Rebased to version 0.10.2.8

CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332) CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667) CVE-2013-4291: Supplementary groups handling (bz #1006509, bz #1006511) Fix LXC container creation if selinux disabled (bz #977114) Fix virsh change-media with block disk type (bz #951192)
Rebased to version 0.10.2.7
2013-09-20 17:30:22 -04:00 · 2013-08-01 19:32:09 -04:00 · 2013-06-12 18:35:13 -04:00 · 2013-06-12 18:16:33 -04:00 · 2013-06-12 17:57:01 -04:00 · 2013-05-19 18:57:02 -04:00
4 changed files with 704 additions and 40 deletions
--- a/libvirt-dbus.patch
+++ b/libvirt-dbus.patch
@ -0,0 +1,225 @@
+Return-Path: alexl@redhat.com
+Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
+ zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
+ zmail20.collab.prod.int.phx2.redhat.com with LMTP; Tue, 9 Oct 2012 11:26:38
+ -0400 (EDT)
+Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
+	by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id D4096D0927
+	for <alexl@mail.corp.redhat.com>; Tue,  9 Oct 2012 11:26:38 -0400 (EDT)
+Received: from localhost.localdomain (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1])
+	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q99FQV93016417;
+	Tue, 9 Oct 2012 11:26:33 -0400
+From: Alexander Larsson <alexl@redhat.com>
+To: libvir-list@redhat.com
+Cc: Alexander Larsson <alexl@redhat.com>
+Subject: [PATCH 1/2] virdbus: Add virDBusGetSessionBus helper
+Date: Tue,  9 Oct 2012 17:26:28 +0200
+Message-Id: <1349796389-6122-2-git-send-email-alexl@redhat.com>
+In-Reply-To: <1349796389-6122-1-git-send-email-alexl@redhat.com>
+References: <1349796389-6122-1-git-send-email-alexl@redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
+
+This splits out some common code from virDBusGetSystemBus and
+uses it to implement a new virDBusGetSessionBus helper.
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virdbus.c       | 84 ++++++++++++++++++++++++++++++++++++------------
+ src/util/virdbus.h       |  1 +
+ 3 files changed, 66 insertions(+), 20 deletions(-)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index a8c81e7..88f1b2f 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -1310,6 +1310,7 @@ virConsoleOpen;
+ 
+ # virdbus.h
+ virDBusGetSystemBus;
+virDBusGetSessionBus;
+ 
+ 
+ # virdomainlist.h
+diff --git a/src/util/virdbus.c b/src/util/virdbus.c
+index 4acce12..2dc7265 100644
+--- a/src/util/virdbus.c
+++ b/src/util/virdbus.c
+@@ -32,40 +32,49 @@
+ #ifdef HAVE_DBUS
+ 
+ static DBusConnection *systembus = NULL;
+-static virOnceControl once = VIR_ONCE_CONTROL_INITIALIZER;
+-static DBusError dbuserr;
+static DBusConnection *sessionbus = NULL;
+static virOnceControl systemonce = VIR_ONCE_CONTROL_INITIALIZER;
+static virOnceControl sessiononce = VIR_ONCE_CONTROL_INITIALIZER;
+static DBusError systemdbuserr;
+static DBusError sessiondbuserr;
+ 
+ static dbus_bool_t virDBusAddWatch(DBusWatch *watch, void *data);
+ static void virDBusRemoveWatch(DBusWatch *watch, void *data);
+ static void virDBusToggleWatch(DBusWatch *watch, void *data);
+ 
+-static void virDBusSystemBusInit(void)
+static DBusConnection *virDBusBusInit(DBusBusType type, DBusError *dbuserr)
+ {
+    DBusConnection *bus;
+
+     /* Allocate and initialize a new HAL context */
+     dbus_connection_set_change_sigpipe(FALSE);
+     dbus_threads_init_default();
+ 
+-    dbus_error_init(&dbuserr);
+-    if (!(systembus = dbus_bus_get(DBUS_BUS_SYSTEM, &dbuserr)))
+-        return;
+    dbus_error_init(dbuserr);
+    if (!(bus = dbus_bus_get(type, dbuserr)))
+        return NULL;
+ 
+-    dbus_connection_set_exit_on_disconnect(systembus, FALSE);
+    dbus_connection_set_exit_on_disconnect(bus, FALSE);
+ 
+     /* Register dbus watch callbacks */
+-    if (!dbus_connection_set_watch_functions(systembus,
+    if (!dbus_connection_set_watch_functions(bus,
+                                              virDBusAddWatch,
+                                              virDBusRemoveWatch,
+                                              virDBusToggleWatch,
+-                                             NULL, NULL)) {
+-        systembus = NULL;
+-        return;
+                                             bus, NULL)) {
+        return NULL;
+     }
+    return bus;
+ }
+ 
+static void virDBusSystemBusInit(void)
+{
+    systembus = virDBusBusInit (DBUS_BUS_SYSTEM, &systemdbuserr);
+}
+ 
+ DBusConnection *virDBusGetSystemBus(void)
+ {
+-    if (virOnce(&once, virDBusSystemBusInit) < 0) {
