Package: libvirt / 5.0.0-4.1

Metadata

Package: libvirt
Version: 5.0.0-4.1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
debian/Debianize libvirt guests.patch | (download)

tools/libvirt-guests.sh.in | 45 28 + 17 - 0 !
tools/libvirt-guests.sysconf | 4 2 + 2 - 0 !
2 files changed, 30 insertions(+), 19 deletions(-)

 debianize libvirt-guests

debian/Debianize systemd service files.patch | (download)

src/remote/libvirtd.service.in | 4 2 + 2 - 0 !
tools/libvirt-guests.service.in | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 debianize systemd service files


debian/Debianize virtlockd.patch | (download)

src/locking/virtlockd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlockd


debian/Debianize virtlogd.patch | (download)

src/logging/virtlogd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlogd


openpty Skip test if no pty is available.patch | (download)

gnulib/tests/test-openpty.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 openpty: skip test if no pty is available

In chroots for package builds with recent debootstrap there may be
no ptys or they might not be accessible. Both cases manifest as ENOENT
on Linux.

Works around #817236

Disable gnulib s test nonplocking pipe.sh.patch | (download)

gnulib/tests/test-nonblocking-pipe.sh | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 disable gnulib's test-nonblocking-pipe.sh

since it fails on at least sparc and mips from time to time.

Issue reported upstream.

Skip vircgrouptest.patch | (download)

tests/vircgrouptest.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip vircgrouptest

We don't have a mock for nodeGetCPUCount yet so we fail in a chroot
without sysfs mounted.

debian/Don t enable default network on boot.patch | (download)

src/Makefile.in | 3 1 + 2 - 0 !
src/network/Makefile.inc.am | 3 1 + 2 - 0 !
2 files changed, 2 insertions(+), 4 deletions(-)

 don't enable default network on boot

to not interfere with existing network configurations

test posix_openpt don t fail on EACCESS.patch | (download)

gnulib/tests/test-posix_openpt.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test-posix_openpt: don't fail on eaccess

In chroots created with recent debootstrap /dev/ptmx might not be accessible.

Works around #817236

Reduce udevadm settle timeout to 10 seconds.patch | (download)

src/util/virutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 reduce udevadm settle timeout to 10 seconds

This isn't a proper fix but it will make virt-manager at least start.

Closes: #663931

debian/Use upstreams polkit rule.patch | (download)

src/Makefile.in | 4 2 + 2 - 0 !
src/remote/Makefile.inc.am | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 use upstream's polkit rule

As of 1.2.16 upstream ships a Polkit rule like Debian does.

debian/apparmor_profiles_local_include.patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 1 + 0 - 0 !
src/security/apparmor/usr.sbin.libvirtd | 3 3 + 0 - 0 !
2 files changed, 4 insertions(+)

 apparmor_profiles_local_include

Include local apparmor profile

Set defaults for zfs tools.patch | (download)

m4/virt-storage-zfs.m4 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set defaults for zfs tools

so we don't have to build-depend on a program in contrib

Pass GPG_TTY env var to the ssh binary.patch | (download)

src/rpc/virnetsocket.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 pass gpg_tty env var to the ssh binary

gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key, in
addition to the usual identity files).  However for a console-based
password prompt to work, the 'GPG_TTY' environment variable needs to be
set to the current TTY.  Furthermore, curses-based password prompts also
require the 'TERM' environment variable to be set to the terminal type.

apparmor Allow virt aa helper to access the name service .patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 apparmor: allow virt-aa-helper to access the name service switch

Closes: #882979

debian/Prefer sbin over usr sbin.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 prefer /sbin over /usr/sbin

If libvirt is built in a chroot with merged /usr it will otherwise
break on non /usr merged systems.

Closes: #895145

virt aa helper generate rules for gl enabled graphics dev.patch | (download)

src/security/virt-aa-helper.c | 14 14 + 0 - 0 !
tests/virt-aa-helper-test | 6 6 + 0 - 0 !
2 files changed, 20 insertions(+)

 virt-aa-helper: generate rules for gl enabled graphics devices

This adds the virt-aa-helper support for gl enabled graphics devices to
generate rules for the needed rendernode paths.

Example in domain xml:
<graphics type='spice'>
  <gl enable='yes' rendernode='/dev/dri/bar'/>
</graphics>

results in:
  "/dev/dri/bar" rw,

Special cases are:
- multiple devices with rendernodes -> all are added
- non explicit rendernodes -> follow recently added virHostGetDRMRenderNode
- rendernode without opengl (in egl-headless for example) -> still add
  the node

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085

vircgroup Try harder to kill cgroup.patch | (download)

src/util/vircgroup.c | 15 9 + 6 - 0 !
1 file changed, 9 insertions(+), 6 deletions(-)

 vircgroup: try harder to kill cgroup

Prior to rewrite of cgroup code we only had one backend to try.
After the rewrite the virCgroupBackendGetAll() returns both
backends (for v1 and v2). However, not both have to really be
present on the system which results in killRecursive callback
failing which in turn might mean we won't try the other backend.

