import OL nbdkit-1.40.4-4.el10_0

2025-08-12 11:38:52 +00:00
24 changed files with 2512 additions and 951 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/libguestfs.keyring
-SOURCES/nbdkit-1.24.0.tar.gz
+SOURCES/nbdkit-1.40.4.tar.gz
--- a/.nbdkit.metadata
+++ b/.nbdkit.metadata
@ -1,2 +1,2 @@
-1bbc40f501a7fef9eef2a39b701a71aee2fea7c4 SOURCES/libguestfs.keyring
-069720cc0d1502b007652101d293a57d7b4d7c41 SOURCES/nbdkit-1.24.0.tar.gz
+cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring
+b2efd184db679430aa17e70f69077fff4df7f7dd SOURCES/nbdkit-1.40.4.tar.gz
--- a/SOURCES/0001-cache-cow-Fix-data-corruption-in-zero-and-trim-on-un.patch
+++ b/SOURCES/0001-cache-cow-Fix-data-corruption-in-zero-and-trim-on-un.patch
@ -1,82 +0,0 @@
-From 99788909d9ec36e3210cf85976fe5b18da690ddd Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Wed, 4 Aug 2021 20:24:59 +0100
-Subject: [PATCH] cache, cow: Fix data corruption in zero and trim on unaligned
- tail
-
-Commit eb6009b092 ("cache, cow: Reduce use of bounce-buffer") first
-introduced in nbdkit 1.14 added an optimization of the
-read-modify-write mechanism used for unaligned heads and tails when
-zeroing in the cache layer.
-
-Unfortunately the part applied to the tail contained a mistake: It
-zeroes the end of the buffer rather than the beginning.  This causes
-data corruption when you use the zero or trim function with an offset
-and count which is not aligned to the block size.
-
-Although the bug has been around for years, a recent change made it
-more likely to happen.  Commit c1905b0a28 ("cache, cow: Use a 64K
-block size by default") increased the default block size from 4K to
-64K.  Most filesystems use a 4K block size so operations like fstrim
-will make 4K-aligned requests, and with a 4K block size also in the
-cache or cow filter the unaligned case would never have been hit
-before.
-
-We can demonstrate the bug simply by filling a buffer with data
-(100000 bytes in the example), and then trimming that data, which
-ought to zero it out.
-
-Before this commit there is data visible after the trim:
-
-$ nbdkit --filter=cow data "0x21 * 100000" --run 'nbdsh -u $uri -c "h.trim(100000, 0)" ; nbdcopy $uri - | hexdump -C'
-00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-*
-00018000  21 21 21 21 21 21 21 21  21 21 21 21 21 21 21 21  |!!!!!!!!!!!!!!!!|
-*
-000186a0
-
-After this commit the trim completely clears the data:
-
-$ nbdkit --filter=cow data "0x21 * 100000" --run 'nbdsh -u $uri -c "h.trim(100000, 0)" ; nbdcopy $uri - | hexdump -C'
-00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-*
-000186a0
-
-Thanks: Ming Xie for finding the bug
-Fixes: commit eb6009b092ae642ed25f133d487dd40ef7bf70f8
-(cherry picked from commit a0ae7b2158598ce48ac31706319007f716d01c87)
-(cherry picked from commit c0b15574647672cb5c48178333acdd07424692ef)
---
- filters/cache/cache.c | 2 +-
- filters/cow/cow.c     | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/filters/cache/cache.c b/filters/cache/cache.c
-index 91dcc43d..0616cc7b 100644
--- a/filters/cache/cache.c
-+++ b/filters/cache/cache.c
-@@ -493,7 +493,7 @@ cache_zero (struct nbdkit_next_ops *next_ops, void *nxdata,
-     ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock);
-     r = blk_read (next_ops, nxdata, blknum, block, err);
-     if (r != -1) {
-      memset (&block[count], 0, blksize - count);
-+      memset (block, 0, count);
-       r = blk_write (next_ops, nxdata, blknum, block, flags, err);
-     }
-     if (r == -1)
-diff --git a/filters/cow/cow.c b/filters/cow/cow.c
-index 51ca64a4..1cfcc4e7 100644
--- a/filters/cow/cow.c
-+++ b/filters/cow/cow.c
-@@ -419,7 +419,7 @@ cow_zero (struct nbdkit_next_ops *next_ops, void *nxdata,
-     ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock);
-     r = blk_read (next_ops, nxdata, blknum, block, err);
-     if (r != -1) {
-      memset (&block[count], 0, BLKSIZE - count);
-+      memset (block, 0, count);
-       r = blk_write (blknum, block, err);
-     }
-     if (r == -1)
-- 
-2.31.1
-
--- a/SOURCES/0001-vddk-Include-stdbool.h.patch
+++ b/SOURCES/0001-vddk-Include-stdbool.h.patch
@ -0,0 +1,28 @@
+From 9f86b51b4d8110ee82f2c67c3939c85ce0ec1ea9 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 6 Jan 2025 15:22:05 +0000
+Subject: [PATCH] vddk: Include <stdbool.h>
+
+Since this file uses booleans.
+
+Acked-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit fe855addae44e45e2344a33bd3857c561587f12e)
+---
+ plugins/vddk/worker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/vddk/worker.c b/plugins/vddk/worker.c
+index 467d00ca..5982fcea 100644
+--- a/plugins/vddk/worker.c
+++ b/plugins/vddk/worker.c
+@@ -34,6 +34,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+#include <stdbool.h>
+ #include <stdint.h>
+ #include <inttypes.h>
+ 
+-- 
+2.43.0
+
--- a/SOURCES/0002-server-CVE-2021-3716-reset-structured-replies-on-sta.patch
+++ b/SOURCES/0002-server-CVE-2021-3716-reset-structured-replies-on-sta.patch
@ -1,94 +0,0 @@
-From 6b9d4380df9bd0be91f49aad8c4f47b4e672adde Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Mon, 16 Aug 2021 13:43:29 -0500
-Subject: [PATCH] server: CVE-2021-3716 reset structured replies on starttls
-
-https://nostarttls.secvuln.info/ pointed out a series of CVEs in
-common implementation flaw in various SMTP and IMAP clients and
-servers, all with a common thread of improperly caching plaintext
-state across the STARTTLS encryption boundary; and recommended that
-other protocols with a STARTTLS operation perform a similar audit.