+    if (virOnce(&systemonce, virDBusSystemBusInit) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                        _("Unable to run one time DBus initializer"));
+         return NULL;
+@@ -74,7 +83,7 @@ DBusConnection *virDBusGetSystemBus(void)
+     if (!systembus) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("Unable to get DBus system bus connection: %s"),
+-                       dbuserr.message ? dbuserr.message : "watch setup failed");
+                       systemdbuserr.message ? systemdbuserr.message : "watch setup failed");
+         return NULL;
+     }
+ 
+@@ -82,13 +91,45 @@ DBusConnection *virDBusGetSystemBus(void)
+ }
+ 
+ 
+static void virDBusSessionBusInit(void)
+{
+    sessionbus = virDBusBusInit (DBUS_BUS_SESSION, &sessiondbuserr);
+}
+
+DBusConnection *virDBusGetSessionBus(void)
+{
+    if (virOnce(&sessiononce, virDBusSessionBusInit) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Unable to run one time DBus initializer"));
+        return NULL;
+    }
+
+    if (!sessionbus) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to get DBus session bus connection: %s"),
+                       sessiondbuserr.message ? sessiondbuserr.message : "watch setup failed");
+        return NULL;
+    }
+
+    return sessionbus;
+}
+
+struct virDBusWatch
+{
+    int watch;
+    DBusConnection *bus;
+};
+
+ static void virDBusWatchCallback(int fdatch ATTRIBUTE_UNUSED,
+                                  int fd ATTRIBUTE_UNUSED,
+                                  int events, void *opaque)
+ {
+     DBusWatch *watch = opaque;
+    struct virDBusWatch *info;
+     int dbus_flags = 0;
+ 
+    info = dbus_watch_get_data(watch);
+
+     if (events & VIR_EVENT_HANDLE_READABLE)
+         dbus_flags |= DBUS_WATCH_READABLE;
+     if (events & VIR_EVENT_HANDLE_WRITABLE)
+@@ -100,7 +141,7 @@ static void virDBusWatchCallback(int fdatch ATTRIBUTE_UNUSED,
+ 
+     (void)dbus_watch_handle(watch, dbus_flags);
+ 
+-    while (dbus_connection_dispatch(systembus) == DBUS_DISPATCH_DATA_REMAINS)
+    while (dbus_connection_dispatch(info->bus) == DBUS_DISPATCH_DATA_REMAINS)
+         /* keep dispatching while data remains */;
+ }
+ 
+@@ -120,18 +161,13 @@ static int virDBusTranslateWatchFlags(int dbus_flags)
+ }
+ 
+ 
+-struct virDBusWatch
+-{
+-    int watch;
+-};
+-
+ static void virDBusWatchFree(void *data) {
+     struct virDBusWatch *info = data;
+     VIR_FREE(info);
+ }
+ 
+ static dbus_bool_t virDBusAddWatch(DBusWatch *watch,
+-                                  void *data ATTRIBUTE_UNUSED)
+                                   void *data)
+ {
+     int flags = 0;
+     int fd;
+@@ -148,6 +184,7 @@ static dbus_bool_t virDBusAddWatch(DBusWatch *watch,
+ # else
+     fd = dbus_watch_get_fd(watch);
+ # endif
+    info->bus = (DBusConnection *)data;
+     info->watch = virEventAddHandle(fd, flags,
+                                     virDBusWatchCallback,
+                                     watch, NULL);
+@@ -194,4 +231,11 @@ DBusConnection *virDBusGetSystemBus(void)
+     return NULL;
+ }
+ 
+DBusConnection *virDBusGetSessionBus(void)
+{
+    virReportError(VIR_ERR_INTERNAL_ERROR,
+                   "%s", _("DBus support not compiled into this binary"));
+    return NULL;
+}
+
+ #endif /* ! HAVE_DBUS */
+diff --git a/src/util/virdbus.h b/src/util/virdbus.h
+index 27dca00..e443fbe 100644
+--- a/src/util/virdbus.h
+++ b/src/util/virdbus.h
+@@ -30,5 +30,6 @@
+ # include "internal.h"
+ 
+ DBusConnection *virDBusGetSystemBus(void);
+DBusConnection *virDBusGetSessionBus(void);
+ 
+ #endif /* __VIR_DBUS_H__ */
+-- 
+1.7.12.1
+
--- a/libvirt-save-with-session.patch
+++ b/libvirt-save-with-session.patch
@ -0,0 +1,303 @@
+Return-Path: alexl@redhat.com
+Received: from zmta06.collab.prod.int.phx2.redhat.com (LHLO
+ zmta06.collab.prod.int.phx2.redhat.com) (10.5.81.13) by
+ zmail20.collab.prod.int.phx2.redhat.com with LMTP; Tue, 9 Oct 2012 11:26:39
+ -0400 (EDT)
+Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
+	by zmta06.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id D4A8516044F
+	for <alexl@mail.corp.redhat.com>; Tue,  9 Oct 2012 11:26:39 -0400 (EDT)
+Received: from localhost.localdomain (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1])
+	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q99FQV94016417;
+	Tue, 9 Oct 2012 11:26:34 -0400
+From: Alexander Larsson <alexl@redhat.com>
+To: libvir-list@redhat.com
+Cc: Alexander Larsson <alexl@redhat.com>
+Subject: [PATCH 2/2] Shut down session libvirtd cleanly
+Date: Tue,  9 Oct 2012 17:26:29 +0200
+Message-Id: <1349796389-6122-3-git-send-email-alexl@redhat.com>
+In-Reply-To: <1349796389-6122-1-git-send-email-alexl@redhat.com>
