Rebuild for wireshark soname change rhbz#2031322

Now with missing patches Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-12-13 15:33:14 +00:00 · 2021-12-13 15:21:21 +00:00 · 2021-07-27 14:18:27 -04:00 · 2021-07-02 16:32:25 -04:00 · 2021-06-29 09:51:22 -04:00 · 2021-02-03 14:23:33 -05:00
20 changed files with 1856 additions and 3336 deletions
@@ -0,0 +1,31 @@
+[suppress_function]
+symbol_version_regexp = LIBVIRT_PRIVATE.*
+soname_regexp = libvirt\\.so.*
+
+[suppress_function]
+symbol_version_regexp = LIBVIRT_ADMIN_PRIVATE.*
+soname_regexp = libvirt-admin\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = LIBVIRT_PRIVATE.*
+soname_regexp = libvirt\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = LIBVIRT_ADMIN_PRIVATE.*
+soname_regexp = libvirt-admin\\.so.*
+
+[suppress_function]
+symbol_version_regexp = .*
+soname_regexp = libvirt_storage_.*\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = .*
+soname_regexp = libvirt_storage_.*\\.so.*
+
+[suppress_function]
+symbol_version_regexp = .*
+soname_regexp = libvirt_driver_.*\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = .*
+soname_regexp = libvirt_driver_.*\\.so.*
@@ -2,4 +2,4 @@
 *.rpm
 i686
 x86_64
-libvirt-*.tar.gz
+libvirt-*.tar.xz
@@ -0,0 +1,56 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 21 Jan 2021 16:01:06 -0500
+Subject: [PATCH] build: support explicitly disabling netcf
+
+placing "-Dnetcf=disabled" on the meson commandline was ignored,
+meaning that even with that option the build would get WITH_NETCF if
+the netcf-devel package was found - the only way to disable it was to
+uninstall netcf-devel.
+
+This patch adds the small bit of logic to check the netcf meson
+commandline option (in addition to whether netcf-devel is installed)
+before defining WITH_NETCF.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Neal Gompa <ngompa13@gmail.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 06169a115d46d8870a96d293c2faf6ea87e71020)
+---
+ meson.build | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index b5164f68ed..e9d6d9f82e 100644
+--- a/meson.build
+++ b/meson.build
+@@ -1155,8 +1155,10 @@ libm_dep = cc.find_library('m', required : false)
+ 
+ netcf_version = '0.1.8'
+ netcf_dep = dependency('netcf', version: '>=' + netcf_version, required: get_option('netcf'))
+-if netcf_dep.found()
+-  conf.set('WITH_NETCF', 1)
+if not get_option('netcf').disabled()
+  if netcf_dep.found()
+    conf.set('WITH_NETCF', 1)
+  endif
+ endif
+ 
+ have_gnu_gettext_tools = false
+@@ -1550,7 +1552,7 @@ elif get_option('driver_hyperv').enabled()
+   error('openwsman is required for the Hyper-V driver')
+ endif
+ 
+-if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or netcf_dep.found())
+if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or conf.has('WITH_NETCF'))
+   conf.set('WITH_INTERFACE', 1)
+ elif get_option('driver_interface').enabled()
+   error('Requested the Interface driver without netcf or udev and libvirtd support')
+@@ -2362,7 +2364,7 @@ libs_summary = {
+   'libssh': libssh_dep.found(),
+   'libssh2': libssh2_dep.found(),
+   'libutil': libutil_dep.found(),
+-  'netcf': netcf_dep.found(),
+  'netcf': conf.has('WITH_NETCF'),
+   'NLS': have_gnu_gettext_tools,
+   'numactl': numactl_dep.found(),
+   'openwsman': openwsman_dep.found(),
@@ -1,66 +0,0 @@
-From d519f225d79a61451cfa62b463ea3083e9367353 Mon Sep 17 00:00:00 2001
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Tue, 1 Oct 2013 15:04:48 +0200
-Subject: [PATCH] qemu_hotplug: Allow QoS update in qemuDomainChangeNet
-
-The qemuDomainChangeNet() is called when 'virsh update-device' is
-invoked on a NIC. Currently, we fail to update the QoS even though
-we have routines for that.
-
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-(cherry picked from commit 9fa10d3901a14997f724fe50ad8a33d7f0d23abe)
---
- src/qemu/qemu_hotplug.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
-index f06930e..818c726 100644
--- a/src/qemu/qemu_hotplug.c
-+++ b/src/qemu/qemu_hotplug.c
-@@ -1799,6 +1799,7 @@ qemuDomainChangeNet(virQEMUDriverPtr driver,
-     bool needFilterChange = false;
-     bool needLinkStateChange = false;
-     bool needReplaceDevDef = false;
-+    bool needBandwidthSet = false;
-     int ret = -1;
- 
-     if (!devslot || !(olddev = *devslot)) {
-@@ -2062,8 +2063,6 @@ qemuDomainChangeNet(virQEMUDriverPtr driver,
-         virDomainNetGetActualDirectMode(olddev) != virDomainNetGetActualDirectMode(olddev) ||
-         !virNetDevVPortProfileEqual(virDomainNetGetActualVirtPortProfile(olddev),
-                                     virDomainNetGetActualVirtPortProfile(newdev)) ||
-        !virNetDevBandwidthEqual(virDomainNetGetActualBandwidth(olddev),
-                                 virDomainNetGetActualBandwidth(newdev)) ||
-         !virNetDevVlanEqual(virDomainNetGetActualVlan(olddev),
-                             virDomainNetGetActualVlan(newdev))) {
-         needReconnect = true;
-@@ -2072,6 +2071,10 @@ qemuDomainChangeNet(virQEMUDriverPtr driver,
-     if (olddev->linkstate != newdev->linkstate)
-         needLinkStateChange = true;
- 
-+    if (!virNetDevBandwidthEqual(virDomainNetGetActualBandwidth(olddev),
-+                                 virDomainNetGetActualBandwidth(newdev)))
-+        needBandwidthSet = true;
-+
-     /* FINALLY - actually perform the required actions */
- 
-     if (needReconnect) {
-@@ -2081,6 +2084,18 @@ qemuDomainChangeNet(virQEMUDriverPtr driver,
-         goto cleanup;
-     }
- 
-+    if (needBandwidthSet) {
-+        if (virNetDevBandwidthSet(newdev->ifname,
-+                                  virDomainNetGetActualBandwidth(newdev),
-+                                  false) < 0) {
-+            virReportError(VIR_ERR_INTERNAL_ERROR,
-+                           _("cannot set bandwidth limits on %s"),
-+                           newdev->ifname);
-+            goto cleanup;
-+        }
-+        needReplaceDevDef = true;
-+    }
-+
-     if (needBridgeChange) {
-         if (qemuDomainChangeNetBridge(dom->conn, vm, olddev, newdev) < 0)
-             goto cleanup;
@@ -0,0 +1,72 @@
+From: wangjian <wangjian161@huawei.com>
+Date: Fri, 26 Mar 2021 11:21:16 +0800
+Subject: [PATCH] node_device_udev: Serialize access to pci_get_strings)_
+
+Since the functions provided by libpciaccess are not thread-safe,
+when the udev-event and nodedev-init threads of libvirt call the
+pci_get_strings function provided by libpaciaccess at the same
+time the following can happen:
+
+nodedev-init thread:
+nodeStateInitializeEnumerate ->
+  udevEnumerateDevices->
+    udevProcessDeviceListEntry ->
+      udevAddOneDevice ->
+        udevGetDeviceDetails->
+          udevProcessPCI ->
+            udevTranslatePCIIds ->
+              pci_get_strings -> (libpciaccess)
+                find_device_name ->
+                  populate_vendor ->
+                    d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                    vend->num_devices++;
+
+udev-event thread:
