_bug.cgi?id=1031696 When creating a new domain, we let systemd know about it by calling CreateMachine() function via dbus. Systemd then creates a scope and places domain into it. However, later when the host is shutting down, systemd computes the shutdown order to see what processes can be shut down in parallel. And since we were not setting dependencies at all, the slices (and thus domains) were most likely killed before libvirt-guests.service. So user domains that had to be saved, shut off, whatever were in fact killed. This problem can be solved by letting systemd know that scopes we're creating must not be killed before libvirt-guests.service. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/util/virsystemd.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: libvirt-1.1.2/src/util/virsystemd.c =================================================================== --- libvirt-1.1.2.orig/src/util/virsystemd.c +++ libvirt-1.1.2/src/util/virsystemd.c @@ -240,8 +240,10 @@ int virSystemdCreateMachine(const char * iscontainer ? "container" : "vm", (unsigned int)pidleader, rootdir ? rootdir : "", - 1, "Slice", "s", - slicename) < 0) { + 3, + "Slice", "s", slicename, + "After", "as", 1, "libvirtd.service", + "Before", "as", 1, "libvirt-guests.service") < 0) { virErrorPtr err = virGetLastError(); if (err->code == VIR_ERR_DBUS_SERVICE && STREQ(err->str2, "org.freedesktop.DBus.Error.ServiceUnknown")) { ++++++ baselibs.conf ++++++ libvirt-client requires -libvirt-<targettype> libvirt-devel requires -libvirt-<targettype> ++++++ bcb9a035-CVE-2013-6458.patch ++++++ commit bcb9a035a99cf8389069c401c94605aedccdc4df Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Fri Dec 20 15:04:09 2013 +0100 qemu: Fix job usage in qemuDomainBlockJobImpl CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit f93d2caa070f6197ab50d372d286018b0ba6bbd8) Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -14030,16 +14030,25 @@ qemuDomainBlockJobImpl(virDomainObjPtr v goto cleanup; } + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + goto cleanup; + + if (!virDomainObjIsActive(vm)) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("domain is not running")); + goto endjob; + } + device = qemuDiskPathToAlias(vm, path, &idx); if (!device) - goto cleanup; + goto endjob; disk = vm->def->disks[idx]; if (mode == BLOCK_JOB_PULL && disk->mirror) { virReportError(VIR_ERR_BLOCK_COPY_ACTIVE, _("disk '%s' already in active block copy job"), disk->dst); - goto cleanup; + goto endjob; } if (mode == BLOCK_JOB_ABORT && (flags & VIR_DOMAIN_BLOCK_JOB_ABORT_PIVOT) && @@ -14047,15 +14056,6 @@ qemuDomainBlockJobImpl(virDomainObjPtr v virReportError(VIR_ERR_OPERATION_INVALID, _("pivot of disk '%s' requires an active copy job"), disk->dst); - goto cleanup; - } - - if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) - goto cleanup; - - if (!virDomainObjIsActive(vm)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("domain is not running")); goto endjob; } ++++++ bd773e74-lxc-terminate-machine.patch ++++++ commit bd773e74f0d1d1b9ebbfcaa645178316b4f2265c Author: Cédric Bosdonnat <cbosdonnat(a)suse.com> Date: Mon Sep 30 16:46:29 2013 +0200 LXC: workaround machined uncleaned data with containers running systemd. The problem is described by [0] but its effect on libvirt is that starting a container with a full distro running systemd after having stopped it simply fails. The container cleanup now calls the machined Terminate function to make sure that everything is in order for the next run. [0]: https://bugs.freedesktop.org/show_bug.cgi?id=68370 Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -1940,8 +1940,10 @@ virSysinfoSetup; # util/virsystemd.h virSystemdCreateMachine; +virSystemdMakeMachineName; virSystemdMakeScopeName; virSystemdMakeSliceName; +virSystemdTerminateMachine; # util/virthread.h Index: libvirt-1.1.2/src/lxc/lxc_process.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_process.c +++ libvirt-1.1.2/src/lxc/lxc_process.c @@ -50,6 +50,7 @@ #include "virstring.h" #include "viratomic.h" #include "virprocess.h" +#include "virsystemd.h" #define VIR_FROM_THIS VIR_FROM_LXC @@ -210,6 +211,13 @@ static void virLXCProcessCleanup(virLXCD virCgroupFree(&priv->cgroup); } + /* Get machined to terminate the machine as it may not have cleaned it + * properly. See https://bugs.freedesktop.org/show_bug.cgi?id=68370 for + * the bug we are working around here. + */ + virSystemdTerminateMachine(vm->def->name, "lxc", true); + + /* now that we know it's stopped call the hook if present */ if (virHookPresent(VIR_HOOK_DRIVER_LXC)) { char *xml = virDomainDefFormat(vm->def, 0); Index: libvirt-1.1.2/src/util/virsystemd.c =================================================================== --- libvirt-1.1.2.orig/src/util/virsystemd.c +++ libvirt-1.1.2/src/util/virsystemd.c @@ -116,6 +116,27 @@ char *virSystemdMakeSliceName(const char return virBufferContentAndReset(&buf); } +char *virSystemdMakeMachineName(const char *name, + const char *drivername, + bool privileged) +{ + char *machinename = NULL; + char *username = NULL; + if (privileged) { + if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) + goto cleanup; + } else { + if (!(username = virGetUserName(geteuid()))) + goto cleanup; + if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) + goto cleanup; + } + +cleanup: + VIR_FREE(username); + + return machinename; +} /** * virSystemdCreateMachine: @@ -142,7 +163,6 @@ int virSystemdCreateMachine(const char * DBusConnection *conn; char *machinename = NULL; char *creatorname = NULL; - char *username = NULL; char *slicename = NULL; if (!virDBusHasSystemBus()) @@ -150,15 +170,8 @@ int virSystemdCreateMachine(const char * conn = virDBusGetSystemBus(); - if (privileged) { - if (virAsprintf(&machinename, "%s-%s", drivername, name) < 0) - goto cleanup; - } else { - if (!(username = virGetUserName(geteuid()))) - goto cleanup; - if (virAsprintf(&machinename, "%s-%s-%s", username, drivername, name) < 0) - goto cleanup; - } + if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) + goto cleanup; if (virAsprintf(&creatorname, "libvirt-%s", drivername) < 0) goto cleanup; @@ -241,8 +254,52 @@ int virSystemdCreateMachine(const char * ret = 0; cleanup: - VIR_FREE(username); VIR_FREE(creatorname); VIR_FREE(machinename); return ret; } + +int virSystemdTerminateMachine(const char *name, + const char *drivername, + bool privileged) +{ + int ret; + DBusConnection *conn; + char *machinename = NULL; + + if(!virDBusHasSystemBus()) + return -2; + + conn = virDBusGetSystemBus(); + + ret = -1; + if (!(machinename = virSystemdMakeMachineName(name, drivername, privileged))) + goto cleanup; + + /* + * The systemd DBus API we're invoking has the + * following signature + * + * TerminateMachine(in s name); + * + * @name a host unique name for the machine. shows up + * in 'ps' listing & similar + */ + + VIR_DEBUG("Attempting to terminate machine via systemd"); + if (virDBusCallMethod(conn, + NULL, + "org.freedesktop.machine1", + "/org/freedesktop/machine1", + "org.freedesktop.machine1.Manager", + "TerminateMachine", + "s", + machinename) < 0) + goto cleanup; + + ret = 0; + +cleanup: + VIR_FREE(machinename); + return ret; +} Index: libvirt-1.1.2/src/util/virsystemd.h =================================================================== --- libvirt-1.1.2.orig/src/util/virsystemd.h +++ libvirt-1.1.2/src/util/virsystemd.h @@ -29,6 +29,10 @@ char *virSystemdMakeScopeName(const char const char *slicename); char *virSystemdMakeSliceName(const char *partition); +char *virSystemdMakeMachineName(const char *name, + const char *drivername, + bool privileged); + int virSystemdCreateMachine(const char *name, const char *drivername, bool privileged, @@ -38,4 +42,8 @@ int virSystemdCreateMachine(const char * bool iscontainer, const char *partition); +int virSystemdTerminateMachine(const char *name, + const char *drivername, + bool privileged); + #endif /* __VIR_SYSTEMD_H__ */ Index: libvirt-1.1.2/tests/virsystemdtest.c =================================================================== --- libvirt-1.1.2.orig/tests/virsystemdtest.c +++ libvirt-1.1.2/tests/virsystemdtest.c @@ -51,6 +51,18 @@ static int testCreateContainer(const voi return 0; } +static int testTerminateContainer(const void *opaque ATTRIBUTE_UNUSED) +{ + if (virSystemdTerminateMachine("demo", + "lxc", + true) < 0) { + fprintf(stderr, "%s", "Failed to terminate LXC machine\n"); + return -1; + } + + return 0; +} + static int testCreateMachine(const void *opaque ATTRIBUTE_UNUSED) { unsigned char uuid[VIR_UUID_BUFLEN] = { @@ -74,6 +86,18 @@ static int testCreateMachine(const void return 0; } +static int testTerminateMachine(const void *opaque ATTRIBUTE_UNUSED) +{ + if (virSystemdTerminateMachine("demo", + "qemu", + false) < 0) { + fprintf(stderr, "%s", "Failed to terminate KVM machine\n"); + return -1; + } + + return 0; +} + static int testCreateNoSystemd(const void *opaque ATTRIBUTE_UNUSED) { unsigned char uuid[VIR_UUID_BUFLEN] = { @@ -177,8 +201,12 @@ mymain(void) if (virtTestRun("Test create container ", 1, testCreateContainer, NULL) < 0) ret = -1; + if (virtTestRun("Test terminate container ", 1, testTerminateContainer, NULL) < 0) + ret = -1; if (virtTestRun("Test create machine ", 1, testCreateMachine, NULL) < 0) ret = -1; + if (virtTestRun("Test terminate machine ", 1, testTerminateMachine, NULL) < 0) + ret = -1; if (virtTestRun("Test create no systemd ", 1, testCreateNoSystemd, NULL) < 0) ret = -1; if (virtTestRun("Test create bad systemd ", 1, testCreateBadSystemd, NULL) < 0) ++++++ c321bfc-CVE-2013-6456.patch ++++++ >From 4f2282e9e1bb55b56b929a38512a6ef3e4319c44 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Thu, 30 Jan 2014 17:06:39 +0000 Subject: [PATCH 07/14] Add virFileMakeParentPath helper function Add a helper function which takes a file path and ensures that all directory components leading up to the file exist. IOW, it strips the filename part of the path and passes the result to virFileMakePath. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit c321bfc5c37c603af349dacf531bb03c91b0755e) --- src/libvirt_private.syms | 1 + src/util/virfile.c | 29 +++++++++++++++++++++++++++++ src/util/virfile.h | 1 + 3 files changed, 31 insertions(+) Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -1378,6 +1378,7 @@ virFileIsLink; virFileLinkPointsTo; virFileLock; virFileLoopDeviceAssociate; +virFileMakeParentPath; virFileMakePath; virFileMakePathWithMode; virFileMatchesNameSuffix; Index: libvirt-1.1.2/src/util/virfile.c =================================================================== --- libvirt-1.1.2.orig/src/util/virfile.c +++ libvirt-1.1.2/src/util/virfile.c @@ -2093,6 +2093,35 @@ cleanup: return ret; } + +int +virFileMakeParentPath(const char *path) +{ + char *p; + char *tmp; + int ret = -1; + + VIR_DEBUG("path=%s", path); + + if (VIR_STRDUP(tmp, path) < 0) { + errno = ENOMEM; + return -1; + } + + if ((p = strrchr(tmp, '/')) == NULL) { + errno = EINVAL; + goto cleanup; + } + *p = '\0'; + + ret = virFileMakePathHelper(tmp, 0777); + + cleanup: + VIR_FREE(tmp); + return ret; +} + + /* Build up a fully qualified path for a config file to be * associated with a persistent guest or network */ char * Index: libvirt-1.1.2/src/util/virfile.h =================================================================== --- libvirt-1.1.2.orig/src/util/virfile.h +++ libvirt-1.1.2/src/util/virfile.h @@ -187,6 +187,7 @@ int virDirCreate(const char *path, mode_ int virFileMakePath(const char *path) ATTRIBUTE_RETURN_CHECK; int virFileMakePathWithMode(const char *path, mode_t mode) ATTRIBUTE_RETURN_CHECK; +int virFileMakeParentPath(const char *path) ATTRIBUTE_RETURN_CHECK; char *virFileBuildPath(const char *dir, const char *name, ++++++ c364897-CVE-2013-6456.patch ++++++ >From e2a0b1a6b4f1c2f25957cc81ba93a13f247b9221 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Tue, 4 Feb 2014 16:43:18 +0000 Subject: [PATCH 02/14] Fix path used for USB device attach with LXC The LXC code missed the 'usb' component out of the path /dev/bus/usb/$BUSNUM/$DEVNUM, so it failed to actually setup cgroups for the device. This was in fact lucky because the call to virLXCSetupHostUsbDeviceCgroup was also mistakenly passing '&priv->cgroup' instead of just 'priv->cgroup'. So once the path is fixed, libvirtd would then crash trying to access the bogus virCgroupPtr pointer. This would have been a security issue, were it not for the bogus path preventing the pointer reference being reached. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit c3648972222d4eb056e6e667c193ba56a7aa3557) --- src/lxc/lxc_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3334,7 +3334,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv (unsigned long long)priv->initpid) < 0) goto cleanup; - if (virAsprintf(&dstdir, "%s/dev/bus/%03d", + if (virAsprintf(&dstdir, "%s/dev/bus/usb/%03d", vroot, def->source.subsys.u.usb.bus) < 0) goto cleanup; @@ -3399,7 +3399,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv if (virUSBDeviceFileIterate(usb, virLXCSetupHostUsbDeviceCgroup, - &priv->cgroup) < 0) + priv->cgroup) < 0) goto cleanup; ret = 0; ++++++ c3eb12c-CVE-2013-6456.patch ++++++ >From 703a3af08166a705d1df031b897c98a411e3da67 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Wed, 5 Feb 2014 17:48:03 +0000 Subject: [PATCH 06/14] Move check for cgroup devices ACL upfront in LXC hotplug The check for whether the cgroup devices ACL is available is done quite late during LXC hotplug - in fact after the device node is already created in the container in some cases. Better to do it upfront so we fail immediately. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit c3eb12cace868884393d35c23278653634d81c70) --- src/lxc/lxc_driver.c | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3077,6 +3077,12 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv goto cleanup; } + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("devices cgroup isn't mounted")); + goto cleanup; + } + if (def->type != VIR_DOMAIN_DISK_TYPE_BLOCK) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Can't setup disk for non-block device")); @@ -3144,12 +3150,6 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv vm->def, def) < 0) goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("devices cgroup isn't mounted")); - goto cleanup; - } - if (virCgroupAllowDevicePath(priv->cgroup, def->src, (def->readonly ? VIR_CGROUP_DEVICE_READ : @@ -3345,12 +3345,6 @@ lxcDomainAttachDeviceHostdevSubsysUSBLiv def->source.subsys.u.usb.device) < 0) goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("devices cgroup isn't mounted")); - goto cleanup; - } - if (!