+References: <1349796389-6122-1-git-send-email-alexl@redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
+
+When the session dies or when the system is going to be shut down
+we save all active VMs and exit libvirtd.
+
+Additionally whenever there is an active domain we hold a
+shutdown inhibitor to avoid shutting down before all the
+VMs are saved.
+---
+ daemon/libvirtd.c | 244 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 244 insertions(+)
+
+diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
+index b49acc5..c3bf2ce 100644
+--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
+@@ -98,6 +98,11 @@
+ 
+ #include "configmake.h"
+ 
+#ifdef HAVE_DBUS
+# include <dbus/dbus.h>
+# include "virdbus.h"
+#endif
+
+ #if HAVE_SASL
+ virNetSASLContextPtr saslCtxt = NULL;
+ #endif
+@@ -769,6 +774,212 @@ static int daemonSetupSignals(virNetServerPtr srv)
+     return 0;
+ }
+ 
+#ifdef HAVE_DBUS
+
+static DBusConnection *sessionBus;
+static DBusConnection *systemBus;
+static virConnectPtr sessionConnection;
+static int numActiveDomains;
+static bool hasInhibit;
+static bool callingInhibit;
+static int inhibitFd = -1;
+
+static void runSaveAllDomains(void *opaque)
+{
+    virNetServerPtr srv = opaque;
+    int numDomains, i;
+    int state;
+    virDomainPtr *domains = NULL;
+    unsigned int *flags = NULL;
+
+    numDomains = virConnectListAllDomains(sessionConnection, &domains,  VIR_CONNECT_LIST_DOMAINS_ACTIVE);
+    if (numDomains < 0)
+        goto cleanup;
+
+    if (VIR_ALLOC_N(flags, numDomains) < 0) {
+        virReportOOMError();
+        goto cleanup;
+    }
+
+    /* First we pause all VMs to make them stop dirtying
+       pages, etc. We remember if any VMs were paused so
+       we can restore that on resume. */
+    for (i = 0 ; i < numDomains ; i++) {
+        flags[i] = VIR_DOMAIN_SAVE_RUNNING;
+        if (virDomainGetState (domains[i], &state, NULL, 0) == 0) {
+            if (state == VIR_DOMAIN_PAUSED) {
+                flags[i] = VIR_DOMAIN_SAVE_PAUSED;
+            }
+        }
+        virDomainSuspend (domains[i]);
+    }
+
+    /* Then we save the VMs to disk */
+    for (i = 0 ; i < numDomains ; i++)
+        virDomainManagedSave (domains[i], flags[i]);
+
+    VIR_FREE (domains);
+    VIR_FREE (flags);
+
+ cleanup:
+    if (domains != NULL) {
+        for (i = 0 ; i < numDomains ; i++)
+            virDomainFree (domains[i]);
+        VIR_FREE (domains);
+    }
+    if (flags != NULL)
+        VIR_FREE (flags);
+
+    /* We don't need any shutdown inhibit lock anymore now */
+    if (inhibitFd != -1) {
+        if (VIR_CLOSE (inhibitFd) < 0)
+            virReportSystemError(errno, "%s", _("failed to close file"));
+        inhibitFd = -1;
+    }
+
+    /* Exit libvirtd cleanly */
+    virNetServerQuit (srv);
+}
+
+/* We do this in a thread to not block the main loop */
+static void saveAllDomains(virNetServerPtr srv)
+{
+    virThread thr;
+    virObjectRef(srv);
+    if (virThreadCreate(&thr, false, runSaveAllDomains, srv) < 0) {
+        virObjectUnref(srv);
+    }
+}
+
+static void gotInhibitReply (DBusPendingCall *pending,
+                             void            *opaque ATTRIBUTE_UNUSED)
+{
+    DBusMessage *reply;
+    int fd;
+
+    callingInhibit = false;
+
+    reply = dbus_pending_call_steal_reply (pending);
+    if (reply == NULL)
+        return;
+
+    if (dbus_message_get_args (reply, NULL,
+                                DBUS_TYPE_UNIX_FD, &fd,
+                                DBUS_TYPE_INVALID)) {
+        if (hasInhibit)
+            inhibitFd = fd;
+        else {
+            /* We stopped the last VM since we made the inhibit call */
+            if (VIR_CLOSE (fd) < 0) {
+                virReportSystemError(errno, "%s", _("failed to close file"));
+            }
+        }
+    }
+    dbus_message_unref (reply);
+}
+
+/* As per: http://www.freedesktop.org/wiki/Software/systemd/inhibit */
+static void callInhibit(const char *what,
+                        const char *who,
+                        const char *why,
+                        const char *mode)
+{
+    DBusMessage *message;
+    DBusPendingCall *pendingReply;
+
+    if (systemBus == NULL)
+        return;
+
+    /* Only one outstanding call at a time */
+    if (callingInhibit)
+        return;
+
+    message = dbus_message_new_method_call ("org.freedesktop.login1",
+                                            "/org/freedesktop/login1",
+                                            "org.freedesktop.login1.Manager",
+                                            "Inhibit");