At the same time, this function reports no error as it should.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

virinitctl Expose fifo paths and allow caller to cho.patch | (download)

src/libvirt_private.syms | 1 1 + 0 - 0 !
src/lxc/lxc_driver.c | 2 1 + 1 - 0 !
src/util/virinitctl.c | 67 43 + 24 - 0 !
src/util/virinitctl.h | 6 5 + 1 - 0 !
4 files changed, 50 insertions(+), 26 deletions(-)

 virinitctl: expose fifo paths and allow caller to choose one

So far the virInitctlSetRunLevel() is fully automatic. It finds
the correct fifo to use to talk to the init and it will set the
desired runlevel. Well, callers (so far there is just one) will
need to inspect the fifo a bit just before the runlevel is set.
Therefore, expose the internal list of fifos and also allow
caller to explicitly use one.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

lxc Don t reboot host on virDomainReboot.patch | (download)

src/lxc/lxc_domain.c | 90 90 + 0 - 0 !
src/lxc/lxc_domain.h | 4 4 + 0 - 0 !
src/lxc/lxc_driver.c | 17 2 + 15 - 0 !
3 files changed, 96 insertions(+), 15 deletions(-)

 lxc: don't reboot host on virdomainreboot

If the container is really a simple one (init is just bash and
the whole root is passed through) then virDomainReboot and
virDomainShutdown will talk to the actual init within the host.
Therefore, 'virsh shutdown $dom' will result in shutting down the
host. True, at that point the container is shut down too but
looks a bit harsh to me.

The solution is to check if the init inside the container is or
is not the same as the init running on the host.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

lxc Try harder to stop reboot containers.patch | (download)

src/lxc/lxc_driver.c | 40 18 + 22 - 0 !
1 file changed, 18 insertions(+), 22 deletions(-)

 lxc: try harder to stop/reboot containers

If shutting down a container via setting the runlevel fails, the
control jumps right onto endjob label and doesn't even try
sending the signal. If flags allow it, we should try both
methods.

Signed-off-by: Maxim Kozin <kolomaxes@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

security aa helper allow virt aa helper to read dev dri.patch | (download)

src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 security: aa-helper: allow virt-aa-helper to read /dev/dri

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But it will in certain cases e.g. if
no rendernode was explicitly specified need to read /dev/dri,
which it currently isn't allowed to do.

Add a rule to the apparmor profile of virt-aa-helper itself to
be able to do that.

security aa helper generate more rules for gl devices.patch | (download)

src/security/virt-aa-helper.c | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

 security: aa-helper: generate more rules for gl devices

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But further testing showed
that it will need much more access for the full gl stack
to work.

Upstream apparmor just recently split those things out and now
has two related abstractions at
https://gitlab.com/apparmor/apparmor/blob/master:
- dri-common at /profiles/apparmor.d/abstractions/dri-common
- mesa: at /profiles/apparmor.d/abstractions/mesa

It would be great to just include that for the majority of
rules, but they are not yet in any distribution so we need
to add rules inspired by them based on the testing that we
can do.

Furthermore qemu with opengl will also probe the backing device
of the rendernode for attributes which should be safe as
read-only wildcard rules.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452

security aa helper nvidia rules for gl devices.patch | (download)

src/security/virt-aa-helper.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 security: aa-helper: nvidia rules for gl devices

security aa helper gl devices in sysfs at arbitrary depth.patch | (download)

src/security/virt-aa-helper.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 security: aa-helper: gl devices in sysfs at arbitrary depth

Further testing with more devices showed that we sometimes have a

security/api disallow virDomainGetHostname for read only connectio.patch | (download)

src/libvirt-domain.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 api: disallow virdomaingethostname for read-only connections

The virDomainGetHostname API is fetching guest information and this may
involve use of an untrusted guest agent. As such its use must be
forbidden on a read-only connection to libvirt.

Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

security/remote enforce ACL write permission for getting guest tim.patch | (download)

src/remote/remote_protocol.x | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 remote: enforce acl write permission for getting guest time & hostname

Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".

Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

security/cpu_map Define md clear CPUID bit.patch | (download)

src/cpu_map/x86_features.xml | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cpu_map: define md-clear cpuid bit

security/admin reject clients unless their UID matches the current.patch | (download)

src/admin/admin_server_dispatch.c | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 admin: reject clients unless their uid matches the current uid

The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

security/locking restrict sockets to mode 0600.patch | (download)

src/locking/virtlockd-admin.socket.in | 1 1 + 0 - 0 !
src/locking/virtlockd.socket.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 locking: restrict sockets to mode 0600

The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600.

Fixes CVE-2019-10132

security/logging restrict sockets to mode 0600.patch | (download)

src/logging/virtlogd-admin.socket.in | 1 1 + 0 - 0 !
src/logging/virtlogd.socket.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 logging: restrict sockets to mode 0600

The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600.

Fixes CVE-2019-10132

security/CVE 2019 10161 api disallow virDomainSaveImageGetXMLDesc .patch | (download)

src/libvirt-domain.c | 9 2 + 7 - 0 !
src/qemu/qemu_driver.c | 2 1 + 1 - 0 !
src/remote/remote_protocol.x | 3 1 + 2 - 0 !
3 files changed, 4 insertions(+), 10 deletions(-)

 cve-2019-10161: api: disallow virdomainsaveimagegetxmldesc on read-only connections

This is a backport of

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>

security/api disallow virDomainManagedSaveDefineXML on read only c.patch | (download)

src/libvirt-domain.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 api: disallow virdomainmanagedsavedefinexml on read-only connections

The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.

Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>

security/api disallow virConnectGetDomainCapabilities on read only.patch | (download)

src/libvirt-domain.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 api: disallow virconnectgetdomaincapabilities on read-only connections

This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>

security/api disallow virConnect HypervisorCPU on read only connec.patch | (download)

src/libvirt-host.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 api: disallow virconnect*hypervisorcpu on read-only connections

These APIs can be used to execute arbitrary emulators.
Forbid them on read-only connections.

Fixes: CVE-2019-10168
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Include etc pki qemu in apparmor.patch | (download)

src/security/apparmor/libvirt-qemu | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 include /etc/pki/qemu in apparmor

We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
apparmor profile.  However the default tls directory in qemu.conf that
we ship is /etc/pki/qemu.  So permit that as well.

Closes: #930100