30 changed files with 3719 additions and 2122 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
-SOURCES/libguestfs.keyring
+/clog
-SOURCES/nbdkit-1.24.0.tar.gz
+/nbdkit-*.tar.gz
 /nbdkit-*.tar.gz.sig
 /*~
--- a/.nbdkit.metadata
+++ b/.nbdkit.metadata
@ -1,2 +0,0 @@
 1bbc40f501a7fef9eef2a39b701a71aee2fea7c4 SOURCES/libguestfs.keyring
 069720cc0d1502b007652101d293a57d7b4d7c41 SOURCES/nbdkit-1.24.0.tar.gz
--- a/0001-vram-Skip-listing-devices-when-no-platforms-are-foun.patch
+++ b/0001-vram-Skip-listing-devices-when-no-platforms-are-foun.patch
@ -0,0 +1,59 @@
 From cad6894ec6dc18b318d0948fadf5833ecd75cb0f Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 26 Oct 2025 22:25:10 +0000
 Subject: [PATCH] vram: Skip listing devices when no platforms are found
 In a chroot-type test environment, tests/test-dump-plugin.sh failed
 with:
  + nbdkit vram --dump-plugin
  nbdkit: error: clGetPlatformIDs: error -1001 (unknown OpenCL error)
 -1001 is the extended error CL_PLATFORM_NOT_FOUND_KHR
 ---
 plugins/vram/opencl-errors.h | 3 +++
 plugins/vram/vram.c          | 7 +++++++
 2 files changed, 10 insertions(+)
 diff --git a/plugins/vram/opencl-errors.h b/plugins/vram/opencl-errors.h
 index b5d185fc..dd6fba92 100644
 --- a/plugins/vram/opencl-errors.h
 +++ b/plugins/vram/opencl-errors.h
@@ -101,6 +101,9 @@ opencl_errstr (cl_int err)
     case_return_string(CL_INVALID_COMPILER_OPTIONS       );
     case_return_string(CL_INVALID_LINKER_OPTIONS         );
     case_return_string(CL_INVALID_DEVICE_PARTITION_COUNT );
 +
 +    /* Extended. */
 +    case_return_string(CL_PLATFORM_NOT_FOUND_KHR         );
   default: return "unknown OpenCL error";
   }
 }
 diff --git a/plugins/vram/vram.c b/plugins/vram/vram.c
 index 4b391e22..9819f0db 100644
 --- a/plugins/vram/vram.c
 +++ b/plugins/vram/vram.c
@@ -41,6 +41,7 @@
 #define CL_TARGET_OPENCL_VERSION 200 /* OpenCL >= 2.0 */
 #include <CL/cl.h>
 +#include <CL/cl_ext.h>
 #define NBDKIT_API_VERSION 2
 #include <nbdkit-plugin.h>
@@ -126,6 +127,12 @@ get_all_devices (void)
   /* Build the list of all devices from all platforms as a flat list. */
   what = "clGetPlatformIDs";
   r = clGetPlatformIDs (0, NULL, &num_platforms);
 +  if (r == CL_PLATFORM_NOT_FOUND_KHR) {
 +    /* OpenCL seems to return this when no platform is detected at
 +     * all, so just return the empty list in this case.
 +     */
 +    return;
 +  }
   if (r != CL_SUCCESS) goto err;
   platform_ids = calloc (num_platforms, sizeof platform_ids[0]);
   if (!platform_ids) {
 -- 
 2.47.3
--- a/0002-linuxdisk-Fix-parsing-of-last-line-of-du-command-out.patch
+++ b/0002-linuxdisk-Fix-parsing-of-last-line-of-du-command-out.patch
@ -0,0 +1,71 @@
 From 01b8e557ce129b2f4677061ba04bbb5ff2a703eb Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Mon, 27 Oct 2025 09:15:47 +0000
 Subject: [PATCH] linuxdisk: Fix parsing of last line of 'du' command output
 A recent change to glibc breaks this code.  Previously we could read
 the lines of output from the 'du' command until getline(3) returned
 EOF, and the 'line' buffer would contain the last line read.  However
 after this change, glibc now sets line[0] = '\0' in the EOF case,
 breaking the last line of output that we wanted to parse.
 https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=33eff78c8b28adc4963987880e10d96761f2a167
 We also previously didn't handle the unlikely case where 'du' produces
 no output at all.  Fix both problems here.
 ---
 plugins/linuxdisk/filesystem.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
 diff --git a/plugins/linuxdisk/filesystem.c b/plugins/linuxdisk/filesystem.c
 index 3e4e2f3a..283af61a 100644
 --- a/plugins/linuxdisk/filesystem.c
 +++ b/plugins/linuxdisk/filesystem.c
@@ -148,7 +148,7 @@ create_filesystem (struct virtual_disk *disk)
 static int64_t
 estimate_size (void)
 {
 -  CLEANUP_FREE char *command = NULL, *line = NULL;
 +  CLEANUP_FREE char *command = NULL, *line = NULL, *lastline = NULL;
   size_t len = 0;
   FILE *fp;
   int64_t ret;
@@ -177,8 +177,16 @@ estimate_size (void)
   /* Ignore everything up to the last line. */
   len = 0;
 -  while (getline (&line, &len, fp) != -1)
 -    /* empty */;
 +  while (getline (&line, &len, fp) != -1) {
 +    nbdkit_debug ("du: %s", line);
 +    free (lastline);
 +    lastline = strndup (line, len);
 +    if (lastline == NULL) {
 +      nbdkit_error ("strndup: %m");
 +      pclose (fp);
 +      return -1;
 +    }
 +  }
   if (ferror (fp)) {
     nbdkit_error ("getline failed: %m");
     pclose (fp);
@@ -193,9 +201,14 @@ estimate_size (void)
   if (exit_status_to_nbd_error (r, "pclose: du") == -1)
     return -1;
 +  if (lastline == NULL) {
 +    nbdkit_error ("no output from du command");
 +    return -1;
 +  }
 +
   /* Parse the last line. */
 -  if (sscanf (line, "%" SCNi64, &ret) != 1 || ret < 0) {
 -    nbdkit_error ("could not parse last line of output: %s", line);
 +  if (sscanf (lastline, "%" SCNi64, &ret) != 1 || ret < 0) {
 +    nbdkit_error ("could not parse last line from du command: %s", lastline);
     return -1;
   }
 -- 
 2.47.3
--- a/0003-vram-Skip-listing-devices-when-no-devices-found-in-p.patch
+++ b/0003-vram-Skip-listing-devices-when-no-devices-found-in-p.patch
@ -0,0 +1,42 @@
 From df5e7d1b6f2cbc3e3adbb85312490b148ad0b2fc Mon Sep 17 00:00:00 2001
 From: Eric Blake <eblake@redhat.com>
 Date: Sun, 26 Oct 2025 22:25:10 +0000
 Subject: [PATCH] vram: Skip listing devices when no devices found in platform
 On my laptop, right after installing clinfo and building vram,
 clGetDeviceIDs found an AMD device, but was unable to connect to it
 (probably further drivers needed), resulting in:
  + nbdkit vram --dump-plugin
  ...
  nbdkit: error: clGetDeviceIDs: error -1 (CL_DEVICE_NOT_FOUND)
 Similar to the previous fix when a platform is not available, it is
 easy to gracefully handle no devices found in a platform.