-
-It turns out that nbdkit has the same vulnerability in regards to the
-NBD protocol: when nbdkit is run in opportunistic TLS mode, an
-attacker is able to inject a plaintext NBD_OPT_STRUCTURED_REPLY before
-proxying everything else a client sends to the server; if the server
-then acts on that plaintext request (as nbdkit did before this patch),
-then the server ends up sending structured replies to at least
-NBD_CMD_READ, even though the client was assuming that the transition
-to TLS has ruled out a MitM attack.
-
-On the bright side, nbdkit's behavior on a second
-NBD_OPT_STRUCTURED_REPLY was to still reply with success, so a client
-that always requests structured replies after starting TLS sees no
-difference in behavior (that is, qemu 2.12 and later are immune) (had
-nbdkit given an error to the second request, that may have caused
-confusion to more clients).  And there is always the mitigation of
-using --tls=require, which lets nbdkit reject the MitM message
-pre-encryption.  However, nbd-client 3.15 to the present do not
-understand structured replies, and I have confirmed that a MitM
-attacker can thus cause a denial-of-service attack that does not
-trigger until the client does its first encrypted NBD_CMD_READ.
-
-The NBD spec has been recently tightened to declare the nbdkit
-behavior to be a security hole:
-https://github.com/NetworkBlockDevice/nbd/commit/77e55378096aa
-Fixes: eaa4c6e9a2c4bd (server: Minimal implementation of NBD Structured Replies.)
-
-(cherry picked from commit 09a13dafb7bb3a38ab52eb5501cba786365ba7fd)
-(cherry picked from commit 6185b15a81e6915734d678f0781e31d45a7941a1)
---
- docs/nbdkit-security.pod             | 11 +++++++++--
- server/protocol-handshake-newstyle.c |  3 ++-
- 2 files changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/docs/nbdkit-security.pod b/docs/nbdkit-security.pod
-index 3a28e54d..5a4e6da8 100644
--- a/docs/nbdkit-security.pod
-+++ b/docs/nbdkit-security.pod
-@@ -10,7 +10,7 @@ For how to report new security issues, see the C<SECURITY> file in the
- top level source directory, also available online here:
- L<https://github.com/libguestfs/nbdkit/blob/master/SECURITY>
- 
-=head2 CVE-2019-14850 
-+=head2 CVE-2019-14850
- denial of service due to premature opening of back-end connection
- 
- See the full announcement and links to mitigation, tests and fixes
-@@ -26,6 +26,13 @@ See the full announcement and links to mitigation, tests and fixes
- here:
- https://www.redhat.com/archives/libguestfs/2019-September/msg00272.html
- 
-+=head2 CVE-2021-3716
-+structured read denial of service attack against starttls
-+
-+See the full announcement and links to mitigation, tests and fixes
-+here:
-+https://www.redhat.com/archives/libguestfs/2021-August/msg00083.html
-+
- =head1 SEE ALSO
- 
- L<nbdkit(1)>.
-@@ -38,4 +45,4 @@ Richard W.M. Jones
- 
- =head1 COPYRIGHT
- 
-Copyright (C) 2013-2020 Red Hat Inc.
-+Copyright (C) 2013-2021 Red Hat Inc.
-diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
-index 0a76a814..b94950e2 100644
--- a/server/protocol-handshake-newstyle.c
-+++ b/server/protocol-handshake-newstyle.c
-@@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
-           return -1;
-         conn->using_tls = true;
-         debug ("using TLS on this connection");
-        /* Wipe out any cached default export name. */
-+        /* Wipe out any cached state. */
-+        conn->structured_replies = false;
-         for_each_backend (b) {
-           struct handle *h = get_handle (conn, b->i);
-           free (h->default_exportname);
-- 
-2.31.1
-
--- a/SOURCES/0002-vddk-Cache-the-disk-size-in-the-handle.patch
+++ b/SOURCES/0002-vddk-Cache-the-disk-size-in-the-handle.patch
@ -0,0 +1,59 @@
+From bfac699727ccf20757dcb5dc4ce1aff885025c9d Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 6 Jan 2025 16:47:55 +0000
+Subject: [PATCH] vddk: Cache the disk size in the handle
+
+No functional change here, we're just making sure we have the disk
+size (in bytes) available in the handle.
+
+Acked-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 2ba76db4a048471e997e508715081a70356f94f3)
+---
+ plugins/vddk/vddk.c | 6 +++---
+ plugins/vddk/vddk.h | 3 +++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
+index 6d242515..7a830cf9 100644
+--- a/plugins/vddk/vddk.c
+++ b/plugins/vddk/vddk.c
+@@ -873,19 +873,19 @@ vddk_get_size (void *handle)
+ {
+   struct vddk_handle *h = handle;
+   VixDiskLibInfo *info;
+-  int64_t size;
+   struct command info_cmd = { .type = INFO, .ptr = &info };
+ 
+   if (send_command_and_wait (h, &info_cmd) == -1)
+     return -1;
+ 
+-  size = info->capacity * (int64_t)VIXDISKLIB_SECTOR_SIZE;
+  /* Compute the size and cache it into the handle. */
+  h->size = info->capacity * VIXDISKLIB_SECTOR_SIZE;
+ 
+   VDDK_CALL_START (VixDiskLib_FreeInfo, "info")
+     VixDiskLib_FreeInfo (info);
+   VDDK_CALL_END (VixDiskLib_FreeInfo, 0);
+ 
+-  return size;
+  return h->size;
+ }
+ 
+ /* Advertise most efficient block sizes. */
+diff --git a/plugins/vddk/vddk.h b/plugins/vddk/vddk.h
+index fb0c79a8..1d1069cc 100644
+--- a/plugins/vddk/vddk.h
+++ b/plugins/vddk/vddk.h
+@@ -165,6 +165,9 @@ struct vddk_handle {
+   command_queue commands;          /* command queue */
+   pthread_cond_t commands_cond;    /* condition (queue size 0 -> 1) */
+   uint64_t id;                     /* next command ID */
+
+  /* Cached disk size in bytes (set in get_size()). */
+  uint64_t size;
+ };
+ 
+ /* reexec.c */
+-- 
+2.43.0
+
--- a/SOURCES/0003-server-reset-meta-context-replies-on-starttls.patch
+++ b/SOURCES/0003-server-reset-meta-context-replies-on-starttls.patch
@ -1,40 +0,0 @@
-From add9b794b9dc697a1b52115c997fcfb6e06bf64c Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Mon, 16 Aug 2021 13:43:29 -0500
-Subject: [PATCH] server: reset meta context replies on starttls
-
-Related to CVE-2021-3716, but not as severe.  No compliant client will
-send NBD_CMD_BLOCK_STATUS unless it first negotiates
-NBD_OPT_SET_META_CONTEXT.  If an attacker injects a premature
-SET_META_CONTEXT, either the client will never notice (because it
-never uses BLOCK_STATUS), or the client will overwrite the attacker's
-attempt with the client's own SET_META_CONTEXT request after
-encryption is enabled.  So I don't class this as having the potential
-to trigger denial-of-service due to any protocol mismatch between
-compliant client and server (I don't care what happens with
-non-compliant clients).