+udevEventHandleThread ->
+  udevHandleOneDevice ->
+    udevAddOneDevice->
+      udevGetDeviceDetails->
+        udevProcessPCI ->
+          udevTranslatePCIIds ->
+            pci_get_strings -> (libpciaccess)
+              find_device_name ->
+                populate_vendor ->
+                  d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                  vend->num_devices++;
+
+Signed-off-by: WangJian <wangjian161@huawei.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 59788a5caea5f292c86e07a31ee2b853d68db87e)
+---
+ src/node_device/node_device_udev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
+index 55a2731681..6f0defe908 100644
+--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
+@@ -328,6 +328,7 @@ udevGenerateDeviceName(struct udev_device *device,
+     return 0;
+ }
+ 
+static virMutex pciaccessMutex = VIR_MUTEX_INITIALIZER;
+ 
+ static int
+ udevTranslatePCIIds(unsigned int vendor,
+@@ -346,12 +347,14 @@ udevTranslatePCIIds(unsigned int vendor,
+     m.device_class_mask = 0;
+     m.match_data = 0;
+ 
+-    /* pci_get_strings returns void */
+    /* pci_get_strings returns void and unfortunately is not thread safe. */
+    virMutexLock(&pciaccessMutex);
+     pci_get_strings(&m,
+                     &device_name,
+                     &vendor_name,
+                     NULL,
+                     NULL);
+    virMutexUnlock(&pciaccessMutex);
+ 
+     *vendor_string = g_strdup(vendor_name);
+     *product_string = g_strdup(device_name);
@@ -1,57 +0,0 @@
-From 658f4b3c39c9bdd490a44175742f8259dd10b84f Mon Sep 17 00:00:00 2001
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Wed, 2 Oct 2013 09:18:02 +0200
-Subject: [PATCH] virNetDevBandwidthEqual: Make it more robust
-
-So far the virNetDevBandwidthEqual() expected both ->in and ->out items
-to be allocated for both @a and @b compared. This is not necessary true
-for all our code. For instance, running 'update-device' twice over a NIC
-with the very same XML results in SIGSEGV-ing in this function.
-
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-(cherry picked from commit ee02fbc8e4a24c1347761ceff2ddb2c108e9611c)
---
- src/util/virnetdevbandwidth.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/virnetdevbandwidth.c b/src/util/virnetdevbandwidth.c
-index 42b0a50..17f4fa3 100644
--- a/src/util/virnetdevbandwidth.c
-+++ b/src/util/virnetdevbandwidth.c
-@@ -335,16 +335,30 @@ virNetDevBandwidthEqual(virNetDevBandwidthPtr a,
-         return false;
- 
-     /* in */
-    if (a->in->average != b->in->average ||
-        a->in->peak != b->in->peak ||
-        a->in->burst != b->in->burst)
-+    if (a->in) {
-+        if (!b->in)
-+            return false;
-+
-+        if (a->in->average != b->in->average ||
-+            a->in->peak != b->in->peak ||
-+            a->in->burst != b->in->burst)
-+            return false;
-+    } else if (b->in) {
-         return false;
-+    }
- 
-     /*out*/
-    if (a->out->average != b->out->average ||
-        a->out->peak != b->out->peak ||
-        a->out->burst != b->out->burst)
-+    if (a->out) {
-+        if (!b->out)
-+            return false;
-+
-+        if (a->out->average != b->out->average ||
-+            a->out->peak != b->out->peak ||
-+            a->out->burst != b->out->burst)
-+            return false;
-+    } else if (b->out) {
-         return false;
-+    }
- 
-     return true;
- }
@@ -1,105 +0,0 @@
-From 56c170544f7a71749ef63fef650c71787c05e8af Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Thu, 3 Oct 2013 14:06:58 +0100
-Subject: [PATCH] Remove virConnectPtr arg from virNWFilterDefParse*
-
-None of the virNWFilterDefParse* methods require a virConnectPtr
-arg, so just drop it
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
- src/conf/nwfilter_conf.c       | 15 ++++++---------
- src/conf/nwfilter_conf.h       |  6 ++----
- src/nwfilter/nwfilter_driver.c |  2 +-
- tests/nwfilterxml2xmltest.c    |  2 +-
- 4 files changed, 10 insertions(+), 15 deletions(-)
-
-diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
-index 3456b77..c009921 100644
--- a/src/conf/nwfilter_conf.c
-+++ b/src/conf/nwfilter_conf.c
-@@ -2634,8 +2634,7 @@ cleanup:
- 
- 
- static virNWFilterDefPtr
-virNWFilterDefParse(virConnectPtr conn ATTRIBUTE_UNUSED,
-                    const char *xmlStr,
-+virNWFilterDefParse(const char *xmlStr,
-                     const char *filename) {
-     virNWFilterDefPtr def = NULL;
-     xmlDocPtr xml;
-@@ -2650,18 +2649,16 @@ virNWFilterDefParse(virConnectPtr conn ATTRIBUTE_UNUSED,
- 
- 
- virNWFilterDefPtr
-virNWFilterDefParseString(virConnectPtr conn,
-                          const char *xmlStr)
-+virNWFilterDefParseString(const char *xmlStr)
- {
-    return virNWFilterDefParse(conn, xmlStr, NULL);
-+    return virNWFilterDefParse(xmlStr, NULL);
- }
- 
- 
- virNWFilterDefPtr
-virNWFilterDefParseFile(virConnectPtr conn,
-                        const char *filename)
-+virNWFilterDefParseFile(const char *filename)
- {
-    return virNWFilterDefParse(conn, NULL, filename);
-+    return virNWFilterDefParse(NULL, filename);
- }
- 
- 
-@@ -3056,7 +3053,7 @@ virNWFilterObjLoad(virConnectPtr conn,
-     virNWFilterDefPtr def;
-     virNWFilterObjPtr nwfilter;
- 
-    if (!(def = virNWFilterDefParseFile(conn, path))) {
-+    if (!(def = virNWFilterDefParseFile(path))) {
-         return NULL;
-     }
- 
-diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
-index 5d04cff..faa7527 100644
--- a/src/conf/nwfilter_conf.h
-+++ b/src/conf/nwfilter_conf.h
-@@ -713,10 +713,8 @@ int virNWFilterLoadAllConfigs(virConnectPtr conn,
- char *virNWFilterConfigFile(const char *dir,
-                             const char *name);
- 
-virNWFilterDefPtr virNWFilterDefParseString(virConnectPtr conn,
-                                            const char *xml);
-virNWFilterDefPtr virNWFilterDefParseFile(virConnectPtr conn,
-                                          const char *filename);
-+virNWFilterDefPtr virNWFilterDefParseString(const char *xml);
-+virNWFilterDefPtr virNWFilterDefParseFile(const char *filename);
- 
- void virNWFilterObjLock(virNWFilterObjPtr obj);
- void virNWFilterObjUnlock(virNWFilterObjPtr obj);
-diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
-index 1ed28a2..c2afdfc 100644
--- a/src/nwfilter/nwfilter_driver.c
-+++ b/src/nwfilter/nwfilter_driver.c
-@@ -566,7 +566,7 @@ nwfilterDefineXML(virConnectPtr conn,
-     nwfilterDriverLock(driver);
-     virNWFilterCallbackDriversLock();
- 
-    if (!(def = virNWFilterDefParseString(conn, xml)))
-+    if (!(def = virNWFilterDefParseString(xml)))
-         goto cleanup;
- 
-     if (virNWFilterDefineXMLEnsureACL(conn, def) < 0)
-diff --git a/tests/nwfilterxml2xmltest.c b/tests/nwfilterxml2xmltest.c
-index 84e61da..14191a6 100644
--- a/tests/nwfilterxml2xmltest.c
-+++ b/tests/nwfilterxml2xmltest.c
-@@ -36,7 +36,7 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml,
- 
-     virResetLastError();
- 
-    if (!(dev = virNWFilterDefParseString(NULL, inXmlData))) {
