Fix TPM2 passthrough (bz #1486240)

Fix spice GL qemu:///system rendernode permissions (bz #1460804)
Fix on_reboot=destroy setting (bz #1476866)
Fix disk images in /dev/shm (bz #1482146)

0004-daemon-Don-t-run-if-in-a-Fedora-live-VM.patch

@@ -1,35 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Tue, 30 May 2017 18:35:04 -0400
-Subject: [PATCH] daemon: Don't run if in a Fedora live VM
-
-Only start libvirtd if not in a VM OR if not in a Fedora live env,
-via systemd unit conditions. It checks Fedora live env by looking
-for the rd.live.image option on the kernel command line.
-
-Roundabout way to prevent the 'default' network killing connectivity
-of the livecd running in a VM
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1146232
-
-Not upstream, will likely need some kind of different permanent solution
----
- daemon/libvirtd.service.in | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
-index fbaf02f3b..86ee988fa 100644
---- a/daemon/libvirtd.service.in
-+++ b/daemon/libvirtd.service.in
-@@ -16,6 +16,12 @@ After=local-fs.target
- After=remote-fs.target
- Documentation=man:libvirtd(8)
- Documentation=http://libvirt.org
-+# This says, start libvirtd if not in a VM OR if not in a Fedora live env
-+# Roundabout way to prevent the 'default' network killing connectivity
-+# of the livecd running in a VM
-+# https://bugzilla.redhat.com/show_bug.cgi?id=1146232
-+ConditionVirtualization=|0
-+ConditionKernelCommandLine=|!rd.live.image
- 
- [Service]
- Type=notify

0104-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch

@@ -0,0 +1,34 @@
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Thu, 29 Jun 2017 14:01:11 -0400
+Subject: [PATCH] tpm: Use /dev/null for cancel path if none was found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+TPM 2 does not implement sysfs files for cancellation of commands.
+We therefore use /dev/null for the cancel path passed to QEMU.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Tested-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit dfbb15b75433e520fb1b905c1c3e28753e53e4a5)
+---
+ src/util/virtpm.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/util/virtpm.c b/src/util/virtpm.c
+index 6d9b0657a..d5c10da38 100644
+--- a/src/util/virtpm.c
++++ b/src/util/virtpm.c
+@@ -61,9 +61,7 @@ virTPMCreateCancelPath(const char *devpath)
+                 VIR_FREE(path);
+             }
+             if (!path)
+-                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+-                               _("No usable sysfs TPM cancel file could be "
+-                                 "found"));
++                ignore_value(VIR_STRDUP(path, "/dev/null"));
+         } else {
+             virReportError(VIR_ERR_INTERNAL_ERROR,
+                            _("TPM device path %s is invalid"), devpath);

0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch

@@ -0,0 +1,108 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sun, 27 Aug 2017 11:23:47 -0400
+Subject: [PATCH] security: add MANAGER_MOUNT_NAMESPACE flag
+
+The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
+if mount namespaces are in use for the VM. Will be used for future
+changes.
+
+Wire it up in the qemu driver
+
+(cherry picked from commit 321031e482425dfeae0f125cdac6df870f079efd)
+---
+ src/qemu/qemu_driver.c          |  2 ++
+ src/security/security_dac.c     | 10 ++++++++++
+ src/security/security_dac.h     |  3 +++
+ src/security/security_manager.c |  4 +++-
+ src/security/security_manager.h |  1 +
+ 5 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index ce844bb04..555a1009b 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -417,6 +417,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
+     if (virQEMUDriverIsPrivileged(driver)) {
+         if (cfg->dynamicOwnership)
+             flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
++        if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
++            flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
+         if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
+                                        cfg->user,
+                                        cfg->group,
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 922e48494..1f8d279bf 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -57,6 +57,7 @@ struct _virSecurityDACData {
+     gid_t *groups;
+     int ngroups;
+     bool dynamicOwnership;
++    bool mountNamespace;
+     char *baselabel;
+     virSecurityManagerDACChownCallback chownCallback;
+ };
+@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+ }
+ 
+ void
++virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
++                                bool mountNamespace)
++{
++    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
++    priv->mountNamespace = mountNamespace;
++}
++
++
++void
+ virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                                virSecurityManagerDACChownCallback chownCallback)
+ {
+diff --git a/src/security/security_dac.h b/src/security/security_dac.h
+index 846cefbb5..97681c961 100644
+--- a/src/security/security_dac.h
++++ b/src/security/security_dac.h
+@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+                                        bool dynamic);
+ 
++void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
++                                     bool mountNamespace);
++
+ void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                                     virSecurityManagerDACChownCallback chownCallback);
+ 
+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
+index 6c777db1e..b2d04d4b9 100644
+--- a/src/security/security_manager.c
++++ b/src/security/security_manager.c
+@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
+     virSecurityManagerPtr mgr;
+ 
+     virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
+-                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
++                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
++                  VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
+ 
+     mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
+                                       virtDriver,
+@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
+     }
+ 
+     virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
++    virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
+     virSecurityDACSetChownCallback(mgr, chownCallback);
+ 
+     return mgr;
+diff --git a/src/security/security_manager.h b/src/security/security_manager.h
+index 238e66cd0..96937a892 100644
+--- a/src/security/security_manager.h
++++ b/src/security/security_manager.h
+@@ -36,6 +36,7 @@ typedef enum {
+     VIR_SECURITY_MANAGER_REQUIRE_CONFINED   = 1 << 2,
+     VIR_SECURITY_MANAGER_PRIVILEGED         = 1 << 3,
+     VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP  = 1 << 4,
++    VIR_SECURITY_MANAGER_MOUNT_NAMESPACE    = 1 << 5,
+ } virSecurityManagerNewFlags;
+ 
+ # define VIR_SECURITY_MANAGER_NEW_MASK  \