-
-Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".)
-(cherry picked from commit 6c5faac6a37077cf2366388a80862bb00616d0d8)
-(cherry picked from commit 814d8103fb4b581dc01dfd25d2cd81596576f211)
---
- server/protocol-handshake-newstyle.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
-index b94950e2..eb0f3961 100644
--- a/server/protocol-handshake-newstyle.c
-+++ b/server/protocol-handshake-newstyle.c
-@@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void)
-         debug ("using TLS on this connection");
-         /* Wipe out any cached state. */
-         conn->structured_replies = false;
-+        free (conn->exportname_from_set_meta_context);
-+        conn->exportname_from_set_meta_context = NULL;
-+        conn->meta_context_base_allocation = false;
-         for_each_backend (b) {
-           struct handle *h = get_handle (conn, b->i);
-           free (h->default_exportname);
-- 
-2.31.1
-
--- a/SOURCES/0003-vddk-do_extents-Mark-some-local-variables-const.patch
+++ b/SOURCES/0003-vddk-do_extents-Mark-some-local-variables-const.patch
@ -0,0 +1,34 @@
+From dff3fc3b97aab79f6ee168a9b9dd2dff05425439 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 6 Jan 2025 15:37:54 +0000
+Subject: [PATCH] vddk: do_extents: Mark some local variables const
+
+These are never changed in the code (they are fields copied out from
+the *cmd struct), so mark them as const.
+
+Acked-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 24fd7df460ae31fe3f72b5100ca3dbe138bbadbe)
+---
+ plugins/vddk/worker.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/vddk/worker.c b/plugins/vddk/worker.c
+index 5982fcea..bc015d16 100644
+--- a/plugins/vddk/worker.c
+++ b/plugins/vddk/worker.c
+@@ -388,9 +388,9 @@ add_extent (struct nbdkit_extents *extents,
+ static int
+ do_extents (struct command *cmd, struct vddk_handle *h)
+ {
+-  uint32_t count = cmd->count;
+-  uint64_t offset = cmd->offset;
+-  bool req_one = cmd->req_one;
+  const uint32_t count = cmd->count;
+  const uint64_t offset = cmd->offset;
+  const bool req_one = cmd->req_one;
+   struct nbdkit_extents *extents = cmd->ptr;
+   uint64_t position, end, start_sector;
+ 
+-- 
+2.43.0
+
--- a/SOURCES/0004-cow-Fix-for-qemu-6.1-which-requires-backing-format.patch
+++ b/SOURCES/0004-cow-Fix-for-qemu-6.1-which-requires-backing-format.patch
@ -1,59 +0,0 @@
-From 3c2879a38c299b725091cea45329879e3f46fc99 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 31 Aug 2021 11:23:27 +0100
-Subject: [PATCH] cow: Fix for qemu 6.1 which requires backing format
-
-The diffing example in the manual created a qcow2 file with a backing
-file but did not specify the backing format.  However qemu 6.1 now
-requires this and fails with:
-
-  qemu-img: cow-diff.qcow2: Backing file specified without backing format
-
-or:
-
-  qemu-img: Could not change the backing file to 'cow-base.img': backing format must be specified
-
-Fix the example by adding the -F option to the command line.
-
-Also there was a test of this rebasing sequence which failed, so this
-commit updates the test too.
-
-(cherry picked from commit 618290ef33ce13b75c1a79fea1f1ffb327b5ba07)
---
- filters/cow/nbdkit-cow-filter.pod | 4 ++--
- tests/test-cow.sh                 | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/filters/cow/nbdkit-cow-filter.pod b/filters/cow/nbdkit-cow-filter.pod
-index 4d5ae856..510bdd40 100644
--- a/filters/cow/nbdkit-cow-filter.pod
-+++ b/filters/cow/nbdkit-cow-filter.pod
-@@ -101,8 +101,8 @@ At the end, disconnect the client.
- Run these C<qemu-img> commands to construct a qcow2 file containing
- the differences:
- 
- qemu-img create -f qcow2 -b nbd:localhost diff.qcow2
- qemu-img rebase -b disk.img diff.qcow2
-+ qemu-img create -F raw -b nbd:localhost -f qcow2 diff.qcow2
-+ qemu-img rebase -F raw -b disk.img -f qcow2 diff.qcow2
- 
- F<diff.qcow2> now contains the differences between the base
- (F<disk.img>) and the changes stored in nbdkit-cow-filter.  C<nbdkit>
-diff --git a/tests/test-cow.sh b/tests/test-cow.sh
-index 8772afd7..edc4c223 100755
--- a/tests/test-cow.sh
-+++ b/tests/test-cow.sh
-@@ -72,8 +72,8 @@ fi
- # If we have qemu-img, try the hairy rebase operation documented
- # in the nbdkit-cow-filter manual.
- if qemu-img --version >/dev/null 2>&1; then
-    qemu-img create -f qcow2 -b nbd:unix:$sock cow-diff.qcow2
-    time qemu-img rebase -b cow-base.img cow-diff.qcow2
-+    qemu-img create -F raw -b nbd:unix:$sock -f qcow2 cow-diff.qcow2
-+    time qemu-img rebase -F raw -b cow-base.img -f qcow2 cow-diff.qcow2
-     qemu-img info cow-diff.qcow2
- 
-     # This checks the file we created exists.