-+    if (!(dev = virNWFilterDefParseString(inXmlData))) {
-         if (expect_error) {
-             virResetLastError();
-             goto done;
@@ -0,0 +1,53 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 24 Jun 2021 16:58:09 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Don't drop CAP_SETPCAP right away
+
+There are few cases where we execute a virCommand with all caps
+cleared (virCommandClearCaps()). For instance
+dnsmasqCapsRefreshInternal() does just that. This means, that
+after fork() and before exec() the virSetUIDGIDWithCaps() is
+called. But since the caller did not want to change anything,
+just drop capabilities, these are the values of arguments:
+
+  virSetUIDGIDWithCaps (uid=-1, gid=-1, groups=0x0, ngroups=0,
+                        capBits=0, clearExistingCaps=true)
+
+This means that indeed all capabilities will be dropped,
+including CAP_SETPCAP. But this capability controls whether
+capabilities can be set, IOW whether capng_apply() succeeds.
+
+There are two calls of capng_apply() in the function. The
+CAP_SETPCAP is dropped after the first call and thus the other
+call (capng_apply(CAPNG_SELECT_BOUNDS);) fails.
+
+The solution is to keep the capability for as long as needed
+(just like CAP_SETGID and CAP_SETUID) and drop it only at the
+very end (just like CAP_SETGID and CAP_SETUID).
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949388
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 438b50dda8a863fdc988e9ab612f097cc1626e8a)
+---
+ src/util/virutil.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index a0cd0f1bcd..7ae23a7061 100644
+--- a/src/util/virutil.c
+++ b/src/util/virutil.c
+@@ -1202,12 +1202,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+     }
+ # ifdef PR_CAPBSET_DROP
+     /* If newer kernel, we need also need setpcap to change the bounding set */
+-    if ((capBits || need_setgid || need_setuid) &&
+-        !capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+    if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+         need_setpcap = true;
+-    }
+-    if (need_setpcap)
+         capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
+    }
+ # endif
+ 
+     /* Tell system we want to keep caps across uid change */
@@ -1,355 +0,0 @@
-From 0a5abfb22d5d030cc3780c44b805b5b92567b44a Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Thu, 3 Oct 2013 14:06:59 +0100
-Subject: [PATCH] Don't pass virConnectPtr in nwfilter 'struct
- domUpdateCBStruct'
-
-The nwfilter driver only needs a reference to its private
-state object, not a full virConnectPtr. Update the domUpdateCBStruct
-struct to have a 'void *opaque' field instead of a virConnectPtr.
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
- src/conf/nwfilter_conf.c               | 14 +++++++++++---
- src/conf/nwfilter_conf.h               |  4 ++--
- src/nwfilter/nwfilter_dhcpsnoop.c      | 12 ++++++------
- src/nwfilter/nwfilter_driver.c         |  5 +++--
- src/nwfilter/nwfilter_gentech_driver.c | 32 ++++++++++++++++----------------
- src/nwfilter/nwfilter_gentech_driver.h | 10 +++++-----
- src/nwfilter/nwfilter_learnipaddr.c    |  6 +++---
- 7 files changed, 46 insertions(+), 37 deletions(-)
-
-diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
-index c009921..9927f7e 100644
--- a/src/conf/nwfilter_conf.c
-+++ b/src/conf/nwfilter_conf.c
-@@ -2850,6 +2850,7 @@ virNWFilterCallbackDriversUnlock(void)
- 
- 
- static virDomainObjListIterator virNWFilterDomainFWUpdateCB;
-+static void *virNWFilterDomainFWUpdateOpaque;
- 
- /**
-  * virNWFilterInstFiltersOnAllVMs:
-@@ -2861,7 +2862,7 @@ virNWFilterInstFiltersOnAllVMs(virConnectPtr conn)
- {
-     size_t i;
-     struct domUpdateCBStruct cb = {
-        .conn = conn,
-+        .opaque = virNWFilterDomainFWUpdateOpaque,
-         .step = STEP_APPLY_CURRENT,
-         .skipInterfaces = NULL, /* not needed */
-     };
-@@ -2880,7 +2881,7 @@ virNWFilterTriggerVMFilterRebuild(virConnectPtr conn)
-     size_t i;
-     int ret = 0;
-     struct domUpdateCBStruct cb = {
-        .conn = conn,
-+        .opaque = virNWFilterDomainFWUpdateOpaque,
-         .step = STEP_APPLY_NEW,
-         .skipInterfaces = virHashCreate(0, NULL),
-     };
-@@ -3474,9 +3475,14 @@ char *virNWFilterConfigFile(const char *dir,
- }
- 
- 
-int virNWFilterConfLayerInit(virDomainObjListIterator domUpdateCB)
-+int virNWFilterConfLayerInit(virDomainObjListIterator domUpdateCB,
-+                             void *opaque)
- {
-+    if (initialized)
-+        return -1;
-+
-     virNWFilterDomainFWUpdateCB = domUpdateCB;
-+    virNWFilterDomainFWUpdateOpaque = opaque;
- 
-     initialized = true;
- 
-@@ -3495,6 +3501,8 @@ void virNWFilterConfLayerShutdown(void)
-     virMutexDestroy(&updateMutex);
- 
-     initialized = false;
-+    virNWFilterDomainFWUpdateOpaque = NULL;
-+    virNWFilterDomainFWUpdateCB = NULL;
- }
- 
- 
-diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
-index faa7527..e470615 100644
--- a/src/conf/nwfilter_conf.h
-+++ b/src/conf/nwfilter_conf.h
-@@ -586,7 +586,7 @@ enum UpdateStep {
- };
- 
- struct domUpdateCBStruct {
-    virConnectPtr conn;
-+    void *opaque;
-     enum UpdateStep step;
-     virHashTablePtr skipInterfaces;
- };
-@@ -722,7 +722,7 @@ void virNWFilterObjUnlock(virNWFilterObjPtr obj);
- void virNWFilterLockFilterUpdates(void);
- void virNWFilterUnlockFilterUpdates(void);
- 
-int virNWFilterConfLayerInit(virDomainObjListIterator domUpdateCB);
-+int virNWFilterConfLayerInit(virDomainObjListIterator domUpdateCB, void *opaque);
- void virNWFilterConfLayerShutdown(void);
- 
- int virNWFilterInstFiltersOnAllVMs(virConnectPtr conn);
-diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
-index 3e9f046..2bc1686 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
-+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
-@@ -481,15 +481,15 @@ virNWFilterSnoopIPLeaseInstallRule(virNWFilterSnoopIPLeasePtr ipl,
-     /* instantiate the filters */
- 
-     if (req->ifname)
-        rc = virNWFilterInstantiateFilterLate(NULL,
-+        rc = virNWFilterInstantiateFilterLate(req->driver,
-+                                              NULL,
-                                               req->ifname,
-                                               req->ifindex,
-                                               req->linkdev,
-                                               req->nettype,
-                                               &req->macaddr,
-                                               req->filtername,
-                                              req->vars,
-                                              req->driver);
-+                                              req->vars);
- 
- exit_snooprequnlock:
-     virNWFilterSnoopReqUnlock(req);
-@@ -867,15 +867,15 @@ virNWFilterSnoopReqLeaseDel(virNWFilterSnoopReqPtr req,
-         goto skip_instantiate;
- 
-     if (ipAddrLeft) {
-        ret = virNWFilterInstantiateFilterLate(NULL,