(usb = virUSBDeviceNew(def->source.subsys.u.usb.bus, def->source.subsys.u.usb.device, vroot))) goto cleanup; @@ -3498,12 +3492,6 @@ lxcDomainAttachDeviceHostdevStorageLive( vm->def, def, vroot) < 0) goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("devices cgroup isn't mounted")); - goto cleanup; - } - if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.storage.block, VIR_CGROUP_DEVICE_RW | VIR_CGROUP_DEVICE_MKNOD) != 0) { @@ -3606,12 +3594,6 @@ lxcDomainAttachDeviceHostdevMiscLive(vir vm->def, def, vroot) < 0) goto cleanup; - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("devices cgroup isn't mounted")); - goto cleanup; - } - if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.misc.chardev, VIR_CGROUP_DEVICE_RW | VIR_CGROUP_DEVICE_MKNOD) != 0) { @@ -3687,6 +3669,12 @@ lxcDomainAttachDeviceHostdevLive(virLXCD return -1; } + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("devices cgroup isn't mounted")); + return -1; + } + switch (dev->data.hostdev->mode) { case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return lxcDomainAttachDeviceHostdevSubsysLive(driver, vm, dev); ++++++ clone.patch ++++++ Index: src/lxc/lxc_container.c =================================================================== --- src/lxc/lxc_container.c.orig +++ src/lxc/lxc_container.c @@ -144,6 +144,7 @@ int lxcContainerHasReboot(void) int cmd, v; int status; char *tmp; + int stacksize = getpagesize() * 4; if (virFileReadAll("/proc/sys/kernel/ctrl-alt-del", 10, &buf) < 0) return -1; @@ -160,12 +161,19 @@ int lxcContainerHasReboot(void) VIR_FREE(buf); cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF; - if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0) +#ifdef __ia64__ + stacksize *= 2; +#endif + if (VIR_ALLOC_N(stack, stacksize) < 0) return -1; - childStack = stack + (getpagesize() * 4); + childStack = stack + stacksize; +#ifdef __ia64__ + cpid = __clone2(lxcContainerRebootChild, childStack, stacksize, flags, &cmd); +#else cpid = clone(lxcContainerRebootChild, childStack, flags, &cmd); +#endif VIR_FREE(stack); if (cpid < 0) { virReportSystemError(errno, "%s", @@ -1893,7 +1901,11 @@ int lxcContainerStart(virDomainDefPtr de cflags |= CLONE_NEWNET; } +#ifdef __ia64__ + pid = __clone2(lxcContainerChild, stacktop, stacksize, cflags, &args); +#else pid = clone(lxcContainerChild, stacktop, cflags, &args); +#endif VIR_FREE(stack); VIR_DEBUG("clone() completed, new container PID is %d", pid); @@ -1919,6 +1931,7 @@ int lxcContainerAvailable(int features) int cpid; char *childStack; char *stack; + int stacksize = getpagesize() * 4; if (features & LXC_CONTAINER_FEATURE_USER) flags |= CLONE_NEWUSER; @@ -1926,14 +1939,21 @@ int lxcContainerAvailable(int features) if (features & LXC_CONTAINER_FEATURE_NET) flags |= CLONE_NEWNET; - if (VIR_ALLOC_N(stack, getpagesize() * 4) < 0) { +#ifdef __ia64__ + stacksize *= 2; +#endif + if (VIR_ALLOC_N(stack, stacksize) < 0) { VIR_DEBUG("Unable to allocate stack"); return -1; } - childStack = stack + (getpagesize() * 4); + childStack = stack + stacksize; +#ifdef __ia64__ + cpid = __clone2(lxcContainerDummyChild, childStack, stacksize, flags, NULL); +#else cpid = clone(lxcContainerDummyChild, childStack, flags, NULL); +#endif VIR_FREE(stack); if (cpid < 0) { char ebuf[1024] ATTRIBUTE_UNUSED; ++++++ d24e6b8-CVE-2013-6456.patch ++++++ >From c54afa41704e0e05829b9d373600ea194068ecbb Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange(a)redhat.com> Date: Wed, 5 Feb 2014 11:01:09 +0000 Subject: [PATCH 05/14] Disks are always block devices, never character devices The LXC disk hotplug code was allowing block or character devices to be given as disk. A disk is always a block device. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> (cherry picked from commit d24e6b8b1eb87daa6ee467b76cf343725468949c) --- src/lxc/lxc_driver.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -3100,9 +3100,9 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv goto cleanup; } - if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode)) { + if (!S_ISBLK(sb.st_mode)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Disk source %s must be a character/block device"), + _("Disk source %s must be a block device"), def->src); goto cleanup; } @@ -3114,11 +3114,7 @@ lxcDomainAttachDeviceDiskLive(virLXCDriv if (VIR_REALLOC_N(vm->def->disks, vm->def->ndisks+1) < 0) goto cleanup; - mode = 0700; - if (S_ISCHR(sb.st_mode)) - mode |= S_IFCHR; - else - mode |= S_IFBLK; + mode = 0700 | S_IFBLK; /* Yes, the device name we're creating may not * actually correspond to the major:minor number ++++++ d35ae41-bnc875694.patch ++++++ commit d35ae4143d11f45856ae002fcd419da0eb9bba9f Author: Michael Avdienko <whitearchey(a)gmail.com> Date: Fri Nov 15 20:47:43 2013 +0900 Fix migration with QEMU 1.6 QEMU 1.6.0 introduced new migration status: setup Libvirt does not expect such string in QMP and refuses to migrate with error "unexpected migration status in setup" This patch fixes it. Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> Index: libvirt-1.1.2/src/qemu/qemu_migration.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_migration.c +++ libvirt-1.1.2/src/qemu/qemu_migration.c @@ -1653,6 +1653,10 @@ qemuMigrationUpdateJobStatus(virQEMUDriv _("%s: %s"), job, _("is not active")); break; + case QEMU_MONITOR_MIGRATION_STATUS_SETUP: + ret = 0; + break; + case QEMU_MONITOR_MIGRATION_STATUS_ACTIVE: priv->job.info.fileTotal = priv->job.status.disk_total; priv->job.info.fileRemaining = priv->job.status.disk_remaining; Index: libvirt-1.1.2/src/qemu/qemu_monitor.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_monitor.c +++ libvirt-1.1.2/src/qemu/qemu_monitor.c @@ -109,7 +109,7 @@ VIR_ONCE_GLOBAL_INIT(qemuMonitor) VIR_ENUM_IMPL(qemuMonitorMigrationStatus, QEMU_MONITOR_MIGRATION_STATUS_LAST, - "inactive", "active", "completed", "failed", "cancelled") + "inactive", "active", "completed", "failed", "cancelled", "setup") VIR_ENUM_IMPL(qemuMonitorMigrationCaps, QEMU_MONITOR_MIGRATION_CAPS_LAST, Index: libvirt-1.1.2/src/qemu/qemu_monitor.h =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_monitor.h +++ libvirt-1.1.2/src/qemu/qemu_monitor.h @@ -396,6 +396,7 @@ enum { QEMU_MONITOR_MIGRATION_STATUS_COMPLETED, QEMU_MONITOR_MIGRATION_STATUS_ERROR, QEMU_MONITOR_MIGRATION_STATUS_CANCELLED, + QEMU_MONITOR_MIGRATION_STATUS_SETUP, QEMU_MONITOR_MIGRATION_STATUS_LAST }; ++++++ d697b0f3-storage-avoid-short-reads.patch ++++++ >From d697b0f383a23a94d7415b0e02b025eda46ad534 Mon Sep 17 00:00:00 2001 From: Eric Blake <eblake(a)redhat.com> Date: Tue, 5 Nov 2013 10:30:56 -0700 Subject: [PATCH] storage: avoid short reads while chasing backing chain Our backing file chain code was not very robust to an ill-timed EINTR, which could lead to a short read causing us to randomly treat metadata differently than usual. But the existing virFileReadLimFD forces an error if we don't read the entire file, even though we only care about the header of the file. So add a new virFile function that does what we want. * src/util/virfile.h (virFileReadHeaderFD): New prototype. * src/util/virfile.c (virFileReadHeaderFD): New function. * src/libvirt_private.syms (virfile.h): Export it. * src/util/virstoragefile.c (virStorageFileGetMetadataInternal) (virStorageFileProbeFormatFromFD): Use it. Signed-off-by: Eric Blake <eblake(a)redhat.com> (cherry picked from commit 5327fad4f292e4f3f84884ffe158c492bf00519c) Conflicts: src/util/virstoragefile.c: buffer signedness --- src/libvirt_private.syms | 1 + src/util/virfile.c | 21 +++++++++++++++++++++ src/util/virfile.h | 9 ++++++--- src/util/virstoragefile.c | 10 ++-------- 4 files changed, 30 insertions(+), 11 deletions(-) Index: libvirt-1.1.2/src/libvirt_private.syms =================================================================== --- libvirt-1.1.2.orig/src/libvirt_private.syms +++ libvirt-1.1.2/src/libvirt_private.syms @@ -1386,6 +1386,7 @@ virFileOpenAs; virFileOpenTty; virFilePrintf; virFileReadAll; +virFileReadHeaderFD; virFileReadLimFD; virFileResolveAllLinks; virFileResolveLink; Index: libvirt-1.1.2/src/util/virfile.c =================================================================== --- libvirt-1.1.2.orig/src/util/virfile.c +++ libvirt-1.1.2/src/util/virfile.c @@ -1153,6 +1153,27 @@ saferead_lim(int fd, size_t max_len, siz return NULL; } + +/* A wrapper around saferead_lim that merely stops reading at the + * specified maximum size. */ +int +virFileReadHeaderFD(int fd, int maxlen, char **buf) +{ + size_t len; + char *s; + + if (maxlen <= 0) { + errno = EINVAL; + return -1; + } + s = saferead_lim(fd, maxlen, &len); + if (s == NULL) + return -1; + *buf = s; + return len; +} + + /* A wrapper around saferead_lim that maps a failure due to exceeding the maximum size limitation to EOVERFLOW. */ int Index: libvirt-1.1.2/src/util/virfile.h =================================================================== --- libvirt-1.1.2.orig/src/util/virfile.h +++ libvirt-1.1.2/src/util/virfile.h @@ -122,9 +122,12 @@ int virFileNBDDeviceAssociate(const char int virFileDeleteTree(const char *dir); -int virFileReadLimFD(int fd, int maxlen, char **buf) ATTRIBUTE_RETURN_CHECK; - -int virFileReadAll(const char *path, int maxlen, char **buf) ATTRIBUTE_RETURN_CHECK; +int virFileReadHeaderFD(int fd, int maxlen, char **buf) + ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(3); +int virFileReadLimFD(int fd, int maxlen, char **buf) + ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(3); +int virFileReadAll(const char *path, int maxlen, char **buf) + ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3); int virFileWriteStr(const char *path, const char *str, mode_t mode) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_RETURN_CHECK; Index: libvirt-1.1.2/src/util/virstoragefile.c =================================================================== --- libvirt-1.1.2.orig/src/util/virstoragefile.c +++ libvirt-1.1.2/src/util/virstoragefile.c @@ -788,10 +788,7 @@ virStorageFileGetMetadataInternal(const goto cleanup; } - if (VIR_ALLOC_N(buf, len) < 0) - goto cleanup; - - if ((len = read(fd, buf, len)) < 0) { + if ((len = virFileReadHeaderFD(fd, len, (char **)&buf)) < 0) { virReportSystemError(errno, _("cannot read header '%s'"), path); goto cleanup; } @@ -934,15 +931,12 @@ virStorageFileProbeFormatFromFD(const ch return VIR_STORAGE_FILE_DIR; } - if (VIR_ALLOC_N(head, len) < 0) - return -1; - if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { virReportSystemError(errno, _("cannot set to start of '%s'"), path); goto cleanup; } - if ((len = read(fd, head, len)) < 0) { + if ((len = virFileReadHeaderFD(fd, len, (char **)&head)) < 0) { virReportSystemError(errno, _("cannot read header '%s'"), path); goto cleanup; } ++++++ d6b27d3e-CVE-2014-0179.patch ++++++ commit d6b27d3e4c40946efa79e91d134616b41b1666c4 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Tue Apr 15 11:20:29 2014 +0100 LSN-2014-0003: Don't expand entities when parsing XML If the XML_PARSE_NOENT flag is passed to libxml2, then any entities in the input document will be fully expanded. This allows the user to read arbitrary files on the host machine by creating an entity pointing to a local file. Removing the XML_PARSE_NOENT flag means that any entities are left unchanged by the parser, or expanded to "" by the XPath APIs. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/util/virxml.c =================================================================== --- libvirt-1.1.2.orig/src/util/virxml.c +++ libvirt-1.1.2/src/util/virxml.c @@ -746,11 +746,11 @@ virXMLParseHelper(int domcode, if (filename) { xml = xmlCtxtReadFile(pctxt, filename, NULL, - XML_PARSE_NOENT | XML_PARSE_NONET | + XML_PARSE_NONET | XML_PARSE_NOWARNING); } else { xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, - XML_PARSE_NOENT | XML_PARSE_NONET | + XML_PARSE_NONET | XML_PARSE_NOWARNING); } if (!xml) ++++++ db7a5688-CVE-2013-4311.patch ++++++ commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Thu Aug 22 16:00:01 2013 +0100 Also store user & group ID values in virIdentity Future improvements to the polkit code will require access to the numeric user ID, not merely user name. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/rpc/virnetserverclient.c =================================================================== --- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c +++ libvirt-1.1.2/src/rpc/virnetserverclient.c @@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetS char *processid = NULL; char *processtime = NULL; char *username = NULL; + char *userid = NULL; char *groupname = NULL; + char *groupid = NULL; #if WITH_SASL char *saslname = NULL; #endif @@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetS if (!(username = virGetUserName(uid))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)uid) < 0) + goto cleanup; if (!(groupname = virGetGroupName(gid))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)gid) < 0) + goto cleanup; if (virAsprintf(&processid, "%llu", (unsigned long long)pid) < 0) goto cleanup; @@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetS VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0) goto error; + if (userid && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_USER_ID, + userid) < 0) + goto error; if (groupname && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0) goto error; + if (groupid && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, + groupid) < 0) + goto error; if (processid && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, @@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetS cleanup: VIR_FREE(username); + VIR_FREE(userid); VIR_FREE(groupname); + VIR_FREE(groupid); VIR_FREE(processid); VIR_FREE(processtime); VIR_FREE(seccontext); Index: libvirt-1.1.2/src/util/viridentity.c =================================================================== --- libvirt-1.1.2.orig/src/util/viridentity.c +++ libvirt-1.1.2/src/util/viridentity.c @@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr virIdentityPtr virIdentityGetSystem(void) { char *username = NULL; + char *userid = NULL; char *groupname = NULL; + char *groupid = NULL; char *seccontext = NULL; virIdentityPtr ret = NULL; #if WITH_SELINUX @@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void if (!(username = virGetUserName(getuid()))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)getuid()) < 0) + goto cleanup; + if (!(groupname = virGetGroupName(getgid()))) goto cleanup; + if (virAsprintf(&groupid, "%d", (int)getgid()) < 0) + goto cleanup; #if WITH_SELINUX if (getcon(&con) < 0) { @@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void if (!(ret = virIdentityNew())) goto cleanup; - if (username && - virIdentitySetAttr(ret, + if (virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0) goto error; - if (groupname && - virIdentitySetAttr(ret, + if (virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_USER_ID, + userid) < 0) + goto error; + if (virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0) goto error; + if (virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, + groupid) < 0) + goto error; if (seccontext && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_SELINUX_CONTEXT, @@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void cleanup: VIR_FREE(username); + VIR_FREE(userid); VIR_FREE(groupname); + VIR_FREE(groupid); VIR_FREE(seccontext); VIR_FREE(processid); return ret; Index: libvirt-1.1.2/src/util/viridentity.h =================================================================== --- libvirt-1.1.2.orig/src/util/viridentity.h +++ libvirt-1.1.2/src/util/viridentity.h @@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr; typedef enum { VIR_IDENTITY_ATTR_UNIX_USER_NAME, + VIR_IDENTITY_ATTR_UNIX_USER_ID, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, VIR_IDENTITY_ATTR_SASL_USER_NAME, ++++++ e1459c1f-nic-devid.patch ++++++ commit e1459c1fe88068f231bad254733b29287c28d517 Author: Stefan Bader <stefan.bader(a)canonical.com> Date: Wed Jan 8 11:39:19 2014 +0100 libxl: Fix devid init in libxlMakeNicList This basically reverts commit ba64b97134a6129a48684f22f31be92c3b6eef96 "libxl: Allow libxl to set NIC devid". However assigning devid's before calling libxlMakeNic does not work as that is calling libxl_device_nic_init which sets it back to -1. Right now auto-assignment only works in the hotplug case. But even if that would be fixed at some point (if that is possible at all), this would add a weird dependency between Xen and libvirt versions. The change here should accept any auto-assignment that makes it into libxl_device_nic_init. My understanding is that a caller always is allowed to make the devid choice itself. And assuming libxlMakeNicList is only used on domain creation, a sequential numbering should be ok. Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com> Index: libvirt-1.1.2/src/libxl/libxl_conf.