Version in base suite: 5.0.0-4 Base version: libvirt_5.0.0-4 Target version: libvirt_5.0.0-4+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvirt/libvirt_5.0.0-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvirt/libvirt_5.0.0-4+deb10u1.dsc changelog | 12 ++ patches/apparmor-Allow-run-pygrup.patch | 20 +++ patches/qemu-Drop-qemuFeatureNoEffect.patch | 88 +++++++++++++++ patches/qemu-do-not-define-known-no-op-features.patch | 105 ++++++++++++++++++ patches/series | 3 5 files changed, 228 insertions(+)
diff -Nru libvirt-5.0.0/debian/changelog libvirt-5.0.0/debian/changelog
--- libvirt-5.0.0/debian/changelog 2019-06-17 17:05:40.000000000 +0000
+++ libvirt-5.0.0/debian/changelog 2019-12-04 23:22:14.000000000 +0000
@@ -1,3 +1,15 @@
+libvirt (5.0.0-4+deb10u1) buster; urgency=medium
+
+ [ Tobias Wolter ]
+ * [711f612] apparmor: Allow one to run pygrub
+
+ [ Guido Günther ]
+ * [3bcbf56] Don't render osxsave, ospke into QEMU comman line.
+ This helps newer QEMU with some configs generated by virt-install.
+ Thanks to Michal Arbet for digging out the patches (Closes: #944248)
+
+ -- Guido Günther Thu, 05 Dec 2019 00:22:14 +0100
+
 libvirt (5.0.0-4) unstable; urgency=medium

 * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
diff -Nru libvirt-5.0.0/debian/patches/apparmor-Allow-run-pygrup.patch libvirt-5.0.0/debian/patches/apparmor-Allow-run-pygrup.patch
--- libvirt-5.0.0/debian/patches/apparmor-Allow-run-pygrup.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-5.0.0/debian/patches/apparmor-Allow-run-pygrup.patch 2019-12-04 23:22:14.000000000 +0000
@@ -0,0 +1,20 @@
+From: Tobias Wolter
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrup
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index c7c52c6..477788e 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
++++ b/src/security/apparmor/usr.sbin.libvirtd
+@@ -85,6 +85,7 @@
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
++ /usr/lib/xen-*/bin/pygrub PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
diff -Nru libvirt-5.0.0/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch libvirt-5.0.0/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch
--- libvirt-5.0.0/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-5.0.0/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch 2019-12-04 23:22:14.000000000 +0000
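Review bot: The new rule `/usr/lib/xen-*/bin/pygrub PUx,` lets libvirtd run pygrub unconfined (a dedicated profile is used only if one happens to be installed), and unlike the neighbouring xen helpers pygrub's job is to read the guest's own disk image to find a kernel, so this is the one entry in the list that parses guest-controlled data with no confinement. A profile comment recording that trade-off would help whoever revisits the rule, e.g. `# pygrub parses guest disk images; PUx until a dedicated profile exists`, and a child profile (`Cx`) or a shipped pygrub profile would be the tighter long-term option. The patch file name and its Subject say `pygrup` while the changelog entry says pygrub; worth correcting in series before the next upload.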
@@ -0,0 +1,88 @@
+From: Jiri Denemark
+Date: Thu, 6 Jun 2019 14:39:52 +0200
+Subject: qemu: Drop qemuFeatureNoEffect
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+We already have virQEMUCapsCPUFilterFeatures for filtering features
+which QEMU does not know about. Let's move osxsave and ospke from
+qemuFeatureNoEffect there.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Ján Tomko
+(cherry picked from commit b12865260a0f24ab86ddaf3547b2f2e2c595d429)
+---
+ src/qemu/qemu_capabilities.c | 9 ++++++++-
+ src/qemu/qemu_command.c | 24 ++----------------------
+ 2 files changed, 10 insertions(+), 23 deletions(-)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index f504db7..64203de 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -2748,6 +2748,11 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps,
+ }
+
+
++/*
++ * Filter for features which should never be passed to QEMU. Either because
++ * QEMU never supported them or they were dropped as they never did anything
++ * useful.
++ */
+ bool
+ virQEMUCapsCPUFilterFeatures(const char *name,
+ void *opaque)
+@@ -2759,7 +2764,9 @@ virQEMUCapsCPUFilterFeatures(const char *name,
+
+ if (STREQ(name, "cmt") ||
+ STREQ(name, "mbm_total") ||
+- STREQ(name, "mbm_local"))
++ STREQ(name, "mbm_local") ||
++ STREQ(name, "osxsave") ||
++ STREQ(name, "ospke"))
+ return false;
+
+ return true;
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index dbb3d74..26c28fe 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -6844,27 +6844,6 @@ qemuBuildGlobalControllerCommandLine(virCommandPtr cmd,
+ return 0;
+ }
+
+-/**
+- * qemuFeatureNoEffect:
+- * @feature: CPU Feature
+- *
+- * Returns true, if the feature is known to have (never had) an effect on QEMU.
+- * Those features might be dropped in qemu without a longer deprecation cycle
+- * and must therefore be known e.g. to no more define them on command line.
+- */
+-static bool
+-qemuFeatureNoEffect(virCPUFeatureDefPtr feature)
+-{
+- if (!feature->name)
+- return false;
+-
+- if (STREQ(feature->name, "osxsave"))
+- return true;
+- if (STREQ(feature->name, "ospke"))
+- return true;
+-
+- return false;
+-}
+
+ static int
+ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6933,7 +6912,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+ virBufferAsprintf(buf, ",vendor=%s", cpu->vendor_id);
+
+ for (i = 0; i < cpu->nfeatures; i++) {
+- if (qemuFeatureNoEffect(&(cpu->features[i])))
++ if (!virQEMUCapsCPUFilterFeatures(cpu->features[i].name,
++ (virArch *)&def->os.arch))
+ continue;
+ switch ((virCPUFeaturePolicy) cpu->features[i].policy) {
+ case VIR_CPU_FEATURE_FORCE:
diff -Nru libvirt-5.0.0/debian/patches/qemu-do-not-define-known-no-op-features.patch libvirt-5.0.0/debian/patches/qemu-do-not-define-known-no-op-features.patch
--- libvirt-5.0.0/debian/patches/qemu-do-not-define-known-no-op-features.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-5.0.0/debian/patches/qemu-do-not-define-known-no-op-features.patch 2019-12-04 23:22:14.000000000 +0000
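Review bot: The `continue` in qemuBuildCpuModelArgStr now skips every name that virQEMUCapsCPUFilterFeatures rejects, which per the qemu_capabilities.c hunk is `cmt`, `mbm_total` and `mbm_local` as well as the two names the removed helper handled, so a feature a domain marks `require` or `force` is dropped from the command line with no trace. A comment at the call site would make that deliberate, e.g. `/* drop features QEMU never accepted (cmt, mbm_*, osxsave, ospke) */`, and a `VIR_DEBUG("skipping CPU feature %s", cpu->features[i].name);` before the `continue` would let anyone comparing the domain XML with the spawned command line see why a feature is missing. The removed helper also returned early on a NULL `feature->name`; whether the shared filter tolerates a NULL name is not visible here, since the start of virQEMUCapsCPUFilterFeatures (the arch check) lies outside the hunk. The body of qemuBuildCpuModelArgStr also continues outside the hunk.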
@@ -0,0 +1,105 @@
+From: Christian Ehrhardt
+Date: Thu, 25 Apr 2019 11:04:29 +0200
+Subject: qemu: do not define known no-op features
+
+Qemu dropped cpu features for osxsave and ospke [1][2].
+The reason for the instant removal is that those features were never
+configurable as discussed in [3].
+
+Fortunately the use cases adding those flags in the past are rare, but
+they exist. One that I identified are e.g. older virt-install when used
+with --cpu=host-model and there always could be the case of a user
+adding it to the guest xml.
+
+This triggers an issue like:
+ qemu-system-x86_64: can't apply global Broadwell-noTSX-x86_64-
+ cpu.osxsave=on: Property '.osxsave' not found
+
+Ensure that this does no more break spawning newer qemu versions by
+not rendering those features into the qemu command line.
+
+Fixes: https://bugs.launchpad.net/fedora/+source/qemu/+bug/1825195
+Resolves: https://bugzilla.redhat.com/1644848
+
+[1]: https://git.qemu.org/?p=qemu.git;a=commit;h=f1a2352
+[2]: https://git.qemu.org/?p=qemu.git;a=commit;h=9ccb978
+[3]: https://www.mail-archive.com/qemu-devel@nongnu.org/msg561877.html
+
+Signed-off-by: Christian Ehrhardt
+Reviewed-by: Daniel Henrique Barboza
+Tested-by: Daniel Henrique Barboza
+---
+ src/qemu/qemu_command.c | 23 +++++++++++++++++++++++
+ tests/qemuxml2argvdata/cpu-host-model-cmt.args | 2 +-
+ tests/qemuxml2argvdata/cpu-tsc-frequency.args | 4 ++--
+ 3 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 822d5f8..dbb3d74 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -6844,6 +6844,27 @@ qemuBuildGlobalControllerCommandLine(virCommandPtr cmd,
+ return 0;
+ }
+
++/**
++ * qemuFeatureNoEffect:
++ * @feature: CPU Feature
++ *
++ * Returns true, if the feature is known to have (never had) an effect on QEMU.
++ * Those features might be dropped in qemu without a longer deprecation cycle
++ * and must therefore be known e.g. to no more define them on command line.
++ */
++static bool
++qemuFeatureNoEffect(virCPUFeatureDefPtr feature)
++{
++ if (!feature->name)
++ return false;
++
++ if (STREQ(feature->name, "osxsave"))
++ return true;
++ if (STREQ(feature->name, "ospke"))
++ return true;
++
++ return false;
++}
+
+ static int
+ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6912,6 +6933,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+ virBufferAsprintf(buf, ",vendor=%s", cpu->vendor_id);
+
+ for (i = 0; i < cpu->nfeatures; i++) {
++ if (qemuFeatureNoEffect(&(cpu->features[i])))
++ continue;
+ switch ((virCPUFeaturePolicy) cpu->features[i].policy) {
+ case VIR_CPU_FEATURE_FORCE:
+ case VIR_CPU_FEATURE_REQUIRE:
+diff --git a/tests/qemuxml2argvdata/cpu-host-model-cmt.args b/tests/qemuxml2argvdata/cpu-host-model-cmt.args
+index 8930765..d294e7e 100644
+--- a/tests/qemuxml2argvdata/cpu-host-model-cmt.args
++++ b/tests/qemuxml2argvdata/cpu-host-model-cmt.args
+@@ -9,7 +9,7 @@ QEMU_AUDIO_DRV=none \
+ -S \
+ -machine pc,accel=tcg,usb=off,dump-guest-core=off \
+ -cpu Haswell,+vme,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,\
+-+smx,+est,+tm2,+xtpr,+pdcm,+osxsave,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm \
+++smx,+est,+tm2,+xtpr,+pdcm,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm \
+ -m 214 \
+ -smp 6,sockets=6,cores=1,threads=1 \
+ -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+diff --git a/tests/qemuxml2argvdata/cpu-tsc-frequency.args b/tests/qemuxml2argvdata/cpu-tsc-frequency.args
+index b51c200..fbfe239 100644
+--- a/tests/qemuxml2argvdata/cpu-tsc-frequency.args
++++ b/tests/qemuxml2argvdata/cpu-tsc-frequency.args
+@@ -9,8 +9,8 @@ QEMU_AUDIO_DRV=none \
+ -S \
+ -machine pc,accel=kvm,usb=off,dump-guest-core=off \
+ -cpu Haswell,+vme,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,\
+-+smx,+est,+tm2,+xtpr,+pdcm,+osxsave,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm,\
+-+invtsc,tsc-frequency=3504000000 \
+++smx,+est,+tm2,+xtpr,+pdcm,+f16c,+rdrand,+pdpe1gb,+abm,+lahf_lm,+invtsc,\
++tsc-frequency=3504000000 \
+ -m 214 \
+ -smp 1,sockets=1,cores=1,threads=1 \
+ -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
diff -Nru libvirt-5.0.0/debian/patches/series libvirt-5.0.0/debian/patches/series
--- libvirt-5.0.0/debian/patches/series 2019-06-17 17:05:40.000000000 +0000
+++ libvirt-5.0.0/debian/patches/series 2019-12-04 23:22:14.000000000 +0000
@@ -34,3 +34,6 @@
 security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
 security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
 Include-etc-pki-qemu-in-apparmor.patch
+apparmor-Allow-run-pygrup.patch
+qemu-do-not-define-known-no-op-features.patch
+qemu-Drop-qemuFeatureNoEffect.patch
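Review bot: The doc comment added for qemuFeatureNoEffect says `Returns true, if the feature is known to have (never had) an effect on QEMU`, which reads as the opposite of the code under it, which returns true exactly for the names that have no effect; `Returns true if the feature is known to have no effect on QEMU (it never had one).` would match the implementation. Since the next patch in series, qemu-Drop-qemuFeatureNoEffect.patch, deletes this helper again, the wording only matters if the two patches are ever applied separately, but the stack should still read correctly at each step. The two `.args` updates only show `+osxsave` disappearing from the generated `-cpu` string; nothing in this patch exercises the `ospke` branch, so that path lands untested here.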