-+        ret = virNWFilterInstantiateFilterLate(req->driver,
-+                                               NULL,
-                                                req->ifname,
-                                                req->ifindex,
-                                                req->linkdev,
-                                                req->nettype,
-                                                &req->macaddr,
-                                                req->filtername,
-                                               req->vars,
-                                               req->driver);
-+                                               req->vars);
-     } else {
-         const virNWFilterVarValuePtr dhcpsrvrs =
-             virHashLookup(req->vars->hashTable, NWFILTER_VARNAME_DHCPSERVER);
-diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
-index c2afdfc..6e20e03 100644
--- a/src/nwfilter/nwfilter_driver.c
-+++ b/src/nwfilter/nwfilter_driver.c
-@@ -203,7 +203,8 @@ nwfilterStateInitialize(bool privileged,
- 
-     virNWFilterTechDriversInit(privileged);
- 
-    if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0)
-+    if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB,
-+                                 driverState) < 0)
-         goto err_techdrivers_shutdown;
- 
-     /*
-@@ -681,7 +682,7 @@ nwfilterInstantiateFilter(virConnectPtr conn,
-                           const unsigned char *vmuuid,
-                           virDomainNetDefPtr net)
- {
-    return virNWFilterInstantiateFilter(conn, vmuuid, net);
-+    return virNWFilterInstantiateFilter(conn->nwfilterPrivateData, vmuuid, net);
- }
- 
- 
-diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c
-index 382d73f..5961165 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
-+++ b/src/nwfilter/nwfilter_gentech_driver.c
-@@ -800,7 +800,8 @@ err_unresolvable_vars:
-  * Call this function while holding the NWFilter filter update lock
-  */
- static int
-__virNWFilterInstantiateFilter(const unsigned char *vmuuid,
-+__virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
-+                               const unsigned char *vmuuid,
-                                bool teardownOld,
-                                const char *ifname,
-                                int ifindex,
-@@ -810,7 +811,6 @@ __virNWFilterInstantiateFilter(const unsigned char *vmuuid,
-                                const char *filtername,
-                                virNWFilterHashTablePtr filterparams,
-                                enum instCase useNewFilter,
-                               virNWFilterDriverStatePtr driver,
-                                bool forceWithPendingReq,
-                                bool *foundNewFilter)
- {
-@@ -921,7 +921,7 @@ err_exit:
- 
- 
- static int
-_virNWFilterInstantiateFilter(virConnectPtr conn,
-+_virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
-                               const unsigned char *vmuuid,
-                               const virDomainNetDefPtr net,
-                               bool teardownOld,
-@@ -948,7 +948,8 @@ _virNWFilterInstantiateFilter(virConnectPtr conn,
-         goto cleanup;
-     }
- 
-    rc = __virNWFilterInstantiateFilter(vmuuid,
-+    rc = __virNWFilterInstantiateFilter(driver,
-+                                        vmuuid,
-                                         teardownOld,
-                                         net->ifname,
-                                         ifindex,
-@@ -958,7 +959,6 @@ _virNWFilterInstantiateFilter(virConnectPtr conn,
-                                         net->filter,
-                                         net->filterparams,
-                                         useNewFilter,
-                                        conn->nwfilterPrivateData,
-                                         false,
-                                         foundNewFilter);
- 
-@@ -970,22 +970,23 @@ cleanup:
- 
- 
- int
-virNWFilterInstantiateFilterLate(const unsigned char *vmuuid,
-+virNWFilterInstantiateFilterLate(virNWFilterDriverStatePtr driver,
-+                                 const unsigned char *vmuuid,
-                                  const char *ifname,
-                                  int ifindex,
-                                  const char *linkdev,
-                                  enum virDomainNetType nettype,
-                                  const virMacAddrPtr macaddr,
-                                  const char *filtername,
-                                 virNWFilterHashTablePtr filterparams,
-                                 virNWFilterDriverStatePtr driver)
-+                                 virNWFilterHashTablePtr filterparams)
- {
-     int rc;
-     bool foundNewFilter = false;
- 
-     virNWFilterLockFilterUpdates();
- 
-    rc = __virNWFilterInstantiateFilter(vmuuid,
-+    rc = __virNWFilterInstantiateFilter(driver,
-+                                        vmuuid,
-                                         true,
-                                         ifname,
-                                         ifindex,
-@@ -995,7 +996,6 @@ virNWFilterInstantiateFilterLate(const unsigned char *vmuuid,
-                                         filtername,
-                                         filterparams,
-                                         INSTANTIATE_ALWAYS,
-                                        driver,
-                                         true,
-                                         &foundNewFilter);
-     if (rc < 0) {
-@@ -1015,13 +1015,13 @@ virNWFilterInstantiateFilterLate(const unsigned char *vmuuid,
- 
- 
- int
-virNWFilterInstantiateFilter(virConnectPtr conn,
-+virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
-                              const unsigned char *vmuuid,
-                              const virDomainNetDefPtr net)
- {
-     bool foundNewFilter = false;
- 
-    return _virNWFilterInstantiateFilter(conn, vmuuid, net,
-+    return _virNWFilterInstantiateFilter(driver, vmuuid, net,
-                                          1,
-                                          INSTANTIATE_ALWAYS,
-                                          &foundNewFilter);
-@@ -1029,14 +1029,14 @@ virNWFilterInstantiateFilter(virConnectPtr conn,
- 
- 
- int
-virNWFilterUpdateInstantiateFilter(virConnectPtr conn,
-+virNWFilterUpdateInstantiateFilter(virNWFilterDriverStatePtr driver,
-                                    const unsigned char *vmuuid,
-                                    const virDomainNetDefPtr net,
-                                    bool *skipIface)
- {
-     bool foundNewFilter = false;
- 
-    int rc = _virNWFilterInstantiateFilter(conn, vmuuid, net,
-+    int rc = _virNWFilterInstantiateFilter(driver, vmuuid, net,
-                                            0,
-                                            INSTANTIATE_FOLLOW_NEWFILTER,
-                                            &foundNewFilter);