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_conf.c +++ libvirt-1.1.2/src/libxl/libxl_conf.c @@ -878,6 +878,13 @@ libxlMakeNicList(virDomainDefPtr def, l for (i = 0; i < nnics; i++) { if (libxlMakeNic(def, l_nics[i], &x_nics[i])) goto error; + /* + * The devid (at least right now) will not get initialized by + * libxl in the setup case but is required for starting the + * device-model. + */ + if (x_nics[i].devid < 0) + x_nics[i].devid = i; } d_config->nics = x_nics; ++++++ e350826c-python-fix-fd-passing.patch ++++++ commit e350826c653b20dd271ab99075d2f224c7451356 Author: Marian Neagul <marian(a)info.uvt.ro> Date: Tue Oct 22 16:03:39 2013 +0100 python: Fix Create*WithFiles filefd passing Commit d76227be added functions virDomainCreateWithFiles and virDomainCreateXMLWithFiles, but there was a little piece missing in python bindings. This patch fixes proper passing of file descriptors in the overwrites of these functions. Index: libvirt-1.1.2/python/libvirt-override.c =================================================================== --- libvirt-1.1.2.orig/python/libvirt-override.c +++ libvirt-1.1.2/python/libvirt-override.c @@ -7149,6 +7149,10 @@ libvirt_virDomainCreateXMLWithFiles(PyOb if (libvirt_intUnwrap(pyfd, &fd) < 0) goto cleanup; + + files[i] = fd; + + files[i] = fd; } LIBVIRT_BEGIN_ALLOW_THREADS; ++++++ e4697b92-CVE-2013-4311.patch ++++++ commit e4697b92abaad16e8e6b41a1e55be9b084d48d5a Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Mon Sep 23 12:46:25 2013 +0100 Fix typo in identity code which is pre-requisite for CVE-2013-4311 The fix for CVE-2013-4311 had a pre-requisite enhancement to the identity code commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Thu Aug 22 16:00:01 2013 +0100 Also store user & group ID values in virIdentity This had a typo which caused the group ID to overwrite the user ID string. This meant any checks using this would have the wrong ID value. This only affected the ACL code, not the initial polkit auth. It also leaked memory. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/rpc/virnetserverclient.c =================================================================== --- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c +++ libvirt-1.1.2/src/rpc/virnetserverclient.c @@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetS goto cleanup; if (!(groupname = virGetGroupName(gid))) goto cleanup; - if (virAsprintf(&userid, "%d", (int)gid) < 0) + if (virAsprintf(&groupid, "%d", (int)gid) < 0) goto cleanup; if (virAsprintf(&processid, "%llu", (unsigned long long)pid) < 0) ++++++ e65667c0-CVE-2013-4311.patch ++++++ commit e65667c0c6e016d42abea077e31628ae43f57b74 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Aug 28 15:22:05 2013 +0100 Ensure system identity includes process start time The polkit access driver will want to use the process start time field. This was already set for network identities, but not for the system identity. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/src/util/viridentity.c =================================================================== --- libvirt-1.1.2.orig/src/util/viridentity.c +++ libvirt-1.1.2/src/util/viridentity.c @@ -35,6 +35,7 @@ #include "virthread.h" #include "virutil.h" #include "virstring.h" +#include "virprocess.h" #define VIR_FROM_THIS VIR_FROM_IDENTITY @@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void security_context_t con; #endif char *processid = NULL; + unsigned long long timestamp; + char *processtime = NULL; if (virAsprintf(&processid, "%llu", (unsigned long long)getpid()) < 0) goto cleanup; + if (virProcessGetStartTime(getpid(), &timestamp) < 0) + goto cleanup; + + if (timestamp != 0 && + virAsprintf(&processtime, "%llu", timestamp) < 0) + goto cleanup; + if (!(username = virGetUserName(getuid()))) goto cleanup; if (virAsprintf(&userid, "%d", (int)getuid()) < 0) @@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, processid) < 0) goto error; + if (processtime && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, + processtime) < 0) + goto error; cleanup: VIR_FREE(username); @@ -206,6 +221,7 @@ cleanup: VIR_FREE(groupid); VIR_FREE(seccontext); VIR_FREE(processid); + VIR_FREE(processtime); return ret; error: ++++++ e7f400a1-CVE-2013-4296.patch ++++++ commit e7f400a110e2e3673b96518170bfea0855dd82c0 Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Tue Sep 3 16:52:06 2013 +0100 Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) The 'stats' variable was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. This is a security flaw, since the API can be called from a readonly connection which can trigger the validation checks. This was introduced in release v0.9.1 onwards by commit 158ba8730e44b7dd07a21ab90499996c5dec080a Author: Daniel P. Berrange <berrange(a)redhat.com> Date: Wed Apr 13 16:21:35 2011 +0100 Merge all returns paths from dispatcher into single path Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com> Index: libvirt-1.1.2/daemon/remote.c =================================================================== --- libvirt-1.1.2.orig/daemon/remote.c +++ libvirt-1.1.2/daemon/remote.c @@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe remote_domain_memory_stats_ret *ret) { virDomainPtr dom = NULL; - struct _virDomainMemoryStat *stats; + struct _virDomainMemoryStat *stats = NULL; int nr_stats; size_t i; int rv = -1; ++++++ ed327dfc-CVE-2014-1447.patch ++++++ commit ed327dfcf4216c1412501b13367b5370de740a22 Author: Jiri Denemark <jdenemar(a)redhat.com> Date: Thu Jan 9 22:26:40 2014 +0100 Don't crash if a connection closes early https://bugzilla.redhat.com/show_bug.cgi?id=1047577 When a client closes its connection to libvirtd early during virConnectOpen, more specifically just after making REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check if VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported without even waiting for the result, libvirtd may crash due to a race in keep-alive initialization. Once receiving the REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, the daemon's event loop delegates it to a worker thread. In case the event loop detects EOF on the connection and calls virNetServerClientClose before the worker thread starts to handle REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, client->keepalive will be disposed by the time virNetServerClientStartKeepAlive gets called from remoteDispatchConnectSupportsFeature. Because the flow is common for both authenticated and read-only connections, even unprivileged clients may cause the daemon to crash. To avoid the crash, virNetServerClientStartKeepAlive needs to check if the connection is still open before starting keep-alive protocol. Every libvirt release since 0.9.8 is affected by this bug. (cherry picked from commit 173c2914734eb5c32df6d35a82bf503e12261bcf) Index: libvirt-1.1.2/src/rpc/virnetserverclient.c =================================================================== --- libvirt-1.1.2.orig/src/rpc/virnetserverclient.c +++ libvirt-1.1.2/src/rpc/virnetserverclient.c @@ -1533,9 +1533,22 @@ cleanup: int virNetServerClientStartKeepAlive(virNetServerClientPtr client) { - int ret; + int ret = -1; + virObjectLock(client); + + /* The connection might have been closed before we got here and thus the + * keepalive object could have been removed too. + */ + if (!client->sock) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("connection not open")); + goto cleanup; + } + ret = virKeepAliveStart(client->keepalive, 0, 0); + +cleanup: virObjectUnlock(client); return ret; } ++++++ f8c1cb90-CVE-2013-6436.patch ++++++ commit f8c1cb90213508c4f32549023b0572ed774e48aa Author: Martin Kletzander <mkletzan(a)redhat.com> Date: Mon Dec 9 11:15:11 2013 +0100 CVE-2013-6436: fix crash in lxcDomainGetMemoryParameters The function doesn't check whether the request is made for active or inactive domain. Thus when the domain is not running it still tries accessing non-existing cgroups (priv->cgroup, which is NULL). I re-made the function in order for it to work the same way it's qemu counterpart does. Reproducer: 1) Define an LXC domain 2) Do 'virsh memtune <domain>' Backtrace: Thread 6 (Thread 0x7fffec8c0700 (LWP 13387)): #0 0x00007ffff70edcc4 in virCgroupPathOfController (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", path=0x7fffec8bf750) at util/vircgroup.c:1764 #1 0x00007ffff70e958c in virCgroupGetValueStr (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf7c0) at util/vircgroup.c:705 #2 0x00007ffff70e9d29 in virCgroupGetValueU64 (group=0x0, controller=3, key=0x7ffff75734bd "memory.limit_in_bytes", value=0x7fffec8bf810) at util/vircgroup.c:804 #3 0x00007ffff70ee706 in virCgroupGetMemoryHardLimit (group=0x0, kb=0x7fffec8bf8a8) at util/vircgroup.c:1962 #4 0x00005555557d590f in lxcDomainGetMemoryParameters (dom=0x7fffd40024a0, params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at lxc/lxc_driver.c:826 #5 0x00007ffff72c28d3 in virDomainGetMemoryParameters (domain=0x7fffd40024a0, params=0x7fffd40027a0, nparams=0x7fffec8bfa24, flags=0) at libvirt.c:4137 #6 0x000055555563714d in remoteDispatchDomainGetMemoryParameters (server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0, ret=0x7fffd4002420) at remote.c:1895 #7 0x00005555556052c4 in remoteDispatchDomainGetMemoryParametersHelper (server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0, rerr=0x7fffec8bfb70, args=0x7fffd40024e0, ret=0x7fffd4002420) at remote_dispatch.h:4050 #8 0x00007ffff73b293f in virNetServerProgramDispatchCall (prog=0x555555ec3ae0, server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0) at rpc/virnetserverprogram.c:435 #9 0x00007ffff73b207f in virNetServerProgramDispatch (prog=0x555555ec3ae0, server=0x555555eb7e00, client=0x555555ebaef0, msg=0x555555ebb3e0) at rpc/virnetserverprogram.c:305 #10 0x00007ffff73a4d2c in virNetServerProcessMsg (srv=0x555555eb7e00, client=0x555555ebaef0, prog=0x555555ec3ae0, msg=0x555555ebb3e0) at rpc/virnetserver.c:165 #11 0x00007ffff73a4e8d in virNetServerHandleJob (jobOpaque=0x555555ebc7e0, opaque=0x555555eb7e00) at rpc/virnetserver.c:186 #12 0x00007ffff7187f3f in virThreadPoolWorker (opaque=0x555555eb7ac0) at util/virthreadpool.c:144 #13 0x00007ffff718733a in virThreadHelper (data=0x555555eb7890) at util/virthreadpthread.c:161 #14 0x00007ffff468ed89 in start_thread (arg=0x7fffec8c0700) at pthread_create.c:308 #15 0x00007ffff3da26bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -795,22 +795,36 @@ lxcDomainGetMemoryParameters(virDomainPt int *nparams, unsigned int flags) { - size_t i; + virCapsPtr caps = NULL; + virDomainDefPtr vmdef = NULL; virDomainObjPtr vm = NULL; + virLXCDomainObjPrivatePtr priv = NULL; + virLXCDriverPtr driver = dom->conn->privateData; unsigned long long val; int ret = -1; - virLXCDomainObjPrivatePtr priv; + size_t i; - virCheckFlags(0, -1); + virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | + VIR_DOMAIN_AFFECT_CONFIG, -1); if (!(vm = lxcDomObjFromDomain(dom))) goto cleanup; priv = vm->privateData; - if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0) + if (virDomainGetMemoryParametersEnsureACL(dom->conn, vm->def) < 0 || + !(caps = virLXCDriverGetCapabilities(driver, false)) || + virDomainLiveConfigHelperMethod(caps, driver->xmlopt, + vm, &flags, &vmdef) < 0) goto cleanup; + if (flags & VIR_DOMAIN_AFFECT_LIVE && + !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) { + virReportError(VIR_ERR_OPERATION_INVALID, + "%s", _("cgroup memory controller is not mounted")); + goto cleanup; + } + if ((*nparams) == 0) { /* Current number of memory parameters supported by cgroups */ *nparams = LXC_NB_MEM_PARAM; @@ -824,22 +838,34 @@ lxcDomainGetMemoryParameters(virDomainPt switch (i) { case 0: /* fill memory hard limit here */ - if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0) + if (flags & VIR_DOMAIN_AFFECT_CONFIG) { + val = vmdef->mem.hard_limit; + val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; + } else if (virCgroupGetMemoryHardLimit(priv->cgroup, &val) < 0) { goto cleanup; + } if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_HARD_LIMIT, VIR_TYPED_PARAM_ULLONG, val) < 0) goto cleanup; break; case 1: /* fill memory soft limit here */ - if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0) + if (flags & VIR_DOMAIN_AFFECT_CONFIG) { + val = vmdef->mem.soft_limit; + val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; + } else if (virCgroupGetMemorySoftLimit(priv->cgroup, &val) < 0) { goto cleanup; + } if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_SOFT_LIMIT, VIR_TYPED_PARAM_ULLONG, val) < 0) goto cleanup; break; case 2: /* fill swap hard limit here */ - if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0) + if (flags & VIR_DOMAIN_AFFECT_CONFIG) { + val = vmdef->mem.swap_hard_limit; + val = val ? val : VIR_DOMAIN_MEMORY_PARAM_UNLIMITED; + } else if (virCgroupGetMemSwapHardLimit(priv->cgroup, &val) < 0) { goto cleanup; + } if (virTypedParameterAssign(param, VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT, VIR_TYPED_PARAM_ULLONG, val) < 0) @@ -860,6 +886,7 @@ lxcDomainGetMemoryParameters(virDomainPt cleanup: if (vm) virObjectUnlock(vm); + virObjectUnref(caps); return ret; } ++++++ fb5a3190-CVE-2014-0028.patch ++++++ commit fb5a3190c6409897744a244c6e0d5e2d52d34b39 Author: Eric Blake <eblake(a)redhat.com> Date: Tue Jan 14 10:29:34 2014 -0700 event: filter global events by domain:getattr ACL [CVE-2014-0028] Ever since ACL filtering was added in commit 7639736 (v1.1.1), a user could still use event registration to obtain access to a domain that they could not normally access via virDomainLookup* or virConnectListAllDomains and friends. We already have the framework in the RPC generator for creating the filter, and previous cleanup patches got us to the point that we can now wire the filter through the entire object event stack. Furthermore, whether or not domain:getattr is honored, use of global events is a form of obtaining a list of networks, which is covered by connect:search_domains added in a93cd08 (v1.1.0). Ideally, we'd have a way to enforce connect:search_domains when doing global registrations while omitting that check on a per-domain registration. But this patch just unconditionally requires connect:search_domains, even when no list could be obtained, based on the following observations: 1. Administrators are unlikely to grant domain:getattr for one or all domains while still denying connect:search_domains - a user that is able to manage domains will want to be able to manage them efficiently, but efficient management includes being able to list the domains they can access. The idea of denying connect:search_domains while still granting access to individual domains is therefore not adding any real security, but just serves as a layer of obscurity to annoy the end user. 2. In the current implementation, domain events are filtered on the client; the server has no idea if a domain filter was requested, and must therefore assume that all domain event requests are global. Even if we fix the RPC protocol to allow for server-side filtering for newer client/server combos, making the connect:serach_domains ACL check conditional on whether the domain argument was NULL won't benefit older clients. Therefore, we choose to document that connect:search_domains is a pre-requisite to any domain event management. Network events need the same treatment, with the obvious change of using connect:search_networks and network:getattr. * src/access/viraccessperm.h (VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS) (VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional effect of the permission. * src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Add new parameter. * src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise. * src/conf/object_event_private.h (virObjectEventStateRegisterID): Likewise. * src/conf/object_event.c (_virObjectEventCallback): Track a filter. (virObjectEventDispatchMatchCallback): Use filter. (virObjectEventCallbackListAddID): Register filter. * src/conf/domain_event.c (virDomainEventFilter): New function. (virDomainEventStateRegister, virDomainEventStateRegisterID): Adjust callers. * src/conf/network_event.c (virNetworkEventFilter): New function. (virNetworkEventStateRegisterID): Adjust caller. * src/remote/remote_protocol.x (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER) (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY) (REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a filter, and require connect:search_domains instead of weaker connect:read. * src/test/test_driver.c (testConnectDomainEventRegister) (testConnectDomainEventRegisterAny) (testConnectNetworkEventRegisterAny): Update callers. * src/remote/remote_driver.c (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Likewise. * src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister) (xenUnifiedConnectDomainEventRegisterAny): Likewise. * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise. * src/libxl/libxl_driver.c (libxlConnectDomainEventRegister) (libxlConnectDomainEventRegisterAny): Likewise. * src/qemu/qemu_driver.c (qemuConnectDomainEventRegister) (qemuConnectDomainEventRegisterAny): Likewise. * src/uml/uml_driver.c (umlConnectDomainEventRegister) (umlConnectDomainEventRegisterAny): Likewise. * src/network/bridge_driver.c (networkConnectNetworkEventRegisterAny): Likewise. * src/lxc/lxc_driver.c (lxcConnectDomainEventRegister) (lxcConnectDomainEventRegisterAny): Likewise. Signed-off-by: Eric Blake <eblake(a)redhat.com> (cherry picked from commit f9f56340539d609cdc2e9d4ab812b9f146c3f100) Conflicts: src/conf/object_event.c - not backporting event refactoring src/conf/object_event_private.h - likewise src/conf/network_event.c - not backporting network events src/conf/network_event.h - likewise src/network/bridge_driver.c - likewise src/access/viraccessperm.h - likewise src/remote/remote_protocol.x - likewise src/conf/domain_event.c - includes code that upstream has in object_event src/conf/domain_event.h - context src/libxl/libxl_driver.c - context src/lxc/lxc_driver.c - context src/remote/remote_driver.c - context, not backporting network events src/test/test_driver.c - context, not backporting network events src/uml/uml_driver.c - context src/xen/xen_driver.c - context Index: libvirt-1.1.2/src/access/viraccessperm.h =================================================================== --- libvirt-1.1.2.orig/src/access/viraccessperm.h +++ libvirt-1.1.2/src/access/viraccessperm.h @@ -1,7 +1,7 @@ /* * viraccessperm.h: access control permissions * - * Copyright (C) 2012-2013 Red Hat, Inc. + * Copyright (C) 2012-2014 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -47,7 +47,7 @@ typedef enum { /** * @desc: List domains - * @message: Listing domains requires authorization + * @message: Listing domains or using domain events requires authorization * @anonymous: 1 */ VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS, Index: libvirt-1.1.2/src/conf/domain_event.c =================================================================== --- libvirt-1.1.2.orig/src/conf/domain_event.c +++ libvirt-1.1.2/src/conf/domain_event.c @@ -32,6 +32,20 @@ #define VIR_FROM_THIS VIR_FROM_NONE +/** + * virObjectEventCallbackFilter: + * @conn: the connection pointer + * @event: the event about to be dispatched + * @opaque: opaque data registered with the filter + * + * Callback to do final filtering for a reason not tracked directly by + * virObjectEventStateRegisterID(). Return false if @event must not + * be sent to @conn. + */ +typedef bool (*virObjectEventCallbackFilter)(virConnectPtr conn, + virDomainEventPtr event, + void *opaque); + struct _virDomainMeta { int id; char *name; @@ -68,6 +82,8 @@ struct _virDomainEventCallback { int eventID; virConnectPtr conn; virDomainMetaPtr dom; + virObjectEventCallbackFilter filter; + void *filter_opaque; virConnectDomainEventGenericCallback cb; void *opaque; virFreeCallback freecb; @@ -337,6 +353,9 @@ virDomainEventCallbackListPurgeMarked(vi * virDomainEventCallbackListAddID: * @conn: pointer to the connection * @cbList: the list + * @dom: optional domain to filter on + * @filter optional last-ditch filter callback + * @filter_opaque: opaque data to pass to @filter * @eventID: the event ID * @callback: the callback to add * @opaque: opaque data tio pass to callback @@ -348,6 +367,8 @@ static int virDomainEventCallbackListAddID(virConnectPtr conn, virDomainEventCallbackListPtr cbList, virDomainPtr dom, + virObjectEventCallbackFilter filter, + void *filter_opaque, int eventID, virConnectDomainEventGenericCallback callback, void *opaque, @@ -394,6 +415,8 @@ virDomainEventCallbackListAddID(virConne memcpy(event->dom->uuid, dom->uuid, VIR_UUID_BUFLEN); event->dom->id = dom->id; } + event->filter = filter; + event->filter_opaque = filter_opaque; /* Make space on list */ if (VIR_REALLOC_N(cbList->callbacks, cbList->count + 1) < 0) @@ -433,6 +456,8 @@ error: * virDomainEventCallbackListAdd: * @conn: pointer to the connection * @cbList: the list + * @filter optional last-ditch filter callback + * @filter_opaque: opaque data to pass to @filter * @callback: the callback to add * @opaque: opaque data tio pass to callback * @@ -441,11 +466,14 @@ error: static int virDomainEventCallbackListAdd(virConnectPtr conn, virDomainEventCallbackListPtr cbList, + virObjectEventCallbackFilter filter, + void *filter_opaque, virConnectDomainEventCallback callback, void *opaque, virFreeCallback freecb) { return virDomainEventCallbackListAddID(conn, cbList, NULL, + filter, filter_opaque, VIR_DOMAIN_EVENT_ID_LIFECYCLE, VIR_DOMAIN_EVENT_CALLBACK(callback), opaque, freecb, NULL); @@ -673,6 +701,32 @@ static virDomainEventPtr virDomainEventN return event; } + +/** + * virDomainEventFilter: + * @conn: pointer to the connection + * @event: the event to check + * @opaque: opaque data holding ACL filter to use + * + * Internal function to run ACL filtering before dispatching an event + */ +static bool +virDomainEventFilter(virConnectPtr conn, virDomainEventPtr event, + void *opaque) +{ + virDomainDef dom; + virDomainObjListFilter filter = opaque; + + /* For now, we just create a virDomainDef with enough contents to + * satisfy what viraccessdriverpolkit.c references. This is a bit + * fragile, but I don't know of anything better. */ + dom.name = event->dom.name; + memcpy(dom.uuid, event->dom.uuid, VIR_UUID_BUFLEN); + + return (filter)(conn, &dom); +} + + virDomainEventPtr virDomainEventNew(int id, const char *name, const unsigned char *uuid, int type, int detail) @@ -1374,6 +1428,9 @@ static int virDomainEventDispatchMatchCa if (cb->eventID != event->eventID) return 0; + if (cb->filter && !(cb->filter)(cb->conn, event, cb->filter_opaque)) + return 0; + if (cb->dom) { /* Deliberately ignoring 'id' for matching, since that * will cause problems when a domain switches between @@ -1503,6 +1560,7 @@ virDomainEventStateFlush(virDomainEventS * virDomainEventStateRegister: * @conn: connection to associate with callback * @state: domain event state + * @filter: optional ACL filter to limit which events can be sent * @callback: function to remove from event * @opaque: data blob to pass to callback * @freecb: callback to free @opaque @@ -1515,6 +1573,7 @@ virDomainEventStateFlush(virDomainEventS int virDomainEventStateRegister(virConnectPtr conn, virDomainEventStatePtr state, + virDomainObjListFilter filter, virConnectDomainEventCallback callback, void *opaque, virFreeCallback freecb) @@ -1535,7 +1594,8 @@ virDomainEventStateRegister(virConnectPt } ret = virDomainEventCallbackListAdd(conn, state->callbacks, - callback, opaque, freecb); + filter ? virDomainEventFilter : NULL, + filter, callback, opaque, freecb); if (ret == -1 && state->callbacks->count == 0 && @@ -1554,6 +1614,7 @@ cleanup: * virDomainEventStateRegisterID: * @conn: connection to associate with callback * @state: domain event state + * @filter: optional ACL filter to limit which events can be sent * @eventID: ID of the event type to register for * @cb: function to remove from event * @opaque: data blob to pass to callback @@ -1568,6 +1629,7 @@ cleanup: int virDomainEventStateRegisterID(virConnectPtr conn, virDomainEventStatePtr state, + virDomainObjListFilter filter, virDomainPtr dom, int eventID, virConnectDomainEventGenericCallback cb, @@ -1590,8 +1652,9 @@ virDomainEventStateRegisterID(virConnect goto cleanup; } - ret = virDomainEventCallbackListAddID(conn, state->callbacks, - dom, eventID, cb, opaque, freecb, + ret = virDomainEventCallbackListAddID(conn, state->callbacks, dom, + filter ? virDomainEventFilter : NULL, + filter, eventID, cb, opaque, freecb, callbackID); if (ret == -1 && Index: libvirt-1.1.2/src/conf/domain_event.h =================================================================== --- libvirt-1.1.2.orig/src/conf/domain_event.h +++ libvirt-1.1.2/src/conf/domain_event.h @@ -1,7 +1,7 @@ /* * domain_event.h: domain event queue processing helpers * - * Copyright (C) 2012 Red Hat, Inc. + * Copyright (C) 2012-2014 Red Hat, Inc. * Copyright (C) 2008 VirtualIron * * This library is free software; you can redistribute it and/or @@ -149,19 +149,21 @@ virDomainEventStateQueue(virDomainEventS ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); int virDomainEventStateRegister(virConnectPtr conn, virDomainEventStatePtr state, + virDomainObjListFilter filter, virConnectDomainEventCallback callback, void *opaque, virFreeCallback freecb) - ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3); + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(4); int virDomainEventStateRegisterID(virConnectPtr conn, virDomainEventStatePtr state, + virDomainObjListFilter filter, virDomainPtr dom, int eventID, virConnectDomainEventGenericCallback cb, void *opaque, virFreeCallback freecb, int *callbackID) - ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5); + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6); int virDomainEventStateDeregister(virConnectPtr conn, virDomainEventStatePtr state, Index: libvirt-1.1.2/src/libxl/libxl_driver.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_driver.c +++ libvirt-1.1.2/src/libxl/libxl_driver.c @@ -4202,6 +4202,7 @@ libxlConnectDomainEventRegister(virConne libxlDriverLock(driver); ret = virDomainEventStateRegister(conn, driver->domainEventState, + virConnectDomainEventRegisterCheckACL, callback, opaque, freecb); libxlDriverUnlock(driver); @@ -4879,6 +4880,7 @@ libxlConnectDomainEventRegisterAny(virCo libxlDriverLock(driver); if (virDomainEventStateRegisterID(conn, driver->domainEventState, + virConnectDomainEventRegisterAnyCheckACL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/lxc/lxc_driver.c =================================================================== --- libvirt-1.1.2.orig/src/lxc/lxc_driver.c +++ libvirt-1.1.2/src/lxc/lxc_driver.c @@ -1295,6 +1295,7 @@ lxcConnectDomainEventRegister(virConnect ret = virDomainEventStateRegister(conn, driver->domainEventState, + virConnectDomainEventRegisterCheckACL, callback, opaque, freecb); return ret; @@ -1335,6 +1336,7 @@ lxcConnectDomainEventRegisterAny(virConn if (virDomainEventStateRegisterID(conn, driver->domainEventState, + virConnectDomainEventRegisterAnyCheckACL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu_driver.c +++ libvirt-1.1.2/src/qemu/qemu_driver.c @@ -9875,6 +9875,7 @@ qemuConnectDomainEventRegister(virConnec if (virDomainEventStateRegister(conn, driver->domainEventState, + virConnectDomainEventRegisterCheckACL, callback, opaque, freecb) < 0) goto cleanup; @@ -9923,6 +9924,7 @@ qemuConnectDomainEventRegisterAny(virCon if (virDomainEventStateRegisterID(conn, driver->domainEventState, + virConnectDomainEventRegisterAnyCheckACL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/remote/remote_driver.c =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_driver.c +++ libvirt-1.1.2/src/remote/remote_driver.c @@ -4292,7 +4292,7 @@ static int remoteConnectDomainEventRegis remoteDriverLock(priv); - if ((count = virDomainEventStateRegister(conn, priv->domainEventState, + if ((count = virDomainEventStateRegister(conn, priv->domainEventState, NULL, callback, opaque, freecb)) < 0) { virReportError(VIR_ERR_RPC, "%s", _("adding cb to list")); goto done; @@ -5078,7 +5078,7 @@ static int remoteConnectDomainEventRegis remoteDriverLock(priv); if ((count = virDomainEventStateRegisterID(conn, - priv->domainEventState, + priv->domainEventState, NULL, dom, eventID, callback, opaque, freecb, &callbackID)) < 0) { Index: libvirt-1.1.2/src/remote/remote_protocol.x =================================================================== --- libvirt-1.1.2.orig/src/remote/remote_protocol.x +++ libvirt-1.1.2/src/remote/remote_protocol.x @@ -1952,7 +1952,7 @@ struct remote_node_device_destroy_args { /* * Events Register/Deregister: - * It would seem rpcgen does not like both args, and ret + * It would seem rpcgen does not like both args and ret * to be null. It will not generate the prototype otherwise. * Pass back a redundant boolean to force prototype generation. */ @@ -3606,7 +3606,8 @@ enum remote_procedure { /** * @generate: none * @priority: high - * @acl: connect:read + * @acl: connect:search_domains + * @aclfilter: domain:getattr */ REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER = 105, @@ -4038,7 +4039,8 @@ enum remote_procedure { /** * @generate: none * @priority: high - * @acl: connect:read + * @acl: connect:search_domains + * @aclfilter: domain:getattr */ REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY = 167, Index: libvirt-1.1.2/src/test/test_driver.c =================================================================== --- libvirt-1.1.2.orig/src/test/test_driver.c +++ libvirt-1.1.2/src/test/test_driver.c @@ -5628,7 +5628,7 @@ testConnectDomainEventRegister(virConnec testDriverLock(driver); ret = virDomainEventStateRegister(conn, - driver->domainEventState, + driver->domainEventState, NULL, callback, opaque, freecb); testDriverUnlock(driver); @@ -5666,7 +5666,7 @@ testConnectDomainEventRegisterAny(virCon testDriverLock(driver); if (virDomainEventStateRegisterID(conn, - driver->domainEventState, + driver->domainEventState, NULL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/uml/uml_driver.c =================================================================== --- libvirt-1.1.2.orig/src/uml/uml_driver.c +++ libvirt-1.1.2/src/uml/uml_driver.c @@ -2618,6 +2618,7 @@ umlConnectDomainEventRegister(virConnect umlDriverLock(driver); ret = virDomainEventStateRegister(conn, driver->domainEventState, + virConnectDomainEventRegisterCheckACL, callback, opaque, freecb); umlDriverUnlock(driver); @@ -2660,6 +2661,7 @@ umlConnectDomainEventRegisterAny(virConn umlDriverLock(driver); if (virDomainEventStateRegisterID(conn, driver->domainEventState, + virConnectDomainEventRegisterAnyCheckACL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/vbox/vbox_tmpl.c =================================================================== --- libvirt-1.1.2.orig/src/vbox/vbox_tmpl.c +++ libvirt-1.1.2/src/vbox/vbox_tmpl.c @@ -7265,7 +7265,7 @@ static int vboxConnectDomainEventRegiste * later you can iterate over them */ - ret = virDomainEventStateRegister(conn, data->domainEvents, + ret = virDomainEventStateRegister(conn, data->domainEvents, NULL, callback, opaque, freecb); VIR_DEBUG("virDomainEventStateRegister (ret = %d) (conn: %p, " "callback: %p, opaque: %p, " @@ -7357,7 +7357,7 @@ static int vboxConnectDomainEventRegiste * later you can iterate over them */ - if (virDomainEventStateRegisterID(conn, data->domainEvents, + if (virDomainEventStateRegisterID(conn, data->domainEvents, NULL, dom, eventID, callback, opaque, freecb, &ret) < 0) ret = -1; Index: libvirt-1.1.2/src/xen/xen_driver.c =================================================================== --- libvirt-1.1.2.orig/src/xen/xen_driver.c +++ libvirt-1.1.2/src/xen/xen_driver.c @@ -2306,6 +2306,7 @@ xenUnifiedConnectDomainEventRegister(vir } ret = virDomainEventStateRegister(conn, priv->domainEvents, + virConnectDomainEventRegisterCheckACL, callback, opaque, freefunc); xenUnifiedUnlock(priv); @@ -2363,6 +2364,7 @@ xenUnifiedConnectDomainEventRegisterAny( } if (virDomainEventStateRegisterID(conn, priv->domainEvents, + virConnectDomainEventRegisterAnyCheckACL, dom, eventID, callback, opaque, freefunc, &ret) < 0) ret = -1; ++++++ fc22b2e7-CVE-2014-3657.patch ++++++ commit fc22b2e74890873848b43fffae43025d22053669 Author: Pavel Hrdina <phrdina(a)redhat.com> Date: Mon Sep 22 18:19:07 2014 +0200 domain_conf: fix domain deadlock If you use public api virConnectListAllDomains() with second parameter set to NULL to get only the number of domains you will lock out all other operations with domains. Introduced by commit 2c680804. Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> Index: libvirt-1.1.2/src/conf/domain_conf.c =================================================================== --- libvirt-1.1.2.orig/src/conf/domain_conf.c +++ libvirt-1.1.2/src/conf/domain_conf.c @@ -18274,7 +18274,7 @@ virDomainListPopulate(void *payload, /* just count the machines */ if (!data->domains) { data->ndomains++; - return; + goto cleanup; } if (!