 Signed-off-by: Eric Blake <eblake@redhat.com>
 ---
 plugins/vram/vram.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/plugins/vram/vram.c b/plugins/vram/vram.c
 index 9819f0db..64cfe0fa 100644
 --- a/plugins/vram/vram.c
 +++ b/plugins/vram/vram.c
@@ -147,6 +147,13 @@ get_all_devices (void)
     what = "clGetDeviceIDs";
     r = clGetDeviceIDs (platform_ids[pl_i], CL_DEVICE_TYPE_ALL, 0, NULL,
                         &num_devices);
 +    if (r == CL_DEVICE_NOT_FOUND) {
 +      /* OpenCL seems to return this when the platform is found but
 +       * the vendor's library is not configured to access devices
 +       * within the platform; skip over this platform.
 +       */
 +      continue;
 +    }
     if (r != CL_SUCCESS) goto err;
     free (device_ids);
     device_ids = calloc (num_devices, sizeof device_ids[0]);
 -- 
 2.47.3
--- a/0004-Fix-mke2fs-command-line.patch
+++ b/0004-Fix-mke2fs-command-line.patch
@ -0,0 +1,41 @@
 From ae9a7cf9167bc35aa7278f55af1049ea4aa871e6 Mon Sep 17 00:00:00 2001
 From: Mykola Ivanets <stenavin@gmail.com>
 Date: Wed, 29 Oct 2025 23:53:03 +0200
 Subject: [PATCH] Fix mke2fs command line
 Man page says:
 The file system size is specified by fs-size.  If fs-size does not have
 a suffix, it is interpreted as power-of-two kilobytes, unless the -b
 blocksize option is specified, in which case fs-size is interpreted as
 the number of blocksize blocks.  If the fs-size is suffixed by 'k', 'm',
 'g', 't' (either upper-case or lower-case), then it is interpreted in
 power-of-two kilobytes, megabytes, gigabytes, terabytes, etc.  If
 fs-size is omitted, mke2fs will create the file system based on the
 device size.
 We could add '-b 1' parameter and specify fs-size, or just remove
 fs-size parameter, in this case mke2fs will create the file system based
 on device size.  I prefer later option just because it will avoid
 duplicating fs-size specification twice (in the previous 'truncate'
 command and in 'mke2fs').
 ---
 tests/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index 53cc00d1..2a7e9623 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -1895,7 +1895,7 @@ ext2.img: disk test-ext2-exportname.sh
 	cp $< ext2.img.d/disks/disk.img
 	echo /disks/disk.img > ext2.img.d/manifest
 	$(TRUNCATE) -s 2147483648 $@-t
 -	mke2fs -q -F -t ext4 -d ext2.img.d $@-t 2147483648
 +	mke2fs -q -F -t ext4 -d ext2.img.d $@-t
 	rm -r ext2.img.d
 	mv $@-t $@
 -- 
 2.47.3
--- a/0005-vram-Fix-trim-command.patch
+++ b/0005-vram-Fix-trim-command.patch
@ -0,0 +1,31 @@
 From 258822bde3eb4923b309431c6e4d71932e83932d Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 1 Nov 2025 09:33:37 +0000
 Subject: [PATCH] vram: Fix trim command
 Fix missing updates in the loop, which caused trim operations to spin
 forever.
 Fixes: commit e35fb68748ecd1ebab63308db3c9a6ccca12ebcb
 ---
 plugins/vram/vram.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/plugins/vram/vram.c b/plugins/vram/vram.c
 index 64cfe0fa..63e7d5c7 100644
 --- a/plugins/vram/vram.c
 +++ b/plugins/vram/vram.c
@@ -811,6 +811,10 @@ vram_trim (void *handle, uint32_t count, uint64_t offset, uint32_t flags)
   /* Aligned body */
   while (count >= BUFFER_SIZE) {
     free_buffer (bufnum);
 +
 +    count -= BUFFER_SIZE;
 +    offset += BUFFER_SIZE;
 +    bufnum++;
   }
   return 0;
 -- 
 2.47.3
--- a/0006-vram-Link-to-radeontop-1.patch
+++ b/0006-vram-Link-to-radeontop-1.patch
@ -0,0 +1,26 @@
 From 1c501d5c7162ac41e6e49767cdcb8632d5e6535d Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 1 Nov 2025 09:34:47 +0000
 Subject: [PATCH] vram: Link to radeontop(1)
 This tool is a top-like tool for AMD Radeon cards, very useful when
 observing GPU and Video RAM usage in real time.
 ---
 plugins/vram/nbdkit-vram-plugin.pod | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/plugins/vram/nbdkit-vram-plugin.pod b/plugins/vram/nbdkit-vram-plugin.pod
 index b99eb67f..5363a4ca 100644
 --- a/plugins/vram/nbdkit-vram-plugin.pod
 +++ b/plugins/vram/nbdkit-vram-plugin.pod
@@ -158,6 +158,7 @@ L<nbdkit(1)>,
 L<nbdkit-plugin(3)>,
 L<nbdkit-memory-plugin(1)>,
 L<clinfo(1)>,
 +L<radeontop(1)>,
 L<fstrim(8)>.
 =head1 AUTHORS
 -- 
 2.47.3
--- a/0007-vram-Obey-trim-FUA-flag-by-calling-vram_flush.patch
+++ b/0007-vram-Obey-trim-FUA-flag-by-calling-vram_flush.patch
@ -0,0 +1,29 @@
 From af18957aa91b61f627c2a56724b717c2dbdbf001 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 1 Nov 2025 19:05:01 +0000
 Subject: [PATCH] vram: Obey trim FUA flag by calling vram_flush
 Further fix to the vram trim operation, so now we (kind of) obey the
 FUA flag by calling vram_flush.  Since vram_flush does nothing right
 now, this actually makes no difference.