-- 
-2.31.1
-
--- a/SOURCES/0004-vddk-do_extents-Exit-the-function-if-we-hit-req_one-.patch
+++ b/SOURCES/0004-vddk-do_extents-Exit-the-function-if-we-hit-req_one-.patch
@ -0,0 +1,31 @@
+From 5f7e5399aa4b208cb6aa0c51dbea59f73fd4d5f3 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 6 Jan 2025 16:39:51 +0000
+Subject: [PATCH] vddk: do_extents: Exit the function if we hit req_one
+ condition
+
+No change to the functionality, since the code previously called
+'return 0' immediately following the loop.
+
+Acked-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 2f4d71f8f704d89d69cd635791c3239d2f44d631)
+---
+ plugins/vddk/worker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/vddk/worker.c b/plugins/vddk/worker.c
+index bc015d16..112111e3 100644
+--- a/plugins/vddk/worker.c
+++ b/plugins/vddk/worker.c
+@@ -471,7 +471,7 @@ do_extents (struct command *cmd, struct vddk_handle *h)
+      * overlapping the original offset we're done.
+      */
+     if (req_one && position > offset)
+-      break;
+      return 0;
+   }
+ 
+   return 0;
+-- 
+2.43.0
+
--- a/SOURCES/0005-vddk-Include-VDDK-major-library-version-in-dump-plug.patch
+++ b/SOURCES/0005-vddk-Include-VDDK-major-library-version-in-dump-plug.patch
@ -1,141 +0,0 @@
-From 9e20e2696fdb68008c9b4f1c36298f813320e381 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Sat, 23 Oct 2021 16:16:39 +0100
-Subject: [PATCH] vddk: Include VDDK major library version in --dump-plugin
- output
-
-Although it doesn't seem to be possible to get the precise VDDK
-version, With a relatively simple change we can at least return the
-VDDK major version.  Currently this can be 5, 6 or 7.
-
-(cherry picked from commit 8700649d147948897f3b97810a1dff37924bdd6e)
---
- plugins/vddk/nbdkit-vddk-plugin.pod |  4 ++++
- plugins/vddk/vddk.c                 | 29 +++++++++++++++++++----------
- tests/test-vddk-real-dump-plugin.sh |  2 ++
- 3 files changed, 25 insertions(+), 10 deletions(-)
-
-diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
-index 8b14eda0..822b96be 100644
--- a/plugins/vddk/nbdkit-vddk-plugin.pod
-+++ b/plugins/vddk/nbdkit-vddk-plugin.pod
-@@ -417,6 +417,10 @@ at runtime.
- If this is printed then the C<nfchostport=PORT> parameter is supported
- by this build.
- 
-+=item C<vddk_library_version=...>
-+
-+The VDDK major library version: 5, 6, 7, ...
-+
- =item C<vddk_dll=...>
- 
- Prints the full path to the VDDK shared library.  Since this requires
-diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
-index 69193504..291283f4 100644
--- a/plugins/vddk/vddk.c
-+++ b/plugins/vddk/vddk.c
-@@ -77,6 +77,7 @@ int vddk_debug_datapath = 1;
- static void *dl;                           /* dlopen handle */
- static bool init_called;                   /* was InitEx called */
- static __thread int error_suppression;     /* threadlocal error suppression */
-+static int library_version;                /* VDDK major: 5, 6, 7, ... */
- 
- static enum { NONE = 0, ZLIB, FASTLZ, SKIPZ } compression; /* compression */
- static char *config;                       /* config */
-@@ -297,7 +298,10 @@ vddk_config (const char *key, const char *value)
- static void
- load_library (bool load_error_is_fatal)
- {
-  static const char *sonames[] = {
-+  static struct {
-+    const char *soname;
-+    int library_version;
-+  } libs[] = {
-     /* Prefer the newest library in case multiple exist.  Check two
-      * possible directories: the usual VDDK installation puts .so
-      * files in an arch-specific subdirectory of $libdir (our minimum
-@@ -305,12 +309,13 @@ load_library (bool load_error_is_fatal)
-      * but our testsuite is easier to write if we point libdir
-      * directly to a stub .so.
-      */
-    "lib64/libvixDiskLib.so.7",
-    "libvixDiskLib.so.7",
-    "lib64/libvixDiskLib.so.6",
-    "libvixDiskLib.so.6",
-    "lib64/libvixDiskLib.so.5",
-    "libvixDiskLib.so.5",
-+    { "lib64/libvixDiskLib.so.7", 7 },
-+    { "libvixDiskLib.so.7",       7 },
-+    { "lib64/libvixDiskLib.so.6", 6 },
-+    { "libvixDiskLib.so.6",       6 },
-+    { "lib64/libvixDiskLib.so.5", 5 },
-+    { "libvixDiskLib.so.5",       5 },
-+    { NULL }
-   };
-   size_t i;
-   CLEANUP_FREE char *orig_error = NULL;
-@@ -323,19 +328,20 @@ load_library (bool load_error_is_fatal)
-     }
-   }
- 
-  for (i = 0; i < sizeof sonames / sizeof sonames[0]; ++i) {
-+  for (i = 0; libs[i].soname != NULL; ++i) {
-     CLEANUP_FREE char *path;
- 
-     /* Set the full path so that dlopen will preferentially load the
-      * system libraries from the same directory.
-      */
-    if (asprintf (&path, "%s/%s", libdir, sonames[i]) == -1) {
-+    if (asprintf (&path, "%s/%s", libdir, libs[i].soname) == -1) {
-       nbdkit_error ("asprintf: %m");
-       exit (EXIT_FAILURE);
-     }
- 
-     dl = dlopen (path, RTLD_NOW);
-     if (dl != NULL) {
-+      library_version = libs[i].library_version;
-       /* Now that we found the library, ensure that LD_LIBRARY_PATH
-        * includes its directory for all future loads.  This may modify
-        * path in-place and/or re-exec nbdkit, but that's okay.