+    if (message == NULL)
+        return;
+
+    dbus_message_append_args (message,
+                              DBUS_TYPE_STRING, &what,
+                              DBUS_TYPE_STRING, &who,
+                              DBUS_TYPE_STRING, &why,
+                              DBUS_TYPE_STRING, &mode,
+                              DBUS_TYPE_INVALID);
+
+    pendingReply = NULL;
+    if (dbus_connection_send_with_reply (systemBus, message,
+                                         &pendingReply,
+                                         25*1000)) {
+        dbus_pending_call_set_notify (pendingReply,
+                                      gotInhibitReply,
+                                      NULL, NULL);
+        callingInhibit = true;
+    }
+    dbus_message_unref (message);
+}
+
+
+static void numActiveDomainsChanged(void)
+{
+    if (numActiveDomains > 0 && !hasInhibit) {
+        callInhibit("shutdown", _("Libvirt"), _("Virtual machines need to be saved"), "delay");
+        hasInhibit = true;
+    } else if (numActiveDomains == 0 && hasInhibit) {
+        if (inhibitFd != -1) {
+            if (VIR_CLOSE (inhibitFd) < 0) {
+                virReportSystemError(errno, "%s", _("failed to close file"));
+            }
+            inhibitFd = -1;
+        }
+        hasInhibit = false;
+    }
+}
+
+static int lifecycleEventCallback(virConnectPtr conn ATTRIBUTE_UNUSED,
+                                  virDomainPtr dom ATTRIBUTE_UNUSED,
+                                  int event,
+                                  int detail ATTRIBUTE_UNUSED,
+                                  void *opaque ATTRIBUTE_UNUSED)
+{
+    if (event == VIR_DOMAIN_EVENT_STOPPED)
+        numActiveDomains--;
+    else if (event == VIR_DOMAIN_EVENT_STARTED)
+        numActiveDomains++;
+
+    numActiveDomainsChanged();
+
+    return 0;
+}
+
+static DBusHandlerResult handleSessionMessageFunc(DBusConnection  *connection ATTRIBUTE_UNUSED,
+                                                  DBusMessage     *message,
+                                                  void            *userData)
+{
+    virNetServerPtr srv = userData;
+
+    if (dbus_message_is_signal(message, DBUS_INTERFACE_LOCAL, "Disconnected")) {
+        saveAllDomains (srv);
+    }
+
+    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+static DBusHandlerResult handleSystemMessageFunc(DBusConnection  *connection ATTRIBUTE_UNUSED,
+                                                 DBusMessage     *message,
+                                                 void            *userData)
+{
+    virNetServerPtr srv = userData;
+
+    if (dbus_message_is_signal(message, "org.freedesktop.login1.Manager", "PrepareForShutdown")) {
+        saveAllDomains (srv);
+    }
+
+    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+#endif
+
+ static void daemonRunStateInit(void *opaque)
+ {
+     virNetServerPtr srv = opaque;
+@@ -785,6 +996,39 @@ static void daemonRunStateInit(void *opaque)
+         return;
+     }
+ 
+#ifdef HAVE_DBUS
+    /* Tie the non-priviledged libvirtd to the session/shutdown lifecycle */
+    if (!virNetServerIsPrivileged(srv)) {
+
+        sessionBus = virDBusGetSessionBus ();
+        if (sessionBus != NULL) {
+            dbus_connection_add_filter(sessionBus,
+                                       handleSessionMessageFunc, srv, NULL);
+        }
+
+        systemBus = virDBusGetSystemBus ();
+        if (systemBus != NULL) {
+            dbus_connection_add_filter(systemBus,
+                                       handleSystemMessageFunc, srv, NULL);
+            dbus_bus_add_match(systemBus,
+                               "type='signal',sender='org.freedesktop.login1', interface='org.freedesktop.login1.Manager'",
+                               NULL);
+        }
+
+        sessionConnection = virConnectOpen("qemu:///session");
+        if (sessionConnection != NULL) {
+            numActiveDomains = virConnectNumOfDomains(sessionConnection);
+            virConnectDomainEventRegisterAny(sessionConnection,
+                                             NULL,
+                                             VIR_DOMAIN_EVENT_ID_LIFECYCLE,
+                                             VIR_DOMAIN_EVENT_CALLBACK (lifecycleEventCallback),
+                                             NULL, NULL);
+            numActiveDomainsChanged();
+        }
+
+    }
+#endif
+
+     /* Only now accept clients from network */
+     virNetServerUpdateServices(srv, true);
+     virObjectUnref(srv);
+-- 
+1.7.12.1
+
--- a/libvirt.spec
+++ b/libvirt.spec
@ -53,7 +53,13 @@