 ---
 plugins/vram/vram.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/plugins/vram/vram.c b/plugins/vram/vram.c
 index 63e7d5c7..fe8bf60e 100644
 --- a/plugins/vram/vram.c
 +++ b/plugins/vram/vram.c
@@ -817,6 +817,9 @@ vram_trim (void *handle, uint32_t count, uint64_t offset, uint32_t flags)
     bufnum++;
   }
 +  if (flags & NBDKIT_FLAG_FUA && vram_flush (handle, 0) == -1)
 +    return -1;
 +
   return 0;
 }
 -- 
 2.47.3
--- a/SOURCES/0001-cache-cow-Fix-data-corruption-in-zero-and-trim-on-un.patch
+++ b/SOURCES/0001-cache-cow-Fix-data-corruption-in-zero-and-trim-on-un.patch
@ -1,82 +0,0 @@
 From 99788909d9ec36e3210cf85976fe5b18da690ddd Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Wed, 4 Aug 2021 20:24:59 +0100
 Subject: [PATCH] cache, cow: Fix data corruption in zero and trim on unaligned
 tail
 Commit eb6009b092 ("cache, cow: Reduce use of bounce-buffer") first
 introduced in nbdkit 1.14 added an optimization of the
 read-modify-write mechanism used for unaligned heads and tails when
 zeroing in the cache layer.
 Unfortunately the part applied to the tail contained a mistake: It
 zeroes the end of the buffer rather than the beginning.  This causes
 data corruption when you use the zero or trim function with an offset
 and count which is not aligned to the block size.
 Although the bug has been around for years, a recent change made it
 more likely to happen.  Commit c1905b0a28 ("cache, cow: Use a 64K
 block size by default") increased the default block size from 4K to
 64K.  Most filesystems use a 4K block size so operations like fstrim
 will make 4K-aligned requests, and with a 4K block size also in the
 cache or cow filter the unaligned case would never have been hit
 before.
 We can demonstrate the bug simply by filling a buffer with data
 (100000 bytes in the example), and then trimming that data, which
 ought to zero it out.
 Before this commit there is data visible after the trim:
 $ nbdkit --filter=cow data "0x21 * 100000" --run 'nbdsh -u $uri -c "h.trim(100000, 0)" ; nbdcopy $uri - | hexdump -C'
 00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 00018000  21 21 21 21 21 21 21 21  21 21 21 21 21 21 21 21  |!!!!!!!!!!!!!!!!|
 *
 000186a0
 After this commit the trim completely clears the data:
 $ nbdkit --filter=cow data "0x21 * 100000" --run 'nbdsh -u $uri -c "h.trim(100000, 0)" ; nbdcopy $uri - | hexdump -C'
 00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 000186a0
 Thanks: Ming Xie for finding the bug
 Fixes: commit eb6009b092ae642ed25f133d487dd40ef7bf70f8
 (cherry picked from commit a0ae7b2158598ce48ac31706319007f716d01c87)
 (cherry picked from commit c0b15574647672cb5c48178333acdd07424692ef)
 ---
 filters/cache/cache.c | 2 +-
 filters/cow/cow.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/filters/cache/cache.c b/filters/cache/cache.c
 index 91dcc43d..0616cc7b 100644
 --- a/filters/cache/cache.c
 +++ b/filters/cache/cache.c
@@ -493,7 +493,7 @@ cache_zero (struct nbdkit_next_ops *next_ops, void *nxdata,
     ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock);
     r = blk_read (next_ops, nxdata, blknum, block, err);
     if (r != -1) {
 -      memset (&block[count], 0, blksize - count);
 +      memset (block, 0, count);
       r = blk_write (next_ops, nxdata, blknum, block, flags, err);
     }
     if (r == -1)
 diff --git a/filters/cow/cow.c b/filters/cow/cow.c
 index 51ca64a4..1cfcc4e7 100644
 --- a/filters/cow/cow.c
 +++ b/filters/cow/cow.c
@@ -419,7 +419,7 @@ cow_zero (struct nbdkit_next_ops *next_ops, void *nxdata,
     ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock);
     r = blk_read (next_ops, nxdata, blknum, block, err);
     if (r != -1) {
 -      memset (&block[count], 0, BLKSIZE - count);
 +      memset (block, 0, count);
       r = blk_write (blknum, block, err);
     }
     if (r == -1)
 -- 
 2.31.1
--- a/SOURCES/0002-server-CVE-2021-3716-reset-structured-replies-on-sta.patch
+++ b/SOURCES/0002-server-CVE-2021-3716-reset-structured-replies-on-sta.patch
@ -1,94 +0,0 @@
 From 6b9d4380df9bd0be91f49aad8c4f47b4e672adde Mon Sep 17 00:00:00 2001
 From: Eric Blake <eblake@redhat.com>
 Date: Mon, 16 Aug 2021 13:43:29 -0500
 Subject: [PATCH] server: CVE-2021-3716 reset structured replies on starttls
 https://nostarttls.secvuln.info/ pointed out a series of CVEs in
 common implementation flaw in various SMTP and IMAP clients and
 servers, all with a common thread of improperly caching plaintext
 state across the STARTTLS encryption boundary; and recommended that
 other protocols with a STARTTLS operation perform a similar audit.
 It turns out that nbdkit has the same vulnerability in regards to the
 NBD protocol: when nbdkit is run in opportunistic TLS mode, an
 attacker is able to inject a plaintext NBD_OPT_STRUCTURED_REPLY before
 proxying everything else a client sends to the server; if the server
 then acts on that plaintext request (as nbdkit did before this patch),
 then the server ends up sending structured replies to at least
 NBD_CMD_READ, even though the client was assuming that the transition
 to TLS has ruled out a MitM attack.
 On the bright side, nbdkit's behavior on a second
 NBD_OPT_STRUCTURED_REPLY was to still reply with success, so a client
 that always requests structured replies after starting TLS sees no
 difference in behavior (that is, qemu 2.12 and later are immune) (had
 nbdkit given an error to the second request, that may have caused
 confusion to more clients).  And there is always the mitigation of
 using --tls=require, which lets nbdkit reject the MitM message
 pre-encryption.  However, nbd-client 3.15 to the present do not
 understand structured replies, and I have confirmed that a MitM
 attacker can thus cause a denial-of-service attack that does not
 trigger until the client does its first encrypted NBD_CMD_READ.
