Package: libvirt / 5.0.0-2

Metadata

Package Version Patches format
libvirt 5.0.0-2 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
debian/Debianize libvirt guests.patch | (download)

tools/libvirt-guests.sh.in | 45 28 + 17 - 0 !
tools/libvirt-guests.sysconf | 4 2 + 2 - 0 !
2 files changed, 30 insertions(+), 19 deletions(-)

 debianize libvirt-guests

debian/Debianize systemd service files.patch | (download)

src/remote/libvirtd.service.in | 4 2 + 2 - 0 !
tools/libvirt-guests.service.in | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 debianize systemd service files


debian/Debianize virtlockd.patch | (download)

src/locking/virtlockd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlockd


debian/Debianize virtlogd.patch | (download)

src/logging/virtlogd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlogd


openpty Skip test if no pty is available.patch | (download)

gnulib/tests/test-openpty.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 openpty: skip test if no pty is available

In chroots for package builds with recent debootstrap there may be
no ptys or they might not be accessible. This both manifests as ENOENT
on Linux.

Works around #817236

Disable gnulib s test nonplocking pipe.sh.patch | (download)

gnulib/tests/test-nonblocking-pipe.sh | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 disable gnulib's test-nonplocking-pipe.sh

since it fails on at least sparc and mips from time to time.

Issue reported upstresm.

Skip vircgrouptest.patch | (download)

tests/vircgrouptest.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip vircgrouptest

We don't have a mock for nodeGetCPUCount yet so we fail in a chroot
without sysfs mounted.

debian/Don t enable default network on boot.patch | (download)

src/Makefile.in | 3 1 + 2 - 0 !
src/network/Makefile.inc.am | 3 1 + 2 - 0 !
2 files changed, 2 insertions(+), 4 deletions(-)

 don't enable default network on boot

to not interfere with existing network configurations

test posix_openpt don t fail on EACCESS.patch | (download)

gnulib/tests/test-posix_openpt.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test-posix_openpt: don't fail on eaccess

In chroots created with recent debootstrap /dev/ptmx might not be accessible.

Works around #817236

Reduce udevadm settle timeout to 10 seconds.patch | (download)

src/util/virutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 reduce udevadm settle timeout to 10 seconds

This isn't a proper fix but it will make virt-manager at least start.

Closes: #663931

debian/Use upstreams polkit rule.patch | (download)

src/Makefile.in | 4 2 + 2 - 0 !
src/remote/Makefile.inc.am | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 use upstreams polkit rule

As of 1.2.16 upstream ships a Polkit rule like Debian does.

debian/apparmor_profiles_local_include.patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 1 + 0 - 0 !
src/security/apparmor/usr.sbin.libvirtd | 3 3 + 0 - 0 !
2 files changed, 4 insertions(+)

 apparmor_profiles_local_include

Include local apparmor profile

Set defaults for zfs tools.patch | (download)

m4/virt-storage-zfs.m4 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set defaults for zfs tools

so we don't have to build-depend on a program in contrib

Pass GPG_TTY env var to the ssh binary.patch | (download)

src/rpc/virnetsocket.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 pass gpg_tty env var to the ssh binary

gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key, in
addition to the usual identity files).  However for a console-based
password prompt to work, the 'GPG_TTY' environment variable needs to be
set to the current TTY.  Furthermore, curses-based password prompts also
require the 'TERM' environment variable to be set to the terminal type.

apparmor Allow virt aa helper to access the name service .patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 apparmor: allow virt-aa-helper to access the name service switch

Closes: #882979

debian/Prefer sbin over usr sbin.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 prefer /sbin over /usr/sbin

If libvirt is built in a chroot with merged /usr it will otherwise
break on non /usr merged systems.

Closes: #895145

virt aa helper generate rules for gl enabled graphics dev.patch | (download)

src/security/virt-aa-helper.c | 14 14 + 0 - 0 !
tests/virt-aa-helper-test | 6 6 + 0 - 0 !
2 files changed, 20 insertions(+)

 virt-aa-helper: generate rules for gl enabled graphics devices

This adds the virt-aa-helper support for gl enabled graphics devices to
generate rules for the needed rendernode paths.

Example in domain xml:
<graphics type='spice'>
  <gl enable='yes' rendernode='/dev/dri/bar'/>
</graphics>

results in:
  "/dev/dri/bar" rw,

Special cases are:
- multiple devices with rendernodes -> all are added
- non explicit rendernodes -> follow recently added virHostGetDRMRenderNode
- rendernode without opengl (in egl-headless for example) -> still add
  the node

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085

security aa helper allow virt aa helper to read dev dri.patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 security: aa-helper: allow virt-aa-helper to read /dev/dri

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But it will in certain cases e.g. if
no rendernode was explicitly specified need to read /dev/dri
which it currently isn't allowed.

Add a rule to the apparmor profile of virt-aa-helper itself to
be able to do that.

security aa helper generate more rules for gl devices.patch | (download)

src/security/virt-aa-helper.c | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

 security: aa-helper: generate more rules for gl devices

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But further testing showed
that it will need much more access for the full gl stack
to work.

Upstream apparmor just recently split those things out and now
has two related abstractions at
https://gitlab.com/apparmor/apparmor/blob/master:
- dri-common at /profiles/apparmor.d/abstractions/dri-common
- mesa: at /profiles/apparmor.d/abstractions/mesa

If would be great to just include that for the majority of
rules, but they are not yet in any distribution so we need
to add rules inspired by them based on the testing that we
can do.

Furthermore qemu with opengl will also probe the backing device
of the rendernode for attributes which should be safe as
read-only wildcard rules.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452

security aa helper nvidia rules for gl devices.patch | (download)

src/security/virt-aa-helper.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 security: aa-helper: nvidia rules for gl devices

security aa helper gl devices in sysfs at arbitrary depth.patch | (download)

src/security/virt-aa-helper.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 security: aa-helper: gl devices in sysfs at arbitrary depth

Further testing with more devices showed that we sometimes have a
api disallow virDomainGetHostname for read only connectio.patch | (download)

src/libvirt-domain.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 api: disallow virdomaingethostname for read-only connections
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

The virDomainGetHostname API is fetching guest information and this may
involve use of an untrusted guest agent. As such its use must be
forbidden on a read-only connection to libvirt.

Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

remote enforce ACL write permission for getting guest tim.patch | (download)

src/remote/remote_protocol.x | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 remote: enforce acl write permission for getting guest time &
 hostname
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".

Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>