-@@ -1154,7 +1154,7 @@ virNWFilterDomainFWUpdateCB(virDomainObjPtr obj,
-             if ((net->filter) && (net->ifname)) {
-                 switch (cb->step) {
-                 case STEP_APPLY_NEW:
-                    ret = virNWFilterUpdateInstantiateFilter(cb->conn,
-+                    ret = virNWFilterUpdateInstantiateFilter(cb->opaque,
-                                                              vm->uuid,
-                                                              net,
-                                                              &skipIface);
-@@ -1179,7 +1179,7 @@ virNWFilterDomainFWUpdateCB(virDomainObjPtr obj,
-                     break;
- 
-                 case STEP_APPLY_CURRENT:
-                    ret = virNWFilterInstantiateFilter(cb->conn,
-+                    ret = virNWFilterInstantiateFilter(cb->opaque,
-                                                        vm->uuid,
-                                                        net);
-                     if (ret)
-diff --git a/src/nwfilter/nwfilter_gentech_driver.h b/src/nwfilter/nwfilter_gentech_driver.h
-index 4b47b4a..8528e2a 100644
--- a/src/nwfilter/nwfilter_gentech_driver.h
-+++ b/src/nwfilter/nwfilter_gentech_driver.h
-@@ -39,23 +39,23 @@ enum instCase {
- };
- 
- 
-int virNWFilterInstantiateFilter(virConnectPtr conn,
-+int virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
-                                  const unsigned char *vmuuid,
-                                  const virDomainNetDefPtr net);
-int virNWFilterUpdateInstantiateFilter(virConnectPtr conn,
-+int virNWFilterUpdateInstantiateFilter(virNWFilterDriverStatePtr driver,
-                                        const unsigned char *vmuuid,
-                                        const virDomainNetDefPtr net,
-                                        bool *skipIface);
- 
-int virNWFilterInstantiateFilterLate(const unsigned char *vmuuid,
-+int virNWFilterInstantiateFilterLate(virNWFilterDriverStatePtr driver,
-+                                     const unsigned char *vmuuid,
-                                      const char *ifname,
-                                      int ifindex,
-                                      const char *linkdev,
-                                      enum virDomainNetType nettype,
-                                      const virMacAddrPtr macaddr,
-                                      const char *filtername,
-                                     virNWFilterHashTablePtr filterparams,
-                                     virNWFilterDriverStatePtr driver);
-+                                     virNWFilterHashTablePtr filterparams);
- 
- int virNWFilterTeardownFilter(const virDomainNetDefPtr net);
- 
-diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
-index 7e67203..093158a 100644
--- a/src/nwfilter/nwfilter_learnipaddr.c
-+++ b/src/nwfilter/nwfilter_learnipaddr.c
-@@ -612,15 +612,15 @@ learnIPAddressThread(void *arg)
-                           "cache for interface %s"), inetaddr, req->ifname);
-             }
- 
-            ret = virNWFilterInstantiateFilterLate(NULL,
-+            ret = virNWFilterInstantiateFilterLate(req->driver,
-+                                                   NULL,
-                                                    req->ifname,
-                                                    req->ifindex,
-                                                    req->linkdev,
-                                                    req->nettype,
-                                                    &req->macaddr,
-                                                    req->filtername,
-                                                   req->filterparams,
-                                                   req->driver);
-+                                                   req->filterparams);
-             VIR_DEBUG("Result from applying firewall rules on "
-                       "%s with IP addr %s : %d\n", req->ifname, inetaddr, ret);
-         }
@@ -0,0 +1,51 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 2fc6ef2616..61a871ec3d 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -389,7 +389,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
@@ -1,382 +0,0 @@
-From 1766db28533e2b5a96792aa0811e5364e0bb54d4 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Thu, 3 Oct 2013 14:07:00 +0100
-Subject: [PATCH] Remove use of virConnectPtr from all remaining nwfilter code
-
-The virConnectPtr is passed around loads of nwfilter code in
-order to provide it as a parameter to the callback registered
-by the virt drivers. None of the virt drivers use this param
-though, so it serves no purpose.
-
-Avoiding the need to pass a virConnectPtr means that the
-nwfilterStateReload method no longer needs to open a bogus
-QEMU driver connection. This addresses a race condition that
-can lead to a crash on startup.
-
-The nwfilter driver starts before the QEMU driver and registers
-some callbacks with DBus to detect firewalld reload. If the
-firewalld reload happens while the QEMU driver is still starting
-up though, the nwfilterStateReload method will open a connection
-to the partially initialized QEMU driver and cause a crash.
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
- src/conf/nwfilter_conf.c       | 49 ++++++++++++++++--------------------------
- src/conf/nwfilter_conf.h       | 14 +++++-------
- src/lxc/lxc_driver.c           |  3 +--
- src/nwfilter/nwfilter_driver.c | 42 ++++++++++++++----------------------
- src/qemu/qemu_driver.c         |  3 +--
- src/uml/uml_driver.c           |  3 +--
- 6 files changed, 43 insertions(+), 71 deletions(-)
-
-diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
-index 9927f7e..7152aae 100644
--- a/src/conf/nwfilter_conf.c
-+++ b/src/conf/nwfilter_conf.c
-@@ -2744,8 +2744,7 @@ cleanup:
- 
- 
- static int
-_virNWFilterDefLoopDetect(virConnectPtr conn,
-                          virNWFilterObjListPtr nwfilters,
-+_virNWFilterDefLoopDetect(virNWFilterObjListPtr nwfilters,
-                           virNWFilterDefPtr def,
-                           const char *filtername)
- {
-@@ -2769,7 +2768,7 @@ _virNWFilterDefLoopDetect(virConnectPtr conn,
-             obj = virNWFilterObjFindByName(nwfilters,
-                                            entry->include->filterref);
-             if (obj) {
-                rc = _virNWFilterDefLoopDetect(conn, nwfilters,
-+                rc = _virNWFilterDefLoopDetect(nwfilters,
-                                                obj->def, filtername);
- 
-                 virNWFilterObjUnlock(obj);
-@@ -2785,7 +2784,6 @@ _virNWFilterDefLoopDetect(virConnectPtr conn,
- 
- /*
-  * virNWFilterDefLoopDetect:
- * @conn: pointer to virConnect object
-  * @nwfilters : the nwfilters to search
-  * @def : the filter definition that may add a loop and is to be tested
-  *
-@@ -2795,11 +2793,10 @@ _virNWFilterDefLoopDetect(virConnectPtr conn,
-  * Returns 0 in case no loop was detected, -1 otherwise.