 %define with_qemu_tcg      %{with_qemu}
 # Change if we ever provide qemu-kvm binaries on non-x86 hosts
-%ifarch %{ix86} x86_64
+%if 0%{?fedora} >= 18
+%define qemu_kvm_arches    %{ix86} x86_64 ppc64 s390x
+%else
+%define qemu_kvm_arches    %{ix86} x86_64
+%endif
+
+%ifarch %{qemu_kvm_arches}
 %define with_qemu_kvm      %{with_qemu}
 %else
 %define with_qemu_kvm      0
@ -108,6 +114,7 @@
 %define with_systemd       0%{!?_without_systemd:0}
 %define with_numad         0%{!?_without_numad:0}
 %define with_firewalld     0%{!?_without_firewalld:0}
+%define with_libssh2_transport 0%{!?_without_libssh2_transport:0}

 # Non-server/HV driver defaults which are always enabled
 %define with_python        0%{!?_without_python:1}
@ -181,8 +188,8 @@
 %endif
 %endif

-# Fedora doesn't have new enough Xen for libxl until F16
-%if 0%{?fedora} && 0%{?fedora} < 16
+# Fedora doesn't have new enough Xen for libxl until F18
+%if 0%{?fedora} && 0%{?fedora} < 18
 %define with_libxl 0
 %endif

@ -229,6 +236,11 @@
 %endif
 %endif

+# Enable libssh2 transport for new enough distros
+%if 0%{?fedora} >= 17 || 0%{?rhel} >= 6
+%define with_libssh2_transport 0%{!?_without_libssh2_transport:1}
+%endif
+
 # Disable some drivers when building without libvirt daemon.
 # The logic is the same as in configure.ac
 %if ! %{with_libvirtd}
@ -294,10 +306,6 @@
 %define with_storage 0
 %endif

-# libxl driver doesn't build with Xen 4.2 in rawhide
-%if 0%{?fedora} && 0%{?fedora} >= 18
-%define with_libxl 0
-%endif

 # Force QEMU to run as non-root
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@ -317,10 +325,17 @@
 %define with_rhel5  0
 %endif

+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%define with_systemd_macros 1
+%else
+%define with_systemd_macros 0
+%endif
+
+
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 0.10.2.1
-Release: 2%{?dist}%{?extra_release}
+Version: 0.10.2.8
+Release: 1%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -330,10 +345,16 @@ URL: http://libvirt.org/
 %define mainturl stable_updates/
 %endif
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
-# Fix qemu -> qemu-system-i386 (RHBZ#857026).
+
+# Fix qemu -> qemu-system-i386 (bz #857026).
 # keep: This patch is Fedora-specific and not upstream.
 Patch1: 0001-Use-qemu-system-i386-as-binary-instead-of-qemu.patch
-
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
+Patch2: libvirt-dbus.patch
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
+Patch3: libvirt-save-with-session.patch


 %if %{with_libvirtd}
@ -500,9 +521,13 @@ BuildRequires: numactl-devel
 %if %{with_capng}
 BuildRequires: libcap-ng-devel >= 0.5.0
 %endif
-%if %{with_phyp}
+%if %{with_phyp} || %{with_libssh2_transport}
+%if %{with_libssh2_transport}
+BuildRequires: libssh2-devel >= 1.3.0
+%else
 BuildRequires: libssh2-devel
 %endif
+%endif

 %if %{with_netcf}
 %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
@ -623,7 +648,7 @@ Requires: PolicyKit >= 0.6
 %if %{with_storage_fs}
 Requires: nfs-utils
 # For mkfs
-Requires: util-linux-ng
+Requires: util-linux
 # For pool-build probing for existing pools
 BuildRequires: libblkid-devel >= 2.17
 # For glusterfs
@ -683,11 +708,10 @@ Requires(postun): systemd-units
 %if %{with_numad}
 Requires: numad
 %endif
-
-# libxl driver doesn't build with Xen 4.2 in rawhide
-%if ! %{with_libxl}
-Obsoletes: libvirt-daemon-driver-libxl
-%endif
+# libvirtd depends on 'messagebus' service
+Requires: dbus
+# For uid creation during pre
+Requires(pre): shadow-utils

 %description daemon
 Server side daemon required to manage the virtualization capabilities
@ -1006,6 +1030,9 @@ Requires: cyrus-sasl
 # work correctly & doesn't have onerous dependencies
 Requires: cyrus-sasl-md5
 %endif
+%if %{with_libssh2_transport}
+Requires: libssh2 >= 1.3.0
+%endif

 %description client
 Shared libraries and client binaries needed to access to the
@ -1050,7 +1077,16 @@ of recent versions of Linux (and other OSes).