(dom = virGetDomain(data->conn, vm->def->name, vm->def->uuid))) { ++++++ fix-pci-attach-xen-driver.patch ++++++ Fix PCI device attach in xend driver When attaching PCI device using the xend driver, the 'device_create' RPC is called, which is not sufficient to fully prepare/configure the device for attachment to a domain. In the xen tools, xm pci-attach uses the 'device_configure' RPC. This patch changes the xend driver to always call 'device_configure' for PCI devices to be consistent with the usage in the xen tools. Index: libvirt-1.1.2/src/xen/xend_internal.c =================================================================== --- libvirt-1.1.2.orig/src/xen/xend_internal.c +++ libvirt-1.1.2/src/xen/xend_internal.c @@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; char *target = NULL; + int new_dev; virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); @@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr } sexpr = virBufferContentAndReset(&buf); + new_dev = virDomainXMLDevID(conn, minidef, dev, class, ref, sizeof(ref)); - if (virDomainXMLDevID(conn, minidef, dev, class, ref, sizeof(ref))) { + /* always call 'device_configure' for pci device */ + if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && + dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && + dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { + ret = xend_op(conn, def->name, "op", "device_configure", + "config", sexpr, "dev", ref, NULL); + goto cleanup; + } + + if (new_dev) { /* device doesn't exist, define it */ ret = xend_op(conn, def->name, "op", "device_create", "config", sexpr, NULL); ++++++ install-apparmor-profiles.patch ++++++ Index: libvirt-1.1.2/examples/apparmor/Makefile.am =================================================================== --- libvirt-1.1.2.orig/examples/apparmor/Makefile.am +++ libvirt-1.1.2/examples/apparmor/Makefile.am @@ -14,8 +14,45 @@ ## License along with this library. If not, see ## <http://www.gnu.org/licenses/>. -EXTRA_DIST= \ - TEMPLATE \ - libvirt-qemu \ - usr.lib.libvirt.virt-aa-helper \ - usr.sbin.libvirtd +EXTRA_DIST= \ + TEMPLATE \ + libvirt-qemu.in \ + usr.lib.libvirt.virt-aa-helper.in \ + usr.sbin.libvirtd.in + +if WITH_SECDRIVER_APPARMOR + +libvirt-qemu: libvirt-qemu.in + sed \ + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ + +usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in + sed \ + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ + +usr.sbin.libvirtd: usr.sbin.libvirtd.in + sed \ + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ + +install-data-local: libvirt-qemu usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper + mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/ + $(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper + $(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd + mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt + $(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE + mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions + $(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu + +uninstall-local:: + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE + +endif Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null +++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,41 @@ +# Last Modified: Fri Aug 19 11:21:48 2011 +#include <tunables/global> + +@libdir@/libvirt/virt-aa-helper { + #include <abstractions/base> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + + @{PROC}/[0-9]** r, + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + + @libdir@/libvirt/virt-aa-helper mr, + /sbin/apparmor_parser Ux, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /var/lib/kvm/images/ r, + /var/lib/kvm/images/** r, +} Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== --- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,38 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 -#include <tunables/global> - -/usr/lib/libvirt/virt-aa-helper { - #include <abstractions/base> - - # needed for searching directories - capability dac_override, - capability dac_read_search, - - # needed for when disk is on a network filesystem - network inet, - - deny @{PROC}/[0-9]*/mounts r, - @{PROC}/filesystems r, - - # for hostdev - /sys/devices/ r, - /sys/devices/** r, - - /usr/lib/libvirt/virt-aa-helper mr, - /sbin/apparmor_parser Ux, - - /etc/apparmor.d/libvirt/* r, - /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools - audit deny @{HOME}/.* mrwkl, - audit deny @{HOME}/.*/ rw, - audit deny @{HOME}/.*/** mrwkl, - audit deny @{HOME}/bin/ rw, - audit deny @{HOME}/bin/** mrwkl, - @{HOME}/ r, - @{HOME}/** r, - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, -} Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd =================================================================== --- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,52 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 -#include <tunables/global> -@{LIBVIRT}="libvirt" - -/usr/sbin/libvirtd { - #include <abstractions/base> - - capability kill, - capability net_admin, - capability net_raw, - capability setgid, - capability sys_admin, - capability sys_module, - capability sys_ptrace, - capability sys_nice, - capability sys_chroot, - capability setuid, - capability dac_override, - capability dac_read_search, - capability fowner, - capability chown, - capability setpcap, - capability mknod, - capability fsetid, - - network inet stream, - network inet dgram, - network inet6 stream, - network inet6 dgram, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - /** rwmkl, - - /bin/* Ux, - /sbin/* Ux, - /usr/bin/* Ux, - /usr/sbin/* Ux, - - # force the use of virt-aa-helper - audit deny /sbin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, - - # allow changing to our UUID-based named profiles - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null +++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,62 @@ +# Last Modified: Fri Aug 19 11:20:36 2011 +#include <tunables/global> +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd { + #include <abstractions/base> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network packet dgram, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + /** rwmkl, + + /bin/* Ux, + /sbin/* Ux, + /usr/bin/* Ux, + /usr/sbin/* Ux, + /usr/lib/xen/bin/* Ux, + /usr/lib64/xen/bin/* Ux, + /usr/lib/PolicyKit/polkit-read-auth-helper Px, + + # force the use of virt-aa-helper + audit deny /sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /etc/libvirt/hooks/* rix, + /etc/xen/scripts/* rix, + @libdir@/libvirt/* Pxr, + @libdir@/libvirt/libvirt_parthelper Ux, + @libdir@/libvirt/libvirt_iohelper Ux, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu =================================================================== --- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu +++ /dev/null @@ -1,129 +0,0 @@ -# Last Modified: Fri Mar 9 14:43:22 2012 - - #include <abstractions/base> - #include <abstractions/consoles> - #include <abstractions/nameservice> - - # required for reading disk images - capability dac_override, - capability dac_read_search, - capability chown, - - network inet stream, - network inet6 stream, - - /dev/net/tun rw, - /dev/kvm rw, - /dev/ptmx rw, - /dev/kqemu rw, - @{PROC}/*/status r, - - # For hostdev access. The actual devices will be added dynamically - /sys/bus/usb/devices/ r, - /sys/devices/*/*/usb[0-9]*/** r, - - # WARNING: this gives the guest direct access to host hardware and specific - # portions of shared memory. This is required for sound using ALSA with kvm, - # but may constitute a security risk. If your environment does not require - # the use of sound in your VMs, feel free to comment out or prepend 'deny' to - # the rules for files in /dev. - /{dev,run}/shm r, - /{dev,run}/shmpulse-shm* r, - /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, - capability ipc_lock, - # 'kill' is not required for sound and is a security risk. Do not enable - # unless you absolutely need it. - deny capability kill, - - # Uncomment the following if you need access to /dev/fb* - #/dev/fb* rw, - - /etc/pulse/client.conf r, - @{HOME}/.pulse-cookie rwk, - owner /root/.pulse-cookie rwk, - owner /root/.pulse/ rw, - owner /root/.pulse/* rw, - /usr/share/alsa/** r, - owner /tmp/pulse-*/ rw, - owner /tmp/pulse-*/* rw, - /var/lib/dbus/machine-id r, - - # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/bochs/** r, - /usr/share/openbios/** r, - /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - - # access PKI infrastructure - /etc/pki/libvirt-vnc/** r, - - # the various binaries - /usr/bin/kvm rmix, - /usr/bin/qemu rmix, - /usr/bin/qemu-system-arm rmix, - /usr/bin/qemu-system-cris rmix, - /usr/bin/qemu-system-i386 rmix, - /usr/bin/qemu-system-m68k rmix, - /usr/bin/qemu-system-microblaze rmix, - /usr/bin/qemu-system-microblazeel rmix, - /usr/bin/qemu-system-mips rmix, - /usr/bin/qemu-system-mips64 rmix, - /usr/bin/qemu-system-mips64el rmix, - /usr/bin/qemu-system-mipsel rmix, - /usr/bin/qemu-system-ppc rmix, - /usr/bin/qemu-system-ppc64 rmix, - /usr/bin/qemu-system-ppcemb rmix, - /usr/bin/qemu-system-sh4 rmix, - /usr/bin/qemu-system-sh4eb rmix, - /usr/bin/qemu-system-sparc rmix, - /usr/bin/qemu-system-sparc64 rmix, - /usr/bin/qemu-system-x86_64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - /usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-x86_64 rmix, - - # for save and resume - /bin/dash rmix, - /bin/dd rmix, - /bin/cat rmix, - - /usr/libexec/qemu-bridge-helper Cx, - # child profile for bridge helper process - profile /usr/libexec/qemu-bridge-helper { - #include <abstractions/base> - - capability setuid, - capability setgid, - capability setpcap, - capability net_admin, - - network inet stream, - - /dev/net/tun rw, - /etc/qemu/** r, - owner @{PROC}/*/status r, - - /usr/libexec/qemu-bridge-helper rmix, - } Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in =================================================================== --- /dev/null +++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in @@ -0,0 +1,132 @@ +# Last Modified: Fri Mar 9 14:43:22 2012 + + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + capability setgid, + + network inet stream, + network inet6 stream, + + /dev/net/tun rw, + /dev/kvm rw, + /dev/ptmx rw, + /dev/kqemu rw, + @{PROC}/*/status r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/devices/*/*/usb[0-9]*/** r, + + # WARNING: this gives the guest direct access to host hardware and specific + # portions of shared memory. This is required for sound using ALSA with kvm, + # but may constitute a security risk. If your environment does not require + # the use of sound in your VMs, feel free to comment out or prepend 'deny' to + # the rules for files in /dev. + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + /dev/snd/* rw, + capability ipc_lock, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. + deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/kvm/** r, + /usr/share/qemu/** r, + /usr/share/qemu-kvm/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/proll/** r, + /usr/share/vgabios/** r, + /usr/share/seabios/** r, + + # access PKI infrastructure + /etc/pki/libvirt-vnc/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-x86_64 rmix, + + # for save and resume + /bin/dash rmix, + /bin/dd rmix, + /bin/cat rmix, + + @libdir@/qemu-bridge-helper Cx, + # child profile for bridge helper process + profile @libdir@/qemu-bridge-helper { + #include <abstractions/base> + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + @libdir@/qemu-bridge-helper rmix, + } ++++++ libvirt-guests-init-script.patch ++++++ Adjust libvirt-guests init files to conform to SUSE standards Index: libvirt-1.1.2/tools/libvirt-guests.init.in =================================================================== --- libvirt-1.1.2.orig/tools/libvirt-guests.init.in +++ libvirt-1.1.2/tools/libvirt-guests.init.in @@ -3,15 +3,15 @@ # the following is the LSB init header # ### BEGIN INIT INFO -# Provides: libvirt-guests -# Required-Start: libvirtd -# Required-Stop: libvirtd -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 +# Provides: libvirt-guests +# Required-Start: $network $remote_fs libvirtd +# Required-Stop: $network $remote_fs libvirtd +# Default-Start: 3 5 +# Default-Stop: 0 1 2 4 6 # Short-Description: suspend/resume libvirt guests on shutdown/boot -# Description: This is a script for suspending active libvirt guests -# on shutdown and resuming them on next boot -# See http://libvirt.org +# Description: This is a script for suspending active libvirt guests +# on shutdown and resuming them on next boot +# See http://libvirt.org ### END INIT INFO # the following is chkconfig init header Index: libvirt-1.1.2/tools/libvirt-guests.sh.in =================================================================== --- libvirt-1.1.2.orig/tools/libvirt-guests.sh.in +++ libvirt-1.1.2/tools/libvirt-guests.sh.in @@ -16,14 +16,13 @@ # License along with this library. If not, see # <http://www.gnu.org/licenses/>. +. /etc/rc.status +rc_reset + sysconfdir="@sysconfdir@" localstatedir="@localstatedir@" libvirtd="@sbindir@"/libvirtd -# Source function library. -test ! -r "$sysconfdir"/rc.d/init.d/functions || - . "$sysconfdir"/rc.d/init.d/functions - # Source gettext library. # Make sure this file is recognized as having translations: _("dummy") . "@bindir@"/gettext.sh @@ -44,9 +43,11 @@ test -f "$sysconfdir"/sysconfig/libvirt- . "$sysconfdir"/sysconfig/libvirt-guests LISTFILE="$localstatedir"/lib/libvirt/libvirt-guests -VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedir"/lock/subsys/libvirt-guests - -RETVAL=0 +if [ -d "$localstatedir"/lock/subsys ]; then + VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedir"/lock/subsys/libvirt-guests +else + VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedir"/lock/libvirt-guests +fi # retval COMMAND ARGUMENTS... # run command with arguments and convert non-zero return value to 1 and set @@ -54,7 +55,7 @@ RETVAL=0 retval() { "$@" if [ $? -ne 0 ]; then - RETVAL=1 + rc_failed 1 return 1 else return 0 @@ -83,6 +84,25 @@ run_virsh_c() { ( export LC_ALL=C; run_virsh "$@" ) } +await_daemon_up() +{ + uri=$1 + i=1 + rets=10 + run_virsh $uri list > /dev/null 2>&1 + while [ $? -ne 0 -a $i -lt $rets ]; do + sleep 1 + echo -n . + i=$(($i + 1)) + run_virsh $uri list > /dev/null 2>&1 + done + if [ $i -eq $rets ]; then + echo $"libvirt-guests unable to connect to URI: $uri" + return 1 + fi + return 0 +} + # test_connect URI # check if URI is reachable test_connect() @@ -114,7 +134,7 @@ list_guests() { list=$(run_virsh_c "$uri" list --uuid $persistent) if [ $? -ne 0 ]; then - RETVAL=1 + rc_failed 1 return 1 fi @@ -140,7 +160,7 @@ guest_is_on() { guest_running=false id=$(run_virsh "$uri" domid "$uuid") if [ $? -ne 0 ]; then - RETVAL=1 + rc_failed 1 return 1 fi @@ -188,6 +208,12 @@ start() { test_connect "$uri" || continue + await_daemon_up $uri + if [ $? -ne 0 ]; then + echo $"Ignoring guests on $uri URI, can't connect" + continue + fi + eval_gettext "Resuming guests on \$uri URI..."; echo for guest in $list; do name=$(guest_name "$uri" "$guest") @@ -401,7 +427,7 @@ shutdown_guests_parallel() timeout=$(($timeout - 1)) if [ $timeout -le 0 ]; then eval_gettext "Timeout expired while shutting down domains"; echo - RETVAL=1 + rc_failed 1 return fi else @@ -429,7 +455,7 @@ stop() { if [ $SHUTDOWN_TIMEOUT -lt 0 ]; then gettext "SHUTDOWN_TIMEOUT must be equal or greater than 0" echo - RETVAL=6 + rc_failed 6 return fi fi @@ -477,14 +503,14 @@ stop() { if [ $? -ne 0 ]; then eval_gettext "Failed to list persistent guests on \$uri" echo - RETVAL=1 + rc_failed 1 set +f return fi else gettext "Failed to list transient guests" echo - RETVAL=1 + rc_failed 1 set +f return fi @@ -543,14 +569,13 @@ gueststatus() { rh_status() { if [ -f "$LISTFILE" ]; then gettext "stopped, with saved guests"; echo - RETVAL=3 + rc_failed 3 else if [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ]; then gettext "started"; echo - RETVAL=0 else gettext "stopped, with no saved guests"; echo - RETVAL=3 + rc_failed 3 fi fi } @@ -595,4 +620,4 @@ case "$1" in usage ;; esac -exit $RETVAL +rc_exit Index: libvirt-1.1.2/tools/libvirt-guests.sysconf =================================================================== --- libvirt-1.1.2.orig/tools/libvirt-guests.sysconf +++ libvirt-1.1.2/tools/libvirt-guests.sysconf @@ -1,19 +1,29 @@ +## Path: System/Virtualization/libvirt-guests + +## Type: string +## Default: default # URIs to check for running guests # example: URIS='default xen:/// vbox+tcp://host/system lxc:///' -#URIS=default +URIS=default +## Type: string +## Default: start # action taken on host boot # - start all guests which were running on shutdown are started on boot # regardless on their autostart settings # - ignore libvirt-guests init script won't start any guest on boot, however, # guests marked as autostart will still be automatically started by # libvirtd -#ON_BOOT=start +ON_BOOT=start +## Type: integer +## Default: 0 # Number of seconds to wait between each guest start. Set to 0 to allow # parallel startup. -#START_DELAY=0 +START_DELAY=0 +## Type: string +## Default: suspend # action taken on host shutdown # - suspend all running guests are suspended using virsh managedsave # - shutdown all running guests are asked to shutdown. Please be careful with @@ -22,12 +32,16 @@ # which just needs a long time to shutdown. When setting # ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a # value suitable for your guests. -#ON_SHUTDOWN=suspend +ON_SHUTDOWN=suspend +## Type: integer +## Default: 0 # If set to non-zero, shutdown will suspend guests concurrently. Number of # guests on shutdown at any time will not exceed number set in this variable. -#PARALLEL_SHUTDOWN=0 +PARALLEL_SHUTDOWN=0 +## Type: integer +## Default: 300 # Number of seconds we're willing to wait for a guest to shut down. If parallel # shutdown is enabled, this timeout applies as a timeout for shutting down all # guests on a single URI defined in the variable URIS. If this is 0, then there @@ -35,7 +49,9 @@ # request). The default value is 300 seconds (5 minutes). #SHUTDOWN_TIMEOUT=300 +## Type: integer +## Default: 0 # If non-zero, try to bypass the file system cache when saving and # restoring guests, even though this may give slower operation for # some file systems. -#BYPASS_CACHE=0 +BYPASS_CACHE=0 ++++++ libvirt-suse-netcontrol.patch ++++++ Index: libvirt-1.1.2/configure.ac =================================================================== --- libvirt-1.1.2.orig/configure.ac +++ libvirt-1.1.2/configure.ac @@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS LIBVIRT_CHECK_FUSE LIBVIRT_CHECK_HAL LIBVIRT_CHECK_NETCF +LIBVIRT_CHECK_NETCONTROL LIBVIRT_CHECK_NUMACTL LIBVIRT_CHECK_OPENWSMAN LIBVIRT_CHECK_PCIACCESS @@ -2298,11 +2299,12 @@ if test "$with_libvirtd" = "no" ; then with_interface=no fi -dnl The interface driver depends on the netcf library or udev library -case $with_interface:$with_netcf:$with_udev in +dnl The interface driver depends on the netcf library, netcontrol library, or +dnl udev library +case $with_interface:$with_netcf:$with_netcontrol:$with_udev in check:*yes*) with_interface=yes ;; check:no:no) with_interface=no ;; - yes:no:no) AC_MSG_ERROR([Requested the Interface driver without netcf or udev support]) ;; + yes:no:no) AC_MSG_ERROR([Requested the Interface driver without netcf, netcontrol, or udev support]) ;; esac if test "$with_interface" = "yes" ; then @@ -2610,6 +2612,7 @@ LIBVIRT_RESULT_DBUS LIBVIRT_RESULT_FUSE LIBVIRT_RESULT_HAL LIBVIRT_RESULT_NETCF +LIBVIRT_RESULT_NETCONTROL LIBVIRT_RESULT_NUMACTL LIBVIRT_RESULT_OPENWSMAN LIBVIRT_RESULT_PCIACCESS Index: libvirt-1.1.2/src/Makefile.am =================================================================== --- libvirt-1.1.2.orig/src/Makefile.am +++ libvirt-1.1.2/src/Makefile.am @@ -754,6 +754,10 @@ if WITH_NETCF INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_netcf.c endif +if WITH_NETCONTROL +INTERFACE_DRIVER_SOURCES += \ + interface/interface_backend_netcf.c +endif if WITH_UDEV INTERFACE_DRIVER_SOURCES += \ interface/interface_backend_udev.c @@ -1314,11 +1318,16 @@ if WITH_NETCF libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS) libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS) else +if WITH_NETCONTROL +libvirt_driver_interface_la_CFLAGS += $(NETCONTROL_CFLAGS) +libvirt_driver_interface_la_LIBADD += $(NETCONTROL_LIBS) +else if WITH_UDEV libvirt_driver_interface_la_CFLAGS += $(UDEV_CFLAGS) libvirt_driver_interface_la_LIBADD += $(UDEV_LIBS) endif endif +endif if WITH_DRIVER_MODULES libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la libvirt_driver_interface_la_LDFLAGS += -module -avoid-version Index: libvirt-1.1.2/tools/virsh.c =================================================================== --- libvirt-1.1.2.orig/tools/virsh.c +++ libvirt-1.1.2/tools/virsh.c @@ -2864,6 +2864,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE vshPrint(ctl, " Interface"); # if defined(WITH_NETCF) vshPrint(ctl, " netcf"); +# elif defined(WITH_NETCONTROL) + vshPrint(ctl, " netcontrol"); # elif defined(WITH_UDEV) vshPrint(ctl, " udev"); # endif Index: libvirt-1.1.2/src/interface/interface_backend_netcf.c =================================================================== --- libvirt-1.1.2.orig/src/interface/interface_backend_netcf.c +++ libvirt-1.1.2/src/interface/interface_backend_netcf.c @@ -23,7 +23,12 @@ #include <config.h> -#include <netcf.h> +#ifdef WITH_NETCONTROL +# include <netcontrol/netcf.h> +# include <netcontrol/logger.h> +#else +# include <netcf.h> +#endif #include "virerror.h" #include "datatypes.h" @@ -54,6 +59,38 @@ static void interfaceDriverUnlock(struct virMutexUnlock(&driver->lock); } +#ifdef WITH_NETCONTROL +static void +interface_nc_log_driver(const char *category, + int priority, + const char *func, + const char *file, + long long line, + const char *msg, + size_t len ATTRIBUTE_UNUSED) +{ + int vp; + + switch(priority) { + case NC_LOG_FATAL: + case NC_LOG_ERROR: + vp = VIR_LOG_ERROR; + break; + case NC_LOG_WARN: + vp = VIR_LOG_WARN; + break; + case NC_LOG_INFO: + vp = VIR_LOG_INFO; + break; + case NC_LOG_DEBUG: + default: + vp = VIR_LOG_DEBUG; + break; + } + virLogMessage(VIR_LOG_FROM_FILE, vp, file, line, func, 0, "%s", msg); +} +#endif + /* * Get a minimal virInterfaceDef containing enough metadata * for access control checks to be performed. Currently @@ -164,6 +201,10 @@ static virDrvOpenStatus netcfInterfaceOp goto mutex_error; } +#ifdef WITH_NETCONTROL + nc_logger_redirect_to(interface_nc_log_driver); +#endif + /* open netcf */ if (ncf_init(&driverState->netcf, NULL) != 0) { Index: libvirt-1.1.2/src/interface/interface_driver.c =================================================================== --- libvirt-1.1.2.orig/src/interface/interface_driver.c +++ libvirt-1.1.2/src/interface/interface_driver.c @@ -28,8 +28,15 @@ interfaceRegister(void) { if (netcfIfaceRegister() == 0) return 0; #endif /* WITH_NETCF */ +#ifdef WITH_NETCONTROL + /* Attempt to load the netcontrol based backend, which is a slightly + patched netcf backend */ + if (netcfIfaceRegister() == 0) + return 0; +#endif /* WITH_NETCONTROL */ #if WITH_UDEV - /* If there's no netcf or it failed to load, register the udev backend */ + /* If there's no netcf or netcontrol, or it failed to load, register the + udev backend */ if (udevIfaceRegister() == 0) return 0; #endif /* WITH_UDEV */ Index: libvirt-1.1.2/m4/virt-netcontrol.m4 =================================================================== --- /dev/null +++ libvirt-1.1.2/m4/virt-netcontrol.m4 @@ -0,0 +1,35 @@ +dnl The libnetcontrol library +dnl +dnl Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +dnl +dnl This library is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU Lesser General Public +dnl License as published by the Free Software Foundation; either +dnl version 2.1 of the License, or (at your option) any later version. +dnl +dnl This library is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl Lesser General Public License for more details. +dnl +dnl You should have received a copy of the GNU Lesser General Public +dnl License along with this library. If not, see +dnl <http://www.gnu.org/licenses/>. +dnl + +AC_DEFUN([LIBVIRT_CHECK_NETCONTROL],[ + LIBVIRT_CHECK_PKG([NETCONTROL], [netcontrol], [0.2.0]) + + if test "$with_netcontrol" = "yes" ; then + old_CFLAGS="$CFLAGS" + old_LIBS="$CFLAGS" + CFLAGS="$CFLAGS $NETCONTROL_CFLAGS" + LIBS="$LIBS $NETCONTROL_LIBS" + CFLAGS="$old_CFLAGS" + LIBS="$old_LIBS" + fi +]) + +AC_DEFUN([LIBVIRT_RESULT_NETCONTROL],[ + LIBVIRT_RESULT_LIB([NETCONTROL]) +]) ++++++ libvirtd-defaults.patch ++++++ Index: libvirt-1.1.2/daemon/libvirtd.conf =================================================================== --- libvirt-1.1.2.orig/daemon/libvirtd.conf +++ libvirt-1.1.2/daemon/libvirtd.conf @@ -18,8 +18,8 @@ # It is necessary to setup a CA and issue server certificates before # using this capability. # -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 +# This is disabled by default, uncomment this to enable it +#listen_tls = 1 # Listen for unencrypted TCP connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to Index: libvirt-1.1.2/daemon/libvirtd-config.c =================================================================== --- libvirt-1.1.2.orig/daemon/libvirtd-config.c +++ libvirt-1.1.2/daemon/libvirtd-config.c @@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT if (VIR_ALLOC(data) < 0) return NULL; - data->listen_tls = 1; + data->listen_tls = 0; data->listen_tcp = 0; if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 || ++++++ libvirtd-init-script.patch ++++++ Adjust libvirtd sysconfig file to conform to SUSE standards Index: libvirt-1.1.2/daemon/libvirtd.sysconf =================================================================== --- libvirt-1.1.2.orig/daemon/libvirtd.sysconf +++ libvirt-1.1.2/daemon/libvirtd.sysconf @@ -1,16 +1,25 @@ +## Path: System/Virtualization/libvirt + +## Type: string +## Default: /etc/libvirt/libvirtd.conf # Override the default config file # NOTE: This setting is no longer honoured if using # systemd. Set '--config /etc/libvirt/libvirtd.conf' # in LIBVIRTD_ARGS instead. -#LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf +LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf -# Listen for TCP/IP connections -# NB. must setup TLS/SSL keys prior to using this -#LIBVIRTD_ARGS="--listen" +## Type: string +## Default: --listen +# Arguments to pass to libvirtd +LIBVIRTD_ARGS="--listen" +## Type: string +## Default: none # Override Kerberos service keytab for SASL/GSSAPI #KRB5_KTNAME=/etc/libvirt/krb5.tab +## Type: string +## Default: none # Override the QEMU/SDL default audio driver probing when # starting virtual machines using SDL graphics # @@ -20,5 +29,7 @@ # #SDL_AUDIODRIVER=pulse -# Override the maximum number of opened files -#LIBVIRTD_NOFILES_LIMIT=2048 +## Type: integer +## Default: 2048 +## Override the maximum number of opened files +LIBVIRTD_NOFILES_LIMIT=2048 ++++++ libvirtd-relocation-server.fw ++++++ ## Name: Libvirtd Relocation Server ## Description: Enables libvirtd plain relocation service TCP="49152:49215" ++++++ libvirtd.init ++++++ #!/bin/sh # the following is the LSB init header see # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-ge… # ### BEGIN INIT INFO # Provides: libvirtd # Required-Start: $network $remote_fs # Should-Start: xend cgconfig # Default-Start: 3 5 # Required-Stop: $network $remote_fs # Should-Stop: xend cgconfig # Default-Stop: 0 1 2 4 6 # Short-Description: daemon for libvirt virtualization API # Description: This is a daemon for managing QEMU guest instances # and libvirt virtual networks # See http://libvirt.org ### END INIT INFO LIBVIRTD_BIN=/usr/sbin/libvirtd LIBVIRTD_PIDFILE=/var/run/libvirtd.pid test -x $LIBVIRTD_BIN || { echo "$LIBVIRD_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } . /etc/rc.status rc_reset test -f /etc/sysconfig/libvirtd && . /etc/sysconfig/libvirtd LIBVIRTD_CONFIG_ARGS= if [ -n "$LIBVIRTD_CONFIG" ] then LIBVIRTD_CONFIG_ARGS="--config $LIBVIRTD_CONFIG" fi case "$1" in start) if [ -e $LIBVIRTD_PIDFILE ]; then if checkproc $LIBVIRTD_BIN ; then echo -n "libvirtd is already running." rc_status -v exit else echo "Removing stale PID file $LIBVIRTD_PIDFILE." rm -f $LIBVIRTD_PIDFILE fi fi echo -n "Starting libvirtd " mkdir -p /var/cache/libvirt rm -rf /var/cache/libvirt/* # LIBVIRTD_NOFILES_LIMIT from /etc/sysconfig/libvirtd is not handled # automatically if [ -n "$LIBVIRTD_NOFILES_LIMIT" ]; then ulimit -n "$LIBVIRTD_NOFILES_LIMIT" fi startproc $LIBVIRTD_BIN --daemon $LIBVIRTD_CONFIG_ARGS $LIBVIRTD_ARGS rc_status -v ;; stop) echo -n "Shutting down libvirtd " rm -rf /var/cache/libvirt/* killproc -TERM $LIBVIRTD_BIN > /dev/null 2>&1 rm -f $LIBVIRTD_PIDFILE rc_status -v ;; try-restart) $0 status >/dev/null && $0 restart rc_status ;; restart) $0 stop $0 start rc_status ;; reload) killproc -HUP $LIBVIRTD_BIN rc_status -v ;; status) echo -n "Checking status of libvirtd " checkproc $LIBVIRTD_BIN rc_status -v ;; *) echo "Usage: $0 {start|stop|restart|try-restart|reload|status}" rc_failed 2 rc_exit ;; esac rc_exit ++++++ libxl-hvm-vnc.patch ++++++ Index: libvirt-1.1.2/src/libxl/libxl_conf.c =================================================================== --- libvirt-1.1.2.orig/src/libxl/libxl_conf.c +++ libvirt-1.1.2/src/libxl/libxl_conf.c @@ -524,6 +524,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de } static int +libxlFixupDomBuildInfo(virDomainDefPtr def, libxl_domain_config *d_config) +{ + libxl_domain_build_info *b_info = &d_config->b_info; + int hvm = STREQ(def->os.type, "hvm"); + libxl_device_vfb vfb; + + if (!hvm) + return 0; + + if (d_config->num_vfbs) { + vfb = d_config->vfbs[0]; + if (libxl_defbool_val(vfb.vnc.enable)) + memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info)); + else if (libxl_defbool_val(vfb.sdl.enable)) + memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info)); + else + return -1; + } + + return 0; +} + + +static int libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config) { virDomainDefPtr def = vm->def; @@ -1040,6 +1064,9 @@ libxlBuildDomainConfig(libxlDriverPrivat if (libxlMakeVfbList(driver, def, d_config) < 0) return -1; + if (libxlFixupDomBuildInfo(def, d_config) < 0) + return -1; + d_config->on_reboot = def->onReboot; d_config->on_poweroff = def->onPoweroff; d_config->on_crash = def->onCrash; ++++++ support-managed-pci-xen-driver.patch ++++++ >From 5aeda96eafd230af55343e7ef835e081ded484aa Mon Sep 17 00:00:00 2001 From: Chunyan Liu <cyliu(a)suse.com> Date: Fri, 25 Jan 2013 17:37:14 +0800 Subject: [PATCH] support managed pci devices in xen driver --- src/xenxs/xen_sxpr.c | 22 ++++++++-------------- src/xenxs/xen_xm.c | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 15 deletions(-) Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c =================================================================== --- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c +++ libvirt-1.1.2/src/xenxs/xen_sxpr.c @@ -993,6 +993,7 @@ xenParseSxprPCI(virDomainDefPtr def, int busID; int slotID; int funcID; + bool managed; node = cur->u.s.car; if (!sexpr_lookup(node, "dev")) @@ -1040,11 +1041,13 @@ xenParseSxprPCI(virDomainDefPtr def, goto error; } + managed = sexpr_int(node, "dev/opts/managed"); + if (!