-  */
- static int
-virNWFilterDefLoopDetect(virConnectPtr conn,
-                         virNWFilterObjListPtr nwfilters,
-+virNWFilterDefLoopDetect(virNWFilterObjListPtr nwfilters,
-                          virNWFilterDefPtr def)
- {
-    return _virNWFilterDefLoopDetect(conn, nwfilters, def, def->name);
-+    return _virNWFilterDefLoopDetect(nwfilters, def, def->name);
- }
- 
- int nCallbackDriver;
-@@ -2858,7 +2855,7 @@ static void *virNWFilterDomainFWUpdateOpaque;
-  * error. This should be called upon reloading of the driver.
-  */
- int
-virNWFilterInstFiltersOnAllVMs(virConnectPtr conn)
-+virNWFilterInstFiltersOnAllVMs(void)
- {
-     size_t i;
-     struct domUpdateCBStruct cb = {
-@@ -2868,15 +2865,14 @@ virNWFilterInstFiltersOnAllVMs(virConnectPtr conn)
-     };
- 
-     for (i = 0; i < nCallbackDriver; i++)
-        callbackDrvArray[i]->vmFilterRebuild(conn,
-                                             virNWFilterDomainFWUpdateCB,
-+        callbackDrvArray[i]->vmFilterRebuild(virNWFilterDomainFWUpdateCB,
-                                              &cb);
- 
-     return 0;
- }
- 
- static int
-virNWFilterTriggerVMFilterRebuild(virConnectPtr conn)
-+virNWFilterTriggerVMFilterRebuild(void)
- {
-     size_t i;
-     int ret = 0;
-@@ -2890,8 +2886,7 @@ virNWFilterTriggerVMFilterRebuild(virConnectPtr conn)
-         return -1;
- 
-     for (i = 0; i < nCallbackDriver; i++) {
-        if (callbackDrvArray[i]->vmFilterRebuild(conn,
-                                                 virNWFilterDomainFWUpdateCB,
-+        if (callbackDrvArray[i]->vmFilterRebuild(virNWFilterDomainFWUpdateCB,
-                                                  &cb) < 0)
-             ret = -1;
-     }
-@@ -2900,15 +2895,13 @@ virNWFilterTriggerVMFilterRebuild(virConnectPtr conn)
-         cb.step = STEP_TEAR_NEW; /* rollback */
- 
-         for (i = 0; i < nCallbackDriver; i++)
-            callbackDrvArray[i]->vmFilterRebuild(conn,
-                                                 virNWFilterDomainFWUpdateCB,
-+            callbackDrvArray[i]->vmFilterRebuild(virNWFilterDomainFWUpdateCB,
-                                                  &cb);
-     } else {
-         cb.step = STEP_TEAR_OLD; /* switch over */
- 
-         for (i = 0; i < nCallbackDriver; i++)
-            callbackDrvArray[i]->vmFilterRebuild(conn,
-                                                 virNWFilterDomainFWUpdateCB,
-+            callbackDrvArray[i]->vmFilterRebuild(virNWFilterDomainFWUpdateCB,
-                                                  &cb);
-     }
- 
-@@ -2919,14 +2912,13 @@ virNWFilterTriggerVMFilterRebuild(virConnectPtr conn)
- 
- 
- int
-virNWFilterTestUnassignDef(virConnectPtr conn,
-                           virNWFilterObjPtr nwfilter)
-+virNWFilterTestUnassignDef(virNWFilterObjPtr nwfilter)
- {
-     int rc = 0;
- 
-     nwfilter->wantRemoved = 1;
-     /* trigger the update on VMs referencing the filter */
-    if (virNWFilterTriggerVMFilterRebuild(conn))
-+    if (virNWFilterTriggerVMFilterRebuild())
-         rc = -1;
- 
-     nwfilter->wantRemoved = 0;
-@@ -2965,8 +2957,7 @@ cleanup:
- }
- 
- virNWFilterObjPtr
-virNWFilterObjAssignDef(virConnectPtr conn,
-                        virNWFilterObjListPtr nwfilters,
-+virNWFilterObjAssignDef(virNWFilterObjListPtr nwfilters,
-                         virNWFilterDefPtr def)
- {
-     virNWFilterObjPtr nwfilter;
-@@ -2985,7 +2976,7 @@ virNWFilterObjAssignDef(virConnectPtr conn,
-         virNWFilterObjUnlock(nwfilter);
-     }
- 
-    if (virNWFilterDefLoopDetect(conn, nwfilters, def) < 0) {
-+    if (virNWFilterDefLoopDetect(nwfilters, def) < 0) {
-         virReportError(VIR_ERR_OPERATION_FAILED,
-                        "%s", _("filter would introduce a loop"));
-         return NULL;
-@@ -3004,7 +2995,7 @@ virNWFilterObjAssignDef(virConnectPtr conn,
- 
-         nwfilter->newDef = def;
-         /* trigger the update on VMs referencing the filter */
-        if (virNWFilterTriggerVMFilterRebuild(conn)) {
-+        if (virNWFilterTriggerVMFilterRebuild()) {
-             nwfilter->newDef = NULL;
-             virNWFilterUnlockFilterUpdates();
-             virNWFilterObjUnlock(nwfilter);
-@@ -3046,8 +3037,7 @@ virNWFilterObjAssignDef(virConnectPtr conn,
- 
- 
- static virNWFilterObjPtr
-virNWFilterObjLoad(virConnectPtr conn,
-                   virNWFilterObjListPtr nwfilters,
-+virNWFilterObjLoad(virNWFilterObjListPtr nwfilters,
-                    const char *file,
-                    const char *path)
- {
-@@ -3066,7 +3056,7 @@ virNWFilterObjLoad(virConnectPtr conn,
-         return NULL;
-     }
- 
-    if (!(nwfilter = virNWFilterObjAssignDef(conn, nwfilters, def))) {
-+    if (!(nwfilter = virNWFilterObjAssignDef(nwfilters, def))) {
-         virNWFilterDefFree(def);
-         return NULL;
-     }
-@@ -3082,8 +3072,7 @@ virNWFilterObjLoad(virConnectPtr conn,
- 
- 
- int
-virNWFilterLoadAllConfigs(virConnectPtr conn,
-                          virNWFilterObjListPtr nwfilters,
-+virNWFilterLoadAllConfigs(virNWFilterObjListPtr nwfilters,
-                           const char *configDir)
- {
-     DIR *dir;
-@@ -3111,7 +3100,7 @@ virNWFilterLoadAllConfigs(virConnectPtr conn,
-         if (!(path = virFileBuildPath(configDir, entry->d_name, NULL)))
-             continue;
- 
-        nwfilter = virNWFilterObjLoad(conn, nwfilters, entry->d_name, path);
-+        nwfilter = virNWFilterObjLoad(nwfilters, entry->d_name, path);
-         if (nwfilter)
-             virNWFilterObjUnlock(nwfilter);
- 
-diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
-index e470615..29906f1 100644
--- a/src/conf/nwfilter_conf.h
-+++ b/src/conf/nwfilter_conf.h
-@@ -687,12 +687,10 @@ int virNWFilterObjSaveDef(virNWFilterDriverStatePtr driver,
- 
- int virNWFilterObjDeleteDef(virNWFilterObjPtr nwfilter);
- 
-virNWFilterObjPtr virNWFilterObjAssignDef(virConnectPtr conn,
-                                          virNWFilterObjListPtr nwfilters,
-+virNWFilterObjPtr virNWFilterObjAssignDef(virNWFilterObjListPtr nwfilters,
-                                           virNWFilterDefPtr def);
- 
-int virNWFilterTestUnassignDef(virConnectPtr conn,