-@@ -356,10 +362,12 @@ load_library (bool load_error_is_fatal)
-                   "If '%s' is located on a non-standard path you may need to\n"
-                   "set libdir=/path/to/vmware-vix-disklib-distrib.\n\n"
-                   "See nbdkit-vddk-plugin(1) man page section \"LIBRARY LOCATION\" for details.",
-                  orig_error ? : "(unknown error)", sonames[0]);
-+                  orig_error ? : "(unknown error)", libs[0].soname);
-     exit (EXIT_FAILURE);
-   }
- 
-+  assert (library_version >= 5);
-+
-   /* Load symbols. */
- #define STUB(fn,ret,args)                                         \
-   do {                                                            \
-@@ -474,6 +482,7 @@ vddk_dump_plugin (void)
- 
-   printf ("vddk_default_libdir=%s\n", VDDK_LIBDIR);
-   printf ("vddk_has_nfchostport=1\n");
-+  printf ("vddk_library_version=%d\n", library_version);
- 
- #if defined(HAVE_DLADDR)
-   /* It would be nice to print the version of VDDK from the shared
-diff --git a/tests/test-vddk-real-dump-plugin.sh b/tests/test-vddk-real-dump-plugin.sh
-index 1479e416..59c79693 100755
--- a/tests/test-vddk-real-dump-plugin.sh
-+++ b/tests/test-vddk-real-dump-plugin.sh
-@@ -51,10 +51,12 @@ rm -f $files
- cleanup_fn rm -f $files
- 
- nbdkit -f -v vddk libdir="$vddkdir" --dump-plugin > $out
-+cat $out
- 
- # Check the vddk_* entries are set.
- grep ^vddk_default_libdir= $out
- grep ^vddk_has_nfchostport= $out
-+grep ^vddk_library_version= $out
- grep ^vddk_dll= $out
- 
- dll="$(grep ^vddk_dll $out | cut -d= -f2)"
-- 
-2.31.1
-
--- a/SOURCES/0005-vddk-do_extents-Avoid-reading-partial-chunk-beyond-t.patch
+++ b/SOURCES/0005-vddk-do_extents-Avoid-reading-partial-chunk-beyond-t.patch
@ -0,0 +1,202 @@
+From fe65a789da92e53bfd3f3814f1c93566f69591db Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 6 Jan 2025 15:45:35 +0000
+Subject: [PATCH] vddk: do_extents: Avoid reading partial chunk beyond the end
+ of the disk
+
+The QueryAllocatedBlocks API has (another) frustrating feature.  It
+can only query whole "chunks" (128 sectors).  If the disk size is not
+aligned to the chunk size (say the size was 129 sectors) then there's
+a bit at the end which cannot be queried.  Furthermore, the API gives
+an error in this case instead of being helpful:
+
+  VixDiskLib_QueryAllocatedBlocks: One of the parameters was invalid
+
+Fixes: https://issues.redhat.com/browse/RHEL-71694
+Reported-by: Ming Xie <mxie@redhat.com>
+Acked-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit fd918f3d1a185fd996999766c75acb9d6e22395d)
+---
+ plugins/vddk/worker.c                   | 29 ++++++++-
+ tests/Makefile.am                       |  5 +-
+ tests/test-vddk-real-unaligned-chunk.sh | 82 +++++++++++++++++++++++++
+ 3 files changed, 113 insertions(+), 3 deletions(-)
+ create mode 100755 tests/test-vddk-real-unaligned-chunk.sh
+
+diff --git a/plugins/vddk/worker.c b/plugins/vddk/worker.c
+index 112111e3..8a91250a 100644
+--- a/plugins/vddk/worker.c
+++ b/plugins/vddk/worker.c
+@@ -392,10 +392,9 @@ do_extents (struct command *cmd, struct vddk_handle *h)
+   const uint64_t offset = cmd->offset;
+   const bool req_one = cmd->req_one;
+   struct nbdkit_extents *extents = cmd->ptr;
+-  uint64_t position, end, start_sector;
+  uint64_t position, start_sector, size_sectors, last_queryable_sector, end;
+ 
+   position = offset;
+-  end = offset + count;
+ 
+   /* We can only query whole chunks.  Therefore start with the
+    * first chunk before offset.
+@@ -403,6 +402,21 @@ do_extents (struct command *cmd, struct vddk_handle *h)
+   start_sector =
+     ROUND_DOWN (offset, VIXDISKLIB_MIN_CHUNK_SIZE * VIXDISKLIB_SECTOR_SIZE)
+     / VIXDISKLIB_SECTOR_SIZE;
+
+  /* Calculate the end byte + 1 that we're going to query, normally
+   * this is offset + count.
+   *
+   * However since chunks are larger than sectors, for a disk which
+   * has size which is not aligned to the chunk size there is a part
+   * of the disk at the end that we can never query.  Reduce 'end' to
+   * the maximum possible queryable part of the disk, and we'll deal
+   * with the unaligned bit after the loop (RHEL-71694).
+   */
+  end = offset + count;
+  size_sectors = h->size / VIXDISKLIB_SECTOR_SIZE;
+  last_queryable_sector = ROUND_DOWN (size_sectors, VIXDISKLIB_MIN_CHUNK_SIZE);
+  end = MIN (end, last_queryable_sector * VIXDISKLIB_SECTOR_SIZE);
+
+   while (start_sector * VIXDISKLIB_SECTOR_SIZE < end) {
+     VixError err;
+     uint32_t i;
+@@ -474,6 +488,17 @@ do_extents (struct command *cmd, struct vddk_handle *h)
+       return 0;
+   }
+ 
+  /* If 'end' spanned beyond the last chunk of the disk, then we
+   * reduced it above to avoid reading a chunk that extends beyond the
+   * end of the underlying disk.  We have to synthesize an allocated
+   * block here, which is what VDDK's example code does
+   * (doc/samples/diskLib/vixDiskLibSample.cpp: DoGetAllocatedBlocks).
+   */
+  if (end < offset + count) {
+    if (add_extent (extents, &position, offset + count, false) == -1)
+      return -1;
+  }
+
+   return 0;
+ }
+ 
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c0d1bdcc..94d4a219 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -188,7 +188,8 @@ if HAVE_VDDK
+ check-vddk:
+ 	$(MAKE) check TESTS="test-vddk-real.sh \
+ 	                     test-vddk-real-dump-plugin.sh \
+-	                     test-vddk-real-create.sh"
+	                     test-vddk-real-create.sh \
+	                     test-vddk-real-unaligned-chunk.sh"
+ endif HAVE_VDDK
+ 
+ #----------------------------------------------------------------------
+@@ -1172,6 +1173,7 @@ TESTS += \
+ 	test-vddk-password-interactive.sh \
+ 	test-vddk-real-create.sh \
+ 	test-vddk-real-dump-plugin.sh \
+	test-vddk-real-unaligned-chunk.sh \
+ 	test-vddk-real.sh \
+ 	test-vddk-reexec.sh \
+ 	test-vddk-run.sh \
+@@ -1204,6 +1206,7 @@ EXTRA_DIST += \
+ 	test-vddk-password-interactive.sh \
+ 	test-vddk-real-create.sh \
+ 	test-vddk-real-dump-plugin.sh \
+	test-vddk-real-unaligned-chunk.sh \
+ 	test-vddk-real.sh \
+ 	test-vddk-reexec.sh \
+ 	test-vddk-run.sh \
+diff --git a/tests/test-vddk-real-unaligned-chunk.sh b/tests/test-vddk-real-unaligned-chunk.sh
+new file mode 100755
+index 00000000..28fccd6c
+--- /dev/null
+++ b/tests/test-vddk-real-unaligned-chunk.sh
+@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Regression test for https://issues.redhat.com/browse/RHEL-71694
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+requires test "x$vddkdir" != "x"
+requires test -d "$vddkdir"
+requires test -f "$vddkdir/lib64/libvixDiskLib.so"
+requires qemu-img --version
+requires_nbdinfo
+requires $TRUNCATE --version
+requires dd --version
+requires test -r /dev/urandom
+skip_if_valgrind "because setting LD_LIBRARY_PATH breaks valgrind"
+
+# VDDK > 5.1.1 only supports x86_64.
+if [ `uname -m` != "x86_64" ]; then
+    echo "$0: unsupported architecture"
+    exit 77
+fi
+
+d=vddk-real-unaligned-chunk.d
+cleanup_fn rm -rf $d
+rm -rf $d
+mkdir $d
+
+# Create a vmdk disk which is partially sparse and the size is NOT
+# aligned to 128 sectors (chunk size).
+dd if=/dev/urandom of=$d/test.raw bs=512 count=$(( 3*128 ))
+$TRUNCATE -s $(( (4*128 + 3) * 512)) $d/test.raw
+qemu-img convert -f raw $d/test.raw -O vmdk $d/test.vmdk
+
+# Read the map using VDDK.
+export d
+nbdkit -rfv vddk libdir="$vddkdir" \
+       $PWD/$d/test.vmdk \
+       --run 'nbdinfo --map "$uri" > $d/map'
+cat $d/map
+
+# Note a few features of the expected map.  The first 3 chunks (3*128
+# sectors) are allocated, followed by a single hole chunk.  Then the
+# last 3 unaligned sectors appear allocated (even though they are not)
+# because we could not read them using the QueryAllocatedBlocks API so
+# we had to assume allocated.
+test "$(cat $d/map)" = "\
+         0      196608    0  data
+    196608       65536    3  hole,zero
+    262144        1536    0  data"
+-- 
+2.43.0
+
--- a/SOURCES/0006-server-Fix-.zero-fallback-path.patch
+++ b/SOURCES/0006-server-Fix-.zero-fallback-path.patch
@ -0,0 +1,39 @@
+From 254edc8b3b8d67a952919a32e7aea0e1e8c26b78 Mon Sep 17 00:00:00 2001
+From: Darren Archibald <darren.archibald@oracle.com>
+Date: Wed, 6 Aug 2025 03:29:39 -0700
+Subject: [PATCH] server: Fix .zero fallback path
+
+When no efficient zero method is supported, we fall back to writing a
+buffer of actual zeroes.  However because of an omitted update to
+'offset' we would only zero out (up to) the first 64M of each range.
+nbdcopy defaults to working on blocks of 128M, leaving the second 64M
+unzeroed.
+
+This affects only backing filesystems which do not support fallocate
+FALLOC_FL_PUNCH_HOLE or FALLOC_FL_ZERO_RANGE, which turns out to be
+rare, but it does include some NFS-mounted filesystems which is where
+I saw this problem.
+
+Fixes: commit 19184d3
+Thanks: Alex Kalenyuk
+
+Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
+---
+ server/plugins.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/plugins.c b/server/plugins.c
+index 3c7df0d..db36ce4 100644
+--- a/server/plugins.c
+++ b/server/plugins.c
+@@ -807,6 +807,7 @@ plugin_zero (struct context *c,
+     if (r == -1)
+       break;
+     count -= limit;
+    offset += limit;
+   }
+ 
+  done:
+-- 
+2.31.1
+
--- a/SOURCES/0006-vddk-Only-print-vddk_library_version-when-we-managed.patch
+++ b/SOURCES/0006-vddk-Only-print-vddk_library_version-when-we-managed.patch
@ -1,55 +0,0 @@
-From b8b376cf39d97c9f523a9867612126088b43c523 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Sat, 23 Oct 2021 19:50:52 +0100
-Subject: [PATCH] vddk: Only print vddk_library_version when we managed to load
- the library
-
-Because --dump-plugin calls load_library (false) it won't fail if we
-didn't manage to load the library.  This results in library_version
-being 0, which we printed incorrectly.
-
-Resolve this problem by not printing the vddk_library_version entry in
-this case.
-
-Fixes: commit 8700649d147948897f3b97810a1dff37924bdd6e
-(cherry picked from commit a3fba12c3e9c2113009f556360ae0bd04c45f6bb)
---
- plugins/vddk/nbdkit-vddk-plugin.pod | 1 +
- plugins/vddk/vddk.c                 | 9 ++++++++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
-index 822b96be..c56faddc 100644
--- a/plugins/vddk/nbdkit-vddk-plugin.pod
-+++ b/plugins/vddk/nbdkit-vddk-plugin.pod
-@@ -420,6 +420,7 @@ by this build.
- =item C<vddk_library_version=...>
- 
- The VDDK major library version: 5, 6, 7, ...
-+If this is omitted it means the library could not be loaded.
