diff --git a/libvirt-Substitute-security_context_t-with-char.patch b/libvirt-Substitute-security_context_t-with-char.patch new file mode 100644 index 0000000000000000000000000000000000000000..93ebe82b1c9a54d3c03a163ce5a39e55bb940990 --- /dev/null +++ b/libvirt-Substitute-security_context_t-with-char.patch @@ -0,0 +1,320 @@ +From 0ca4dd0cd279448ff28beb4c88e52107531783a3 Mon Sep 17 00:00:00 2001 +From: Xu Yandong +Date: Tue, 4 Aug 2020 01:44:48 +0000 +Subject: [PATCH] Substitute security_context_t with char * + +Historically, we've used security_context_t for variables passed +to libselinux APIs. But almost 7 years ago, libselinux developers +admitted in their API that in fact, it's just a 'char *' type +[1]. Ever since then the APIs accept 'char *' instead, but they +kept the old alias just for API stability. Well, not anymore [2]. + +1: https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9 +2: https://github.com/SELinuxProject/selinux/commit/7a124ca2758136f49cc38efc26fb1a2d385ecfd9 + +Signed-off-by: Michal Privoznik +Reviewed-by: Andrea Bolognani +(cherry-picked from commit e71e13488dc1aa65456e54a4b41bc925821b4263) +Signed-off-by: Xu Yandong +--- + src/libvirt-lxc.c | 2 +- + src/rpc/virnetsocket.c | 2 +- + src/security/security_selinux.c | 26 +++++++++++++------------- + src/storage/storage_util.c | 2 +- + src/util/viridentity.c | 2 +- + tests/securityselinuxhelper.c | 16 ++++++++-------- + tests/securityselinuxlabeltest.c | 4 ++-- + tests/securityselinuxtest.c | 2 +- + tests/viridentitytest.c | 2 +- + 9 files changed, 29 insertions(+), 29 deletions(-) + +diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c +index 47a06a3..25f1cfc 100644 +--- a/src/libvirt-lxc.c ++++ b/src/libvirt-lxc.c +@@ -204,7 +204,7 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model, + if (STREQ(model->model, "selinux")) { + #ifdef WITH_SELINUX + if (oldlabel) { +- security_context_t ctx; ++ char *ctx; + + if (getcon(&ctx) < 0) { + virReportSystemError(errno, +diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c +index 6c790cb..5537289 100644 +--- a/src/rpc/virnetsocket.c ++++ b/src/rpc/virnetsocket.c +@@ -1595,7 +1595,7 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock G_GNUC_UNUSED, + int virNetSocketGetSELinuxContext(virNetSocketPtr sock, + char **context) + { +- security_context_t seccon = NULL; ++ char *seccon = NULL; + int ret = -1; + + *context = NULL; +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index 8aeb6e4..72d1658 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -198,7 +198,7 @@ virSecuritySELinuxTransactionAppend(const char *path, + + static int + virSecuritySELinuxRememberLabel(const char *path, +- const security_context_t con) ++ const char *con) + { + return virSecuritySetRememberedLabel(SECURITY_SELINUX_NAME, + path, con); +@@ -207,7 +207,7 @@ virSecuritySELinuxRememberLabel(const char *path, + + static int + virSecuritySELinuxRecallLabel(const char *path, +- security_context_t *con) ++ char **con) + { + int rv; + +@@ -431,7 +431,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens, + int *catMin, + int *catMax) + { +- security_context_t ourSecContext = NULL; ++ char *ourSecContext = NULL; + context_t ourContext = NULL; + char *cat = NULL; + char *tmp; +@@ -530,8 +530,8 @@ virSecuritySELinuxMCSGetProcessRange(char **sens, + } + + static char * +-virSecuritySELinuxContextAddRange(security_context_t src, +- security_context_t dst) ++virSecuritySELinuxContextAddRange(char *src, ++ char *dst) + { + char *str = NULL; + char *ret = NULL; +@@ -575,7 +575,7 @@ virSecuritySELinuxGenNewContext(const char *basecontext, + context_t context = NULL; + char *ret = NULL; + char *str; +- security_context_t ourSecContext = NULL; ++ char *ourSecContext = NULL; + context_t ourContext = NULL; + + VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d", +@@ -967,7 +967,7 @@ virSecuritySELinuxReserveLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + pid_t pid) + { +- security_context_t pctx; ++ char *pctx; + context_t ctx = NULL; + const char *mcs; + int rv; +@@ -1217,7 +1217,7 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED, + pid_t pid, + virSecurityLabelPtr sec) + { +- security_context_t ctx; ++ char *ctx; + + if (getpidcon_raw(pid, &ctx) == -1) { + virReportSystemError(errno, +@@ -1330,7 +1330,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, + bool remember) + { + bool privileged = virSecurityManagerGetPrivileged(mgr); +- security_context_t econ = NULL; ++ char *econ = NULL; + int refcount; + int rc; + bool rollback = false; +@@ -1440,7 +1440,7 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon) + /* Set fcon to the appropriate label for path and mode, or return -1. */ + static int + getContext(virSecurityManagerPtr mgr G_GNUC_UNUSED, +- const char *newpath, mode_t mode, security_context_t *fcon) ++ const char *newpath, mode_t mode, char **fcon) + { + virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr); + +@@ -1457,7 +1457,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr, + { + bool privileged = virSecurityManagerGetPrivileged(mgr); + struct stat buf; +- security_context_t fcon = NULL; ++ char *fcon = NULL; + char *newpath = NULL; + int rc; + int ret = -1; +@@ -2972,7 +2972,7 @@ virSecuritySELinuxSetDaemonSocketLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED, + { + /* TODO: verify DOI */ + virSecurityLabelDefPtr secdef; +- security_context_t scon = NULL; ++ char *scon = NULL; + char *str = NULL; + int rc = -1; + +@@ -3259,7 +3259,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr, + int fd) + { + struct stat buf; +- security_context_t fcon = NULL; ++ char *fcon = NULL; + virSecurityLabelDefPtr secdef; + char *str = NULL, *proc = NULL, *fd_path = NULL; + int rc = -1; +diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c +index 1ec1d13..4c67d3a 100644 +--- a/src/storage/storage_util.c ++++ b/src/storage/storage_util.c +@@ -1818,7 +1818,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageSourcePtr target, + struct stat *sb) + { + #if WITH_SELINUX +- security_context_t filecon = NULL; ++ char *filecon = NULL; + #endif + + if (virStorageSourceUpdateBackingSizes(target, fd, sb) < 0) +diff --git a/src/util/viridentity.c b/src/util/viridentity.c +index 8cc2db2..2cb9042 100644 +--- a/src/util/viridentity.c ++++ b/src/util/viridentity.c +@@ -157,7 +157,7 @@ virIdentityPtr virIdentityGetSystem(void) + unsigned long long startTime; + g_autoptr(virIdentity) ret = NULL; + #if WITH_SELINUX +- security_context_t con; ++ char *con; + #endif + + if (!(ret = virIdentityNew())) +diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c +index f89224c..63b5726 100644 +--- a/tests/securityselinuxhelper.c ++++ b/tests/securityselinuxhelper.c +@@ -58,7 +58,7 @@ static struct selabel_handle *(*real_selabel_open)(unsigned int backend, + unsigned nopts); + static void (*real_selabel_close)(struct selabel_handle *handle); + static int (*real_selabel_lookup_raw)(struct selabel_handle *handle, +- security_context_t *con, ++ char **con, + const char *key, + int type); + +@@ -94,7 +94,7 @@ static void init_syms(void) + * the virt_use_nfs bool is set. + */ + +-int getcon_raw(security_context_t *context) ++int getcon_raw(char **context) + { + if (!is_selinux_enabled()) { + errno = EINVAL; +@@ -109,12 +109,12 @@ int getcon_raw(security_context_t *context) + return 0; + } + +-int getcon(security_context_t *context) ++int getcon(char **context) + { + return