[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/experimental] 6 commits: Rediff patches

Guido Günther gitlab at salsa.debian.org
Thu May 9 18:30:07 BST 2019



Guido Günther pushed to branch debian/experimental at Libvirt Packaging Team / libvirt


Commits:
baef7156 by Andrea Bolognani at 2019-05-09T17:29:39Z
Rediff patches

The patches

  api-disallow-virDomainGetHostname-for-read-only-connectio.patch
  remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
  tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch

are included in libvirt 5.3.0 and have thus been dropped.

- - - - -
82a1edc7 by Andrea Bolognani at 2019-05-09T17:29:39Z
Bump symbol versions

- - - - -
7eb0e32f by Andrea Bolognani at 2019-05-09T17:29:39Z
Revert "Warn about uninstalled files"

Now that we're using debhelper compat 12, we get this
behavior without needing to opt into it.

This reverts commit 84269a295e7281df37acaea460ac42f83622b672.

Gbp-Dch: Ignore

- - - - -
92f3b3a8 by Andrea Bolognani at 2019-05-09T17:29:40Z
Don't explicitly enable autoreconf sequence for dh

It's enabled by default since debhelper compat 10.

Gbp-Dch: Ignore

- - - - -
73fccd9a by Andrea Bolognani at 2019-05-09T17:29:40Z
Specify --doc-main-package for dh_installdocs

Starting with compat 11, debhelper tries to detect this
itself, but unfortunately it's getting it wrong for us and
picking libvirt-dev instead of libvirt-doc.

Fixes doc-base-file-references-missing-file Lintian error.

- - - - -
33732546 by Andrea Bolognani at 2019-05-09T17:29:40Z
Don't create docs/internals manually

This might have been necessary in the past, but right now
it's not doing anything useful.

Gbp-Dch: Ignore

- - - - -


11 changed files:

- debian/libvirt0.symbols
- debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch
- − debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch
- debian/patches/debian/Debianize-libvirt-guests.patch
- debian/patches/debian/Don-t-enable-default-network-on-boot.patch
- debian/patches/debian/Prefer-sbin-over-usr-sbin.patch
- debian/patches/debian/Use-upstreams-polkit-rule.patch
- − debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
- debian/patches/series
- − debian/patches/tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch
- debian/rules


Changes:

=====================================
debian/libvirt0.symbols
=====================================
@@ -119,7 +119,8 @@ libvirt.so.0 libvirt0 #MINVER#
  *@LIBVIRT_4.10.0 4.10.0
  *@LIBVIRT_5.0.0 5.0.0
  *@LIBVIRT_5.2.0 5.2.0~rc1
- *@LIBVIRT_PRIVATE_5.2.0 5.2.0~rc1
+ *@LIBVIRT_5.3.0 5.3.0
+ *@LIBVIRT_PRIVATE_5.3.0 5.3.0
 
 libvirt-qemu.so.0 libvirt0 #MINVER#
  *@LIBVIRT_QEMU_0.8.3 0.8.3
@@ -141,4 +142,4 @@ libvirt-admin.so.0 libvirt0 #MINVER#
  *@LIBVIRT_ADMIN_1.3.0 1.2.18
  *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1
  *@LIBVIRT_ADMIN_3.0.0 3.0.0
- *@LIBVIRT_ADMIN_PRIVATE_5.2.0 5.2.0~rc1
+ *@LIBVIRT_ADMIN_PRIVATE_5.3.0 5.3.0


=====================================
debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch
=====================================
@@ -10,10 +10,10 @@ Closes: #663931
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/util/virutil.c b/src/util/virutil.c
-index 0d58f1e..2858505 100644
+index e5917d3..e24b5c3 100644
 --- a/src/util/virutil.c
 +++ b/src/util/virutil.c
-@@ -1655,7 +1655,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+@@ -1483,7 +1483,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
  void virWaitForDevices(void)
  {
  # ifdef UDEVADM


=====================================
debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch deleted
=====================================
@@ -1,30 +0,0 @@
-From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
-Date: Wed, 3 Apr 2019 15:00:49 +0100
-Subject: api: disallow virDomainGetHostname for read-only connections
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-The virDomainGetHostname API is fetching guest information and this may
-involve use of an untrusted guest agent. As such its use must be
-forbidden on a read-only connection to libvirt.
-
-Fixes CVE-2019-3886
-Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
----
- src/libvirt-domain.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
-index be5b1f6..baf2182 100644
---- a/src/libvirt-domain.c
-+++ b/src/libvirt-domain.c
-@@ -11031,6 +11031,8 @@ virDomainGetHostname(virDomainPtr domain, unsigned int flags)
-     virCheckDomainReturn(domain, NULL);
-     conn = domain->conn;
- 
-+    virCheckReadOnlyGoto(domain->conn->flags, error);
-+
-     if (conn->driver->domainGetHostname) {
-         char *ret;
-         ret = conn->driver->domainGetHostname(domain, flags);


=====================================
debian/patches/debian/Debianize-libvirt-guests.patch
=====================================
@@ -9,7 +9,7 @@ Origin: vendor
  2 files changed, 30 insertions(+), 19 deletions(-)
 
 diff --git a/tools/libvirt-guests.sh.in b/tools/libvirt-guests.sh.in
-index 4bc6e86..9ec4064 100644
+index 4bc6e86..f94f1b3 100644
 --- a/tools/libvirt-guests.sh.in
 +++ b/tools/libvirt-guests.sh.in
 @@ -1,5 +1,17 @@


=====================================
debian/patches/debian/Don-t-enable-default-network-on-boot.patch
=====================================
@@ -9,10 +9,10 @@ to not interfere with existing network configurations
  2 files changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index fe2d19f..2700a1d 100644
+index 99217f9..e9e5ee0 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13398,8 +13398,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -13426,8 +13426,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_NETWORK_TRUE@	      $(DESTDIR)$(confdir)/qemu/networks/default.xml && \
  @WITH_NETWORK_TRUE@	    rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; }
  @WITH_NETWORK_TRUE@	( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
@@ -23,10 +23,10 @@ index fe2d19f..2700a1d 100644
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	$(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	  $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
 diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
-index cbaaa7e..cb0228d 100644
+index 3fed59c..13ae858 100644
 --- a/src/network/Makefile.inc.am
 +++ b/src/network/Makefile.inc.am
-@@ -85,8 +85,7 @@ install-data-network:
+@@ -87,8 +87,7 @@ install-data-network:
  	      $(DESTDIR)$(confdir)/qemu/networks/default.xml && \
  	    rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; }
  	( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \


=====================================
debian/patches/debian/Prefer-sbin-over-usr-sbin.patch
=====================================
@@ -11,10 +11,10 @@ Closes: #895145
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 880a3a7..307aff0 100644
+index dcd78f6..1b77c97 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -110,7 +110,7 @@ then
+@@ -116,7 +116,7 @@ then
  fi
  
  dnl Where we look for daemons and admin binaries during configure


=====================================
debian/patches/debian/Use-upstreams-polkit-rule.patch
=====================================
@@ -9,10 +9,10 @@ As of 1.2.16 upstream ships a Polkit rule like Debian does.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index 2700a1d..4abd388 100644
+index e9e5ee0..c780453 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13447,12 +13447,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -13475,12 +13475,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
@@ -28,10 +28,10 @@ index 2700a1d..4abd388 100644
  
  .PHONY: \
 diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
-index dccecf8..c1916bd 100644
+index 0671424..9e7227d 100644
 --- a/src/remote/Makefile.inc.am
 +++ b/src/remote/Makefile.inc.am
-@@ -213,12 +213,12 @@ install-polkit:
+@@ -221,12 +221,12 @@ install-polkit:
  		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \


=====================================
debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch deleted
=====================================
@@ -1,40 +0,0 @@
-From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
-Date: Wed, 3 Apr 2019 15:00:50 +0100
-Subject: remote: enforce ACL write permission for getting guest time &
- hostname
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-Getting the guest time and hostname both require use of guest agent
-commands. These must not be allowed for read-only users, so the
-permissions check must validate "write" permission not "read".
-
-Fixes CVE-2019-3886
-Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
----
- src/remote/remote_protocol.x | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
-index 74be4b3..11f44ee 100644
---- a/src/remote/remote_protocol.x
-+++ b/src/remote/remote_protocol.x
-@@ -5513,7 +5513,7 @@ enum remote_procedure {
- 
-     /**
-      * @generate: both
--     * @acl: domain:read
-+     * @acl: domain:write
-      */
-     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
- 
-@@ -5908,7 +5908,7 @@ enum remote_procedure {
- 
-     /**
-      * @generate: none
--     * @acl: domain:read
-+     * @acl: domain:write
-      */
-     REMOTE_PROC_DOMAIN_GET_TIME = 337,
- 


=====================================
debian/patches/series
=====================================
@@ -14,6 +14,3 @@ Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 debian/Prefer-sbin-over-usr-sbin.patch
-api-disallow-virDomainGetHostname-for-read-only-connectio.patch
-remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
-tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch


=====================================
debian/patches/tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch deleted
=====================================
@@ -1,98 +0,0 @@
-From: Eric Blake <eblake at redhat.com>
-Date: Wed, 27 Mar 2019 13:42:45 -0500
-Subject: tests: Avoid writing into $HOME during virsh-snapshot
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-In a constrained CI environment, where it is intentional that attempts
-to write outside the current directory will fail, virsh-snapshot was
-failing:
-
- error: invalid argument: parent s3 for snapshot s2 not found
- error: marker
-+error: Failed to create '/home/travis/.cache/libvirt/virsh': Permission denied
-FAIL virsh-snapshot (exit status: 1)
-
-But we've already solved the problem in virsh-uriprecedence: tell
-virsh to use XDG locations pointing to somewhere we can write rather
-than its default of falling back to $HOME with the test being at risk
-of breaking due to the user's environment and/or unacceptably altering
-the user's normal cache.  Hoist that solution into test-lib.sh, so
-that all scripts can use it as needed. While at it, fix a latent typo
-where XDG_RUNTIME_HOME was set to a literal relative directory name
-"XDG_CACHE_HOME" (the typo did not affect virsh-uriprecedence, but
-could matter to other clients).
-
-Fixes: 280a2b41
-Fixes: 398de147
-Reported-by: Daniel P. Berrangé <berrange at redhat.com>
-Signed-off-by: Eric Blake <eblake at redhat.com>
-
-(cherry picked from commit b18866086516b6fb1dc5bcc45dcde7b8df324850)
----
- tests/test-lib.sh         | 13 +++++++++++++
- tests/virsh-snapshot      |  2 ++
- tests/virsh-uriprecedence | 12 +-----------
- 3 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/tests/test-lib.sh b/tests/test-lib.sh
-index 49e8d22..ef5a47b 100644
---- a/tests/test-lib.sh
-+++ b/tests/test-lib.sh
-@@ -222,6 +222,19 @@ mkfifo_or_skip_()
-   fi
- }
- 
-+# Create mock XDG files/directories to avoid permission problems.
-+# As it points inside $test_dir_, it is automatically cleaned.
-+mock_xdg_()
-+{
-+  export XDG_CONFIG_HOME="$t_/.config"
-+  export XDG_CACHE_HOME="$t_/.cache"
-+  export XDG_RUNTIME_HOME="$XDG_CACHE_HOME"
-+
-+  mkdir -p "$XDG_CONFIG_HOME/libvirt" "$XDG_CONFIG_HOME/virsh"
-+  mkdir -p "$XDG_CACHE_HOME/libvirt" "$XDG_CACHE_HOME/virsh"
-+  mkdir -p "$XDG_RUNTIME_HOME/libvirt" "$XDG_RUNTIME_HOME/virsh"
-+}
-+
- test_dir_=$(pwd)
- 
- this_test_() { echo "./$0" | sed 's,.*/,,'; }
-diff --git a/tests/virsh-snapshot b/tests/virsh-snapshot
-index fb8a99d..cb498cf 100755
---- a/tests/virsh-snapshot
-+++ b/tests/virsh-snapshot
-@@ -26,6 +26,8 @@ fi
- 
- fail=0
- 
-+mock_xdg_ || framework_failure
-+
- # The test driver loses states between restarts, so we perform a script
- # with some convenient markers for later post-processing of output.
- $abs_top_builddir/tools/virsh --connect test:///default >out 2>err '
-diff --git a/tests/virsh-uriprecedence b/tests/virsh-uriprecedence
-index 564e3dc..fd6ce10 100755
---- a/tests/virsh-uriprecedence
-+++ b/tests/virsh-uriprecedence
-@@ -11,17 +11,7 @@ virsh_cmd="$virsh_bin"
- counter=0
- ret=0
- 
--cleanup_() { rm -rf "$tmphome"; }
--
--# Create all mock files/directories to avoid permission problems
--tmphome="$PWD/tmp_home"
--export XDG_CONFIG_HOME="$tmphome/.config"
--export XDG_CACHE_HOME="$tmphome/.cache"
--export XDG_RUNTIME_HOME="XDG_CACHE_HOME"
--
--mkdir -p "$XDG_CONFIG_HOME/libvirt" "$XDG_CONFIG_HOME/virsh"
--mkdir -p "$XDG_CACHE_HOME/libvirt" "$XDG_CACHE_HOME/virsh"
--mkdir -p "$XDG_RUNTIME_HOME/libvirt" "$XDG_RUNTIME_HOME/virsh"
-+mock_xdg_ || framework_failure
- 
- is_uri_good()
- {


=====================================
debian/rules
=====================================
@@ -150,14 +150,13 @@ LOGROTATE = $(basename $(basename $(notdir $(wildcard src/remote/libvirtd*.logro
 EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/
 
 %:
-	dh $@ --builddirectory=$(DEB_BUILDDIR) --with autoreconf
+	dh $@ --builddirectory=$(DEB_BUILDDIR)
 
 override_dh_auto_configure:
 	IPTABLES_PATH=/usr/sbin/iptables \
 	IP6TABLES_PATH=/usr/sbin/ip6tables \
 	EBTABLES_PATH=/usr/sbin/ebtables \
 	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS) $(shell dpkg-buildflags --export=configure)
-	mkdir -p debian/build/docs/internals
 
 override_dh_auto_test:
 	export LD_PRELOAD="";     \
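Review bot: Dropping `--with autoreconf` from the `%:` rule here, and removing `override_dh_missing` in the last hunk of this file, both rely on behaviour that is only the default at a given debhelper compat level (10 and 12 according to the commit messages). None of the 11 changed files in this push sets or changes the compat level, so this is presumably established elsewhere in the packaging. A short comment above `%:` would record the dependency for whoever next touches compat or backports the package, for example `# autoreconf and dh_missing --list-missing are debhelper defaults at compat >= 12`. The `override_dh_auto_test` recipe at the end of the hunk continues outside it.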
@@ -233,7 +232,8 @@ override_dh_installsystemd:
 	dh_installsystemd -p libvirt-daemon-system --no-stop-on-upgrade $(LIBVIRT_SYSTEM_SERVICES)
 
 override_dh_installdocs:
-	dh_installdocs
+	dh_installdocs -plibvirt-doc --doc-main-package libvirt-doc
+	dh_installdocs -Nlibvirt-doc
 	# Remove binaries and object files examples
 	[ ! -d $(EXAMPLES_DIR) ] || find $(EXAMPLES_DIR) -name "*.o" -type f -delete -o -name .libs -type d -exec rm -rf {} \;
 	rm -f $(EXAMPLES_DIR)domain-events/events-c/event-test \
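Review bot: The two new `dh_installdocs` calls in `override_dh_installdocs` carry no comment saying why `--doc-main-package libvirt-doc` is pinned, so the rationale (debhelper's compat 11 autodetection picking libvirt-dev) is recorded only in the commit message. I would add `# debhelper >= 11 guesses libvirt-dev as the doc main package; force libvirt-doc` above the first call. The second call, `dh_installdocs -Nlibvirt-doc`, still uses autodetection for every other binary package. That is presumably intended, but it is worth confirming against the /usr/share/doc layout of the built packages. The recipe continues past the end of this hunk.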
@@ -257,6 +257,3 @@ override_dh_auto_clean:
 override_dh_installchangelogs:
 	dh_installchangelogs -plibvirt0
 	dh_installchangelogs -Nlibvirt0 -XChangeLog
-
-override_dh_missing:
-	dh_missing --list-missing



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/ab67a28666fb6bebeb44314665d9f1e156073db0...337325463445acb87eecc34b6f6b26e479b73d23