 The NBD spec has been recently tightened to declare the nbdkit
 behavior to be a security hole:
 https://github.com/NetworkBlockDevice/nbd/commit/77e55378096aa
 Fixes: eaa4c6e9a2c4bd (server: Minimal implementation of NBD Structured Replies.)
 (cherry picked from commit 09a13dafb7bb3a38ab52eb5501cba786365ba7fd)
 (cherry picked from commit 6185b15a81e6915734d678f0781e31d45a7941a1)
 ---
 docs/nbdkit-security.pod             | 11 +++++++++--
 server/protocol-handshake-newstyle.c |  3 ++-
 2 files changed, 11 insertions(+), 3 deletions(-)
 diff --git a/docs/nbdkit-security.pod b/docs/nbdkit-security.pod
 index 3a28e54d..5a4e6da8 100644
 --- a/docs/nbdkit-security.pod
 +++ b/docs/nbdkit-security.pod
@@ -10,7 +10,7 @@ For how to report new security issues, see the C<SECURITY> file in the
 top level source directory, also available online here:
 L<https://github.com/libguestfs/nbdkit/blob/master/SECURITY>
 -=head2 CVE-2019-14850 
 +=head2 CVE-2019-14850
 denial of service due to premature opening of back-end connection
 See the full announcement and links to mitigation, tests and fixes
@@ -26,6 +26,13 @@ See the full announcement and links to mitigation, tests and fixes
 here:
 https://www.redhat.com/archives/libguestfs/2019-September/msg00272.html
 +=head2 CVE-2021-3716
 +structured read denial of service attack against starttls
 +
 +See the full announcement and links to mitigation, tests and fixes
 +here:
 +https://www.redhat.com/archives/libguestfs/2021-August/msg00083.html
 +
 =head1 SEE ALSO
 L<nbdkit(1)>.
@@ -38,4 +45,4 @@ Richard W.M. Jones
 =head1 COPYRIGHT
 -Copyright (C) 2013-2020 Red Hat Inc.
 +Copyright (C) 2013-2021 Red Hat Inc.
 diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
 index 0a76a814..b94950e2 100644
 --- a/server/protocol-handshake-newstyle.c
 +++ b/server/protocol-handshake-newstyle.c
@@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
           return -1;
         conn->using_tls = true;
         debug ("using TLS on this connection");
 -        /* Wipe out any cached default export name. */
 +        /* Wipe out any cached state. */
 +        conn->structured_replies = false;
         for_each_backend (b) {
           struct handle *h = get_handle (conn, b->i);
           free (h->default_exportname);
 -- 
 2.31.1
--- a/SOURCES/0003-server-reset-meta-context-replies-on-starttls.patch
+++ b/SOURCES/0003-server-reset-meta-context-replies-on-starttls.patch
@ -1,40 +0,0 @@
 From add9b794b9dc697a1b52115c997fcfb6e06bf64c Mon Sep 17 00:00:00 2001
 From: Eric Blake <eblake@redhat.com>
 Date: Mon, 16 Aug 2021 13:43:29 -0500
 Subject: [PATCH] server: reset meta context replies on starttls
 Related to CVE-2021-3716, but not as severe.  No compliant client will
 send NBD_CMD_BLOCK_STATUS unless it first negotiates
 NBD_OPT_SET_META_CONTEXT.  If an attacker injects a premature
 SET_META_CONTEXT, either the client will never notice (because it
 never uses BLOCK_STATUS), or the client will overwrite the attacker's
 attempt with the client's own SET_META_CONTEXT request after
 encryption is enabled.  So I don't class this as having the potential
 to trigger denial-of-service due to any protocol mismatch between
 compliant client and server (I don't care what happens with
 non-compliant clients).
 Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".)
 (cherry picked from commit 6c5faac6a37077cf2366388a80862bb00616d0d8)
 (cherry picked from commit 814d8103fb4b581dc01dfd25d2cd81596576f211)
 ---
 server/protocol-handshake-newstyle.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
 index b94950e2..eb0f3961 100644
 --- a/server/protocol-handshake-newstyle.c
 +++ b/server/protocol-handshake-newstyle.c
@@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void)
         debug ("using TLS on this connection");
         /* Wipe out any cached state. */
         conn->structured_replies = false;
 +        free (conn->exportname_from_set_meta_context);
 +        conn->exportname_from_set_meta_context = NULL;
 +        conn->meta_context_base_allocation = false;
         for_each_backend (b) {
           struct handle *h = get_handle (conn, b->i);
           free (h->default_exportname);
 -- 
 2.31.1
--- a/SOURCES/0004-cow-Fix-for-qemu-6.1-which-requires-backing-format.patch
+++ b/SOURCES/0004-cow-Fix-for-qemu-6.1-which-requires-backing-format.patch
@ -1,59 +0,0 @@
 From 3c2879a38c299b725091cea45329879e3f46fc99 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 31 Aug 2021 11:23:27 +0100
 Subject: [PATCH] cow: Fix for qemu 6.1 which requires backing format
 The diffing example in the manual created a qcow2 file with a backing
 file but did not specify the backing format.  However qemu 6.1 now
 requires this and fails with:
  qemu-img: cow-diff.qcow2: Backing file specified without backing format
 or:
  qemu-img: Could not change the backing file to 'cow-base.img': backing format must be specified
 Fix the example by adding the -F option to the command line.
 Also there was a test of this rebasing sequence which failed, so this
 commit updates the test too.
 (cherry picked from commit 618290ef33ce13b75c1a79fea1f1ffb327b5ba07)
 ---
 filters/cow/nbdkit-cow-filter.pod | 4 ++--
 tests/test-cow.sh                 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/filters/cow/nbdkit-cow-filter.pod b/filters/cow/nbdkit-cow-filter.pod
 index 4d5ae856..510bdd40 100644
 --- a/filters/cow/nbdkit-cow-filter.pod
 +++ b/filters/cow/nbdkit-cow-filter.pod
@@ -101,8 +101,8 @@ At the end, disconnect the client.