getcon_raw(context); + } + +-int getpidcon_raw(pid_t pid, security_context_t *context) ++int getpidcon_raw(pid_t pid, char **context) + { + if (!is_selinux_enabled()) { + errno = EINVAL; +@@ -134,7 +134,7 @@ int getpidcon_raw(pid_t pid, security_context_t *context) + return 0; + } + +-int getpidcon(pid_t pid, security_context_t *context) ++int getpidcon(pid_t pid, char **context) + { + return getpidcon_raw(pid, context); + } +@@ -170,7 +170,7 @@ int setfilecon(const char *path, const char *con) + return setfilecon_raw(path, con); + } + +-int getfilecon_raw(const char *path, security_context_t *con) ++int getfilecon_raw(const char *path, char **con) + { + char *constr = NULL; + ssize_t len = getxattr(path, "user.libvirt.selinux", +@@ -194,7 +194,7 @@ int getfilecon_raw(const char *path, security_context_t *con) + } + + +-int getfilecon(const char *path, security_context_t *con) ++int getfilecon(const char *path, char **con) + { + return getfilecon_raw(path, con); + } +@@ -315,7 +315,7 @@ void selabel_close(struct selabel_handle *handle) + } + + int selabel_lookup_raw(struct selabel_handle *handle, +- security_context_t *con, ++ char **con, + const char *key, + int type) + { +diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c +index 3040a36..50b447c 100644 +--- a/tests/securityselinuxlabeltest.c ++++ b/tests/securityselinuxlabeltest.c +@@ -252,7 +252,7 @@ static int + testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles) + { + size_t i; +- security_context_t ctx; ++ char *ctx; + + for (i = 0; i < nfiles; i++) { + ctx = NULL; +@@ -360,7 +360,7 @@ mymain(void) + if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \ + ret = -1; + +- setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023"); ++ setcon("system_r:system_u:libvirtd_t:s0:c0.c1023"); + + DO_TEST_LABELING("disks"); + DO_TEST_LABELING("kernel"); +diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c +index 6c8314d..3f069c2 100644 +--- a/tests/securityselinuxtest.c ++++ b/tests/securityselinuxtest.c +@@ -217,7 +217,7 @@ testSELinuxGenLabel(const void *opaque) + context_t con = NULL; + context_t imgcon = NULL; + +- if (setcon_raw((security_context_t)data->pidcon) < 0) { ++ if (setcon_raw(data->pidcon) < 0) { + perror("Cannot set process security context"); + return -1; + } +diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c +index 3f87af1..9a8c891 100644 +--- a/tests/viridentitytest.c ++++ b/tests/viridentitytest.c +@@ -120,7 +120,7 @@ static int testIdentityGetSystem(const void *data) + static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED) + { + #if WITH_SELINUX +- return setcon_raw((security_context_t)data); ++ return setcon_raw(data); + #else + VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); + return EXIT_AM_SKIP; +-- +2.25.4 + diff --git a/libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch b/libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb035030aa5b8315d52e37f90a76f02b66d1d604 --- /dev/null +++ b/libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch @@ -0,0 +1,53 @@ +From cec735e6f4001caa0395eddc9d8a0fe18e97f9eb Mon Sep 17 00:00:00 2001 +From: Xu Yandong +Date: Tue, 4 Aug 2020 08:40:36 +0000 +Subject: [PATCH] conf: Don't format http cookies unless + VIR_DOMAIN_DEF_FORMAT_SECURE is used + +Starting with 3b076391befc3fe72deb0c244ac6c2b4c100b410 +(v6.1.0-122-g3b076391be) we support http cookies. Since they may contain +somewhat sensitive information we should not format them into the XML +unless VIR_DOMAIN_DEF_FORMAT_SECURE is asserted. + +Reported-by: Han Han +Signed-off-by: Peter Krempa +Reviewed-by: Erik Skultety +(cherry-picked from commit a5b064bf4b17a9884d7d361733737fb614ad8979) +Signed-off-by: Xu Yandong +--- + src/conf/domain_conf.