src/libxl/libxl_conf.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 allow libxl to find default path to pygrub.

The Xen debian packages relocate pygrub into
/usr/lib/xen-X.Y/bin/pygrub, not /usr/bin/pygrub. Since libxl knows to
DTRT with a bare "pygrub" just use that by default.

tools/virsh.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 remove-rhism.diff

src/Makefile.am | 3 0 + 3 - 0 !
src/Makefile.in | 3 0 + 3 - 0 !
2 files changed, 6 deletions(-)

 don't enable default network on boot

to not interfere with existing network configurations

src/xen/xen_hypervisor.c | 2 1 + 1 - 0 !
tests/xencapsdata/xen-i686-pae-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-be-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-x86_64-hvm.xml | 4 2 + 2 - 0 !
5 files changed, 6 insertions(+), 6 deletions(-)

 fix debian specific path to hvm loader

Closes: #517059

tools/libvirt-guests.sh.in | 45 28 + 17 - 0 !
tools/libvirt-guests.sysconf | 4 2 + 2 - 0 !
2 files changed, 30 insertions(+), 19 deletions(-)

 debianize libvirt-guests

src/qemu/qemu_monitor_text.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 patch qemumonitortextgetmigrationstatus to intercept unknown command
 'info migrate'

Debian package kvm up to version 72 has not implemented the command 'info migrate'.
This command interface returns help page of info commands and looks like this:

gnulib/tests/test-nonblocking-pipe.sh | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 disable gnulib's test-nonplocking-pipe.sh

since it fails on at least sparc and mips from time to time.

Issue reported upstresm.

tests/virnetsockettest.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 disable failing virnetsockettest

until we debugged the interaction with pbuilder

src/rpc/virnetserver.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 don't fail if we can't setup avahi

src/util/virutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 reduce udevadm settle timeout to 10 seconds

This isn't a proper fix but it will make virt-manager at least start.

Closes: #663931

daemon/libvirtd.service.in | 4 2 + 2 - 0 !
tools/libvirt-guests.service.in | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 debianize systemd service files

docs/schemas/capability.rng | 4 2 + 2 - 0 !
src/xen/xen_hypervisor.c | 6 2 + 4 - 0 !
tests/xencapsdata/xen-i686-pae-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-i686-pae.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-i686.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-be-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-ia64-be.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-ia64.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ppc64.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-x86_64-hvm.xml | 10 5 + 5 - 0 !
tests/xencapsdata/xen-x86_64.xml | 2 1 + 1 - 0 !
12 files changed, 24 insertions(+), 26 deletions(-)

 allow xen toolstack to find it's binaries

Closes: #685749

tests/vircgrouptest.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip vircgrouptest

We don't have a mock for nodeGetCPUCount yet so we fail in a chroot
without sysfs mounted.

tools/virsh.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use sensible-editor as fallback

Closes: #594444

src/locking/virtlockd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlockd

src/libvirt_private.syms | 1 1 + 0 - 0 !
src/qemu/qemu_cgroup.c | 11 10 + 1 - 0 !
src/qemu/qemu_cgroup.h | 2 1 + 1 - 0 !
src/qemu/qemu_process.c | 4 2 + 2 - 0 !
src/util/vircgroup.c | 11 11 + 0 - 0 !
src/util/vircgroup.h | 5 5 + 0 - 0 !
6 files changed, 30 insertions(+), 4 deletions(-)

 qemu: use systemd's terminatemachine to kill all processes

If we don't properly clean up all processes in the
machine-<vmname>.scope systemd won't remove the cgroup and subsequent vm
starts fail with

  'CreateMachine: File exists'

Additional processes can e.g. be added via

  echo $PID > /sys/fs/cgroup/systemd/machine.slice/machine-${VMNAME}.scope/tasks

but there are other cases like

  http://bugs.debian.org/761521

Invoke TerminateMachine to be on the safe side since systemd tracks the
cgroup anyway. This is a noop if all processes have terminated already.

Closes: #761521

src/libvirt.c | 3 2 + 1 - 0 !
src/remote/remote_protocol.x | 1 1 + 0 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 cve-2014-7823: dumpxml: security hole with migratable flag

Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML.  However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only.  This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.

Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get).  SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)

Conflicts:
	src/libvirt-domain.c - file split from older src/libvirt.c
Signed-off-by: Eric Blake <eblake@redhat.com>

src/util/viruri.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 util: prepare uri formatting for libxml2 >= 2.9.2

Since commit 8eb55d782a2b9afacc7938694891cc6fad7b42a5 libxml2 removes
two slashes from the URI when there is no server part.  This is fixed
with beb7281055dbf0ed4d041022a67c6c5cfd126f25, but only if the calling
application calls xmlSaveUri() on URI that xmlURIParse() parsed.  And
that is not the case in virURIFormat().  virURIFormat() accepts
virURIPtr that can be created without parsing it and we do that when we
format network storage paths for gluster for example.  Even though
virStorageSourceParseBackingURI() uses virURIParse(), it throws that data
structure right away.