 Run these C<qemu-img> commands to construct a qcow2 file containing
 the differences:
 - qemu-img create -f qcow2 -b nbd:localhost diff.qcow2
 - qemu-img rebase -b disk.img diff.qcow2
 + qemu-img create -F raw -b nbd:localhost -f qcow2 diff.qcow2
 + qemu-img rebase -F raw -b disk.img -f qcow2 diff.qcow2
 F<diff.qcow2> now contains the differences between the base
 (F<disk.img>) and the changes stored in nbdkit-cow-filter.  C<nbdkit>
 diff --git a/tests/test-cow.sh b/tests/test-cow.sh
 index 8772afd7..edc4c223 100755
 --- a/tests/test-cow.sh
 +++ b/tests/test-cow.sh
@@ -72,8 +72,8 @@ fi
 # If we have qemu-img, try the hairy rebase operation documented
 # in the nbdkit-cow-filter manual.
 if qemu-img --version >/dev/null 2>&1; then
 -    qemu-img create -f qcow2 -b nbd:unix:$sock cow-diff.qcow2
 -    time qemu-img rebase -b cow-base.img cow-diff.qcow2
 +    qemu-img create -F raw -b nbd:unix:$sock -f qcow2 cow-diff.qcow2
 +    time qemu-img rebase -F raw -b cow-base.img -f qcow2 cow-diff.qcow2
     qemu-img info cow-diff.qcow2
     # This checks the file we created exists.
 -- 
 2.31.1
--- a/SOURCES/0005-vddk-Include-VDDK-major-library-version-in-dump-plug.patch
+++ b/SOURCES/0005-vddk-Include-VDDK-major-library-version-in-dump-plug.patch
@ -1,141 +0,0 @@
 From 9e20e2696fdb68008c9b4f1c36298f813320e381 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 23 Oct 2021 16:16:39 +0100
 Subject: [PATCH] vddk: Include VDDK major library version in --dump-plugin
 output
 Although it doesn't seem to be possible to get the precise VDDK
 version, With a relatively simple change we can at least return the
 VDDK major version.  Currently this can be 5, 6 or 7.
 (cherry picked from commit 8700649d147948897f3b97810a1dff37924bdd6e)
 ---
 plugins/vddk/nbdkit-vddk-plugin.pod |  4 ++++
 plugins/vddk/vddk.c                 | 29 +++++++++++++++++++----------
 tests/test-vddk-real-dump-plugin.sh |  2 ++
 3 files changed, 25 insertions(+), 10 deletions(-)
 diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
 index 8b14eda0..822b96be 100644
 --- a/plugins/vddk/nbdkit-vddk-plugin.pod
 +++ b/plugins/vddk/nbdkit-vddk-plugin.pod
@@ -417,6 +417,10 @@ at runtime.
 If this is printed then the C<nfchostport=PORT> parameter is supported
 by this build.
 +=item C<vddk_library_version=...>
 +
 +The VDDK major library version: 5, 6, 7, ...
 +
 =item C<vddk_dll=...>
 Prints the full path to the VDDK shared library.  Since this requires
 diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
 index 69193504..291283f4 100644
 --- a/plugins/vddk/vddk.c
 +++ b/plugins/vddk/vddk.c
@@ -77,6 +77,7 @@ int vddk_debug_datapath = 1;
 static void *dl;                           /* dlopen handle */
 static bool init_called;                   /* was InitEx called */
 static __thread int error_suppression;     /* threadlocal error suppression */
 +static int library_version;                /* VDDK major: 5, 6, 7, ... */
 static enum { NONE = 0, ZLIB, FASTLZ, SKIPZ } compression; /* compression */
 static char *config;                       /* config */
@@ -297,7 +298,10 @@ vddk_config (const char *key, const char *value)
 static void
 load_library (bool load_error_is_fatal)
 {
 -  static const char *sonames[] = {
 +  static struct {
 +    const char *soname;
 +    int library_version;
 +  } libs[] = {
     /* Prefer the newest library in case multiple exist.  Check two
      * possible directories: the usual VDDK installation puts .so
      * files in an arch-specific subdirectory of $libdir (our minimum
@@ -305,12 +309,13 @@ load_library (bool load_error_is_fatal)
      * but our testsuite is easier to write if we point libdir
      * directly to a stub .so.
      */
 -    "lib64/libvixDiskLib.so.7",
 -    "libvixDiskLib.so.7",
 -    "lib64/libvixDiskLib.so.6",
 -    "libvixDiskLib.so.6",
 -    "lib64/libvixDiskLib.so.5",
 -    "libvixDiskLib.so.5",
 +    { "lib64/libvixDiskLib.so.7", 7 },
 +    { "libvixDiskLib.so.7",       7 },
 +    { "lib64/libvixDiskLib.so.6", 6 },
 +    { "libvixDiskLib.so.6",       6 },
 +    { "lib64/libvixDiskLib.so.5", 5 },
 +    { "libvixDiskLib.so.5",       5 },
 +    { NULL }
   };
   size_t i;
   CLEANUP_FREE char *orig_error = NULL;
@@ -323,19 +328,20 @@ load_library (bool load_error_is_fatal)
     }
   }
 -  for (i = 0; i < sizeof sonames / sizeof sonames[0]; ++i) {
 +  for (i = 0; libs[i].soname != NULL; ++i) {
     CLEANUP_FREE char *path;
     /* Set the full path so that dlopen will preferentially load the
      * system libraries from the same directory.
      */
 -    if (asprintf (&path, "%s/%s", libdir, sonames[i]) == -1) {
 +    if (asprintf (&path, "%s/%s", libdir, libs[i].soname) == -1) {
       nbdkit_error ("asprintf: %m");
       exit (EXIT_FAILURE);
     }
     dl = dlopen (path, RTLD_NOW);
     if (dl != NULL) {
 +      library_version = libs[i].library_version;
       /* Now that we found the library, ensure that LD_LIBRARY_PATH
        * includes its directory for all future loads.  This may modify
        * path in-place and/or re-exec nbdkit, but that's okay.