0106-security-dac-relabel-spice-rendernode.patch

@@ -0,0 +1,101 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 17 Jul 2017 08:57:57 -0400
+Subject: [PATCH] security: dac: relabel spice rendernode
+
+For a logged in user this a path like /dev/dri/renderD128 will have
+default ownership root:video which won't work for the qemu:qemu user,
+so we need to chown it.
+
+We only do this when mount namespaces are enabled in the qemu driver,
+so the chown'ing doesn't interfere with other users of the shared
+render node path
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1460804
+(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634)
+---
+ src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 58 insertions(+)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 1f8d279bf..5f13bcee8 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
+ 
+ 
+ static int
++virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
++                               virDomainDefPtr def,
++                               virDomainGraphicsDefPtr gfx)
++
++{
++    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
++    virSecurityLabelDefPtr seclabel;
++    uid_t user;
++    gid_t group;
++
++    /* Skip chowning the shared render file if namespaces are disabled */
++    if (!priv->mountNamespace)
++        return 0;
++
++    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
++    if (seclabel && !seclabel->relabel)
++        return 0;
++
++    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
++        return -1;
++
++    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
++        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
++        gfx->data.spice.rendernode) {
++        if (virSecurityDACSetOwnership(priv, NULL,
++                                       gfx->data.spice.rendernode,
++                                       user, group) < 0)
++            return -1;
++    }
++
++    return 0;
++}
++
++
++static int
++virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
++                               virDomainDefPtr def ATTRIBUTE_UNUSED,
++                               virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
++
++{
++    /* The only graphics labelling we do is dependent on mountNamespaces,
++       in which case 'restoring' the label doesn't actually accomplish
++       anything, so there's nothing to do here */
++    return 0;
++}
++
++
++static int
+ virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def,
+                             virDomainInputDefPtr input)
+@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
+             rc = -1;
+     }
+ 
++    for (i = 0; i < def->ngraphics; i++) {
++        if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
++            return -1;
++    }
++
+     for (i = 0; i < def->ninputs; i++) {
+         if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
+             rc = -1;
+@@ -1602,6 +1655,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
+             return -1;
+     }
+ 
++    for (i = 0; i < def->ngraphics; i++) {
++        if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
++            return -1;
++    }
++
+     for (i = 0; i < def->ninputs; i++) {
+         if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
+             return -1;

