diff --git a/libvirt-add-default-spice-channel.patch b/libvirt-add-default-spice-channel.patch new file mode 100644 index 0000000..dc4bf15 --- /dev/null +++ b/libvirt-add-default-spice-channel.patch @@ -0,0 +1,180 @@ +From f3997733f0bca081d71848e66ca7d728b4c0a864 Mon Sep 17 00:00:00 2001 +From: Alon Levy +Date: Tue, 8 May 2012 20:42:44 +0300 +Subject: [PATCH] domain_conf: add "default" to list of valid spice channels + +qemu's behavior in this case is to change the spice server behavior to +require secure connection to any channel not otherwise specified as +being in plaintext mode. libvirt doesn't currently allow requesting this +(via plaintext-channel=). + +RHBZ: 819499 + +Signed-off-by: Alon Levy +(cherry picked from commit ba97e4edc6aa439a4f1e70855cf4503181efdb7f) +Signed-off-by: Cole Robinson +--- + docs/formatdomain.html.in | 7 +++++++ + docs/schemas/domaincommon.rng | 9 +++++++++ + src/conf/domain_conf.c | 20 ++++++++++++++++++++ + src/conf/domain_conf.h | 1 + + src/qemu/qemu_command.c | 13 +++++++++++++ + .../qemuxml2argv-graphics-spice.args | 2 +- + .../qemuxml2argv-graphics-spice.xml | 2 +- + 7 files changed, 52 insertions(+), 2 deletions(-) + +diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in +index e33913f..4a70b0f 100644 +--- a/docs/formatdomain.html.in ++++ b/docs/formatdomain.html.in +@@ -2913,6 +2913,13 @@ qemu-kvm -net nic,model=? /dev/null + Since 0.9.3 + NB, this may not be supported by all hypervisors. + "spice" since 0.8.6. ++ The defaultMode attribute sets the default channel ++ security policy, valid values are secure, ++ insecure and the default any ++ (which is secure if possible, but falls back to insecure ++ rather than erroring out if no secure path is ++ available). "defaultMode" since ++ 0.9.12. +

+

+ When SPICE has both a normal and TLS secured TCP port +diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng +index 5bcf1b9..30ab4c6 100644 +--- a/docs/schemas/domaincommon.rng ++++ b/docs/schemas/domaincommon.rng +@@ -1779,6 +1779,15 @@ + + + ++ ++ ++ ++ any ++ secure ++ insecure ++ ++ ++ + + + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index d017ea4..2b21b11 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -6069,6 +6069,8 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, + char *port = virXMLPropString(node, "port"); + char *tlsPort; + char *autoport; ++ char *defaultMode; ++ int defaultModeVal; + + if (port) { + if (virStrToLong_i(port, NULL, 10, &def->data.spice.port) < 0) { +@@ -6101,6 +6103,20 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, + VIR_FREE(autoport); + } + ++ def->data.spice.defaultMode = VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY; ++ ++ if ((defaultMode = virXMLPropString(node, "defaultMode")) != NULL) { ++ if ((defaultModeVal = virDomainGraphicsSpiceChannelModeTypeFromString(defaultMode)) < 0) { ++ virDomainReportError(VIR_ERR_INTERNAL_ERROR, ++ _("unknown default spice channel mode %s"), ++ defaultMode); ++ VIR_FREE(defaultMode); ++ goto error; ++ } ++ def->data.spice.defaultMode = defaultModeVal; ++ VIR_FREE(defaultMode); ++ } ++ + if (def->data.spice.port == -1 && def->data.spice.tlsPort == -1) { + /* Legacy compat syntax, used -1 for auto-port */ + def->data.spice.autoport = 1; +@@ -12111,6 +12127,10 @@ virDomainGraphicsDefFormat(virBufferPtr buf, + virBufferEscapeString(buf, " keymap='%s'", + def->data.spice.keymap); + ++ if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY) ++ virBufferAsprintf(buf, " defaultMode='%s'", ++ virDomainGraphicsSpiceChannelModeTypeToString(def->data.spice.defaultMode)); ++ + virDomainGraphicsAuthDefFormatAttr(buf, &def->data.spice.auth, flags); + break; + +diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h +index 
a2fea00..62eaafb 100644 +--- a/src/conf/domain_conf.h ++++ b/src/conf/domain_conf.h +@@ -1233,6 +1233,7 @@ struct _virDomainGraphicsDef { + virDomainGraphicsAuthDef auth; + unsigned int autoport :1; + int channels[VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST]; ++ int defaultMode; /* enum virDomainGraphicsSpiceChannelMode */ + int image; + int jpeg; + int zlib; +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 55e772f..f411712 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -5499,6 +5499,7 @@ qemuBuildCommandLine(virConnectPtr conn, + const char *listenAddr = NULL; + char *netAddr = NULL; + int ret; ++ int defaultMode = def->graphics[0]->data.spice.defaultMode; + + if (!qemuCapsGet(qemuCaps, QEMU_CAPS_SPICE)) { + qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", +@@ -5582,6 +5583,18 @@ qemuBuildCommandLine(virConnectPtr conn, + virBufferAsprintf(&opt, ",x509-dir=%s", + driver->spiceTLSx509certdir); + ++ switch (defaultMode) { ++ case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_SECURE: ++ virBufferAsprintf(&opt, ",tls-channel=default"); ++ break; ++ case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_INSECURE: ++ virBufferAsprintf(&opt, ",plaintext-channel=default"); ++ break; ++ case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY: ++ /* nothing */ ++ break; ++ } ++ + for (i = 0 ; i < VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST ; i++) { + int mode = def->graphics[0]->data.spice.channels[i]; + switch (mode) { +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args +index c9fdb99..698e39c 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args +@@ -2,7 +2,7 @@ LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice \ + /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor \ + unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda \ + /dev/HostVG/QEMUGuest1 -usb -spice 
port=5903,tls-port=5904,addr=127.0.0.1,\ +-x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=inputs,\ ++x509-dir=/etc/pki/libvirt-spice,tls-channel=default,tls-channel=main,plaintext-channel=inputs,\ + image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,\ + playback-compression=on,streaming-video=filter,disable-copy-paste -vga \ + qxl -global qxl.vram_size=18874368 -device qxl,id=video1,vram_size=33554432,bus=pci.0,addr=0x4 \ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml +index 8930b60..a3789f2 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml ++++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml +@@ -22,7 +22,7 @@ + + + +- ++ + + + +-- +1.7.7.6 + diff --git a/libvirt-add-usbredir-spice-channel.patch b/libvirt-add-usbredir-spice-channel.patch new file mode 100644 index 0000000..ebbd5d1 --- /dev/null +++ b/libvirt-add-usbredir-spice-channel.patch 
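Review bot: In the qemu_command.c part of libvirt-add-default-spice-channel.patch, the new `switch (defaultMode)` appends `,tls-channel=default` from the XML value alone, with no visible check that a TLS port and certificates are configured for the guest. Most of qemuBuildCommandLine lies outside the hunk and the page has lost its indentation, so the switch may already sit under a TLS guard; if it does not, a domain asking for `defaultMode='secure'` on a host without SPICE TLS would at best fail only when QEMU starts. I would reject that combination in the SECURE case before emitting the option, for example with `if (def->graphics[0]->data.spice.tlsPort <= 0)` followed by a `qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, ...)` and `goto error;`. The same switch has no `default:` label, and `virDomainReportError(VIR_ERR_INTERNAL_ERROR, ...)` in the parser reports what is really a user XML mistake as an internal error. The test change rewrites the existing graphics-spice fixture to expect `tls-channel=default`, so the `insecure` branch gets no args coverage from this patch.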
@@ -0,0 +1,182 @@ +From 3c3816ed226e766aa76624de7d159cdd1ee67913 Mon Sep 17 00:00:00 2001 +From: Alon Levy +Date: Tue, 8 May 2012 16:00:28 +0300 +Subject: [PATCH] domain_conf: add "usbredir" to list of valid spice channels + +Add "usbredir" channel to list of recognized spice channels. + +RHBZ: 819498 + +Signed-off-by: Alon Levy +(cherry picked from commit 4e78ffb63489071c4100678ed88d3111284555e8) +Signed-off-by: Cole Robinson +--- + docs/formatdomain.html.in | 8 ++- + docs/schemas/domaincommon.rng | 1 + + src/conf/domain_conf.c | 3 +- + src/conf/domain_conf.h | 1 + + .../qemuxml2argv-graphics-spice-usb-redir.args | 16 ++++++ + .../qemuxml2argv-graphics-spice-usb-redir.xml | 53 ++++++++++++++++++++ + tests/qemuxml2argvtest.c | 6 ++ + 7 files changed, 84 insertions(+), 4 deletions(-) + create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.args + create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.xml + +diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in +index 801e1ec..e33913f 100644 +--- a/docs/formatdomain.html.in ++++ b/docs/formatdomain.html.in +@@ -2922,9 +2922,11 @@ qemu-kvm -net nic,model=? /dev/null + main <graphics> element. Valid channel names + include main, display, + inputs, cursor, +- playback, record; +- and since +- 0.8.8: smartcard. ++ playback, record ++ (all since 0.8.6); ++ smartcard (since ++ 0.8.8); and usbredir ++ (since 0.9.12). +

+
+   <graphics type='spice' port='-1' tlsPort='-1' autoport='yes'>
+diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
+index 0cc04af..5bcf1b9 100644
+--- a/docs/schemas/domaincommon.rng
++++ b/docs/schemas/domaincommon.rng
+@@ -1792,6 +1792,7 @@
+                     playback
+                     record
+                     smartcard
++                    usbredir
+                   
+                 
+                 
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index d886b60..d017ea4 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -428,7 +428,8 @@ VIR_ENUM_IMPL(virDomainGraphicsSpiceChannelName,
+               "cursor",
+               "playback",
+               "record",
+-              "smartcard");
++              "smartcard",
++              "usbredir");
+ 
+ VIR_ENUM_IMPL(virDomainGraphicsSpiceChannelMode,
+               VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_LAST,
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index 1b8741e..a2fea00 100644
+--- a/src/conf/domain_conf.h
++++ b/src/conf/domain_conf.h
+@@ -1097,6 +1097,7 @@ enum virDomainGraphicsSpiceChannelName {
+     VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_PLAYBACK,
+     VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_RECORD,
+     VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_SMARTCARD,
++    VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_USBREDIR,
+ 
+     VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST
+ };
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.args
+new file mode 100644
+index 0000000..35e51a7
+--- /dev/null
++++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.args
+@@ -0,0 +1,16 @@
++LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/tmp/test-monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=readline -no-acpi -boot c \
++-device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x4.0x7 \
++-device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x4 \
++-device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x4.0x1 \
++-device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x4.0x2 \
++-spice port=5903,tls-port=5904,addr=127.0.0.1,\
++x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=inputs,\
++tls-channel=usbredir,\
++image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,\
++playback-compression=on,streaming-video=filter,disable-copy-paste \
++-vga cirrus \
++-chardev socket,id=charredir0,host=localhost,port=4000 \
++-device usb-redir,chardev=charredir0,id=redir0 \
++-chardev spicevmc,id=charredir1,name=usbredir \
++-device usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=4 \
++-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.xml
+new file mode 100644
+index 0000000..1dc23bd
+--- /dev/null
++++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-usb-redir.xml
+@@ -0,0 +1,53 @@
++
++  QEMUGuest1
++  c7a5fdbd-edaf-9455-926a-d65c16db1809
++  219136
++  219136
++  1
++  
++    hvm
++    
++  
++  
++  destroy
++  restart
++  destroy
++  
++    /usr/bin/qemu
++    
++      
++      
++      
++      
++      
++      
++      
++      
++      
++      
++    
++    
++      
++ ++ ++ ++
++ ++ ++ ++
++ ++ ++ ++
++ ++ ++ ++ ++ ++ ++
++ ++ ++ ++ +diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c +index a32d4f8..b128c07 100644 +--- a/tests/qemuxml2argvtest.c ++++ b/tests/qemuxml2argvtest.c +@@ -540,6 +540,12 @@ mymain(void) + QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL, + QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE, + QEMU_CAPS_DEVICE_QXL_VGA); ++ DO_TEST("graphics-spice-usb-redir", false, ++ QEMU_CAPS_VGA, QEMU_CAPS_SPICE, ++ QEMU_CAPS_CHARDEV, QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG, ++ QEMU_CAPS_PCI_MULTIFUNCTION, QEMU_CAPS_USB_HUB, ++ QEMU_CAPS_ICH9_USB_EHCI1, QEMU_CAPS_USB_REDIR, ++ QEMU_CAPS_CHARDEV_SPICEVMC); + + DO_TEST("input-usbmouse", false, NONE); + DO_TEST("input-usbtablet", false, NONE); +-- +1.7.7.6 + diff --git a/libvirt.spec b/libvirt.spec index a5c6437..c27ce8b 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -126,8 +126,9 @@ %define with_hyperv 0 %endif -# Although earlier Fedora has systemd, libvirt still used sysvinit -%if 0%{?fedora} >= 17 +# Fedora 17 / RHEL-7 are first where we use systemd. Although earlier +# Fedora has systemd, libvirt still used sysvinit there. +%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7 %define with_systemd 1 %endif @@ -224,7 +225,7 @@ %define with_libpcap 0%{!?_without_libpcap:%{server_drivers}} %define with_macvtap 0%{!?_without_macvtap:%{server_drivers}} -# numad is used to manage the CPU placement dynamically, +# numad is used to manage the CPU and memory placement dynamically, # it's not available on s390[x] and ARM. %if 0%{?fedora} >= 17 || 0%{?rhel} >= 6 %ifnarch s390 s390x %{arm} 
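Review bot: libvirt-add-usbredir-spice-channel.patch makes `usbredir` a valid channel name in the parser and schema, but nothing visible ties it to `QEMU_CAPS_USB_REDIR` or `QEMU_CAPS_CHARDEV_SPICEVMC`, even though the new `DO_TEST("graphics-spice-usb-redir", ...)` has to set both. The loop over `VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST` that builds the `-spice` option is not touched by this patch, so it will presumably emit `tls-channel=usbredir` or `plaintext-channel=usbredir` for any binary. On a QEMU/SPICE build that does not know the channel, that likely surfaces as a start-up failure rather than a libvirt configuration error. A capability check before the option is emitted, or a sentence in formatdomain.html.in naming the required QEMU support, would make the dependency explicit. A comment on `enum virDomainGraphicsSpiceChannelName` such as `/* keep in the same order as the VIR_ENUM_IMPL list in domain_conf.c */` would also help the next person who appends a channel.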
@@ -272,13 +273,25 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 0.9.11.3
+Version: 0.9.11.4
 Release: 1%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
-Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
-# Replace fedora-13->pc-0.14 to prep for qemu removing the latter (bz 754772)
+
+%if %(echo %{version} | grep -o \\. | wc -l) == 3
+%define mainturl stable_updates/
+%endif
+Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
+
+# Replace fedora-13->pc-0.14 to prep for qemu removal (bz 754772)
+# keep: keeping this for the lifetime of F17, gone for newer releases
 Patch1: %{name}-qemu-replace-deprecated-fedora-13-machine.patch
+# Add usbredir spice channel (bz 821469)
+# keep: fedora feature backport that won't hit 0.9.11 maint
+Patch2: %{name}-add-usbredir-spice-channel.patch
+# Add default spice channel (bz 821474)
+# keep: fedora feature backport that won't hit 0.9.11 maint
+Patch3: %{name}-add-default-spice-channel.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
@@ -327,7 +340,11 @@ BuildRequires: augeas
 BuildRequires: hal-devel
 %endif
 %if %{with_udev}
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+BuildRequires: systemd-devel >= 185
+%else
 BuildRequires: libudev-devel >= 145
+%endif
 BuildRequires: libpciaccess-devel >= 0.10.9
 %endif
 %if %{with_yajl}
@@ -459,6 +476,8 @@ BuildRequires: scrub
 BuildRequires: numad
 %endif
+Provides: bundled(gnulib)
+
 %description
 Libvirt is a C toolkit to interact with the virtualization capabilities
 of recent versions of Linux (and other OSes). The main package includes
@@ -717,7 +736,7 @@ Group: Development/Libraries
 Requires: sanlock >= 1.8
 #for virt-sanlock-cleanup require augeas
 Requires: augeas
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}-daemon = %{version}-%{release}
 %description lock-sanlock
 Includes the Sanlock lock manager plugin for the QEMU
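Review bot: The rewritten `Source:` line in libvirt.spec still points at plain `http://`, and the only integrity pin visible in this commit is the 32-hex-digit entry in `sources`, which looks like an MD5 digest. Nothing on the page therefore authenticates the 0.9.11.4 tarball beyond a hash that is no longer collision-resistant. If the upstream host serves the same path over TLS, `Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz` is a one-line change. Checking the tarball against an upstream signature before uploading it would be the stronger control, assuming upstream publishes one. The `%if %(echo %{version} | grep -o \\. | wc -l) == 3` test also deserves a comment along the lines of `# four-component versions are maintenance releases and live under stable_updates/`.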
@@ -740,6 +759,8 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
 %if ! %{with_xen}
@@ -1092,9 +1113,9 @@ if [ $1 -eq 1 ] ; then
 fi
 %else
 %if %{with_cgconfig}
-# Starting with Fedora 16, systemd automounts all cgroups, and cgconfig is
-# no longer a necessary service.
-%if 0%{?rhel} || (0%{?fedora} && 0%{?fedora} < 16)
+# Starting with Fedora 16/RHEL-7, systemd automounts all cgroups,
+# and cgconfig is no longer a necessary service.
+%if (0%{?rhel} && 0%{?rhel} < 7) || (0%{?fedora} && 0%{?fedora} < 16)
 if [ "$1" -eq "1" ]; then
 /sbin/chkconfig cgconfig on
 fi
@@ -1464,6 +1485,18 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif
 %changelog
+* Fri Jun 15 2012 Cole Robinson - 0.9.11.4-1
+- Rebased to version 0.9.11.4
+- Add usbredir spice channel (bz 821469)
+- Add default spice channel (bz 821474)
+- Fix libnuma dependency (bz 812874)
+- Fix USB device attach ambiguity CVE-2012-2693 (bz 816560)
+- Add bundled(gnulib) provides (bz 821776)
+- Drop unneeded systemd unit deps (bz 824204)
+- Update qemu.conf augeas lens (bz 824672)
+- Fix several double close bugs (bz 827125)
+- Fix potential deadlock when launching sub processes (bz 828565)
+
 * Fri Apr 27 2012 Cole Robinson - 0.9.11.3-1
 - Rebased to version 0.9.11.3
 - Abide URI username when connecting to hypervisor (bz 811397)
diff --git a/sources b/sources
index e2c63fe..5f2cfc9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-3c598b729dabdce08ef5b8741cc1b220 libvirt-0.9.11.3.tar.gz
+b21e49d36e9d4bbd3c5b04c222702a1e libvirt-0.9.11.4.tar.gz