@@ -356,10 +362,12 @@ load_library (bool load_error_is_fatal)
                   "If '%s' is located on a non-standard path you may need to\n"
                   "set libdir=/path/to/vmware-vix-disklib-distrib.\n\n"
                   "See nbdkit-vddk-plugin(1) man page section \"LIBRARY LOCATION\" for details.",
 -                  orig_error ? : "(unknown error)", sonames[0]);
 +                  orig_error ? : "(unknown error)", libs[0].soname);
     exit (EXIT_FAILURE);
   }
 +  assert (library_version >= 5);
 +
   /* Load symbols. */
 #define STUB(fn,ret,args)                                         \
   do {                                                            \
@@ -474,6 +482,7 @@ vddk_dump_plugin (void)
   printf ("vddk_default_libdir=%s\n", VDDK_LIBDIR);
   printf ("vddk_has_nfchostport=1\n");
 +  printf ("vddk_library_version=%d\n", library_version);
 #if defined(HAVE_DLADDR)
   /* It would be nice to print the version of VDDK from the shared
 diff --git a/tests/test-vddk-real-dump-plugin.sh b/tests/test-vddk-real-dump-plugin.sh
 index 1479e416..59c79693 100755
 --- a/tests/test-vddk-real-dump-plugin.sh
 +++ b/tests/test-vddk-real-dump-plugin.sh
@@ -51,10 +51,12 @@ rm -f $files
 cleanup_fn rm -f $files
 nbdkit -f -v vddk libdir="$vddkdir" --dump-plugin > $out
 +cat $out
 # Check the vddk_* entries are set.
 grep ^vddk_default_libdir= $out
 grep ^vddk_has_nfchostport= $out
 +grep ^vddk_library_version= $out
 grep ^vddk_dll= $out
 dll="$(grep ^vddk_dll $out | cut -d= -f2)"
 -- 
 2.31.1
--- a/SOURCES/0006-vddk-Only-print-vddk_library_version-when-we-managed.patch
+++ b/SOURCES/0006-vddk-Only-print-vddk_library_version-when-we-managed.patch
@ -1,55 +0,0 @@
 From b8b376cf39d97c9f523a9867612126088b43c523 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 23 Oct 2021 19:50:52 +0100
 Subject: [PATCH] vddk: Only print vddk_library_version when we managed to load
 the library
 Because --dump-plugin calls load_library (false) it won't fail if we
 didn't manage to load the library.  This results in library_version
 being 0, which we printed incorrectly.
 Resolve this problem by not printing the vddk_library_version entry in
 this case.
 Fixes: commit 8700649d147948897f3b97810a1dff37924bdd6e
 (cherry picked from commit a3fba12c3e9c2113009f556360ae0bd04c45f6bb)
 ---
 plugins/vddk/nbdkit-vddk-plugin.pod | 1 +
 plugins/vddk/vddk.c                 | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
 index 822b96be..c56faddc 100644
 --- a/plugins/vddk/nbdkit-vddk-plugin.pod
 +++ b/plugins/vddk/nbdkit-vddk-plugin.pod
@@ -420,6 +420,7 @@ by this build.
 =item C<vddk_library_version=...>
 The VDDK major library version: 5, 6, 7, ...
 +If this is omitted it means the library could not be loaded.
 =item C<vddk_dll=...>
 diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
 index 291283f4..96615749 100644
 --- a/plugins/vddk/vddk.c
 +++ b/plugins/vddk/vddk.c
@@ -482,7 +482,14 @@ vddk_dump_plugin (void)
   printf ("vddk_default_libdir=%s\n", VDDK_LIBDIR);
   printf ("vddk_has_nfchostport=1\n");
 -  printf ("vddk_library_version=%d\n", library_version);
 +
 +  /* Because load_library (false) we might not have loaded VDDK, in
 +   * which case we didn't set library_version.  Note this cannot
 +   * happen in the normal (non-debug-plugin) path because there we use
 +   * load_library (true).
 +   */
 +  if (library_version > 0)
 +    printf ("vddk_library_version=%d\n", library_version);
 #if defined(HAVE_DLADDR)
   /* It would be nice to print the version of VDDK from the shared
 -- 
 2.31.1
--- a/SOURCES/0007-vddk-Add-support-for-VDDK-8.0.0.patch
+++ b/SOURCES/0007-vddk-Add-support-for-VDDK-8.0.0.patch
@ -1,53 +0,0 @@
 From e850f65053d89ad54c27280f48506da5eb631a68 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Fri, 18 Nov 2022 09:43:19 +0000
 Subject: [PATCH] vddk: Add support for VDDK 8.0.0
 There are no changes in any of the structures or enums that we rely on.
 Reported-by: Ming Xie
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2143889
 (cherry picked from commit dbe12ed499baeea94d603db55cad9e971e0ebcf0)
 ---
 plugins/vddk/nbdkit-vddk-plugin.pod | 2 +-
 plugins/vddk/vddk.c                 | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
 diff --git a/plugins/vddk/nbdkit-vddk-plugin.pod b/plugins/vddk/nbdkit-vddk-plugin.pod
 index c56faddc..c94c41eb 100644
 --- a/plugins/vddk/nbdkit-vddk-plugin.pod
 +++ b/plugins/vddk/nbdkit-vddk-plugin.pod
@@ -419,7 +419,7 @@ by this build.
 =item C<vddk_library_version=...>
 -The VDDK major library version: 5, 6, 7, ...
 +The VDDK major library version: 5, 6, 7, 8, ...
 If this is omitted it means the library could not be loaded.
 =item C<vddk_dll=...>
 diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
 index 96615749..2140789a 100644
 --- a/plugins/vddk/vddk.c
 +++ b/plugins/vddk/vddk.c
@@ -77,7 +77,7 @@ int vddk_debug_datapath = 1;
 static void *dl;                           /* dlopen handle */
 static bool init_called;                   /* was InitEx called */
 static __thread int error_suppression;     /* threadlocal error suppression */
 -static int library_version;                /* VDDK major: 5, 6, 7, ... */
 +static int library_version;                /* VDDK major: 5, 6, 7, 8, ... */
 static enum { NONE = 0, ZLIB, FASTLZ, SKIPZ } compression; /* compression */
 static char *config;                       /* config */
@@ -309,6 +309,8 @@ load_library (bool load_error_is_fatal)
      * but our testsuite is easier to write if we point libdir
      * directly to a stub .so.