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index 914e03c..cf93a59 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -24565,11 +24565,15 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf, + + static void + virDomainDiskSourceFormatNetworkCookies(virBufferPtr buf, +- virStorageSourcePtr src) ++ virStorageSourcePtr src, ++ unsigned int flags) + { + g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf); + size_t i; + ++ if (!(flags & VIR_DOMAIN_DEF_FORMAT_SECURE)) ++ return; ++ + for (i = 0; i < src->ncookies; i++) { + virBufferEscapeString(&childBuf, "", src->cookies[i]->name); + virBufferEscapeString(&childBuf, "%s\n", src->cookies[i]->value); +@@ -24630,7 +24634,7 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf, + virTristateBoolTypeToString(src->sslverify)); + } + +- virDomainDiskSourceFormatNetworkCookies(childBuf, src); ++ virDomainDiskSourceFormatNetworkCookies(childBuf, src, flags); + + if (src->readahead) + virBufferAsprintf(childBuf, "\n", src->readahead); +-- +2.25.4 + diff --git a/libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch b/libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch new file mode 100644 index 0000000000000000000000000000000000000000..53b8078dad5d24a9bce06036c5f04142a9300499 --- /dev/null +++ b/libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch @@ -0,0 +1,40 @@ +From 18c86b74537561ab926f1b5b71a1eea7ae5d0bcb Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 4 Aug 2020 09:09:04 +0000 +Subject: [PATCH] virstoragetest: testBackingParse: Use + VIR_DOMAIN_DEF_FORMAT_SECURE when formatting xml + +We want to format even the secure information in tests. + +Signed-off-by: Peter Krempa +Reviewed-by: Erik Skultety +(cherry-picked from commit 524de6cc35d3b222f0e940bb0fd027f5482572c5) +Signed-off-by: Xu Yandong +--- + tests/virstoragetest.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c +index 6e8ebeb..6d2b21c 100644 +--- a/tests/virstoragetest.c ++++ b/tests/virstoragetest.c +@@ -594,6 +594,7 @@ testBackingParse(const void *args) + g_autoptr(virStorageSource) src = NULL; + int rc; + int erc = data->rv; ++ unsigned int xmlformatflags = VIR_DOMAIN_DEF_FORMAT_SECURE; + + /* expect failure return code with NULL expected data */ + if (!data->expect) +@@ -613,7 +614,7 @@ testBackingParse(const void *args) + return -1; + } + +- if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, 0, true, NULL) < 0 || ++ if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, xmlformatflags, true, NULL) < 0 || + !(xml = virBufferContentAndReset(&buf))) { + fprintf(stderr, "failed to format disk source xml\n"); + return -1; +-- +2.25.4 + diff --git a/libvirt.spec b/libvirt.spec index ce888a39638f08cf9f5d10f4519e0d8d7e09eccc..7601eb9aa26cedc2dc17670e432ef38aa75b139a 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -99,7 +99,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 6.2.0 -Release: 6 +Release: 7 License: LGPLv2+ URL: https://libvirt.org/ @@ -128,6 +128,9 @@ Patch0017: libvirt-virsh-Fix-return-code-for-dump-and-migrate.patch Patch0018: libvirt-virsh-Fix-return-code-for-dump.patch Patch0019: libvirt-cpu-aarch64-enable-host-model-cpu-for-AArch64-archit.patch Patch0020: libvirt-cpu_map-add-kunpeng-920-features-as-known-features.patch +Patch0021: libvirt-Substitute-security_context_t-with-char.patch +Patch0022: libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch +Patch0023: libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1860,6 +1863,8 @@ exit 0 %changelog +* Tue Aug 4 2020 Xu Yandong - 6.2.0-7 +- Substitute security_context_t with char pointer. * Tue May 26 2020 Xu Yandong - 6.2.0-6 - Introduce Kunpeng-920 cpu features. * Wed May 20 2020 Xu Yandong - 6.2.0-5