- 
- =item C<vddk_dll=...>
- 
-diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
-index 291283f4..96615749 100644
--- a/plugins/vddk/vddk.c
-+++ b/plugins/vddk/vddk.c
-@@ -482,7 +482,14 @@ vddk_dump_plugin (void)
- 
-   printf ("vddk_default_libdir=%s\n", VDDK_LIBDIR);
-   printf ("vddk_has_nfchostport=1\n");
-  printf ("vddk_library_version=%d\n", library_version);
-+
-+  /* Because load_library (false) we might not have loaded VDDK, in
-+   * which case we didn't set library_version.  Note this cannot
-+   * happen in the normal (non-debug-plugin) path because there we use
-+   * load_library (true).
-+   */
-+  if (library_version > 0)
-+    printf ("vddk_library_version=%d\n", library_version);
- 
- #if defined(HAVE_DLADDR)
-   /* It would be nice to print the version of VDDK from the shared
-- 
-2.31.1
-
--- a/SOURCES/0007-vddk-Add-support-for-VDDK-8.0.0.patch
+++ b/SOURCES/0007-vddk-Add-support-for-VDDK-8.0.0.patch
@ -1,53 +0,0 @@
-From e850f65053d89ad54c27280f48506da5eb631a68 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Fri, 18 Nov 2022 09:43:19 +0000
-Subject: [PATCH] vddk: Add support for VDDK 8.0.0
-
-There are no changes in any of the structures or enums that we rely on.
-
-Reported-by: Ming Xie
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2143889
-(cherry picked from commit dbe12ed499baeea94d603db55cad9e971e0ebcf0)
---
- plugins/vddk/nbdkit-vddk-plugin.pod | 2 +-
- plugins/vddk/vddk.c                 | 4 +++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
-index c56faddc..c94c41eb 100644
--- a/plugins/vddk/nbdkit-vddk-plugin.pod
-+++ b/plugins/vddk/nbdkit-vddk-plugin.pod
-@@ -419,7 +419,7 @@ by this build.
- 
- =item C<vddk_library_version=...>
- 
-The VDDK major library version: 5, 6, 7, ...
-+The VDDK major library version: 5, 6, 7, 8, ...
- If this is omitted it means the library could not be loaded.
- 
- =item C<vddk_dll=...>
-diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
-index 96615749..2140789a 100644
--- a/plugins/vddk/vddk.c
-+++ b/plugins/vddk/vddk.c
-@@ -77,7 +77,7 @@ int vddk_debug_datapath = 1;
- static void *dl;                           /* dlopen handle */
- static bool init_called;                   /* was InitEx called */
- static __thread int error_suppression;     /* threadlocal error suppression */
-static int library_version;                /* VDDK major: 5, 6, 7, ... */
-+static int library_version;                /* VDDK major: 5, 6, 7, 8, ... */
- 
- static enum { NONE = 0, ZLIB, FASTLZ, SKIPZ } compression; /* compression */
- static char *config;                       /* config */
-@@ -309,6 +309,8 @@ load_library (bool load_error_is_fatal)
-      * but our testsuite is easier to write if we point libdir
-      * directly to a stub .so.
-      */
-+    { "lib64/libvixDiskLib.so.8", 8 },
-+    { "libvixDiskLib.so.8",       8 },
-     { "lib64/libvixDiskLib.so.7", 7 },
-     { "libvixDiskLib.so.7",       7 },
-     { "lib64/libvixDiskLib.so.6", 6 },
-- 
-2.31.1
-
--- a/SOURCES/copy-patches.sh
+++ b/SOURCES/copy-patches.sh
@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh

-rhel_version=8.8
+rhel_version=10.0

 # Check we're in the right directory.
 if [ ! -f nbdkit.spec ]; then
--- a/SOURCES/nbdkit-1.24.0.tar.gz.sig
+++ b/SOURCES/nbdkit-1.24.0.tar.gz.sig
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAl/3RBgRHHJpY2hAYW5u
-ZXhpYS5vcmcACgkQkXOPc+G3aKBIIRAAmgoGrmJ8aYO7z+kKgNFjd/p0QxRTZhS/
-ol59ojG6jIzN2x/C2PFbRmPB6HJTEg4anrDX04WrP6R+lID1RrH9pTFQabv0YDQC
-z49oeXAqINYHvAqgFUJCwlymd7BHEYUudLlK3yu7gQKxMM+J/2v0glpxrtLM7KlD
-vvSZkVfbvHlCWIbMWLWIaRHeoWZIXNOjsAp3uEWN2YgikDoxbXVKoh07JoQx5tJ5
-2U+a/zo4BQuRspjnhmWc252ZF/8d954/L8J+2mKvbRRf2iAmsqPgS+MNi7WKWO4K
-w7/urKn0osuOaArs5xYHJnApmJ9U88CzZpoHQkYhcGgnDOipW9ByJRzT41vVQPW5
-IluQODpZUuawWtRIwV/Eoi+LaV2gINAL48Afr02UFYj4gmYQ5TeayLP7NKRQO0VL
-jwL4Z3a0cDyUX4i1OArn2ll8THfiog38HfLb70AG1l3P1BVoVVBYWCYbs4xgC9IK
-LWkjPKuGXvkGVfZi0nCGdPTOoB1CqCXUvKHXm52FCHg12uJMrBQEivodBoCTbtl0
-fSjULQcfrovUEb4d/rDAX7EgJbFS+1jDnodaFHsmNToo3CqfkMBdhLkxG3XExwjy
-OOR34wZssjTLsLlWH/RPucWD25RDy1vdPBska9QvvO7W0p+aOtFbnttkTh5cqs45
-rHg/sDEiaLA=
-=OrsS
-----END PGP SIGNATURE-----
--- a/SOURCES/nbdkit-1.40.4.tar.gz.sig
+++ b/SOURCES/nbdkit-1.40.4.tar.gz.sig
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmb3G0QRHHJpY2hAYW5u
+ZXhpYS5vcmcACgkQkXOPc+G3aKBAohAAmJ03Ebg70A6EiKf2HCI1rLC5emLCzwX+
+6YihoD7lFoYh8LPNfg7WCfG8WlrHS3kgb7zIRaqVYn5HWWs/vNAU2+R8uoHoRETe
+hvAZZuXKxDkgNM5CYT7G6sGXQnh5Gn/XNo45oypHFh/vupkjEj5KtgRHkBFivut9
+/fe9JC2IW22FhyuK3XD0zf4tI2m78bLdE4S/tyWuHSGks1cJy5oq03qOkOwFUNOb
+xPvMkPepLClxmgr5fWuKt2A4K/EgrnBOtEvT+lAfI70J12Yiz19VdKK4AV3kBfOm
+U9LrDa6jOCtEkO9leiWUl7LguzyqCsI8r/72OC+Ub/RIIqDqh7tQi7ZwcdvJCZb7
+ZtIY43/XeqFtLXh8D//FpcBwdu9O8h81aTH2s/5QaIUPoY3jCTY+3r5ENv1793YB
+Ar6uWRXt6ID4TaFWO9gPJ4+J0qJJwK39K1CmvA72xn2wBTzoZMp1DEt8Jh/Dnnnp
+74yqhisWXN4ZH+sXKhmSuDl37B0zjRtrGQltTEdcSykh2Gr92f89v87FcUh9PFrj
+cq+hjzoYNQWsjutgKEuqwSM1wmeFOok81fKfwAFqqt+damw7vSUyCXDidh8FDgHC
+l2EwibvKWAQzB+ywqRxP0cekhqqY2WEqW0JFNMLMvJRFOdwooSjB03kwTMQj7/42
+01UYnKoT2u4=
+=7H2+
+-----END PGP SIGNATURE-----
--- a/SOURCES/nbdkit-find-provides
+++ b/SOURCES/nbdkit-find-provides
@ -0,0 +1,23 @@
+#!/bin/bash -
+
+# Generate RPM provides automatically for nbdkit packages and filters.