-                               virNWFilterObjPtr nwfilter);
-+int virNWFilterTestUnassignDef(virNWFilterObjPtr nwfilter);
- 
- virNWFilterDefPtr virNWFilterDefParseNode(xmlDocPtr xml,
-                                           xmlNodePtr root);
-@@ -706,8 +704,7 @@ int virNWFilterSaveXML(const char *configDir,
- int virNWFilterSaveConfig(const char *configDir,
-                           virNWFilterDefPtr def);
- 
-int virNWFilterLoadAllConfigs(virConnectPtr conn,
-                              virNWFilterObjListPtr nwfilters,
-+int virNWFilterLoadAllConfigs(virNWFilterObjListPtr nwfilters,
-                               const char *configDir);
- 
- char *virNWFilterConfigFile(const char *dir,
-@@ -725,11 +722,10 @@ void virNWFilterUnlockFilterUpdates(void);
- int virNWFilterConfLayerInit(virDomainObjListIterator domUpdateCB, void *opaque);
- void virNWFilterConfLayerShutdown(void);
- 
-int virNWFilterInstFiltersOnAllVMs(virConnectPtr conn);
-+int virNWFilterInstFiltersOnAllVMs(void);
- 
- 
-typedef int (*virNWFilterRebuild)(virConnectPtr conn,
-                                  virDomainObjListIterator domUpdateCB,
-+typedef int (*virNWFilterRebuild)(virDomainObjListIterator domUpdateCB,
-                                   void *data);
- typedef void (*virNWFilterVoidCall)(void);
- 
-diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
-index 8b13f84..e3a34d6 100644
--- a/src/lxc/lxc_driver.c
-+++ b/src/lxc/lxc_driver.c
-@@ -84,8 +84,7 @@ virLXCDriverPtr lxc_driver = NULL;
- 
- /* callbacks for nwfilter */
- static int
-lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
-                   virDomainObjListIterator iter, void *data)
-+lxcVMFilterRebuild(virDomainObjListIterator iter, void *data)
- {
-     return virDomainObjListForEach(lxc_driver->domains, iter, data);
- }
-diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
-index 6e20e03..d25c6f2 100644
--- a/src/nwfilter/nwfilter_driver.c
-+++ b/src/nwfilter/nwfilter_driver.c
-@@ -235,8 +235,7 @@ nwfilterStateInitialize(bool privileged,
- 
-     VIR_FREE(base);
- 
-    if (virNWFilterLoadAllConfigs(NULL,
-                                  &driverState->nwfilters,
-+    if (virNWFilterLoadAllConfigs(&driverState->nwfilters,
-                                   driverState->configDir) < 0)
-         goto error;
- 
-@@ -272,37 +271,28 @@ err_free_driverstate:
-  * files and update its state
-  */
- static int
-nwfilterStateReload(void) {
-    virConnectPtr conn;
-
-    if (!driverState) {
-+nwfilterStateReload(void)
-+{
-+    if (!driverState)
-         return -1;
-    }
- 
-     if (!driverState->privileged)
-         return 0;
- 
-    conn = virConnectOpen("qemu:///system");
-
-    if (conn) {
-        virNWFilterDHCPSnoopEnd(NULL);
-        /* shut down all threads -- they will be restarted if necessary */
-        virNWFilterLearnThreadsTerminate(true);
-
-        nwfilterDriverLock(driverState);
-        virNWFilterCallbackDriversLock();
-+    virNWFilterDHCPSnoopEnd(NULL);
-+    /* shut down all threads -- they will be restarted if necessary */
-+    virNWFilterLearnThreadsTerminate(true);
- 
-        virNWFilterLoadAllConfigs(conn,
-                                  &driverState->nwfilters,
-                                  driverState->configDir);
-+    nwfilterDriverLock(driverState);
-+    virNWFilterCallbackDriversLock();
- 
-        virNWFilterCallbackDriversUnlock();
-        nwfilterDriverUnlock(driverState);
-+    virNWFilterLoadAllConfigs(&driverState->nwfilters,
-+                              driverState->configDir);
- 
-        virNWFilterInstFiltersOnAllVMs(conn);
-+    virNWFilterCallbackDriversUnlock();
-+    nwfilterDriverUnlock(driverState);
- 
-        virConnectClose(conn);
-    }
-+    virNWFilterInstFiltersOnAllVMs();
- 
-     return 0;
- }
-@@ -573,7 +563,7 @@ nwfilterDefineXML(virConnectPtr conn,
-     if (virNWFilterDefineXMLEnsureACL(conn, def) < 0)
-         goto cleanup;
- 
-    if (!(nwfilter = virNWFilterObjAssignDef(conn, &driver->nwfilters, def)))
-+    if (!(nwfilter = virNWFilterObjAssignDef(&driver->nwfilters, def)))
-         goto cleanup;
- 
-     if (virNWFilterObjSaveDef(driver, nwfilter, def) < 0) {
-@@ -617,7 +607,7 @@ nwfilterUndefine(virNWFilterPtr obj) {
-     if (virNWFilterUndefineEnsureACL(obj->conn, nwfilter->def) < 0)
-         goto cleanup;
- 
-    if (virNWFilterTestUnassignDef(obj->conn, nwfilter) < 0) {
-+    if (virNWFilterTestUnassignDef(nwfilter) < 0) {
-         virReportError(VIR_ERR_OPERATION_INVALID,
-                        "%s",
-                        _("nwfilter is in use"));
-diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
-index e8bc04d..068d29f 100644
--- a/src/qemu/qemu_driver.c
-+++ b/src/qemu/qemu_driver.c
-@@ -177,8 +177,7 @@ static void
- qemuVMDriverUnlock(void) {}
- 
- static int
-qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
-                    virDomainObjListIterator iter, void *data)
-+qemuVMFilterRebuild(virDomainObjListIterator iter, void *data)
- {
-     return virDomainObjListForEach(qemu_driver->domains, iter, data);
- }
-diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
-index 9ca352f..eb02542 100644
--- a/src/uml/uml_driver.c
-+++ b/src/uml/uml_driver.c
-@@ -148,8 +148,7 @@ static int umlMonitorCommand(const struct uml_driver *driver,
- static struct uml_driver *uml_driver = NULL;
- 
- static int
-umlVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
-                   virDomainObjListIterator iter, void *data)
-+umlVMFilterRebuild(virDomainObjListIterator iter, void *data)
- {
-     return virDomainObjListForEach(uml_driver->domains, iter, data);
- }
@@ -0,0 +1,43 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 22 Jul 2021 14:26:00 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Set bounding capabilities only with
+ CAP_SETPCAP
+
+In one of my previous patches I've tried to postpone dropping
+CAP_SETPCAP until the very end because it's needed for
+capng_apply(). What I did not realize back then was that we might
+not have the capability to begin with. Because of unknown reasons
+capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not
+for CAPNG_SELECT_CAPS.