 %prep
 %setup -q
+
+# Fix qemu -> qemu-system-i386 (bz #857026).
+# keep: This patch is Fedora-specific and not upstream.
 %patch1 -p1
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
+%patch2 -p1
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
+%patch3 -p1

 %build
 %if ! %{with_xen}
@ -1304,7 +1340,11 @@ gzip -9 ChangeLog
 %install
 rm -fr %{buildroot}

-%makeinstall SYSTEMD_UNIT_DIR=%{buildroot}%{_unitdir}
+# Avoid using makeinstall macro as it changes prefixes rather than setting
+# DESTDIR. Newer make_install macro would be better but it's not available
+# on RHEL 5, thus we need to expand it here.
+make install DESTDIR=%{?buildroot} SYSTEMD_UNIT_DIR=%{_unitdir}
+
 for i in domain-events/events-c dominfo domsuspend hellolibvirt openauth python xml/nwfilter systemtap
 do
  (cd examples/$i ; make clean ; rm -rf .deps .libs Makefile Makefile.in)
@ -1371,8 +1411,6 @@ rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.uml
 mv $RPM_BUILD_ROOT%{_datadir}/doc/libvirt-%{version} \
   $RPM_BUILD_ROOT%{_datadir}/doc/libvirt-docs-%{version}

-sed -i -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/libvirt-guests
-
 %if %{with_dtrace}
 %ifarch %{power64} s390x x86_64 ia64 alpha sparc64
 mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_probes.stp \
@ -1382,6 +1420,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
 %endif
 %endif

+%if 0%{?fedora} < 14 && 0%{?rhel} < 6
+rm -f $RPM_BUILD_ROOT%{_prefix}/lib/sysctl.d/libvirtd.conf
+%endif
+
 %clean
 rm -fr %{buildroot}

@ -1400,16 +1442,21 @@ make check

 %if %{with_libvirtd}
 %pre daemon
-%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-# Normally 'setup' adds this in /etc/passwd, but this is
-# here for case of upgrades from earlier Fedora/RHEL. This
-# UID/GID pair is reserved for qemu:qemu
-getent group kvm >/dev/null || groupadd -g 36 -r kvm
-getent group qemu >/dev/null || groupadd -g 107 -r qemu
-getent passwd qemu >/dev/null || \
-  useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-    -c "qemu user" qemu
-%endif
+    %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
+# We want soft static allocation of well-known ids, as disk images
+# are commonly shared across NFS mounts by id rather than name; see
+# https://fedoraproject.org/wiki/Packaging:UsersAndGroups
+getent group kvm >/dev/null || groupadd -f -g 36 -r kvm
+getent group qemu >/dev/null || groupadd -f -g 107 -r qemu
+if ! getent passwd qemu >/dev/null; then
+  if ! getent passwd 107 >/dev/null; then
+    useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
+  else
+    useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
+  fi
+fi
+exit 0
+    %endif

 %post daemon

@ -1456,11 +1503,14 @@ done
 %endif

 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_post libvirtd.service
+%else
 if [ $1 -eq 1 ] ; then
    # Initial installation
    /bin/systemctl enable libvirtd.service >/dev/null 2>&1 || :
-    /bin/systemctl enable cgconfig.service >/dev/null 2>&1 || :
 fi
+%endif
 %else
 %if %{with_cgconfig}
 # Starting with Fedora 16/RHEL-7, systemd automounts all cgroups,
@ -1480,11 +1530,15 @@ fi

 %preun daemon
 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_preun libvirtd.service
+%else
 if [ $1 -eq 0 ] ; then
    # Package removal, not upgrade
    /bin/systemctl --no-reload disable libvirtd.service > /dev/null 2>&1 || :
    /bin/systemctl stop libvirtd.service > /dev/null 2>&1 || :
 fi
+%endif
 %else
 if [ $1 = 0 ]; then
    /sbin/service libvirtd stop 1>/dev/null 2>&1
@ -1494,12 +1548,16 @@ fi

 %postun daemon
 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_postun_with_restart libvirtd.service
+%else
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 if [ $1 -ge 1 ] ; then
    # Package upgrade, not uninstall
    /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
 fi
 %endif
+%endif

 %if %{with_network}
 %post daemon-config-network
@ -1530,6 +1588,9 @@ fi
 %preun client