(dev = virDomainHostdevDefAlloc())) goto error; dev->mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS; - dev->managed = false; + dev->managed = managed ? true : false; dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; dev->source.subsys.u.pci.addr.domain = domainID; dev->source.subsys.u.pci.addr.bus = busID; @@ -1990,11 +1993,15 @@ static void xenFormatSxprPCI(virDomainHostdevDefPtr def, virBufferPtr buf) { - virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x))", + virBufferAsprintf(buf, "(dev (domain 0x%04x)(bus 0x%02x)(slot 0x%02x)(func 0x%x)", def->source.subsys.u.pci.addr.domain, def->source.subsys.u.pci.addr.bus, def->source.subsys.u.pci.addr.slot, def->source.subsys.u.pci.addr.function); + + if (def->managed) + virBufferAddLit(buf, "(opts (managed 1))"); + virBufferAddLit(buf, ")"); } @@ -2013,12 +2020,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP virBufferPtr buf, int detach) { - if (def->managed) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("managed PCI devices not supported with XenD")); - return -1; - } - virBufferAddLit(buf, "(pci "); xenFormatSxprPCI(def, buf); if (detach) @@ -2073,12 +2074,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def, for (i = 0; i < def->nhostdevs; i++) { if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { - if (def->hostdevs[i]->managed) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("managed PCI devices not supported with XenD")); - return -1; - } - xenFormatSxprPCI(def->hostdevs[i], buf); } } Index: libvirt-1.1.2/src/xenxs/xen_xm.c =================================================================== --- libvirt-1.1.2.orig/src/xenxs/xen_xm.c +++ libvirt-1.1.2/src/xenxs/xen_xm.c @@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf int busID; int slotID; int funcID; + char *opt; + int managed = 0; domain[0] = bus[0] = slot[0] = func[0] = '\0'; @@ -811,6 +813,11 @@ xenParseXM(virConfPtr conf, int xendConf /* pci=['0000:00:1b.0','0000:00:13.0'] */ if (!(key = list->str)) goto skippci; + + opt = strchr(key, ','); + if (opt) + opt++; + if (!(nextkey = strchr(key, ':'))) goto skippci; @@ -859,10 +866,30 @@ xenParseXM(virConfPtr conf, int xendConf if (virStrToLong_i(func, NULL, 16, &funcID) < 0) goto skippci; + if (opt) { + char opt_managed[2]; + char *data; + + opt_managed[0] = '\0'; + data = strchr(opt, '='); + data++; + + if (STRPREFIX(opt, "managed=")) { + if (virStrncpy(opt_managed, data, 1, sizeof(opt_managed)) == NULL) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("managed option %s too big for destination"), + data); + goto skippci; + } + } + if (virStrToLong_i(opt_managed, NULL, 10, &managed) < 0) + goto skippci; + } + if (!(hostdev = virDomainHostdevDefAlloc())) goto cleanup; - hostdev->managed = false; + hostdev->managed = managed ? true : false; hostdev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI; hostdev->source.subsys.u.pci.addr.domain = domainID; hostdev->source.subsys.u.pci.addr.bus = busID; ++++++ suse-qemu-conf.patch ++++++ Index: libvirt-1.1.2/src/qemu/qemu.conf =================================================================== --- libvirt-1.1.2.orig/src/qemu/qemu.conf +++ libvirt-1.1.2/src/qemu/qemu.conf @@ -175,7 +175,16 @@ # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. # +# SUSE Note: +# Currently, Apparmor is the default security framework in SUSE +# distros. If Apparmor is enabled on the host, libvirtd is +# generously confined but users must opt-in to confine qemu +# instances. Change this to 'apparmor' to enable Apparmor +# confinement of qemu instances. +# #security_driver = "selinux" +# security_driver = "apparmor" +security_driver = "none" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests @@ -371,6 +380,15 @@ #allow_disk_format_probing = 1 +# SUSE note: +# Many lock managers, sanlock included, will kill the resources +# they protect when terminated. E.g. the sanlock daemon will kill +# any virtual machines for which it holds disk leases when the +# daemon is stopped or restarted. Administrators must be vigilant +# when enabling a lock manager since simply updating the manager +# may cause it to be restarted, potentially killing the resources +# it protects. +# # To enable 'Sanlock' project based locking of the file # content (to prevent two VMs writing to the same # disk), uncomment this ++++++ systemd-service-xen.patch ++++++ Index: libvirt-1.1.2/daemon/libvirtd.service.in =================================================================== --- libvirt-1.1.2.orig/daemon/libvirtd.service.in +++ libvirt-1.1.2/daemon/libvirtd.service.in @@ -9,6 +9,8 @@ Before=libvirt-guests.service After=network.target After=dbus.service After=iscsid.service +Wants=xencommons.service +After=xencommons.service [Service] Type=notify ++++++ virtlockd-init-script.patch ++++++ Adjust virtlockd init files to conform to SUSE standards Index: libvirt-1.1.2/src/locking/virtlockd.sysconf =================================================================== --- libvirt-1.1.2.orig/src/locking/virtlockd.sysconf +++ libvirt-1.1.2/src/locking/virtlockd.sysconf @@ -1,3 +1,7 @@ +## Path: System/Virtualization/virtlockd + +## Type: string +## Default: "" # # Pass extra arguments to virtlockd #VIRTLOCKD_ARGS= Index: libvirt-1.1.2/src/locking/virtlockd.init.in =================================================================== --- libvirt-1.1.2.orig/src/locking/virtlockd.init.in +++ libvirt-1.1.2/src/locking/virtlockd.init.in @@ -4,11 +4,13 @@ # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-ge… # ### BEGIN INIT INFO -# Provides: virtlockd -# Default-Start: 3 4 5 +# Provides: virtlockd +# Required-Start: $network $remote_fs +# Default-Start: 3 4 5 +# Required-Stop: $network $remote_fs # Short-Description: virtual machine lock manager -# Description: This is a daemon for managing locks -# on virtual machine disk images +# Description: This is a daemon for managing locks +# on virtual machine disk images ### END INIT INFO # the following is chkconfig init header @@ -23,35 +25,33 @@ # pidfile: @localstatedir@/run/libvirt/virtlockd.pid # -# Source function library. -. @sysconfdir@/rc.d/init.d/functions +. @sysconfdir@/rc.status +rc_reset SERVICE=virtlockd -PROCESS=virtlockd -PIDFILE=@localstatedir@/run/libvirt/lockd/$SERVICE.pid +PROCESS=@sbindir@/virtlockd +PIDDIR=@localstatedir@/run/libvirt/lockd/ +PIDFILE=$PIDDIR/$SERVICE.pid VIRTLOCKD_ARGS= test -f @sysconfdir@/sysconfig/virtlockd && . @sysconfdir@/sysconfig/virtlockd -RETVAL=0 - start() { - echo -n $"Starting $SERVICE daemon: " - daemon --pidfile $PIDFILE --check $SERVICE $PROCESS --daemon $VIRTLOCKD_ARGS + echo -n $"Starting $SERVICE " + test -d $PIDDIR || mkdir -p $PIDDIR + startproc -p $PIDFILE $PROCESS --pid-file $PIDFILE --daemon $VIRTLOCKD_ARGS RETVAL=$? - echo - [ $RETVAL -eq 0 ] && touch @localstatedir@/lock/subsys/$SERVICE + rc_status -v } stop() { - echo -n $"Stopping $SERVICE daemon: " + echo -n $"Stopping $SERVICE " - killproc -p $PIDFILE $PROCESS + killproc -p $PIDFILE $PROCESS > /dev/null 2>&1 RETVAL=$? - echo + rc_status -v if [ $RETVAL -eq 0 ]; then - rm -f @localstatedir@/lock/subsys/$SERVICE rm -f $PIDFILE fi } @@ -65,9 +65,7 @@ reload() { echo -n $"Reloading $SERVICE configuration: " killproc -p $PIDFILE $PROCESS -HUP - RETVAL=$? - echo - return $RETVAL + rc_status } # See how we were called. @@ -76,18 +74,20 @@ case "$1" in $1 ;; status) - status -p $PIDFILE $PROCESS - RETVAL=$? + echo -n "Checking status of $SERVICE " + checkproc $PROCESS + rc_status -v ;; force-reload) reload ;; condrestart|try-restart) - [ -f @localstatedir@/lock/subsys/$SERVICE ] && restart || : + $0 status >/dev/null && restart || : ;; *) echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|force-reload|try-restart}" - exit 2 + rc_failed 2 + rc_exit ;; esac -exit $RETVAL +rc_exit ++++++ xen-name-for-devid.patch ++++++ Do not search xenstore for disk/network/PCI device IDs Disk, network, and PCI devices can be referenced by name in Xen, e.g. when modifying their configuration or remvoving them. As such, don't search xenstore for a device ID corresponding to these devices. Instead, search the devices contained in the domain definition and use the devices's target name if found. Note that for network devices, the mac address is used for the device name. For PCI devices, the bdf (bus:dev:fun) specifier is used for the device name. This approach allows removing a disk/network/PCI device when domain is inactive. We obviously can't search xenstore when the domain is inactive. Index: libvirt-1.1.2/src/xen/xend_internal.c =================================================================== --- libvirt-1.1.2.orig/src/xen/xend_internal.c +++ libvirt-1.1.2/src/xen/xend_internal.c @@ -70,7 +70,7 @@ #define XEND_RCV_BUF_MAX_LEN (256 * 1024) static int -virDomainXMLDevID(virConnectPtr conn, virDomainDefPtr domain, +virDomainXMLDevID(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainDefPtr domain, virDomainDeviceDefPtr dev, char *class, char *ref, int ref_len); @@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c * Returns 0 in case of success, -1 in case of failure. */ static int -virDomainXMLDevID(virConnectPtr conn, +virDomainXMLDevID(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainDefPtr def, virDomainDeviceDefPtr dev, char *class, char *ref, int ref_len) { - xenUnifiedPrivatePtr priv = conn->privateData; - char *xref; - char *tmp; + unsigned int i; if (dev->type == VIR_DOMAIN_DEVICE_DISK) { + if (dev->data.disk->dst == NULL) + return -1; if (dev->data.disk->driverName && STREQ(dev->data.disk->driverName, "tap")) strcpy(class, "tap"); @@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn, else strcpy(class, "vbd"); - if (dev->data.disk->dst == NULL) - return -1; - xenUnifiedLock(priv); - xref = xenStoreDomainGetDiskID(conn, def->id, - dev->data.disk->dst); - xenUnifiedUnlock(priv); - if (xref == NULL) - return -1; - - tmp = virStrcpy(ref, xref, ref_len); - VIR_FREE(xref); - if (tmp == NULL) - return -1; + /* For disks, the device name can be used directly. */ + for (i = 0; i < def->ndisks; i++) { + virDomainDiskDefPtr disk = def->disks[i]; + if (STREQ(dev->data.disk->dst, disk->dst)) { + if (virStrcpy(ref, disk->dst, ref_len) == NULL) + return -1; + else + return 0; + } + } + return -1; } else if (dev->type == VIR_DOMAIN_DEVICE_NET) { char mac[VIR_MAC_STRING_BUFLEN]; virDomainNetDefPtr netdef = dev->data.net; @@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "vif"); - xenUnifiedLock(priv); - xref = xenStoreDomainGetNetworkID(conn, def->id, mac); - xenUnifiedUnlock(priv); - if (xref == NULL) - return -1; - - tmp = virStrcpy(ref, xref, ref_len); - VIR_FREE(xref); - if (tmp == NULL) - return -1; + /* For nics, the mac address can be used directly. */ + for (i = 0; i < def->nnets; i++) { + char dst_mac[30]; + virDomainNetDefPtr dst_net = def->nets[i]; + snprintf(dst_mac, sizeof(dst_mac), "%02x:%02x:%02x:%02x:%02x:%02x", + dst_net->mac.addr[0], dst_net->mac.addr[1], + dst_net->mac.addr[2], dst_net->mac.addr[3], + dst_net->mac.addr[4], dst_net->mac.addr[5]); + if (STREQ(mac, dst_mac)) { + if (virStrcpy(ref, dst_mac, ref_len) == NULL) + return -1; + else + return 0; + } + } + return -1; } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { @@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "pci"); - xenUnifiedLock(priv); - xref = xenStoreDomainGetPCIID(conn, def->id, bdf); - xenUnifiedUnlock(priv); - VIR_FREE(bdf); - if (xref == NULL) - return -1; + /* For PCI devices, the device BFD can be used directly. */ + for (i = 0 ; i < def->nhostdevs ; i++) { + char *dst_bdf; + virDomainHostdevDefPtr hostdev = def->hostdevs[i]; + + if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) + continue; + if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) + continue; + + if (virAsprintf(&dst_bdf, "%04x:%02x:%02x.%0x", + hostdev->source.subsys.u.pci.addr.domain, + hostdev->source.subsys.u.pci.addr.bus, + hostdev->source.subsys.u.pci.addr.slot, + hostdev->source.subsys.u.pci.addr.function) < 0) { + virReportOOMError(); + VIR_FREE(bdf); + return -1; + } - tmp = virStrcpy(ref, xref, ref_len); - VIR_FREE(xref); - if (tmp == NULL) - return -1; + if (STREQ(bdf, dst_bdf)) { + if (virStrcpy(ref, dst_bdf, ref_len) == NULL) { + virReportOOMError(); + VIR_FREE(dst_bdf); + VIR_FREE(bdf); + return -1; + } + else { + VIR_FREE(dst_bdf); + VIR_FREE(bdf); + return 0; + } + } + VIR_FREE(dst_bdf); + } + + VIR_FREE(bdf); + return -1; } else { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("hotplug of device type not supported")); ++++++ xen-pv-cdrom.patch ++++++ Index: libvirt-1.1.2/src/xenxs/xen_sxpr.c =================================================================== --- libvirt-1.1.2.orig/src/xenxs/xen_sxpr.c +++ libvirt-1.1.2/src/xenxs/xen_sxpr.c @@ -327,7 +327,7 @@ error: static int xenParseSxprDisks(virDomainDefPtr def, const struct sexpr *root, - int hvm, + int hvm ATTRIBUTE_UNUSED, int xendConfigVersion) { const struct sexpr *cur, *node; @@ -378,7 +378,6 @@ xenParseSxprDisks(virDomainDefPtr def, /* There is a case without the uname to the CD-ROM device */ offset = strchr(dst, ':'); if (!offset || - !hvm || STRNEQ(offset, ":cdrom")) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("domain information incomplete, vbd has no src")); -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit python3-psutil for openSUSE:Factory
by root＠hilbert.suse.de 05 Feb '15

05 Feb '15

Hello community, here is the log from the commit of package python3-psutil for openSUSE:Factory checked in at 2015-02-05 11:01:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-psutil (Old) and /work/SRC/openSUSE:Factory/.python3-psutil.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python3-psutil" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-psutil/python3-psutil.changes 2015-01-08 23:02:43.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.python3-psutil.new/python3-psutil.changes 2015-02-05 11:01:40.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Feb 4 17:57:45 UTC 2015 - arun(a)gmx.de + +- specfile: update copyright year + +- update to version 2.2.1: + * #496: [Linux] fix "ValueError: ambiguos inode with multiple PIDs + references" (patch by Bruno Binet) + +------------------------------------------------------------------- Old: ---- psutil-2.2.0.tar.gz New: ---- psutil-2.2.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-psutil.spec ++++++ --- /var/tmp/diff_new_pack.zRa0sA/_old 2015-02-05 11:01:41.000000000 +0100 +++ /var/tmp/diff_new_pack.zRa0sA/_new 2015-02-05 11:01:41.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package python3-psutil # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: python3-psutil -Version: 2.2.0 +Version: 2.2.1 Release: 0 Summary: A process utilities module for Python License: BSD-3-Clause ++++++ psutil-2.2.0.tar.gz -> psutil-2.2.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/CREDITS new/psutil-2.2.1/CREDITS --- old/psutil-2.2.0/CREDITS 2015-01-03 15:01:37.000000000 +0100 +++ new/psutil-2.2.1/CREDITS 2015-02-02 14:01:33.000000000 +0100 @@ -276,3 +276,7 @@ N: karthikrev I: 568 + +N: Bruno Binet +E: bruno.binet(a)gmail.com +I: 572 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/HISTORY.rst new/psutil-2.2.1/HISTORY.rst --- old/psutil-2.2.0/HISTORY.rst 2015-01-06 16:30:48.000000000 +0100 +++ new/psutil-2.2.1/HISTORY.rst 2015-02-02 14:01:12.000000000 +0100 @@ -1,5 +1,14 @@ Bug tracker at https://github.com/giampaolo/psutil/issues +2.2.1 - 2015-02-02 +================== + +**Bug fixes** + +- #496: [Linux] fix "ValueError: ambiguos inode with multiple PIDs references" + (patch by Bruno Binet) + + 2.2.0 - 2015-01-06 ================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/PKG-INFO new/psutil-2.2.1/PKG-INFO --- old/psutil-2.2.0/PKG-INFO 2015-01-06 16:38:32.000000000 +0100 +++ new/psutil-2.2.1/PKG-INFO 2015-02-02 14:09:59.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: psutil -Version: 2.2.0 +Version: 2.2.1 Summary: psutil is a cross-platform library for retrieving information onrunning processes and system utilization (CPU, memory, disks, network)in Python. Home-page: https://github.com/giampaolo/psutil Author: Giampaolo Rodola diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/psutil/__init__.py new/psutil-2.2.1/psutil/__init__.py --- old/psutil-2.2.0/psutil/__init__.py 2015-01-03 15:16:25.000000000 +0100 +++ new/psutil-2.2.1/psutil/__init__.py 2015-01-20 15:56:42.000000000 +0100 @@ -13,7 +13,7 @@ from __future__ import division __author__ = "Giampaolo Rodola'" -__version__ = "2.2.0" +__version__ = "2.2.1" version_info = tuple([int(num) for num in __version__.split('.')]) __all__ = [ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/psutil/_pslinux.py new/psutil-2.2.1/psutil/_pslinux.py --- old/psutil-2.2.0/psutil/_pslinux.py 2015-01-03 14:43:59.000000000 +0100 +++ new/psutil-2.2.1/psutil/_pslinux.py 2015-02-02 14:00:19.000000000 +0100 @@ -446,12 +446,12 @@ _, laddr, raddr, status, _, _, _, _, _, inode = \ line.split()[:10] if inode in inodes: - # We assume inet sockets are unique, so we error - # out if there are multiple references to the - # same inode. We won't do this for UNIX sockets. - if len(inodes[inode]) > 1 and family != socket.AF_UNIX: - raise ValueError("ambiguos inode with multiple " - "PIDs references") + # # We assume inet sockets are unique, so we error + # # out if there are multiple references to the + # # same inode. We won't do this for UNIX sockets. + # if len(inodes[inode]) > 1 and family != socket.AF_UNIX: + # raise ValueError("ambiguos inode with multiple " + # "PIDs references") pid, fd = inodes[inode][0] else: pid, fd = None, -1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/psutil.egg-info/PKG-INFO new/psutil-2.2.1/psutil.egg-info/PKG-INFO --- old/psutil-2.2.0/psutil.egg-info/PKG-INFO 2015-01-06 16:38:32.000000000 +0100 +++ new/psutil-2.2.1/psutil.egg-info/PKG-INFO 2015-02-02 14:09:58.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: psutil -Version: 2.2.0 +Version: 2.2.1 Summary: psutil is a cross-platform library for retrieving information onrunning processes and system utilization (CPU, memory, disks, network)in Python. Home-page: https://github.com/giampaolo/psutil Author: Giampaolo Rodola diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/psutil-2.2.0/test/test_psutil.py new/psutil-2.2.1/test/test_psutil.py --- old/psutil-2.2.0/test/test_psutil.py 2015-01-05 19:51:17.000000000 +0100 +++ new/psutil-2.2.1/test/test_psutil.py 2015-01-20 15:56:42.000000000 +0100 @@ -2341,6 +2341,7 @@ self.assertTrue(ret >= 0) def connections(self, ret): + self.assertEqual(len(ret), len(set(ret))) for conn in ret: check_connection(conn) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit python3-gunicorn for openSUSE:Factory
by root＠hilbert.suse.de 05 Feb '15

05 Feb '15

Hello community, here is the log from the commit of package python3-gunicorn for openSUSE:Factory checked in at 2015-02-05 11:01:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-gunicorn (Old) and /work/SRC/openSUSE:Factory/.python3-gunicorn.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python3-gunicorn" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-gunicorn/python3-gunicorn.changes 2015-02-01 12:30:42.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.python3-gunicorn.new/python3-gunicorn.changes 2015-02-05 11:01:39.000000000 +0100 @@ -1,0 +2,8 @@ +Wed Feb 4 17:55:49 UTC 2015 - arun(a)gmx.de + +- update to version 19.2.1: + * expose loglevel in the Logger class + * fix :issue: "977" fix initial crash + * document security mailing-list in the contributing page. + +------------------------------------------------------------------- Old: ---- gunicorn-19.2.0.tar.gz New: ---- gunicorn-19.2.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-gunicorn.spec ++++++ --- /var/tmp/diff_new_pack.wAKPez/_old 2015-02-05 11:01:40.000000000 +0100 +++ /var/tmp/diff_new_pack.wAKPez/_new 2015-02-05 11:01:40.000000000 +0100 @@ -17,7 +17,7 @@ Name: python3-gunicorn -Version: 19.2.0 +Version: 19.2.1 Release: 0 Summary: WSGI HTTP Server for UNIX License: MIT ++++++ gunicorn-19.2.0.tar.gz -> gunicorn-19.2.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/PKG-INFO new/gunicorn-19.2.1/PKG-INFO --- old/gunicorn-19.2.0/PKG-INFO 2015-01-30 15:35:16.000000000 +0100 +++ new/gunicorn-19.2.1/PKG-INFO 2015-02-04 14:44:35.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: gunicorn -Version: 19.2.0 +Version: 19.2.1 Summary: WSGI HTTP Server for UNIX Home-page: http://gunicorn.org Author: Benoit Chesneau diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/docs/source/2015-news.rst new/gunicorn-19.2.1/docs/source/2015-news.rst --- old/gunicorn-19.2.0/docs/source/2015-news.rst 2015-01-30 15:34:02.000000000 +0100 +++ new/gunicorn-19.2.1/docs/source/2015-news.rst 2015-02-04 14:43:49.000000000 +0100 @@ -6,8 +6,30 @@ Please see :doc:`news` for the latest changes. +19.2.1 / 2015/02/4 +================== + +Changes +------- + +Logging ++++++++ + +- expose loglevel in the Logger class + +AsyncIO worker (gaiohttp) ++++++++++++++++++++++++++ + +- fix :issue:`977` fix initial crash + +Documentation ++++++++++++++ + +- document security mailing-list in the contributing page. + + 19.2 / 2015/01/30 -=================== +================= Changes ------- @@ -16,21 +38,21 @@ ++++ - optimize the sync workers when listening on a single interface -- add `--sendfile` settings to enable/disable sendfile. fix issue:`856` . -- add the selectors module to the code base. issue:`886` +- add `--sendfile` settings to enable/disable sendfile. fix :issue:`856` . +- add the selectors module to the code base. :issue:`886` - add `--max-requests-jitter` setting to set the maximum jitter to add to the max-requests setting. -- fix issue:`899` propagate proxy_protocol_info to keep-alive requests -- fix issue:`863` worker timeout: dynamic timeout has been removed +- fix :issue:`899` propagate proxy_protocol_info to keep-alive requests +- fix :issue:`863` worker timeout: dynamic timeout has been removed - fix: Avoid world writable file Logging +++++++ -- fix issue:`941` set logconfig default to paster more trivially +- fix :issue:`941` set logconfig default to paster more trivially - add statsd-prefix config setting: set the prefix to use when emitting statsd metrics -- issue:`832` log to console by default +- :issue:`832` log to console by default Thread Worker +++++++++++++ @@ -40,7 +62,7 @@ Eventlet Worker +++++++++++++++ -- fix issue:`867` Fix eventlet shutdown to actively shut down the workers. +- fix :issue:`867` Fix eventlet shutdown to actively shut down the workers. Documentation +++++++++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/docs/source/community.rst new/gunicorn-19.2.1/docs/source/community.rst --- old/gunicorn-19.2.0/docs/source/community.rst 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/docs/source/community.rst 2015-02-04 08:26:34.000000000 +0100 @@ -31,3 +31,10 @@ Bug reports, enhancement requests and tasks generally go in the `Github issue tracker <http://github.com/benoitc/gunicorn/issues>`_. + +Security Issues +=============== + +The security mailing list is a place to report security issues. Only +developers are subscribed to it. To post a message to the list use the address +to `security(a)gunicorn.org <mailto:security@gunicorn.org>`_ . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/docs/source/conf.py new/gunicorn-19.2.1/docs/source/conf.py --- old/gunicorn-19.2.0/docs/source/conf.py 2015-01-30 15:34:02.000000000 +0100 +++ new/gunicorn-19.2.1/docs/source/conf.py 2015-02-04 08:23:01.000000000 +0100 @@ -2,7 +2,10 @@ # # Gunicorn documentation build configuration file # -import sys, os + +import os +import sys +import time DOCS_DIR = os.path.abspath(os.path.dirname(__file__)) @@ -19,7 +22,7 @@ # General information about the project. project = u'Gunicorn' -copyright = u'2009-2015, Benoit Chesneau' +copyright = u'2009-%s, Benoit Chesneau' % time.strftime('%Y') # gunicorn version import gunicorn release = version = gunicorn.__version__ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/docs/source/news.rst new/gunicorn-19.2.1/docs/source/news.rst --- old/gunicorn-19.2.0/docs/source/news.rst 2015-01-30 15:34:02.000000000 +0100 +++ new/gunicorn-19.2.1/docs/source/news.rst 2015-02-04 14:43:51.000000000 +0100 @@ -2,8 +2,30 @@ Changelog ========= +19.2.1 / 2015/02/4 +================== + +Changes +------- + +Logging ++++++++ + +- expose loglevel in the Logger class + +AsyncIO worker (gaiohttp) ++++++++++++++++++++++++++ + +- fix :issue:`977` fix initial crash + +Documentation ++++++++++++++ + +- document security mailing-list in the contributing page. + + 19.2 / 2015/01/30 -=================== +================= Changes ------- @@ -12,12 +34,12 @@ ++++ - optimize the sync workers when listening on a single interface -- add `--sendfile` settings to enable/disable sendfile. fix issue:`856` . -- add the selectors module to the code base. issue:`886` +- add `--sendfile` settings to enable/disable sendfile. fix :issue:`856` . +- add the selectors module to the code base. :issue:`886` - fix :pr:`862` add `--max-requests-jitter` setting to set the maximum jitter to add to the max-requests setting. -- fix issue:`899` propagate proxy_protocol_info to keep-alive requests -- fix issue:`863` worker timeout: dynamic timeout has been removed, fix a race +- fix :issue:`899` propagate proxy_protocol_info to keep-alive requests +- fix :issue:`863` worker timeout: dynamic timeout has been removed, fix a race condition error - fix: Avoid world writable file - fix :issue:`917`: the deprecated ``--debug`` option has been removed. @@ -25,10 +47,10 @@ Logging +++++++ -- fix issue:`941` set logconfig default to paster more trivially +- fix :issue:`941` set logconfig default to paster more trivially - add statsd-prefix config setting: set the prefix to use when emitting statsd metrics -- issue:`832` log to console by default +- :issue:`832` log to console by default - fix :issue:`845`: set the gunicorn loggers from the paste config Thread Worker @@ -39,7 +61,7 @@ Eventlet Worker +++++++++++++++ -- fix issue:`867` Fix eventlet shutdown to actively shut down the workers. +- fix :issue:`867` Fix eventlet shutdown to actively shut down the workers. Documentation +++++++++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn/__init__.py new/gunicorn-19.2.1/gunicorn/__init__.py --- old/gunicorn-19.2.0/gunicorn/__init__.py 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn/__init__.py 2015-02-04 14:38:13.000000000 +0100 @@ -3,6 +3,6 @@ # This file is part of gunicorn released under the MIT license. # See the NOTICE for more information. -version_info = (19, 2, 0) +version_info = (19, 2, 1) __version__ = ".".join([str(v) for v in version_info]) SERVER_SOFTWARE = "gunicorn/%s" % __version__ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn/glogging.py new/gunicorn-19.2.1/gunicorn/glogging.py --- old/gunicorn-19.2.0/gunicorn/glogging.py 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn/glogging.py 2015-02-04 09:10:53.000000000 +0100 @@ -171,12 +171,13 @@ self.access_log.propagate = False self.error_handlers = [] self.access_handlers = [] + self.loglevel = logging.INFO self.cfg = cfg self.setup(cfg) def setup(self, cfg): - loglevel = self.LOG_LEVELS.get(cfg.loglevel.lower(), logging.INFO) - self.error_log.setLevel(loglevel) + self.loglevel = self.LOG_LEVELS.get(cfg.loglevel.lower(), logging.INFO) + self.error_log.setLevel(self.loglevel) self.access_log.setLevel(logging.INFO) # set gunicorn.error handler diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn/http/__init__.py new/gunicorn-19.2.1/gunicorn/http/__init__.py --- old/gunicorn-19.2.0/gunicorn/http/__init__.py 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn/http/__init__.py 2015-02-04 08:23:01.000000000 +0100 @@ -6,4 +6,4 @@ from gunicorn.http.message import Message, Request from gunicorn.http.parser import RequestParser -__all__ = [Message, Request, RequestParser] +__all__ = ['Message', 'Request', 'RequestParser'] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn/http/parser.py new/gunicorn-19.2.1/gunicorn/http/parser.py --- old/gunicorn-19.2.0/gunicorn/http/parser.py 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn/http/parser.py 2015-02-04 08:23:01.000000000 +0100 @@ -9,8 +9,9 @@ class Parser(object): - def __init__(self, mesg_class, cfg, source): - self.mesg_class = mesg_class + mesg_class = None + + def __init__(self, cfg, source): self.cfg = cfg if hasattr(source, "recv"): self.unreader = SocketUnreader(source) @@ -47,5 +48,4 @@ class RequestParser(Parser): - def __init__(self, *args, **kwargs): - super(RequestParser, self).__init__(Request, *args, **kwargs) + mesg_class = Request diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn/workers/_gaiohttp.py new/gunicorn-19.2.1/gunicorn/workers/_gaiohttp.py --- old/gunicorn-19.2.0/gunicorn/workers/_gaiohttp.py 2015-01-21 23:12:39.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn/workers/_gaiohttp.py 2015-02-04 10:06:59.000000000 +0100 @@ -5,6 +5,7 @@ import asyncio import functools +import logging import os import gunicorn.workers.base as base @@ -44,11 +45,14 @@ return proto def factory(self, wsgi, addr): + # are we in debug level + is_debug = self.log.loglevel == logging.DEBUG + proto = WSGIServerHttpProtocol( wsgi, readpayload=True, loop=self.loop, log=self.log, - debug=self.cfg.debug, + debug=is_debug, keep_alive=self.cfg.keepalive, access_log=self.log.access_log, access_log_format=self.cfg.access_log_format) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/gunicorn.egg-info/PKG-INFO new/gunicorn-19.2.1/gunicorn.egg-info/PKG-INFO --- old/gunicorn-19.2.0/gunicorn.egg-info/PKG-INFO 2015-01-30 15:35:15.000000000 +0100 +++ new/gunicorn-19.2.1/gunicorn.egg-info/PKG-INFO 2015-02-04 14:44:35.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: gunicorn -Version: 19.2.0 +Version: 19.2.1 Summary: WSGI HTTP Server for UNIX Home-page: http://gunicorn.org Author: Benoit Chesneau diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gunicorn-19.2.0/setup.cfg new/gunicorn-19.2.1/setup.cfg --- old/gunicorn-19.2.0/setup.cfg 2015-01-30 15:35:16.000000000 +0100 +++ new/gunicorn-19.2.1/setup.cfg 2015-02-04 14:44:35.000000000 +0100 @@ -11,7 +11,7 @@ universal = 1 [egg_info] +tag_svn_revision = 0 tag_build = tag_date = 0 -tag_svn_revision = 0 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit gnome-multi-writer for openSUSE:Factory
by root＠hilbert.suse.de 05 Feb '15

05 Feb '15

Hello community, here is the log from the commit of package gnome-multi-writer for openSUSE:Factory checked in at 2015-02-05 11:01:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnome-multi-writer (Old) and /work/SRC/openSUSE:Factory/.gnome-multi-writer.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnome-multi-writer" Changes: -------- --- /work/SRC/openSUSE:Factory/gnome-multi-writer/gnome-multi-writer.changes 2015-02-03 11:39:35.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnome-multi-writer.new/gnome-multi-writer.changes 2015-02-05 11:01:36.000000000 +0100 @@ -1,0 +2,21 @@ +Tue Jan 20 07:30:16 UTC 2015 - badshah400(a)gmail.com + +- Update to version 3.15.4: + + Show the size next to the device name when the device is idle. + + Bugs fixed: + - Add a translatable version of a generic flash drive. + - Add quirks for the 36 port MegaHub. + - Don't proceed to the copy phase if unmounting failed. + - Fix crash when libusb context creation fails. + - Never use the USB platform ID for the hub label. + - Support root hubs with bus numbers >= 8. + - Try to get the icon name hint from UDisks. + - Unmount all partitions when a device is inserted. + +------------------------------------------------------------------- +Sat Jan 10 09:06:05 UTC 2015 - dimstar(a)opensuse.org + +- Add docbook-utils-minimal BuildRequires: enable building of the + man pages. + +------------------------------------------------------------------- Old: ---- gnome-multi-writer-3.15.2.tar.xz New: ---- gnome-multi-writer-3.15.4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-multi-writer.spec ++++++ --- /var/tmp/diff_new_pack.PoGHIT/_old 2015-02-05 11:01:37.000000000 +0100 +++ /var/tmp/diff_new_pack.PoGHIT/_new 2015-02-05 11:01:37.000000000 +0100 @@ -18,13 +18,14 @@ Name: gnome-multi-writer -Version: 3.15.2 +Version: 3.15.4 Release: 0 Summary: Write an ISO file to multiple USB devices at once License: GPL-2.0+ Group: System/GUI/GNOME Url: https://wiki.gnome.org/Apps/MultiWriter -Source: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz +Source: http://download.gnome.org/sources/gnome-multi-writer/3.15/%{name}-%{version… +BuildRequires: docbook-utils-minimal BuildRequires: gobject-introspection-devel >= 0.9.8 BuildRequires: hicolor-icon-theme BuildRequires: intltool >= 0.50.0 @@ -79,8 +80,8 @@ %{_datadir}/applications/org.gnome.MultiWriter.desktop %{_datadir}/appdata/org.gnome.MultiWriter.appdata.xml %{_datadir}/icons/hicolor/*/apps/gnome-multi-writer.* +%{_mandir}/man1/gnome-multi-writer.1%{?ext_man} %files lang -f %{name}.lang %defattr(-,root,root) - ++++++ gnome-multi-writer-3.15.2.tar.xz -> gnome-multi-writer-3.15.4.tar.xz ++++++ ++++ 5072 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0