Since we want to format URIs as URIs and not absolute URIs or opaque
URIs (see RFC 3986), we can specify that with a special hack thanks to
commit beb7281055dbf0ed4d041022a67c6c5cfd126f25, by setting port to -1.

This fixes qemuxml2argvtest test where the disk-drive-network-gluster
case was failing.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

src/qemu/qemu_driver.c | 20 13 + 7 - 0 !
1 file changed, 13 insertions(+), 7 deletions(-)

 cve-2014-8131: fix possible deadlock and segfault in
 qemuConnectGetAllDomainStats()

When user doesn't have read access on one of the domains he requested,
the for loop could exit abruptly or continue and override pointer which
pointed to locked object.

This patch fixed two issues at once.  One is that domflags might have
had QEMU_DOMAIN_STATS_HAVE_JOB even when there was no job started (this
is fixed by doing domflags |= QEMU_DOMAIN_STATS_HAVE_JOB only when the
job was acquired and cleaning domflags on every start of the loop.
Second one is that the domain is kept locked when
virConnectGetAllDomainStatsCheckACL() fails and continues the loop when
it didn't end.  Adding a simple virObjectUnlock() and clearing the
pointer ought to do.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b)
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

src/qemu/qemu_driver.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 qemu: bulk stats: fix logic in monitor handling

A logic bug in qemuConnectGetAllDomainStats makes the code mark the
monitor as available when qemuDomainObjBeginJob fails, instead of when
it succeeds, as the correct flow requires.

This patch fixes the check and updates the code documentation
accordingly.

Broken by commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b.

Signed-off-by: Francesco Romani <fromani@redhat.com>
(cherry picked from commit cb104ef734dfea12cb8826dba7e2c98912c4b7e1)
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

src/storage/storage_driver.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 cve-2014-8135: storage: fix crash caused by no check return before
 set close

https://bugzilla.redhat.com/show_bug.cgi?id=1087104#c5

When trying to use an invalid offset to virStorageVolUpload(), libvirt
fails in virFDStreamOpenFileInternal(), although it seems libvirt does
not check the return in storageVolUpload(), and calls
virFDStreamSetInternalCloseCb() right after.  But stream doesn't have a
privateData (is NULL) yet, and the daemon crashes then.

0  0x00007f09429a9c10 in pthread_mutex_lock () from /lib64/libpthread.so.0
1  0x00007f094514dbf5 in virMutexLock (m=<optimized out>) at util/virthread.c:88
2  0x00007f09451cb211 in virFDStreamSetInternalCloseCb at fdstream.c:795
3  0x00007f092ff2c9eb in storageVolUpload at storage/storage_driver.c:2098
4  0x00007f09451f46e0 in virStorageVolUpload at libvirt.c:14000
5  0x00007f0945c78fa1 in remoteDispatchStorageVolUpload at remote_dispatch.h:14339
6  remoteDispatchStorageVolUploadHelper at remote_dispatch.h:14309
7  0x00007f094524a192 in virNetServerProgramDispatchCall at rpc/virnetserverprogram.c:437

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit 87b9437f8951f9d24f9a85c6bbfff0e54df8c984)

src/qemu/qemu_driver.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 cve-2014-8136: qemu: migration: unlock vm on failed acl check in
 protocol v2 APIs

Avoid leaving the domain locked on a failed ACL check in
qemuDomainMigratePerform() and qemuDomainMigrateFinish2().

Introduced in commit abf75aea247e (Add ACL checks into the QEMU driver).

(cherry picked from commit 2bdcd29c713dfedd813c89f56ae98f6f3898313d)

src/qemu/qemu_migration.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 qemu: fix crash in tunnelled migration

Any attempt to start a tunnelled migration with libvirtd that supports
RDMA migration (specifically commit v1.2.8-226-ged22a47) crashes
libvirtd on the destination host.

The crash is inevitable because qemuMigrationPrepareAny is always called
with NULL protocol in case of tunnelled migration.

https://bugzilla.redhat.com/show_bug.cgi?id=1147331
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

Closes: #773503

src/lxc/lxc_process.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 lxc: move setting ifname_guest_actual to virlxcsetupinterfaces

so it applies to interfaces of type 'direct' too.

src/lxc/lxc_container.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 lxc: don't crash on null ifname_guest_actual

src/vbox/vbox_tmpl.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 vbox: fix a bug in _machinestateinactive

This function returned non-inactive domains instead of active
domains.  This broke virConnectNumOfDefinedDomains() and
virConnectListDefinedDomains() functions.

