Hello community,

here is the log from the commit of package libvirt for openSUSE:Factory checked 
in at 2017-11-21 15:22:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
 and      /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvirt"

Tue Nov 21 15:22:54 2017 rev:240 rq:542717 version:3.9.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes  2017-11-10 
14:38:32.892969500 +0100
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes     2017-11-21 
15:23:12.009156024 +0100
@@ -1,0 +2,14 @@
+Fri Nov 17 21:59:28 UTC 2017 - jfeh...@suse.com
+
+- apparmor: allow libvirtd to send signals to unconfined processes
+  suse-apparmor-signal.patch
+  boo#1065123
+
+-------------------------------------------------------------------
+Fri Nov 17 18:37:43 UTC 2017 - jfeh...@suse.com
+
+- qemu: Tolerate storage source private data being NULL
+  8056721c-qemu-null-storage-source.patch
+  bsc#1068752
+
+-------------------------------------------------------------------

New:
----
  8056721c-qemu-null-storage-source.patch
  suse-apparmor-signal.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.udMiPg/_old  2017-11-21 15:23:19.380888809 +0100
+++ /var/tmp/diff_new_pack.udMiPg/_new  2017-11-21 15:23:19.384888664 +0100
@@ -300,6 +300,7 @@
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         8056721c-qemu-null-storage-source.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -322,14 +323,15 @@
 Patch206:       suse-qemu-conf.patch
 Patch207:       suse-ovmf-paths.patch
 Patch208:       suse-apparmor-libnl-paths.patch
-Patch209:       support-managed-pci-xen-driver.patch
-Patch210:       xen-sxpr-disk-type.patch
-Patch211:       libxl-support-block-script.patch
-Patch212:       apparmor-no-mount.patch
-Patch213:       qemu-apparmor-screenshot.patch
-Patch214:       libvirt-suse-netcontrol.patch
-Patch215:       lxc-wait-after-eth-del.patch
-Patch216:       libxl-qemu-emulator-caps.patch
+Patch209:       suse-apparmor-signal.patch
+Patch210:       support-managed-pci-xen-driver.patch
+Patch211:       xen-sxpr-disk-type.patch
+Patch212:       libxl-support-block-script.patch
+Patch213:       apparmor-no-mount.patch
+Patch214:       qemu-apparmor-screenshot.patch
+Patch215:       libvirt-suse-netcontrol.patch
+Patch216:       lxc-wait-after-eth-del.patch
+Patch217:       libxl-qemu-emulator-caps.patch
 # SLES-Only patches
 %if ! 0%{?is_opensuse}
 Patch400:       virt-create-rootfs.patch
@@ -876,6 +878,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
@@ -903,6 +906,7 @@
 %patch214 -p1
 %patch215 -p1
 %patch216 -p1
+%patch217 -p1
 %if ! 0%{?is_opensuse}
 %patch400 -p1
 %endif

++++++ 8056721c-qemu-null-storage-source.patch ++++++
commit 8056721cbb75a717604a1f7971440726d9d85045
Author: Peter Krempa <pkre...@redhat.com>
Date:   Thu Nov 9 12:51:25 2017 +0100

    qemu: Tolerate storage source private data being NULL
    
    In some cases it does not make sense to insist that the private data
    be allocated (especially when there is nothing to put in it).
    
    Ensure that the code works without it.
    
    This also fixes few crashes pointed out in
    https://bugzilla.redhat.com/show_bug.cgi?id=1510323

Index: libvirt-3.9.0/src/qemu/qemu_command.c
===================================================================
--- libvirt-3.9.0.orig/src/qemu/qemu_command.c
+++ libvirt-3.9.0/src/qemu/qemu_command.c
@@ -1362,12 +1362,17 @@ qemuBuildDriveSourceStr(virDomainDiskDef
 {
     int actualType = virStorageSourceGetActualType(disk->src);
     qemuDomainStorageSourcePrivatePtr srcpriv = 
QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
-    qemuDomainSecretInfoPtr secinfo = srcpriv->secinfo;
-    qemuDomainSecretInfoPtr encinfo = srcpriv->encinfo;
+    qemuDomainSecretInfoPtr secinfo = NULL;
+    qemuDomainSecretInfoPtr encinfo = NULL;
     virJSONValuePtr srcprops = NULL;
     char *source = NULL;
     int ret = -1;
 
+    if (srcpriv) {
+        secinfo = srcpriv->secinfo;
+        encinfo = srcpriv->encinfo;
+    }
+
     if (qemuDiskSourceNeedsProps(disk->src) &&
         !(srcprops = qemuDiskSourceGetProps(disk->src)))
         goto cleanup;
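Review bot: The guarded copy of `secinfo`/`encinfo` out of the private data is written out by hand here, again in the `qemuBuildDiskDriveCommandLine` hunk below, and a third time in the `qemuDomainAttachDiskGeneric` hunk of qemu_hotplug.c; a small static inline accessor beside the `QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE` macro would keep the three copies from drifting and give the NULL case one home. The commit message says a NULL `srcpriv` means there was nothing worth storing, so that assumption deserves to be stated where the NULL is tolerated, otherwise a later reader may take a missing secret as "no auth needed" instead of asking whether preparation ran, e.g. `/* private data is optional: NULL srcpriv means the source carries no secret or encryption info */` above the `if (srcpriv)`. qemuBuildDriveSourceStr continues outside the hunk, so any later direct use of `srcpriv` there would need the same guard.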
@@ -2239,8 +2244,13 @@ qemuBuildDiskDriveCommandLine(virCommand
         bool driveBoot = false;
         virDomainDiskDefPtr disk = def->disks[i];
         qemuDomainStorageSourcePrivatePtr srcPriv = 
QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
-        qemuDomainSecretInfoPtr secinfo = srcPriv->secinfo;
-        qemuDomainSecretInfoPtr encinfo = srcPriv->encinfo;
+        qemuDomainSecretInfoPtr secinfo = NULL;
+        qemuDomainSecretInfoPtr encinfo = NULL;
+
+        if (srcPriv) {
+            secinfo = srcPriv->secinfo;
+            encinfo = srcPriv->encinfo;
+        }
 
         if (disk->info.bootIndex) {
             bootindex = disk->info.bootIndex;
Index: libvirt-3.9.0/src/qemu/qemu_hotplug.c
===================================================================
--- libvirt-3.9.0.orig/src/qemu/qemu_hotplug.c
+++ libvirt-3.9.0/src/qemu/qemu_hotplug.c
@@ -259,6 +259,7 @@ qemuDomainChangeEjectableMedia(virQEMUDr
     qemuDomainObjPrivatePtr priv = vm->privateData;
     qemuDomainDiskPrivatePtr diskPriv = QEMU_DOMAIN_DISK_PRIVATE(disk);
     qemuDomainStorageSourcePrivatePtr srcPriv = 
QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
+    qemuDomainSecretInfoPtr secinfo = NULL;
     const char *format = NULL;
     char *sourcestr = NULL;
 
@@ -268,6 +269,9 @@ qemuDomainChangeEjectableMedia(virQEMUDr
         goto cleanup;
     }
 
+    if (srcPriv)
+        secinfo = srcPriv->secinfo;
+
     if (disk->device != VIR_DOMAIN_DISK_DEVICE_FLOPPY &&
         disk->device != VIR_DOMAIN_DISK_DEVICE_CDROM) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -300,7 +304,7 @@ qemuDomainChangeEjectableMedia(virQEMUDr
     }
 
     if (!virStorageSourceIsEmpty(newsrc)) {
-        if (qemuGetDriveSourceString(newsrc, srcPriv->secinfo, &sourcestr) < 0)
+        if (qemuGetDriveSourceString(newsrc, secinfo, &sourcestr) < 0)
             goto error;
 
         if (virStorageSourceGetActualType(newsrc) != VIR_STORAGE_TYPE_DIR) {
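Review bot: The `secinfo` passed to qemuGetDriveSourceString on this line is read from the private data of `disk->src` (see `srcPriv` in the first hunk of this function), yet it is paired with `newsrc`; if the preparation step that runs before this point attaches the secret to the new source's own private data rather than to `disk->src`, the media change would be built with the old source's credentials, or with none once `srcPriv` is NULL, and the resulting command would fail or expose the wrong auth. Worth confirming which source the secret is prepared on; if it is `newsrc`, read it from there immediately before this call, `qemuDomainStorageSourcePrivatePtr newPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(newsrc);` and `secinfo = newPriv ? newPriv->secinfo : NULL;`. qemuDomainChangeEjectableMedia starts and ends outside this hunk.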
@@ -371,8 +375,8 @@ qemuDomainAttachDiskGeneric(virConnectPt
     virJSONValuePtr secobjProps = NULL;
     virJSONValuePtr encobjProps = NULL;
     qemuDomainStorageSourcePrivatePtr srcPriv;
-    qemuDomainSecretInfoPtr secinfo;
-    qemuDomainSecretInfoPtr encinfo;
+    qemuDomainSecretInfoPtr secinfo = NULL;
+    qemuDomainSecretInfoPtr encinfo = NULL;
 
     if (qemuDomainPrepareDisk(driver, vm, disk, NULL, false) < 0)
         goto cleanup;
@@ -384,13 +388,16 @@ qemuDomainAttachDiskGeneric(virConnectPt
         goto error;
 
     srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(disk->src);
-    secinfo = srcPriv->secinfo;
+    if (srcPriv) {
+        secinfo = srcPriv->secinfo;
+        encinfo = srcPriv->encinfo;
+    }
+
     if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
         if (qemuBuildSecretInfoProps(secinfo, &secobjProps) < 0)
             goto error;
     }
 
-    encinfo = srcPriv->encinfo;
     if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0)
         goto error;
 

++++++ suse-apparmor-signal.patch ++++++
apparmor: allow libvirtd to send signals to unconfined processes

When confinement of QEMU/KVM domains is not enforced (security_default_confined = 0),
qemu processes run unconfined. Add a rule to the libvirtd apparmor profile allowing
libvirtd to send signals to unconfined processes. Without the rule, libvirtd
is unable to signal QEMU/KVM domains. E.g. 'virsh destroy dom' results in the
following denial in audit.log

type=AVC msg=audit(1510951646.581:939): apparmor="DENIED" operation="signal"
profile="/usr/sbin/libvirtd" pid=18891 comm="libvirtd" requested_mask="send"
denied_mask="send" signal=term peer="unconfined"

Index: libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
@@ -60,6 +60,9 @@
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
+  # When confinement is not enforced (security_default_confined = 0), qemu
+  # processes run unconfined, hence 'peer=unconfined'
+  signal send set=(hup,kill,term) peer=unconfined,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
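Review bot: The new `peer=unconfined` rule matches every unconfined process on the host, not only QEMU: `unconfined` is a label, so libvirtd gains hup/kill/term against any unconfined pid it is asked to signal, which is broader than the per-profile `peer=libvirt-*` line above it. Restricting `set=` to the three signals libvirtd actually sends keeps that exposure small, and the comment should say so explicitly so the breadth is understood as deliberate rather than an oversight, e.g. `# When confinement is not enforced (security_default_confined = 0), qemu` / `# processes run unconfined. 'peer=unconfined' necessarily matches every` / `# unconfined process on the host, so only the signals libvirtd needs are granted.` As a point of style the neighbouring rules write `signal (send)`, and the new line would read more consistently as `signal (send) set=(hup,kill,term) peer=unconfined,`.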