+# Copyright (C) 2009-2022 Red Hat Inc.
+
+# To test:
+# find /usr/lib64/nbdkit/plugins | ./nbdkit-find-provides VER REL
+# find /usr/lib64/nbdkit/filters | ./nbdkit-find-provides VER REL
+
+ver="$1"
+rel="$2"
+
+function process_file
+{
+    if [[ $1 =~ /plugins/nbdkit-.*-plugin ]] ||
+       [[ $1 =~ /filters/nbdkit-.*-filter ]]; then
+        echo "Provides:" "$(basename $1 .so)" "=" "$ver-$rel"
+    fi
+}
+
+while read line; do
+    process_file "$line"
+done
--- a/SOURCES/nbdkit.attr
+++ b/SOURCES/nbdkit.attr
@ -0,0 +1,3 @@
+%__nbdkit_provides %{_rpmconfigdir}/nbdkit-find-provides %{version} %{release}
+%__nbdkit_path     %{_libdir}/nbdkit/(plugins|filters)/nbdkit-.*-(plugin|filter)(\.so)?$
+%__nbdkit_flags    exeonly
--- a/SOURCES/nbdkit.fc
+++ b/SOURCES/nbdkit.fc
@ -0,0 +1,3 @@
+/usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)
--- a/SOURCES/nbdkit.if
+++ b/SOURCES/nbdkit.if
@ -0,0 +1,207 @@
+## <summary>policy for nbdkit</summary>
+
+########################################
+## <summary>
+##    Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##    Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nbdkit_domtrans',`
+	gen_require(`
+		type nbdkit_t, nbdkit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+## <summary>
+##    Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_exec',`
+	gen_require(`
+		type nbdkit_exec_t;
+	')
+    
+	corecmd_search_bin($1)
+	can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+## <summary>
+##    Execute nbdkit in the nbdkit domain, and
+##    allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition
+##    </summary>
+## </param>
+## <param name="role">
+##    <summary>
+##    The role to be allowed the nbdkit domain.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_run',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	nbdkit_domtrans($1)
+	roleattribute $2 nbdkit_roles;
+')
+
+########################################
+## <summary>
+##    Role access for nbdkit
+## </summary>
+## <param name="role">
+##    <summary>
+##    Role allowed access
+##    </summary>
+## </param>
+## <param name="domain">
+##    <summary>
+##    User domain for the role
+##    </summary>
+## </param>
+#
+interface(`nbdkit_role',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	roleattribute $1 nbdkit_roles;
+
+	nbdkit_domtrans($2)
+
+	ps_process_pattern($2, nbdkit_t)
+	allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	Allow attempts to connect to nbdkit
+##	with a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nbdkit_stream_connect',`
+	gen_require(`
+		type nbdkit_t;
+	')
+
+	allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##      Allow nbdkit_exec_t to be an entrypoint
+##      of the specified domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nbdkit_entrypoint',`
+        gen_require(`
+                type nbdkit_exec_t;
+        ')
+        allow $1 nbdkit_exec_t:file entrypoint;
+')
+
+# ----------------------------------------------------------------------
+# RWMJ: See:
+# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
+# Remove this when virt.if gets updated.
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+########################################
+## <summary>
+##      Read and write to svirt_image dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_rw_svirt_image_dirs',`
+	interface(`virt_rw_svirt_image_dirs',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:dir rw_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##      Create svirt_image sock_files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_create_svirt_image_sock_files',`
+	interface(`virt_create_svirt_image_sock_files',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:sock_file create_sock_file_perms;
+	')
+')
+
+########################################
+## <summary>
+## 	Read and write virtlogd pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+ifndef(`virtlogd_rw_pipes',`
+	interface(`virtlogd_rw_pipes',`
+	        gen_require(`
+	                type virtlogd_t;
+	        ')
+
+	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+	')
+')
--- a/SOURCES/nbdkit.te
+++ b/SOURCES/nbdkit.te
@ -0,0 +1,100 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+	auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(nbdkit_t)
+	miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(nbdkit_t)
+	sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+	userdom_read_user_home_content_files(nbdkit_t)
+	userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+	virt_create_svirt_image_sock_files(nbdkit_t)
+	virt_read_qemu_pid_files(nbdkit_t)
+	virtlogd_rw_pipes(nbdkit_t)
+	virt_rw_svirt_image(nbdkit_t)
+	virt_rw_svirt_image_dirs(nbdkit_t)
+	virt_search_lib(nbdkit_t)
+	virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
+# unconfined_t), but we don't want this transition to happen automatically 
+# when starting directly from the shell. I'm not sure how to achieve this...  
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
--- a/SPECS/nbdkit.spec
+++ b/SPECS/nbdkit.spec