 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_preun libvirt-guests.service
+%endif
 %else
 if [ $1 = 0 ]; then
    /sbin/chkconfig --del libvirt-guests
@ -1541,13 +1602,20 @@ fi

 /sbin/ldconfig
 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_post libvirt-guests.service
+%endif
 %else
 /sbin/chkconfig --add libvirt-guests
 %endif

-%postun client -p /sbin/ldconfig
+%postun client

+/sbin/ldconfig
 %if %{with_systemd}
+%if %{with_systemd_macros}
+%systemd_postun_with_restart libvirt-guests.service
+%endif
 %triggerun client -- libvirt < 0.9.4
 %{_bindir}/systemd-sysv-convert --save libvirt-guests >/dev/null 2>&1 ||:

@ -1600,9 +1668,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
 %if 0%{?fedora} >= 14 || 0%{?rhel} >= 6
-%config(noreplace) %{_sysconfdir}/sysctl.d/libvirtd
-%else
-rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
+%config(noreplace) %{_prefix}/lib/sysctl.d/libvirtd.conf
 %endif
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/lxc/
@ -1855,11 +1921,13 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd

 %{_datadir}/libvirt/cpu_map.xml

-%{_sysconfdir}/rc.d/init.d/libvirt-guests
 %if %{with_systemd}
 %{_unitdir}/libvirt-guests.service
+%else
+%{_sysconfdir}/rc.d/init.d/libvirt-guests
 %endif
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
+%attr(0755, root, root) %{_libexecdir}/libvirt-guests.sh
 %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/

 %if %{with_sasl}
@ -1903,6 +1971,74 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif

 %changelog
+* Fri Sep 20 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.8-1
+- Rebased to version 0.10.2.8
+- CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332)
+- CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667)
+- CVE-2013-4291: Supplementary groups handling (bz #1006509, bz #1006511)
+- Fix LXC container creation if selinux disabled (bz #977114)
+- Fix virsh change-media with block disk type (bz #951192)
+
+* Thu Aug 01 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.7-1
+- Rebased to version 0.10.2.7
+- Fix crash if udev logging enabled (bz #969152)
+- Fix possible deadlock from getpwuid_r (bz #964358)
+
+* Wed Jun 12 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.6-1
+- Rebased to version 0.10.2.6
+- Fix launching qemu with ccid database property (bz #904692)
+- Don't error if disk resize isn't multiple of 512 (bz #951495)
+- Fix racey cgroup error at VM startup (bz #965169)
+- Fix crash in nwfilter at daemon shutdown (bz #967740)
+
+* Sun May 19 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.5-1
+- Rebased to version 0.10.2.5
+- Fix creating snapshot on lvm pool (bz #955371)
+- Properly escape audit paths (bz #922186)
+- Follow updated packaging guidelines for user alloc (bz #924501)
+- CVE-2013-1962 Open files DoS (bz #963789, bz #953107)
+
+* Mon Apr 01 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.4-1
+- Rebased to version 0.10.2.4
+- Fix 'Cannot parse sensitivity level in s0' error (bz #902103)
+- Fix updating NIC that has boot order set (bz #906446)
+- Fix virsh list for vmware ESX (bz #910702)
+- Fix libxl disk backend default (bz #912488)
+
+* Mon Jan 28 2013 Cole Robinson <crobinso@redhat.com> - 0.10.2.3-1
+- Rebased to version 0.10.2.3
+- Fix libxl driver to build against xen 4.2 (bz #870689)
+- Fix possible crash when destroying guests (bz #877110)
+- Fix loading sysctl file (bz #887017)
+- Fix svirt memory leak (bz #890039)
+- Fix attaching PCI netdev to VM (bz #893131)
+- Fix libvirtd segfault on shutdown (bz #903194)
+- Raise mem limit to stop qemu processes from getting OOM killed (bz #903432)
+- CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz
+  #905173)
+
+* Mon Dec 17 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.2-3
+- Fix scriplet warning when uninstalling libvirt-client (bz #888071)
+
+* Sun Dec 16 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.2-2
+- Fix conflict with NM launched dnsmasq (bz #886663)
+- Fix selinux denials when launching non-kvm qemu guests (bz #885837)
+
+* Sun Dec 09 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.2-1
+- Rebased to version 0.10.2.2
+- CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309)
+- Don't ignore address for USB disks (bz #861309)
+- Fix error with blkdeviotune (bz #872582)
+- Fix cloning LVM volume (bz #869607)
+- Fix VDSM error when libvirt doesn't format CPU topology (bz #876475)
+- Use systemd macros in spec file (bz #850186)
+
+* Thu Dec 06 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.1-4
+- Add ppc64 and s390x as KVM arches for Fedora >= 18 (bz #872545)
+
+* Tue Nov 13 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.1-3
+- Cleanly save session VMs on logout/shutdown (bz #872254)
+
 * Tue Oct 30 2012 Cole Robinson <crobinso@redhat.com> - 0.10.2.1-2
 - Disable libxl on F18 too