      */
 +    { "lib64/libvixDiskLib.so.8", 8 },
 +    { "libvixDiskLib.so.8",       8 },
     { "lib64/libvixDiskLib.so.7", 7 },
     { "libvixDiskLib.so.7",       7 },
     { "lib64/libvixDiskLib.so.6", 6 },
 -- 
 2.31.1
--- a/SOURCES/nbdkit-1.24.0.tar.gz.sig
+++ b/SOURCES/nbdkit-1.24.0.tar.gz.sig
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAl/3RBgRHHJpY2hAYW5u
 ZXhpYS5vcmcACgkQkXOPc+G3aKBIIRAAmgoGrmJ8aYO7z+kKgNFjd/p0QxRTZhS/
 ol59ojG6jIzN2x/C2PFbRmPB6HJTEg4anrDX04WrP6R+lID1RrH9pTFQabv0YDQC
 z49oeXAqINYHvAqgFUJCwlymd7BHEYUudLlK3yu7gQKxMM+J/2v0glpxrtLM7KlD
 vvSZkVfbvHlCWIbMWLWIaRHeoWZIXNOjsAp3uEWN2YgikDoxbXVKoh07JoQx5tJ5
 2U+a/zo4BQuRspjnhmWc252ZF/8d954/L8J+2mKvbRRf2iAmsqPgS+MNi7WKWO4K
 w7/urKn0osuOaArs5xYHJnApmJ9U88CzZpoHQkYhcGgnDOipW9ByJRzT41vVQPW5
 IluQODpZUuawWtRIwV/Eoi+LaV2gINAL48Afr02UFYj4gmYQ5TeayLP7NKRQO0VL
 jwL4Z3a0cDyUX4i1OArn2ll8THfiog38HfLb70AG1l3P1BVoVVBYWCYbs4xgC9IK
 LWkjPKuGXvkGVfZi0nCGdPTOoB1CqCXUvKHXm52FCHg12uJMrBQEivodBoCTbtl0
 fSjULQcfrovUEb4d/rDAX7EgJbFS+1jDnodaFHsmNToo3CqfkMBdhLkxG3XExwjy
 OOR34wZssjTLsLlWH/RPucWD25RDy1vdPBska9QvvO7W0p+aOtFbnttkTh5cqs45
 rHg/sDEiaLA=
 =OrsS
 -----END PGP SIGNATURE-----
--- a/SPECS/nbdkit.spec
+++ b/SPECS/nbdkit.spec
--- a/SOURCES/copy-patches.sh
+++ b/SOURCES/copy-patches.sh
@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh
-rhel_version=8.8
+rhel_version=10.2
 # Check we're in the right directory.
 if [ ! -f nbdkit.spec ]; then
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
 --- !Policy
 product_versions:
  - rhel-*
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/libguestfs.keyring
+++ b/libguestfs.keyring
--- a/23
+++ b/23
@ -0,0 +1,23 @@
 #!/bin/bash -
 # Generate RPM provides automatically for nbdkit packages and filters.
 # Copyright (C) 2009-2022 Red Hat Inc.
 # To test:
 # find /usr/lib64/nbdkit/plugins | ./nbdkit-find-provides VER REL
 # find /usr/lib64/nbdkit/filters | ./nbdkit-find-provides VER REL
 ver="$1"
 rel="$2"
 function process_file
 {
    if [[ $1 =~ /plugins/nbdkit-.*-plugin ]] ||
       [[ $1 =~ /filters/nbdkit-.*-filter ]]; then
        echo "Provides:" "$(basename $1 .so)" "=" "$ver-$rel"
    fi
 }
 while read line; do
    process_file "$line"
 done
--- a/nbdkit.attr
+++ b/nbdkit.attr
@ -0,0 +1,3 @@
 %__nbdkit_provides %{_rpmconfigdir}/nbdkit-find-provides %{version} %{release}
 %__nbdkit_path     %{_libdir}/nbdkit/(plugins|filters)/nbdkit-.*-(plugin|filter)(\.so)?$
 %__nbdkit_flags    exeonly
--- a/nbdkit.fc
+++ b/nbdkit.fc
@ -0,0 +1,3 @@
 /usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
 /usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)
--- a/nbdkit.if
+++ b/nbdkit.if
@ -0,0 +1,207 @@
 ## <summary>policy for nbdkit</summary>
 ########################################
 ## <summary>
 ##    Execute nbdkit_exec_t in the nbdkit domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##    Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`nbdkit_domtrans',`
 	gen_require(`
 		type nbdkit_t, nbdkit_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
 ')
 ######################################
 ## <summary>
 ##    Execute nbdkit in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##    <summary>
 ##    Domain allowed access.
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_exec',`
 	gen_require(`
 		type nbdkit_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, nbdkit_exec_t)
 ')
 ########################################
 ## <summary>
 ##    Execute nbdkit in the nbdkit domain, and
 ##    allow the specified role the nbdkit domain.
 ## </summary>
 ## <param name="domain">
 ##    <summary>
 ##    Domain allowed to transition
 ##    </summary>
 ## </param>
 ## <param name="role">
 ##    <summary>
 ##    The role to be allowed the nbdkit domain.
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_run',`
 	gen_require(`
 		type nbdkit_t;
 		attribute_role nbdkit_roles;
 	')
 	nbdkit_domtrans($1)
 	roleattribute $2 nbdkit_roles;
 ')
 ########################################
 ## <summary>
 ##    Role access for nbdkit
 ## </summary>
 ## <param name="role">
 ##    <summary>
 ##    Role allowed access
 ##    </summary>
 ## </param>
 ## <param name="domain">
 ##    <summary>
 ##    User domain for the role
 ##    </summary>
 ## </param>
 #
 interface(`nbdkit_role',`
 	gen_require(`
 		type nbdkit_t;
 		attribute_role nbdkit_roles;
 	')
 	roleattribute $1 nbdkit_roles;
 	nbdkit_domtrans($2)
 	ps_process_pattern($2, nbdkit_t)
 	allow $2 nbdkit_t:process { signull signal sigkill };
 ')
 ########################################
 ## <summary>
 ##	Allow attempts to connect to nbdkit
 ##	with a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`nbdkit_stream_connect',`
 	gen_require(`
 		type nbdkit_t;
 	')
 	allow $1 nbdkit_t:unix_stream_socket connectto;
 ')
 ########################################
 ## <summary>
 ##      Allow nbdkit_exec_t to be an entrypoint
 ##      of the specified domain
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`nbdkit_entrypoint',`
        gen_require(`
                type nbdkit_exec_t;
        ')
        allow $1 nbdkit_exec_t:file entrypoint;
 ')