Closes: #770202

src/qemu/qemu_driver.c | 2 1 + 1 - 0 !
src/remote/remote_protocol.x | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 cve-2015-0236: qemu: check acls when dumping security info from save
 image

The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the
appropriate permission for it.

src/qemu/qemu_driver.c | 2 1 + 1 - 0 !
src/remote/remote_protocol.x | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 cve-2015-0236: qemu: check acls when dumping security info from
 snapshots

The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the
appropriate permission for it. Found via code inspection while fixing
permissions for save images.

src/qemu/qemu_capabilities.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 

Since QEMU 1.2.0, we switched to QMP probing instead of parsing -help
(and other commands, such as -cpu ?) output. However, if QMP probing
failed, we still tried starting QEMU with various options and parsing
the output, which was guaranteed to fail because the output changed.
Let's just refuse parsing -help for QEMU >= 1.2.0.

src/security/virt-aa-helper.c | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 teach virt-aa-helper to use template.qemu if the domain is kvm or
 kqemu

Closes: #786650

examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 allow access to libnl-3 config files

Closes: #786650

src/qemu/qemu_migration.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix crash on live migration

this supplements 07dbec0a64783f644854a22aa0355720f0328d17.

Closes: #7788171
Thanks: Eckebrecht von Pappenheim

src/qemu/qemu_capabilities.c | 37 27 + 10 - 0 !
src/qemu/qemu_capabilities.h | 3 2 + 1 - 0 !
tests/qemuhelptest.c | 2 1 + 1 - 0 !
3 files changed, 30 insertions(+), 12 deletions(-)

 report original error when qmp probing fails with new qemu

If probing capabilities via QMP fails, we now have a check
that prevents us falling back to -help parsing. Unfortunately
the error message

  "Failed to probe capabilities for /usr/bin/qemu-kvm:
   unsupported configuration: QEMU 2.1.2 is too new for help parsing"

is proving rather unhelpful to the user. We need to be telling
them why QMP failed (the root cause), rather than they can't
use -help (the side effect).

To do this we should capture stderr during QMP probing, and
if -help parsing then sees a new QEMU version, we know that
QMP should have worked, and so we can show the messages from
stderr. The message thus becomes

  "Failed to probe capabilities for /usr/bin/qemu-kvm:
   internal error: QEMU / QMP failed: Could not access
   KVM kernel module: No such file or directory
   failed to initialize KVM: No such file or directory"

src/storage/storage_backend_fs.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 [patch] cve-2015-5313: storage: don't allow '/' in filesystem volume
 names

The libvirt file system storage driver determines what file to
act on by concatenating the pool location with the volume name.
If a user is able to pick names like "../../../etc/passwd", then
they can escape the bounds of the pool.  For that matter,
virStoragePoolListVolumes() doesn't descend into subdirectories,
so a user really shouldn't use a name with a slash.

Normally, only privileged users can coerce libvirt into creating
or opening existing files using the virStorageVol APIs; and such
users already have full privilege to create any domain XML (so it
is not an escalation of privilege).  But in the case of
fine-grained ACLs, it is feasible that a user can be granted
storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files
outside of the storage pool.

Therefore, prevent all use of volume names that contain "/",
whether or not such a name is actually attempting to escape the
pool.

src/qemu/qemu.conf | 2 1 + 1 - 0 !
src/qemu/qemu_conf.c | 2 1 + 1 - 0 !
src/qemu/test_libvirtd_qemu.aug.in | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 debianize-bridge-helper-path

libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
/usr/libexec/qemu-bridge-helper

$ dpkg -S bridge-helper
qemu-system-common: /usr/lib/qemu/qemu-bridge-helper

Closes #816602

src/qemu/qemu_hotplug.c | 14 7 + 7 - 0 !
1 file changed, 7 insertions(+), 7 deletions(-)

 cve-2016-5008 qemu: let empty default vnc password work as
 documented

Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".

https://bugzilla.redhat.com/show_bug.cgi?id=1180092

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit bb848feec0f3f10e92dd8e5231ae7aa89b5598f3)

src/qemu/qemu_command.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 qemu: specify format= iff disk source is not empty

Just recently, qemu forbade specifying format for sourceless
disks (qemu commit 39c4ae941ed992a3bb5). It kind of makes sense.
If there's no file to open, why specify its format. Anyway, I
have a domain like this:

    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

and obviously I am unable to start it. Therefore, a fix on our
side is needed too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

src/qemu/qemu_monitor.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 cve-2018-5748: qemu: avoid denial of service reading from qemu
 monitor

We read from QEMU until seeing a \r\n pair to indicate a completed reply
or event. To avoid memory denial-of-service though, we must have a size
limit on amount of data we buffer. 10 MB is large enough that it ought
to cope with normal QEMU replies, and small enough that we're not
consuming unreasonable mem.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

src/qemu/qemu_agent.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 cve-2018-1064: qemu: avoid denial of service reading from qemu guest
 agent
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh
dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt
c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh
dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl
IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu
b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg
ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0
OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50
IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n
w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg==