Rebase to new stable branch version 1.48.4
resolves: rhbz#2059285
parent 3fd2f945f8
commit 8a4b914681
@ -1,4 +1,4 @@
From 18472273bb58eff008a0c1aacfe7c21dec6705a1 Mon Sep 17 00:00:00 2001
From e3ebd50abde3b05db86c8965868c866152cd3287 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 28 Apr 2022 13:16:54 +0100
Subject: [PATCH] New API: guestfs_device_name returning the drive name

@ -1,4 +1,4 @@
From e77853fd91466181e9963392fbc97d0bf97b8492 Mon Sep 17 00:00:00 2001
From b97b90779d5ea261d5e737f073bb4ec5dc546511 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 May 2022 10:56:00 +0200
Subject: [PATCH] guestfs_readdir(): rewrite with FileOut transfer, to lift

@ -1,4 +1,4 @@
From ba6c7a9a609d650c07d26ee4777f18a6730f4028 Mon Sep 17 00:00:00 2001
From 62cd6c9d2dd62dd24cc04b16437bfb816a6f4357 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 2 May 2022 10:56:01 +0200
Subject: [PATCH] guestfs_readdir(): minimize the number of send_file_write()

@ -1,4 +1,4 @@
From 0279a052dcb859f0c421d2efb92cf3b3d549dcd7 Mon Sep 17 00:00:00 2001
From e4901a4e83f0ab59a525095d2fe1c7f1a38c0aac Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 4 May 2022 15:41:52 +0200
Subject: [PATCH] lib: launch-direct: ignore drive "iface" parameter

@ -1,4 +1,4 @@
From 3db215d52abd929364fe65da74e2f393ee196818 Mon Sep 17 00:00:00 2001
From f13297315495144775f6249e9e24dc5f18f6f902 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 4 May 2022 15:41:53 +0200
Subject: [PATCH] lib: drive_create_data, drive: remove field "iface"

@ -1,4 +1,4 @@
From 2fba4170207b5fef8887ef7003725f7f2deea85b Mon Sep 17 00:00:00 2001
From f408b24d8d8f5b5f4e1a25c1046c3a18107c8d80 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 4 May 2022 15:41:54 +0200
Subject: [PATCH] lib: rename VALID_FORMAT_IFACE to VALID_FORMAT

@ -1,4 +1,4 @@
From 052163a725b8eb430b1f56ee86825cf35c5012d7 Mon Sep 17 00:00:00 2001
From 431ca828e9f7d7a6c7e315b410f381304986ba44 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 4 May 2022 15:41:55 +0200
Subject: [PATCH] tests/regressions: remove "iface"-based restrictions

@ -1,4 +1,4 @@
From decf2b497b47e8a49b2384144b198979df2be8eb Mon Sep 17 00:00:00 2001
From 8f800b369ada05ea690cebb0bb5e0fed0ba1c548 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 10 May 2022 12:27:57 +0200
Subject: [PATCH] generator/customize: invert SELinux relabeling default

@ -1,4 +1,4 @@
From d09099b1da8da93c11aaf51c94e7e456256d6fe9 Mon Sep 17 00:00:00 2001
From 4cfba19fa2b087c4b2c5a1b67aa70eb16e9d5a59 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 25 May 2022 09:19:58 +0200
Subject: [PATCH] generator/customize: reintroduce "--selinux-relabel" as a

@ -1,46 +0,0 @@
From ec3fcb5bf880ce25dc98047903e9d0a090c151f0 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2022 05:26:48 +0200
Subject: [PATCH] update common submodule

Laszlo Ersek (2):
mlcustomize: refresh generated files
remove non-generated "--selinux-relabel" options

Richard W.M. Jones (2):
options/uri.c: Fix missing word in error message
options/uri.c: Free variable on error path

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 08c4ac90f5a3c08b48444e2faf3d0f58d6ddc206)
---
common | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Submodule common 0a231b3e6..48527b876:
diff --git a/common/options/uri.c b/common/options/uri.c
index 6b696fc2d..84d393c1e 100644
--- a/common/options/uri.c
+++ b/common/options/uri.c
@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
socket = query_get (uri, "socket");

if (uri->server && STRNEQ (uri->server, "") && socket) {
- fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"),
+ fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"),
getprogname (), arg);
return -1;
}
@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret)
*ret = malloc (sizeof (char *) * 2);
if (*ret == NULL) {
perror ("malloc");
+ free (server);
return -1;
}
(*ret)[0] = server;
--
2.31.1

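Review bot: dropping this patch file whole is only correct if the 1.48.4 base already carries what it brought in through the common submodule bump 0a231b3e6..48527b876, in particular `+ free (server);` on the `malloc` failure path in make_server(), which otherwise becomes a leak again on this branch, and the removal of the non-generated "--selinux-relabel" options. The rebase commit message ("Rebase to new stable branch version 1.48.4 / resolves: rhbz#2059285") should list which removed patches are now in the stable branch so this can be checked against the submodule state.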
@ -1,4 +1,4 @@
From 0bba553b311f448c50ba6b3dd934b88387302d01 Mon Sep 17 00:00:00 2001
From 010cd5ff441166c01125fc588398a1fb8367a852 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 29 Jul 2013 14:47:56 +0100
Subject: [PATCH] RHEL: Disable unsupported remote drive protocols

@ -1,4 +1,4 @@
From 046e64463e958fb0d2abb6ef6330a6757803a759 Mon Sep 17 00:00:00 2001
From d59942a7a3d1ca2248a94099d28f7555378d7993 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 7 Jul 2015 09:28:03 -0400
Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for

@ -1,4 +1,4 @@
From 0598660ad71cce8c55e6af3b6f0c9afda6d70bcb Mon Sep 17 00:00:00 2001
From c1ff450bcee1465f0eaca00a4d6c8c731f175488 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 29 Jun 2021 15:29:11 +0100
Subject: [PATCH] RHEL: Create /etc/crypto-policies/back-ends/opensslcnf.config
@ -9,7 +9,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1977214#c13
1 file changed, 8 insertions(+)

diff --git a/appliance/init b/appliance/init
index 7076821d2..fe6497b4d 100755
index 19aa151b7..e67d88280 100755
--- a/appliance/init
+++ b/appliance/init
@@ -76,6 +76,14 @@ if ! test -e /etc/mtab; then
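Review bot: the changed index line for appliance/init (`index 7076821d2..fe6497b4d 100755` becoming `index 19aa151b7..e67d88280 100755`) means the base blob moved while the patch's own hunk header `@@ -76,6 +76,14 @@` is unchanged; the new post-image e67d88280 is exactly the blob the removed "appliance, daemon: disable lvm2 devicesfile" patch produced (its hunk read `index fe6497b4d..e67d88280`), so this is consistent with that fix already being in the 1.48.4 base. Worth stating in the commit message that the devicesfile patch was dropped for that reason, since the index line is the only evidence of it here.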
@ -1,4 +1,4 @@
From 7f5b5b3ac884fbe215267c32a88e3740bd9f0117 Mon Sep 17 00:00:00 2001
From d451e0e42c75429279426e9eb5a7701cd4681d07 Mon Sep 17 00:00:00 2001
From: Geoff Amey <gamey@datto.com>
Date: Wed, 15 Jun 2022 17:06:56 -0400
Subject: [PATCH] php: add arginfo to php bindings

@ -1,4 +1,4 @@
From 17eb49e3373e46f92768bdca0733e811603bcc80 Mon Sep 17 00:00:00 2001
From 51ea2e3af9caa434e847ca74a86f5de5ade6058f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 30 Jun 2022 14:20:47 +0200
Subject: [PATCH] introduce the "clevis_luks_unlock" API

@ -1,42 +0,0 @@
From ad24b9f4d6950dd681e65ea9d1de334119ec9ec7 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 26 May 2022 14:02:58 +0100
Subject: [PATCH] build: Pick first field in ID_LIKE

CentOS Stream has:

ID_LIKE="rhel fedora"

which confused the existing script. If there are multiple "likes"
arbitrarily pick the first one in the list.

Fixes: commit 63b722b6c094f3a35a5e72f0ae3236a58ddda110
(cherry picked from commit 7afbf5ee4415f6fa2553898d3af238e794062096)
---
m4/guestfs-appliance.m4 | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/m4/guestfs-appliance.m4 b/m4/guestfs-appliance.m4
index 4e63ef435..19db4fc7e 100644
--- a/m4/guestfs-appliance.m4
+++ b/m4/guestfs-appliance.m4
@@ -106,11 +106,11 @@ AC_ARG_WITH([distro],
cat /etc/os-release >&AS_MESSAGE_LOG_FD
DISTRO="$(
. /etc/os-release
- if test -n "$ID_LIKE"; then
- echo $ID_LIKE | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
- else
- echo $ID | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
- fi
+ ( if test -n "$ID_LIKE"; then
+ echo $ID_LIKE | $AWK '{print $1}'
+ else
+ echo $ID
+ fi ) | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
)"
AS_CASE([$DISTRO],
[FEDORA | RHEL | CENTOS | ALMALINUX | CLOUDLINUX | ROCKY],
--
2.31.1

@ -0,0 +1,69 @@
From 5ae97d7d83d8cdb6e8428774282167dd774aaf70 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 30 Jun 2022 14:20:48 +0200
Subject: [PATCH] guestfish, guestmount: enable networking for "--key
ID:clevis"

Call the C-language helper key_store_requires_network() in guestfish and
guestmount.

(Short log for the "common" submodule, commit range
35467027f657..af6cb55bc58a:

Laszlo Ersek (12):
options: fix UUID comparison logic bug in get_keys()
mltools/tools_utils: remove unused function "key_store_to_cli"
mltools/tools_utils: allow multiple "--key" options for OCaml tools too
options: replace NULL-termination with number-of-elements in get_keys()
options: wrap each passphrase from get_keys() into a struct
options: add back-end for LUKS decryption with Clevis+Tang
options: introduce selector type "key_clevis"
options: generalize "--key" selector parsing for C-language utilities
mltools/tools_utils-c: handle internal type error with abort()
mltools/tools_utils: generalize "--key" selector parsing for OCaml utils
options, mltools/tools_utils: parse "--key ID:clevis" options
options, mltools/tools_utils: add helper for network dependency
).

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20220630122048.19335-4-lersek@redhat.com>
(cherry picked from commit 6a5b44f538065a9f661510234a4235bf38348213)
---
fish/fish.c | 3 +++
fuse/guestmount.c | 4 ++++
2 files changed, 7 insertions(+)

diff --git a/fish/fish.c b/fish/fish.c
index 23d9bb94f..19e3d2799 100644
--- a/fish/fish.c
+++ b/fish/fish.c
@@ -476,6 +476,9 @@ main (int argc, char *argv[])
/* If we've got drives to add, add them now. */
add_drives (drvs);

+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
+ exit (EXIT_FAILURE);
+
/* If we've got mountpoints or prepared drives or -i option, we must
* launch the guest and mount them.
*/
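Review bot: `guestfs_set_network (g, 1)` is a launch-time setting, so calling it after add_drives() and before the block that launches the guest is the right place, but the diffstat (`2 files changed, 7 insertions(+)`, no `common | 2 +-` line) shows this rebased version no longer bumps the common submodule; key_store_requires_network() therefore has to already exist in the stable branch's common checkout or fish.c fails to link, and the commit message should record which submodule commit the 1.48.4 branch sits at. A one-line comment above the `if` (e.g. `/* Clevis (NBDE) unlocking needs the appliance to have network access. */`) would also help, since nothing in fish.c otherwise explains why a --key option turns on networking.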
diff --git a/fuse/guestmount.c b/fuse/guestmount.c
index 77c534828..3c6d57bde 100644
--- a/fuse/guestmount.c
+++ b/fuse/guestmount.c
@@ -348,6 +348,10 @@ main (int argc, char *argv[])

/* Do the guest drives and mountpoints. */
add_drives (drvs);
+
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
+ exit (EXIT_FAILURE);
+
if (guestfs_launch (g) == -1)
exit (EXIT_FAILURE);
if (inspector)
--
2.31.1

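Review bot: in guestmount the appliance keeps QEMU user-mode networking for the whole mount session, not only while the Clevis unlock runs, because the setting is applied right before `guestfs_launch (g)` and only takes effect at launch; the key-option.pod text in the earlier version of this patch ("QEMU user networking will be automatically enabled for the libguestfs appliance") documents this for --key generally, but guestmount's own man page should say it too, since a long-lived FUSE mount is a different exposure from a one-shot guestfish run. The placement itself (after add_drives(), before launch) matches the fish.c hunk.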
@ -1,119 +0,0 @@
From 20eb220c0b1c8a7aaaadcc26fe5fdeae681341b4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 30 May 2022 16:10:27 +0200
Subject: [PATCH] appliance, daemon: disable lvm2 devicesfile

In guestfs-tools commit 4fe8a03cd2d3 ('sysprep: remove lvm2's default
"system.devices" file', 2022-04-11), we disabled the use of LVM2's new
"devicesfile" feature, which could interfere with the cloning of virtual
machines.

We suspected in

https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c6

that the same lvm2 feature could affect the libguestfs appliance itself,
but decided in

https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c8
https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c10

that this would not be the case, because "appliance/init" already
constructed a pristine LVM_SYSTEM_DIR.

Unfortunately, that's not enough: due to the "use_devicesfile=1" default
(on RHEL9 anyway), some "lvm" invocation, possibly inside the
lvm-set-filter API, *creates* "$LVM_SYSTEM_DIR/devices/system.devices".
And then we get (minimally) warnings such as

> Please remove the lvm.conf global_filter, it is ignored with the devices
> file.
> Please remove the lvm.conf filter, it is ignored with the devices file.

when using the lvm-set-filter API.

Explicitly disable the "devices file" in "appliance/init", and also
whenever we rewrite "lvm.conf" -- that is, in set_filter()
[daemon/lvm-filter.c]. In the former, check for the feature by locating
the devicesfile-related utilities "lvmdevices" and "vgimportdevices". In
the C code, invoke the utilities with the "--help" option instead. (In
"appliance/init", I thought it was best not to call any lvm2 utilities
even with "--help", with our lvm2.conf still under construction there.) If
either utility is available, set "use_devicesfile = 0".

Cc: David Teigland <teigland@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1965941
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220530141027.16167-1-lersek@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>
[lersek@redhat.com: style fix: break "devicesfile_feature" in the function
definition to a new line]
(cherry picked from commit 8fc4d167153a23ab91befafb2f7083db2d312ef8)
---
appliance/init | 11 +++++++++++
daemon/lvm-filter.c | 20 ++++++++++++++++++++
2 files changed, 31 insertions(+)

diff --git a/appliance/init b/appliance/init
index fe6497b4d..e67d88280 100755
--- a/appliance/init
+++ b/appliance/init
@@ -142,6 +142,17 @@ mdadm -As --auto=yes --no-degraded
# Empty LVM configuration file means "all defaults".
mkdir -p /tmp/lvm
touch /tmp/lvm/lvm.conf
+
+# If lvm2 supports a "devices file", we need to disable its use
+# (RHBZ#1965941).
+if command -v lvmdevices || command -v vgimportdevices; then
+ {
+ printf 'devices {\n'
+ printf '\tuse_devicesfile = 0\n'
+ printf '}\n'
+ } >> /tmp/lvm/lvm.conf
+fi
+
LVM_SYSTEM_DIR=/tmp/lvm
export LVM_SYSTEM_DIR
lvmetad
diff --git a/daemon/lvm-filter.c b/daemon/lvm-filter.c
index c6dd35156..00b36f826 100644
--- a/daemon/lvm-filter.c
+++ b/daemon/lvm-filter.c
@@ -68,6 +68,19 @@ free_lvm_system_dir (void)
free (lvm_system_dir);
}

+static bool
+devicesfile_feature (void)
+{
+ static bool checked, available;
+
+ if (!checked) {
+ checked = true;
+ available = command (NULL, NULL, "lvmdevices", "--help", NULL) == 0 ||
+ command (NULL, NULL, "vgimportdevices", "--help", NULL) == 0;
+ }
+ return available;
+}
+
/* Rewrite the 'filter = [ ... ]' line in lvm.conf. */
static int
set_filter (char *const *filters)
@@ -88,6 +101,13 @@ set_filter (char *const *filters)
}

fprintf (fp, "devices {\n");
+
+ /* If lvm2 supports a "devices file", we need to disable its use
+ * (RHBZ#1965941).
+ */
+ if (devicesfile_feature ())
+ fprintf (fp, " use_devicesfile = 0\n");
+
for (j = 0; filter_types[j] != NULL; ++j) {
fprintf (fp, " %s = [\n", filter_types[j]);
fprintf (fp, " ");
--
2.31.1

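Review bot: removing this patch file puts the `use_devicesfile = 0` handling entirely on the 1.48.4 base, and the consequence of getting that wrong is functional, not cosmetic: the message explains that with the RHEL9 `use_devicesfile=1` default an `lvm` invocation creates `$LVM_SYSTEM_DIR/devices/system.devices`, after which lvm.conf `filter` and `global_filter` are ignored (the quoted "Please remove the lvm.conf filter, it is ignored with the devices file" warnings), so the lvm-set-filter API would stop restricting which devices the appliance's LVM touches. The commit message should state that upstream commit 8fc4d167153a23ab91befafb2f7083db2d312ef8 is in the new base, which is what this removal assumes.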
@ -1,99 +0,0 @@
From fc0fd56abc2778a8473e9d421c73c9099dade4c4 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 28 Jun 2022 13:54:16 +0200
Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211

Short log for the common submodule, commit range
f8de5508fe75..35467027f657:

Laszlo Ersek (2):
mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
options: fix buffer overflow in get_keys() [CVE-2022-2211]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
(cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53)
---
common | 2 +-
docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)

Submodule common f8de5508f..35467027f:
diff --git a/common/options/keys.c b/common/options/keys.c
index 798315c2e..d27a7123e 100644
--- a/common/options/keys.c
+++ b/common/options/keys.c
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
char **
get_keys (struct key_store *ks, const char *device, const char *uuid)
{
- size_t i, j, len;
+ size_t i, j, nmemb;
char **r;
char *s;

/* We know the returned list must have at least one element and not
* more than ks->nr_keys.
*/
- len = 1;
- if (ks)
- len = MIN (1, ks->nr_keys);
- r = calloc (len+1, sizeof (char *));
+ nmemb = 1;
+ if (ks && ks->nr_keys > nmemb)
+ nmemb = ks->nr_keys;
+
+ /* make room for the terminating NULL */
+ if (nmemb == (size_t)-1)
+ error (EXIT_FAILURE, 0, _("size_t overflow"));
+ nmemb++;
+
+ r = calloc (nmemb, sizeof (char *));
if (r == NULL)
error (EXIT_FAILURE, errno, "calloc");

diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 9ceef5623..efa35b29d 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
The solution is to update qemu to a version containing the fix (see
L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).

+=head2 CVE-2022-2211
+
+L<https://bugzilla.redhat.com/CVE-2022-2211>
+
+The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
+those I<--key> options from the command line into a new array that match
+a particular block device that's being decrypted for inspection. The
+function intends to size the result array such that potentially all
+I<--key> options, plus a terminating C<NULL> element, fit into it. The
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
+only one element is allocated before the C<NULL> terminator.
+
+Passing precisely two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> to overwrite the
+terminating C<NULL>, leading to an out-of-bounds read in
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
+
+Passing more than two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> itself to perform
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
+later on.
+
+This issue affects -- broadly speaking -- all libguestfs-based utilities
+that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
+C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
+C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
+
=head1 SEE ALSO

L<guestfs(3)>,
--
2.31.1

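Review bot: this removes the only mention of CVE-2022-2211 (rhbz#2100862) in the patch set while the rebase commit message cites only rhbz#2059285, so the fix loses its trail in dist-git history. The actual correction is the get_keys() sizing shown here (`nmemb = ks->nr_keys` in place of `len = MIN (1, ks->nr_keys)`, plus the `(size_t)-1` check before `nmemb++`), delivered through the common submodule bump f8de5508f..35467027f; the commit message should state that 1.48.4 already contains upstream 99844660b48ed809e37378262c65d63df6ce4a53 and the corresponding submodule commit, so the CVE remains traceable and the branch can be audited for the fix without rebuilding.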
@ -1,414 +0,0 @@
|
|||||||
From 212708dee7c5c483dd0ce76889f7e20abba7f859 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Date: Thu, 30 Jun 2022 14:20:48 +0200
|
|
||||||
Subject: [PATCH] guestfish, guestmount: enable networking for "--key
|
|
||||||
ID:clevis"
|
|
||||||
|
|
||||||
Call the C-language helper key_store_requires_network() in guestfish and
|
|
||||||
guestmount.
|
|
||||||
|
|
||||||
(Short log for the "common" submodule, commit range
|
|
||||||
35467027f657..af6cb55bc58a:
|
|
||||||
|
|
||||||
Laszlo Ersek (12):
|
|
||||||
options: fix UUID comparison logic bug in get_keys()
|
|
||||||
mltools/tools_utils: remove unused function "key_store_to_cli"
|
|
||||||
mltools/tools_utils: allow multiple "--key" options for OCaml tools too
|
|
||||||
options: replace NULL-termination with number-of-elements in get_keys()
|
|
||||||
options: wrap each passphrase from get_keys() into a struct
|
|
||||||
options: add back-end for LUKS decryption with Clevis+Tang
|
|
||||||
options: introduce selector type "key_clevis"
|
|
||||||
options: generalize "--key" selector parsing for C-language utilities
|
|
||||||
mltools/tools_utils-c: handle internal type error with abort()
|
|
||||||
mltools/tools_utils: generalize "--key" selector parsing for OCaml utils
|
|
||||||
options, mltools/tools_utils: parse "--key ID:clevis" options
|
|
||||||
options, mltools/tools_utils: add helper for network dependency
|
|
||||||
).
|
|
||||||
|
|
||||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
|
|
||||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
|
||||||
Message-Id: <20220630122048.19335-4-lersek@redhat.com>
|
|
||||||
(cherry picked from commit 6a5b44f538065a9f661510234a4235bf38348213)
|
|
||||||
---
|
|
||||||
common | 2 +-
|
|
||||||
fish/fish.c | 3 +++
|
|
||||||
fuse/guestmount.c | 4 ++++
|
|
||||||
3 files changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
Submodule common 35467027f..af6cb55bc:
|
|
||||||
diff --git a/common/options/decrypt.c b/common/options/decrypt.c
|
|
||||||
index 1cd7b627e..97c8b88d1 100644
|
|
||||||
--- a/common/options/decrypt.c
|
|
||||||
+++ b/common/options/decrypt.c
|
|
||||||
@@ -124,10 +124,10 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables,
|
|
||||||
while ((mountable = *mnt_scan++) != NULL) {
|
|
||||||
CLEANUP_FREE char *type = NULL;
|
|
||||||
CLEANUP_FREE char *uuid = NULL;
|
|
||||||
- CLEANUP_FREE_STRING_LIST char **keys = NULL;
|
|
||||||
+ struct matching_key *keys;
|
|
||||||
+ size_t nr_matches;
|
|
||||||
CLEANUP_FREE char *mapname = NULL;
|
|
||||||
- const char * const *key_scan;
|
|
||||||
- const char *key;
|
|
||||||
+ size_t scan;
|
|
||||||
|
|
||||||
type = guestfs_vfs_type (g, mountable);
|
|
||||||
if (type == NULL)
|
|
||||||
@@ -144,33 +144,45 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables,
|
|
||||||
/* Grab the keys that we should try with this device, based on device name,
|
|
||||||
* or UUID (if any).
|
|
||||||
*/
|
|
||||||
- keys = get_keys (ks, mountable, uuid);
|
|
||||||
- assert (keys[0] != NULL);
|
|
||||||
+ keys = get_keys (ks, mountable, uuid, &nr_matches);
|
|
||||||
+ assert (nr_matches > 0);
|
|
||||||
|
|
||||||
/* Generate a node name for the plaintext (decrypted) device node. */
|
|
||||||
if (uuid == NULL || asprintf (&mapname, "luks-%s", uuid) == -1)
|
|
||||||
mapname = make_mapname (mountable);
|
|
||||||
|
|
||||||
/* Try each key in turn. */
|
|
||||||
- key_scan = (const char * const *)keys;
|
|
||||||
- while ((key = *key_scan++) != NULL) {
|
|
||||||
+ for (scan = 0; scan < nr_matches; ++scan) {
|
|
||||||
+ struct matching_key *key = keys + scan;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
guestfs_push_error_handler (g, NULL, NULL);
|
|
||||||
- r = guestfs_cryptsetup_open (g, mountable, key, mapname, -1);
|
|
||||||
+ assert (key->clevis == (key->passphrase == NULL));
|
|
||||||
+ if (key->clevis)
|
|
||||||
+#ifdef GUESTFS_HAVE_CLEVIS_LUKS_UNLOCK
|
|
||||||
+ r = guestfs_clevis_luks_unlock (g, mountable, mapname);
|
|
||||||
+#else
|
|
||||||
+ error (EXIT_FAILURE, 0,
|
|
||||||
+ _("'clevis_luks_unlock', needed for decrypting %s, is "
|
|
||||||
+ "unavailable in this libguestfs version"), mountable);
|
|
||||||
+#endif
|
|
||||||
+ else
|
|
||||||
+ r = guestfs_cryptsetup_open (g, mountable, key->passphrase, mapname,
|
|
||||||
+ -1);
|
|
||||||
guestfs_pop_error_handler (g);
|
|
||||||
|
|
||||||
if (r == 0)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (key == NULL)
|
|
||||||
+ if (scan == nr_matches)
|
|
||||||
error (EXIT_FAILURE, 0,
|
|
||||||
_("could not find key to open LUKS encrypted %s.\n\n"
|
|
||||||
"Try using --key on the command line.\n\n"
|
|
||||||
"Original error: %s (%d)"),
|
|
||||||
mountable, guestfs_last_error (g), guestfs_last_errno (g));
|
|
||||||
|
|
||||||
+ free_keys (keys, nr_matches);
|
|
||||||
decrypted_some = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/common/options/key-option.pod b/common/options/key-option.pod
|
|
||||||
index 90a3b15c5..6bc04df17 100644
|
|
||||||
--- a/common/options/key-option.pod
|
|
||||||
+++ b/common/options/key-option.pod
|
|
||||||
@@ -14,4 +14,13 @@ Use the specified C<KEY_STRING> as passphrase.
|
|
||||||
|
|
||||||
Read the passphrase from F<FILENAME>.
|
|
||||||
|
|
||||||
+=item B<--key> C<ID>:clevis
|
|
||||||
+
|
|
||||||
+Attempt passphrase-less unlocking for C<ID> with Clevis, over the
|
|
||||||
+network. Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
|
|
||||||
+information on network-bound disk encryption (NBDE).
|
|
||||||
+
|
|
||||||
+Note that if any such option is present on the command line, QEMU user
|
|
||||||
+networking will be automatically enabled for the libguestfs appliance.
|
|
||||||
+
|
|
||||||
=back
|
|
||||||
diff --git a/common/options/keys.c b/common/options/keys.c
|
|
||||||
index d27a7123e..d987ae561 100644
|
|
||||||
--- a/common/options/keys.c
|
|
||||||
+++ b/common/options/keys.c
|
|
||||||
@@ -125,11 +125,12 @@ read_first_line_from_file (const char *filename)
|
|
||||||
* keystore. There may be multiple. If none are read from the
|
|
||||||
* keystore, ask the user.
|
|
||||||
*/
|
|
||||||
-char **
|
|
||||||
-get_keys (struct key_store *ks, const char *device, const char *uuid)
|
|
||||||
+struct matching_key *
|
|
||||||
+get_keys (struct key_store *ks, const char *device, const char *uuid,
|
|
||||||
+ size_t *nr_matches)
|
|
||||||
{
|
|
||||||
- size_t i, j, nmemb;
|
|
||||||
- char **r;
|
|
||||||
+ size_t i, nmemb;
|
|
||||||
+ struct matching_key *r, *match;
|
|
||||||
char *s;
|
|
||||||
|
|
||||||
/* We know the returned list must have at least one element and not
@@ -139,22 +140,20 @@ get_keys (struct key_store *ks, const char *device, const char *uuid)
if (ks && ks->nr_keys > nmemb)
nmemb = ks->nr_keys;

- /* make room for the terminating NULL */
- if (nmemb == (size_t)-1)
+ if (nmemb > (size_t)-1 / sizeof *r)
error (EXIT_FAILURE, 0, _("size_t overflow"));
- nmemb++;

- r = calloc (nmemb, sizeof (char *));
+ r = malloc (nmemb * sizeof *r);
if (r == NULL)
- error (EXIT_FAILURE, errno, "calloc");
+ error (EXIT_FAILURE, errno, "malloc");

- j = 0;
+ match = r;

if (ks) {
for (i = 0; i < ks->nr_keys; ++i) {
struct key_store_key *key = &ks->keys[i];

- if (STRNEQ (key->id, device) && (uuid && STRNEQ (key->id, uuid)))
+ if (STRNEQ (key->id, device) && (!uuid || STRNEQ (key->id, uuid)))
continue;

switch (key->type) {
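Review bot: the rewrite of the match condition from `(uuid && STRNEQ (key->id, uuid))` to `(!uuid || STRNEQ (key->id, uuid))` is a behaviour fix buried in a feature patch. With the old expression and a NULL uuid the `continue` could never fire, so every key in the store was returned for every device; with the new one a key whose ID is neither the device nor the UUID is skipped. That changes which passphrases are tried against a device that has no LUKS UUID, so it deserves a sentence in the commit message or its own patch. The overflow guard `nmemb > (size_t)-1 / sizeof *r` ahead of `malloc (nmemb * sizeof *r)` is the correct form for the new element size.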
@@ -162,68 +161,101 @@ get_keys (struct key_store *ks, const char *device, const char *uuid)
s = strdup (key->string.s);
if (!s)
error (EXIT_FAILURE, errno, "strdup");
- r[j++] = s;
+ match->clevis = false;
+ match->passphrase = s;
+ ++match;
break;
case key_file:
s = read_first_line_from_file (key->file.name);
- r[j++] = s;
+ match->clevis = false;
+ match->passphrase = s;
+ ++match;
+ break;
+ case key_clevis:
+ match->clevis = true;
+ match->passphrase = NULL;
+ ++match;
break;
}
}
}

- if (j == 0) {
+ if (match == r) {
/* Key not found in the key store, ask the user for it. */
s = read_key (device);
if (!s)
error (EXIT_FAILURE, 0, _("could not read key from user"));
- r[0] = s;
+ match->clevis = false;
+ match->passphrase = s;
+ ++match;
}

+ *nr_matches = (size_t)(match - r);
return r;
}

+void
+free_keys (struct matching_key *keys, size_t nr_matches)
+{
+ size_t i;
+
+ for (i = 0; i < nr_matches; ++i) {
+ struct matching_key *key = keys + i;
+
+ assert (key->clevis == (key->passphrase == NULL));
+ if (!key->clevis)
+ free (key->passphrase);
+ }
+ free (keys);
+}
+
struct key_store *
key_store_add_from_selector (struct key_store *ks, const char *selector)
{
- CLEANUP_FREE_STRING_LIST char **fields =
- guestfs_int_split_string (':', selector);
+ CLEANUP_FREE_STRING_LIST char **fields = NULL;
+ size_t field_count;
struct key_store_key key;

+ fields = guestfs_int_split_string (':', selector);
if (!fields)
error (EXIT_FAILURE, errno, "guestfs_int_split_string");
+ field_count = guestfs_int_count_strings (fields);

- if (guestfs_int_count_strings (fields) != 3) {
- invalid_selector:
- error (EXIT_FAILURE, 0, "invalid selector for --key: %s", selector);
- }
-
- /* 1: device */
+ /* field#0: ID */
+ if (field_count < 1)
+ error (EXIT_FAILURE, 0, _("selector '%s': missing ID"), selector);
key.id = strdup (fields[0]);
if (!key.id)
error (EXIT_FAILURE, errno, "strdup");

- /* 2: key type */
- if (STREQ (fields[1], "key"))
+ /* field#1...: TYPE, and TYPE-specific properties */
+ if (field_count < 2)
+ error (EXIT_FAILURE, 0, _("selector '%s': missing TYPE"), selector);
+
+ if (STREQ (fields[1], "key")) {
key.type = key_string;
- else if (STREQ (fields[1], "file"))
- key.type = key_file;
- else
- goto invalid_selector;
-
- /* 3: actual key */
- switch (key.type) {
- case key_string:
+ if (field_count != 3)
+ error (EXIT_FAILURE, 0,
+ _("selector '%s': missing KEY_STRING, or too many fields"),
+ selector);
key.string.s = strdup (fields[2]);
if (!key.string.s)
error (EXIT_FAILURE, errno, "strdup");
- break;
- case key_file:
+ } else if (STREQ (fields[1], "file")) {
+ key.type = key_file;
+ if (field_count != 3)
+ error (EXIT_FAILURE, 0,
+ _("selector '%s': missing FILENAME, or too many fields"),
+ selector);
key.file.name = strdup (fields[2]);
if (!key.file.name)
error (EXIT_FAILURE, errno, "strdup");
- break;
- }
+ } else if (STREQ (fields[1], "clevis")) {
+ key.type = key_clevis;
+ if (field_count != 2)
+ error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);
+ } else
+ error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector);

return key_store_import_key (ks, &key);
}
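Review bot: free_keys() asserts `key->clevis == (key->passphrase == NULL)`, but the key_file branch of get_keys() stores the result of read_first_line_from_file() without checking it. If that function can return NULL (its body is outside this hunk), a non-clevis entry with a NULL passphrase would trip the assert at cleanup instead of producing an error message; either check `s` there, as the key_string branch checks strdup(), or note at the call site that read_first_line_from_file() exits on failure. Also worth recording: because the selector is split on every ':', a KEY_STRING that itself contains ':' is still rejected, now with "missing KEY_STRING, or too many fields" rather than the old "invalid selector", which at least makes the cause visible to the user.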
@@ -252,6 +284,21 @@ key_store_import_key (struct key_store *ks, const struct key_store_key *key)
return ks;
}

+bool
+key_store_requires_network (const struct key_store *ks)
+{
+ size_t i;
+
+ if (ks == NULL)
+ return false;
+
+ for (i = 0; i < ks->nr_keys; ++i)
+ if (ks->keys[i].type == key_clevis)
+ return true;
+
+ return false;
+}
+
void
free_key_store (struct key_store *ks)
{
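Review bot: key_store_requires_network() answers "is any key_clevis entry present", not "will one be used", so an ID:clevis argument whose ID matches nothing still turns the appliance network on. That is the only answer available before launch, since matching happens after the appliance is up, but a short comment on the function stating exactly this, and that callers must invoke it before guestfs_launch(), would keep a later refactor from moving the call to after key matching where it would silently stop working.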
@@ -270,6 +317,9 @@ free_key_store (struct key_store *ks)
case key_file:
free (key->file.name);
break;
+ case key_clevis:
+ /* nothing */
+ break;
}
free (key->id);
}
diff --git a/common/options/options.h b/common/options/options.h
index 80df91a85..60d5d8064 100644
--- a/common/options/options.h
+++ b/common/options/options.h
@@ -115,6 +115,7 @@ struct key_store_key {
enum {
key_string, /* key specified as string */
key_file, /* key stored in a file */
+ key_clevis, /* key reconstructed with Clevis+Tang */
} type;
union {
struct {
@@ -134,6 +135,19 @@ struct key_store {
size_t nr_keys;
};

+/* A key matching a particular ID (pathname of the libguestfs device node that
+ * stands for the encrypted block device, or LUKS UUID).
+ */
+struct matching_key {
+ /* True iff the passphrase should be reconstructed using Clevis, talking to
+ * Tang servers over the network.
+ */
+ bool clevis;
+
+ /* Explicit passphrase, otherwise. */
+ char *passphrase;
+};
+
/* in config.c */
extern void parse_config (void);

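Review bot: struct matching_key introduces a `bool` member, and the key_store_requires_network() prototype added further down returns `bool`, but nothing in this hunk shows options.h including <stdbool.h>. Unless the header already gets it through another include, add `#include <stdbool.h>` here rather than relying on every file that includes options.h to have done so first.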
@@ -151,9 +165,12 @@ extern void print_inspect_prompt (void);

/* in key.c */
extern char *read_key (const char *param);
-extern char **get_keys (struct key_store *ks, const char *device, const char *uuid);
+extern struct matching_key *get_keys (struct key_store *ks, const char *device,
+ const char *uuid, size_t *nr_matches);
+extern void free_keys (struct matching_key *keys, size_t nr_matches);
extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char *selector);
extern struct key_store *key_store_import_key (struct key_store *ks, const struct key_store_key *key);
+extern bool key_store_requires_network (const struct key_store *ks);
extern void free_key_store (struct key_store *ks);

/* in options.c */
diff --git a/fish/fish.c b/fish/fish.c
index 23d9bb94f..19e3d2799 100644
--- a/fish/fish.c
+++ b/fish/fish.c
@@ -476,6 +476,9 @@ main (int argc, char *argv[])
/* If we've got drives to add, add them now. */
add_drives (drvs);

+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
+ exit (EXIT_FAILURE);
+
/* If we've got mountpoints or prepared drives or -i option, we must
* launch the guest and mount them.
*/
diff --git a/fuse/guestmount.c b/fuse/guestmount.c
index 77c534828..3c6d57bde 100644
--- a/fuse/guestmount.c
+++ b/fuse/guestmount.c
@@ -348,6 +348,10 @@ main (int argc, char *argv[])

/* Do the guest drives and mountpoints. */
add_drives (drvs);
+
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
+ exit (EXIT_FAILURE);
+
if (guestfs_launch (g) == -1)
exit (EXIT_FAILURE);
if (inspector)
--
2.31.1

@@ -47,8 +47,8 @@
 Summary: Access and modify virtual machine disk images
 Name: libguestfs
 Epoch: 1
-Version: 1.48.3
-Release: 5%{?dist}
+Version: 1.48.4
+Release: 1%{?dist}
 License: LGPLv2+

 # Build only for architectures that have a kernel
@@ -94,26 +94,13 @@ Patch0005: 0005-lib-drive_create_data-drive-remove-field-iface.patch
 Patch0006: 0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch
 Patch0007: 0007-tests-regressions-remove-iface-based-restrictions.patch
 Patch0008: 0008-generator-customize-invert-SELinux-relabeling-defaul.patch
-# *NB* I modified this patch by hand to remove references to any
-# files in common/mlcustomize. This directory is not included
-# in the libguestfs tarball.
-Patch0009: 0009-update-common-submodule.patch
-Patch0010: 0010-generator-customize-reintroduce-selinux-relabel-as-a.patch
-# *NB* This patch only references common/mlcustomize, so it is removed.
-#Patch0011: 0011-update-common-submodule.patch
-Patch0012: 0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
-Patch0013: 0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
-Patch0014: 0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
-Patch0015: 0015-build-Pick-first-field-in-ID_LIKE.patch
-Patch0016: 0016-appliance-daemon-disable-lvm2-devicesfile.patch
-Patch0017: 0017-php-add-arginfo-to-php-bindings.patch
-# *NB* I modified this patch by hand to remove references to any
-# files in common/mlcustomize.
-Patch0018: 0018-docs-guestfs-security-document-CVE-2022-2211.patch
-Patch0019: 0019-introduce-the-clevis_luks_unlock-API.patch
-# *NB* I modified this patch by hand to remove references to any
-# files in common/mltools.
-Patch0020: 0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
+Patch0009: 0009-generator-customize-reintroduce-selinux-relabel-as-a.patch
+Patch0010: 0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
+Patch0011: 0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+Patch0012: 0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
+Patch0013: 0013-php-add-arginfo-to-php-bindings.patch
+Patch0014: 0014-introduce-the-clevis_luks_unlock-API.patch
+Patch0015: 0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch

 %if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool, gettext-devel
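Review bot: the "*NB* I modified this patch by hand to remove references to any files in common/mltools" note that sat in front of the old Patch0020 disappears from the new list, yet the renumbered Patch0015 (the clevis networking patch whose content is shown above) still touches only common/options, fish and fuse in the hunks visible here. If the patch is still hand-trimmed, keep the note next to Patch0015 so the next rebase knows the OCaml tools under common/mltools are not covered by it; if the trimming is no longer needed, say so in the changelog.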
@@ -1149,8 +1136,8 @@ rm ocaml/html/.gitignore


 %changelog
-* Mon Jul 04 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.48.3-5
-- Rebase to new stable branch version 1.48.3
+* Wed Jul 06 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.48.4-1
+- Rebase to new stable branch version 1.48.4
 resolves: rhbz#2059285
 - Disable 5-level page tables when using -cpu max
 resolves: rhbz#2084568

sources
@@ -1,2 +1,2 @@
-SHA512 (libguestfs-1.48.3.tar.gz) = d88b7869e6098af1f7748dc2e8163b245ea251fcdf962a71e3735f5a1748c9e87a17be259802da3e0bb13569d7f7233b2c5a554b20a2a7758e1974a30a70b786
-SHA512 (libguestfs-1.48.3.tar.gz.sig) = f372cddfb661727c7e33505b9f038828e8341a229098c089b0b9f2167fc6308045e402cbfea653dfc0bd5343e2c9f9e2757af7923515615ac38430c132620de7
+SHA512 (libguestfs-1.48.4.tar.gz) = 76b942de88fa6fb48db667054a2c4fc23dd17b0a6083cddd51f1a77fdac24c0c7acd6be5234ada955b4afa94b0d8023aab50aa152465a6bc65f0e21d4195d50c
+SHA512 (libguestfs-1.48.4.tar.gz.sig) = 4c8e1a58e60214b1189501a96c20349d1ab8ccb9be5d75389342ca40b35a561812889b363edaccb8df5b999d0d337c3572eff59a086a21ea3c77b601a600efe2