@ -2099,7 +2235,7 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 * Sat Jul 30 2011 Dan Hor?k <dan[at]danny.cz> - 0.9.3-3
 - xenlight available only on Xen arches

-* Wed Jul  5 2011 Peter Robinson <pbrobinson@gmail.com> - 0.9.3-2
+* Tue Jul  5 2011 Peter Robinson <pbrobinson@gmail.com> - 0.9.3-2
 - Add ARM to NUMA platform excludes

 * Mon Jul  4 2011 Daniel Veillard <veillard@redhat.com> - 0.9.3-1
@ -2439,7 +2575,7 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 * Fri Apr  3 2009 Daniel Veillard <veillard@redhat.com> - 0.6.2-1
 - release of 0.6.2

-* Fri Mar  4 2009 Daniel Veillard <veillard@redhat.com> - 0.6.1-1
+* Wed Mar  4 2009 Daniel Veillard <veillard@redhat.com> - 0.6.1-1
 - release of 0.6.1

 * Sat Jan 31 2009 Daniel Veillard <veillard@redhat.com> - 0.6.0-1
--- a/2
+++ b/2
@ -1 +1 @@
-c090c8abc89653456e3342f9aa9f18fe  libvirt-0.10.2.1.tar.gz
+56078401a10162674dbd98846d0f607d  libvirt-0.10.2.8.tar.gz
Author	SHA1	Message	Date
Cole Robinson	5f6883e0fb	Rebased to version 0.10.2.8 CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332) CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667) CVE-2013-4291: Supplementary groups handling (bz #1006509, bz #1006511) Fix LXC container creation if selinux disabled (bz #977114) Fix virsh change-media with block disk type (bz #951192)	2013-09-20 17:30:22 -04:00
Cole Robinson	6ed21f35ce	Rebased to version 0.10.2.7 Fix crash if udev logging enabled (bz #969152) Fix possible deadlock from getpwuid_r (bz #964358)	2013-08-01 19:32:09 -04:00
Cole Robinson	fd4b7c7eda	Really fix spec dates.	2013-06-12 18:35:13 -04:00
Cole Robinson	a7685ecb49	Fix bogus spec dates	2013-06-12 18:16:33 -04:00
Cole Robinson	4987454f4d	Rebased to version 0.10.2.6 Fix launching qemu with ccid database property (bz #904692) Don't error if disk resize isn't multiple of 512 (bz #951495) Fix racey cgroup error at VM startup (bz #965169) Fix crash in nwfilter at daemon shutdown (bz #967740)	2013-06-12 17:57:01 -04:00
Cole Robinson	7d54a9531e	Rebased to version 0.10.2.5 Fix creating snapshot on lvm pool (bz #955371) Properly escape audit paths (bz #922186) Follow updated packaging guidelines for user alloc (bz #924501) CVE-2013-1962 Open files DoS (bz #963789, bz #953107)	2013-05-19 18:57:02 -04:00
Cole Robinson	ec17372ebc	Rebased to version 0.10.2.4 Fix 'Cannot parse sensitivity level in s0' error (bz #902103) Fix updating NIC that has boot order set (bz #906446) Fix virsh list for vmware ESX (bz #910702) Fix libxl disk backend default (bz #912488)	2013-04-01 17:22:27 -04:00
Cole Robinson	64e6ea2c74	Rebased to version 0.10.2.3 Fix libxl driver to build against xen 4.2 (bz #870689) Fix possible crash when destroying guests (bz #877110) Fix loading sysctl file (bz #887017) Fix svirt memory leak (bz #890039) Fix attaching PCI netdev to VM (bz #893131) Fix libvirtd segfault on shutdown (bz #903194) Raise mem limit to stop qemu processes from getting OOM killed (bz #903432) CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173)	2013-01-28 15:20:46 -05:00
Cole Robinson	4877a48e58	Fix scriplet warning when uninstalling libvirt-client (bz #888071 )	2012-12-17 18:45:55 -05:00
Cole Robinson	9862314ee5	Fix conflict with NM launched dnsmasq (bz #886663 ) Fix selinux denials when launching non-kvm qemu guests (bz #885837)	2012-12-16 14:47:07 -05:00
Cole Robinson	5e3f148cab	Rebased to version 0.10.2.2 CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309) Don't ignore address for USB disks (bz #861309) Fix error with blkdeviotune (bz #872582) Fix cloning LVM volume (bz #869607) Fix VDSM error when libvirt doesn't format CPU topology (bz #876475) Use systemd macros in spec file (bz #850186)	2012-12-09 19:29:03 -05:00
Cole Robinson	8fa149f902	Add ppc64 and s390x as KVM arches for Fedora >= 18 (bz #872545 )	2012-12-06 09:19:26 -05:00
Cole Robinson	cc9cfaa90d	Cleanly save session VMs on logout/shutdown (bz #872254 )	2012-11-13 08:53:57 -05:00