 # ----------------------------------------------------------------------
 # RWMJ: See:
 # https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
 # Remove this when virt.if gets updated.
 ########################################
 #
 # Interface compatibility blocks
 #
 # The following definitions ensure compatibility with distribution policy
 # versions that do not contain given interfaces (epel, or older Fedora
 # releases).
 # Each block tests for existence of given interface and defines it if needed.
 #
 ########################################
 ## <summary>
 ##      Read and write to svirt_image dirs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 ifndef(`virt_rw_svirt_image_dirs',`
 	interface(`virt_rw_svirt_image_dirs',`
 		gen_require(`
 			type svirt_image_t;
 		')
 		allow $1 svirt_image_t:dir rw_dir_perms;
 	')
 ')
 ########################################
 ## <summary>
 ##      Create svirt_image sock_files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 ifndef(`virt_create_svirt_image_sock_files',`
 	interface(`virt_create_svirt_image_sock_files',`
 		gen_require(`
 			type svirt_image_t;
 		')
 		allow $1 svirt_image_t:sock_file create_sock_file_perms;
 	')
 ')
 ########################################
 ## <summary>
 ## 	Read and write virtlogd pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##      Domain allowed access.
 ## </summary>
 ## </param>
 #
 ifndef(`virtlogd_rw_pipes',`
 	interface(`virtlogd_rw_pipes',`
 	        gen_require(`
 	                type virtlogd_t;
 	        ')
 	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
 	')
 ')
--- a/nbdkit.spec
+++ b/nbdkit.spec
--- a/nbdkit.te
+++ b/nbdkit.te
@ -0,0 +1,100 @@
 policy_module(nbdkit, 1.0.0)
 ########################################
 #
 # Declarations
 #
 gen_require(`
    type unconfined_t;
 ')
 type nbdkit_t;
 type nbdkit_exec_t;
 application_domain(nbdkit_t, nbdkit_exec_t)
 mcs_constrained(nbdkit_t)
 role system_r types nbdkit_t;
 type nbdkit_home_t;
 userdom_user_home_content(nbdkit_home_t)
 type nbdkit_tmp_t;
 files_tmp_file(nbdkit_tmp_t)
 type nbdkit_unit_file_t;
 systemd_unit_file(nbdkit_unit_file_t)
 permissive nbdkit_t;
 ########################################
 #
 # nbdkit local policy
 #
 allow nbdkit_t self:capability { setgid setuid };
 allow nbdkit_t self:fifo_file rw_fifo_file_perms;
 allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
 allow nbdkit_t self:process { fork setsockcreate signal_perms };
 allow nbdkit_t self:tcp_socket create_stream_socket_perms;
 allow nbdkit_t self:udp_socket create_socket_perms;
 manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
 manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
 userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
 manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
 manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
 userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
 corenet_tcp_connect_http_port(nbdkit_t)
 corenet_tcp_connect_ssh_port(nbdkit_t)
 corenet_tcp_connect_tftp_port(nbdkit_t)
 corenet_tcp_bind_generic_port(nbdkit_t)
 corenet_tcp_bind_generic_node(nbdkit_t)
 domain_use_interactive_fds(nbdkit_t)
 files_read_etc_files(nbdkit_t)
 init_abstract_socket_activation(nbdkit_t)
 init_ioctl_stream_sockets(nbdkit_t)
 init_rw_stream_sockets(nbdkit_t)
 optional_policy(`
 	auth_use_nsswitch(nbdkit_t)
 ')
 optional_policy(`
 	logging_send_syslog_msg(nbdkit_t)
 ')
 optional_policy(`
 	miscfiles_read_localization(nbdkit_t)
 	miscfiles_read_generic_certs(nbdkit_t)
 ')
 optional_policy(`
 	sysnet_dns_name_resolve(nbdkit_t)
 	sysnet_read_config(nbdkit_t)
 ')
 optional_policy(`
 	userdom_read_user_home_content_files(nbdkit_t)
 	userdom_use_inherited_user_ptys(nbdkit_t)
 ')
 optional_policy(`
 	virt_create_svirt_image_sock_files(nbdkit_t)
 	virt_read_qemu_pid_files(nbdkit_t)
 	virtlogd_rw_pipes(nbdkit_t)
 	virt_rw_svirt_image(nbdkit_t)
 	virt_rw_svirt_image_dirs(nbdkit_t)
 	virt_search_lib(nbdkit_t)
 	virt_stream_connect_svirt(nbdkit_t)
 ')
 # FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
 # nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
 # unconfined_t), but we don't want this transition to happen automatically 
 # when starting directly from the shell. I'm not sure how to achieve this...  
 #nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
--- a/2
+++ b/2
@ -0,0 +1,2 @@
 SHA512 (nbdkit-1.45.12.tar.gz) = a28da3e24c333da5b4b22961078095b1d73bb6c219e7cfae783c301b68d8e755ce839fa15bff6354b44ff7227a91eae6a8e264f3e26b5caff8d27c68905ff01b
 SHA512 (nbdkit-1.45.12.tar.gz.sig) = 93c497160f196b1a6144819742cee04b1fad663a148dbc4fd82efe73c9a1aabdcb9c01baa9ec84db17a392ae6cde468736750a878bba3e3c130507890f96a8e5
--- a/tests/basic-test.sh
+++ b/tests/basic-test.sh
@ -0,0 +1,6 @@
 #!/bin/bash -
 set -e
 set -x
 # Run nbdkit and check that nbdinfo can connect back to it.
 nbdkit -U - memory 1G --run 'nbdinfo "$uri"'
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,12 @@
 - hosts: localhost
  roles:
  - role: standard-test-basic
    tags:
    - classic
    required_packages:
    - libnbd
    - nbdkit
    tests:
    - simple:
        dir: .
        run: ./basic-test.sh
		`@ -1,2 +0,0 @@`
			`1bbc40f501a7fef9eef2a39b701a71aee2fea7c4 SOURCES/libguestfs.keyring`
			`069720cc0d1502b007652101d293a57d7b4d7c41 SOURCES/nbdkit-1.24.0.tar.gz`
		`@ -0,0 +1,3 @@`
							`/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)`

							`/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)`
		`@ -0,0 +1,2 @@`
							`SHA512 (nbdkit-1.45.12.tar.gz) = a28da3e24c333da5b4b22961078095b1d73bb6c219e7cfae783c301b68d8e755ce839fa15bff6354b44ff7227a91eae6a8e264f3e26b5caff8d27c68905ff01b`
							`SHA512 (nbdkit-1.45.12.tar.gz.sig) = 93c497160f196b1a6144819742cee04b1fad663a148dbc4fd82efe73c9a1aabdcb9c01baa9ec84db17a392ae6cde468736750a878bba3e3c130507890f96a8e5`