Debian

Available patches from Ubuntu

To see the Ubuntu differences with respect to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: libvirt

libvirt (5.4.0-0ubuntu5) eoan; urgency=medium

  * No-change upload with strops.h and sys/strops.h removed in glibc.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:00:53 +0000

libvirt (5.4.0-0ubuntu4) eoan; urgency=medium

  * d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities
    cpu features for the Host. (LP: 1828495 - not closing yet as guest caps
    still need fixups to work well LP: 1841066)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 20 Aug 2019 10:50:08 +0200

libvirt (5.4.0-0ubuntu3) eoan; urgency=medium

  * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for
    read-only connection
    - debian/patches/CVE-2019-10161.patch: add check to src/libvirt-domain.c,
      src/qemu/qemu_driver.c, src/remote/remote_protocol.x.
    - CVE-2019-10161
  * SECURITY UPDATE: virDomainManagedSaveDefineXML does not check for
    read-only connection
    - debian/patches/CVE-2019-10166.patch: add check to src/libvirt-domain.c.
    - CVE-2019-10166
  * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for
    read-only connection
    - debian/patches/CVE-2019-10167.patch: add check to src/libvirt-domain.c.
    - CVE-2019-10167
  * SECURITY UPDATE: virConnect*HypervisorCPU do not check for read-only
    connection
    - debian/patches/CVE-2019-10168.patch: add checks to src/libvirt-host.c.
    - CVE-2019-10168

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 02 Jul 2019 08:08:33 -0400

libvirt (5.4.0-0ubuntu2) eoan; urgency=medium

  * d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
    avoid issues with remote screen connections like virt-manager due to
    apparmor changes in libvirt 5.1 (LP: #1833040)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 19 Jun 2019 14:34:54 +0200

libvirt (5.4.0-0ubuntu1) eoan; urgency=medium

  * Merged with Debian git 5.3.0-1~1.gbp7b1637 and upstream's 5.4 release
    Among many other new features and fixes this includes fixes for:
    LP: #1759509 - virsh dompmwakeup fails to wake VM from dompmsuspend state
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the
      group based access to libvirt functions as it was used in Ubuntu for
      quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due
        to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
        auto set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users on
        Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
      vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch:
        apparmor: Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch:
        appmor, libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch:
        virt-aa-helper: add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk
        (renamed and reworded, was
        virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch:
        allow commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include for
        abstraction/libvirt-qemu (LP: 1786019)
      + d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues
        with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
    - d/rules: enable build time self tests on all architectures
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/control: drop libnetcf from Build-Depends.
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
      Secure Boot enabled variants of the OVMF firmware and variable store for
      the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - d/rules: also check build time self test results on all architectures
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/t/control: fix smoke-qemu-session by ensuring the service will run
      installing libvirt-daemon-system
    - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
      long as the following undefine succeeds
    - avoid service dependency issues on upgrade (LP: 1786179)
      This will in the long term be resolved in dh_* tools, but to let an
      upgrade work for now we need to drop the sysV scripts (which we don't
      use anyway) and slightly modify the systemd service to work with today's
      dh_systemd_start properly. Can be dropped once Debian bug 905772 is
      resolved in dh_* tools and libvirt uses that new code.
      - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
      - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
      - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and
        libvirtd sysV init file
      - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references
        to virtlogd/virtlockd sockets as they would imply a restart of
        virtlogd breaking it.
      - d/t/smoke-lxc: use systemd instead of sysV to restart the service
  * Added Changes:
    - Refreshed patches to match new upstream
      - d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch
      - d/p/ubuntu/ubuntu_machine_type.patch
    - d/control: Revert iptables/ebtables dependency as Eoan still is on 1.6.x
      This can be dropped once >=1.8.1
    - d/rules: adapt iptables binary paths present in Eoan (LP: #1832297)
      This can be dropped once >=1.8.1
    - d/p/ubuntu/dnsmasq-as-priv-user: update to include the new test
      nat-network-mtu
    - revert [c3c4cd4] drop in helper for firewalld as it is disabled on
      Ubuntu [can be squashed with the disabling of firewalld on next merge]
    - d/libvirt0.symbols: bump symbol versions for 5.4.0
    - d/rules: add --no-restart-after-upgrade to services that are supposed
      to stay up through upgrades - this also applies to related sockets.
  * Dropped Changes (upstream)
    - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed for
      the ease of use of mdev and gl devices (LP: 1804766)
    - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF
      (LP: 1771662)
    - d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined
      the never functional osxsave and ospke features (LP: 1825195).
    - d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
      vhost-scsi hotplug in virt-aa-helper (LP: 1829223)
    - SECURITY UPDATE: Add support for md-clear functionality
      + debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
        src/cpu_map/x86_features.xml.
      + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
    - Implement further apparmor rules for usage of gl enabled graphics
      (LP: 1815452)
      + d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch
      + d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch
    - Implement further apparmor rules for usage of gl enabled graphics with
      nvidia cards (LP: 1817943)
      + d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch
      + d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch
  * Dropped Changes (in Debian)
    - d/rules: strip -Bsymbolic-functions from linker flags as it breaks
      libvirt tests

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 07 Jun 2019 11:55:52 +0200

libvirt (5.3.0-1~1.gbp7b1637) UNRELEASED; urgency=medium

  ** SNAPSHOT build @7b1637605da9224c46ebf3a243fa725d643e7556 **

  [ Guido Günther ]
  * [fb43676] d/control: Drop dh-autoreconf build-dep.
    Not needed for dh compat > 10.
  * [81d21d5] d/not-installed: Use multi-arch dirs.
    Files moved during the dh12 switch.
  * [428ad14] New upstream version 5.3.0~rc2
  * [641e532] New upstream version 5.3.0

  [ Christian Ehrhardt ]
  * [c28c3b3] d/libvirt0.install: install translations
  * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld
  * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig
  * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as example
  * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf
    (Closes: #919484)

  [ Andrea Bolognani ]
  * [6a2eae3] Simplify and improve watch file.

 -- Guido Günther <agx@sigxcpu.org>  Mon, 06 May 2019 13:06:27 +0200

Modifications:
  1. Download patch debian/libvirt-daemon.dnsmasq

    --- 5.2.0-2/debian/libvirt-daemon.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon.dnsmasq 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,2 @@ +bind-interfaces +except-interface=virbr0
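Review bot: `except-interface=virbr0` only names the default network's bridge, so a system-wide dnsmasq that picks up this drop-in will still bind on any further libvirt bridge (virbr1 and so on) and compete with the per-network dnsmasq that libvirt starts there; either state that limitation in a comment in the file or extend the exclusion to the other bridges. `bind-interfaces` itself is the right companion setting, since without it dnsmasq would bind the wildcard address and the exclusion would have no effect.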
  2. Download patch debian/libvirt0.symbols

    --- 5.2.0-2/debian/libvirt0.symbols 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt0.symbols 2019-08-20 08:50:08.000000000 +0000 @@ -119,7 +119,9 @@ libvirt.so.0 libvirt0 #MINVER# *@LIBVIRT_4.10.0 4.10.0 *@LIBVIRT_5.0.0 5.0.0 *@LIBVIRT_5.2.0 5.2.0~rc1 - *@LIBVIRT_PRIVATE_5.2.0 5.2.0~rc1 + *@LIBVIRT_5.3.0 5.3.0 + *@LIBVIRT_5.4.0 5.4.0 + *@LIBVIRT_PRIVATE_5.4.0 5.4.0 libvirt-qemu.so.0 libvirt0 #MINVER# *@LIBVIRT_QEMU_0.8.3 0.8.3 @@ -141,4 +143,4 @@ libvirt-admin.so.0 libvirt0 #MINVER# *@LIBVIRT_ADMIN_1.3.0 1.2.18 *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1 *@LIBVIRT_ADMIN_3.0.0 3.0.0 - *@LIBVIRT_ADMIN_PRIVATE_5.2.0 5.2.0~rc1 + *@LIBVIRT_ADMIN_PRIVATE_5.4.0 5.4.0
  3. Download patch debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,30 @@ +From 0631bc4d4a3758319d2c7e61a26c32dbfdf6b07a Mon Sep 17 00:00:00 2001 +From: Jamie Strandboge <jamie@ubuntu.com> +Date: Tue, 23 May 2017 17:15:01 +0200 +Subject: [PATCH 03/33] apparmor, libvirt-qemu: Allow read access to + overcommit_memory + +Allow qemu to read @{PROC}/sys/vm/overcommit_memory. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu +index 899bf6c..e990ab4 100644 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -26,6 +26,7 @@ + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, ++ @{PROC}/sys/vm/overcommit_memory r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, +-- +2.7.4 +
  4. Download patch debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,43 @@ +From df20057fd2774cd61d86a6f0a7f05a545e1bd862 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Wed, 10 May 2017 15:16:30 +0200 +Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk + elements + +Just because a disk element only requests read access doesn't mean +there may not be another readwrite request. + +Using 'R' when creating the apparmor rule will prevent an implicit +write-deny rule to be created alongside. This does not mean write +is allowed but it would cause a denial message and probably more +relevant, allows to add write access later. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031 + +Review note: Investigate whether instead of dropping explicit deny +write it would be possible to create explicit blockcommit rules +(LP: #1692441). + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/virt-aa-helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -894,11 +894,11 @@ add_file_path(virDomainDiskDefPtr disk, + + if (depth == 0) { + if (disk->src->readonly) +- ret = vah_add_file(buf, path, "rk"); ++ ret = vah_add_file(buf, path, "Rk"); + else + ret = vah_add_file(buf, path, "rwk"); + } else { +- ret = vah_add_file(buf, path, "rk"); ++ ret = vah_add_file(buf, path, "Rk"); + } + + if (ret != 0)
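Review bot: the commit message only explains the readonly disk element case, but the second hunk also switches the `depth > 0` branch from "rk" to "Rk", so every backing-chain file of a writable disk likewise loses its implicit deny-write rule; say in the message that backing files are intentionally included (presumably the blockcommit case the review note on LP: #1692441 refers to) so the wider scope is not read as an oversight. Since "R" only drops the deny rule and does not grant write, the security effect is that a later, broader rule can now take effect for those paths, which is worth spelling out for whoever audits the generated profiles.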
  5. Download patch debian/patches/ubuntu/xen-default-uri.patch

    --- 5.2.0-2/debian/patches/ubuntu/xen-default-uri.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/xen-default-uri.patch 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,28 @@ +Description: Xen default URI + Add some additional code which sets LIBVIRT_DEFAULT_URI if running in + a Xen control domain. The built-in detection does not really work because + qemu (not accelerated/KVM) is is still available as conntection driver. + Though very unlikely desired as the default then. +Forwarded: no +Author: Stefan Bader <stefan.bader@canonical.com> + +Index: libvirt-1.3.1/tools/libvirt-guests.sh.in +=================================================================== +--- libvirt-1.3.1.orig/tools/libvirt-guests.sh.in 2016-03-02 11:22:16.413519687 +0100 ++++ libvirt-1.3.1/tools/libvirt-guests.sh.in 2016-03-04 14:41:00.806625419 +0100 +@@ -61,6 +61,15 @@ VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedi + + RETVAL=0 + ++# Default URI is not correct in the Xen case as the non-accelerated ++# qemu driver also gets initialized. ++if [ -f "/proc/xen/capabilities" ]; then ++ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then ++ LIBVIRT_DEFAULT_URI="xen:///" ++ export LIBVIRT_DEFAULT_URI ++ fi ++fi ++ + # retval COMMAND ARGUMENTS... + # run command with arguments and convert non-zero return value to 1 and set + # the global return variable
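Review bot: the `Index:`/`---`/`+++` header still points at libvirt-1.3.1 paths although the patch is carried in 5.4.0, and the Description has two typos ("is is", "conntection"); refresh the header and fix the wording. In the hunk, `[ "$(cat /proc/xen/capabilities)" = "control_d" ]` compares the whole file content against one exact token, so the default-URI export silently does not happen if that file ever lists anything besides `control_d`; a pattern match (for example with `grep -qw`) would be more robust.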
  6. Download patch debian/patches/ubuntu/set-default-machine-to-ubuntu.patch

    --- 5.2.0-2/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,45 @@ +Description: set default machine type to ubuntu + Upstream qemu is about to change the default machine type to q35. + But libvirt has sort of an API-contract that guarantees to have the + default be at a "pc" type. + Note: it can not be overemphasized that users/tools should choose a type + themselves in any cases possible + . + Due to those changes in qemu libvirt now ignores the qemu default type. + But we want the latest distro machine type the default. + Qemu only provides max one alias per type, so we can not set "ubuntu" + which is the default we provided for users asking for the latest type + matching the current series AND at the same time an alias to "pc" which + is what libvirt now explicitly selects. + . + The lowest amount of confusion is to let libvirt select "ubuntu" instead of + "pc" as the default. That matches all former Ubuntu releases where "ubuntu" + was the default qemu provided and libvirt picked up and at the same time it + stays a pc-based type as required by libvirt. + . + Distro-only: as the machine types only are that way to maintain + differences between pure upstream and derived qemu implementation. +Forwarded: not-needed +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Last-Update: 2019-01-10 + +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2207,7 +2207,7 @@ static const char *preferredMachines[] = + + "integratorcp", /* VIR_ARCH_AARCH64 */ + "axis-dev88", /* VIR_ARCH_CRIS */ +- "pc", /* VIR_ARCH_I686 */ ++ "ubuntu", /* VIR_ARCH_I686 */ + NULL, /* VIR_ARCH_ITANIUM (doesn't exist in QEMU any more) */ + "lm32-evr", /* VIR_ARCH_LM32 */ + +@@ -2239,7 +2239,7 @@ static const char *preferredMachines[] = + "SS-5", /* VIR_ARCH_SPARC */ + "sun4u", /* VIR_ARCH_SPARC64 */ + "puv3", /* VIR_ARCH_UNICORE32 */ +- "pc", /* VIR_ARCH_X86_64 */ ++ "ubuntu", /* VIR_ARCH_X86_64 */ + + "sim", /* VIR_ARCH_XTENSA */ + "sim", /* VIR_ARCH_XTENSAEB */
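Review bot: the hunks make libvirt's preferred i686/x86_64 machine an alias ("ubuntu") that only the Ubuntu qemu packages provide, and the Description does not say what libvirt does when the qemu in use (an upstream or third-party build, for instance) offers no "ubuntu" type; add a sentence on that fallback so users of a non-distro qemu know whether they get "pc" or a failure. The note that users and tools should always pick a machine type explicitly is the most important guidance in the text and deserves to come first.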
  7. Download patch debian/patches/ubuntu/parallel-shutdown.patch

    --- 5.2.0-2/debian/patches/ubuntu/parallel-shutdown.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/parallel-shutdown.patch 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,25 @@ +Description: enhance default shutdown behavior + Modify the default config to do 10 parallel shutdown requests and reduce + the timeout to 120s/2m. +Forwarded: no +Author: Stefan Bader <stefan.bader@canonical.com> + +--- a/tools/libvirt-guests.sysconf ++++ b/tools/libvirt-guests.sysconf +@@ -28,14 +28,14 @@ + # "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one + # after another. Number of guests on shutdown at any time will not exceed number + # set in this variable. +-#PARALLEL_SHUTDOWN=0 ++PARALLEL_SHUTDOWN=10 + + # Number of seconds we're willing to wait for a guest to shut down. If parallel + # shutdown is enabled, this timeout applies as a timeout for shutting down all + # guests on a single URI defined in the variable URIS. If this is 0, then there + # is no time out (use with caution, as guests might not respond to a shutdown + # request). The default value is 300 seconds (5 minutes). +-#SHUTDOWN_TIMEOUT=300 ++SHUTDOWN_TIMEOUT=120 + + # If non-zero, try to bypass the file system cache when saving and + # restoring guests, even though this may give slower operation for
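Review bot: the unchanged comment directly above `SHUTDOWN_TIMEOUT` states that once parallel shutdown is enabled the timeout bounds the shutdown of all guests on a URI together, so this patch both widens what the timeout covers and cuts it from 300 to 120 seconds at the same time; the Description should explain why 120 seconds is enough for a batch of ten guests, since guests that have not completed a clean shutdown when the timer expires are the ones that can end up with inconsistent state at host shutdown.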
  8. Download patch build-aux/header-ifdef.pl

    --- 5.2.0-2/build-aux/header-ifdef.pl 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/build-aux/header-ifdef.pl 2019-04-27 10:31:34.854092843 +0000 
@@ -0,0 +1,161 @@ +#!/usr/bin/perl +# +# Validate that header files follow a standard layout: +# +# /* +# ...copyright header... +# */ +# <one blank line> +# #ifndef SYMBOL +# # define SYMBOL +# ....content.... +# #endif /* SYMBOL */ +# +# For any file ending priv.h, before the #ifndef +# We will have a further section +# +# #ifndef SYMBOL_ALLOW +# # error .... +# #endif /* SYMBOL_ALLOW */ +# <one blank line> + +use strict; +use warnings; + +my $STATE_COPYRIGHT_COMMENT = 0; +my $STATE_COPYRIGHT_BLANK = 1; +my $STATE_PRIV_START = 2; +my $STATE_PRIV_ERROR = 3; +my $STATE_PRIV_END = 4; +my $STATE_PRIV_BLANK = 5; +my $STATE_GUARD_START = 6; +my $STATE_GUARD_DEFINE = 7; +my $STATE_GUARD_END = 8; +my $STATE_EOF = 9; +my $STATE_PRAGMA = 10; + +my $file = " "; +my $ret = 0; +my $ifdef = ""; +my $ifdefpriv = ""; + +my $state = $STATE_EOF; +my $mistake = 0; + +sub mistake { + my $msg = shift; + warn $msg; + $mistake = 1; + $ret = 1; +} + +while (<>) { + if (not $file eq $ARGV) { + if ($state == $STATE_COPYRIGHT_COMMENT) { + &mistake("$file: missing copyright comment"); + } elsif ($state == $STATE_COPYRIGHT_BLANK) { + &mistake("$file: missing blank line after copyright header"); + } elsif ($state == $STATE_PRIV_START) { + &mistake("$file: missing '#ifndef $ifdefpriv'"); + } elsif ($state == $STATE_PRIV_ERROR) { + &mistake("$file: missing '# error ...priv allow...'"); + } elsif ($state == $STATE_PRIV_END) { + &mistake("$file: missing '#endif /* $ifdefpriv */'"); + } elsif ($state == $STATE_PRIV_BLANK) { + &mistake("$file: missing blank line after priv header check"); + } elsif ($state == $STATE_GUARD_START) { + &mistake("$file: missing '#ifndef $ifdef'"); + } elsif ($state == $STATE_GUARD_DEFINE) { + &mistake("$file: missing '# define $ifdef'"); + } elsif ($state == $STATE_GUARD_END) { + &mistake("$file: missing '#endif /* $ifdef */'"); + } + + $ifdef = uc $ARGV; + $ifdef =~ s,.*/,,; + $ifdef =~ s,[^A-Z0-9],_,g; + $ifdef =~ s,__+,_,g; + unless ($ifdef =~ /^LIBVIRT_/ && $ARGV 
!~ /libvirt_internal.h/) { + $ifdef = "LIBVIRT_" . $ifdef; + } + $ifdefpriv = $ifdef . "_ALLOW"; + + $file = $ARGV; + $state = $STATE_COPYRIGHT_COMMENT; + $mistake = 0; + } + + if ($mistake || + $ARGV =~ /config-post\.h$/ || + $ARGV =~ /vbox_(CAPI|XPCOM)/) { + $state = $STATE_EOF; + next; + } + + if ($state == $STATE_COPYRIGHT_COMMENT) { + if (m,\*/,) { + $state = $STATE_COPYRIGHT_BLANK; + } + } elsif ($state == $STATE_COPYRIGHT_BLANK) { + if (! /^$/) { + &mistake("$file: missing blank line after copyright header"); + } + if ($ARGV =~ /priv\.h$/) { + $state = $STATE_PRIV_START; + } else { + $state = $STATE_GUARD_START; + } + } elsif ($state == $STATE_PRIV_START) { + if (/^$/) { + &mistake("$file: too many blank lines after copyright header"); + } elsif (/#ifndef $ifdefpriv$/) { + $state = $STATE_PRIV_ERROR; + } else { + &mistake("$file: missing '#ifndef $ifdefpriv'"); + } + } elsif ($state == $STATE_PRIV_ERROR) { + if (/# error ".*"$/) { + $state = $STATE_PRIV_END; + } else { + &mistake("$file: missing '# error ...priv allow...'"); + } + } elsif ($state == $STATE_PRIV_END) { + if (m,#endif /\* $ifdefpriv \*/,) { + $state = $STATE_PRIV_BLANK; + } else { + &mistake("$file: missing '#endif /* $ifdefpriv */'"); + } + } elsif ($state == $STATE_PRIV_BLANK) { + if (! 
/^$/) { + &mistake("$file: missing blank line after priv guard"); + } + $state = $STATE_GUARD_START; + } elsif ($state == $STATE_GUARD_START) { + if (/^$/) { + &mistake("$file: too many blank lines after copyright header"); + } elsif(/#pragma once/) { + $state = $STATE_PRAGMA; + } elsif (/#ifndef $ifdef$/) { + $state = $STATE_GUARD_DEFINE; + } else { + &mistake("$file: missing '#ifndef $ifdef'"); + } + } elsif ($state == $STATE_GUARD_DEFINE) { + if (/# define $ifdef$/) { + $state = $STATE_GUARD_END; + } else { + &mistake("$file: missing '# define $ifdef'"); + } + } elsif ($state == $STATE_GUARD_END) { + if (m,#endif /\* $ifdef \*/$,) { + $state = $STATE_EOF; + } + } elsif ($state == $STATE_PRAGMA) { + next; + } elsif ($state == $STATE_EOF) { + die "$file: unexpected content after '#endif /* $ifdef */'"; + } else { + die "$file: unexpected state $state"; + } +} +exit $ret;
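Review bot: the header comment documents only the `#ifndef`/`# define`/`#endif` guard layout, but the state machine also accepts `#pragma once` (STATE_PRAGMA) and then skips the remainder of the file without further checks; document that alternative in the comment block so the two accepted layouts are visible to contributors. Minor: `my $file = " ";` relies on the single-space sentinel never matching a real `$ARGV`, which is fine but worth a one-line comment.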
  9. Download patch debian/tests/control

    --- 5.2.0-2/debian/tests/control 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/tests/control 2019-08-20 08:50:08.000000000 +0000 @@ -3,12 +3,13 @@ Depends: libvirt-clients Restrictions: allow-stderr Tests: smoke-qemu-session -Depends: libvirt-daemon, libvirt-clients, libxml2-utils, qemu-system, qemu-kvm +Depends: libvirt-daemon-system, libvirt-clients, libxml2-utils, qemu-system, qemu-kvm, + linux-image-amd64 [amd64] | linux-generic [amd64] Restrictions: allow-stderr, isolation-container Tests: smoke-lxc Depends: libvirt-daemon-system, libvirt-clients, libxml2-utils -Restrictions: allow-stderr, needs-root +Restrictions: allow-stderr, needs-root, isolation-machine Tests: build-test Depends: libvirt-dev, build-essential, pkg-config
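Review bot: the added kernel dependency `linux-image-amd64 [amd64] | linux-generic [amd64]` is restricted to amd64, so on every other architecture smoke-qemu-session still runs without the vmlinuz the changelog says it was fixed to need ("making vmlinuz available and accessible"); either add per-architecture alternatives or restrict the test with an `Architecture:` field so it is skipped instead of failing elsewhere. The switch from `libvirt-daemon` to `libvirt-daemon-system` matches the changelog entry and is what actually makes the service start inside the container.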
  10. Download patch debian/libvirt-daemon-system.examples

    --- 5.2.0-2/debian/libvirt-daemon-system.examples 2018-07-08 11:11:33.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.examples 2019-08-20 08:50:08.000000000 +0000 @@ -1,3 +1,4 @@ src/remote/libvirtd.conf src/remote/libvirtd.policy src/remote/libvirtd.sasl +src/remote/libvirtd.sysctl
  11. Download patch debian/patches/ubuntu/daemon-augeas-fix-expected.patch

    --- 5.2.0-2/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,28 @@ +Description: Fix the expected augeas output for 'make check' + This never used to run for us because we never build-depended on + augeas-tools. +Author: Serge Hallyn <serge.hallyn@ubuntu.com> +Forwarded: no + +This is only needed in combination with + d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch and makes the tests +match the slightly different default configuration. + +Index: libvirt/daemon/test_libvirtd.aug.in +=================================================================== +--- libvirt.orig/src/remote/test_libvirtd.aug.in ++++ libvirt/src/remote/test_libvirtd.aug.in +@@ -9,13 +9,8 @@ module Test_libvirtd = + { "listen_addr" = "192.168.0.1" } + { "mdns_adv" = "1" } + { "mdns_name" = "Virtualization Host Joe Demo" } +- { "unix_sock_group" = "libvirt" } +- { "unix_sock_ro_perms" = "0777" } +- { "unix_sock_rw_perms" = "0770" } + { "unix_sock_admin_perms" = "0700" } + { "unix_sock_dir" = "/var/run/libvirt" } +- { "auth_unix_ro" = "none" } +- { "auth_unix_rw" = "none" } + { "auth_tcp" = "sasl" } + { "auth_tls" = "none" } + { "access_drivers"
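Review bot: the `Index:` line names `libvirt/daemon/test_libvirtd.aug.in` while the `---`/`+++` lines patch `src/remote/test_libvirtd.aug.in`; fix or drop the stale Index path so patch tooling is not pointed at a file that no longer exists. The Description should also state which values the removed `unix_sock_group`, `unix_sock_*_perms` and `auth_unix_*` entries take under the Ubuntu group-based default, since the augeas test now passes only because those settings are no longer part of the expected output, and a reader of the test alone cannot see the intended socket permissions.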
  12. Download patch debian/libvirt-daemon-system.dirs

    --- 5.2.0-2/debian/libvirt-daemon-system.dirs 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.dirs 2019-08-14 05:26:37.000000000 +0000 @@ -1,3 +1,4 @@ +/usr/share/apport/package-hooks /var/lib/libvirt/boot /var/lib/libvirt/images /var/lib/libvirt/qemu @@ -8,6 +9,8 @@ /var/log/libvirt/qemu /var/log/libvirt/uml /var/log/libvirt/lxc +/var/log/libvirt/libxl /etc/libvirt/hooks +/etc/dnsmasq.d-available /usr/share/polkit-1/rules.d/ /var/lib/polkit-1/localauthority/10-vendor.d/
  13. Download patch debian/patches/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,39 @@ +From 18ffb1670ec8d7ee6e309177a08a24be139c173a Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Wed, 19 Jun 2019 09:04:55 +0200 +Subject: [PATCH] apparmor: Add openGraphicsFD rule for named profile + +Commit a3ab6d42 changed the libvirtd profile to a named profile +but neglected to accommodate the change in the qemu profile +ptrace and signal rules. +Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD +is still missing. + +As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with +virt-manager. + +Add openGraphicsFD rule that references the libvirtd profile +by name in addition to full binary path. + +Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040 + +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=18ffb167 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1833040 +Last-Update: 2019-06-19 + +--- + src/security/apparmor/libvirt-qemu | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -214,6 +214,7 @@ + /sys/firmware/devicetree/** r, + + # allow connect with openGraphicsFD to work ++ unix (send, receive) type=stream addr=none peer=(label=libvirtd), + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + + # allow access to charm-specific ceph config (LP: #1403648).
  14. Download patch docs/auditlog.html

    --- 5.2.0-2/docs/auditlog.html 2019-03-28 08:58:09.849593630 +0000 +++ 5.4.0-0ubuntu5/docs/auditlog.html 2019-05-28 10:47:06.392518040 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:09 UTC 2019. + This page was generated at Tue May 28 10:47:06 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Audit log</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Audit log</h1> 
@@ -660,12 +631,31 @@ </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
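Review bot: the search rewrite sends every query to a third party (`action="https://www.google.com/search"` with a hidden `sitesearch=libvirt.org`), which is a privacy change for anyone browsing the locally installed docs and worth a mention in the changelog. Structurally, the `<div id="advancedsearch">` with the `what` radio group sits after `</form>`, so its value is never part of the submission; it only does anything if the new external js/main.js reads it, and a reader of the HTML alone cannot tell. The inline scroll handler is likewise replaced by `src="js/main.js"` plus `onload="pageload()"`, so the page is only functional if that file ships alongside the html and defines pageload(); this is generated output, so the fix belongs in the template, but the dependency should be checked in the packaging.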
  15. Download patch build-aux/minimize-po.pl

    --- 5.2.0-2/build-aux/minimize-po.pl 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/build-aux/minimize-po.pl 2018-04-26 12:45:28.717155766 +0000 @@ -0,0 +1,37 @@ +#!/usr/bin/perl + +my @block; +my $msgstr = 0; +my $empty = 0; +my $unused = 0; +my $fuzzy = 0; +while (<>) { + if (/^$/) { + if (!$empty && !$unused && !$fuzzy) { + print @block; + } + @block = (); + $msgstr = 0; + $fuzzy = 0; + push @block, $_; + } else { + if (/^msgstr/) { + $msgstr = 1; + $empty = 1; + } + if (/^#.*fuzzy/) { + $fuzzy = 1; + } + if (/^#~ msgstr/) { + $unused = 1; + } + if ($msgstr && /".+"/) { + $empty = 0; + } + push @block, $_; + } +} + +if (@block && !$empty && !$unused) { + print @block; +}
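Review bot: `$unused` is never reset when a blank line starts a new block (the `/^$/` branch clears `$msgstr` and `$fuzzy` only), so once a `#~ msgstr` entry has been seen every later block is dropped as well; that only works if obsolete entries are always the last thing in the file. Add `$unused = 0;` beside `$fuzzy = 0;`. The final `if (@block && !$empty && !$unused)` also omits the `!$fuzzy` test the loop applies, so a fuzzy entry that ends the file without a trailing blank line is kept; and `$empty` carries its previous value into a block that has no `msgstr` line at all. A one-line header comment stating the intent (strip empty, fuzzy and obsolete translations from a .po file) would help, since the script has none.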
  16. Download patch debian/patches/ubuntu/lp-1828495-cpu_x86-Introduce-virCPUx86FeatureFilter-MSR.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-cpu_x86-Introduce-virCPUx86FeatureFilter-MSR.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-cpu_x86-Introduce-virCPUx86FeatureFilter-MSR.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,119 @@ +From bcfed7f1c84cbff21d129a79cbd675b0cd51613c Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 19 Jun 2019 21:59:12 +0200 +Subject: [PATCH] cpu_x86: Introduce virCPUx86FeatureFilter*MSR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This functions may be used as a virCPUDefFeatureFilter callbacks for +virCPUDefCheckFeatures, virCPUDefFilerFeatures, and similar functions to +select (virCPUx86FeatureFilterSelectMSR) or drop +(virCPUx86FeatureFilterDropMSR) features reported via MSR. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=bcfed7f1 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/cpu/cpu_x86.c | 57 ++++++++++++++++++++++++++++++++++++++++ + src/cpu/cpu_x86.h | 6 +++++ + src/libvirt_private.syms | 3 ++- + 3 files changed, 65 insertions(+), 1 deletion(-) + +--- a/src/cpu/cpu_x86.c ++++ b/src/cpu/cpu_x86.c +@@ -3353,6 +3353,63 @@ virCPUx86DataAddFeature(virCPUDataPtr cp + } + + ++static bool ++virCPUx86FeatureIsMSR(const char *name) ++{ ++ virCPUx86FeaturePtr feature; ++ virCPUx86DataIterator iter; ++ virCPUx86DataItemPtr item; ++ virCPUx86MapPtr map; ++ ++ if (!(map = virCPUx86GetMap())) ++ return false; ++ ++ if (!(feature = x86FeatureFind(map, name)) && ++ !(feature = x86FeatureFindInternal(name))) ++ return false; ++ ++ virCPUx86DataIteratorInit(&iter, &feature->data); ++ while ((item = virCPUx86DataNext(&iter))) { ++ if (item->type == VIR_CPU_X86_DATA_MSR) ++ return true; ++ } ++ ++ return false; ++} ++ ++ ++/** ++ * virCPUx86FeatureFilterSelectMSR: ++ * ++ * This is a callback for functions filtering features in virCPUDef. The result ++ * will contain only MSR features. ++ * ++ * Returns true if @name is an MSR feature, false otherwise. 
++ */ ++bool ++virCPUx86FeatureFilterSelectMSR(const char *name, ++ void *opaque ATTRIBUTE_UNUSED) ++{ ++ return virCPUx86FeatureIsMSR(name); ++} ++ ++ ++/** ++ * virCPUx86FeatureFilterDropMSR: ++ * ++ * This is a callback for functions filtering features in virCPUDef. The result ++ * will not contain any MSR feature. ++ * ++ * Returns true if @name is not an MSR feature, false otherwise. ++ */ ++bool ++virCPUx86FeatureFilterDropMSR(const char *name, ++ void *opaque ATTRIBUTE_UNUSED) ++{ ++ return !virCPUx86FeatureIsMSR(name); ++} ++ ++ + struct cpuArchDriver cpuDriverX86 = { + .name = "x86", + .arch = archs, +--- a/src/cpu/cpu_x86.h ++++ b/src/cpu/cpu_x86.h +@@ -42,6 +42,12 @@ uint32_t virCPUx86DataGetSignature(virCP + int virCPUx86DataSetVendor(virCPUDataPtr cpuData, + const char *vendor); + ++bool virCPUx86FeatureFilterSelectMSR(const char *name, ++ void *opaque); ++ ++bool virCPUx86FeatureFilterDropMSR(const char *name, ++ void *opaque); ++ + int virCPUx86DataAddFeature(virCPUDataPtr cpuData, + const char *name); + +--- a/src/libvirt_private.syms ++++ b/src/libvirt_private.syms +@@ -1250,7 +1250,8 @@ virCPUx86DataAddFeature; + virCPUx86DataGetSignature; + virCPUx86DataSetSignature; + virCPUx86DataSetVendor; +- ++virCPUx86FeatureFilterDropMSR; ++virCPUx86FeatureFilterSelectMSR; + + # datatypes.h + virConnectClass;
  17. Download patch docs/404.html

    --- 5.2.0-2/docs/404.html 2019-03-28 08:58:10.124590777 +0000 +++ 5.4.0-0ubuntu5/docs/404.html 2019-05-28 10:47:06.741514986 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:10 UTC 2019. + This page was generated at Tue May 28 10:47:06 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: 404 page not found</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="/js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>404 page not found</h1> 
@@ -86,12 +57,31 @@ </ul> </div> <div id="search"> - <form action="/search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
  18. Download patch debian/rules

    --- 5.2.0-2/debian/rules 2019-04-22 06:55:18.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/rules 2019-08-20 08:50:08.000000000 +0000 @@ -5,15 +5,18 @@ DEB_BUILDDATE=$(shell dpkg-parsechangelo DEB_BUILDUSER=$(shell dpkg-parsechangelog -SMaintainer) NULL= +# If the build environment sets -Bsymbolic-functions, which is often used as +# hardening option, that would break libvirt build time self-testing. +# Therefore let dpkg-buildflag strip that option if present. +export DEB_LDFLAGS_MAINT_STRIP = -Wl,-Bsymbolic-functions + ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux)) ifneq (,$(findstring $(DEB_HOST_ARCH), i386 amd64)) WITH_VBOX = --with-vbox - FAIL_CHECK = 1 else WITH_VBOX = --without-vbox endif ifneq (,$(findstring $(DEB_HOST_ARCH), i386 amd64 armhf arm64)) - MAKE_CHECK = 1 WITH_XEN = --with-xen WITH_LIBXL = --with-libxl XEN_ENABLED = 1 @@ -21,6 +24,8 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS) WITH_XEN = --without-xen WITH_LIBXL = --without-libxl endif + MAKE_CHECK = 1 + FAIL_CHECK = 1 WITH_STORAGE_LVM = --with-storage-lvm WITH_STORAGE_ISCSI = --with-storage-iscsi WITH_STORAGE_DISK = --with-storage-disk 
@@ -32,21 +37,21 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS) WITH_MACVTAP = --with-macvtap WITH_NETWORK = --with-network WITH_OPENVZ = --with-openvz - WITH_NETCF = --with-netcf + WITH_NETCF = --without-netcf WITH_SANLOCK = --with-sanlock WITH_INIT_SCRIPT = --with-init-script=systemd WITH_SYSTEMD = --with-systemd-daemon - WITH_FIREWALLD = --with-firewalld + WITH_FIREWALLD = --without-firewalld WITH_AUDIT = --with-audit WITH_SELINUX = --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux WITH_APPARMOR = --with-apparmor --with-secdriver-apparmor --with-apparmor-profiles WITH_NSS_PLUGIN = --with-nss-plugin - ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390)) + ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc ppc64el s390 s390x)) WITH_DTRACE = --with-dtrace else WITH_DTRACE = --without-dtrace endif - ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 i386 ia64 mips mipsel powerpc ppc64el)) + ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 i386 ia64 mips mipsel powerpc ppc64el s390x)) WITH_NUMA = --with-numactl --with-numad else WITH_NUMA = --without-numactl --without-numad @@ -93,12 +98,12 @@ DEB_CONFIGURE_EXTRA_ARGS := \ --disable-rpath \ --with-qemu \ --with-qemu-user=libvirt-qemu \ - --with-qemu-group=libvirt-qemu \ + --with-qemu-group=kvm \ $(WITH_OPENVZ) \ --with-avahi \ --with-sasl \ --with-yajl \ - --with-ssh2 \ + --without-ssh2 \ --with-polkit \ $(WITH_UDEV) \ --with-storage-fs \ 
@@ -150,14 +155,13 @@ LOGROTATE = $(basename $(basename $(notd EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/ %: - dh $@ --builddirectory=$(DEB_BUILDDIR) --with autoreconf + dh $@ --builddirectory=$(DEB_BUILDDIR) override_dh_auto_configure: - IPTABLES_PATH=/usr/sbin/iptables \ - IP6TABLES_PATH=/usr/sbin/ip6tables \ + IPTABLES_PATH=/sbin/iptables \ + IP6TABLES_PATH=/sbin/ip6tables \ EBTABLES_PATH=/usr/sbin/ebtables \ dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS) $(shell dpkg-buildflags --export=configure) - mkdir -p debian/build/docs/internals override_dh_auto_test: export LD_PRELOAD=""; \ @@ -170,6 +174,17 @@ override_dh_auto_test: fi override_dh_install-arch: + mkdir -p debian/tmp/usr/share/apport/package-hooks + cp -f debian/libvirt-daemon.apport \ + debian/tmp/usr/share/apport/package-hooks/source_libvirt.py + # copy dnsmasq configuration + mkdir -p debian/tmp/etc/dnsmasq.d-available + cp debian/libvirt-daemon.dnsmasq \ + debian/tmp/etc/dnsmasq.d-available/libvirt-daemon + # Add profile script to automatically set default URI + mkdir -p debian/tmp/etc/profile.d + cp -f debian/libvirt-uri.sh debian/tmp/etc/profile.d/ + dh_install # Copy upstream files to debian/ so dh_* can find them @@ -206,6 +221,7 @@ endif ifeq ($(XEN_ENABLED), 1) dh_install -p libvirt-daemon-system etc/libvirt/libxl.conf dh_install -p libvirt-daemon-system etc/libvirt/libxl-lockd.conf + dh_install -p libvirt-daemon-system etc/libvirt/libxl-sanlock.conf endif set -e; for l in $(LOGROTATE); do \ 
@@ -225,15 +241,17 @@ endif override_dh_installinit: dh_installinit -p libvirt-daemon-system --name=virtlogd --no-stop-on-upgrade + dh_installinit -p libvirt-daemon-system --name=virtlockd --no-stop-on-upgrade dh_installinit -p libvirt-daemon-system --name=libvirtd --restart-after-upgrade -- defaults 28 72 dh_installinit -p libvirt-daemon-system --name=libvirt-guests --no-stop-on-upgrade -- defaults 29 71 override_dh_installsystemd: dh_installsystemd -p libvirt-daemon-system --restart-after-upgrade libvirtd.service - dh_installsystemd -p libvirt-daemon-system --no-stop-on-upgrade $(LIBVIRT_SYSTEM_SERVICES) + dh_installsystemd -p libvirt-daemon-system --no-stop-on-upgrade --no-restart-after-upgrade $(LIBVIRT_SYSTEM_SERVICES) override_dh_installdocs: - dh_installdocs + dh_installdocs -plibvirt-doc --doc-main-package libvirt-doc + dh_installdocs -Nlibvirt-doc # Remove binaries and object files examples [ ! -d $(EXAMPLES_DIR) ] || find $(EXAMPLES_DIR) -name "*.o" -type f -delete -o -name .libs -type d -exec rm -rf {} \; rm -f $(EXAMPLES_DIR)domain-events/events-c/event-test \ @@ -257,6 +275,3 @@ override_dh_auto_clean: override_dh_installchangelogs: dh_installchangelogs -plibvirt0 dh_installchangelogs -Nlibvirt0 -XChangeLog - -override_dh_missing: - dh_missing --list-missing
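Review bot: the comment above `export DEB_LDFLAGS_MAINT_STRIP = -Wl,-Bsymbolic-functions` calls the flag a hardening option, but -Bsymbolic-functions binds a shared object's calls to its own exported functions at link time; what that breaks is symbol interposition via LD_PRELOAD, which is how the self-tests mock system calls (note the `export LD_PRELOAD=""` handling in override_dh_auto_test), and it is not one of the dpkg-buildflags hardening features. Say that in the comment so nobody later reads this as lowering the hardening baseline, and note that the strip applies to every shared object in the build, not only the test binaries.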
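Review bot: moving `MAKE_CHECK = 1` and `FAIL_CHECK = 1` out of the i386/amd64 and Xen-architecture conditionals makes test failures fatal on every Linux architecture, which is the right default for a package that implements a security boundary, but the hunk carries no explanation; a changelog line saying so would save a porter time when an architecture that previously built without running the suite starts to FTBFS.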
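Review bot: the new override_dh_install-arch copies an apport hook, a dnsmasq fragment and /etc/profile.d/libvirt-uri.sh into debian/tmp, but nothing in the hunk shows which .install file picks `etc/dnsmasq.d-available/libvirt-daemon` and `etc/profile.d/libvirt-uri.sh` up, so confirm they are listed or dh_missing will report them. The three copies also mix `cp` and `cp -f`; use one form. Dropping `override_dh_missing: dh_missing --list-missing` and `--with autoreconf` is fine at compat 12 (which the `debhelper (>= 12~)` build-dependency suggests), since both are the defaults there and the latter matches removing dh-autoreconf from Build-Depends.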
  19. Download patch debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,33 @@ +From 8db2fc32dd0edc1b6a8b7841201e50971234cedf Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Thu, 11 May 2017 16:45:40 +0200 +Subject: [PATCH 21/33] apparmor, virt-aa-helper: Add openvswitch support + +Add permission to read under /var/run. This is required for +some openvswitch info. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1513367 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +index 9cd6e68..396890c 100644 +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -38,6 +38,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + /usr/{lib,lib64}/libvirt/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + ++ # for openvswitch ++ /{,var/}run/** rw, ++ + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + +-- +2.7.4 +
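Review bot: the rule `/{,var/}run/** rw,` grants virt-aa-helper read and write access to everything under /run, while the commit message only claims a need to read openvswitch information under /var/run. Write access to the whole runtime directory, from the helper that generates every guest's AppArmor profile, is a far larger grant than described: it covers other daemons' sockets, pid files and lock files. Either the message should say why `w` is required, or the rule should be `r` only and narrowed to the openvswitch subtree that is actually read.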
  20. Download patch debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch

    --- 5.2.0-2/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,64 @@ +From: Guido Guenther <agx@sigxcpu.org> +Date: Thu, 26 Jun 2008 20:01:38 +0200 +Subject: Allow libvirt group to access the socket +Forwarded: no + +This is the group based access to libvirt functions as it was used +in Ubuntu for quite long. + +Debian uses root + policykit for the same. But since Ubuntu did it +the group based way for so long people are used to that, so we keep it. + +There are some related tests (if augeas is enabled as build depend) that need +to be adapted in their expected output, that is done in: + d/p/ubuntu/daemon-augeas-fix-expected.patch + + +Index: libvirt/daemon/libvirtd.conf +=================================================================== +--- libvirt.orig/src/remote/libvirtd.conf 2016-07-13 16:12:30.306986666 +0200 ++++ libvirt/src/remote/libvirtd.conf 2016-07-13 16:12:30.146986668 +0200 +@@ -82,14 +82,14 @@ + # without becoming root. + # + # This is restricted to 'root' by default. +-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt" + + # Set the UNIX socket permissions for the R/O socket. This is used + # for monitoring VM status only + # + # Default allows any user. If setting group ownership, you may want to + # restrict this too. +-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0777" + + # Set the UNIX socket permissions for the R/W socket. This is used + # for full management of VMs +@@ -99,7 +99,7 @@ + # + # If not using PolicyKit and setting group ownership for access + # control, then you may want to relax this too. +-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" + + # Set the UNIX socket permissions for the admin interface socket. + # +@@ -138,7 +138,7 @@ + # + # To restrict monitoring of domains you may wish to enable + # an authentication mechanism here +-#auth_unix_ro = "none" ++auth_unix_ro = "none" + + # Set an authentication scheme for UNIX read-write sockets + # By default socket permissions only allow root. 
If PolicyKit +@@ -147,7 +147,7 @@ + # + # If the unix_sock_rw_perms are changed you may wish to enable + # an authentication mechanism here +-#auth_unix_rw = "none" ++auth_unix_rw = "none" + + # Change the authentication scheme for TCP sockets. + #
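Review bot: of the five settings uncommented here only `unix_sock_group = "libvirt"` changes behaviour; `unix_sock_ro_perms`, `unix_sock_rw_perms`, `auth_unix_ro` and `auth_unix_rw` are set to the values the surrounding comments describe as the built-in defaults, so they become explicit rather than different (which is what the augeas test fix named in the header has to accommodate). The security consequence deserves a sentence in the header: with `auth_unix_rw = "none"` and the R/W socket at 0770, membership in the libvirt group is the entire access control for "full management of VMs", which is root-equivalent in practice, so the postinst that adds sudo users to that group is the real policy decision. The `Index: libvirt/daemon/libvirtd.conf` line is also stale; the hunk headers point at src/remote/libvirtd.conf.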
  21. Download patch debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,34 @@ +From 0e7ed68253072d77b2997b316d37403a275c3d2f Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Fri, 19 May 2017 09:48:52 +0200 +Subject: [PATCH 29/33] appmor, libvirt-qemu: Add 9p support + +Add fowner and fsetid to libvirt-qemu profile. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Note: While upstreaming Serge and Guido were not very happy +with granting those permissions unconditionally. Instead they +thought it would be better to do this in virt-aa-helper only +if 9p filesystem is in use. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -13,6 +13,10 @@ + capability setgid, + capability setuid, + ++ # for 9p ++ capability fsetid, ++ capability fowner, ++ + network inet stream, + network inet6 stream, +
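Review bot: `capability fsetid` and `capability fowner` are granted to every qemu process the profile confines, for all guests, whether or not a 9p filesystem is configured, and the commit message itself records that upstream reviewers wanted virt-aa-helper to emit them only when a 9p device is present. fowner bypasses the owner check on operations such as chmod and utime against files the process does not own, and fsetid keeps setuid/setgid bits on files the process modifies, so the unconditional grant widens what a compromised guest process can do with any file the rest of the profile already makes writable. The conditional virt-aa-helper approach should be carried here too; the Subject typo "appmor" (also in the patch filename) can be fixed at the next refresh.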
  22. Download patch debian/patches/debian/Don-t-enable-default-network-on-boot.patch

    --- 5.2.0-2/debian/patches/debian/Don-t-enable-default-network-on-boot.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/debian/Don-t-enable-default-network-on-boot.patch 2019-08-20 08:50:08.000000000 +0000 @@ -9,10 +9,10 @@ to not interfere with existing network c 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/src/Makefile.in b/src/Makefile.in -index fe2d19f..2700a1d 100644 +index 99217f9..e9e5ee0 100644 --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -13398,8 +13398,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \ +@@ -13426,8 +13426,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \ @WITH_NETWORK_TRUE@ $(DESTDIR)$(confdir)/qemu/networks/default.xml && \ @WITH_NETWORK_TRUE@ rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; } @WITH_NETWORK_TRUE@ ( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \ @@ -23,10 +23,10 @@ index fe2d19f..2700a1d 100644 @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@ $(INSTALL_DATA) $(srcdir)/network/libvirt.zone \ @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@ $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am -index cbaaa7e..cb0228d 100644 +index 3fed59c..13ae858 100644 --- a/src/network/Makefile.inc.am +++ b/src/network/Makefile.inc.am -@@ -85,8 +85,7 @@ install-data-network: +@@ -87,8 +87,7 @@ install-data-network: $(DESTDIR)$(confdir)/qemu/networks/default.xml && \ rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; } ( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
  23. Download patch debian/libvirt-doc.docs

    --- 5.2.0-2/debian/libvirt-doc.docs 2016-09-09 13:54:40.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-doc.docs 2019-08-20 08:50:08.000000000 +0000 @@ -1,9 +1,11 @@ docs/*.rng docs/*.png docs/*.xml -docs/*.html +docs/*.html docs/*.gif docs/*.css docs/html/ docs/devhelp/ +docs/internals/ +docs/logos/ examples/
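Review bot: the `-docs/*.html` / `+docs/*.html` pair is identical as displayed, so this is a whitespace-only change (most likely a trailing space) hiding beside the two real additions `docs/internals/` and `docs/logos/`. More importantly, the regenerated pages in this set now load `js/main.js` relative to the html files, and no `docs/js/` entry is added here, so either the script directory is installed by another route or the shipped documentation will reference a missing file; please confirm which.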
  24. Download patch debian/tests/smoke-lxc

    --- 5.2.0-2/debian/tests/smoke-lxc 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/tests/smoke-lxc 2019-08-20 08:50:08.000000000 +0000 @@ -37,9 +37,9 @@ virsh start ${DOMAIN} grep -qs "starting up" /var/log/libvirt/lxc/sl.log check_domain # Make sure a restart doesn't termiante the domain -/etc/init.d/libvirtd restart +systemctl restart libvirtd check_domain -virsh destroy ${DOMAIN} +virsh destroy ${DOMAIN} || true virsh undefine ${DOMAIN} CLEANED_UP=1 set +x
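Review bot: `virsh destroy ${DOMAIN} || true` rightly tolerates a domain that has already exited, but it also hides the case where destroy genuinely fails and the container keeps running; the following `virsh undefine` may still succeed on an active domain, and `CLEANED_UP=1` is then set with a container still up. Check the state after the destroy (for example with `virsh domstate ${DOMAIN}`) before treating the cleanup as done. The switch to `systemctl restart libvirtd` is correct now that the init script is gone; the comment typo "termiante" in the context line could be fixed while touching this block.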
  25. Download patch debian/patches/ubuntu/apibuild-skip-libvirt-common.h

    --- 5.2.0-2/debian/patches/ubuntu/apibuild-skip-libvirt-common.h 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/apibuild-skip-libvirt-common.h 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,31 @@ +Description: apibuild.py: drop libvirt-common.h from included_files + It's leading to build failure due to duplicate definitions. Remove + it until it is properly fixed upstream + . + The build issue really only occurs on launchpad for main. + It does not: + - in sbuild + - in autopkgtest builds + - in bileto + Also we can't send upstream until we found the trigger as the local + call to apibuild.py works as well. + That said we have to keep this as a delta until we had the time to + figure out the real trigger for this to occur. + . + Interestingly when on bileto it doesn't run apibuild at all, instead it + uses xsltproc to generat (bug on its own). +Author: Serge Hallyn <serge.hallyn@ubuntu.com> +Forwarded: no + +Index: libvirt/docs/apibuild.py +=================================================================== +--- libvirt.orig/docs/apibuild.py ++++ libvirt/docs/apibuild.py +@@ -21,7 +21,6 @@ debugsym=None + # C parser analysis code + # + included_files = { +- "libvirt-common.h": "header with general libvirt API definitions", + "libvirt-domain.h": "header with general libvirt API definitions", + "libvirt-domain-snapshot.h": "header with general libvirt API definitions", + "libvirt-event.h": "header with general libvirt API definitions",
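Review bot: removing `"libvirt-common.h"` from `included_files` drops every symbol that header declares from the generated API documentation, not just the duplicates that broke the build; the Description should state that the libvirt-doc output is incomplete for as long as this delta is carried. Since the header already says the failure does not reproduce in sbuild, autopkgtest or locally, pasting the duplicate-definition error from the Launchpad build log into the Description would give whoever picks this up the concrete trigger to chase. Typo: "generat" (generate).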
  26. Download patch debian/libvirt-uri.sh

    --- 5.2.0-2/debian/libvirt-uri.sh 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-uri.sh 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,27 @@ +#!/bin/sh +# libvirt-uri.sh - Automatically switch default libvirt URI for user +# Copyright (C) 2015 Canonical Ltd. +# +# Authors: Stefan Bader <stefan.bader@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 3 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +LIBVIRT_DEFAULT_URI="qemu:///system" +if [ -f /proc/xen/capabilities ]; then + if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then + LIBVIRT_DEFAULT_URI="xen:///" + fi +fi + +export LIBVIRT_DEFAULT_URI +
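Review bot: the snippet assigns `LIBVIRT_DEFAULT_URI` unconditionally, so any value a site or user set earlier in the environment (pam_env, /etc/environment, a container runtime) is overwritten with qemu:///system at every login; guard the whole block with `if [ -z "${LIBVIRT_DEFAULT_URI}" ]; then ... fi` so an existing setting wins and the Xen detection still applies when nothing was set. Files under /etc/profile.d are sourced by the login shell, so the `#!/bin/sh` line is inert and the script must never `exit`; it currently respects that. Worth recording: this makes the system-level socket the default for every interactive user, where access is decided solely by libvirt group membership (see the Allow-libvirt-group patch).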
  27. Download patch debian/libvirt-daemon-system.virtlogd.init

    --- 5.2.0-2/debian/libvirt-daemon-system.virtlogd.init 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.virtlogd.init 1970-01-01 00:00:00.000000000 +0000 
@@ -1,161 +0,0 @@ -#! /bin/sh -# -# Init script for virtlogd -# -# (c) 2015 Guido Guenther <agx@sigxcpu.org> -# based on the skeletons that comes with dh_make -# -### BEGIN INIT INFO -# Provides: virtlogd -# Required-Start: $local_fs $remote_fs $syslog -# Required-Stop: $local_fs $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Libvirt logging daemon -### END INIT INFO - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -export PATH -DAEMON=/usr/sbin/virtlogd -NAME=virtlogd -DESC="libvirt logging daemon" - -test -x $DAEMON || exit 0 -. /lib/lsb/init-functions - -PIDFILE=/var/run/$NAME.pid -DODTIME=1 # Time to wait for the server to die, in seconds - -# Include libvirtd defaults if available -if [ -f /etc/default/virtlogd ] ; then - . /etc/default/virtlogd -fi - -running_pid() -{ - # Check if a given process pid's cmdline matches a given name - pid=$1 - name=$2 - [ -z "$pid" ] && return 1 - [ ! -d /proc/$pid ] && return 1 - cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` - # Is this the expected child? - [ "$cmd" != "$name" ] && return 1 - return 0 -} - -running() -{ -# Check if the process is running looking at /proc -# (works for all users) - # No pidfile, probably no daemon present - [ ! -f "$PIDFILE" ] && return 1 - # Obtain the pid and check it against the binary name - pid=`cat $PIDFILE` - running_pid $pid $DAEMON || return 1 - return 0 -} - -force_stop() { -# Forcefully kill the process - [ ! -f "$PIDFILE" ] && return - if running ; then - kill -15 $pid - # Is it really dead? - [ -n "$DODTIME" ] && sleep "$DODTIME"s - if running ; then - kill -9 $pid - [ -n "$DODTIME" ] && sleep "$DODTIME"s - if running ; then - echo "Cannot kill $LABEL (pid=$pid)!" 
- exit 1 - fi - fi - fi - rm -f $PIDFILE - return 0 -} - -case "$1" in - start) - log_daemon_msg "Starting $DESC" "$NAME" - if running ; then - log_progress_msg "already running" - log_end_msg 0 - exit 0 - fi - rm -f $PIDFILE - start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --exec $DAEMON -- -d $VIRTLOGD_ARGS - if running; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - stop) - log_daemon_msg "Stopping $DESC" "$NAME" - if ! running ; then - log_progress_msg "not running" - log_end_msg 0 - exit 0 - fi - start-stop-daemon --stop --quiet --pidfile $PIDFILE \ - --exec $DAEMON - log_end_msg 0 - ;; - force-stop) - log_daemon_msg "Forcefully stopping $DESC" "$NAME" - force_stop - if ! running; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - restart) - log_daemon_msg "Restarting $DESC" "$DAEMON" - start-stop-daemon --oknodo --stop --quiet --pidfile \ - /var/run/$NAME.pid --exec $DAEMON - [ -n "$DODTIME" ] && sleep $DODTIME - start-stop-daemon --start --quiet --pidfile \ - /var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts - if running; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - reload|force-reload) - if running; then - log_daemon_msg "Reloading configuration of $DESC" "$NAME" - start-stop-daemon --stop --signal 1 --quiet --pidfile \ - /var/run/$NAME.pid --exec $DAEMON - log_end_msg 0 - else - log_warning_msg "libvirtd not running, doing nothing." - fi - ;; - status) - log_daemon_msg "Checking status of $DESC" "$NAME" - if running ; then - log_progress_msg "running" - log_end_msg 0 - else - log_progress_msg "not running" - log_end_msg 1 - if [ -f "$PIDFILE" ] ; then - exit 1 - else - exit 3 - fi - fi - ;; - *) - N=/etc/init.d/libvirtd - echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2 - exit 1 - ;; -esac - -exit 0
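Review bot: the virtlogd sysvinit script is deleted, yet debian/rules in this same set still runs `dh_installinit -p libvirt-daemon-system --name=virtlogd --no-stop-on-upgrade` and adds the same call for virtlockd. With no debian/libvirt-daemon-system.virtlogd.init present, confirm what dh_installinit does for that name at the package's compat level; the calls may now be dead and the units installed by dh_installsystemd all that remains. Two latent bugs in the removed script argue against resurrecting it: the `restart)` branch started the daemon with `$libvirtd_opts` instead of `$VIRTLOGD_ARGS`, and the usage message named /etc/init.d/libvirtd.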
  28. Download patch debian/control

    --- 5.2.0-2/debian/control 2019-04-18 17:03:13.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/control 2019-08-20 08:50:08.000000000 +0000 @@ -1,12 +1,12 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org> Uploaders: Guido Günther <agx@sigxcpu.org>, Laurent Léonard <laurent@open-minds.org> Build-Depends: bash-completion, debhelper (>= 12~), - dh-autoreconf, dh-apparmor [linux-any], libxml2-dev (>= 2.9.2+really2.9.1+dfsg1-0.2), libncurses5-dev, @@ -34,17 +34,16 @@ Build-Depends: libnl-route-3-dev [linux-any], libyajl-dev, libpcap0.8-dev, - libnuma-dev [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el], - numad [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el], + libnuma-dev [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el s390x], + numad [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el s390x], radvd [linux-any], - libnetcf-dev (>= 1:0.2.3-3~) [linux-any], libsanlock-dev [linux-any], libaudit-dev [linux-any], libselinux1-dev (>= 2.0.82) [linux-any], libapparmor-dev [linux-any], libdbus-1-dev [linux-any], nfs-common, - systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390], + systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc ppc64el s390 s390x], python, xsltproc, zfsutils [kfreebsd-amd64 kfreebsd-i386], @@ -60,7 +59,7 @@ Build-Depends: # for lxc fuse support libfuse-dev [linux-any], # for libssh2 connection URIs - libssh2-1-dev, +# libssh2-1-dev, # for qemu-bridge-helper qemu-system-common, # For "make check" 
@@ -69,11 +68,14 @@ Build-Depends: dnsmasq-base, openssh-client, netcat-openbsd, - iptables (>= 1.8.1) [linux-any], + ebtables [linux-any], + iptables [linux-any], qemu-utils, Build-Conflicts: dpkg-dev (= 1.15.3) -Vcs-Git: https://salsa.debian.org/libvirt-team/libvirt.git -Vcs-Browser: https://salsa.debian.org/libvirt-team/libvirt +XS-Debian-Vcs-Git: https://salsa.debian.org/libvirt-team/libvirt.git +XS-Debian-Vcs-Browser: https://salsa.debian.org/libvirt-team/libvirt +Vcs-Git: https://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt +Vcs-Browser: https://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt Homepage: https://libvirt.org/ Standards-Version: 4.1.1 @@ -107,9 +109,9 @@ Recommends: qemu-kvm | qemu (>= 0.9.1), libxml2-utils, netcat-openbsd, + libvirt-daemon-driver-storage-rbd, Suggests: libvirt-daemon-driver-storage-gluster, - libvirt-daemon-driver-storage-rbd, libvirt-daemon-driver-storage-zfs, libvirt-daemon-system, numad, @@ -184,12 +186,13 @@ Depends: lsb-base, libvirt-clients (= ${binary:Version}), libvirt-daemon (= ${binary:Version}), - iptables (>= 1.8.1-1) [linux-any] | firewalld, + iptables (>= 1.4.10) [linux-any] | firewalld, logrotate, policykit-1, Recommends: dmidecode, dnsmasq-base (>= 2.46-1), + ebtables [linux-any], iproute2, parted, Section: admin
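Review bot: libvirt-daemon-system keeps `iptables (>= 1.4.10) [linux-any] | firewalld` as a dependency, but debian/rules in this set now configures with `--without-firewalld`. A system that satisfies the alternative with firewalld alone gets a daemon that cannot program the firewall for the network driver, so the `| firewalld` alternative should go (or firewalld support stay enabled). The loosening of `iptables (>= 1.8.1)` to an unversioned Build-Depends and to `>= 1.4.10` at runtime is not explained anywhere in the hunk; a changelog note on why the Debian bound is not needed here would prevent it being tightened back by a later merge.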
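Review bot: `# libssh2-1-dev,` leaves a commented-out line inside the Build-Depends field; dpkg accepts `#` comment lines in debian/control, but they vanish from the built .dsc, so the reason (universe dependency, matching `--without-ssh2` in rules) is better kept in the changelog than as a dead line. Dropping `libnetcf-dev` and `dh-autoreconf` is consistent with `--without-netcf` and the removal of `--with autoreconf` in rules; adding `ebtables [linux-any]` to Build-Depends and Recommends matches the `EBTABLES_PATH=/usr/sbin/ebtables` configure setting, and moving libvirt-daemon-driver-storage-rbd from Suggests to Recommends pulls the Ceph stack onto default installs, which is worth one changelog line.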
  29. Download patch docs/architecture.html

    --- 5.2.0-2/docs/architecture.html 2019-03-28 08:58:10.185590144 +0000 +++ 5.4.0-0ubuntu5/docs/architecture.html 2019-05-28 10:47:05.818523062 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:10 UTC 2019. + This page was generated at Tue May 28 10:47:05 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: libvirt architecture</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>libvirt architecture</h1> 
@@ -162,12 +133,31 @@ unsupported functions are initialized to </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
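    Review bot: in the search hunk the new advancedsearch div with the "what" radio inputs sits outside the simplesearch form, so the selected value is never part of the GET request unless js/main.js rewrites the form action before submit; since the form now targets https://www.google.com/search with a hidden sitesearch=libvirt.org field, a visitor with scripting disabled always gets a plain site search and the Wiki/list choices silently do nothing. This file is generated ("Do not edit this file. Changes will be lost."), so any fix belongs in the upstream template, not in this output.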
  30. Download patch debian/patches/ubuntu/lp-1828495-qemu-Probe-host-CPU-after-capabilities.patch
  31. Download patch debian/patches/ubuntu/lp-1828495-conf-Introduce-virCPUDefCheckFeatures.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-conf-Introduce-virCPUDefCheckFeatures.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-conf-Introduce-virCPUDefCheckFeatures.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,100 @@ +From 4e6f58b8d55d44fa9f80736b2745b44710f6e25a Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 19 Jun 2019 19:01:30 +0200 +Subject: [PATCH] conf: Introduce virCPUDefCheckFeatures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This API can be used to check whether a CPU definition contains features +matching a given filter. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=4e6f58b8 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/conf/cpu_conf.c | 33 +++++++++++++++++++++++++++++++++ + src/conf/cpu_conf.h | 6 ++++++ + src/libvirt_private.syms | 1 + + 3 files changed, 40 insertions(+) + +diff --git a/src/conf/cpu_conf.c b/src/conf/cpu_conf.c +index 675d214c50..7d16a05283 100644 +--- a/src/conf/cpu_conf.c ++++ b/src/conf/cpu_conf.c +@@ -930,6 +930,39 @@ virCPUDefFilterFeatures(virCPUDefPtr cpu, + } + + ++/** ++ * virCPUDefCheckFeatures: ++ * ++ * Check CPU features for which @filter reports true and store them in a NULL ++ * terminated list returned via @features. ++ * ++ * Returns the number of features matching @filter or -1 on error. 
++ */ ++int ++virCPUDefCheckFeatures(virCPUDefPtr cpu, ++ virCPUDefFeatureFilter filter, ++ void *opaque, ++ char ***features) ++{ ++ VIR_AUTOSTRINGLIST list = NULL; ++ size_t n = 0; ++ size_t i; ++ ++ *features = NULL; ++ ++ for (i = 0; i < cpu->nfeatures; i++) { ++ if (filter(cpu->features[i].name, opaque)) { ++ if (virStringListAdd(&list, cpu->features[i].name) < 0) ++ return -1; ++ n++; ++ } ++ } ++ ++ VIR_STEAL_PTR(*features, list); ++ return n; ++} ++ ++ + bool + virCPUDefIsEqual(virCPUDefPtr src, + virCPUDefPtr dst, +diff --git a/src/conf/cpu_conf.h b/src/conf/cpu_conf.h +index 906ef5368e..19ce816ec2 100644 +--- a/src/conf/cpu_conf.h ++++ b/src/conf/cpu_conf.h +@@ -224,6 +224,12 @@ virCPUDefFilterFeatures(virCPUDefPtr cpu, + virCPUDefFeatureFilter filter, + void *opaque); + ++int ++virCPUDefCheckFeatures(virCPUDefPtr cpu, ++ virCPUDefFeatureFilter filter, ++ void *opaque, ++ char ***features); ++ + virCPUDefPtr * + virCPUDefListParse(const char **xmlCPUs, + unsigned int ncpus, +diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms +index ab2e4bc6fe..90a6d10666 100644 +--- a/src/libvirt_private.syms ++++ b/src/libvirt_private.syms +@@ -73,6 +73,7 @@ virCapabilitiesSetNetPrefix; + virCPUCacheModeTypeFromString; + virCPUCacheModeTypeToString; + virCPUDefAddFeature; ++virCPUDefCheckFeatures; + virCPUDefCopy; + virCPUDefCopyModel; + virCPUDefCopyModelFilter; +-- +2.22.0 +
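    Review bot: virCPUDefCheckFeatures sets *features = NULL up front and only assigns the list when at least one feature passed the filter, so a caller that matched nothing receives a NULL pointer rather than an empty NULL-terminated list; the doc comment should say so, or the function should hand back an empty list, so callers do not iterate a NULL pointer when the return value is 0. The count is accumulated in a size_t n and returned through an int; harmless for CPU feature counts, but an int counter (or explicit cast) would read consistently with the -1 error return.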
  32. Download patch debian/patches/CVE-2019-10166.patch

    --- 5.2.0-2/debian/patches/CVE-2019-10166.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/CVE-2019-10166.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,32 @@ +From db0b78457f183e4c7ac45bc94de86044a1e2056a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 14 Jun 2019 09:14:53 +0200 +Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The virDomainManagedSaveDefineXML can be used to alter the domain's +config used for managedsave or even execute arbitrary emulator binaries. +Forbid it on read-only connections. + +Fixes: CVE-2019-10166 +Reported-by: Matthias Gerstner <mgerstner@suse.de> +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +--- + src/libvirt-domain.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c 2019-07-02 08:07:17.357822825 -0400 ++++ libvirt-5.4.0/src/libvirt-domain.c 2019-07-02 08:07:17.357822825 -0400 +@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainP + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret;
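    Review bot: virCheckReadOnlyGoto(conn->flags, error) is placed after virCheckDomainReturn and the conn assignment and before the driver dispatch, so it applies to every driver rather than only the remote one, which is the right spot. The diffstat shows only src/libvirt-domain.c changing; unlike the CVE-2019-10161 patch on this page, no @acl annotation in src/remote/remote_protocol.x is touched, so confirm the daemon-side procedure for virDomainManagedSaveDefineXML already requires domain:write, since the check added here runs only in the client library.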
  33. Download patch config-post.h

    --- 5.2.0-2/config-post.h 2019-02-25 23:24:58.952183806 +0000 +++ 5.4.0-0ubuntu5/config-post.h 2019-04-27 10:31:34.855092834 +0000 @@ -44,7 +44,6 @@ # undef WITH_SYSTEMD_DAEMON # undef WITH_VIRTUALPORT # undef WITH_YAJL -# undef WITH_YAJL2 #endif /*
  34. Download patch debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch

    --- 5.2.0-2/debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,40 +0,0 @@ -From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> -Date: Wed, 3 Apr 2019 15:00:50 +0100 -Subject: remote: enforce ACL write permission for getting guest time & - hostname -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -Getting the guest time and hostname both require use of guest agent -commands. These must not be allowed for read-only users, so the -permissions check must validate "write" permission not "read". - -Fixes CVE-2019-3886 -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> ---- - src/remote/remote_protocol.x | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x -index 74be4b3..11f44ee 100644 ---- a/src/remote/remote_protocol.x -+++ b/src/remote/remote_protocol.x -@@ -5513,7 +5513,7 @@ enum remote_procedure { - - /** - * @generate: both -- * @acl: domain:read -+ * @acl: domain:write - */ - REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277, - -@@ -5908,7 +5908,7 @@ enum remote_procedure { - - /** - * @generate: none -- * @acl: domain:read -+ * @acl: domain:write - */ - REMOTE_PROC_DOMAIN_GET_TIME = 337, -
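    Review bot: the whole Debian patch for CVE-2019-3886 is dropped (the new side carries the 1970 epoch timestamp), which is only correct if the 5.4.0 tarball already has the domain:write ACL for REMOTE_PROC_DOMAIN_GET_HOSTNAME (277) and REMOTE_PROC_DOMAIN_GET_TIME (337); the patch header gives no upstream commit id, so verify against src/remote/remote_protocol.x in the new source and record in debian/changelog that the fix is now upstream.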
  35. Download patch docs/api.html

    --- 5.2.0-2/docs/api.html 2019-03-28 08:58:09.407598215 +0000 +++ 5.4.0-0ubuntu5/docs/api.html 2019-05-28 10:47:05.636524654 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:09 UTC 2019. + This page was generated at Tue May 28 10:47:05 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: The libvirt API concepts</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>The libvirt API concepts</h1> 
@@ -328,12 +299,31 @@ </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
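    Review bot: the body onload="pageload()" attribute together with src="js/main.js" replaces the inline init() handler, so this page now depends on js/main.js defining pageload(); the removed code registered the handler as "window.onload = init();", which called init() immediately and assigned its undefined return value to window.onload, so the new attribute fixes behaviour as well as de-duplicating script across pages. As with the other generated docs, the change tracks the upstream template and should not be hand-edited in this output file.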
  36. Download patch ChangeLog
  37. Download patch debian/patches/ubuntu/lp-1828495-cpu_conf-Introduce-virCPUDefFilterFeatures.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-cpu_conf-Introduce-virCPUDefFilterFeatures.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-cpu_conf-Introduce-virCPUDefFilterFeatures.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,88 @@ +From c145b660b8225f73db16660461077ef931730939 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Fri, 7 Jun 2019 14:07:10 +0200 +Subject: [PATCH] cpu_conf: Introduce virCPUDefFilterFeatures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This new internal API can be used for in place filtering of CPU features +in virCPUDef. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=c145b660 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/conf/cpu_conf.c | 22 ++++++++++++++++++++++ + src/conf/cpu_conf.h | 5 +++++ + src/libvirt_private.syms | 1 + + 3 files changed, 28 insertions(+) + +diff --git a/src/conf/cpu_conf.c b/src/conf/cpu_conf.c +index 825df88246..675d214c50 100644 +--- a/src/conf/cpu_conf.c ++++ b/src/conf/cpu_conf.c +@@ -908,6 +908,28 @@ virCPUDefFindFeature(virCPUDefPtr def, + } + + ++int ++virCPUDefFilterFeatures(virCPUDefPtr cpu, ++ virCPUDefFeatureFilter filter, ++ void *opaque) ++{ ++ size_t i = 0; ++ ++ while (i < cpu->nfeatures) { ++ if (filter(cpu->features[i].name, opaque)) { ++ i++; ++ continue; ++ } ++ ++ VIR_FREE(cpu->features[i].name); ++ if (VIR_DELETE_ELEMENT_INPLACE(cpu->features, i, cpu->nfeatures) < 0) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++ + bool + virCPUDefIsEqual(virCPUDefPtr src, + virCPUDefPtr dst, +diff --git a/src/conf/cpu_conf.h b/src/conf/cpu_conf.h +index 562e0de531..906ef5368e 100644 +--- a/src/conf/cpu_conf.h ++++ b/src/conf/cpu_conf.h +@@ -219,6 +219,11 @@ virCPUFeatureDefPtr + virCPUDefFindFeature(virCPUDefPtr def, + const char *name); + ++int ++virCPUDefFilterFeatures(virCPUDefPtr cpu, ++ virCPUDefFeatureFilter filter, ++ void *opaque); ++ + virCPUDefPtr * + virCPUDefListParse(const char **xmlCPUs, + unsigned int ncpus, +diff --git a/src/libvirt_private.syms 
b/src/libvirt_private.syms +index 0e6a39b59b..228cd929b4 100644 +--- a/src/libvirt_private.syms ++++ b/src/libvirt_private.syms +@@ -77,6 +77,7 @@ virCPUDefCopy; + virCPUDefCopyModel; + virCPUDefCopyModelFilter; + virCPUDefCopyWithoutModel; ++virCPUDefFilterFeatures; + virCPUDefFindFeature; + virCPUDefFormat; + virCPUDefFormatBuf; +-- +2.22.0 +
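    Review bot: in the cpu_conf.c hunk the feature name is released with VIR_FREE(cpu->features[i].name) before VIR_DELETE_ELEMENT_INPLACE is attempted; if the delete fails and -1 is returned, cpu->features[i] stays in the array with a NULL name, leaving the virCPUDef half-filtered for any later code that dereferences feature names. Deleting the element first and freeing the saved name afterwards, or documenting that the caller must discard the CPU definition on error, would close that gap.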
  38. Download patch debian/patches/tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch

    --- 5.2.0-2/debian/patches/tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,98 +0,0 @@ -From: Eric Blake <eblake@redhat.com> -Date: Wed, 27 Mar 2019 13:42:45 -0500 -Subject: tests: Avoid writing into $HOME during virsh-snapshot -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -In a constrained CI environment, where it is intentional that attempts -to write outside the current directory will fail, virsh-snapshot was -failing: - - error: invalid argument: parent s3 for snapshot s2 not found - error: marker -+error: Failed to create '/home/travis/.cache/libvirt/virsh': Permission denied -FAIL virsh-snapshot (exit status: 1) - -But we've already solved the problem in virsh-uriprecedence: tell -virsh to use XDG locations pointing to somewhere we can write rather -than its default of falling back to $HOME with the test being at risk -of breaking due to the user's environment and/or unacceptably altering -the user's normal cache. Hoist that solution into test-lib.sh, so -that all scripts can use it as needed. While at it, fix a latent typo -where XDG_RUNTIME_HOME was set to a literal relative directory name -"XDG_CACHE_HOME" (the typo did not affect virsh-uriprecedence, but -could matter to other clients). - -Fixes: 280a2b41 -Fixes: 398de147 -Reported-by: Daniel P. Berrangé <berrange@redhat.com> -Signed-off-by: Eric Blake <eblake@redhat.com> - -(cherry picked from commit b18866086516b6fb1dc5bcc45dcde7b8df324850) ---- - tests/test-lib.sh | 13 +++++++++++++ - tests/virsh-snapshot | 2 ++ - tests/virsh-uriprecedence | 12 +----------- - 3 files changed, 16 insertions(+), 11 deletions(-) - -diff --git a/tests/test-lib.sh b/tests/test-lib.sh -index 49e8d22..ef5a47b 100644 ---- a/tests/test-lib.sh -+++ b/tests/test-lib.sh -@@ -222,6 +222,19 @@ mkfifo_or_skip_() - fi - } - -+# Create mock XDG files/directories to avoid permission problems. -+# As it points inside $test_dir_, it is automatically cleaned. 
-+mock_xdg_() -+{ -+ export XDG_CONFIG_HOME="$t_/.config" -+ export XDG_CACHE_HOME="$t_/.cache" -+ export XDG_RUNTIME_HOME="$XDG_CACHE_HOME" -+ -+ mkdir -p "$XDG_CONFIG_HOME/libvirt" "$XDG_CONFIG_HOME/virsh" -+ mkdir -p "$XDG_CACHE_HOME/libvirt" "$XDG_CACHE_HOME/virsh" -+ mkdir -p "$XDG_RUNTIME_HOME/libvirt" "$XDG_RUNTIME_HOME/virsh" -+} -+ - test_dir_=$(pwd) - - this_test_() { echo "./$0" | sed 's,.*/,,'; } -diff --git a/tests/virsh-snapshot b/tests/virsh-snapshot -index fb8a99d..cb498cf 100755 ---- a/tests/virsh-snapshot -+++ b/tests/virsh-snapshot -@@ -26,6 +26,8 @@ fi - - fail=0 - -+mock_xdg_ || framework_failure -+ - # The test driver loses states between restarts, so we perform a script - # with some convenient markers for later post-processing of output. - $abs_top_builddir/tools/virsh --connect test:///default >out 2>err ' -diff --git a/tests/virsh-uriprecedence b/tests/virsh-uriprecedence -index 564e3dc..fd6ce10 100755 ---- a/tests/virsh-uriprecedence -+++ b/tests/virsh-uriprecedence -@@ -11,17 +11,7 @@ virsh_cmd="$virsh_bin" - counter=0 - ret=0 - --cleanup_() { rm -rf "$tmphome"; } -- --# Create all mock files/directories to avoid permission problems --tmphome="$PWD/tmp_home" --export XDG_CONFIG_HOME="$tmphome/.config" --export XDG_CACHE_HOME="$tmphome/.cache" --export XDG_RUNTIME_HOME="XDG_CACHE_HOME" -- --mkdir -p "$XDG_CONFIG_HOME/libvirt" "$XDG_CONFIG_HOME/virsh" --mkdir -p "$XDG_CACHE_HOME/libvirt" "$XDG_CACHE_HOME/virsh" --mkdir -p "$XDG_RUNTIME_HOME/libvirt" "$XDG_RUNTIME_HOME/virsh" -+mock_xdg_ || framework_failure - - is_uri_good() - {
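    Review bot: this removal drops the Debian copy of the cherry-pick named in its own header, "(cherry picked from commit b18866086516b6fb1dc5bcc45dcde7b8df324850)", so it should be a no-op once 5.4.0 contains that commit; worth confirming that tests/test-lib.sh in the new tree provides mock_xdg_ and that virsh-uriprecedence no longer carries the literal "XDG_CACHE_HOME" value the patch fixed, otherwise virsh-snapshot will again try to write under $HOME during the package build.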
  39. Download patch debian/patches/CVE-2019-10167.patch

    --- 5.2.0-2/debian/patches/CVE-2019-10167.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/CVE-2019-10167.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,30 @@ +From 8afa68bac0cf99d1f8aaa6566685c43c22622f26 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 14 Jun 2019 09:16:14 +0200 +Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +--- + src/libvirt-domain.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c 2019-07-02 08:07:23.601906092 -0400 ++++ libvirt-5.4.0/src/libvirt-domain.c 2019-07-02 08:07:23.601906092 -0400 +@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConne + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret;
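    Review bot: the read-only check is inserted directly after virCheckConnectReturn(conn, NULL) and before any allocation or driver dispatch in the visible context, so jumping to error at that point has nothing to release, and the placement mirrors the CVE-2019-10166 hunk. The diffstat again touches only src/libvirt-domain.c, so the daemon-side @acl for the matching REMOTE_PROC procedure should be checked to require a write-class permission for the same reason given for that patch.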
  40. Download patch configure.ac

    --- 5.2.0-2/configure.ac 2019-03-26 13:50:10.423395813 +0000 +++ 5.4.0-0ubuntu5/configure.ac 2019-05-25 07:29:35.084518879 +0000 @@ -16,15 +16,21 @@ dnl You should have received a copy of t dnl License along with this library. If not, see dnl <http://www.gnu.org/licenses/>. -AC_INIT([libvirt], [5.2.0], [libvir-list@redhat.com], [], [https://libvirt.org]) +AC_INIT([libvirt], [5.4.0], [libvir-list@redhat.com], [], [https://libvirt.org]) AC_CONFIG_SRCDIR([src/libvirt.c]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) AH_BOTTOM([#include <config-post.h>]) AC_CONFIG_MACRO_DIR([m4]) -dnl Make automake keep quiet about wildcards & other GNUmake-isms; also keep -dnl quiet about the fact that we intentionally cater to automake 1.9 -AM_INIT_AUTOMAKE([-Wno-portability -Wno-obsolete tar-pax no-dist-gzip dist-xz subdir-objects]) +dnl Make automake keep quiet about wildcards & other GNUmake-isms +AM_INIT_AUTOMAKE([ + foreign + -Wno-portability + tar-pax + no-dist-gzip + dist-xz + subdir-objects + ]) dnl older automake's default of ARFLAGS=cru is noisy on newer binutils; dnl we don't really need the 'u' even in older toolchains. Then there is dnl older libtool, which spelled it AR_FLAGS @@ -174,13 +180,13 @@ want_ifconfig=no dnl Make some notes about which OS we're compiling for, as the lxc and qemu dnl drivers require linux headers, and storage_mpath, dtrace, and nwfilter dnl are also linux specific. The "network" and storage_fs drivers are known -dnl to not work on MacOS X presently, so we also make a note if compiling +dnl to not work on macOS presently, so we also make a note if compiling dnl for that -with_linux=no with_osx=no with_freebsd=no with_win=no with_cygwin=no +with_linux=no with_macos=no with_freebsd=no with_win=no with_cygwin=no case $host in *-*-linux*) with_linux=yes ;; - *-*-darwin*) with_osx=yes ;; + *-*-darwin*) with_macos=yes ;; *-*-freebsd*) with_freebsd=yes ;; *-*-mingw* | *-*-msvc* ) with_win=yes ;; *-*-cygwin*) with_cygwin=yes ;; 
@@ -408,19 +414,6 @@ dnl LIBVIRT_CHECK_EXTERNAL_PROGRAMS - -dnl Specific dir for HTML output ? -LIBVIRT_ARG_WITH([HTML_DIR], [path to base html directory], - ['$(datadir)/doc']) -LIBVIRT_ARG_WITH([HTML_SUBDIR], [directory used under html-dir], - ['$(PACKAGE)-$(VERSION)/html']) -if test "x$with_html_subdir" != "x" ; then - HTML_DIR="$with_html_dir/$with_html_subdir" -else - HTML_DIR="$with_html_dir" -fi -AC_SUBST([HTML_DIR]) - dnl if --prefix is /usr, don't use /usr/var for localstatedir dnl or /usr/etc for sysconfdir dnl as this makes a lot of things break in testing situations @@ -621,9 +614,9 @@ if test "$with_libvirtd" = "no"; then with_storage_vstorage=no fi -dnl storage-fs does not work on MacOS X +dnl storage-fs does not work on macOS -if test "$with_osx" = "yes"; then +if test "$with_macos" = "yes"; then with_storage_fs=no fi
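    Review bot: the HTML_DIR/HTML_SUBDIR hunk removes the --with-html-dir and --with-html-subdir options and the HTML_DIR substitution, so any debian/rules invocation still passing them will at best be ignored and the docs will land under the new default; check the packaging for those flags. The with_osx to with_macos rename is applied in both the case statement and the storage-fs guard shown here, but the rename is not limited to these two hunks, so a grep for remaining with_osx users (m4 files, Makefiles) is needed. Also note AM_INIT_AUTOMAKE now adds "foreign" and drops -Wno-obsolete, which changes which GNU-standard files automake insists on and which warnings appear in build logs.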
  41. Download patch debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,28 @@ +From 6beb6d41a87fae5499e12034233e5c8def1f56da Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Tue, 23 May 2017 17:18:39 +0200 +Subject: [PATCH 07/33] apparmor, libvirt-qemu: Allow owner read access to + @{PROC}/*/auxv + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu +index 7e99eb4..597d282 100644 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -30,6 +30,7 @@ + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, ++ owner @{PROC}/*/auxv r, + @{PROC}/sys/vm/overcommit_memory r, + + # For hostdev access. The actual devices will be added dynamically +-- +2.7.4 +
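    Review bot: the added rule uses a bare "*" path component ("owner @{PROC}/*/auxv r,") where the comm rule two lines above uses "@{pid}"; with the owner qualifier the access is already limited to processes of the confined uid, so this is not a privilege problem, but @{pid} would keep the profile consistent and excludes non-numeric /proc entries. The header says "Forwarded: no" without stating which consumer needs auxv, so the commit message should record the motivating failure before this is proposed upstream.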
  42. Download patch debian/patches/ubuntu/lp-1828495-qemu-Probe-for-max-x86_64-cpu-type.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-qemu-Probe-for-max-x86_64-cpu-type.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-qemu-Probe-for-max-x86_64-cpu-type.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,128 @@ +From 2a4c23210674b453f91569f0f4b9fd5ebe8d7906 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Mon, 10 Jun 2019 16:46:10 +0200 +Subject: [PATCH] qemu: Probe for max-x86_64-cpu type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will use it to check whether QEMU supports a specific CPU property. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a4c2321 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/qemu/qemu_capabilities.c | 2 ++ + src/qemu/qemu_capabilities.h | 1 + + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 + + tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 + + 10 files changed, 11 insertions(+) + +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -525,6 +525,7 @@ VIR_ENUM_IMPL(virQEMUCaps, + "virtio-pci-non-transitional", + "overcommit", + "query-current-machine", ++ "x86-max-cpu", + ); + + +@@ -1113,6 +1114,7 @@ struct virQEMUCapsStringFlags virQEMUCap + { "virtio-scsi-pci-non-transitional", QEMU_CAPS_VIRTIO_PCI_TRANSITIONAL }, + { "virtio-serial-pci-transitional", QEMU_CAPS_VIRTIO_PCI_TRANSITIONAL }, + { "virtio-serial-pci-non-transitional", QEMU_CAPS_VIRTIO_PCI_TRANSITIONAL }, ++ { "max-x86_64-cpu", QEMU_CAPS_X86_MAX_CPU }, + }; + + static struct virQEMUCapsStringFlags virQEMUCapsDevicePropsVirtioBalloon[] = { +--- a/src/qemu/qemu_capabilities.h ++++ b/src/qemu/qemu_capabilities.h +@@ -507,6 +507,7 @@ typedef enum { /* 
virQEMUCapsFlags group + QEMU_CAPS_VIRTIO_PCI_TRANSITIONAL, /* virtio *-pci-{non-}transitional devices */ + QEMU_CAPS_OVERCOMMIT, /* -overcommit */ + QEMU_CAPS_QUERY_CURRENT_MACHINE, /* query-current-machine command */ ++ QEMU_CAPS_X86_MAX_CPU, /* max-x86_64-cpu type exists */ + + QEMU_CAPS_LAST /* this must always be the last item */ + } virQEMUCapsFlags; +--- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml +@@ -180,6 +180,7 @@ + <flag name='mch'/> + <flag name='egl-headless'/> + <flag name='iothread.poll-max-ns'/> ++ <flag name='x86-max-cpu'/> + <version>2010000</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100805</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml +@@ -186,6 +186,7 @@ + <flag name='mch.extended-tseg-mbytes'/> + <flag name='egl-headless'/> + <flag name='iothread.poll-max-ns'/> ++ <flag name='x86-max-cpu'/> + <version>2011000</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100806</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml +@@ -194,6 +194,7 @@ + <flag name='memory-backend-memfd.hugetlb'/> + <flag name='iothread.poll-max-ns'/> + <flag name='memory-backend-file.align'/> ++ <flag name='x86-max-cpu'/> + <version>2011090</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100807</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +@@ -174,6 +174,7 @@ + <flag name='vhost-vsock'/> + <flag name='mch'/> + <flag name='iothread.poll-max-ns'/> ++ <flag name='x86-max-cpu'/> + <version>2009000</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100765</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml +@@ -197,6 +197,7 @@ + <flag 
name='iothread.poll-max-ns'/> + <flag name='memory-backend-file.align'/> + <flag name='nvdimm.unarmed'/> ++ <flag name='x86-max-cpu'/> + <version>3000000</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100757</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml +@@ -200,6 +200,7 @@ + <flag name='memory-backend-file.pmem'/> + <flag name='nvdimm.unarmed'/> + <flag name='overcommit'/> ++ <flag name='x86-max-cpu'/> + <version>3000092</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100758</microcodeVersion> +--- a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml +@@ -202,6 +202,7 @@ + <flag name='virtio-pci-non-transitional'/> + <flag name='overcommit'/> + <flag name='query-current-machine'/> ++ <flag name='x86-max-cpu'/> + <version>4000000</version> + <kvmVersion>0</kvmVersion> + <microcodeVersion>43100758</microcodeVersion>
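    Review bot: the diffstat lists tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml among the 10 files, but no hunk for that file appears in the visible patch, so either this page truncates the patch or the backport dropped that hunk without regenerating the diffstat; if the hunk is really missing and the 4.1.0 data file exists in 5.4.0, qemucapabilitiestest would fail for it. The Origin line marks this as a backport, so the diffstat should be regenerated to match the hunks actually carried.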
  43. Download patch debian/patches/CVE-2019-10161.patch

    --- 5.2.0-2/debian/patches/CVE-2019-10161.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/CVE-2019-10161.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,80 @@ +From aed6a032cead4386472afb24b16196579e239580 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 14 Jun 2019 08:47:42 +0200 +Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner <mgerstner@suse.de> +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c 2019-07-02 08:07:11.273742204 -0400 ++++ libvirt-5.4.0/src/libvirt-domain.c 2019-07-02 08:07:11.269742150 -0400 +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only +- * connections. ++ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. 
+@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && +- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +Index: libvirt-5.4.0/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-5.4.0.orig/src/qemu/qemu_driver.c 2019-07-02 08:07:11.273742204 -0400 ++++ libvirt-5.4.0/src/qemu/qemu_driver.c 2019-07-02 08:07:11.269742150 -0400 +@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +Index: libvirt-5.4.0/src/remote/remote_protocol.x +=================================================================== +--- libvirt-5.4.0.orig/src/remote/remote_protocol.x 2019-07-02 08:07:11.273742204 -0400 ++++ libvirt-5.4.0/src/remote/remote_protocol.x 2019-07-02 08:07:11.273742204 -0400 +@@ -5242,8 +5242,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, +
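    Review bot: the qemu_driver.c hunk changes the generated ACL helper call from virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) to (conn, def), which follows from dropping the "@acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE" line in remote_protocol.x (the flag-conditional ACL is what gave the helper its flags parameter); any other driver implementing domainSaveImageGetXMLDesc would need the same signature change, and the diffstat touches only qemu_driver.c, so confirm qemu is the sole implementer. The doc comment in libvirt-domain.c now says nothing about read-only connections even though the whole call is refused on them; a sentence stating that the API requires a read-write connection would keep the public docs accurate.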
  44. Download patch debian/libvirt-daemon.apport

    --- 5.2.0-2/debian/libvirt-daemon.apport 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon.apport 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,22 @@ +'''apport package hook for libvirt source package + +(c) 2009-2011 Canonical Ltd. +Author: +Jamie Strandboge <jamie@ubuntu.com> + +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_conffiles(report, 'libvirt-daemon-system') + attach_related_packages(report, ['apparmor', 'libapparmor1', + 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0']) + + # get apparmor stuff. + attach_mac_events(report, ['/usr/lib/libvirt/virt-aa-helper', + '/usr/sbin/libvirtd', + 'libvirt-.*']) +
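    Review bot: the hook imports "from os import path" and "import re" but uses neither, and "from apport.hookutils import *" pulls the helper names in by wildcard; dropping the two unused imports and importing attach_conffiles, attach_related_packages and attach_mac_events by name would make the hook's dependencies explicit. The pattern 'libvirt-.*' passed to attach_mac_events also matches per-guest AppArmor profile names, which looks intended but deserves a comment so the report contents are not a surprise.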
  45. Download patch build-aux/prohibit-duplicate-header.pl

    --- 5.2.0-2/build-aux/prohibit-duplicate-header.pl 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/build-aux/prohibit-duplicate-header.pl 2017-09-28 10:15:42.639719682 +0000 @@ -0,0 +1,26 @@ +#!/usr/bin/env perl + +use strict; + +my $file = " "; +my $ret = 0; +my %includes = ( ); +my $lineno = 0; + +while (<>) { + if (not $file eq $ARGV) { + %includes = ( ); + $file = $ARGV; + $lineno = 0; + } + $lineno++; + if (/^# *include *[<"]([^>"]*\.h)[">]/) { + $includes{$1}++; + if ($includes{$1} == 2) { + $ret = 1; + print STDERR "$ARGV:$lineno: $_"; + print STDERR "Do not include a header more than once per file\n"; + } + } +} +exit $ret;
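Review bot: `use strict;` without `use warnings;` in a new build-aux script; add it. The per-file reset keys on `$file eq $ARGV`, so if the same path is passed twice in a row the `%includes` map is not cleared and every header in the second copy is reported as a duplicate; resetting on `eof` of each input file (the usual `close ARGV if eof` idiom) avoids that edge case.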
  46. Download patch debian/patches/debian/Use-upstreams-polkit-rule.patch

    --- 5.2.0-2/debian/patches/debian/Use-upstreams-polkit-rule.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/debian/Use-upstreams-polkit-rule.patch 2019-08-20 08:50:08.000000000 +0000 @@ -9,10 +9,10 @@ As of 1.2.16 upstream ships a Polkit rul 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Makefile.in b/src/Makefile.in -index 2700a1d..4abd388 100644 +index e9e5ee0..c780453 100644 --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -13447,12 +13447,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \ +@@ -13475,12 +13475,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \ @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@ $(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@ $(MKDIR_P) $(DESTDIR)$(polkitrulesdir) @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@ $(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \ @@ -28,10 +28,10 @@ index 2700a1d..4abd388 100644 .PHONY: \ diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am -index dccecf8..c1916bd 100644 +index 0671424..9e7227d 100644 --- a/src/remote/Makefile.inc.am +++ b/src/remote/Makefile.inc.am -@@ -213,12 +213,12 @@ install-polkit: +@@ -221,12 +221,12 @@ install-polkit: $(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy $(MKDIR_P) $(DESTDIR)$(polkitrulesdir) $(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
  47. Download patch debian/patches/CVE-2019-10168.patch

    --- 5.2.0-2/debian/patches/CVE-2019-10168.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/CVE-2019-10168.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,41 @@ +From bf6c2830b6c338b1f5699b095df36f374777b291 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 14 Jun 2019 09:17:39 +0200 +Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +These APIs can be used to execute arbitrary emulators. +Forbid them on read-only connections. + +Fixes: CVE-2019-10168 +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +--- + src/libvirt-host.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/src/libvirt-host.c b/src/libvirt-host.c +index e20d6ee..2978825 100644 +--- a/src/libvirt-host.c ++++ b/src/libvirt-host.c +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); + virCheckNonNullArgGoto(xmlCPU, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectCompareHypervisorCPU) { + int ret; +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlCPUs, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectBaselineHypervisorCPU) { + char *cpu; +-- +1.7.1 +
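Review bot: both hunks add `virCheckReadOnlyGoto(conn->flags, error)` directly after the argument checks, which matches the commit message, but unlike the CVE-2019-10161 patch on this page nothing changes the `@acl` annotations for the corresponding REMOTE_PROC entries in remote_protocol.x, so a deployment that relies on the ACL driver rather than on the read-only socket still classifies these as read-type operations; say in the commit message whether that is deliberate. The API doc comments for virConnectCompareHypervisorCPU and virConnectBaselineHypervisorCPU should also gain a sentence that the calls are denied on read-only connections, since a client that used to get a result now gets VIR_ERR_OPERATION_DENIED.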
  48. Download patch build-aux/check-spacing.pl
  49. Download patch debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,25 @@ +From 5bc815f6a88f5e00613f6794c3c338abb45526fc Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Thu, 11 May 2017 16:19:24 +0200 +Subject: [PATCH 17/33] apparmor, virt-aa-helper: Allow access to tmp + directories + +Done by importing user-tmp abstraction which includes per-user +and globale tmp directories. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -4,6 +4,7 @@ + profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + #include <abstractions/base> + #include <abstractions/nameservice> ++ #include <abstractions/user-tmp> + + # needed for searching directories + capability dac_override,
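Review bot: `#include <abstractions/user-tmp>` grants the helper write and lock access to the /tmp and /var/tmp trees, not just read, while the description only says access to tmp directories is needed. virt-aa-helper's job is to inspect guest resources when generating a per-VM profile, so if the need is reading disk images placed under /tmp, an explicit read rule for those paths keeps the helper's profile tighter than the generic abstraction; if write really is required, state why in the commit message. "Forwarded: no" next to "part of continuous upstreaming effort" is contradictory; pick one.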
  50. Download patch debian/libvirt-daemon-system.libvirtd.init
  51. Download patch debian/libvirt-daemon.README.Debian

    --- 5.2.0-2/debian/libvirt-daemon.README.Debian 2019-04-11 10:24:28.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon.README.Debian 2019-08-20 08:50:08.000000000 +0000 @@ -42,30 +42,11 @@ EOF This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges. -Bridged network -=============== -libvirt can use the qemu-bridge-helper to create bridged network interfaces for -session domains. For this to work the helper must have the capability to create -TUN/TAP devices or must have the SUID permission set. -This can be done by running the following command as the user root: - - setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper - -The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For -each bridge add a line like 'allow br0'. - Access Control ============== -Access to the libvirt managing tasks is controlled by PolicyKit. To ease -configuration membership in the "libvirt" group is sufficient. If you want to -manage VMs as non-root you need to add a user to that group. - -Note that this will allow users in this group to use all of libvirt's -API including modifying files on the host. For finer grained access -control have a look at libvirt's ACLs. - -System QEMU/KVM processes are run as user and group libvirt-qemu. This can be -adjusted via /etc/libvirt/qemu.conf. +Access to the libvirt socket is controlled by membership in the "libvirtd" +group. +If you want to manage VMs as non root you need to add a user to that group. QEMU/KVM: Dropping Capabilties ============================== 
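Review bot: the rewritten Access Control paragraph names the "libvirtd" group; check that this matches the group the package actually creates and uses for the socket, because a stale group name in the README sends admins to a group that grants nothing. The replacement also drops the sentence that membership gives access to all of libvirt's API including modifying files on the host; that warning is what justifies the root-equivalence statement later in this file and belongs in this section too. Removing the qemu-bridge-helper section means the `setcap cap_net_admin+ep` guidance and the /etc/qemu/bridge.conf allow-list are no longer documented anywhere in this README; if they still apply to session domains on Ubuntu, keep them.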
@@ -116,3 +97,82 @@ model. See for further details. -- Guido Günther <agx@sigxcpu.org> Wen, 24 Dec 2014 09:55:41 +0200 + +AppArmor Profile +================ +Libvirt now contains AppArmor integration when using KVM or QEMU using +libvirt's sVirt infrastructure. Libvirtd can be configured to launch virtual +machines that are confined by uniquely restrictive AppArmor profiles. This +feature significantly improves virtualization in Ubuntu by providing user-space +host protection as well as guest isolation. + +In the sVirt model, if a profile is loaded for the libvirtd daemon, then each +qemu:///system QEMU virtual machine will have a profile created for it when +the virtual machine is started if one does not already exist. This generated +profile is based on a template file and uses a profile name based on the UUID +of the QEMU virtual machine and contains rules allowing access to only the +files it needs to run, such as its disks, pid file and log files. Just before +the QEMU virtual machine is started, the libvirtd daemon will change into this +unique profile, preventing the QEMU process from accessing any file resources +that are present in another QEMU process or the host machine. + +The AppArmor sVirt implementation is flexible in that it allows a user to +customize the template file in /etc/apparmor.d/libvirt/TEMPLATE for +site-specific access for all newly created QEMU virtual machines. When a +new profile is generated, two files are created: + + /etc/apparmor.d/libvirt/libvirt-<uuid> + /etc/apparmor.d/libvirt/libvirt-<uuid>.files + +The former can be fine-tuned by the administrator to allow custom access for +this particular QEMU virtual machine, and the latter will be updated +appropriately when required file access changes, such as when a disk is added. +This flexibility allows for situations such as having one virtual machine in +complain mode with all others in enforce mode. 
+ +Profiles for /usr/sbin/libvirtd, /usr/lib/libvirt/virt-aa-helper (a helper +program which the libvirtd daemon uses instead of manipulating AppArmor +directly), and /etc/apparmor.d/abstractions/libvirt-qemu are used to configure +AppArmor confinement with sVirt. Administrators of libvirt in production +environments are encouraged to review these files (especially 'libvirt-qemu') +to ensure that only the access required is given to the virtual machines. + +If the sVirt security model is active, then the node capabilities XML will +include its details. If a virtual machine is currently protected by the +security model, then the guest XML will include its assigned profile name. If +enabled at compile time, the sVirt security model will be activated if AppArmor +is available on the host OS and a profile for the libvirtd daemon is loaded +when libvirtd is started. To disable sVirt, and revert to the basic level of +AppArmor protection (host protection only), the /etc/libvirt/qemu.conf file can +be used to change the setting to security_driver="none". Users may also +disable AppArmor integration through AppArmor itself by performing: + +$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd +$ sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd + +If your system uses AppArmor, please note that the shipped profile works with +the default installation, and changes in your configuration may require changes +to the installed apparmor profile. Before filing a bug against this software, +please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug +against this software. + +qemu:///system +-------------- +Adding users to the libvirtd group effectively grants them root access. In +Ubuntu, users in the sudo group (who already have 'sudo' access) are added to +this group automatically. + +Virtual machines started from qemu:///system may run with or without root +privileges. 
As discussed above, in Ubuntu Qemu/KVM virtual machines are fully +isolated and confined by the AppArmor security driver. Users can adjust this +/etc/libvirt/qemu.conf so that virtual machines started under qemu:///system +run as a non-privileged user (new in libvirt 0.7). The 'libvirt-qemu' user and +'kvm' group are configured for this purpose. In Ubuntu, libvirt runs virtual +machines with non-root privileges as well as fully confined by AppArmor. + +While the current non-root implementation does reduce the privileges of virtual +machines running under qemu:///system, continuing to use a MAC system such as +AppArmor is important because without the MAC system all VMs will still run +under the same user and there is no guest isolation. Additionally, if each VM +ran under its own user, an attacker could potentially break out of the VM and +have unconfined user access to the host machine.
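Review bot: "Adding users to the libvirtd group effectively grants them root access. In Ubuntu, users in the sudo group ... are added to this group automatically" needs a sharper warning: sudo still gates root behind a password prompt and a log entry, whereas group access to the libvirt socket is neither password-gated nor logged by sudo, so the automatic add turns password-gated root into password-less root for those accounts; say that, and say how to opt out (remove the user from the group). In the same hunk, "Virtual machines started from qemu:///system may run with or without root privileges" followed two sentences later by "libvirt runs virtual machines with non-root privileges" reads as contradictory; state the default (user libvirt-qemu, group kvm) and that qemu.conf can change it. "Before filing a bug against this software, please see ... before filing a bug against this software" repeats itself.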
  52. Download patch cfg.mk

    --- 5.2.0-2/cfg.mk 2019-03-26 13:50:10.422395823 +0000 +++ 5.4.0-0ubuntu5/cfg.mk 2019-05-25 07:29:35.083518888 +0000 @@ -133,7 +133,6 @@ useless_free_options = \ --name=virDomainNetDefFree \ --name=virDomainObjFree \ --name=virDomainSmartcardDefFree \ - --name=virDomainSnapshotDefFree \ --name=virDomainSnapshotObjFree \ --name=virDomainSoundDefFree \ --name=virDomainVideoDefFree \ @@ -211,7 +210,6 @@ useless_free_options = \ # y virDomainInputDefFree # y virDomainNetDefFree # y virDomainObjFree -# y virDomainSnapshotDefFree # n virDomainSnapshotFree (returns int) # n virDomainSnapshotFreeName (returns int) # y virDomainSnapshotObjFree @@ -809,11 +807,11 @@ sc_prohibit_cross_inclusion: sc_require_enum_last_marker: @$(VC_LIST_EXCEPT) | xargs \ $(GREP) -A1 -nE '^[^#]*VIR_ENUM_IMPL *\(' /dev/null \ - | $(SED) -ne '/VIR_ENUM_IMPL[^,]*,$$/N' \ - -e '/VIR_ENUM_IMPL[^,]*,[^,]*[^_,][^L,][^A,][^S,][^T,],/p' \ + | $(SED) -ne '/VIR_ENUM_IMPL.*,$$/N' \ + -e '/VIR_ENUM_IMPL[^,]*,[^,]*,[^,]*[^_,][^L,][^A,][^S,][^T,],/p' \ -e '/VIR_ENUM_IMPL[^,]*,[^,]\{0,4\},/p' \ | $(GREP) . && \ - { echo '$(ME): enum impl needs to use _LAST marker' 1>&2; \ + { echo '$(ME): enum impl needs _LAST marker on second line' 1>&2; \ exit 1; } || : # In Python files we don't want to end lines with a semicolon like in C 
@@ -1083,6 +1081,19 @@ sc_prohibit_class: halt='use klass instead of class or _class' \ $(_sc_search_regexp) +# The dirent "d_type" field is non-portable and even when it +# exists some filesystems will only ever return DT_UNKNOWN. +# This field should only be used by code which is exclusively +# run platforms supporting "d_type" and must expect DT_UNKNOWN. +# We blacklist it to discourage accidental usage which has +# happened many times. Add an exclude rule if it is genuinely +# needed and the above restrictions are acceptable. +sc_prohibit_dirent_d_type: + @prohibit='(->|\.)d_type' \ + in_vc_files='\.[chx]$$' \ + halt='do not use the d_type field in "struct dirent"' \ + $(_sc_search_regexp) + # We don't use this feature of maint.mk. prev_version_file = /dev/null @@ -1113,7 +1124,7 @@ maint.mk Makefile: _autogen_error # though, as it would be quite pointless ifeq (2,$(_dry_run_result)$(_clean_requested)) $(info INFO: running autogen.sh is required, running it now...) - $(shell touch $(srcdir)/AUTHORS $(srcdir)/ChangeLog) + $(shell touch $(srcdir)/AUTHORS) maint.mk Makefile: _autogen endif endif @@ -1272,10 +1283,10 @@ exclude_file_name_regexp--sc_prohibit_xm exclude_file_name_regexp--sc_prohibit_return_as_function = \.py$$ exclude_file_name_regexp--sc_require_config_h = \ - ^(examples/|tools/virsh-edit\.c$$) + ^(examples/|tools/virsh-edit\.c$$|tests/virmockstathelpers.c) exclude_file_name_regexp--sc_require_config_h_first = \ - ^(examples/|tools/virsh-edit\.c$$) + ^(examples/|tools/virsh-edit\.c$$|tests/virmockstathelpers.c) exclude_file_name_regexp--sc_trailing_blank = \ /sysinfodata/.*\.data|/virhostcpudata/.*\.cpuinfo|^gnulib/local/.*/.*diff$$ @@ -1337,3 +1348,6 @@ exclude_file_name_regexp--sc_prohibit_re exclude_file_name_regexp--sc_prohibit_cross_inclusion = \ ^(src/util/virclosecallbacks\.h|src/util/virhostdev\.h)$$ + +exclude_file_name_regexp--sc_prohibit_dirent_d_type = \ + ^(src/util/vircgroup.c)$
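Review bot: the new exclude `exclude_file_name_regexp--sc_prohibit_dirent_d_type = ^(src/util/vircgroup.c)$` ends in a single `$`, while every other exclude in this file spells the end anchor as `$$` so that make passes a literal `$` to the regex; as written make expands the lone `$` and the pattern is unanchored, and the `.` is unescaped. Use `^src/util/vircgroup\.c$$` to match the file's own style. The same missing `$$` applies to the `tests/virmockstathelpers.c` entries added to the two sc_require_config_h excludes. In the sc_prohibit_dirent_d_type comment, "run platforms" is missing "on".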
  53. Download patch debian/not-installed

    --- 5.2.0-2/debian/not-installed 2019-04-12 07:39:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/not-installed 2019-08-20 08:50:08.000000000 +0000 @@ -1,6 +1,26 @@ # libtool files for the shared libraries, not needed by end user usr/lib/*/*libvirt*.la -usr/lib/libvirt/storage-file/libvirt_storage*.la -usr/lib/libvirt/storage-backend/libvirt_storage_backend*.la -usr/lib/libvirt/lock-driver/*.la -usr/lib/libvirt/connection-driver/*.la +usr/lib/*/libvirt/storage-file/libvirt_storage*.la +usr/lib/*/libvirt/storage-backend/libvirt_storage_backend*.la +usr/lib/*/libvirt/lock-driver/*.la +usr/lib/*/libvirt/connection-driver/*.la +# debianized versions are in /etc/default +etc/sysconfig/* +# Installed in examples already +usr/lib/sysctl.d/60-libvirtd.conf +# installed via d/libvirt-doc.docs already +# Ignore those placed by make install +# list them explicitly to trigger if other (sub)paths are added later +usr/share/doc/libvirt-*/html/*.rng +usr/share/doc/libvirt-*/html/*.png +usr/share/doc/libvirt-*/html/*.xml +usr/share/doc/libvirt-*/html/*.html +usr/share/doc/libvirt-*/html/*.gif +usr/share/doc/libvirt-*/html/*.css +usr/share/doc/libvirt-*/html/html/* +usr/share/doc/libvirt-*/html/internals/* +usr/share/doc/libvirt-*/html/logos/* +# also already installed from docs/devhelp/ via d/libvirt-doc.docs +usr/share/gtk-doc/html/libvirt/ +# do not add fonts (part of docs) +usr/share/doc/libvirt-*/html/fonts/*
  54. Download patch debian/patches/ubuntu/ubuntu-libxl-qemu-path.patch

    --- 5.2.0-2/debian/patches/ubuntu/ubuntu-libxl-qemu-path.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/ubuntu-libxl-qemu-path.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,31 @@ +From: Stefan Bader <stefan.bader@canonical.com> +Date: Wed, 27 May 2015 14:57:05 +0200 +Subject: ubuntu: libxl: Set common qemu path + +Upstream Xen assumes that qemu-system-x86 is shipped as part of the Xen +package. However, since this is now merged back into common qemu and +we (and Debian) do not ship an additional binary, the binary is not +found under the LIBXL_EXECBIN_DIR. So instead, refer to the common +path (/usr/bin). + +*Update Artful* +This change is still needed but was split from the qemu-dm compat bits +that were in the same patch before. Those changes are logically a different +change and could be dropped as that old compat is no more needed. + +BugLink: http://bugs.launchpad.net/bugs/1459600 +Last-Update: 2019-01-08 + +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> + +--- a/src/libxl/libxl_capabilities.c ++++ b/src/libxl/libxl_capabilities.c +@@ -531,7 +531,7 @@ libxlCapsInitGuests(libxl_ctx *ctx, virC + (guest_archs[i].pvh ? VIR_DOMAIN_OSTYPE_XENPVH : + VIR_DOMAIN_OSTYPE_XEN), + guest_archs[i].arch, +- LIBXL_EXECBIN_DIR "/qemu-system-i386", ++ "/usr/bin/qemu-system-i386", + (guest_archs[i].hvm ? + LIBXL_FIRMWARE_DIR "/hvmloader" : + NULL),
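Review bot: hardcoding "/usr/bin/qemu-system-i386" in libxlCapsInitGuests ties the libxl driver to a path that nothing checks at configure or run time; since the stated reason is that Debian/Ubuntu do not install an emulator under LIBXL_EXECBIN_DIR, a configure-time override for that directory would be easier to carry than an in-tree edit and would fail loudly if the binary moved. The header says "Last-Update: 2019-01-08" but the description still talks about an Artful-era split; refresh the description when the patch is refreshed.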
  55. Download patch debian/libvirt-daemon-system.maintscript

    --- 5.2.0-2/debian/libvirt-daemon-system.maintscript 2019-04-07 10:37:11.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.maintscript 2019-08-20 08:50:08.000000000 +0000 @@ -1 +1,4 @@ rm_conffile /etc/logrotate.d/libvirtd.uml 5.0.0-2~ +# drop sysV scripts to avoid upgrade issues with virtlogd-admin.socket (LP: #1786179) +rm_conffile /etc/init.d/virtlogd 4.6.0-1ubuntu1 libvirt-daemon-system +rm_conffile /etc/init.d/libvirtd 4.6.0-1ubuntu1 libvirt-daemon-system
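Review bot: the two new `rm_conffile` entries pass the package name while the existing logrotate entry does not; both forms work, but be consistent within the file. Removing /etc/init.d/libvirtd and /etc/init.d/virtlogd on upgrade is right for a systemd-only package, but rm_conffile moves a locally modified script aside as .dpkg-bak rather than deleting it; mention that in the changelog entry for LP: #1786179 so admins who customised those scripts know where to look.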
  56. Download patch configure
  57. Download patch ChangeLog-old
  58. Download patch docs/apps.html

    --- 5.2.0-2/docs/apps.html 2019-04-03 07:06:10.387708282 +0000 +++ 5.4.0-0ubuntu5/docs/apps.html 2019-05-28 10:47:05.667524383 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Wed Apr 3 07:06:10 UTC 2019. + This page was generated at Tue May 28 10:47:05 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Applications using libvirt</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Applications using libvirt</h1> 
@@ -207,6 +178,14 @@ machines. It is a command line tool for developers that makes it very fast and easy to deploy and re-deploy an environment of vm's. </dd> + <dt> + <a href="https://github.com/virt-lightning/virt-lightning">virt-lightning</a> + </dt> + <dd> + Virt-Lightning uses libvirt, cloud-init and libguestfs to allow anyone + to quickly start a new VM. Very much like a container CLI, but with a + virtual machine. + </dd> </dl> <h2> <a id="configmgmt">Configuration Management</a> @@ -658,12 +637,31 @@ </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
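Review bot: the regenerated search form now posts queries to https://www.google.com/search with a hidden `sitesearch` field, so every documentation search leaves libvirt.org; that is a change in what third parties see and deserves a line in the docs. The `advancedsearch` radio inputs sit outside the `<form id="simplesearch">` element, so they are not submitted with it and only work if js/main.js wires them up; nothing on this page shows that script, so confirm the static fallback when JavaScript is disabled. The same applies to the identical hunk in docs/auth.html below.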
  59. Download patch debian/libvirt-daemon.install

    --- 5.2.0-2/debian/libvirt-daemon.install 2019-04-22 06:55:18.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon.install 2019-08-20 08:50:08.000000000 +0000 @@ -1,3 +1,4 @@ +usr/share/apport/package-hooks/source_libvirt.py usr/sbin/* usr/lib/libvirt/libvirt_* usr/lib/libvirt/libvirt-guests.sh
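Review bot: this adds usr/share/apport/package-hooks/source_libvirt.py to libvirt-daemon, but the hook added in this upload is debian/libvirt-daemon.apport; dh_apport installs a per-binary `<package>.apport` as `<package>.py` and only a `source.apport` as `source_<package>.py`, so confirm that the build step actually produces a file with this name at this path, otherwise dh_install fails on the missing file or the hook is never picked up.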
  60. Download patch build-aux/mock-noinline.pl

    --- 5.2.0-2/build-aux/mock-noinline.pl 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/build-aux/mock-noinline.pl 2019-04-27 10:31:34.855092834 +0000 @@ -0,0 +1,75 @@ +#!/usr/bin/env perl + +my %noninlined; +my %mocked; + +# Functions in public header don't get the noinline annotation +# so whitelist them here +$noninlined{"virEventAddTimeout"} = 1; +# This one confuses the script as its defined in the mock file +# but is actually just a local helper +$noninlined{"virMockStatRedirect"} = 1; + +foreach my $arg (@ARGV) { + if ($arg =~ /\.h$/) { + #print "Scan header $arg\n"; + &scan_annotations($arg); + } elsif ($arg =~ /mock\.c$/) { + #print "Scan mock $arg\n"; + &scan_overrides($arg); + } +} + +my $warned = 0; +foreach my $func (keys %mocked) { + next if exists $noninlined{$func}; + + $warned++; + print STDERR "$func is mocked at $mocked{$func} but missing noinline annotation\n"; +} + +exit $warned ? 1 : 0; + + +sub scan_annotations { + my $file = shift; + + open FH, $file or die "cannot read $file: $!"; + + my $func; + while (<FH>) { + if (/^\s*(\w+)\(/ || /^(?:\w+\*?\s+)+(?:\*\s*)?(\w+)\(/) { + my $name = $1; + if ($name !~ /ATTRIBUTE/) { + $func = $name; + } + } elsif (/^\s*$/) { + $func = undef; + } + if (/ATTRIBUTE_NOINLINE/) { + if (defined $func) { + $noninlined{$func} = 1; + } + } + } + + close FH +} + +sub scan_overrides { + my $file = shift; + + open FH, $file or die "cannot read $file: $!"; + + my $func; + while (<FH>) { + if (/^(\w+)\(/ || /^\w+\s*(?:\*\s*)?(\w+)\(/) { + my $name = $1; + if ($name =~ /^vir/) { + $mocked{$name} = "$file:$."; + } + } + } + + close FH +}
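Review bot: both scan_* subs use the two-argument `open FH, $file` with a global bareword handle; use `open(my $fh, '<', $file)` so a filename beginning with `<`, `>` or `|` cannot be read as an open mode, and add `use strict; use warnings;` at the top (the sibling prohibit-duplicate-header.pl at least has `use strict`). The commented-out `#print "Scan ..."` debug lines can go. The inline explanation for the virEventAddTimeout and virMockStatRedirect exemptions is good; keep that habit for any future entries.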
  61. Download patch debian/patches/debian/Prefer-sbin-over-usr-sbin.patch

    --- 5.2.0-2/debian/patches/debian/Prefer-sbin-over-usr-sbin.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/debian/Prefer-sbin-over-usr-sbin.patch 2019-08-20 08:50:08.000000000 +0000 @@ -11,10 +11,10 @@ Closes: #895145 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 880a3a7..307aff0 100644 +index dcd78f6..1b77c97 100644 --- a/configure.ac +++ b/configure.ac -@@ -110,7 +110,7 @@ then +@@ -116,7 +116,7 @@ then fi dnl Where we look for daemons and admin binaries during configure
  62. Download patch debian/patches/ubuntu/lp-1828495-qemu-Drop-MSR-features-from-host-model-with-old-QEMU.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-qemu-Drop-MSR-features-from-host-model-with-old-QEMU.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-qemu-Drop-MSR-features-from-host-model-with-old-QEMU.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,83 @@ +From 2674d00ed484091faf2b6e6b1efe58ee9a72b96b Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 19 Jun 2019 22:22:09 +0200 +Subject: [PATCH] qemu: Drop MSR features from host-model with old QEMU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With QEMU versions which lack "unavailable-features" we use CPUID based +detection of features which were enabled or disabled once QEMU starts. +Thus using MSR features with host-model would result in all of them +being marked as disabled in the active domain definition even though +QEMU did not actually disable them. + +Let's make sure we add MSR features to host-model only when +"unavailable-features" property is supported by QEMU. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=2674d00e +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/qemu/qemu_capabilities.c | 15 +++++++++++++++ + tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml | 1 - + tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml | 1 - + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index 4134f319ac..02e84edc15 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -3193,6 +3193,21 @@ virQEMUCapsInitHostCPUModel(virQEMUCapsPtr qemuCaps, + goto error; + } + ++ if (ARCH_IS_X86(qemuCaps->arch) && ++ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_CPU_UNAVAILABLE_FEATURES)) { ++ if (cpu && ++ virCPUDefFilterFeatures(cpu, virCPUx86FeatureFilterDropMSR, NULL) < 0) ++ goto error; ++ ++ if (migCPU && ++ virCPUDefFilterFeatures(migCPU, virCPUx86FeatureFilterDropMSR, NULL) < 0) ++ goto error; ++ ++ if (fullCPU && ++ virCPUDefFilterFeatures(fullCPU, virCPUx86FeatureFilterDropMSR, NULL) < 0) ++ goto error; ++ } ++ + 
virQEMUCapsSetHostModel(qemuCaps, type, cpu, migCPU, fullCPU); + + cleanup: +diff --git a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml +index dfd186afba..ca3baab88c 100644 +--- a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml ++++ b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml +@@ -42,7 +42,6 @@ + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> +- <feature policy='require' name='skip-l1dfl-vmentry'/> + </mode> + <mode name='custom' supported='yes'> + <model usable='yes'>qemu64</model> +diff --git a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml +index 36f6f1e94d..cba841d844 100644 +--- a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml ++++ b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml +@@ -42,7 +42,6 @@ + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> +- <feature policy='require' name='skip-l1dfl-vmentry'/> + </mode> + <mode name='custom' supported='yes'> + <model usable='yes'>qemu64</model> +-- +2.22.0 +
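Review bot: the test-data hunks show the user-visible effect that the commit message does not state: with a QEMU lacking "unavailable-features", `skip-l1dfl-vmentry` (an MSR feature) disappears from the host-model definition in the qemu_3.1.0 and qemu_4.0.0 x86_64 domain capabilities. Guests that inherited it via host-model will now run without it unless the domain XML requests it explicitly; spell that out in the changelog and in LP: 1828495, since admins comparing `virsh domcapabilities` output before and after will see it vanish. The three identical `virCPUDefFilterFeatures(..., virCPUx86FeatureFilterDropMSR, NULL)` calls on cpu, migCPU and fullCPU could share a small helper, but that is a nit.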
  63. Download patch debian/libvirt0.install

    --- 5.2.0-2/debian/libvirt0.install 2018-12-18 11:15:32.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt0.install 2019-08-20 08:50:08.000000000 +0000 @@ -5,3 +5,4 @@ usr/lib/*/libvirt-qemu.so.* usr/share/libvirt/cpu_map/* usr/share/libvirt/schemas/* usr/share/libvirt/test-screenshot.png +usr/share/locale/*/LC_MESSAGES/libvirt.mo
  64. Download patch debian/watch

    --- 5.2.0-2/debian/watch 2019-04-11 10:24:28.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/watch 2019-08-20 08:50:08.000000000 +0000 @@ -1,4 +1,4 @@ -version=3 - -opts="uversionmangle=s/\.-rc/~rc/;s/\.+$//,pgpsigurlmangle=s/$/.asc/" \ - https://libvirt.org/sources/libvirt-([\d\.]+)(-rc\d)?\.tar\.[gx]z +version=4 +opts="uversionmangle=s/-rc/~rc/,pgpmode=auto" \ +https://libvirt.org/sources/ \ + ^libvirt-((?:[\d\.]+)(?:-rc\d)?)\.tar\.[gx]z$
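Review bot: replacing the explicit `pgpsigurlmangle=s/$/.asc/` with `pgpmode=auto` changes the failure mode: the old rule made the .asc signature mandatory for every download, while `auto` lets uscan look for a signature itself and is only as strong as the key in debian/upstream/signing-key.asc. Confirm that uscan errors rather than warns when no signature is found, or use `pgpmode=mangle` with the explicit .asc rule to keep verification mandatory. The new regex `^libvirt-((?:[\d\.]+)(?:-rc\d)?)\.tar\.[gx]z$` drops the old `s/\.+$//` mangle, which is fine only if `[\d\.]+` never matches a trailing dot in practice.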
  65. Download patch docs/auth.html

    --- 5.2.0-2/docs/auth.html 2019-03-28 08:58:09.919592904 +0000 +++ 5.4.0-0ubuntu5/docs/auth.html 2019-05-28 10:47:06.485517226 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:09 UTC 2019. + This page was generated at Tue May 28 10:47:06 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Connection authentication</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Connection authentication</h1> 
@@ -457,12 +428,31 @@ to authenticate against Kerberos. </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
  66. Download patch debian/tests/smoke-qemu-session.xml

    --- 5.2.0-2/debian/tests/smoke-qemu-session.xml 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/tests/smoke-qemu-session.xml 2019-08-14 05:26:37.000000000 +0000 @@ -1,4 +1,4 @@ -<domain type='kvm'> +<domain type='qemu'> <name>sqs</name> <memory unit='KiB'>256000</memory> <currentMemory unit='KiB'>256000</currentMemory> @@ -18,7 +18,7 @@ <on_reboot>destroy</on_reboot> <on_crash>destroy</on_crash> <devices> - <emulator>/usr/bin/kvm</emulator> + <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='virtio-serial' index='0'> <alias name='virtio-serial0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
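Review bot: switching the domain from type='kvm' with /usr/bin/kvm to type='qemu' with /usr/bin/qemu-system-x86_64 makes the smoke test runnable where /dev/kvm is absent, which is the usual autopkgtest situation, but the test then no longer exercises the KVM path that production guests use, including the /dev/kvm group permissions and the AppArmor rules around it. Record the reason in the test or the changelog, and consider keeping a kvm variant that is skipped when /dev/kvm is missing.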
  67. Download patch debian/patches/ubuntu/lp-1828495-cpu_x86-Turn-virCPUx86DataIteratorInit-into-a-functi.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-cpu_x86-Turn-virCPUx86DataIteratorInit-into-a-functi.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-cpu_x86-Turn-virCPUx86DataIteratorInit-into-a-functi.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,138 @@ +From b8e086a570b14b1f83fc07e25df6da758abe7706 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 19 Jun 2019 21:58:01 +0200 +Subject: [PATCH] cpu_x86: Turn virCPUx86DataIteratorInit into a function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Until now, this was a macro usable for direct initialization when a +variable is defined. Turning the macro into a function makes it more +general. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=b8e086a5 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/cpu/cpu_x86.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c +index b6a94d483a..6eef5cef00 100644 +--- a/src/cpu/cpu_x86.c ++++ b/src/cpu/cpu_x86.c +@@ -189,8 +189,13 @@ struct _virCPUx86DataIterator { + }; + + +-#define virCPUx86DataIteratorInit(data) \ +- { data, -1 } ++static void ++virCPUx86DataIteratorInit(virCPUx86DataIteratorPtr iterator, ++ const virCPUx86Data *data) ++{ ++ virCPUx86DataIterator iter = { data, -1 }; ++ *iterator = iter; ++} + + + static bool +@@ -540,9 +545,10 @@ static int + x86DataAdd(virCPUx86Data *data1, + const virCPUx86Data *data2) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit(data2); ++ virCPUx86DataIterator iter; + virCPUx86DataItemPtr item; + ++ virCPUx86DataIteratorInit(&iter, data2); + while ((item = virCPUx86DataNext(&iter))) { + if (virCPUx86DataAddItem(data1, item) < 0) + return -1; +@@ -556,10 +562,11 @@ static void + x86DataSubtract(virCPUx86Data *data1, + const virCPUx86Data *data2) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit(data1); ++ virCPUx86DataIterator iter; + virCPUx86DataItemPtr item1; + virCPUx86DataItemPtr item2; + ++ 
virCPUx86DataIteratorInit(&iter, data1); + while ((item1 = virCPUx86DataNext(&iter))) { + item2 = virCPUx86DataGet(data2, item1); + virCPUx86DataItemClearBits(item1, item2); +@@ -571,10 +578,11 @@ static void + x86DataIntersect(virCPUx86Data *data1, + const virCPUx86Data *data2) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit(data1); ++ virCPUx86DataIterator iter; + virCPUx86DataItemPtr item1; + virCPUx86DataItemPtr item2; + ++ virCPUx86DataIteratorInit(&iter, data1); + while ((item1 = virCPUx86DataNext(&iter))) { + item2 = virCPUx86DataGet(data2, item1); + if (item2) +@@ -588,8 +596,9 @@ x86DataIntersect(virCPUx86Data *data1, + static bool + x86DataIsEmpty(virCPUx86Data *data) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit(data); ++ virCPUx86DataIterator iter; + ++ virCPUx86DataIteratorInit(&iter, data); + return !virCPUx86DataNext(&iter); + } + +@@ -598,10 +607,11 @@ static bool + x86DataIsSubset(const virCPUx86Data *data, + const virCPUx86Data *subset) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit((virCPUx86Data *)subset); ++ virCPUx86DataIterator iter; + const virCPUx86DataItem *item; + const virCPUx86DataItem *itemSubset; + ++ virCPUx86DataIteratorInit(&iter, subset); + while ((itemSubset = virCPUx86DataNext(&iter))) { + if (!(item = virCPUx86DataGet(data, itemSubset)) || + !virCPUx86DataItemMatchMasked(item, itemSubset)) +@@ -1314,11 +1324,13 @@ x86ModelCompare(virCPUx86ModelPtr model1, + virCPUx86ModelPtr model2) + { + virCPUx86CompareResult result = EQUAL; +- virCPUx86DataIterator iter1 = virCPUx86DataIteratorInit(&model1->data); +- virCPUx86DataIterator iter2 = virCPUx86DataIteratorInit(&model2->data); ++ virCPUx86DataIterator iter1; ++ virCPUx86DataIterator iter2; + virCPUx86DataItemPtr item1; + virCPUx86DataItemPtr item2; + ++ virCPUx86DataIteratorInit(&iter1, &model1->data); ++ virCPUx86DataIteratorInit(&iter2, &model2->data); + while ((item1 = virCPUx86DataNext(&iter1))) { + virCPUx86CompareResult match = 
SUPERSET; + +@@ -1624,10 +1636,12 @@ virCPUx86GetMap(void) + static char * + virCPUx86DataFormat(const virCPUData *data) + { +- virCPUx86DataIterator iter = virCPUx86DataIteratorInit(&data->data.x86); ++ virCPUx86DataIterator iter; + virCPUx86DataItemPtr item; + virBuffer buf = VIR_BUFFER_INITIALIZER; + ++ virCPUx86DataIteratorInit(&iter, &data->data.x86); ++ + virBufferAddLit(&buf, "<cpudata arch='x86'>\n"); + while ((item = virCPUx86DataNext(&iter))) { + virCPUx86CPUIDPtr cpuid; +-- +2.22.0 +
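Review bot: `virCPUx86DataIteratorInit` still builds the iterator with the positional initializer `{ data, -1 }`, which depends on the member order of `struct _virCPUx86DataIterator`; a designated initializer naming the two members would not silently break if the struct is ever reordered. The new function takes `const virCPUx86Data *`, so the `(virCPUx86Data *)subset` cast dropped from `x86DataIsSubset` is a real const-correctness gain that the commit message could mention. Minor: the `virCPUx86DataFormat` hunk adds the call plus an extra blank line, unlike the other call sites.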
  68. Download patch debian/patches/series

    --- 5.2.0-2/debian/patches/series 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/series 2019-08-20 08:50:08.000000000 +0000 
@@ -14,6 +14,48 @@ Set-defaults-for-zfs-tools.patch Pass-GPG_TTY-env-var-to-the-ssh-binary.patch apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch debian/Prefer-sbin-over-usr-sbin.patch -api-disallow-virDomainGetHostname-for-read-only-connectio.patch -remote-enforce-ACL-write-permission-for-getting-guest-tim.patch -tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch +CVE-2019-10161.patch +CVE-2019-10166.patch +CVE-2019-10167.patch +CVE-2019-10168.patch + +ubuntu/Allow-libvirt-group-to-access-the-socket.patch +ubuntu/daemon-augeas-fix-expected.patch +ubuntu/ubuntu_machine_type.patch +ubuntu/ubuntu-libxl-qemu-path.patch +ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch +ubuntu/xen-default-uri.patch +ubuntu/parallel-shutdown.patch +ubuntu/apibuild-skip-libvirt-common.h +ubuntu/dnsmasq-as-priv-user +ubuntu/ovmf_paths.patch +ubuntu/set-default-machine-to-ubuntu.patch +ubuntu/avoid-restarting-virtlog-socket.patch + +# Ubuntu Apparmor Changes +ubuntu-aa/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch +ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch +ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch +ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch +ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch +ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch +ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch +ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch +ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch +ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch +ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch +ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch +ubuntu-aa/0050-local-include-for-libvirt-qemu.patch +ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch +ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch 
+ubuntu/lp-1828495-cpu_conf-Introduce-virCPUDefFilterFeatures.patch +ubuntu/lp-1828495-qemu-Probe-for-max-x86_64-cpu-type.patch +ubuntu/lp-1828495-qemu-Probe-for-unavailable-features-CPU-property.patch +ubuntu/lp-1828495-conf-Introduce-virCPUDefCheckFeatures.patch +ubuntu/lp-1828495-cpu_x86-Turn-virCPUx86DataIteratorInit-into-a-functi.patch +ubuntu/lp-1828495-cpu_x86-Introduce-virCPUx86FeatureFilter-MSR.patch +ubuntu/lp-1828495-cpu_x86-Read-CPU-features-from-IA32_ARCH_CAPABILITIE.patch +ubuntu/lp-1828495-cpu_map-Introduce-IA32_ARCH_CAPABILITIES-MSR-feature.patch +ubuntu/lp-1828495-qemu-Forbid-MSR-features-with-old-QEMU.patch +ubuntu/lp-1828495-qemu-Drop-MSR-features-from-host-model-with-old-QEMU.patch +ubuntu/lp-1828495-qemu-Probe-host-CPU-after-capabilities.patch
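Review bot: the three Debian patches removed here (`api-disallow-virDomainGetHostname-for-read-only-connectio.patch`, `remote-enforce-ACL-write-permission-for-getting-guest-tim.patch`, `tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch`) are dropped without a note; if they go because 5.4.0 already contains them upstream, say so in the changelog, since the first two are access-control fixes and the series file alone does not show that the protection is kept. Two style points: `ubuntu/apibuild-skip-libvirt-common.h` and `ubuntu/dnsmasq-as-priv-user` are the only entries without a `.patch` suffix, and the `lp-1828495-*` block is appended under the `# Ubuntu Apparmor Changes` heading although none of it is AppArmor-related; moving it up to the `ubuntu/` block, or giving it its own comment, keeps the grouping honest.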
  69. Download patch docs/apps.html.in

    --- 5.2.0-2/docs/apps.html.in 2019-04-03 06:58:29.168072252 +0000 +++ 5.4.0-0ubuntu5/docs/apps.html.in 2019-04-27 10:31:34.856092825 +0000 @@ -99,6 +99,12 @@ machines. It is a command line tool for developers that makes it very fast and easy to deploy and re-deploy an environment of vm's. </dd> + <dt><a href="https://github.com/virt-lightning/virt-lightning">virt-lightning</a></dt> + <dd> + Virt-Lightning uses libvirt, cloud-init and libguestfs to allow anyone + to quickly start a new VM. Very much like a container CLI, but with a + virtual machine. + </dd> </dl> <h2><a id="configmgmt">Configuration Management</a></h2>
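Review bot: the added entry spells the project `virt-lightning` in the link text and `Virt-Lightning` in the description; pick one form, matching the neighbouring entries in this list.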
  70. Download patch debian/tests/smoke-qemu-session

    --- 5.2.0-2/debian/tests/smoke-qemu-session 2018-03-18 09:53:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/tests/smoke-qemu-session 2019-08-14 05:26:37.000000000 +0000 @@ -27,8 +27,13 @@ if [ $(uname -m) != "x86_64" ]; then exit 0 fi +# to be able to load our simple guest from /vmlinuz later +sudo chown $USER /initrd.img +sudo chown $USER /vmlinuz + echo echo "Running as $USER" set -x + virt-host-validate qemu || true virsh capabilities virsh capabilities | grep -qs "arch name='x86_64'"
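Review bot: `sudo chown $USER /initrd.img` and `sudo chown $USER /vmlinuz` hand ownership of the host's kernel and initrd to the test user permanently, and since `chown` follows symlinks it is the real files under /boot that change owner, not the links. In a throwaway autopkgtest VM that is tolerable, but the comment only explains why read access is needed, not that the host is being modified; copying both files into a temp directory owned by the test user and pointing the guest definition at the copies would avoid touching the host at all, and `$USER` should be quoted. `virt-host-validate qemu || true` is fine as information, as long as its output stays in the log for when the later `virsh capabilities` checks fail.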
  71. Download patch debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,37 @@ +From 4a8125774ff0745c0273a199fa8b9fb8316c2992 Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Thu, 11 May 2017 16:36:19 +0200 +Subject: [PATCH 20/33] UBUNTU-only: apparmor, virt-aa-helper: Allow various storage pools + and image locations + +Got various updates over time to include further Ubuntu specific paths. + +Forwarded: no (Ubuntu specific paths) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -52,7 +52,19 @@ profile virt-aa-helper /usr/{lib,lib64}/ + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, +- /var/lib/nova/instances/_base/* r, ++ # nova base images (LP: #907269) ++ /var/lib/nova/images/** r, ++ /var/lib/nova/instances/_base/** r, ++ # nova snapshots (LP: #1244694) ++ /var/lib/nova/instances/snapshots/** r, ++ # eucalyptus (LP: #564914) ++ /var/lib/eucalyptus/instances/**/disk* r, ++ # eucalyptus loader (LP: #637544) ++ /var/lib/eucalyptus/instances/**/loader* r, ++ # for uvtool ++ /var/lib/uvtool/libvirt/images/** r, ++ # for multipass ++ /var/snap/multipass/common/data/multipassd/vault/instances/** r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r,
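Review bot: the uvtool and multipass rules are the only additions without an LP reference in their comment, unlike the nova and eucalyptus rules next to them; naming the bug or the component that reads images there keeps this UBUNTU-only profile auditable when a path is questioned later. Note also that `/var/lib/nova/instances/_base/* r` becomes `_base/** r`, which widens the grant from the directory's files to the whole subtree; fine if nova nests there, but it is a silent widening the message does not call out.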
  72. Download patch debian/patches/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch

    --- 5.2.0-2/debian/patches/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch 2019-08-14 05:26:37.000000000 +0000 
@@ -0,0 +1,117 @@ +From 73efd3699e8e1b1f4521af63401184e31dd3cd97 Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Sat, 3 May 2014 17:10:29 -0400 +Subject: [PATCH 2/2] libxl: Fix up VRAM to minimum requirements + +This is a bit debatable. On one side it hides configuration errors +in a way that makes them hard to spot. On the other side there is +at least one issue with (maybe some older versions) virt-manager. +Virt-manager sets VRAM directly, not using the default memory setting +but uses too small values for libxl. Worse, those versions do not seem +to allow to change VRAM from the GUI. So switching the video type to +VGA makes the guest fail to start until one manually adapts the VRAM +size in the XML definition. +With this change this would not happen but VRAM will be bigger than +the GUI says. This would not be that different from current Cirrus +behaviour. Only that in that case qemu seems to ignore the provided +size. + +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/libxl/libxl_conf.c | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +--- a/src/libxl/libxl_conf.c ++++ b/src/libxl/libxl_conf.c +@@ -1832,7 +1832,6 @@ + + { + libxl_domain_build_info *b_info = &d_config->b_info; +- int dm_type = libxlDomainGetEmulatorType(def); + + if (d_config->c_info.type != LIBXL_DOMAIN_TYPE_HVM) + return 0; +@@ -1842,50 +1841,45 @@ + * on the first graphics device (display). 
+ */ + if (def->nvideos) { ++ unsigned int min_vram = 8 * 1024; ++ + switch (def->videos[0]->type) { + case VIR_DOMAIN_VIDEO_TYPE_VGA: + case VIR_DOMAIN_VIDEO_TYPE_XEN: + b_info->u.hvm.vga.kind = LIBXL_VGA_INTERFACE_TYPE_STD; +- if (dm_type == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { +- if (def->videos[0]->vram < 16 * 1024) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("videoram must be at least 16MB for VGA")); +- return -1; +- } +- } else { +- if (def->videos[0]->vram < 8 * 1024) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("videoram must be at least 8MB for VGA")); +- return -1; +- } ++ /* ++ * Libxl enforces a minimal VRAM size of 16M when using ++ * LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN_TRADITIONAL or ++ * 8M for LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN. ++ * Avoid build failures and go with the minimum if less ++ * is specified. ++ */ ++ switch (b_info->device_model_version) { ++ case LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN: ++ min_vram = 8 * 1024; ++ break; ++ case LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN_TRADITIONAL: ++ default: ++ min_vram = 16 * 1024; + } + break; + + case VIR_DOMAIN_VIDEO_TYPE_CIRRUS: + b_info->u.hvm.vga.kind = LIBXL_VGA_INTERFACE_TYPE_CIRRUS; +- if (dm_type == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { +- if (def->videos[0]->vram < 8 * 1024) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("videoram must be at least 8MB for CIRRUS")); +- return -1; +- } +- } else { +- if (def->videos[0]->vram < 4 * 1024) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("videoram must be at least 4MB for CIRRUS")); +- return -1; +- } ++ switch (b_info->device_model_version) { ++ case LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN_TRADITIONAL: ++ min_vram = 4 * 1024; /* Actually the max, too */ ++ break; ++ case LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN: ++ default: ++ min_vram = 8 * 1024; + } + break; + + #ifdef LIBXL_HAVE_QXL + case VIR_DOMAIN_VIDEO_TYPE_QXL: + b_info->u.hvm.vga.kind = LIBXL_VGA_INTERFACE_TYPE_QXL; +- if (def->videos[0]->vram < 
128 * 1024) { +- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +- _("videoram must be at least 128MB for QXL")); +- return -1; +- } ++ min_vram = 128 * 1024; + break; + #endif + +@@ -1896,7 +1890,7 @@ + return -1; + } + /* vram validated for each video type, now set it */ +- b_info->video_memkb = def->videos[0]->vram; ++ b_info->video_memkb = (def->videos[0]->vram >= min_vram) ? def->videos[0]->vram : LIBXL_MEMKB_DEFAULT; + } else { + libxl_defbool_set(&b_info->u.hvm.nographic, 1); + }
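Review bot: the final assignment does not do what the new comment promises. The comment says to "go with the minimum if less is specified", but `b_info->video_memkb = (def->videos[0]->vram >= min_vram) ? def->videos[0]->vram : LIBXL_MEMKB_DEFAULT;` substitutes `LIBXL_MEMKB_DEFAULT` rather than `min_vram`, so a too-small value is replaced by libxl's default instead of the per-model minimum just computed; either use `min_vram` there or fix the comment. The line `/* vram validated for each video type, now set it */` is also stale now that the `virReportError` checks are gone. Since the message itself admits the change hides configuration errors, a `VIR_WARN` when the configured VRAM is overridden would at least keep the mismatch visible in the log.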
  73. Download patch docs/acl.html

    --- 5.2.0-2/docs/acl.html 2019-03-28 08:58:10.233589647 +0000 +++ 5.4.0-0ubuntu5/docs/acl.html 2019-05-28 10:47:06.881513761 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:10 UTC 2019. + This page was generated at Tue May 28 10:47:06 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Client access control</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Client access control</h1> 
@@ -869,12 +840,31 @@ </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
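Review bot: same change as in `docs/auth.html`: the inline scroll handler becomes `<script type="text/javascript" src="js/main.js">` plus `<body onload="pageload()">`, which moves all script out of the page (a CSP without `'unsafe-inline'` becomes possible for the docs) but makes every page depend on `js/main.js` shipping alongside it, and the `<!--// forces non-empty element-->` hack would read better as a comment explaining the serialisation reason. As the header says the page is generated and edits will be lost, this belongs in the docs template, not in the packaging diff.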
  74. Download patch debian/patches/ubuntu/lp-1828495-cpu_x86-Read-CPU-features-from-IA32_ARCH_CAPABILITIE.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-cpu_x86-Read-CPU-features-from-IA32_ARCH_CAPABILITIE.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-cpu_x86-Read-CPU-features-from-IA32_ARCH_CAPABILITIE.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,93 @@ +From 56b254dccc96b7339494812c9df07ccf6af3da95 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Fri, 22 Mar 2019 16:52:21 +0100 +Subject: [PATCH] cpu_x86: Read CPU features from IA32_ARCH_CAPABILITIES MSR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is used by the host capabilities code to construct host CPU +definition. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=56b254dc +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/cpu/cpu_x86.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/src/cpu/cpu_x86.c ++++ b/src/cpu/cpu_x86.c +@@ -2392,6 +2392,19 @@ x86Encode(virArch arch, + } + + ++static int ++virCPUx86DataCheckFeature(const virCPUData *data, ++ const char *name) ++{ ++ virCPUx86MapPtr map; ++ ++ if (!(map = virCPUx86GetMap())) ++ return -1; ++ ++ return x86FeatureInData(name, &data->data.x86, map); ++} ++ ++ + #if defined(__i386__) || defined(__x86_64__) + static inline void + cpuidCall(virCPUx86CPUID *cpuid) +@@ -2738,6 +2751,28 @@ virCPUx86GetHost(virCPUDefPtr cpu, + cpuidSet(CPUX86_EXTENDED, cpuData) < 0) + goto cleanup; + ++ /* Read the IA32_ARCH_CAPABILITIES MSR (0x10a) if supported. ++ * This is best effort since there might be no way to read the MSR ++ * when we are not running as root. 
*/ ++ if (virCPUx86DataCheckFeature(cpuData, "arch-capabilities") == 1) { ++ uint64_t msr; ++ unsigned long index = 0x10a; ++ ++ if (virHostCPUGetMSR(index, &msr) == 0) { ++ virCPUx86DataItem item = { ++ .type = VIR_CPU_X86_DATA_MSR, ++ .data.msr = { ++ .index = index, ++ .eax = msr & 0xffffffff, ++ .edx = msr >> 32, ++ }, ++ }; ++ ++ if (virCPUx86DataAdd(cpuData, &item) < 0) ++ return -1; ++ } ++ } ++ + ret = x86DecodeCPUData(cpu, cpuData, models); + cpu->microcodeVersion = virHostCPUGetMicrocodeVersion(); + +@@ -2770,19 +2805,6 @@ virCPUx86CheckFeature(const virCPUDef *c + } + + +-static int +-virCPUx86DataCheckFeature(const virCPUData *data, +- const char *name) +-{ +- virCPUx86MapPtr map; +- +- if (!(map = virCPUx86GetMap())) +- return -1; +- +- return x86FeatureInData(name, &data->data.x86, map); +-} +- +- + static virCPUDefPtr + virCPUx86Baseline(virCPUDefPtr *cpus, + unsigned int ncpus,
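Review bot: in the new `virCPUx86GetHost` block, `if (virCPUx86DataAdd(cpuData, &item) < 0) return -1;` returns directly while the surrounding code uses `goto cleanup;` (see `cpuidSet(CPUX86_EXTENDED, cpuData) < 0) goto cleanup;` just above), so this error path skips the cleanup and leaks `cpuData`; use `goto cleanup` for consistency. A failed `virHostCPUGetMSR` is silently ignored; the comment explains it is best effort without root, but a `VIR_DEBUG` there would help when a host's `arch-capabilities` bits unexpectedly do not appear. Finally, `virHostCPUGetMSR` is not defined in this patch, so the backport relies on an earlier patch in the `lp-1828495-*` series providing it; worth stating in the header.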
  75. Download patch debian/patches/ubuntu/avoid-restarting-virtlog-socket.patch

    --- 5.2.0-2/debian/patches/ubuntu/avoid-restarting-virtlog-socket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/avoid-restarting-virtlog-socket.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,33 @@ +Description: Avoid restarting virtlogd +. +dh_systemd_start will parse the Also lines (intended for services) but today +also will collect sockets. That would make it restart the sockets which in turn +deb-invoke-systemd knows that it has to restart the services. +. +Overall that would restart virtlogd (and virtlockd) on an upgrade which breaks +it. +. +This can be dropped once fixed in the dh_* tools and libvirt packaging in Debian +is using that new code. +. +It was discussed if dropping these lines would imply any loss of features, but +since the service already has a requires to those sockets it should be safe. +. +Forwarded: no +Forward-info: Distro specific +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1786179 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905772 +Last-Update: 2018-08-13 + +--- a/src/remote/libvirtd.service.in ++++ b/src/remote/libvirtd.service.in +@@ -40,5 +40,6 @@ TasksMax=32768 + + [Install] + WantedBy=multi-user.target +-Also=virtlockd.socket +-Also=virtlogd.socket ++# Disabled until dh_*systemd* no more restarts the services via the sockets (LP: #1786179) ++#Also=virtlockd.socket ++#Also=virtlogd.socket
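Review bot: commenting out `Also=virtlockd.socket` and `Also=virtlogd.socket` changes what `systemctl enable libvirtd` does, not only what dh_systemd_start restarts: the two sockets no longer get enable symlinks together with the service. The message argues that a `Requires=` on the sockets makes this safe, and that does pull them in whenever libvirtd starts, but it does not enable them for boot on their own, so the postinst (or the socket units themselves) should be checked to still enable both sockets; otherwise virtlogd is only ever started as a dependency of libvirtd.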
  76. Download patch debian/patches/ubuntu/lp-1828495-cpu_map-Introduce-IA32_ARCH_CAPABILITIES-MSR-feature.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-cpu_map-Introduce-IA32_ARCH_CAPABILITIES-MSR-feature.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-cpu_map-Introduce-IA32_ARCH_CAPABILITIES-MSR-feature.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,151 @@ +From c8ec678fd9d97189667c0121f48a220dd26856b7 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Thu, 14 Mar 2019 15:44:38 +0100 +Subject: [PATCH] cpu_map: Introduce IA32_ARCH_CAPABILITIES MSR features +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=c8ec678f +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/cpu_map/x86_features.xml | 20 +++++++++++++++++++ + .../x86_64-cpuid-Core-i7-7600U-enabled.xml | 1 + + .../x86_64-cpuid-Core-i7-7600U-json.xml | 1 + + ...86_64-cpuid-Xeon-Platinum-8268-enabled.xml | 1 + + .../x86_64-cpuid-Xeon-Platinum-8268-guest.xml | 4 ++++ + .../x86_64-cpuid-Xeon-Platinum-8268-host.xml | 4 ++++ + .../x86_64-cpuid-Xeon-Platinum-8268-json.xml | 3 +++ + .../qemu_3.1.0.x86_64.xml | 1 + + .../qemu_4.0.0.x86_64.xml | 1 + + 10 files changed, 37 insertions(+) + +diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml +index 370807f88e..2bed1e0372 100644 +--- a/src/cpu_map/x86_features.xml ++++ b/src/cpu_map/x86_features.xml +@@ -482,4 +482,24 @@ + <feature name='amd-no-ssb'> + <cpuid eax_in='0x80000008' ebx='0x04000000'/> + </feature> ++ ++ <!-- IA32_ARCH_CAPABILITIES features --> ++ <feature name='rdctl-no'> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000001'/> ++ </feature> ++ <feature name='ibrs-all'> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000002'/> ++ </feature> ++ <feature name='rsba'> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000004'/> ++ </feature> ++ <feature name='skip-l1dfl-vmentry'> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000008'/> ++ </feature> ++ <feature name='ssb-no'> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000010'/> ++ </feature> ++ <feature name='mds-no'> ++ <msr index='0x10a' 
edx='0x00000000' eax='0x00000020'/> ++ </feature> + </cpus> +diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-enabled.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-enabled.xml +index b1cdaa802a..58bc84577c 100644 +--- a/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-enabled.xml ++++ b/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-enabled.xml +@@ -5,4 +5,5 @@ + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000004' edx='0x84000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> ++ <msr index='0x10a' edx='0x00000000' eax='0x00000008'/> + </cpudata> +diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-json.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-json.xml +index 48089c6003..690081493b 100644 +--- a/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-json.xml ++++ b/tests/cputestdata/x86_64-cpuid-Core-i7-7600U-json.xml +@@ -10,4 +10,5 @@ + <feature policy='require' name='ssbd'/> + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> ++ <feature policy='require' name='skip-l1dfl-vmentry'/> + </cpu> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-enabled.xml +index 434ac1956a..313009b156 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-enabled.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-enabled.xml +@@ -5,4 +5,5 @@ + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0xd19f4fbb' ecx='0x0000080c' edx='0x84000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> ++ <msr index='0x10a' edx='0x00000000' 
eax='0x0000000b'/> + </cpudata> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml +index c7e8a1fccf..988fb1dbdc 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml +@@ -30,4 +30,8 @@ + <feature policy='require' name='mbm_total'/> + <feature policy='require' name='mbm_local'/> + <feature policy='require' name='invtsc'/> ++ <feature policy='require' name='rdctl-no'/> ++ <feature policy='require' name='ibrs-all'/> ++ <feature policy='require' name='skip-l1dfl-vmentry'/> ++ <feature policy='require' name='mds-no'/> + </cpu> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml +index d7482751b4..fdeafc4870 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml +@@ -31,4 +31,8 @@ + <feature name='mbm_total'/> + <feature name='mbm_local'/> + <feature name='invtsc'/> ++ <feature name='rdctl-no'/> ++ <feature name='ibrs-all'/> ++ <feature name='skip-l1dfl-vmentry'/> ++ <feature name='mds-no'/> + </cpu> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-json.xml +index b7d12dced7..78863c61d1 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-json.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-json.xml +@@ -7,4 +7,7 @@ + <feature policy='require' name='umip'/> + <feature policy='require' name='pku'/> + <feature policy='require' name='xsaves'/> ++ <feature policy='require' name='rdctl-no'/> ++ <feature policy='require' name='ibrs-all'/> ++ <feature policy='require' name='skip-l1dfl-vmentry'/> + </cpu> +diff --git a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml +index ca3baab88c..dfd186afba 
100644 +--- a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml ++++ b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml +@@ -42,6 +42,7 @@ + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> ++ <feature policy='require' name='skip-l1dfl-vmentry'/> + </mode> + <mode name='custom' supported='yes'> + <model usable='yes'>qemu64</model> +diff --git a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml +index cba841d844..36f6f1e94d 100644 +--- a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml ++++ b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml +@@ -42,6 +42,7 @@ + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> ++ <feature policy='require' name='skip-l1dfl-vmentry'/> + </mode> + <mode name='custom' supported='yes'> + <model usable='yes'>qemu64</model> +-- +2.22.0 +
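Review bot: the diffstat says `10 files changed, 37 insertions(+)` but the backport touches nine files with 36 added lines, so one file from the upstream commit was dropped; record which one and why in the header (`Origin: backport`) so the next rebase does not reintroduce it blindly. On the content: the six `<msr index='0x10a' ...>` features advertise to a guest kernel that the CPU is not affected by a class of speculative-execution issue, and a kernel that sees them leaves the corresponding mitigation off, so it matters that these items only reach a guest when the host really reports them; the later `qemu-Forbid-MSR-features-with-old-QEMU` and `qemu-Drop-MSR-features-from-host-model-with-old-QEMU` patches in the series are what enforce that and deserve a cross-reference here.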
  77. Download patch debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,33 @@ +From 4c5da648e1f1bb3fd721de59ff8b2c3614ef07a9 Mon Sep 17 00:00:00 2001 +From: Corey Bryant <corey.bryant@canonical.com> +Date: Wed, 5 Jul 2017 17:07:48 +0200 +Subject: [PATCH 34/34] apparmor:, virt-aa-helper: access for snapped nova + +Allow access to base images stored in nova-hypervisor snap's +$SNAP_COMMON directory, enabling use of the libvirt deb from the +nova-hypervisor snap (LP: #1644507). + +Author: Corey Bryant <corey.bryant@canonical.com> +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +index 387a261..63799ea 100644 +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -69,6 +69,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + /var/lib/nova/instances/_base/** r, + # nova snapshots (LP: #1244694) + /var/lib/nova/instances/snapshots/** r, ++ # nova base/snapshot files in snapped nova (LP: #1644507) ++ /var/snap/nova-hypervisor/common/instances/_base/** r, ++ /var/snap/nova-hypervisor/common/instances/snapshots/** r, + # eucalyptus (LP: #564914) + /var/lib/eucalyptus/instances/**/disk* r, + # eucalyptus loader (LP: #637544) +-- +2.7.4 +
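Review bot: the subject line has a stray comma in `apparmor:, virt-aa-helper`. The two new rules mirror the `/var/lib/nova/...` ones exactly (read-only, `**` glob, LP reference in the comment), which is the right shape; since they only apply cleanly once patch 0020 has added the nova rules they sit between, that series-order dependency is worth stating in the header.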
  78. Download patch debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch 2019-08-14 05:26:37.000000000 +0000 @@ -0,0 +1,36 @@ +From b6911f3285a80c6bde0574f4bdc9d4294c021bf4 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Thu, 11 May 2017 12:21:30 +0200 +Subject: [PATCH 30/33] virt-aa-helper: Complete 9p support + +Allow links on 9p shares in addition to rw. + +Note: on review Guido wondered whether it would be possible to +allow links only if the target is below the source path. If that +is possible anyhow. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/virt-aa-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index 7f3b7ad..87a5481 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -1108,7 +1108,7 @@ get_files(vahControl * ctl) + /* We don't need to add deny rw rules for readonly mounts, + * this can only lead to troubles when mounting / readonly. + */ +- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) ++ if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) + goto cleanup; + } + } +-- +2.7.4 +
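Review bot: changing `"rw"` to `"rwl"` grants an unrestricted `l` (link) permission on the 9p share path, which is exactly the concern the message records ("allow links only if the target is below the source path"). AppArmor can express that restriction: a `link` rule with an explicit `->` target (optionally `link subset`) confines the link target to the share, so `vah_add_path` could emit such a rule for the share instead of a bare `l`. Also note that read-only shares keep `R` and get no link permission, which is right, and the message should say so.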
  79. Download patch debian/patches/ubuntu/ovmf_paths.patch

    --- 5.2.0-2/debian/patches/ubuntu/ovmf_paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/ovmf_paths.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,60 @@ +From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> +Subject: Add paths to "ms" variants of OVMF code/vars + +The "ms" Secure Boot -enabled variants of OVMF_CODE and OVMF_VARS +both should include the added label rather than just the OVMF_CODE file: +in Ubuntu, we always build OVMF_CODE with Secure Boot enabled, as we only +build it once, but the variable store in the ms.fd file additionally +includes preloaded Microsoft KEK/DB keys, as well as an ephemeral PK/KEK +key that was generated just for that purpose (for which only the public +part is available, the secret key has been deleted). The fact that a PK, +KEK, and DB keys are loaded means Secure Boot is effectively enabled and +can validate UEFI binaries. When users use the non-secboot variant, then +Secure Boot is effectively not in use due to the absence of the keys. + +--- + src/qemu/qemu.conf | 3 ++- + src/qemu/qemu_conf.c | 3 ++- + src/qemu/test_libvirtd_qemu.aug.in | 1 + + 3 files changed, 5 insertions(+), 2 deletions(-) + +Index: b/src/qemu/qemu.conf +=================================================================== +--- a/src/qemu/qemu.conf ++++ b/src/qemu/qemu.conf +@@ -726,7 +726,8 @@ + # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +-# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd", ++# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #] + + # The backend to use for handling stdout/stderr output from +Index: b/src/qemu/qemu_conf.c +=================================================================== +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -130,7 +130,8 @@ void qemuDomainCmdlineDefFree(qemuDomain + "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + 
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd:" \ +- "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++ "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd:" \ ++ "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #endif + + +Index: b/src/qemu/test_libvirtd_qemu.aug.in +=================================================================== +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -93,6 +93,7 @@ module Test_libvirtd_qemu = + { "2" = "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd" } + { "3" = "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd" } + { "4" = "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" } ++ { "5" = "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" } + } + { "stdio_handler" = "logd" } + { "gluster_debug_level" = "9" }
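Review bot: the qemu.conf hunk appends the `.ms.fd` pair to the example list without saying what sets it apart, while the description explains that the pair directly above it, `OVMF_CODE.secboot.fd:OVMF_VARS.fd`, comes with an empty variable store and therefore does not actually enforce Secure Boot. That is exactly what an admin reading qemu.conf needs to know, so add a one-line comment above the new entry, for example `# OVMF_VARS.ms.fd ships Microsoft KEK/DB keys pre-enrolled, so Secure Boot is enforced`. Keep the qemu_conf.c default in step with it; note that the qemu_conf.c hunk also depends on the trailing `:` added to the AAVMF32 line, so the two lines must move together if the list is ever reordered.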
  80. Download patch debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,19 @@ +Description: UBUNTU-ONLY: provide a local include to tune libvirt-qemu +This is the most likely apparmor profile that a user +wants to tune, so it should have a local include to do +so without conffile trouble. + +Forwarded: no +Forward-info: Upstream can't guarantee the existance of the includes +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1786019 +Last-Update: 2018-08-08 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -226,3 +226,6 @@ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include <local/abstractions/libvirt-qemu>
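Review bot: `#include <local/abstractions/libvirt-qemu>` is unconditional, so if that file is absent apparmor_parser rejects every profile that pulls in the abstraction, and because virt-aa-helper generates each guest's profile from it, no guest would start. The Forward-info line already says upstream cannot guarantee the include exists; the package only gets away with it because libvirt-daemon-system.postinst creates an empty file at that path. Use `include if exists <local/abstractions/libvirt-qemu>` where the target parser supports it, or at least state the postinst dependency in the description so the two are not separated later.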
  81. Download patch debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,34 @@ +From b1d54d7e56da3961f9db8705f7a5eaecd6f9222c Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Tue, 23 May 2017 17:21:08 +0200 +Subject: [PATCH 32/33] apparmor, libvirt-qemu: Allow reading charm-specific + ceph config + +Allows reading ceph configuration files from (juju) charm +specific location and silence denial messages which were +occuring related to that. + +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1403648 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -197,6 +197,12 @@ + # allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + ++ # allow access to charm-specific ceph config (LP: #1403648). ++ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579) ++ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674) ++ /var/lib/charm/*/ceph.conf r, ++ /run/ceph/rbd-client-*.asok rw, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r,
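Review bot: the description still says the patch silences denial messages, but the hunk adds no deny rule and its own in-profile comment says the silencing was dropped because it could hide other problems (LP: #1719579); update the description to match what is actually applied. On the rules themselves, `/var/lib/charm/*/ceph.conf r` is read-only and fine; `/run/ceph/rbd-client-*.asok rw` is the librbd admin socket QEMU creates inside its own process, so `rw` is needed to bind it, but the glob covers every rbd client socket in /run/ceph rather than only this guest's, which is worth a word in the comment.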
  82. Download patch AUTHORS

    --- 5.2.0-2/AUTHORS 2019-04-03 07:06:57.444263043 +0000 +++ 5.4.0-0ubuntu5/AUTHORS 2019-06-03 14:14:11.285048538 +0000 @@ -93,6 +93,7 @@ Tatsuro Enokura <fj7716hz@aa.jp.fujitsu. Adam Litke <agl@us.ibm.com> Adam Walters <adam@pandorasboxen.com> +Adrian Brzezinski <adrian.brzezinski@eo.pl> Alan Pevec <apevec@redhat.com> Ales Musil <amusil@redhat.com> Alex Williamson <alex.williamson@redhat.com> @@ -103,6 +104,7 @@ Alexander Nusov <alexander.nusov@nfvexpr Alexander Todorov <atodorov@otb.bg> Alexander Vasilenko <kaperang07@gmail.com> Aline Manera <alinefm@br.ibm.com> +Allen, John <John.Allen@amd.com> Alon Levy <alevy@redhat.com> Alvaro Polo <apoloval@gmail.com> Amy Fong <amy.fong@windriver.com> @@ -281,10 +283,12 @@ Hongwei Bi <hwbi2008@gmail.com> Hu Jianwei <jiahu@redhat.com> Hu Tao <hutao@cn.fujitsu.com> Huanle Han <hanxueluo@gmail.com> +Huaqiang <huaqiang.wang@intel.com> Ian Campbell <Ian.Campbell@citrix.com> Ian Campbell <ian.campbell@citrix.com> Ian Main <imain@redhat.com> Igor Gnatenko <ignatenkobrain@fedoraproject.org> +Ilias Stamatis <stamatis.iliass@gmail.com> Ilja Livenson <ilja.livenson@gmail.com> Ishmanpreet Kaur Khera <khera.ishman@gmail.com> Ivan Baldo <ibaldo@adinet.com.uy> @@ -395,6 +399,7 @@ Maxim Kozin <kolomaxes@gmail.com> Maxim Perevedentsev <mperevedentsev@virtuozzo.com> Maxime Leroy <maxime.leroy@6wind.com> Maximilian Wilhelm <max@rfc2324.org> +Maxiwell S. Garcia <maxiwell@linux.ibm.com> Mehdi Abaakouk <sileht@redhat.com> Michael Avdienko <whitearchey@gmail.com> Michael Chapman <mike@very.puzzling.org> @@ -549,6 +554,7 @@ Sukadev Bhattiprolu <sukadev@linux.vnet. Sukrit Bhatnagar <skrtbhtngr@gmail.com> Supriya Kannery <supriyak@linux.vnet.ibm.com> Suyang Chen <dawson0xff@gmail.com> +Syed Humaid <syedhumaidbinharoon@gmail.com> Sławek Kapłoński <slawek@kaplonski.pl> Taisuke Yamada <tai@rakugaki.org> Taizo ITO <taizo.ito@hde.co.jp>
  83. Download patch debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,41 @@ +From a7cf113469ba32951a0cfa44a35992153ae876c8 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Tue, 4 Jul 2017 07:57:19 +0200 +Subject: [PATCH 33/33] UBUNTU-only: apparmor: for kvm.powerpc (LP: #1680384) + +The (so far) Ubuntu only kvm wrappers call a lot more on ppc. +Since this is already considered as the qemu binary it must be opened up +in apparmor to work. +So allow these extra tools executed by kvm.powerpc + +Note: this got added in 1680384 and extended by 1686621 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Forwarded: no +Forward-info: Distro specific +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1680384 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686621 +Last-Update: 2018-06-17 +--- + src/security/apparmor/libvirt-qemu | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -203,6 +203,13 @@ + /var/lib/charm/*/ceph.conf r, + /run/ceph/rbd-client-*.asok rw, + ++ # kvm.powerpc executes/accesses this ++ /{usr/,}bin/uname rmix, ++ /{usr/,}sbin/ppc64_cpu rmix, ++ /{usr/,}bin/grep rmix, ++ /sys/devices/system/cpu/subcores_per_core r, ++ /sys/devices/system/cpu/cpu*/online r, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r,
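Review bot: the context lines of this hunk (`/var/lib/charm/*/ceph.conf r,` and the `.asok` rule) come from patch 0032, so this patch only applies after it; fine in a quilt series, but since the header marks it as distro specific and Ubuntu-only it may be carried on its own, so say so in the description. The rules also land in the architecture-independent libvirt-qemu abstraction, meaning every x86 guest gets `rmix` on uname and grep as well. That is harmless because `ix` keeps the helpers under the guest's own profile (the right choice over `Ux` here), but if the abstraction ever gains an architecture split these belong on the ppc side.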
  84. Download patch debian/libvirt-daemon-system.install

    --- 5.2.0-2/debian/libvirt-daemon-system.install 2019-04-17 17:46:56.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.install 2019-08-14 05:26:37.000000000 +0000 @@ -5,3 +5,4 @@ etc/libvirt/virtlockd.conf etc/libvirt/virtlogd.conf etc/sasl2/* usr/share/polkit-1 +etc/dnsmasq.d-available/libvirt-daemon
  85. Download patch debian/libvirt-clients.install

    --- 5.2.0-2/debian/libvirt-clients.install 2019-04-12 07:39:51.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-clients.install 2019-08-20 08:50:08.000000000 +0000 @@ -4,3 +4,4 @@ etc/libvirt/libvirt.conf etc/libvirt/libvirt-admin.conf usr/share/man/man7/virkeycode-*.7 usr/share/man/man7/virkeyname-*.7 +etc/profile.d/libvirt-uri.sh
  86. Download patch debian/patches/ubuntu/lp-1828495-qemu-Forbid-MSR-features-with-old-QEMU.patch

    --- 5.2.0-2/debian/patches/ubuntu/lp-1828495-qemu-Forbid-MSR-features-with-old-QEMU.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/lp-1828495-qemu-Forbid-MSR-features-with-old-QEMU.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,77 @@ +From 8eb4a89f5f7973f50aa8b6fa0b1a45b825dda208 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 19 Jun 2019 21:59:49 +0200 +Subject: [PATCH] qemu: Forbid MSR features with old QEMU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without "unavailable-features" CPU property we cannot properly detect +whether a specific MSR feature we asked for (either explicitly or +implicitly via a CPU model) was disabled by QEMU for some reason. +Because this could break migration, snapshots, and save/restore +operaions, it's better to just forbid any use of MSR features with QEMU +which lacks "unavailable-features" CPU property. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=8eb4a89f +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1828495 +Last-Update: 2019-08-20 + +--- + src/qemu/qemu_process.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 28aa34c62d..c9f8a0f311 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -59,6 +59,7 @@ + #include "qemu_firmware.h" + + #include "cpu/cpu.h" ++#include "cpu/cpu_x86.h" + #include "datatypes.h" + #include "virlog.h" + #include "virerror.h" +@@ -5406,9 +5407,32 @@ qemuProcessStartValidate(virQEMUDriverPtr driver, + if (qemuProcessStartValidateShmem(vm) < 0) + return -1; + +- if (vm->def->cpu && +- virCPUValidateFeatures(vm->def->os.arch, vm->def->cpu) < 0) +- return -1; ++ if (vm->def->cpu) { ++ if (virCPUValidateFeatures(vm->def->os.arch, vm->def->cpu) < 0) ++ return -1; ++ ++ if (ARCH_IS_X86(vm->def->os.arch) && ++ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_CPU_UNAVAILABLE_FEATURES)) { ++ VIR_AUTOSTRINGLIST features = NULL; ++ int n; ++ ++ if ((n = virCPUDefCheckFeatures(vm->def->cpu, ++ 
virCPUx86FeatureFilterSelectMSR, ++ NULL, ++ &features)) < 0) ++ return -1; ++ ++ if (n > 0) { ++ VIR_AUTOFREE(char *) str = NULL; ++ ++ str = virStringListJoin((const char **)features, ", "); ++ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ++ _("Some features cannot be reliably used " ++ "with this QEMU: %s"), str); ++ return -1; ++ } ++ } ++ } + + if (qemuProcessStartValidateDisks(vm, qemuCaps) < 0) + return -1; +-- +2.22.0 +
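Review bot: the new check only runs in qemuProcessStartValidate, so a domain with MSR features is accepted at define time and then refuses to start, and the error text `Some features cannot be reliably used with this QEMU: %s` does not say why. Name the missing capability in the message (the `unavailable-features` CPU property the description talks about) so an admin can tell that upgrading QEMU, not editing the XML, is the fix. Also note that QEMU_CAPS_CPU_UNAVAILABLE_FEATURES only exists once the companion lp-1828495-qemu-Probe-for-unavailable-features-CPU-property.patch is applied, so the series order matters and should be stated.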
  87. Download patch docs/api_extension.html

    --- 5.2.0-2/docs/api_extension.html 2019-03-28 08:58:10.531586555 +0000 +++ 5.4.0-0ubuntu5/docs/api_extension.html 2019-05-28 10:47:07.261510437 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:10 UTC 2019. + This page was generated at Tue May 28 10:47:07 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Implementing a new API in Libvirt</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Implementing a new API in Libvirt</h1> 
@@ -464,12 +435,31 @@ </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
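Review bot: this is a generated file (its own header says "Do not edit this file"), so the change should come from the docs source rather than be carried as a diff against the HTML. On the content, the search form now sends the query to https://www.google.com/search with a hidden `sitesearch=libvirt.org` input instead of the local search.php, and the `advancedsearch` radio buttons sit outside the `<form>` element, so they only do anything if js/main.js rewires the form; with scripts disabled they are dead controls and the query still goes to google.com. If shipping third-party search in the packaged docs is intended, say so in the changelog.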
  88. Download patch debian/patches/ubuntu-aa/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,28 @@ +From bc90a5617bd0f55294c1b0d500b2fdef9d14e189 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Tue, 4 Jul 2017 07:31:38 +0200 +Subject: [PATCH 01/33] apparmor: Allow pygrub to run on Debian/Ubuntu + +In Debian/Ubuntu the pygrub command is located under +/usr/lib/xen-<version>/bin/pygrub. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1326003 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +--- + src/security/apparmor/usr.sbin.libvirtd | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/security/apparmor/usr.sbin.libvirtd ++++ b/src/security/apparmor/usr.sbin.libvirtd +@@ -79,6 +79,7 @@ + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, ++ /usr/lib/xen-*/bin/pygrub PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script.
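Review bot: `PUx` runs pygrub unconfined, and pygrub reads the guest's own disk to locate a kernel, so guest-controlled data is parsed by an unconfined root process launched from the libvirtd profile. This matches how `libxl-save-helper` and `/usr/{lib,lib64}/xen/bin/*` are already handled in the surrounding lines, so it is consistent, but pygrub is the one helper whose input comes straight from the guest; a dedicated profile (`Px` with a pygrub profile) would be the better long-term fix, and the description should at least mention the exposure.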
  89. Download patch config.h.in

    --- 5.2.0-2/config.h.in 2019-04-03 07:00:56.000000000 +0000 +++ 5.4.0-0ubuntu5/config.h.in 2019-06-03 14:10:22.000000000 +0000 @@ -1288,9 +1288,6 @@ /* Define to 1 if you have the `sanlock_client' library (-lsanlock_client). */ #undef HAVE_LIBSANLOCK_CLIENT -/* Define to 1 if you have the `sasl2' library (-lsasl2). */ -#undef HAVE_LIBSASL2 - /* Define to 1 if you have the `selinux' library (-lselinux). */ #undef HAVE_LIBSELINUX @@ -1955,13 +1952,6 @@ /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET -/* whether libudev logging can be used */ -#undef HAVE_UDEV_LOGGING - -/* Define to 1 if you have the `udev_monitor_set_receive_buffer_size' - function. */ -#undef HAVE_UDEV_MONITOR_SET_RECEIVE_BUFFER_SIZE - /* Define to 1 if you have the `uname' function. */ #undef HAVE_UNAME @@ -2450,9 +2440,6 @@ /* Location or name of the udevadm program */ #undef UDEVADM -/* Location or name of the udevsettle program */ -#undef UDEVSETTLE - /* Location or name of the umount programm */ #undef UMOUNT @@ -2759,12 +2746,9 @@ /* whether libsanlock_client is available */ #undef WITH_SANLOCK -/* whether libsasl2 is available */ +/* whether libsasl2 >= 2.1.26 is available */ #undef WITH_SASL -/* whether libsasl2 is available */ -#undef WITH_SASL1 - /* whether AppArmor security driver is available */ #undef WITH_SECDRIVER_APPARMOR @@ -2825,7 +2809,7 @@ /* whether Test driver is enabled */ #undef WITH_TEST -/* whether libudev >= 145 is available */ +/* whether libudev >= 219 is available */ #undef WITH_UDEV /* whether VirtualBox driver is enabled */ @@ -2852,9 +2836,6 @@ /* whether libyajl is available */ #undef WITH_YAJL -/* whether libyajl is available */ -#undef WITH_YAJL2 - /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD
  90. Download patch debian/patches/debian/Debianize-libvirt-guests.patch

    --- 5.2.0-2/debian/patches/debian/Debianize-libvirt-guests.patch 2019-04-11 10:24:28.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/debian/Debianize-libvirt-guests.patch 2019-08-20 08:50:08.000000000 +0000 @@ -9,7 +9,7 @@ Origin: vendor 2 files changed, 30 insertions(+), 19 deletions(-) diff --git a/tools/libvirt-guests.sh.in b/tools/libvirt-guests.sh.in -index 4bc6e86..9ec4064 100644 +index 4bc6e86..f94f1b3 100644 --- a/tools/libvirt-guests.sh.in +++ b/tools/libvirt-guests.sh.in @@ -1,5 +1,17 @@
  91. Download patch debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch

    --- 5.2.0-2/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 2019-08-20 08:50:08.000000000 +0000 
@@ -0,0 +1,57 @@ +Description: UBUNTU-only: apparmor: allow vhost-net/vsock + There are use case scenarios where a guest is started without vhost-net + or vhost-vsock, but later on such devices are hot added. + In the static start with such devices virt-aa-helper could generate rules + but actually doesn't have to as libvirt mediates access and passes FDs that + qemu will use. + This works fine, but on a hotplug of such devices without a static device + being present (that would have added the rule on start) we only have the + labeling calls of the security modules which do not vocer vhost-net/vsock. + The paths are considered security sensitive in general but even without + apparmor are protected by DAC due to Ubuntu by default not running guests + as root user or group. + To make people changing user/group aware this also adds a comment about it + to the qemu.conf file. + Under this constraint (warn in the .conf) we got the ack from security to + do this change for the comfort of our users until a more complex change like + new labellig calls is implemented. +Forwarded: yes (nacked, but complex solution has unknown ETA) +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Origin: https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1815910 +Last-Update: 2019-05-15 + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -236,6 +236,11 @@ + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + ++ # for vhost-net/vsock/scsi hotplug (LP: #1815910) ++ /dev/vhost-net rw, ++ /dev/vhost-vsock rw, ++ /dev/vhost-scsi rw, ++ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, +--- a/src/qemu/qemu.conf ++++ b/src/qemu/qemu.conf +@@ -433,6 +433,17 @@ + # can be used to ensure that a user id will not be interpreted as a user + # name. 
+ # ++# By default libvirt runs VMs as non-root and uses AppArmor profiles ++# to provide host protection and VM isolation. While AppArmor ++# continues to provide this protection when the VMs are running as ++# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is ++# allowed by default in the AppArmor security policy, so malicious VMs ++# running as root would have direct access to this file. If changing this ++# to run as root, you may want to remove this access from ++# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see: ++# https://launchpad.net/bugs/1815910 ++# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html ++# + # Some examples of valid values are: + # + # user = "qemu" # A user named "qemu"
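Review bot: on the libvirt-qemu hunk, granting `rw` on /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi in the shared abstraction means every guest's QEMU may open these nodes, and the only thing stopping a guest run as root from doing so is DAC on the device nodes, as the description concedes. Since the rules exist only for the hotplug case, mark them in the comment as a stopgap pending labelling support in the security driver, and add vhost-scsi to the title and description, which currently only talk about net and vsock.

Review bot: on the qemu.conf hunk, the new comment tells admins who switch `user`/`group` to root to edit /etc/apparmor.d/abstractions/libvirt-qemu, but that file is shipped by the package and local edits collide with upgrades. The series already adds `#include <local/abstractions/libvirt-qemu>` (patch 0050), and AppArmor `deny` rules take precedence over allow rules, so point the comment at the local include and suggest `deny /dev/vhost-net rw,` (and the other two) there instead; that survives upgrades and is easier to audit. "direct access to this file" should also read "these devices", since three nodes are listed.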
  92. Download patch debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch

    --- 5.2.0-2/debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> -Date: Wed, 3 Apr 2019 15:00:49 +0100 -Subject: api: disallow virDomainGetHostname for read-only connections -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -The virDomainGetHostname API is fetching guest information and this may -involve use of an untrusted guest agent. As such its use must be -forbidden on a read-only connection to libvirt. - -Fixes CVE-2019-3886 -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> ---- - src/libvirt-domain.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index be5b1f6..baf2182 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -11031,6 +11031,8 @@ virDomainGetHostname(virDomainPtr domain, unsigned int flags) - virCheckDomainReturn(domain, NULL); - conn = domain->conn; - -+ virCheckReadOnlyGoto(domain->conn->flags, error); -+ - if (conn->driver->domainGetHostname) { - char *ret; - ret = conn->driver->domainGetHostname(domain, flags);
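Review bot: the file is dropped entirely, which is only correct if the 5.4.0 base already carries the upstream fix (`virCheckReadOnlyGoto(domain->conn->flags, error);` in virDomainGetHostname). Nothing in this diff shows that; add a changelog line naming the upstream commit that supersedes the patch so the security tracker can record CVE-2019-3886 as fixed in the new version rather than as a regression.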
  93. Download patch debian/patches/ubuntu/ubuntu_machine_type.patch

    --- 5.2.0-2/debian/patches/ubuntu/ubuntu_machine_type.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/ubuntu/ubuntu_machine_type.patch 2019-08-20 08:50:08.000000000 +0000 @@ -0,0 +1,14 @@ +Description: Extend libvirt checks for ubuntu machine types +Author: Felix Geyer <debfx@ubuntu.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1379346 +Last-Update: 2015-11-24 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -10097,6 +10097,7 @@ qemuDomainMachineIsI440FX(const char *ma + STRPREFIX(machine, "pc-0.") || + STRPREFIX(machine, "pc-1.") || + STRPREFIX(machine, "pc-i440fx-") || ++ STREQ(machine, "ubuntu") || + STRPREFIX(machine, "rhel")) { + return true; + }
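Review bot: `STREQ(machine, "ubuntu")` is an exact match while the neighbouring checks use STRPREFIX; that is right for the unversioned `ubuntu` alias, since a prefix match would also catch a q35-flavoured alias, but if the Ubuntu QEMU ships such an alias the matching q35 helper needs the same treatment and this patch touches only qemuDomainMachineIsI440FX. Also, Last-Update 2015-11-24 on a hunk at line 10097 shows the header was not refreshed along with the hunk; bump it.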
  94. Download patch debian/libvirt-daemon-system.postinst

    --- 5.2.0-2/debian/libvirt-daemon-system.postinst 2019-04-12 06:52:07.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.postinst 2019-08-20 08:50:08.000000000 +0000 
@@ -65,6 +65,96 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + + # Add each sudo user to the libvirt group + for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do + adduser "$u" libvirt >/dev/null || true + done + + if ! getent group libvirt-dnsmasq >/dev/null; then + addgroup --quiet --system libvirt-dnsmasq + fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt-dnsmasq \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi + # For upgrades that still have the insecure libvirt group (too much privileges) + if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "4.0.0-1ubuntu5~"; then + if [ "$(id -r -g -n libvirt-dnsmasq)" == "libvirt" ]; then + echo "assigning libvirt-dnsmasq a less privileged group (libvirt->libvirt-dnsmasq)" + usermod libvirt-dnsmasq -g libvirt-dnsmasq + fi + fi +} + +includes_addr() { + addr=${1} + mask=${2} + viraddr=${3} + for n in $(seq 1 4); do + curaddrcomponent=$(echo "${addr}" | awk -F. '{ print $'"${n}"' }') + tgtaddrcomponent=$(echo "${viraddr}" | awk -F. '{ print $'"${n}"' }') + cmp=$((mask/8)) + if [ "${cmp}" -ge "${n}" ]; then + if [ "${curaddrcomponent}" -ne "${tgtaddrcomponent}" ]; then + echo "false" + return + fi + elif [ "$((cmp+1))" -ge "${n}" ]; then + # do we bother comparing partial (i.e. /25)? + : + else + break + fi + done + echo "true" + return +} + +set_autostart() +{ + echo "Enabling libvirt default network" + if [ ! -e /etc/libvirt/qemu/networks/autostart/default.xml ]; then + ln -s /etc/libvirt/qemu/networks/default.xml \ + /etc/libvirt/qemu/networks/autostart/ + fi +} + +# on first install, don't set default network to autostart if we already +# have a conflicting network. Good for instance for nested libvirt. 
+maybe_set_autostart() +{ + # 122 is the common default, but iterate a few more options + for thirdoctet in $(seq 122 128); do + tryip="192.168.${thirdoctet}.1" + found=0 + for pair in $(ip addr show | grep "inet\>" |awk '{ print $2 }'); do + a=$(echo "$pair" | awk -F/ '{ print $1}') + m=$(echo "$pair" | awk -F/ '{ print $2}') + res=$(includes_addr "${a}" "${m}" "${tryip}") + if [ "${res}" = "true" ]; then + found=1 + fi + done + if [ $found -ne 1 ]; then + # found a free subnet + if [ "${thirdoctet}" -ne "122" ]; then + echo "Default libvirt network on 192.168.122.1/24 already taken" + echo "Changing to free 192.168.${thirdoctet}.1/24" + sed -i 's/192.168.122/192.168.'"${thirdoctet}"'/g' /etc/libvirt/qemu/networks/default.xml + fi + set_autostart + return + fi + done + echo "Not enabling default network as no free network was found" } @@ -134,6 +224,12 @@ case "$1" in # Force refresh of capabilties (#731815) rm -f /var/cache/libvirt/qemu/capabilities/*.xml + + # On an initial package install, create the default network autostart + # symlink if on a system that it will work on. + if [ -z $2 ]; then + maybe_set_autostart + fi ;; abort-upgrade|abort-remove|abort-deconfigure) 
@@ -147,11 +243,43 @@ esac db_stop +# dh_apparmor can't work with dir/file profile filenames, also we don't want +# the reload section of dh_apparmor - just the install of an empty include +if [ "$1" = "configure" ]; then + APP_PROFILE="/etc/apparmor.d/abstractions/libvirt-qemu" + if [ -f "$APP_PROFILE" ]; then + # Add the local/ include + LOCAL_APP_PROFILE="/etc/apparmor.d/local/abstractions/libvirt-qemu" + + test -e "$LOCAL_APP_PROFILE" || { + mkdir -p `dirname "$LOCAL_APP_PROFILE"` + install --mode 644 /dev/null "$LOCAL_APP_PROFILE" + } + fi +fi + # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/libvirt-daemon ]; then + echo "Setting up libvirt-daemon dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/libvirt-daemon ]; then + ln -s /etc/dnsmasq.d-available/libvirt-daemon \ + /etc/dnsmasq.d/libvirt-daemon + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi +fi + exit 0
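Review bot: on the add_users_groups hunk, the `for u in $(getent group sudo ...)` loop runs on every configure, not only on first install, so a sudo user an admin deliberately removed from the libvirt group is silently put back on the next upgrade; the same hunk calls that group "insecure ... (too much privileges)", so gate the loop on `[ -z "$2" ]` the way maybe_set_autostart is gated, or document the behaviour. In the same hunk, `[ "$(id -r -g -n libvirt-dnsmasq)" == "libvirt" ]` uses `==`, which dash's `[` rejects; under `#!/bin/sh` the test errors out and the libvirt-dnsmasq regrouping never happens. Use `=`.

Review bot: on the includes_addr/maybe_set_autostart hunk, includes_addr compares whole octets only (`cmp=$((mask/8))`) and skips partial masks, so it errs on the side of reporting a conflict (a /20 on 192.168.x.y blocks all of 192.168.122 to 128), which is the safe direction; the real gap is that `ip addr show` only lists addresses currently configured, so a nested libvirt whose own default network is not yet up is not detected and the postinst will claim 192.168.122.0/24. Say so in the comment. Minor: quote `"$2"` in `[ -z $2 ]`, and escape the dots in the `sed -i 's/192.168.122/...'` expression so it cannot match unrelated strings.

Review bot: on the final hunk, the dnsmasq block calls `invoke-rc.d dnsmasq restart` on every configure, even when the /etc/dnsmasq.d/libvirt-daemon link already existed, which briefly takes down a system-wide dnsmasq on each upgrade; move the restart inside the `if [ ! -e ... ]` branch or use reload. The apparmor block's `install --mode 644 /dev/null "$LOCAL_APP_PROFILE"` is what keeps the unconditional `#include <local/abstractions/libvirt-qemu>` from patch 0050 from breaking profile loads; state that in the comment so nobody removes one side without the other.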
  95. Download patch debian/copyright
  96. Download patch debian/patches/ubuntu/lp-1828495-qemu-Probe-for-unavailable-features-CPU-property.patch
  97. Download patch debian/patches/ubuntu/dnsmasq-as-priv-user
  98. Download patch debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch

    --- 5.2.0-2/debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch 2019-04-10 07:14:14.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch 2019-08-20 08:50:08.000000000 +0000 @@ -9,16 +9,14 @@ Closes: #663931 src/util/virutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/src/util/virutil.c b/src/util/virutil.c -index 0d58f1e..2858505 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c -@@ -1655,7 +1655,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups, - void virWaitForDevices(void) - { - # ifdef UDEVADM -- const char *const settleprog[] = { UDEVADM, "settle", NULL }; -+ const char *const settleprog[] = { UDEVADM, "settle", "--timeout=10", NULL }; - # else - const char *const settleprog[] = { UDEVSETTLE, NULL }; - # endif +@@ -1488,7 +1488,7 @@ void virWaitForDevices(void) + if (!(udev = virFindFileInPath(UDEVADM))) + return; + +- if (!(cmd = virCommandNewArgList(udev, "settle", NULL))) ++ if (!(cmd = virCommandNewArgList(udev, "settle", "--timeout=10", NULL))) + return; + + /*
  99. Download patch docs/aclpolkit.html

    --- 5.2.0-2/docs/aclpolkit.html 2019-03-28 08:58:09.312599201 +0000 +++ 5.4.0-0ubuntu5/docs/aclpolkit.html 2019-05-28 10:47:05.909522266 +0000 @@ -6,7 +6,7 @@ Do not edit this file. Changes will be lost. --> <!-- - This page was generated at Thu Mar 28 08:58:09 UTC 2019. + This page was generated at Tue May 28 10:47:05 UTC 2019. --> <head> <meta charset="UTF-8"/> @@ -19,40 +19,11 @@ <meta name="theme-color" content="#ffffff"/> <title>libvirt: Polkit access control</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <script type="text/javascript"> - <!-- - - function init() { - window.addEventListener('scroll', function(e){ - var distanceY = window.pageYOffset || document.documentElement.scrollTop, - shrinkOn = 94 - home = document.getElementById("home"); - links = document.getElementById("jumplinks"); - search = document.getElementById("search"); - body = document.getElementById("body"); - if (distanceY > shrinkOn) { - if (home.className != "navhide") { - body.className = "navhide" - home.className = "navhide" - links.className = "navhide" - search.className = "navhide" - } - } else { - if (home.className == "navhide") { - body.className = "" - home.className = "" - links.className = "" - search.className = "" - } - } - }); - } - window.onload = init(); - - --> + <script type="text/javascript" src="js/main.js"> + <!--// forces non-empty element--> </script> </head> - <body> + <body onload="pageload()"> <div id="body"> <div id="content"> <h1>Polkit access control</h1> 
@@ -676,12 +647,31 @@ polkit.addRule(function(action, subject) </ul> </div> <div id="search"> - <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> + <form id="simplesearch" action="https://www.google.com/search" enctype="application/x-www-form-urlencoded" method="get"> <div> - <input name="query" type="text" size="12" value=""/> + <input id="searchsite" name="sitesearch" type="hidden" value="libvirt.org"/> + <input id="searchq" name="q" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> + <div id="advancedsearch"> + <span> + <input type="radio" name="what" id="whatwebsite" checked="checked" value="website"/> + <label for="whatwebsite">Website</label> + </span> + <span> + <input type="radio" name="what" id="whatwiki" value="wiki"/> + <label for="whatwiki">Wiki</label> + </span> + <span> + <input type="radio" name="what" id="whatdevs" value="devs"/> + <label for="whatdevs">Developers list</label> + </span> + <span> + <input type="radio" name="what" id="whatusers" value="users"/> + <label for="whatusers">Users list</label> + </span> + </div> </div> </div> <div id="footer">
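Review bot: the search form now submits the query to `https://www.google.com/search` with a hidden `sitesearch=libvirt.org`, so a user searching from a locally installed copy of the documentation sends the query off-host to a third party, whereas the old `search.php` action kept it on the site serving the page; either keep a local action for the packaged docs or document the change. Also, the `<div id="advancedsearch">` radio buttons (`name="what"`) sit after `</form>` and outside `<form id="simplesearch">`, so they are not submitted with the form and only have an effect if the external script reads them; without it the Wiki, Developers list and Users list choices are dead controls.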
  100. Download patch debian/libvirt-daemon-system.postrm

    --- 5.2.0-2/debian/libvirt-daemon-system.postrm 2019-04-11 10:24:28.000000000 +0000 +++ 5.4.0-0ubuntu5/debian/libvirt-daemon-system.postrm 2019-08-20 08:50:08.000000000 +0000 @@ -25,13 +25,22 @@ case "$1" in delgroup libvirt >/dev/null || true fi + if getent group libvirt-qemu >/dev/null; then + delgroup libvirt-qemu >/dev/null || true + fi if getent passwd libvirt-qemu >/dev/null; then deluser libvirt-qemu >/dev/null || true fi - if getent group libvirt-qemu >/dev/null; then - delgroup libvirt-qemu >/dev/null || true - fi + # a running libvirt-dnsmasq will break these removals + # yet the lifecycle of the network is non-related to the pkg purge + # Therefore ignore errors on these removals, better leave a user than break + if getent group libvirt-dnsmasq >/dev/null; then + delgroup libvirt-dnsmasq --system 2>/dev/null >/dev/null || true + fi + if getent passwd libvirt-dnsmasq >/dev/null; then + deluser libvirt-dnsmasq --system 2>/dev/null >/dev/null || true + fi # Clean up logs and cached capabilities rm -rf /var/log/libvirt \ @@ -51,8 +60,21 @@ case "$1" in /var/cache/libvirt/qemu; do [ ! -d $dir ] || rmdir --ignore-fail-on-non-empty $dir done + + # Remove the link set up by postinst + rm -f /etc/libvirt/qemu/networks/autostart/default.xml + + ;; + remove) + if [ -L /etc/dnsmasq.d/libvirt-daemon ]; then + echo "Removing libvirt-daemon dnsmasq configuration" + rm -f /etc/dnsmasq.d/libvirt-daemon 2>/dev/null || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *)
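Review bot: the first hunk swaps the order so `delgroup libvirt-qemu` runs before `deluser libvirt-qemu`; delgroup refuses to remove a group that is still some user's primary group, so on an install where libvirt-qemu is that user's primary group the group removal now fails, `|| true` hides the failure, and the group is left behind after purge. Either keep the original user-then-group order or add a comment saying why the swap is needed, since the hunk does not explain it. The libvirt-dnsmasq block is fine as written: `--system` makes delgroup/deluser refuse to touch a non-system account of that name, and the comment justifies ignoring the error; `2>/dev/null >/dev/null` could be written `>/dev/null 2>&1` to match the style of the surrounding calls.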
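Review bot: in the second hunk the `purge)` branch removes `/etc/libvirt/qemu/networks/autostart/default.xml` with a bare `rm -f` although the comment calls it the link set up by postinst, while the new `remove)` branch guards `/etc/dnsmasq.d/libvirt-daemon` with `[ -L ... ]` before deleting it; use the same `-L` test in both places, or state why a regular file an administrator put at that path should also go. In `remove)`, `invoke-rc.d dnsmasq restart` rather than `reload` is the right call, because a HUP does not make dnsmasq re-read `/etc/dnsmasq.d`; note that the restart briefly interrupts name resolution for every client of a system-wide dnsmasq, which is worth a word in the echoed message.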
  101. ...


Source: libvirt-sandbox

libvirt-sandbox (0.5.1+git20160404-1ubuntu1) focal; urgency=medium

  * Build-depend on dh-python.
  * virt-sandbox: Depend on python2 instead of python.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 10 Jan 2020 15:26:54 +0100

Modifications :
  1. Download patch debian/rules

    --- 0.5.1+git20160404-1/debian/rules 2017-05-28 13:18:03.000000000 +0000 +++ 0.5.1+git20160404-1ubuntu1/debian/rules 2020-01-10 14:26:47.000000000 +0000 @@ -12,7 +12,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardeni # main packaging script based on dh7 syntax %: - dh $@ --buildsystem=autoconf + dh $@ --with python2 --buildsystem=autoconf override_dh_auto_configure:
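Review bot: `--with python2` is an addon supplied by dh-python, which this upload adds to Build-Depends in the `debian/control` hunk; the two changes have to land together, because without the module `dh` aborts on the unknown addon before any target runs. Enabling the sequence also makes `dh_python2` compute the `${python:Depends}` substvar for the installed scripts, which `debian/control` should then consume instead of carrying a hand-maintained `python2` dependency.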
  2. Download patch debian/control

    --- 0.5.1+git20160404-1/debian/control 2017-05-28 13:18:03.000000000 +0000 +++ 0.5.1+git20160404-1ubuntu1/debian/control 2020-01-10 14:26:33.000000000 +0000 @@ -7,6 +7,7 @@ Build-Depends: autoconf, automake, debhelper (>= 9), + dh-python, python2, gtk-doc-tools, intltool, libcap-ng-dev, @@ -26,7 +27,7 @@ Package: virt-sandbox Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, - python, + python2, gir1.2-libvirt-sandbox-1.0 (= ${binary:Version}), Suggests: libguestfs-tools Description: Application sandbox toolkit
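Review bot: the Build-Depends hunk adds `dh-python, python2,` as one line in a field that otherwise lists a single dependency per line (`autoconf,`, `automake,`, `debhelper (>= 9),` above it); split it into two lines, with `python2` placed in sorted position, to keep the list diff-friendly.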
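Review bot: the Depends hunk replaces `python,` with a hard-coded `python2,`; with the `python2` dh sequence now enabled in `debian/rules`, `dh_python2` generates `${python:Depends}` from the interpreter the installed scripts actually use, and that substvar belongs here instead of (or alongside) the literal so the dependency follows the shebangs rather than being maintained by hand.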