Hi,
On Thu, Dec 05, 2019 at 12:56:17PM +0100, Michal Arbet wrote:
> Hi,
>
> Debdiff is empty.
> Please, could you resend?

odd, where did that go. Updated one attached.
 -- Guido

>
> Thanks,
> Michal Arbet ( kevko )
>
> Thu 5. 12. 2019 at 1:01 Guido Günther <a...@sigxcpu.org> wrote:
>
> > Hi,
> > On Wed, Nov 27, 2019 at 05:52:33PM +0100, Guido Günther wrote:
> > > Hi,
> > > On Wed, Nov 27, 2019 at 04:17:13PM +0000, Adam D. Barratt wrote:
> > > > Control: tags -1 -confirmed +moreinfo
> > > >
> > > > Hi,
> > > >
> > > > On 2019-11-27 16:07, Guido Günther wrote:
> > > > > Hi Adam,
> > > > > On Wed, Nov 27, 2019 at 01:21:40PM +0000, Adam D. Barratt wrote:
> > > > > > Control: tags -1 + confirmed
> > > > > >
> > > > > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > > > > I've added a patch from upstream ( sid already included it in new
> > > > > > > version ).
> > > > > > > Check current debdiff in attachment.
> > > > > >
> > > > > > That looks OK, assuming it's been build- and runtime-tested on a
> > > > > > buster system.
> > > > >
> > > > > It would be nice to coordinate such things with the package
> > > > > maintainers. I've had questions regarding these patches which weren't
> > > > > answered yet:
> > > > >
> > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> > > >
> > > > Apologies for that, we tend to assume that people making such requests
> > > > either work on the package or have had that co-ordination discussion
> > > > already.
> > > >
> > > > In this case I'll put the request on hold until we hear back.
> > >
> > > Thanks. I intend to look at the particular issue and fold it into the
> > > update with
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036
> > >
> > > which is still pending.
> >
> > Attached is the debdiff with #933036 included as well. O.k. to upload to
> > stable-p-u?
> > Cheers,
> >  -- Guido
> >
> > > -- Guido
> > > >
> > > > Regards,
> > > >
> > > > Adam
> > > >
> >
diff --git a/debian/changelog b/debian/changelog index 5618e49bd1..3f69690532 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +libvirt (5.0.0-4+deb10u1) buster; urgency=medium + + [ Tobias Wolter ] + * [711f612] apparmor: Allow one to run pygrup + + [ Guido Günther ] + * [3bcbf56] Don't render osxsave, ospke into QEMU comman line. + This helps newer QEMU with some configs generated by virt-install. + Thanks to Michal Arbet for digging out the patches (Closes: #944248) + + -- Guido Günther <a...@sigxcpu.org> Thu, 05 Dec 2019 00:22:14 +0100 + libvirt (5.0.0-4) unstable; urgency=medium * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O diff --git a/debian/patches/apparmor-Allow-run-pygrup.patch b/debian/patches/apparmor-Allow-run-pygrup.patch new file mode 100644 index 0000000000..5678aad517 --- /dev/null +++ b/debian/patches/apparmor-Allow-run-pygrup.patch @@ -0,0 +1,20 @@ +From: Tobias Wolter <t...@b1-systems.de> +Date: Wed, 21 Aug 2019 10:27:05 +0200 +Subject: apparmor: Allow run pygrup + +--- + src/security/apparmor/usr.sbin.libvirtd | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd +index c7c52c6..477788e 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd ++++ b/src/security/apparmor/usr.sbin.libvirtd +@@ -85,6 +85,7 @@ + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, ++ /usr/lib/xen-*/bin/pygrub PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. diff --git a/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch b/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch new file mode 100644 index 0000000000..3890d9646e --- /dev/null +++ b/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch 
@@ -0,0 +1,88 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Thu, 6 Jun 2019 14:39:52 +0200 +Subject: qemu: Drop qemuFeatureNoEffect +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +We already have virQEMUCapsCPUFilterFeatures for filtering features +which QEMU does not know about. Let's move osxsave and ospke from +qemuFeatureNoEffect there. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +(cherry picked from commit b12865260a0f24ab86ddaf3547b2f2e2c595d429) +--- + src/qemu/qemu_capabilities.c | 9 ++++++++- + src/qemu/qemu_command.c | 24 ++---------------------- + 2 files changed, 10 insertions(+), 23 deletions(-) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index f504db7..64203de 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2748,6 +2748,11 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps, + } + + ++/* ++ * Filter for features which should never be passed to QEMU. Either because ++ * QEMU never supported them or they were dropped as they never did anything ++ * useful. ++ */ + bool + virQEMUCapsCPUFilterFeatures(const char *name, + void *opaque) +@@ -2759,7 +2764,9 @@ virQEMUCapsCPUFilterFeatures(const char *name, + + if (STREQ(name, "cmt") || + STREQ(name, "mbm_total") || +- STREQ(name, "mbm_local")) ++ STREQ(name, "mbm_local") || ++ STREQ(name, "osxsave") || ++ STREQ(name, "ospke")) + return false; + + return true; +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index dbb3d74..26c28fe 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -6844,27 +6844,6 @@ qemuBuildGlobalControllerCommandLine(virCommandPtr cmd, + return 0; + } + +-/** +- * qemuFeatureNoEffect: +- * @feature: CPU Feature +- * +- * Returns true, if the feature is known to have (never had) an effect on QEMU. 
+- * Those features might be dropped in qemu without a longer deprecation cycle +- * and must therefore be known e.g. to no more define them on command line. +- */ +-static bool +-qemuFeatureNoEffect(virCPUFeatureDefPtr feature) +-{ +- if (!feature->name) +- return false; +- +- if (STREQ(feature->name, "osxsave")) +- return true; +- if (STREQ(feature->name, "ospke")) +- return true; +- +- return false; +-} + + static int + qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, +@@ -6933,7 +6912,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, + virBufferAsprintf(buf, ",vendor=%s", cpu->vendor_id); + + for (i = 0; i < cpu->nfeatures; i++) { +- if (qemuFeatureNoEffect(&(cpu->features[i]))) ++ if (!virQEMUCapsCPUFilterFeatures(cpu->features[i].name, ++ (virArch *)&def->os.arch)) + continue; + switch ((virCPUFeaturePolicy) cpu->features[i].policy) { + case VIR_CPU_FEATURE_FORCE: diff --git a/debian/patches/qemu-do-not-define-known-no-op-features.patch b/debian/patches/qemu-do-not-define-known-no-op-features.patch new file mode 100644 index 0000000000..18f342076c --- /dev/null +++ b/debian/patches/qemu-do-not-define-known-no-op-features.patch 
@@ -0,0 +1,105 @@ +From: Christian Ehrhardt <christian.ehrha...@canonical.com> +Date: Thu, 25 Apr 2019 11:04:29 +0200 +Subject: qemu: do not define known no-op features + +Qemu dropped cpu features for osxsave and ospke [1][2]. +The reason for the instant removal is that those features were never +configurable as discussed in [3]. + +Fortunately the use cases adding those flags in the past are rare, but +they exist. One that I identified are e.g. older virt-install when used +with --cpu=host-model and there always could be the case of a user +adding it to the guest xml. + +This triggers an issue like: + qemu-system-x86_64: can't apply global Broadwell-noTSX-x86_64- + cpu.osxsave=on: Property '.osxsave' not found + +Ensure that this does no more break spawning newer qemu versions by +not rendering those features into the qemu command line. + +Fixes: https://bugs.launchpad.net/fedora/+source/qemu/+bug/1825195 +Resolves: https://bugzilla.redhat.com/1644848 + +[1]: https://git.qemu.org/?p=qemu.git;a=commit;h=f1a2352 +[2]: https://git.qemu.org/?p=qemu.git;a=commit;h=9ccb978 +[3]: https://www.mail-archive.com/qemu-devel@nongnu.org/msg561877.html + +Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> +Reviewed-by: Daniel Henrique Barboza <danielhb...@gmail.com> +Tested-by: Daniel Henrique Barboza <danielhb...@gmail.com> +--- + src/qemu/qemu_command.c | 23 +++++++++++++++++++++++ + tests/qemuxml2argvdata/cpu-host-model-cmt.args | 2 +- + tests/qemuxml2argvdata/cpu-tsc-frequency.args | 4 ++-- + 3 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 822d5f8..dbb3d74 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -6844,6 +6844,27 @@ qemuBuildGlobalControllerCommandLine(virCommandPtr cmd, + return 0; + } + ++/** ++ * qemuFeatureNoEffect: ++ * @feature: CPU Feature ++ * ++ * Returns true, if the feature is known to have (never had) an effect on QEMU. 
++ * Those features might be dropped in qemu without a longer deprecation cycle ++ * and must therefore be known e.g. to no more define them on command line. ++ */ ++static bool ++qemuFeatureNoEffect(virCPUFeatureDefPtr feature) ++{ ++ if (!feature->name) ++ return false; ++ ++ if (STREQ(feature->name, "osxsave")) ++ return true; ++ if (STREQ(feature->name, "ospke")) ++ return true; ++ ++ return false; ++} + + static int + qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, +@@ -6912,6 +6933,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, + virBufferAsprintf(buf, ",vendor=%s", cpu->vendor_id); + + for (i = 0; i < cpu->nfeatures; i++) { ++ if (qemuFeatureNoEffect(&(cpu->features[i]))) ++ continue; + switch ((virCPUFeaturePolicy) cpu->features[i].policy) { + case VIR_CPU_FEATURE_FORCE: + case VIR_CPU_FEATURE_REQUIRE: +diff --git a/tests/qemuxml2argvdata/cpu-host-model-cmt.args b/tests/qemuxml2argvdata/cpu-host-model-cmt.args +index 8930765..d294e7e 100644 +--- a/tests/qemuxml2argvdata/cpu-host-model-cmt.args ++++ b/tests/qemuxml2argvdata/cpu-host-model-cmt.args +@@ -9,7 +9,7 @@ QEMU_AUDIO_DRV=none \ + -S \ + -machine pc,accel=tcg,usb=off,dump-guest-core=off \ + -cpu Haswell,+vme,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,\ +-+smx,+est,+tm2,+xtpr,+pdcm,+osxsave,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm \ +++smx,+est,+tm2,+xtpr,+pdcm,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm \ + -m 214 \ + -smp 6,sockets=6,cores=1,threads=1 \ + -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +diff --git a/tests/qemuxml2argvdata/cpu-tsc-frequency.args b/tests/qemuxml2argvdata/cpu-tsc-frequency.args +index b51c200..fbfe239 100644 +--- a/tests/qemuxml2argvdata/cpu-tsc-frequency.args ++++ b/tests/qemuxml2argvdata/cpu-tsc-frequency.args +@@ -9,8 +9,8 @@ QEMU_AUDIO_DRV=none \ + -S \ + -machine pc,accel=kvm,usb=off,dump-guest-core=off \ + -cpu Haswell,+vme,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,\ 
+-+smx,+est,+tm2,+xtpr,+pdcm,+osxsave,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm,\ +-+invtsc,tsc-frequency=3504000000 \ +++smx,+est,+tm2,+xtpr,+pdcm,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm,+invtsc,\ ++tsc-frequency=3504000000 \ + -m 214 \ + -smp 1,sockets=1,cores=1,threads=1 \ + -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ diff --git a/debian/patches/series b/debian/patches/series index 3d1d86906d..a2a88c62c9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -34,3 +34,6 @@ security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch Include-etc-pki-qemu-in-apparmor.patch +apparmor-Allow-run-pygrup.patch +qemu-do-not-define-known-no-op-features.patch +qemu-Drop-qemuFeatureNoEffect.patch
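Review bot: the debian/changelog hunk carries two typos that will be published as-is in the buster changelog: "Allow one to run pygrup" should read "pygrub" (the AppArmor rule the patch adds is /usr/lib/xen-*/bin/pygrub), and "QEMU comman line" should read "QEMU command line". The pygrub entry also has no Closes: tag, although the thread says the pending #939036 update is being folded into this upload; if that is the bug the apparmor patch fixes, reference it so the BTS is closed on acceptance. Since the earlier debdiff was accepted on the assumption of build- and runtime-testing on buster, the upload request should state that the enlarged debdiff was re-tested the same way.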
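Review bot: the new rule in apparmor-Allow-run-pygrup.patch, `/usr/lib/xen-*/bin/pygrub PUx,`, lets libvirtd execute pygrub under its own profile if one is loaded and otherwise unconfined (with a scrubbed environment); this matches the adjacent libxl-save-helper rule, but the patch header should say whether a pygrub profile ships on buster, because without one this is an unconfined execution path reachable from a domain start. This patch is also the only one of the three without an upstream reference: add a DEP-3 Origin: line or a "(cherry picked from commit ...)" line if it comes from upstream, or Forwarded: otherwise, and fix "pygrup" in the Subject and the file name to match the path in the rule.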
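Review bot: in qemu-do-not-define-known-no-op-features.patch the `continue` sits before the policy switch in qemuBuildCpuModelArgStr, so osxsave and ospke are dropped from the -cpu string whatever their policy in the guest XML (force, require, optional, disable) and without any log message; that is the intended outcome given QEMU removed the properties, but the changelog entry should say the features are silently ignored rather than rejected. The updated expectations in cpu-host-model-cmt.args and cpu-tsc-frequency.args are the only evidence the filter works, so make sure the buster build actually runs the qemuxml2argv tests instead of skipping them.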
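Review bot: qemu-Drop-qemuFeatureNoEffect.patch deletes the qemuFeatureNoEffect helper that the preceding patch introduces, so the net source change of the pair is the two extra STREQ checks in virQEMUCapsCPUFilterFeatures; carrying both upstream commits is fine for traceability, but the replacement call `virQEMUCapsCPUFilterFeatures(cpu->features[i].name, (virArch *)&def->os.arch)` relies on `def` being in scope in the 5.0.0 version of qemuBuildCpuModelArgStr and casts away const, and the hunk context does not show the function signature, so a clean build on buster is needed to confirm it applies without warnings. The patch header has a stray MIME-Version/Content-Type block from git format-patch that could be trimmed, though quilt ignores it.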
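Review bot: the debian/patches/series hunk lists qemu-do-not-define-known-no-op-features.patch before qemu-Drop-qemuFeatureNoEffect.patch, which is the only order that applies (the index lines 822d5f8..dbb3d74 and dbb3d74..26c28fe in the two patches confirm the second builds on the first); add a comment in series or the changelog so the pair is not reordered or one of them dropped in a later update.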