diff --git a/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch b/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch index 29716d6..cc361b6 100644 --- a/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch +++ b/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch @@ -42,10 +42,11 @@ index ca7a6af6d..507be44a2 100644 char *baselabel; virSecurityManagerDACChownCallback chownCallback; }; -@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, +@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, + priv->dynamicOwnership = dynamicOwnership; } - void ++void +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace) +{ @@ -54,10 +55,9 @@ index ca7a6af6d..507be44a2 100644 +} + + -+void + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback) - { diff --git a/src/security/security_dac.h b/src/security/security_dac.h index 846cefbb5..97681c961 100644 --- a/src/security/security_dac.h diff --git a/0003-security-dac-relabel-spice-rendernode.patch b/0003-security-dac-relabel-spice-rendernode.patch index 4a92ba1..a105ef2 100644 --- a/0003-security-dac-relabel-spice-rendernode.patch +++ b/0003-security-dac-relabel-spice-rendernode.patch @@ -20,10 +20,11 @@ diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 507be44a2..349dbe81d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c -@@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, +@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, + } - static int ++static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) @@ -71,10 +72,9 @@ index 507be44a2..349dbe81d 100644 +} + + -+static int + static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - virDomainInputDefPtr input) 
@@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } diff --git a/0004-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch b/0004-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch new file mode 100644 index 0000000..433eb05 --- /dev/null +++ b/0004-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch 
@@ -0,0 +1,72 @@ +From: "Daniel P. Berrange" +Date: Thu, 5 Oct 2017 17:54:28 +0100 +Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate + +The default_tls_x509_verify (and related) parameters in qemu.conf +control whether the QEMU TLS servers request & verify certificates +from clients. This works as a simple access control system for +servers by requiring the CA to issue certs to permitted clients. +This use of client certificates is disabled by default, since it +requires extra work to issue client certificates. + +Unfortunately the code was using this configuration parameter when +setting up both TLS clients and servers in QEMU. The result was that +TLS clients for character devices and disk devices had verification +turned off, meaning they would ignore errors while validating the +server certificate. + +This allows for trivial MITM attacks between client and server, +as any certificate returned by the attacker will be accepted by +the client. + +This is assigned CVE-2017-1000256 / LSN-2017-0002 + +Reviewed-by: Eric Blake +Signed-off-by: Daniel P. Berrange +(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) +(cherry picked from commit dc6c41798d1eb5c52c75365ffa22f7672709dfa7) +--- + src/qemu/qemu_command.c | 2 +- + tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- + .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 9a27987d4..ae78cd17e 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + if (virJSONValueObjectCreate(propsret, + "s:dir", path, + "s:endpoint", (isListen ? "server": "client"), +- "b:verify-peer", verifypeer, ++ "b:verify-peer", (isListen ? 
verifypeer : true), + NULL) < 0) + goto cleanup; + +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +index 5aff7734e..ab5f7e27f 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +@@ -26,7 +26,7 @@ server,nowait \ + localport=1111 \ + -device isa-serial,chardev=charserial0,id=serial0 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no \ ++endpoint=client,verify-peer=yes \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +index 91f1fe0cd..2567abbfa 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +@@ -31,7 +31,7 @@ localport=1111 \ + data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ + keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ ++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ diff --git a/0005-qemu-Move-snapshot-disk-validation-functions-into-on.patch b/0005-qemu-Move-snapshot-disk-validation-functions-into-on.patch new file mode 100644 index 0000000..5a4b3f0 --- /dev/null +++ b/0005-qemu-Move-snapshot-disk-validation-functions-into-on.patch 
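Review bot: In `qemuBuildTLSx509BackendProps` the `verifypeer` argument is now ignored whenever `isListen` is false, and nothing next to the property list says so, so a later caller could still assume it controls client-side verification. A short comment above the `"b:verify-peer"` line would record the intent, e.g. `/* clients always verify the server cert; verifypeer only controls whether a server requests client certs */`. The two updated `.args` fixtures cover only the chardev client, while the commit message also names disk devices. No disk TLS client fixture is visible in this patch, so that path appears unpinned by the tests shown. The function body starts and ends outside the hunk.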
@@ -0,0 +1,177 @@ +From: Peter Krempa +Date: Wed, 15 Nov 2017 13:15:57 +0100 +Subject: [PATCH] qemu: Move snapshot disk validation functions into one + +Move the code so that both the new image and old image can be verified +in the same function. + +(cherry picked from commit 8ffdeed455650557df531aafc66c20b31bd4e0c4) +--- + src/qemu/qemu_driver.c | 91 ++++++++++++++++++++------------------------------ + 1 file changed, 36 insertions(+), 55 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 1f9264639..57f0c2bf4 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -13793,17 +13793,19 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn, + + + static int +-qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk) ++qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk, ++ virDomainDiskDefPtr domdisk) + { +- int actualType = virStorageSourceGetActualType(disk->src); ++ int domDiskType = virStorageSourceGetActualType(domdisk->src); ++ int snapDiskType = virStorageSourceGetActualType(snapdisk->src); + +- switch ((virStorageType) actualType) { ++ switch ((virStorageType) domDiskType) { + case VIR_STORAGE_TYPE_BLOCK: + case VIR_STORAGE_TYPE_FILE: +- return 0; ++ break; + + case VIR_STORAGE_TYPE_NETWORK: +- switch ((virStorageNetProtocol) disk->src->protocol) { ++ switch ((virStorageNetProtocol) domdisk->src->protocol) { + case VIR_STORAGE_NET_PROTOCOL_NONE: + case VIR_STORAGE_NET_PROTOCOL_NBD: + case VIR_STORAGE_NET_PROTOCOL_RBD: +@@ -13820,7 +13822,7 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk) + virReportError(VIR_ERR_INTERNAL_ERROR, + _("external inactive snapshots are not supported on " + "'network' disks using '%s' protocol"), +- virStorageNetProtocolTypeToString(disk->src->protocol)); ++ virStorageNetProtocolTypeToString(domdisk->src->protocol)); + return -1; + } + break; +@@ -13831,7 +13833,23 @@ 
qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk) + case VIR_STORAGE_TYPE_LAST: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("external inactive snapshots are not supported on " +- "'%s' disks"), virStorageTypeToString(actualType)); ++ "'%s' disks"), virStorageTypeToString(domDiskType)); ++ return -1; ++ } ++ ++ switch ((virStorageType) snapDiskType) { ++ case VIR_STORAGE_TYPE_BLOCK: ++ case VIR_STORAGE_TYPE_FILE: ++ break; ++ ++ case VIR_STORAGE_TYPE_NETWORK: ++ case VIR_STORAGE_TYPE_DIR: ++ case VIR_STORAGE_TYPE_VOLUME: ++ case VIR_STORAGE_TYPE_NONE: ++ case VIR_STORAGE_TYPE_LAST: ++ virReportError(VIR_ERR_INTERNAL_ERROR, ++ _("external inactive snapshots are not supported on " ++ "'%s' disks"), virStorageTypeToString(snapDiskType)); + return -1; + } + +@@ -13840,33 +13858,27 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk) + + + static int +-qemuDomainSnapshotPrepareDiskExternalBackingActive(virDomainDiskDefPtr disk) ++qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk, ++ virDomainDiskDefPtr domdisk) + { +- if (disk->device == VIR_DOMAIN_DISK_DEVICE_LUN) { ++ int actualType = virStorageSourceGetActualType(snapdisk->src); ++ ++ if (domdisk->device == VIR_DOMAIN_DISK_DEVICE_LUN) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("external active snapshots are not supported on scsi " + "passthrough devices")); + return -1; + } + +- return 0; +-} +- +- +-static int +-qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr disk) +-{ +- int actualType = virStorageSourceGetActualType(disk->src); +- + switch ((virStorageType) actualType) { + case VIR_STORAGE_TYPE_BLOCK: + case VIR_STORAGE_TYPE_FILE: +- return 0; ++ break; + + case VIR_STORAGE_TYPE_NETWORK: +- switch ((virStorageNetProtocol) disk->src->protocol) { ++ switch ((virStorageNetProtocol) snapdisk->src->protocol) { + case VIR_STORAGE_NET_PROTOCOL_GLUSTER: +- return 0; ++ break; + + case 
VIR_STORAGE_NET_PROTOCOL_NONE: + case VIR_STORAGE_NET_PROTOCOL_NBD: +@@ -13883,7 +13895,7 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d + virReportError(VIR_ERR_INTERNAL_ERROR, + _("external active snapshots are not supported on " + "'network' disks using '%s' protocol"), +- virStorageNetProtocolTypeToString(disk->src->protocol)); ++ virStorageNetProtocolTypeToString(snapdisk->src->protocol)); + return -1; + + } +@@ -13903,31 +13915,6 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d + } + + +-static int +-qemuDomainSnapshotPrepareDiskExternalOverlayInactive(virDomainSnapshotDiskDefPtr disk) +-{ +- int actualType = virStorageSourceGetActualType(disk->src); +- +- switch ((virStorageType) actualType) { +- case VIR_STORAGE_TYPE_BLOCK: +- case VIR_STORAGE_TYPE_FILE: +- return 0; +- +- case VIR_STORAGE_TYPE_NETWORK: +- case VIR_STORAGE_TYPE_DIR: +- case VIR_STORAGE_TYPE_VOLUME: +- case VIR_STORAGE_TYPE_NONE: +- case VIR_STORAGE_TYPE_LAST: +- virReportError(VIR_ERR_INTERNAL_ERROR, +- _("external inactive snapshots are not supported on " +- "'%s' disks"), virStorageTypeToString(actualType)); +- return -1; +- } +- +- return 0; +-} +- +- + static int + qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn, + virDomainDiskDefPtr disk, +@@ -13945,16 +13932,10 @@ qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn, + if (virStorageTranslateDiskSourcePool(conn, disk) < 0) + return -1; + +- if (qemuDomainSnapshotPrepareDiskExternalBackingInactive(disk) < 0) +- return -1; +- +- if (qemuDomainSnapshotPrepareDiskExternalOverlayInactive(snapdisk) < 0) ++ if (qemuDomainSnapshotPrepareDiskExternalInactive(snapdisk, disk) < 0) + return -1; + } else { +- if (qemuDomainSnapshotPrepareDiskExternalBackingActive(disk) < 0) +- return -1; +- +- if (qemuDomainSnapshotPrepareDiskExternalOverlayActive(snapdisk) < 0) ++ if (qemuDomainSnapshotPrepareDiskExternalActive(snapdisk, disk) < 0) + return -1; + } + 
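Review bot: In `qemuDomainSnapshotPrepareDiskExternalActive` the `VIR_STORAGE_NET_PROTOCOL_GLUSTER` arm changes from `return 0;` to `break;`, which only leaves the inner protocol switch. Whether control then leaves the `VIR_STORAGE_TYPE_NETWORK` case depends on a `break;` after the inner switch, and that line falls between two hunks and is not visible. The inactive variant shows the `break;` in its context lines; the active one does not, so confirm that gluster overlays cannot fall through into the following case labels. Separately, the merged inactive function reports the same `'%s' disks` message for both `domDiskType` and `snapDiskType`, so the error no longer says whether the domain disk or the snapshot target was refused.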
diff --git a/0006-qemu-block-Add-function-to-check-if-storage-source-a.patch b/0006-qemu-block-Add-function-to-check-if-storage-source-a.patch new file mode 100644 index 0000000..c751455 --- /dev/null +++ b/0006-qemu-block-Add-function-to-check-if-storage-source-a.patch 
@@ -0,0 +1,55 @@
+From: Peter Krempa
+Date: Tue, 14 Nov 2017 15:34:46 +0100
+Subject: [PATCH] qemu: block: Add function to check if storage source allows
+ concurrent access
+
+Storage source format backing a shared device (e.g. running a cluster
+filesystem) needs to support the sharing so that metadata are not
+corrupted. Add a central function for checking this.
+
+(cherry picked from commit 1fc3cd8731640aefc48bbd9fc489f21cb99c6f67)
+---
+ src/qemu/qemu_block.c | 15 +++++++++++++++
+ src/qemu/qemu_block.h | 3 +++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
+index 7fb12ea5a..4c0a5eb78 100644
+--- a/src/qemu/qemu_block.c
++++ b/src/qemu/qemu_block.c
+@@ -379,6 +379,21 @@ qemuBlockGetNodeData(virJSONValuePtr data)
+ }
+
+
++/**
++ * qemuBlockStorageSourceSupportsConcurrentAccess:
++ * @src: disk storage source
++ *
++ * Returns true if the given storage format supports concurrent access from two
++ * separate processes.
++ */
++bool
++qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src)
++{
++ /* no need to check in backing chain since only RAW storage supports this */
++ return src->format == VIR_STORAGE_FILE_RAW;
++}
++
++
+ /**
+ * qemuBlockStorageSourceBuildHostsJSONSocketAddress:
+ * @src: disk storage source
+diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
+index f0a2c9aa7..ebf3149ce 100644
+--- a/src/qemu/qemu_block.h
++++ b/src/qemu/qemu_block.h
+@@ -53,6 +53,9 @@ qemuBlockNodeNamesDetect(virQEMUDriverPtr driver,
+ virHashTablePtr
+ qemuBlockGetNodeData(virJSONValuePtr data);
+
++bool
++qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src);
++
+ virJSONValuePtr
+ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src);
+
diff --git a/0007-qemu-domain-Reject-shared-disk-access-if-backing-for.patch b/0007-qemu-domain-Reject-shared-disk-access-if-backing-for.patch
new file mode 100644
index 0000000..f5f24db
--- /dev/null
+++ b/0007-qemu-domain-Reject-shared-disk-access-if-backing-for.patch 
@@ -0,0 +1,146 @@ +From: Peter Krempa +Date: Tue, 14 Nov 2017 15:37:09 +0100 +Subject: [PATCH] qemu: domain: Reject shared disk access if backing format + does not support it + +Disk sharing between two VMs may corrupt the images if the format driver +does not support it. Check that the user declared use of a supported +storage format when they want to share the disk. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480 +(cherry picked from commit 3b03a27cd00c2f032661d2bf8905795425752fc7) +--- + src/qemu/qemu_domain.c | 29 +++++++++++++++++++++- + .../qemuxml2argv-disk-drive-shared-qcow.xml | 28 +++++++++++++++++++++ + .../qemuxml2argv-disk-drive-shared.args | 2 +- + .../qemuxml2argv-disk-drive-shared.xml | 2 +- + tests/qemuxml2argvtest.c | 1 + + 5 files changed, 59 insertions(+), 3 deletions(-) + create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml + +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index b98ffffae..42d17c1b0 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -25,6 +25,7 @@ + + #include "qemu_domain.h" + #include "qemu_alias.h" ++#include "qemu_block.h" + #include "qemu_cgroup.h" + #include "qemu_command.h" + #include "qemu_process.h" +@@ -3299,6 +3300,29 @@ qemuDomainRedirdevDefValidate(const virDomainRedirdevDef *def) + } + + ++static int ++qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk) ++{ ++ if (disk->src->shared && !disk->src->readonly) { ++ if (disk->src->format <= VIR_STORAGE_FILE_AUTO) { ++ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ++ _("shared access for disk '%s' requires use of " ++ "explicitly specified disk format"), disk->dst); ++ return -1; ++ } ++ ++ if (!qemuBlockStorageSourceSupportsConcurrentAccess(disk->src)) { ++ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ++ _("shared access for disk '%s' requires use of " ++ "supported storage format"), disk->dst); ++ return -1; ++ } ++ } ++ ++ return 0; ++} ++ ++ + static int + 
qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev, + const virDomainDef *def ATTRIBUTE_UNUSED, +@@ -3308,7 +3332,10 @@ qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev, + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + int ret = -1; + +- if (dev->type == VIR_DOMAIN_DEVICE_NET) { ++ if (dev->type == VIR_DOMAIN_DEVICE_DISK) { ++ if (qemuDomainDeviceDefValidateDisk(dev->data.disk) < 0) ++ goto cleanup; ++ } else if (dev->type == VIR_DOMAIN_DEVICE_NET) { + const virDomainNetDef *net = dev->data.net; + + if (net->guestIP.nroutes || net->guestIP.nips) { +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml +new file mode 100644 +index 000000000..ca88a944b +--- /dev/null ++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml +@@ -0,0 +1,28 @@ ++ ++ QEMUGuest1 ++ c7a5fdbd-edaf-9455-926a-d65c16db1809 ++ 219136 ++ 219136 ++ 1 ++ ++ hvm ++ ++ ++ ++ destroy ++ restart ++ destroy ++ ++ /usr/bin/qemu-system-i686 ++ ++ ++ ++ ++ ++
++ ++ ++ ++ ++ ++ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args +index 502157bf8..326fde1b3 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args +@@ -19,7 +19,7 @@ server,nowait \ + -no-acpi \ + -boot c \ + -usb \ +--drive file=/dev/HostVG/QEMUGuest1,format=qcow2,if=none,id=drive-ide0-0-0,\ ++-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0,\ + serial=XYZXYZXYZYXXYZYZYXYZY,cache=none \ + -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \ + -drive file=/dev/HostVG/QEMUGuest2,format=raw,if=none,media=cdrom,\ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml +index 9f7472378..677c2b0b7 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml ++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml +@@ -15,7 +15,7 @@ + + /usr/bin/qemu-system-i686 + +- ++ + + + +diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c +index 18f06e5aa..93f892229 100644 +--- a/tests/qemuxml2argvtest.c ++++ b/tests/qemuxml2argvtest.c +@@ -895,6 +895,7 @@ mymain(void) + QEMU_CAPS_DRIVE_BOOT); + DO_TEST("disk-drive-shared", + QEMU_CAPS_DRIVE_SERIAL); ++ DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE); + DO_TEST("disk-drive-error-policy-stop", + QEMU_CAPS_MONITOR_JSON); + DO_TEST("disk-drive-error-policy-enospace", diff --git a/0008-qemu-snapshot-Disallow-snapshot-of-unsupported-share.patch b/0008-qemu-snapshot-Disallow-snapshot-of-unsupported-share.patch new file mode 100644 index 0000000..8eedefd --- /dev/null +++ b/0008-qemu-snapshot-Disallow-snapshot-of-unsupported-share.patch 
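Review bot: `qemuDomainDeviceDefValidateDisk` has two rejection branches, but the patch adds a fixture for only one of them. `DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE)` presumably exercises the unsupported-format branch, and nothing visible covers a shared writable disk with no explicit format (`disk->src->format <= VIR_STORAGE_FILE_AUTO`). That first branch is what forces the format to be declared rather than left unspecified, so it deserves its own parse-error case. The function also has no header comment; `/* shared writable disks need an explicitly declared format that supports concurrent access */` would record the rule the two checks enforce.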
@@ -0,0 +1,63 @@
+From: Peter Krempa
+Date: Wed, 15 Nov 2017 13:41:01 +0100
+Subject: [PATCH] qemu: snapshot: Disallow snapshot of unsupported shared disks
+
+Creating a snapshot would introduce a possibly unsupported member for
+sharing into the backing chain. Add a check to prevent that from
+happening.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
+(cherry picked from commit 9b2fbfa6f6b535b9f41a7503531d43d86d7a8868)
+---
+ src/qemu/qemu_driver.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 57f0c2bf4..91119a494 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -13792,6 +13792,24 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn,
+ }
+
+
++static int
++qemuDomainSnapshotPrepareDiskShared(virDomainSnapshotDiskDefPtr snapdisk,
++ virDomainDiskDefPtr domdisk)
++{
++ if (!domdisk->src->shared || domdisk->src->readonly)
++ return 0;
++
++ if (!qemuBlockStorageSourceSupportsConcurrentAccess(snapdisk->src)) {
++ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++ _("shared access for disk '%s' requires use of "
++ "supported storage format"), domdisk->dst);
++ return -1;
++ }
++
++ return 0;
++}
++
++
+ static int
+ qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk,
+ virDomainDiskDefPtr domdisk)
+@@ -13853,6 +13871,9 @@ qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdi
+ return -1;
+ }
+
++ if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
++ return -1;
++
+ return 0;
+ }
+
+@@ -13911,6 +13932,9 @@ qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk
+ return -1;
+ }
+
++ if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
++ return -1;
++
+ return 0;
+ }
+
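Review bot: `qemuDomainSnapshotPrepareDiskShared` tests the format of `snapdisk->src` but reports the failure with the text used for the domain disk and prints `domdisk->dst`, so the user is not told that the snapshot image's format was refused. The helper has no comment either. Because `qemuBlockStorageSourceSupportsConcurrentAccess` elsewhere on this page accepts only `VIR_STORAGE_FILE_RAW`, the effect is that an external snapshot of a shared read-write disk is rejected unless the new image is raw. A comment such as `/* a snapshot of a shared read-write disk must itself use a format that supports concurrent access */` would state that. Both callers' bodies start outside their hunks.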
diff --git a/0009-qemu-Disallow-pivot-of-shared-disks-to-unsupported-s.patch b/0009-qemu-Disallow-pivot-of-shared-disks-to-unsupported-s.patch
new file mode 100644
index 0000000..52ff0fb
--- /dev/null
+++ b/0009-qemu-Disallow-pivot-of-shared-disks-to-unsupported-s.patch
@@ -0,0 +1,34 @@
+From: Peter Krempa
+Date: Wed, 15 Nov 2017 14:33:11 +0100
+Subject: [PATCH] qemu: Disallow pivot of shared disks to unsupported storage
+
+Pivoting to a unsupported storage type might break the assumption that
+shared disks will not corrupt metadata.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
+(cherry picked from commit 2b41c86294786c07f53afa633fe3dce703debc3c)
+---
+ src/qemu/qemu_driver.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 91119a494..208ccc9bc 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -16325,6 +16325,16 @@ qemuDomainBlockPivot(virQEMUDriverPtr driver,
+ goto cleanup;
+ }
+
++ /* When pivoting to a shareable disk we need to make sure that the disk can
++ * be safely shared, since block copy might have changed the format. */
++ if (disk->src->shared && !disk->src->readonly &&
++ !qemuBlockStorageSourceSupportsConcurrentAccess(disk->mirror)) {
++ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
++ _("can't pivot a shared disk to a storage volume not "
++ "supporting sharing"));
++ goto cleanup;
++ }
++
+ /* For active commit, the mirror is part of the already labeled
+ * chain. For blockcopy, we previously labeled only the top-level
+ * image; but if the user is reusing an external image that
diff --git a/0010-qemu-caps-Add-capability-for-share-rw-disk-option.patch b/0010-qemu-caps-Add-capability-for-share-rw-disk-option.patch
new file mode 100644
index 0000000..dbab755
--- /dev/null
+++ b/0010-qemu-caps-Add-capability-for-share-rw-disk-option.patch
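Review bot: The new check in `qemuDomainBlockPivot` passes `disk->mirror` straight to `qemuBlockStorageSourceSupportsConcurrentAccess`, which reads `src->format` without a NULL test. Whether `disk->mirror` is guaranteed non-NULL at this point depends on code above the hunk that is not visible, so confirm that an earlier guard rejects a disk with no active mirror before this line is reached. Unlike the sibling checks in this series, the error uses `VIR_ERR_OPERATION_UNSUPPORTED` with a fixed string and does not name the disk. Including `disk->dst` in the message, as the other checks do, would make a refused pivot easier to trace in logs.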
@@ -0,0 +1,126 @@ +From: Peter Krempa +Date: Wed, 15 Nov 2017 15:02:58 +0100 +Subject: [PATCH] qemu: caps: Add capability for 'share-rw' disk option + +'share-rw' for the disk device configures qemu to allow concurrent +access to the backing storage. + +The capability is checked in various supported disk frontend buses since +it does not make sense to partially backport it. + +(cherry picked from commit 860a3c4bea1d24773d8a495f213d5de3ac48a462) +--- + src/qemu/qemu_capabilities.c | 14 ++++++++++++++ + src/qemu/qemu_capabilities.h | 10 ++++++++++ + tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 + + tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 + + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + + 5 files changed, 27 insertions(+) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index e7ea6f47c..2de84715e 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -439,6 +439,16 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST, + "virtio-net.tx_queue_size", + "chardev-reconnect", + "virtio-gpu.max_outputs", ++ ++ /* 270 */ ++ "vxhs", ++ "virtio-blk.num-queues", ++ "machine.pseries.resize-hpt", ++ "vmcoreinfo", ++ "spapr-vty", ++ ++ /* 275 */ ++ "disk-share-rw", + ); + + +@@ -1702,6 +1712,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioBlk[] = { + { "event_idx", QEMU_CAPS_VIRTIO_BLK_EVENT_IDX }, + { "scsi", QEMU_CAPS_VIRTIO_BLK_SCSI }, + { "logical_block_size", QEMU_CAPS_BLOCKIO }, ++ { "share-rw", QEMU_CAPS_DISK_SHARE_RW }, + }; + + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioNet[] = { +@@ -1732,10 +1743,12 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVfioPCI[] = { + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsSCSIDisk[] = { + { "channel", QEMU_CAPS_SCSI_DISK_CHANNEL }, + { "wwn", QEMU_CAPS_SCSI_DISK_WWN }, ++ { "share-rw", QEMU_CAPS_DISK_SHARE_RW }, + }; + + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsIDEDrive[] 
= { + { "wwn", QEMU_CAPS_IDE_DRIVE_WWN }, ++ { "share-rw", QEMU_CAPS_DISK_SHARE_RW }, + }; + + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsPiix4PM[] = { +@@ -1766,6 +1779,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsQ35PCIHost[] = { + + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsUSBStorage[] = { + { "removable", QEMU_CAPS_USB_STORAGE_REMOVABLE }, ++ { "share-rw", QEMU_CAPS_DISK_SHARE_RW }, + }; + + static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsKVMPit[] = { +diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h +index f32687d4a..9c92d6b46 100644 +--- a/src/qemu/qemu_capabilities.h ++++ b/src/qemu/qemu_capabilities.h +@@ -426,6 +426,16 @@ typedef enum { + QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */ + QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */ + ++ /* 270 */ ++ QEMU_CAPS_VXHS, /* -drive file.driver=vxhs via query-qmp-schema */ ++ QEMU_CAPS_VIRTIO_BLK_NUM_QUEUES, /* virtio-blk-*.num-queues */ ++ QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT, /* -machine pseries,resize-hpt */ ++ QEMU_CAPS_DEVICE_VMCOREINFO, /* -device vmcoreinfo */ ++ QEMU_CAPS_DEVICE_SPAPR_VTY, /* -device spapr-vty */ ++ ++ /* 275 */ ++ QEMU_CAPS_DISK_SHARE_RW, /* share-rw=on for concurrent disk access */ ++ + QEMU_CAPS_LAST /* this must always be the last item */ + } virQEMUCapsFlags; + +diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml +index a373a6db6..9551907c6 100644 +--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml ++++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml +@@ -172,6 +172,7 @@ + + + ++ + 2009000 + 0 + (v2.9.0) +diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml +index e80782cfb..0a6fbd077 100644 +--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml ++++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml +@@ -137,6 +137,7 @@ + + + ++ + 
2009000 + 0 + +diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +index 3641d0332..1294ebdb3 100644 +--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml ++++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +@@ -220,6 +220,7 @@ + + + ++ + 2009000 + 0 + (v2.9.0) diff --git a/0011-qemu-command-Mark-shared-disks-as-such-in-qemu.patch b/0011-qemu-command-Mark-shared-disks-as-such-in-qemu.patch new file mode 100644 index 0000000..0741b10 --- /dev/null +++ b/0011-qemu-command-Mark-shared-disks-as-such-in-qemu.patch 
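Review bot: The enum and the `VIR_ENUM_IMPL` string table each gain six entries, but only `QEMU_CAPS_DISK_SHARE_RW` gets probing entries in the `virQEMUCapsObjectProps*` tables shown here. `QEMU_CAPS_VXHS` through `QEMU_CAPS_DEVICE_SPAPR_VTY` appear to be added only to keep the numbering aligned with upstream. If so, a comment at the `/* 270 */` group such as `/* placeholders to match upstream numbering; not probed in this backport */` would stop a later reader from relying on them. The `share-rw` property is also mapped from four device tables (virtio-blk, scsi-disk, ide-drive, usb-storage) onto a single flag. The flag therefore presumably means that at least one of those devices exposes the property, not necessarily the one a given disk uses, and that assumption is worth stating next to the enum entry.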
@@ -0,0 +1,133 @@ +From: Peter Krempa +Date: Wed, 15 Nov 2017 15:21:14 +0100 +Subject: [PATCH] qemu: command: Mark disks as such in qemu + +Qemu has now an internal mechanism for locking images to fix specific +cases of disk corruption. This requires libvirt to mark the image as +shared so that qemu lifts certain restrictions. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1378242 +(cherry picked from commit 28907b0043fbf71085a798372ab9c816ba043b93) +--- + src/qemu/qemu_command.c | 4 +++ + .../qemuxml2argv-disk-drive-shared-locking.args | 32 +++++++++++++++++ + .../qemuxml2argv-disk-drive-shared-locking.xml | 42 ++++++++++++++++++++++ + tests/qemuxml2argvtest.c | 2 ++ + 4 files changed, 80 insertions(+) + create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args + create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index ae78cd17e..883525752 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -2075,6 +2075,10 @@ qemuBuildDriveDevStr(const virDomainDef *def, + goto error; + } + ++ if (disk->src->shared && ++ virQEMUCapsGet(qemuCaps, QEMU_CAPS_DISK_SHARE_RW)) ++ virBufferAddLit(&opt, ",share-rw=on"); ++ + if (!(drivealias = qemuAliasFromDisk(disk))) + goto error; + virBufferAsprintf(&opt, ",drive=%s,id=%s", drivealias, disk->info.alias); +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args +new file mode 100644 +index 000000000..cdf17f26d +--- /dev/null ++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args +@@ -0,0 +1,32 @@ ++LC_ALL=C \ ++PATH=/bin \ ++HOME=/home/test \ ++USER=test \ ++LOGNAME=test \ ++QEMU_AUDIO_DRV=none \ ++/usr/bin/qemu-system-i686 \ ++-name QEMUGuest1 \ ++-S \ ++-M pc \ ++-m 214 \ ++-smp 1,sockets=1,cores=1,threads=1 \ ++-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ 
++-nographic \ ++-nodefaults \ ++-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\ ++server,nowait \ ++-mon chardev=charmonitor,id=monitor,mode=readline \ ++-no-acpi \ ++-boot c \ ++-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \ ++-usb \ ++-drive file=/dev/ide,format=raw,if=none,id=drive-ide0-0-0,cache=none \ ++-device ide-drive,bus=ide.0,unit=0,share-rw=on,drive=drive-ide0-0-0,\ ++id=ide0-0-0 \ ++-drive file=/dev/scsi,format=raw,if=none,id=drive-scsi0-0-0-0,cache=none \ ++-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,share-rw=on,\ ++drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \ ++-drive file=/dev/virtio,format=raw,if=none,id=drive-virtio-disk0,cache=none \ ++-device virtio-blk-pci,bus=pci.0,addr=0x4,share-rw=on,drive=drive-virtio-disk0,\ ++id=virtio-disk0 \ ++-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml +new file mode 100644 +index 000000000..dd48857a3 +--- /dev/null ++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml +@@ -0,0 +1,42 @@ ++ ++ QEMUGuest1 ++ c7a5fdbd-edaf-9455-926a-d65c16db1809 ++ 219136 ++ 219136 ++ 1 ++ ++ hvm ++ ++ ++ ++ destroy ++ restart ++ destroy ++ ++ /usr/bin/qemu-system-i686 ++ ++ ++ ++ ++ ++
++ ++ ++ ++ ++ ++ ++
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c +index 93f892229..9585fdb70 100644 +--- a/tests/qemuxml2argvtest.c ++++ b/tests/qemuxml2argvtest.c +@@ -896,6 +896,8 @@ mymain(void) + DO_TEST("disk-drive-shared", + QEMU_CAPS_DRIVE_SERIAL); + DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE); ++ DO_TEST("disk-drive-shared-locking", ++ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DISK_SHARE_RW); + DO_TEST("disk-drive-error-policy-stop", + QEMU_CAPS_MONITOR_JSON); + DO_TEST("disk-drive-error-policy-enospace", diff --git a/libvirt.spec b/libvirt.spec index d84d393..8b253c6 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -240,7 +240,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 3.7.0 -Release: 2%{?dist}%{?extra_release} +Release: 3%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root 
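Review bot: The `share-rw=on` condition added to `qemuBuildDriveDevStr` tests only `disk->src->shared`, while every validation added in this series (`qemuDomainDeviceDefValidateDisk`, `qemuDomainSnapshotPrepareDiskShared`, the pivot check) uses `shared && !readonly`. A disk that is both shared and read-only therefore skips the format checks but still has qemu's sharing restriction lifted on its device. That may be deliberate, since a read-only attachment can still have to tolerate another writer, but it is undocumented. A comment above the `if` would make the asymmetry explicit, e.g. `/* also set for read-only shared disks: another guest may hold the image open for writing */`, once the intent is confirmed. The function body starts and ends outside the hunk.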
@@ -256,6 +256,17 @@ Patch0001: 0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch # Fix spice GL qemu:///system rendernode permissions (bz #1460804) Patch0002: 0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch Patch0003: 0003-security-dac-relabel-spice-rendernode.patch +# CVE-2017-1000256: libvirt: TLS certificate verification disabled for +# clients (bz #1503687) +Patch0004: 0004-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch +# Fix qemu image locking with shared disks (bz #1513447) +Patch0005: 0005-qemu-Move-snapshot-disk-validation-functions-into-on.patch +Patch0006: 0006-qemu-block-Add-function-to-check-if-storage-source-a.patch +Patch0007: 0007-qemu-domain-Reject-shared-disk-access-if-backing-for.patch +Patch0008: 0008-qemu-snapshot-Disallow-snapshot-of-unsupported-share.patch +Patch0009: 0009-qemu-Disallow-pivot-of-shared-disks-to-unsupported-s.patch +Patch0010: 0010-qemu-caps-Add-capability-for-share-rw-disk-option.patch +Patch0011: 0011-qemu-command-Mark-shared-disks-as-such-in-qemu.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2127,6 +2138,11 @@ exit 0 %changelog +* Mon Dec 04 2017 Cole Robinson - 3.7.0-3 +- CVE-2017-1000256: libvirt: TLS certificate verification disabled for + clients (bz #1503687) +- Fix qemu image locking with shared disks (bz #1513447) + * Fri Sep 15 2017 Cole Robinson - 3.7.0-2 - Fix TPM2 passthrough (bz #1486240) - Fix spice GL qemu:///system rendernode permissions (bz #1460804)