0107-qemu-Honour-on_reboot.patch

@@ -0,0 +1,63 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 31 Jul 2017 16:55:58 +0200
+Subject: [PATCH] qemu: Honour <on_reboot/>
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1476866
+
+For some reason, we completely ignore <on_reboot/> setting for
+domains. The implementation is simply not there. It never was.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 3ee9bdbe351c0b80d4c469571ef31df3f1b148ea)
+---
+ src/qemu/qemu_process.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 992a7174b..7588212ba 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -487,6 +487,7 @@ qemuProcessHandleReset(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
+     virObjectEventPtr event;
+     qemuDomainObjPrivatePtr priv;
+     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
++    int ret = -1;
+ 
+     virObjectLock(vm);
+ 
+@@ -498,12 +499,32 @@ qemuProcessHandleReset(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
+     if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir, vm, driver->caps) < 0)
+         VIR_WARN("Failed to save status on vm %s", vm->def->name);
+ 
+-    virObjectUnlock(vm);
++    if (vm->def->onReboot == VIR_DOMAIN_LIFECYCLE_DESTROY ||
++        vm->def->onReboot == VIR_DOMAIN_LIFECYCLE_PRESERVE) {
+ 
+-    qemuDomainEventQueue(driver, event);
++        if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
++            goto cleanup;
++
++        if (!virDomainObjIsActive(vm)) {
++            VIR_DEBUG("Ignoring RESET event from inactive domain %s",
++                      vm->def->name);
++            goto endjob;
++        }
++
++        qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_DESTROYED,
++                        QEMU_ASYNC_JOB_NONE, 0);
++        virDomainAuditStop(vm, "destroyed");
++        qemuDomainRemoveInactive(driver, vm);
++     endjob:
++        qemuDomainObjEndJob(driver, vm);
++    }
+ 
++    ret = 0;
++ cleanup:
++    virObjectUnlock(vm);
++    qemuDomainEventQueue(driver, event);
+     virObjectUnref(cfg);
+-    return 0;
++    return ret;
+ }
+ 
+ 

0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch

@@ -0,0 +1,113 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 27 Apr 2017 16:29:21 +0200
+Subject: [PATCH] qemuDomainBuildNamespace: Move /dev/* mountpoints later
+
+When setting up mount namespace for a qemu domain the following
+steps are executed:
+
+1) get list of mountpoints under /dev/
+2) move them to /var/run/libvirt/qemu/$domName.ext
+3) start constructing new device tree under /var/run/libvirt/qemu/$domName.dev
+4) move the mountpoint of the new device tree to /dev
+5) restore original mountpoints from step 2)
+
+Note the problem with this approach is that if some device in step
+3) requires access to a mountpoint from step 2) it will fail as
+the mountpoint is not there anymore. For instance consider the
+following domain disk configuration:
+
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source file='/dev/shm/vhostmd0'/>
+      <target dev='vdb' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
+    </disk>
+
+In this case operation fails as we are unable to create vhostmd0
+in the new device tree because after step 2) there is no /dev/shm
+anymore. Leave aside fact that we shouldn't try to create devices
+living in other mountpoints. That's a separate bug that will be
+addressed later.
+
+Currently, the order described above is rearranged to:
+
+1) get list of mountpoints under /dev/
+2) start constructing new device tree under /var/run/libvirt/qemu/$domName.dev
+3) move them to /var/run/libvirt/qemu/$domName.ext
+4) move the mountpoint of the new device tree to /dev
+5) restore original mountpoints from step 3)
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cedric Bosdonnat <cbosdonnat@suse.com>
+(cherry picked from commit a7cc039dc796f541793955598377807af48341fb)
+(cherry picked from commit 469bf7cb7a44a0798c63e4b5e4682d8e38bce66e)
+---
+ src/qemu/qemu_domain.c | 48 ++++++++++++++++++++++++------------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 4a127cedf..64f18f493 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -7854,6 +7854,30 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
+     if (qemuDomainSetupDev(cfg, mgr, vm, devPath) < 0)
+         goto cleanup;
+ 
++    if (qemuDomainSetupAllDisks(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllHostdevs(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllMemories(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllChardevs(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupTPM(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllGraphics(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllInputs(cfg, vm, devPath) < 0)
++        goto cleanup;
++
++    if (qemuDomainSetupAllRNGs(cfg, vm, devPath) < 0)
++        goto cleanup;
++
+     /* Save some mount points because we want to share them with the host */
+     for (i = 0; i < ndevMountsPath; i++) {
+         struct stat sb;
+@@ -7881,30 +7905,6 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
+             goto cleanup;
+     }
+ 
+-    if (qemuDomainSetupAllDisks(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllHostdevs(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllMemories(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllChardevs(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupTPM(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllGraphics(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllInputs(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+-    if (qemuDomainSetupAllRNGs(cfg, vm, devPath) < 0)
+-        goto cleanup;
+-
+     if (virFileMoveMount(devPath, "/dev") < 0)
+         goto cleanup;
+ 

