Sync with v1.1.2-maint
Rebuild for libswan soname bump (bz #1009701); CVE-2013-4311: insecure polkit usage (bz #1009539, bz #1005332); CVE-2013-4296: invalid free in memory stats (bz #1006173, bz #1009667); CVE-2013-4297: invalid free in NBDDeviceAssociate (bz #1006505, bz #1006511); fix virsh block-commit abort (bz #1010056)
This commit is contained in:
parent
40d99010e1
commit
adeaf839fd
@ -1,7 +1,7 @@
|
|||||||
From cc80f2dc06d46cb32a5cd6d12c6c47ddf64e72b6 Mon Sep 17 00:00:00 2001
|
From 0f30e63c7d763278204f99e10ba47b08457f1d41 Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Mon, 2 Sep 2013 11:23:59 +0100
|
Date: Mon, 2 Sep 2013 11:23:59 +0100
|
||||||
Subject: [PATCH 1/8] qemu: Set QEMU_AUDIO_DRV=none with -nographic
|
Subject: [PATCH] qemu: Set QEMU_AUDIO_DRV=none with -nographic
|
||||||
|
|
||||||
On my machine, a guest fails to boot if it has a sound card, but not
|
On my machine, a guest fails to boot if it has a sound card, but not
|
||||||
graphical device/display is configured, because pulseaudio fails to
|
graphical device/display is configured, because pulseaudio fails to
|
||||||
@ -3568,6 +3568,3 @@ index 29cf9c3..26038a0 100644
|
|||||||
/usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor \
|
/usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor \
|
||||||
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
|
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
|
||||||
/dev/HostVG/QEMUGuest1 -net none -serial none -parallel none
|
/dev/HostVG/QEMUGuest1 -net none -serial none -parallel none
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,8 +1,7 @@
|
|||||||
From 79c38961565eb2d352f101cbd6806314894614cb Mon Sep 17 00:00:00 2001
|
From 1bab38008dbfb16329e73b419fd9871e6f15990c Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:30 -0400
|
Date: Fri, 30 Aug 2013 12:41:30 -0400
|
||||||
Subject: [PATCH 2/8] domain_conf: Add default memballoon in PostParse
|
Subject: [PATCH] domain_conf: Add default memballoon in PostParse callbacks
|
||||||
callbacks
|
|
||||||
|
|
||||||
This should be a no-op change for now.
|
This should be a no-op change for now.
|
||||||
---
|
---
|
||||||
@ -76,6 +75,3 @@ index cb64de6..6cb4f4f 100644
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 5ed47b89c6cb59c9ec5169bcc99a67e9a75fb2af Mon Sep 17 00:00:00 2001
|
From d85bc1315cc00800ed6d4a1baeda9a91c34e52c4 Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:31 -0400
|
Date: Fri, 30 Aug 2013 12:41:31 -0400
|
||||||
Subject: [PATCH 3/8] qemu: Don't add default memballoon device on ARM
|
Subject: [PATCH] qemu: Don't add default memballoon device on ARM
|
||||||
|
|
||||||
And add test cases for a basic working ARM guest.
|
And add test cases for a basic working ARM guest.
|
||||||
---
|
---
|
||||||
@ -189,6 +189,3 @@ index fac83b2..92433ef 100644
|
|||||||
if (virTestGetDebug()) {
|
if (virTestGetDebug()) {
|
||||||
char *caps_str;
|
char *caps_str;
|
||||||
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 20f2f4c07d8e8d4373094473114ae16909fe4005 Mon Sep 17 00:00:00 2001
|
From c72361536b151a2b9bd839bd528671bafbd5dee2 Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:32 -0400
|
Date: Fri, 30 Aug 2013 12:41:32 -0400
|
||||||
Subject: [PATCH 4/8] qemu: Fix specifying char devs for ARM
|
Subject: [PATCH] qemu: Fix specifying char devs for ARM
|
||||||
|
|
||||||
QEMU ARM boards don't give us any way to explicitly wire in
|
QEMU ARM boards don't give us any way to explicitly wire in
|
||||||
a -chardev, so use the old style -serial options.
|
a -chardev, so use the old style -serial options.
|
||||||
@ -154,6 +154,3 @@ index dfe8142..abe0060 100644
|
|||||||
if ((logfd = qemuDomainOpenLog(driver, vm, pos)) < 0)
|
if ((logfd = qemuDomainOpenLog(driver, vm, pos)) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 5772cbdfb807842685d05665f285745ca79acc89 Mon Sep 17 00:00:00 2001
|
From c8e47add2fe77905523f6112ceb6b844337f6d3f Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:33 -0400
|
Date: Fri, 30 Aug 2013 12:41:33 -0400
|
||||||
Subject: [PATCH 5/8] qemu: Don't try to allocate PCI addresses for ARM
|
Subject: [PATCH] qemu: Don't try to allocate PCI addresses for ARM
|
||||||
|
|
||||||
---
|
---
|
||||||
src/qemu/qemu_command.c | 16 ++++++++++++++--
|
src/qemu/qemu_command.c | 16 ++++++++++++++--
|
||||||
@ -41,6 +41,3 @@ index a8e532c..87345c7 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (obj && obj->privateData) {
|
if (obj && obj->privateData) {
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 019eccdb20e824aabb12da3699664ba2625ef4b4 Mon Sep 17 00:00:00 2001
|
From e534a73a71655d45a0b0af98b4b9b9176d701fb3 Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:34 -0400
|
Date: Fri, 30 Aug 2013 12:41:34 -0400
|
||||||
Subject: [PATCH 6/8] domain_conf: Add disk bus=sd, wire it up for qemu
|
Subject: [PATCH] domain_conf: Add disk bus=sd, wire it up for qemu
|
||||||
|
|
||||||
This corresponds to '-sd' and '-drive if=sd' on the qemu command line.
|
This corresponds to '-sd' and '-drive if=sd' on the qemu command line.
|
||||||
Needed for many ARM boards which don't provide any other way to
|
Needed for many ARM boards which don't provide any other way to
|
||||||
@ -144,6 +144,3 @@ index 87345c7..6733709 100644
|
|||||||
ignore_value(VIR_STRDUP(def->dst, "sda"));
|
ignore_value(VIR_STRDUP(def->dst, "sda"));
|
||||||
} else if (def->bus == VIR_DOMAIN_DISK_BUS_VIRTIO) {
|
} else if (def->bus == VIR_DOMAIN_DISK_BUS_VIRTIO) {
|
||||||
ignore_value(VIR_STRDUP(def->dst, "vda"));
|
ignore_value(VIR_STRDUP(def->dst, "vda"));
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 7a73b81f1021c76d02fe54f927cd033fe949590f Mon Sep 17 00:00:00 2001
|
From b09ab6961b8dd60691839f0b1a5f259925819425 Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:35 -0400
|
Date: Fri, 30 Aug 2013 12:41:35 -0400
|
||||||
Subject: [PATCH 7/8] qemu: Fix networking for ARM guests
|
Subject: [PATCH] qemu: Fix networking for ARM guests
|
||||||
|
|
||||||
Similar to the chardev bit, ARM boards depend on the old style '-net nic'
|
Similar to the chardev bit, ARM boards depend on the old style '-net nic'
|
||||||
for actually instantiating net devices. But we can't block out
|
for actually instantiating net devices. But we can't block out
|
||||||
@ -204,6 +204,3 @@ index cb6106f..6ecabbf 100644
|
|||||||
|
|
||||||
virObjectUnref(driver.config);
|
virObjectUnref(driver.config);
|
||||||
virObjectUnref(driver.caps);
|
virObjectUnref(driver.caps);
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 1ec41110747764f89f522e9e010326944da8d96d Mon Sep 17 00:00:00 2001
|
From cddd76962c2a0fcbb8c80240d234b7d0d657324d Mon Sep 17 00:00:00 2001
|
||||||
From: Cole Robinson <crobinso@redhat.com>
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 12:41:36 -0400
|
Date: Fri, 30 Aug 2013 12:41:36 -0400
|
||||||
Subject: [PATCH 8/8] qemu: Support virtio-mmio transport for virtio on ARM
|
Subject: [PATCH] qemu: Support virtio-mmio transport for virtio on ARM
|
||||||
|
|
||||||
Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a
|
Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a
|
||||||
hardcoded virtio-mmio transport which enables attaching all virtio
|
hardcoded virtio-mmio transport which enables attaching all virtio
|
||||||
@ -446,6 +446,3 @@ index 6ecabbf..ae8cc3b 100644
|
|||||||
|
|
||||||
virObjectUnref(driver.config);
|
virObjectUnref(driver.config);
|
||||||
virObjectUnref(driver.caps);
|
virObjectUnref(driver.caps);
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
||||||
|
@ -0,0 +1,26 @@
|
|||||||
|
From 580025d7a58ee4c07312d33aa78186dbe7e0d9ee Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Privoznik <mprivozn@redhat.com>
|
||||||
|
Date: Tue, 3 Sep 2013 18:56:06 +0200
|
||||||
|
Subject: [PATCH] virFileNBDDeviceAssociate: Avoid use of uninitialized
|
||||||
|
variable
|
||||||
|
|
||||||
|
The @qemunbd variable can be used uninitialized.
|
||||||
|
|
||||||
|
(cherry picked from commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2)
|
||||||
|
---
|
||||||
|
src/util/virfile.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/virfile.c b/src/util/virfile.c
|
||||||
|
index 2b07ac9..7af0843 100644
|
||||||
|
--- a/src/util/virfile.c
|
||||||
|
+++ b/src/util/virfile.c
|
||||||
|
@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char *file,
|
||||||
|
char **dev)
|
||||||
|
{
|
||||||
|
char *nbddev;
|
||||||
|
- char *qemunbd;
|
||||||
|
+ char *qemunbd = NULL;
|
||||||
|
virCommandPtr cmd = NULL;
|
||||||
|
int ret = -1;
|
||||||
|
const char *fmtstr = NULL;
|
23
0102-Fix-AM_LDFLAGS-typo.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
From a0ed55a9ab7c90723490363febabd27fa59877c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
||||||
|
Date: Sun, 1 Sep 2013 09:53:03 +0200
|
||||||
|
Subject: [PATCH] Fix AM_LDFLAGS typo (cherry picked from commit
|
||||||
|
fe502de3bcdd76a0d256206111945ca7e4f4388a)
|
||||||
|
|
||||||
|
---
|
||||||
|
src/Makefile.am | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index 636bcbc..19dfb81 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -1455,7 +1455,7 @@ libvirt_driver_nwfilter_la_CFLAGS = \
|
||||||
|
-I$(top_srcdir)/src/access \
|
||||||
|
-I$(top_srcdir)/src/conf \
|
||||||
|
$(AM_CFLAGS)
|
||||||
|
-libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS)
|
||||||
|
+libvirt_driver_nwfilter_la_LDFLAGS = $(AM_LDFLAGS)
|
||||||
|
libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
|
88
0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
From bd4e7f927fcc2edcba29e441973389ad845d648c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
||||||
|
Date: Sun, 1 Sep 2013 08:50:58 +0200
|
||||||
|
Subject: [PATCH] Pass AM_LDFLAGS to driver modules too
|
||||||
|
|
||||||
|
This gives us a RO got, otherwise Debian's lintian complains:
|
||||||
|
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_vbox.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_xen.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
|
||||||
|
W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
|
||||||
|
W: libvirt-sanlock: hardening-no-relro usr/lib/libvirt/lock-driver/sanlock.so
|
||||||
|
(cherry picked from commit f1f0e53b0814aab3c093f1219da95c0f836cdf4a)
|
||||||
|
---
|
||||||
|
src/Makefile.am | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index 19dfb81..097682c 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -1000,7 +1000,7 @@ libvirt_driver_xen_la_LIBADD = libvirt_driver_xen_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_xen.la
|
||||||
|
libvirt_driver_xen_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_xen_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_xen_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_xen.la
|
||||||
|
# Stateful, so linked to daemon instead
|
||||||
|
@@ -1050,7 +1050,7 @@ libvirt_driver_vbox_la_LIBADD = libvirt_driver_vbox_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_vbox.la
|
||||||
|
libvirt_driver_vbox_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_vbox.la
|
||||||
|
# GPLv2-only license requries that it be linked into
|
||||||
|
@@ -1083,7 +1083,7 @@ libvirt_driver_libxl_la_LIBADD = libvirt_driver_libxl_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_libxl.la
|
||||||
|
libvirt_driver_libxl_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_libxl.la
|
||||||
|
# Stateful, so linked to daemon instead
|
||||||
|
@@ -1108,7 +1108,7 @@ libvirt_driver_qemu_la_LIBADD = libvirt_driver_qemu_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_qemu.la
|
||||||
|
libvirt_driver_qemu_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_qemu.la
|
||||||
|
# Stateful, so linked to daemon instead
|
||||||
|
@@ -1184,7 +1184,7 @@ libvirt_driver_uml_la_LIBADD = libvirt_driver_uml_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_uml.la
|
||||||
|
libvirt_driver_uml_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_uml_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_uml_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_uml.la
|
||||||
|
# Stateful, so linked to daemon instead
|
||||||
|
@@ -1361,7 +1361,7 @@ libvirt_driver_storage_la_LIBADD = libvirt_driver_storage_impl.la
|
||||||
|
if WITH_DRIVER_MODULES
|
||||||
|
mod_LTLIBRARIES += libvirt_driver_storage.la
|
||||||
|
libvirt_driver_storage_la_LIBADD += ../gnulib/lib/libgnu.la
|
||||||
|
-libvirt_driver_storage_la_LDFLAGS = -module -avoid-version
|
||||||
|
+libvirt_driver_storage_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
else
|
||||||
|
noinst_LTLIBRARIES += libvirt_driver_storage.la
|
||||||
|
# Stateful, so linked to daemon instead
|
||||||
|
@@ -2114,7 +2114,7 @@ if WITH_SANLOCK
|
||||||
|
lockdriver_LTLIBRARIES += sanlock.la
|
||||||
|
sanlock_la_SOURCES = $(LOCK_DRIVER_SANLOCK_SOURCES)
|
||||||
|
sanlock_la_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
|
||||||
|
-sanlock_la_LDFLAGS = -module -avoid-version
|
||||||
|
+sanlock_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
|
||||||
|
sanlock_la_LIBADD = -lsanlock_client \
|
||||||
|
../gnulib/lib/libgnu.la
|
||||||
|
|
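Review bot: Each of the seven `_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)` lines now carries the hardening link flags silently, and nothing in Makefile.am records why, so the next module rule added without `$(AM_LDFLAGS)` will quietly regress the RELRO fix the description cites; a comment above the first such rule, e.g. `# $(AM_LDFLAGS) carries the hardening link flags (RELRO); every module rule must include it`, would make the invariant visible. The lintian list in the description also names libvirt_driver_nwfilter.so, which this patch does not touch — presumably covered by the preceding AM_LDFLAGS typo fix — so that rule is worth confirming. Other driver modules (lxc, network, interface, nodedev, secret) do not appear in these hunks; whether they already pass `$(AM_LDFLAGS)` cannot be seen from here.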
125
0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
Normal file
@ -0,0 +1,125 @@
|
|||||||
|
From bcba68498f698dedfdc83687c72e0e6dd7dc0e96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Eric Blake <eblake@redhat.com>
|
||||||
|
Date: Fri, 13 Sep 2013 10:11:26 -0600
|
||||||
|
Subject: [PATCH] build: fix build with latest rawhide kernel headers
|
||||||
|
|
||||||
|
Bother those kernel developers. In the latest rawhide, kernel
|
||||||
|
and glibc have now been unified so that <netinet/in.h> and
|
||||||
|
<linux/in6.h> no longer clash; but <linux/if_bridge.h> is still
|
||||||
|
not self-contained. Because of the latest header change, the
|
||||||
|
build is failing with:
|
||||||
|
|
||||||
|
checking for linux/param.h... no
|
||||||
|
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support
|
||||||
|
|
||||||
|
with details:
|
||||||
|
|
||||||
|
In file included from conftest.c:561:0:
|
||||||
|
/usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type
|
||||||
|
struct in6_addr flr_dst;
|
||||||
|
|
||||||
|
We need a workaround to avoid our workaround :)
|
||||||
|
|
||||||
|
* configure.ac (NETINET_LINUX_WORKAROUND): New test.
|
||||||
|
* src/util/virnetdevbridge.c (includes): Use it.
|
||||||
|
|
||||||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||||
|
(cherry picked from commit e62e0094dcd0ca1484491a9cc62919473b647f11)
|
||||||
|
---
|
||||||
|
configure.ac | 39 +++++++++++++++++++++++++++++----------
|
||||||
|
src/util/virnetdevbridge.c | 24 ++++++++++++++----------
|
||||||
|
2 files changed, 43 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index f853e03..1956717 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1003,18 +1003,37 @@ dnl check for kernel headers required by src/bridge.c
|
||||||
|
dnl
|
||||||
|
if test "$with_linux" = "yes"; then
|
||||||
|
if test "$with_qemu" = "yes" || test "$with_lxc" = "yes" ; then
|
||||||
|
+ # Various kernel versions have headers that are not self-standing, but
|
||||||
|
+ # yet are incompatible with the corresponding glibc headers. In order
|
||||||
|
+ # to guarantee compilation across a wide range of versions (from RHEL 5
|
||||||
|
+ # to rawhide), we first have to probe whether glibc and kernel can be
|
||||||
|
+ # used in tandem; and if not, provide workarounds that ensure that
|
||||||
|
+ # ABI-compatible IPv6 types are present for use by the kernel headers.
|
||||||
|
+ # These probes mirror the usage in virnetdevbridge.c
|
||||||
|
+ AC_CACHE_CHECK(
|
||||||
|
+ [whether <linux/*.h> and <netinet/*.h> headers are compatible],
|
||||||
|
+ [lv_cv_netinet_linux_compatible],
|
||||||
|
+ [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||||
|
+ #include <netinet/in.h>
|
||||||
|
+ #include <linux/in6.h>
|
||||||
|
+ ]])],
|
||||||
|
+ [lv_cv_netinet_linux_compatible=yes],
|
||||||
|
+ [lv_cv_netinet_linux_compatible=no])])
|
||||||
|
+ if test "x$lv_cv_netinet_linux_compatible" != xyes; then
|
||||||
|
+ AC_DEFINE([NETINET_LINUX_WORKAROUND], [1],
|
||||||
|
+ [define to 1 if Linux kernel headers require a workaround to avoid
|
||||||
|
+ compilation errors when mixed with glibc netinet headers])
|
||||||
|
+ fi
|
||||||
|
AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
|
||||||
|
[AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])],
|
||||||
|
- [[/* The kernel folks broke their headers when used with particular
|
||||||
|
- * glibc versions; although the structs are ABI compatible, the
|
||||||
|
- * C type system doesn't like struct redefinitions. We work around
|
||||||
|
- * the problem here in the same manner as in virnetdevbridge.c. */
|
||||||
|
- #include <netinet/in.h>
|
||||||
|
- #define in6_addr in6_addr_
|
||||||
|
- #define sockaddr_in6 sockaddr_in6_
|
||||||
|
- #define ipv6_mreq ipv6_mreq_
|
||||||
|
- #define in6addr_any in6addr_any_
|
||||||
|
- #define in6addr_loopback in6addr_loopback_
|
||||||
|
+ [[#include <netinet/in.h>
|
||||||
|
+ #if NETINET_LINUX_WORKAROUND
|
||||||
|
+ # define in6_addr in6_addr_
|
||||||
|
+ # define sockaddr_in6 sockaddr_in6_
|
||||||
|
+ # define ipv6_mreq ipv6_mreq_
|
||||||
|
+ # define in6addr_any in6addr_any_
|
||||||
|
+ # define in6addr_loopback in6addr_loopback_
|
||||||
|
+ #endif
|
||||||
|
#include <linux/in6.h>
|
||||||
|
]])
|
||||||
|
fi
|
||||||
|
diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
|
||||||
|
index e4daa27..1a3740a 100644
|
||||||
|
--- a/src/util/virnetdevbridge.c
|
||||||
|
+++ b/src/util/virnetdevbridge.c
|
||||||
|
@@ -39,22 +39,26 @@
|
||||||
|
#ifdef __linux__
|
||||||
|
# include <linux/sockios.h>
|
||||||
|
# include <linux/param.h> /* HZ */
|
||||||
|
+# if NETINET_LINUX_WORKAROUND
|
||||||
|
/* Depending on the version of kernel vs. glibc, there may be a collision
|
||||||
|
* between <net/in.h> and kernel IPv6 structures. The different types
|
||||||
|
* are ABI compatible, but choke the C type system; work around it by
|
||||||
|
* using temporary redefinitions. */
|
||||||
|
-# define in6_addr in6_addr_
|
||||||
|
-# define sockaddr_in6 sockaddr_in6_
|
||||||
|
-# define ipv6_mreq ipv6_mreq_
|
||||||
|
-# define in6addr_any in6addr_any_
|
||||||
|
-# define in6addr_loopback in6addr_loopback_
|
||||||
|
+# define in6_addr in6_addr_
|
||||||
|
+# define sockaddr_in6 sockaddr_in6_
|
||||||
|
+# define ipv6_mreq ipv6_mreq_
|
||||||
|
+# define in6addr_any in6addr_any_
|
||||||
|
+# define in6addr_loopback in6addr_loopback_
|
||||||
|
+# endif
|
||||||
|
# include <linux/in6.h>
|
||||||
|
# include <linux/if_bridge.h> /* SYSFS_BRIDGE_ATTR */
|
||||||
|
-# undef in6_addr
|
||||||
|
-# undef sockaddr_in6
|
||||||
|
-# undef ipv6_mreq
|
||||||
|
-# undef in6addr_any
|
||||||
|
-# undef in6addr_loopback
|
||||||
|
+# if NETINET_LINUX_WORKAROUND
|
||||||
|
+# undef in6_addr
|
||||||
|
+# undef sockaddr_in6
|
||||||
|
+# undef ipv6_mreq
|
||||||
|
+# undef in6addr_any
|
||||||
|
+# undef in6addr_loopback
|
||||||
|
+# endif
|
||||||
|
|
||||||
|
# define JIFFIES_TO_MS(j) (((j)*1000)/HZ)
|
||||||
|
# define MS_TO_JIFFIES(ms) (((ms)*HZ)/1000)
|
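Review bot: `# if NETINET_LINUX_WORKAROUND` in the virnetdevbridge.c hunk (and the same test in the configure.ac AC_CHECK_HEADERS program, and again before the `# undef` block) relies on an undefined macro evaluating to 0, because the new AC_CACHE_CHECK only AC_DEFINEs the symbol in the incompatible case; under `-Wundef` every compatible-headers build would warn at these three lines. Either test with `# ifdef NETINET_LINUX_WORKAROUND`, or have configure define the symbol to 0 in the `yes` branch so the `#if` form is always well-defined. The `# if` form does work as written, so this is a point of style rather than a defect; whether this tree builds with `-Wundef` cannot be seen from here.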
154
0105-Also-store-user-group-ID-values-in-virIdentity.patch
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
From 2fb7c4d202da975a1498fd205cc3e1bc49595d3c Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Thu, 22 Aug 2013 16:00:01 +0100
|
||||||
|
Subject: [PATCH] Also store user & group ID values in virIdentity
|
||||||
|
|
||||||
|
Future improvements to the polkit code will require access to
|
||||||
|
the numeric user ID, not merely user name.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176)
|
||||||
|
---
|
||||||
|
src/rpc/virnetserverclient.c | 18 ++++++++++++++++++
|
||||||
|
src/util/viridentity.c | 23 +++++++++++++++++++----
|
||||||
|
src/util/viridentity.h | 2 ++
|
||||||
|
3 files changed, 39 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
|
||||||
|
index 83d5cf1..19c4100 100644
|
||||||
|
--- a/src/rpc/virnetserverclient.c
|
||||||
|
+++ b/src/rpc/virnetserverclient.c
|
||||||
|
@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
|
||||||
|
char *processid = NULL;
|
||||||
|
char *processtime = NULL;
|
||||||
|
char *username = NULL;
|
||||||
|
+ char *userid = NULL;
|
||||||
|
char *groupname = NULL;
|
||||||
|
+ char *groupid = NULL;
|
||||||
|
#if WITH_SASL
|
||||||
|
char *saslname = NULL;
|
||||||
|
#endif
|
||||||
|
@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
|
||||||
|
|
||||||
|
if (!(username = virGetUserName(uid)))
|
||||||
|
goto cleanup;
|
||||||
|
+ if (virAsprintf(&userid, "%d", (int)uid) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
if (!(groupname = virGetGroupName(gid)))
|
||||||
|
goto cleanup;
|
||||||
|
+ if (virAsprintf(&userid, "%d", (int)gid) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
if (virAsprintf(&processid, "%llu",
|
||||||
|
(unsigned long long)pid) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
|
||||||
|
username) < 0)
|
||||||
|
goto error;
|
||||||
|
+ if (userid &&
|
||||||
|
+ virIdentitySetAttr(ret,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
|
||||||
|
+ userid) < 0)
|
||||||
|
+ goto error;
|
||||||
|
if (groupname &&
|
||||||
|
virIdentitySetAttr(ret,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
|
||||||
|
groupname) < 0)
|
||||||
|
goto error;
|
||||||
|
+ if (groupid &&
|
||||||
|
+ virIdentitySetAttr(ret,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
|
||||||
|
+ groupid) < 0)
|
||||||
|
+ goto error;
|
||||||
|
if (processid &&
|
||||||
|
virIdentitySetAttr(ret,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
|
||||||
|
@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
VIR_FREE(username);
|
||||||
|
+ VIR_FREE(userid);
|
||||||
|
VIR_FREE(groupname);
|
||||||
|
+ VIR_FREE(groupid);
|
||||||
|
VIR_FREE(processid);
|
||||||
|
VIR_FREE(processtime);
|
||||||
|
VIR_FREE(seccontext);
|
||||||
|
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
|
||||||
|
index 781f660..03c375b 100644
|
||||||
|
--- a/src/util/viridentity.c
|
||||||
|
+++ b/src/util/viridentity.c
|
||||||
|
@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr ident)
|
||||||
|
virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
{
|
||||||
|
char *username = NULL;
|
||||||
|
+ char *userid = NULL;
|
||||||
|
char *groupname = NULL;
|
||||||
|
+ char *groupid = NULL;
|
||||||
|
char *seccontext = NULL;
|
||||||
|
virIdentityPtr ret = NULL;
|
||||||
|
#if WITH_SELINUX
|
||||||
|
@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
|
||||||
|
if (!(username = virGetUserName(getuid())))
|
||||||
|
goto cleanup;
|
||||||
|
+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
if (!(groupname = virGetGroupName(getgid())))
|
||||||
|
goto cleanup;
|
||||||
|
+ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
#if WITH_SELINUX
|
||||||
|
if (getcon(&con) < 0) {
|
||||||
|
@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
if (!(ret = virIdentityNew()))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
- if (username &&
|
||||||
|
- virIdentitySetAttr(ret,
|
||||||
|
+ if (virIdentitySetAttr(ret,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
|
||||||
|
username) < 0)
|
||||||
|
goto error;
|
||||||
|
- if (groupname &&
|
||||||
|
- virIdentitySetAttr(ret,
|
||||||
|
+ if (virIdentitySetAttr(ret,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
|
||||||
|
+ userid) < 0)
|
||||||
|
+ goto error;
|
||||||
|
+ if (virIdentitySetAttr(ret,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
|
||||||
|
groupname) < 0)
|
||||||
|
goto error;
|
||||||
|
+ if (virIdentitySetAttr(ret,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
|
||||||
|
+ groupid) < 0)
|
||||||
|
+ goto error;
|
||||||
|
if (seccontext &&
|
||||||
|
virIdentitySetAttr(ret,
|
||||||
|
VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
|
||||||
|
@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
VIR_FREE(username);
|
||||||
|
+ VIR_FREE(userid);
|
||||||
|
VIR_FREE(groupname);
|
||||||
|
+ VIR_FREE(groupid);
|
||||||
|
VIR_FREE(seccontext);
|
||||||
|
VIR_FREE(processid);
|
||||||
|
return ret;
|
||||||
|
diff --git a/src/util/viridentity.h b/src/util/viridentity.h
|
||||||
|
index 4bae8d6..a240c2d 100644
|
||||||
|
--- a/src/util/viridentity.h
|
||||||
|
+++ b/src/util/viridentity.h
|
||||||
|
@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr;
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
|
||||||
|
VIR_IDENTITY_ATTR_SASL_USER_NAME,
|
@ -0,0 +1,68 @@
|
|||||||
|
From fe544fd4c18d6982e652a1d5cd016816c609b72c Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Wed, 28 Aug 2013 15:22:05 +0100
|
||||||
|
Subject: [PATCH] Ensure system identity includes process start time
|
||||||
|
|
||||||
|
The polkit access driver will want to use the process start
|
||||||
|
time field. This was already set for network identities, but
|
||||||
|
not for the system identity.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit e65667c0c6e016d42abea077e31628ae43f57b74)
|
||||||
|
---
|
||||||
|
src/util/viridentity.c | 16 ++++++++++++++++
|
||||||
|
1 file changed, 16 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
|
||||||
|
index 03c375b..f681f85 100644
|
||||||
|
--- a/src/util/viridentity.c
|
||||||
|
+++ b/src/util/viridentity.c
|
||||||
|
@@ -35,6 +35,7 @@
|
||||||
|
#include "virthread.h"
|
||||||
|
#include "virutil.h"
|
||||||
|
#include "virstring.h"
|
||||||
|
+#include "virprocess.h"
|
||||||
|
|
||||||
|
#define VIR_FROM_THIS VIR_FROM_IDENTITY
|
||||||
|
|
||||||
|
@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
security_context_t con;
|
||||||
|
#endif
|
||||||
|
char *processid = NULL;
|
||||||
|
+ unsigned long long timestamp;
|
||||||
|
+ char *processtime = NULL;
|
||||||
|
|
||||||
|
if (virAsprintf(&processid, "%llu",
|
||||||
|
(unsigned long long)getpid()) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
+ if (virProcessGetStartTime(getpid(), ×tamp) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ if (timestamp != 0 &&
|
||||||
|
+ virAsprintf(&processtime, "%llu", timestamp) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
if (!(username = virGetUserName(getuid())))
|
||||||
|
goto cleanup;
|
||||||
|
if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
|
||||||
|
@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void)
|
||||||
|
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
|
||||||
|
processid) < 0)
|
||||||
|
goto error;
|
||||||
|
+ if (processtime &&
|
||||||
|
+ virIdentitySetAttr(ret,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
|
||||||
|
+ processtime) < 0)
|
||||||
|
+ goto error;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
VIR_FREE(username);
|
||||||
|
@@ -206,6 +221,7 @@ cleanup:
|
||||||
|
VIR_FREE(groupid);
|
||||||
|
VIR_FREE(seccontext);
|
||||||
|
VIR_FREE(processid);
|
||||||
|
+ VIR_FREE(processtime);
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
error:
|
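Review bot: `+ if (timestamp != 0 &&` in the second viridentity.c hunk silently leaves VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME unset when the start time comes back as 0, and nothing says why; a comment such as `/* a start time of 0 means it is unavailable here; leave the attribute unset */` would record the intent, which matters because the description says the polkit driver keys on this field. Whether virProcessGetStartTime reports "unavailable" as 0 rather than as a failure cannot be seen from here, so the comment should be confirmed against that helper. `×tamp` on this page is presumably a rendering artifact of the address-of operator applied to `timestamp`, not what the patch file contains. virIdentityGetSystem begins and ends outside the hunks.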
178
0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
Normal file
@ -0,0 +1,178 @@
|
|||||||
|
From dcba8ce65b0ee9f18dca6ac4bdbb57f5cbcc75c6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Wed, 28 Aug 2013 15:25:40 +0100
|
||||||
|
Subject: [PATCH] Add support for using 3-arg pkcheck syntax for process
|
||||||
|
(CVE-2013-4311)
|
||||||
|
|
||||||
|
With the existing pkcheck (pid, start time) tuple for identifying
|
||||||
|
the process, there is a race condition, where a process can make
|
||||||
|
a libvirt RPC call and in another thread exec a setuid application,
|
||||||
|
causing it to change to effective UID 0. This in turn causes polkit
|
||||||
|
to do its permission check based on the wrong UID.
|
||||||
|
|
||||||
|
To address this, libvirt must get the UID the caller had at time
|
||||||
|
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
|
||||||
|
triple to the pkcheck program.
|
||||||
|
|
||||||
|
This fix requires that libvirt is re-built against a version of
|
||||||
|
polkit that has the fix for its CVE-2013-4288, so that libvirt
|
||||||
|
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
|
||||||
|
|
||||||
|
Signed-off-by: Colin Walters <walters@redhat.com>
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit 922b7fda77b094dbf022d625238262ea05335666)
|
||||||
|
---
|
||||||
|
configure.ac | 8 ++++++++
|
||||||
|
daemon/remote.c | 22 ++++++++++++++++++---
|
||||||
|
libvirt.spec.in | 3 +--
|
||||||
|
src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++-----
|
||||||
|
4 files changed, 63 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 1956717..8baf6fa 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1203,6 +1203,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
|
||||||
|
AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
|
||||||
|
if test "x$PKCHECK_PATH" != "x" ; then
|
||||||
|
AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
|
||||||
|
+ AC_MSG_CHECKING([whether pkcheck supports uid value])
|
||||||
|
+ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
|
||||||
|
+ if test "x$pkcheck_supports_uid" = "xtrue"; then
|
||||||
|
+ AC_MSG_RESULT([yes])
|
||||||
|
+ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
|
||||||
|
+ else
|
||||||
|
+ AC_MSG_RESULT([no])
|
||||||
|
+ fi
|
||||||
|
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
|
||||||
|
[use PolicyKit for UNIX socket access checks])
|
||||||
|
AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
|
||||||
|
diff --git a/daemon/remote.c b/daemon/remote.c
|
||||||
|
index 6ace7af..b5395dd 100644
|
||||||
|
--- a/daemon/remote.c
|
||||||
|
+++ b/daemon/remote.c
|
||||||
|
@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
|
||||||
|
int status = -1;
|
||||||
|
char *ident = NULL;
|
||||||
|
bool authdismissed = 0;
|
||||||
|
+ bool supportsuid = false;
|
||||||
|
char *pkout = NULL;
|
||||||
|
struct daemonClientPrivate *priv =
|
||||||
|
virNetServerClientGetPrivateData(client);
|
||||||
|
virCommandPtr cmd = NULL;
|
||||||
|
+ static bool polkitInsecureWarned;
|
||||||
|
|
||||||
|
virMutexLock(&priv->lock);
|
||||||
|
action = virNetServerClientGetReadonly(client) ?
|
||||||
|
@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
|
||||||
|
goto authfail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (timestamp == 0) {
|
||||||
|
+ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
|
||||||
|
+ (long long)callerPid);
|
||||||
|
+ goto authfail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
VIR_INFO("Checking PID %lld running as %d",
|
||||||
|
(long long) callerPid, callerUid);
|
||||||
|
|
||||||
|
virCommandAddArg(cmd, "--process");
|
||||||
|
- if (timestamp != 0) {
|
||||||
|
- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
|
||||||
|
+# ifdef PKCHECK_SUPPORTS_UID
|
||||||
|
+ supportsuid = true;
|
||||||
|
+# endif
|
||||||
|
+ if (supportsuid) {
|
||||||
|
+ virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
|
||||||
|
+ (long long) callerPid, timestamp, (unsigned long) callerUid);
|
||||||
|
} else {
|
||||||
|
- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
|
||||||
|
+ if (!polkitInsecureWarned) {
|
||||||
|
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
|
||||||
|
+ polkitInsecureWarned = true;
|
||||||
|
+ }
|
||||||
|
+ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
|
||||||
|
}
|
||||||
|
virCommandAddArg(cmd, "--allow-user-interaction");
|
||||||
|
|
||||||
|
diff --git a/libvirt.spec.in b/libvirt.spec.in
|
||||||
|
index e94901a..b9c8c91 100644
|
||||||
|
--- a/libvirt.spec.in
|
||||||
|
+++ b/libvirt.spec.in
|
||||||
|
@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel
|
||||||
|
%endif
|
||||||
|
%if %{with_polkit}
|
||||||
|
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
|
||||||
|
-# Only need the binary, not -devel
|
||||||
|
-BuildRequires: polkit >= 0.93
|
||||||
|
+BuildRequires: polkit-devel >= 0.93
|
||||||
|
%else
|
||||||
|
BuildRequires: PolicyKit-devel >= 0.6
|
||||||
|
%endif
|
||||||
|
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
|
||||||
|
index 4c76e64..bb170b5 100644
|
||||||
|
--- a/src/access/viraccessdriverpolkit.c
|
||||||
|
+++ b/src/access/viraccessdriverpolkit.c
|
||||||
|
@@ -72,8 +72,12 @@ static char *
|
||||||
|
virAccessDriverPolkitFormatProcess(const char *actionid)
|
||||||
|
{
|
||||||
|
virIdentityPtr identity = virIdentityGetCurrent();
|
||||||
|
- const char *process = NULL;
|
||||||
|
+ const char *callerPid = NULL;
|
||||||
|
+ const char *callerTime = NULL;
|
||||||
|
+ const char *callerUid = NULL;
|
||||||
|
char *ret = NULL;
|
||||||
|
+ bool supportsuid = false;
|
||||||
|
+ static bool polkitInsecureWarned;
|
||||||
|
|
||||||
|
if (!identity) {
|
||||||
|
virAccessError(VIR_ERR_ACCESS_DENIED,
|
||||||
|
@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const char *actionid)
|
||||||
|
actionid);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
|
||||||
|
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
- if (!process) {
|
||||||
|
+ if (!callerPid) {
|
||||||
|
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||||
|
_("No UNIX process ID available"));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- if (VIR_STRDUP(ret, process) < 0)
|
||||||
|
+ if (!callerTime) {
|
||||||
|
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||||
|
+ _("No UNIX process start time available"));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (!callerUid) {
|
||||||
|
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||||
|
+ _("No UNIX caller UID available"));
|
||||||
|
goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef PKCHECK_SUPPORTS_UID
|
||||||
|
+ supportsuid = true;
|
||||||
|
+#endif
|
||||||
|
+ if (supportsuid) {
|
||||||
|
+ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ } else {
|
||||||
|
+ if (!polkitInsecureWarned) {
|
||||||
|
+ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
|
||||||
|
+ polkitInsecureWarned = true;
|
||||||
|
+ }
|
||||||
|
+ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
virObjectUnref(identity);
|
@ -0,0 +1,38 @@
|
|||||||
|
From 3bee40f9bd3b3c11d782b79eb90f46087d3ab9be Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Tue, 3 Sep 2013 16:52:06 +0100
|
||||||
|
Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
|
||||||
|
|
||||||
|
The 'stats' variable was not initialized to NULL, so if some
|
||||||
|
early validation of the RPC call fails, it is possible to jump
|
||||||
|
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
|
||||||
|
This is a security flaw, since the API can be called from a
|
||||||
|
readonly connection which can trigger the validation checks.
|
||||||
|
|
||||||
|
This was introduced in release v0.9.1 onwards by
|
||||||
|
|
||||||
|
commit 158ba8730e44b7dd07a21ab90499996c5dec080a
|
||||||
|
Author: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
Date: Wed Apr 13 16:21:35 2011 +0100
|
||||||
|
|
||||||
|
Merge all returns paths from dispatcher into single path
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)
|
||||||
|
---
|
||||||
|
daemon/remote.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/daemon/remote.c b/daemon/remote.c
|
||||||
|
index b5395dd..afd9fb5 100644
|
||||||
|
--- a/daemon/remote.c
|
||||||
|
+++ b/daemon/remote.c
|
||||||
|
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
|
||||||
|
remote_domain_memory_stats_ret *ret)
|
||||||
|
{
|
||||||
|
virDomainPtr dom = NULL;
|
||||||
|
- struct _virDomainMemoryStat *stats;
|
||||||
|
+ struct _virDomainMemoryStat *stats = NULL;
|
||||||
|
int nr_stats;
|
||||||
|
size_t i;
|
||||||
|
int rv = -1;
|
@ -0,0 +1,59 @@
|
|||||||
|
From f19543baee399bf6b3d91da38fa0b7025f233dee Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simone Gotti <simone.gotti@gmail.com>
|
||||||
|
Date: Thu, 19 Sep 2013 15:08:29 +0200
|
||||||
|
Subject: [PATCH] virsh: add missing "async" option in opts_block_commit
|
||||||
|
|
||||||
|
After commit 8aecd351266a66efa59b7f7be77bf66693d99ce0 it'll detect
|
||||||
|
that a required option is not defined and it will assert and exit with:
|
||||||
|
|
||||||
|
virsh.c:1364: vshCommandOpt: Assertion `valid->name' failed.
|
||||||
|
|
||||||
|
Problem has been latent since commit ed23b106.
|
||||||
|
|
||||||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||||
|
(cherry picked from commit fe64499dd14315b2d9d62cdf421bd3c97a46b7ac)
|
||||||
|
---
|
||||||
|
tools/virsh-domain.c | 4 ++++
|
||||||
|
tools/virsh.pod | 7 +++++--
|
||||||
|
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
|
||||||
|
index 568d61d..da6ab87 100644
|
||||||
|
--- a/tools/virsh-domain.c
|
||||||
|
+++ b/tools/virsh-domain.c
|
||||||
|
@@ -1544,6 +1544,10 @@ static const vshCmdOptDef opts_block_commit[] = {
|
||||||
|
.type = VSH_OT_INT,
|
||||||
|
.help = N_("with --wait, abort if copy exceeds timeout (in seconds)")
|
||||||
|
},
|
||||||
|
+ {.name = "async",
|
||||||
|
+ .type = VSH_OT_BOOL,
|
||||||
|
+ .help = N_("with --wait, don't wait for cancel to finish")
|
||||||
|
+ },
|
||||||
|
{.name = NULL}
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/tools/virsh.pod b/tools/virsh.pod
|
||||||
|
index 0ae5178..2864f3d 100644
|
||||||
|
--- a/tools/virsh.pod
|
||||||
|
+++ b/tools/virsh.pod
|
||||||
|
@@ -737,7 +737,7 @@ I<domif-setlink>) will accept the MAC address printed by this command.
|
||||||
|
|
||||||
|
=item B<blockcommit> I<domain> I<path> [I<bandwidth>]
|
||||||
|
{[I<base>] | [I<--shallow>]} [I<top>] [I<--delete>]
|
||||||
|
-[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>]]
|
||||||
|
+[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>] [I<--async>]]
|
||||||
|
|
||||||
|
Reduce the length of a backing image chain, by committing changes at the
|
||||||
|
top of the chain (snapshot or delta files) into backing images. By
|
||||||
|
@@ -756,7 +756,10 @@ operation can be checked with B<blockjob>. However, if I<--wait> is
|
||||||
|
specified, then this command will block until the operation completes,
|
||||||
|
or cancel the operation if the optional I<timeout> in seconds elapses
|
||||||
|
or SIGINT is sent (usually with C<Ctrl-C>). Using I<--verbose> along
|
||||||
|
-with I<--wait> will produce periodic status updates.
|
||||||
|
+with I<--wait> will produce periodic status updates. If job cancellation
|
||||||
|
+is triggered, I<--async> will return control to the user as fast as
|
||||||
|
+possible, otherwise the command may continue to block a little while
|
||||||
|
+longer until the job is done cleaning up.
|
||||||
|
|
||||||
|
I<path> specifies fully-qualified path of the disk; it corresponds
|
||||||
|
to a unique target name (<target dev='name'/>) or source file (<source
|
@ -0,0 +1,38 @@
|
|||||||
|
From b4e1fb2febb00173b1489634262169554e8f6a1d Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Mon, 23 Sep 2013 12:46:25 +0100
|
||||||
|
Subject: [PATCH] Fix typo in identity code which is pre-requisite for
|
||||||
|
CVE-2013-4311
|
||||||
|
|
||||||
|
The fix for CVE-2013-4311 had a pre-requisite enhancement
|
||||||
|
to the identity code
|
||||||
|
|
||||||
|
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
|
||||||
|
Author: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
Date: Thu Aug 22 16:00:01 2013 +0100
|
||||||
|
|
||||||
|
Also store user & group ID values in virIdentity
|
||||||
|
|
||||||
|
This had a typo which caused the group ID to overwrite the
|
||||||
|
user ID string. This meant any checks using this would have
|
||||||
|
the wrong ID value. This only affected the ACL code, not the
|
||||||
|
initial polkit auth. It also leaked memory.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
src/rpc/virnetserverclient.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
|
||||||
|
index 19c4100..0b9ab52 100644
|
||||||
|
--- a/src/rpc/virnetserverclient.c
|
||||||
|
+++ b/src/rpc/virnetserverclient.c
|
||||||
|
@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
|
||||||
|
goto cleanup;
|
||||||
|
if (!(groupname = virGetGroupName(gid)))
|
||||||
|
goto cleanup;
|
||||||
|
- if (virAsprintf(&userid, "%d", (int)gid) < 0)
|
||||||
|
+ if (virAsprintf(&groupid, "%d", (int)gid) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
if (virAsprintf(&processid, "%llu",
|
||||||
|
(unsigned long long)pid) < 0)
|
69
0111-Add-a-virNetSocketNewConnectSockFD-method.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From 9e7cec4d755341cfb4c27c16aa59b22135612f0e Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Mon, 23 Sep 2013 12:46:26 +0100
|
||||||
|
Subject: [PATCH] Add a virNetSocketNewConnectSockFD method
|
||||||
|
|
||||||
|
To allow creation of a virNetSocketPtr instance from a pre-opened
|
||||||
|
socketpair FD, add a virNetSocketNewConnectSockFD method.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
src/libvirt_private.syms | 1 +
|
||||||
|
src/rpc/virnetsocket.c | 18 ++++++++++++++++++
|
||||||
|
src/rpc/virnetsocket.h | 2 ++
|
||||||
|
3 files changed, 21 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
|
||||||
|
index 35f0f1b..873d93d 100644
|
||||||
|
--- a/src/libvirt_private.syms
|
||||||
|
+++ b/src/libvirt_private.syms
|
||||||
|
@@ -1008,6 +1008,7 @@ virNetSocketLocalAddrString;
|
||||||
|
virNetSocketNewConnectCommand;
|
||||||
|
virNetSocketNewConnectExternal;
|
||||||
|
virNetSocketNewConnectLibSSH2;
|
||||||
|
+virNetSocketNewConnectSockFD;
|
||||||
|
virNetSocketNewConnectSSH;
|
||||||
|
virNetSocketNewConnectTCP;
|
||||||
|
virNetSocketNewConnectUNIX;
|
||||||
|
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
|
||||||
|
index ae81512..b311aae 100644
|
||||||
|
--- a/src/rpc/virnetsocket.c
|
||||||
|
+++ b/src/rpc/virnetsocket.c
|
||||||
|
@@ -884,6 +884,24 @@ int virNetSocketNewConnectExternal(const char **cmdargv,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
+int virNetSocketNewConnectSockFD(int sockfd,
|
||||||
|
+ virNetSocketPtr *retsock)
|
||||||
|
+{
|
||||||
|
+ virSocketAddr localAddr;
|
||||||
|
+
|
||||||
|
+ localAddr.len = sizeof(localAddr.data);
|
||||||
|
+ if (getsockname(sockfd, &localAddr.data.sa, &localAddr.len) < 0) {
|
||||||
|
+ virReportSystemError(errno, "%s", _("Unable to get local socket name"));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!(*retsock = virNetSocketNew(&localAddr, NULL, true, sockfd, -1, -1)))
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object)
|
||||||
|
{
|
||||||
|
virSocketAddr localAddr;
|
||||||
|
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
|
||||||
|
index ca9ae91..86bc2f6 100644
|
||||||
|
--- a/src/rpc/virnetsocket.h
|
||||||
|
+++ b/src/rpc/virnetsocket.h
|
||||||
|
@@ -97,6 +97,8 @@ int virNetSocketNewConnectLibSSH2(const char *host,
|
||||||
|
int virNetSocketNewConnectExternal(const char **cmdargv,
|
||||||
|
virNetSocketPtr *addr);
|
||||||
|
|
||||||
|
+int virNetSocketNewConnectSockFD(int sockfd,
|
||||||
|
+ virNetSocketPtr *retsock);
|
||||||
|
|
||||||
|
virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object);
|
||||||
|
|
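Review bot: virNetSocketNewConnectSockFD has no comment stating who owns `sockfd` after the call; the test added in the following patch resets `sv[0] = -1` only on success, which implies ownership transfers on success and stays with the caller on failure, and the header should say so explicitly. Suggested doc comment above the prototype in src/rpc/virnetsocket.h: `/* Wrap an already-connected socket FD. On success the returned virNetSocketPtr owns sockfd and will close it; on failure sockfd remains the caller's to close. */`. The getsockname() failure path leaves `*retsock` untouched, so a caller that does not pre-initialize it could read an indeterminate pointer; adding `*retsock = NULL;` at function entry would be cheap, though whether the sibling constructors follow that convention is outside the hunk. The bare `true` passed to virNetSocketNew would also read better with a short comment naming what it selects.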
305
0112-Add-test-case-for-virNetServerClient-object-identity.patch
Normal file
@ -0,0 +1,305 @@
|
|||||||
|
From 7e1b75ca5d4127a86ff1eaa0dfe37b485eeb0a7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Mon, 23 Sep 2013 12:46:27 +0100
|
||||||
|
Subject: [PATCH] Add test case for virNetServerClient object identity code
|
||||||
|
|
||||||
|
Start a test case for the virNetServerClient object, which
|
||||||
|
initially checks the creation of a virIdentityPtr object.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
---
|
||||||
|
cfg.mk | 2 +-
|
||||||
|
tests/Makefile.am | 14 +++-
|
||||||
|
tests/virnetserverclientmock.c | 64 +++++++++++++++++
|
||||||
|
tests/virnetserverclienttest.c | 159 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
4 files changed, 237 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 tests/virnetserverclientmock.c
|
||||||
|
create mode 100644 tests/virnetserverclienttest.c
|
||||||
|
|
||||||
|
diff --git a/cfg.mk b/cfg.mk
|
||||||
|
index 9a9616c..7f817ef 100644
|
||||||
|
--- a/cfg.mk
|
||||||
|
+++ b/cfg.mk
|
||||||
|
@@ -939,7 +939,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \
|
||||||
|
^(bootstrap.conf$$|src/util/virstring\.[ch]$$|examples/domain-events/events-c/event-test\.c$$|tests/vircgroupmock\.c$$)
|
||||||
|
|
||||||
|
exclude_file_name_regexp--sc_prohibit_strdup = \
|
||||||
|
- ^(docs/|examples/|python/|src/util/virstring\.c$$)
|
||||||
|
+ ^(docs/|examples/|python/|src/util/virstring\.c|tests/virnetserverclientmock.c$$)
|
||||||
|
|
||||||
|
exclude_file_name_regexp--sc_prohibit_close = \
|
||||||
|
(\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/vircgroupmock\.c)$$)
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index c800179..ae99b38 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -114,7 +114,7 @@ test_programs = virshtest sockettest \
|
||||||
|
nodeinfotest virbuftest \
|
||||||
|
commandtest seclabeltest \
|
||||||
|
virhashtest virnetmessagetest virnetsockettest \
|
||||||
|
- viratomictest \
|
||||||
|
+ viratomictest virnetserverclienttest \
|
||||||
|
utiltest shunloadtest \
|
||||||
|
virtimetest viruritest virkeyfiletest \
|
||||||
|
virauthconfigtest \
|
||||||
|
@@ -281,6 +281,7 @@ EXTRA_DIST += $(test_scripts)
|
||||||
|
|
||||||
|
test_libraries = libshunload.la \
|
||||||
|
libvirportallocatormock.la \
|
||||||
|
+ virnetserverclientmock.la \
|
||||||
|
vircgroupmock.la \
|
||||||
|
$(NULL)
|
||||||
|
if WITH_QEMU
|
||||||
|
@@ -611,6 +612,17 @@ virnetsockettest_SOURCES = \
|
||||||
|
virnetsockettest.c testutils.h testutils.c
|
||||||
|
virnetsockettest_LDADD = $(LDADDS)
|
||||||
|
|
||||||
|
+virnetserverclienttest_SOURCES = \
|
||||||
|
+ virnetserverclienttest.c \
|
||||||
|
+ testutils.h testutils.c
|
||||||
|
+virnetserverclienttest_LDADD = $(LDADDS)
|
||||||
|
+
|
||||||
|
+virnetserverclientmock_la_SOURCES = \
|
||||||
|
+ virnetserverclientmock.c
|
||||||
|
+virnetserverclientmock_la_CFLAGS = $(AM_CFLAGS)
|
||||||
|
+virnetserverclientmock_la_LDFLAGS = -module -avoid-version \
|
||||||
|
+ -rpath /evil/libtool/hack/to/force/shared/lib/creation
|
||||||
|
+
|
||||||
|
if WITH_GNUTLS
|
||||||
|
virnettlscontexttest_SOURCES = \
|
||||||
|
virnettlscontexttest.c \
|
||||||
|
diff --git a/tests/virnetserverclientmock.c b/tests/virnetserverclientmock.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..caef1e3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/virnetserverclientmock.c
|
||||||
|
@@ -0,0 +1,64 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) 2013 Red Hat, Inc.
|
||||||
|
+ *
|
||||||
|
+ * This library is free software; you can redistribute it and/or
|
||||||
|
+ * modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ * License as published by the Free Software Foundation; either
|
||||||
|
+ * version 2.1 of the License, or (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * This library is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ * Lesser General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ * License along with this library. If not, see
|
||||||
|
+ * <http://www.gnu.org/licenses/>.
|
||||||
|
+ *
|
||||||
|
+ * Author: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <config.h>
|
||||||
|
+
|
||||||
|
+#include "rpc/virnetsocket.h"
|
||||||
|
+#include "virutil.h"
|
||||||
|
+#include "internal.h"
|
||||||
|
+
|
||||||
|
+int virEventAddTimeout(int frequency ATTRIBUTE_UNUSED,
|
||||||
|
+ virEventTimeoutCallback cb ATTRIBUTE_UNUSED,
|
||||||
|
+ void *opaque ATTRIBUTE_UNUSED,
|
||||||
|
+ virFreeCallback ff ATTRIBUTE_UNUSED)
|
||||||
|
+{
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED,
|
||||||
|
+ uid_t *uid,
|
||||||
|
+ gid_t *gid,
|
||||||
|
+ pid_t *pid,
|
||||||
|
+ unsigned long long *timestamp)
|
||||||
|
+{
|
||||||
|
+ *uid = 666;
|
||||||
|
+ *gid = 7337;
|
||||||
|
+ *pid = 42;
|
||||||
|
+ *timestamp = 12345678;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+char *virGetUserName(uid_t uid ATTRIBUTE_UNUSED)
|
||||||
|
+{
|
||||||
|
+ return strdup("astrochicken");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+char *virGetGroupName(gid_t gid ATTRIBUTE_UNUSED)
|
||||||
|
+{
|
||||||
|
+ return strdup("fictionalusers");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int virNetSocketGetSELinuxContext(virNetSocketPtr sock ATTRIBUTE_UNUSED,
|
||||||
|
+ char **context)
|
||||||
|
+{
|
||||||
|
+ if (!(*context = strdup("foo_u:bar_r:wizz_t:s0-s0:c0.c1023")))
|
||||||
|
+ return -1;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
diff --git a/tests/virnetserverclienttest.c b/tests/virnetserverclienttest.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..1ddff3e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/virnetserverclienttest.c
|
||||||
|
@@ -0,0 +1,159 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) 2013 Red Hat, Inc.
|
||||||
|
+ *
|
||||||
|
+ * This library is free software; you can redistribute it and/or
|
||||||
|
+ * modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ * License as published by the Free Software Foundation; either
|
||||||
|
+ * version 2.1 of the License, or (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * This library is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ * Lesser General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ * License along with this library. If not, see
|
||||||
|
+ * <http://www.gnu.org/licenses/>.
|
||||||
|
+ *
|
||||||
|
+ * Author: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <config.h>
|
||||||
|
+
|
||||||
|
+#include "testutils.h"
|
||||||
|
+#include "virerror.h"
|
||||||
|
+#include "rpc/virnetserverclient.h"
|
||||||
|
+
|
||||||
|
+#define VIR_FROM_THIS VIR_FROM_RPC
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_SOCKETPAIR
|
||||||
|
+static int testIdentity(const void *opaque ATTRIBUTE_UNUSED)
|
||||||
|
+{
|
||||||
|
+ int sv[2];
|
||||||
|
+ int ret = -1;
|
||||||
|
+ virNetSocketPtr sock = NULL;
|
||||||
|
+ virNetServerClientPtr client = NULL;
|
||||||
|
+ virIdentityPtr ident = NULL;
|
||||||
|
+ const char *gotUsername = NULL;
|
||||||
|
+ const char *gotUserID = NULL;
|
||||||
|
+ const char *gotGroupname = NULL;
|
||||||
|
+ const char *gotGroupID = NULL;
|
||||||
|
+ const char *gotSELinuxContext = NULL;
|
||||||
|
+
|
||||||
|
+ if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) {
|
||||||
|
+ virReportSystemError(errno, "%s",
|
||||||
|
+ "Cannot create socket pair");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virNetSocketNewConnectSockFD(sv[0], &sock) < 0) {
|
||||||
|
+ virDispatchError(NULL);
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ sv[0] = -1;
|
||||||
|
+
|
||||||
|
+ if (!(client = virNetServerClientNew(sock, 0, false, 1,
|
||||||
|
+# ifdef WITH_GNUTLS
|
||||||
|
+ NULL,
|
||||||
|
+# endif
|
||||||
|
+ NULL, NULL, NULL, NULL))) {
|
||||||
|
+ virDispatchError(NULL);
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!(ident = virNetServerClientGetIdentity(client))) {
|
||||||
|
+ fprintf(stderr, "Failed to create identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virIdentityGetAttr(ident,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
|
||||||
|
+ &gotUsername) < 0) {
|
||||||
|
+ fprintf(stderr, "Missing username in identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (STRNEQ_NULLABLE("astrochicken", gotUsername)) {
|
||||||
|
+ fprintf(stderr, "Want username 'astrochicken' got '%s'\n",
|
||||||
|
+ NULLSTR(gotUsername));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virIdentityGetAttr(ident,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_USER_ID,
|
||||||
|
+ &gotUserID) < 0) {
|
||||||
|
+ fprintf(stderr, "Missing user ID in identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (STRNEQ_NULLABLE("666", gotUserID)) {
|
||||||
|
+ fprintf(stderr, "Want username '666' got '%s'\n",
|
||||||
|
+ NULLSTR(gotUserID));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virIdentityGetAttr(ident,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
|
||||||
|
+ &gotGroupname) < 0) {
|
||||||
|
+ fprintf(stderr, "Missing groupname in identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (STRNEQ_NULLABLE("fictionalusers", gotGroupname)) {
|
||||||
|
+ fprintf(stderr, "Want groupname 'fictionalusers' got '%s'\n",
|
||||||
|
+ NULLSTR(gotGroupname));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virIdentityGetAttr(ident,
|
||||||
|
+ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
|
||||||
|
+ &gotGroupID) < 0) {
|
||||||
|
+ fprintf(stderr, "Missing group ID in identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (STRNEQ_NULLABLE("7337", gotGroupID)) {
|
||||||
|
+ fprintf(stderr, "Want groupname '7337' got '%s'\n",
|
||||||
|
+ NULLSTR(gotGroupID));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (virIdentityGetAttr(ident,
|
||||||
|
+ VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
|
||||||
|
+ &gotSELinuxContext) < 0) {
|
||||||
|
+ fprintf(stderr, "Missing SELinux context in identity\n");
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ if (STRNEQ_NULLABLE("foo_u:bar_r:wizz_t:s0-s0:c0.c1023", gotSELinuxContext)) {
|
||||||
|
+ fprintf(stderr, "Want groupname 'foo_u:bar_r:wizz_t:s0-s0:c0.c1023' got '%s'\n",
|
||||||
|
+ NULLSTR(gotGroupID));
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = 0;
|
||||||
|
+ cleanup:
|
||||||
|
+ virObjectUnref(sock);
|
||||||
|
+ virObjectUnref(client);
|
||||||
|
+ virObjectUnref(ident);
|
||||||
|
+ VIR_FORCE_CLOSE(sv[0]);
|
||||||
|
+ VIR_FORCE_CLOSE(sv[1]);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+mymain(void)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ if (virtTestRun("Identity", 1,
|
||||||
|
+ testIdentity, NULL) < 0)
|
||||||
|
+ ret = -1;
|
||||||
|
+
|
||||||
|
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
+static int
|
||||||
|
+mymain(void)
|
||||||
|
+{
|
||||||
|
+ return AM_TEST_SKIP;
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virnetserverclientmock.so")
|
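Review bot: The SELinux-context mismatch branch in testIdentity prints the wrong variable: `NULLSTR(gotGroupID)` should be `NULLSTR(gotSELinuxContext)`, and its message should say 'Want SELinux context' rather than 'Want groupname'; the user ID and group ID branches likewise say 'Want username' and 'Want groupname' where 'Want user ID' / 'Want group ID' is meant. More importantly, the mock supplies `*pid = 42` and `*timestamp = 12345678`, yet the test never asserts VIR_IDENTITY_ATTR_UNIX_PROCESS_ID or VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, which are exactly the attributes the pkcheck change relies on; two extra checks, shown below, would have caught a copy-paste regression of the kind the previous patch fixes. The expected strings come from the mock so they are stable, assuming virNetServerClientCreateIdentity stores the start time the mock returns.
```c
    /* … unchanged: other locals at the top of testIdentity; add these two … */
    const char *gotProcessID = NULL;
    const char *gotProcessTime = NULL;

    /* … unchanged: socketpair, client creation, username/user ID/group checks … */

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
                           &gotProcessID) < 0) {
        fprintf(stderr, "Missing process ID in identity\n");
        goto cleanup;
    }
    if (STRNEQ_NULLABLE("42", gotProcessID)) {
        fprintf(stderr, "Want process ID '42' got '%s'\n",
                NULLSTR(gotProcessID));
        goto cleanup;
    }

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
                           &gotProcessTime) < 0) {
        fprintf(stderr, "Missing process start time in identity\n");
        goto cleanup;
    }
    if (STRNEQ_NULLABLE("12345678", gotProcessTime)) {
        fprintf(stderr, "Want process start time '12345678' got '%s'\n",
                NULLSTR(gotProcessTime));
        goto cleanup;
    }

    /* … unchanged: SELinux context check, ret = 0, cleanup … */
```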
42
libvirt.spec
@ -13,6 +13,9 @@
|
|||||||
# touch configure.ac or Makefile.am.
|
# touch configure.ac or Makefile.am.
|
||||||
%{!?enable_autotools:%define enable_autotools 0}
|
%{!?enable_autotools:%define enable_autotools 0}
|
||||||
|
|
||||||
|
# Drop after libvirt-1.1.3 is rebased
|
||||||
|
%define enable_autotools 1
|
||||||
|
|
||||||
# A client only build will create a libvirt.so only containing
|
# A client only build will create a libvirt.so only containing
|
||||||
# the generic RPC driver, and test driver and no libvirtd
|
# the generic RPC driver, and test driver and no libvirtd
|
||||||
# Default to a full server + client build
|
# Default to a full server + client build
|
||||||
@ -366,7 +369,7 @@
|
|||||||
Summary: Library providing a simple virtualization API
|
Summary: Library providing a simple virtualization API
|
||||||
Name: libvirt
|
Name: libvirt
|
||||||
Version: 1.1.2
|
Version: 1.1.2
|
||||||
Release: 2%{?dist}%{?extra_release}
|
Release: 3%{?dist}%{?extra_release}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||||
@ -387,6 +390,20 @@ Patch0006: 0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch
|
|||||||
Patch0007: 0007-qemu-Fix-networking-for-ARM-guests.patch
|
Patch0007: 0007-qemu-Fix-networking-for-ARM-guests.patch
|
||||||
Patch0008: 0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
|
Patch0008: 0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
|
||||||
|
|
||||||
|
# Sync with v1.1.2-maint
|
||||||
|
Patch0101: 0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
|
||||||
|
Patch0102: 0102-Fix-AM_LDFLAGS-typo.patch
|
||||||
|
Patch0103: 0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
|
||||||
|
Patch0104: 0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
|
||||||
|
Patch0105: 0105-Also-store-user-group-ID-values-in-virIdentity.patch
|
||||||
|
Patch0106: 0106-Ensure-system-identity-includes-process-start-time.patch
|
||||||
|
Patch0107: 0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
|
||||||
|
Patch0108: 0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
|
||||||
|
Patch0109: 0109-virsh-add-missing-async-option-in-opts_block_commit.patch
|
||||||
|
Patch0110: 0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch
|
||||||
|
Patch0111: 0111-Add-a-virNetSocketNewConnectSockFD-method.patch
|
||||||
|
Patch0112: 0112-Add-test-case-for-virNetServerClient-object-identity.patch
|
||||||
|
|
||||||
%if %{with_libvirtd}
|
%if %{with_libvirtd}
|
||||||
Requires: libvirt-daemon = %{version}-%{release}
|
Requires: libvirt-daemon = %{version}-%{release}
|
||||||
%if %{with_network}
|
%if %{with_network}
|
||||||
@ -608,6 +625,7 @@ BuildRequires: audit-libs-devel
|
|||||||
BuildRequires: systemtap-sdt-devel
|
BuildRequires: systemtap-sdt-devel
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%if %{with_storage_fs}
|
%if %{with_storage_fs}
|
||||||
# For mount/umount in FS driver
|
# For mount/umount in FS driver
|
||||||
BuildRequires: util-linux
|
BuildRequires: util-linux
|
||||||
@ -1172,6 +1190,20 @@ of recent versions of Linux (and other OSes).
|
|||||||
%patch0007 -p1
|
%patch0007 -p1
|
||||||
%patch0008 -p1
|
%patch0008 -p1
|
||||||
|
|
||||||
|
# Sync with v1.1.2-maint
|
||||||
|
%patch0101 -p1
|
||||||
|
%patch0102 -p1
|
||||||
|
%patch0103 -p1
|
||||||
|
%patch0104 -p1
|
||||||
|
%patch0105 -p1
|
||||||
|
%patch0106 -p1
|
||||||
|
%patch0107 -p1
|
||||||
|
%patch0108 -p1
|
||||||
|
%patch0109 -p1
|
||||||
|
%patch0110 -p1
|
||||||
|
%patch0111 -p1
|
||||||
|
%patch0112 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if ! %{with_xen}
|
%if ! %{with_xen}
|
||||||
%define _without_xen --without-xen
|
%define _without_xen --without-xen
|
||||||
@ -2125,6 +2157,14 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 23 2013 Cole Robinson <crobinso@redhat.com> - 1.1.2-3
|
||||||
|
- Sync with v1.1.2-maint
|
||||||
|
- Rebuild for libswan soname bump (bz #1009701)
|
||||||
|
- CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332)
|
||||||
|
- CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667)
|
||||||
|
- CVE-2013-4297: Invalid free in NBDDeviceAssociate (bz #1006505, bz #1006511)
|
||||||
|
- Fix virsh block-commit abort (bz #1010056)
|
||||||
|
|
||||||
* Wed Sep 18 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.2-2
|
* Wed Sep 18 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.2-2
|
||||||
- Rebuild for soname break in openswman package
|
- Rebuild for soname break in openswman package
|
||||||
|
|
||||||
|
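Review bot: The unconditional `%define enable_autotools 1` added under the `%{!?enable_autotools:%define enable_autotools 0}` default makes that default dead and forces autoreconf on every build, yet the comment only says when to drop it, not why it is needed; since Patch0102 and Patch0103 by their names change AM_LDFLAGS in Makefile.am files, which the preceding comment says requires the autotools path, I'd extend it to `# Drop after libvirt-1.1.3 is rebased: Patch0102/0103 touch Makefile.am`, so the override is removed together with those patches and not before. In the Patch01xx block it would also help to record which advisory each backport addresses: the changelog names CVE-2013-4297 for the NBDDeviceAssociate fix (Patch0101) and CVE-2013-4311 for the polkit usage fix (presumably Patch0105–0107 with the identity follow-ups 0110–0112), but only Patch0108 carries its CVE in the file name. A `# CVE-2013-4297` comment above Patch0101 and `# CVE-2013-4311` above Patch0105 would let a later audit map patches to advisories without opening each file.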