libvirt.spec

@@ -240,7 +240,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 3.2.1
-Release: 5%{?dist}%{?extra_release}
+Release: 6%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -255,24 +255,21 @@ Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
 Patch0001: 0001-tests-Check-default-GIC-version-for-aarch64-virt-TCG.patch
 Patch0002: 0002-qemu-Use-GICv2-for-aarch64-virt-TCG-guests.patch
 Patch0003: 0003-gic-Remove-VIR_GIC_VERSION_DEFAULT.patch
-# Don't run libvirtd in live environment, to avoid network collision (bz
-# #1146232)
-Patch0004: 0004-daemon-Don-t-run-if-in-a-Fedora-live-VM.patch
 # Fix resuming qemu VMs suspended before libvirt 3.2.0
-Patch0005: 0005-Revert-qemu-propagate-bridge-MTU-into-qemu-host_mtu-.patch
+Patch0004: 0004-Revert-qemu-propagate-bridge-MTU-into-qemu-host_mtu-.patch
 # Fix issues with AMD CPU models, and some others
-Patch0006: 0006-cpu-Introduce-virCPUCopyMigratable.patch
+Patch0005: 0005-cpu-Introduce-virCPUCopyMigratable.patch
-Patch0007: 0007-qemu-Move-common-code-in-virQEMUCapsInitCPUModel-one.patch
+Patch0006: 0006-qemu-Move-common-code-in-virQEMUCapsInitCPUModel-one.patch
-Patch0008: 0008-qemu-Add-migratable-parameter-to-virQEMUCapsInitCPUM.patch
+Patch0007: 0007-qemu-Add-migratable-parameter-to-virQEMUCapsInitCPUM.patch
-Patch0009: 0009-qemu-Introduce-virQEMUCapsSetHostModel.patch
+Patch0008: 0008-qemu-Introduce-virQEMUCapsSetHostModel.patch
-Patch0010: 0010-qemu-Move-qemuCaps-CPU-data-copying-into-a-separate-.patch
+Patch0009: 0009-qemu-Move-qemuCaps-CPU-data-copying-into-a-separate-.patch
-Patch0011: 0011-qemu-Introduce-virQEMUCapsHostCPUDataClear.patch
+Patch0010: 0010-qemu-Introduce-virQEMUCapsHostCPUDataClear.patch
-Patch0012: 0012-qemu-Move-qemuCaps-host-CPU-data-in-a-struct.patch
+Patch0011: 0011-qemu-Move-qemuCaps-host-CPU-data-in-a-struct.patch
-Patch0013: 0013-qemu-Prepare-qemuCaps-for-multiple-host-CPU-defs.patch
+Patch0012: 0012-qemu-Prepare-qemuCaps-for-multiple-host-CPU-defs.patch
-Patch0014: 0014-qemu-Pass-migratable-host-CPU-model-to-virCPUUpdate.patch
+Patch0013: 0013-qemu-Pass-migratable-host-CPU-model-to-virCPUUpdate.patch
-Patch0015: 0015-cpu-Drop-feature-filtering-from-virCPUUpdate.patch
+Patch0014: 0014-cpu-Drop-feature-filtering-from-virCPUUpdate.patch
-Patch0016: 0016-cpu-Introduce-virCPUGetHostIsSupported.patch
+Patch0015: 0015-cpu-Introduce-virCPUGetHostIsSupported.patch
-Patch0017: 0017-qemu-Use-more-data-for-comparing-CPUs.patch
+Patch0016: 0016-qemu-Use-more-data-for-comparing-CPUs.patch
 
 # Enable ZFS storage driver (bz #1471912)
 Patch0101: 0101-spec-Add-support-for-building-the-zfs-storage-driver.patch
@@ -281,6 +278,15 @@ Patch0101: 0101-spec-Add-support-for-building-the-zfs-storage-driver.patch
 Patch0102: 0102-Avoid-hidden-cgroup-mount-points.patch
 # disk driver name=... should be optional (bz #1473091)
 Patch0103: 0103-docs-schema-make-disk-driver-name-attribute-optional.patch
+# Fix TPM2 passthrough (bz #1486240)
+Patch0104: 0104-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
+# Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+Patch0105: 0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
+Patch0106: 0106-security-dac-relabel-spice-rendernode.patch
+# Fix on_reboot=destroy setting (bz #1476866)
+Patch0107: 0107-qemu-Honour-on_reboot.patch
+# Fix disk images in /dev/shm (bz #1482146)
+Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2148,6 +2154,12 @@ exit 0
 
 
 %changelog
+* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-6
+- Fix TPM2 passthrough (bz #1486240)
+- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+- Fix on_reboot=destroy setting (bz #1476866)
+- Fix disk images in /dev/shm (bz #1482146)
+
 * Fri Aug 04 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-5
 - Enable ZFS storage driver (bz #1471912)
 - Don't use cgroup mount points from /proc/mounts that are hidden (bz