+
+Reproducer is really simple: run libvirtd as a regular user.
+During its initialization, libvirtd will spawn some binaries
+(dnsmasq, qemu-*, etc.) and while doing so it will try to drop
+capabilities.
+
+Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we
+have the CAP_SETPCAP (which is tracked in need_setpcap variable).
+
+Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit a2476f37a7789eb9315b77bb451f4754ef4ef15b)
+---
+ src/util/virutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index 7ae23a7061..333f99e91d 100644
+--- a/src/util/virutil.c
+++ b/src/util/virutil.c
+@@ -1269,7 +1269,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+      * do this if we failed to get the capability above, so ignore the
+      * return value.
+      */
+-    capng_apply(CAPNG_SELECT_BOUNDS);
+    if (!need_setpcap)
+        capng_apply(CAPNG_SELECT_BOUNDS);
+ 
+     /* Drop the caps that allow setuid/gid (unless they were requested) */
+     if (need_setgid)
@@ -1,31 +0,0 @@
-From 009332c5530a3f3419578b62b44a98ff8de31ca2 Mon Sep 17 00:00:00 2001
-From: Cole Robinson <crobinso@redhat.com>
-Date: Tue, 1 Oct 2013 07:55:19 -0400
-Subject: [PATCH] qemu: cgroup: Fix crash if starting nographics guest
-
-We can dereference graphics[0] even if guest has no graphics device
-configured. I screwed this up in a216e6487255d3b65d97c7ec1fa5da63dbced902
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1014088
-(cherry picked from commit a924d9d083c215df6044387057c501d9aa338b96)
---
- src/qemu/qemu_cgroup.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
-index f95c7f2..ace7e35 100644
--- a/src/qemu/qemu_cgroup.c
-+++ b/src/qemu/qemu_cgroup.c
-@@ -490,9 +490,10 @@ qemuSetupDevicesCgroup(virQEMUDriverPtr driver,
- 
-     if (vm->def->nsounds &&
-         ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) ||
-         ((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
-+         (vm->def->graphics &&
-+          ((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
-            cfg->vncAllowHostAudio) ||
-           (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) {
-+           (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL))))) {
-         rv = virCgroupAllowDeviceMajor(priv->cgroup, 'c', DEVICE_SND_MAJOR,
-                                        VIR_CGROUP_DEVICE_RW);
-         virDomainAuditCgroupMajor(vm, priv->cgroup, "allow", DEVICE_SND_MAJOR,
@@ -0,0 +1,57 @@
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Mon, 10 May 2021 15:07:09 +0200
+Subject: [PATCH] qemu_firmware: don't error out for unknown firmware features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU introduces new firmware features libvirt will fail until we
+list that feature in our code as well which doesn't sound right.
+
+We should simply ignore the new feature until we add a proper support
+for it.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 61d95a1073833ec4323c1ef28e71e913c55aa7b9)
+---
+ src/qemu/qemu_firmware.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
+index 639cff7459..e602de22e3 100644
+--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
+@@ -573,6 +573,7 @@ qemuFirmwareFeatureParse(const char *path,
+     virJSONValuePtr featuresJSON;
+     g_autoptr(qemuFirmwareFeature) features = NULL;
+     size_t nfeatures;
+    size_t nparsed = 0;
+     size_t i;
+ 
+     if (!(featuresJSON = virJSONValueObjectGetArray(doc, "features"))) {
+@@ -592,17 +593,16 @@ qemuFirmwareFeatureParse(const char *path,
+         int tmp;
+ 
+         if ((tmp = qemuFirmwareFeatureTypeFromString(tmpStr)) <= 0) {
+-            virReportError(VIR_ERR_INTERNAL_ERROR,
+-                           _("unknown feature %s"),
+-                           tmpStr);
+-            return -1;
+            VIR_DEBUG("ignoring unknown QEMU firmware feature '%s'", tmpStr);
+            continue;
+         }
+ 
+-        features[i] = tmp;
+        features[nparsed] = tmp;
+        nparsed++;
+     }
+ 
+     fw->features = g_steal_pointer(&features);
+-    fw->nfeatures = nfeatures;
+    fw->nfeatures = nparsed;
+     return 0;
+ }
+ 
@@ -0,0 +1,33 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87)
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 16bc53aa46..2787c1671b 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+                                            storagePoolLookupByTargetPathCallback,
+                                            cleanpath))) {
+         def = virStoragePoolObjGetDef(obj);
+-        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
+        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
+            virStoragePoolObjEndAPI(&obj);
+             return NULL;
+        }
+ 
+         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+         virStoragePoolObjEndAPI(&obj);
@@ -0,0 +1,81 @@
+From 7e299ba649b1288d529c7595c0e6060c9ae0ff2a Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 29 Nov 2021 09:57:49 +0100
+Subject: [PATCH 1/2] wireshark: Switch to tvb_bytes_to_str()
+
+When the dissector sees a byte sequence that is either an opaque
+data (xdr_opaque) or a byte sequence (xdr_bytes) it formats the
+bytes as a hex numbers using our own implementation. But
+wireshark already provides a function for it: tvb_bytes_to_str().
+NB, the reason why it returns a const string is so that callers
+don't try to free it - the string is allocated using an allocator
+which will decide when to free it.
+
+The wireshark formatter was introduced in wireshark commit of
+v1.99.2~479 and thus is present in the version we require at
+least (2.6.0).
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ tools/wireshark/src/packet-libvirt.c | 30 ++++++++--------------------
+ 1 file changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
+index f43919b05d..cb922b8070 100644
+--- a/tools/wireshark/src/packet-libvirt.c
+++ b/tools/wireshark/src/packet-libvirt.c
+@@ -158,24 +158,6 @@ dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+     }
+ }
+ 
+-static const gchar *
+-format_xdr_bytes(guint8 *bytes, guint32 length)
+-{
+-    gchar *buf;
+-    guint32 i;
+-
+-    if (length == 0)
+-        return "";
+-    buf = wmem_alloc(wmem_packet_scope(), length*2 + 1);
+-    for (i = 0; i < length; i++) {
+-        /* We know that buf has enough size to contain
+-           2 * length + '\0' characters. */
+-        g_snprintf(buf, 2*(length - i) + 1, "%02x", bytes[i]);
+-        buf += 2;
+-    }
+-    return buf - length*2;
+-}
+-
+ static gboolean
+ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+                    guint32 size)
+@@ -187,8 +169,10 @@ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+     val = g_malloc(size);
+     start = xdr_getpos(xdrs);
+     if ((rc = xdr_opaque(xdrs, (caddr_t)val, size))) {
+-        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
+-                                          NULL, "%s", format_xdr_bytes(val, size));
+        gint len = xdr_getpos(xdrs) - start;
+        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
+
+        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+     } else {
+         proto_tree_add_item(tree, hf_libvirt_unknown, tvb, start, -1, ENC_NA);
+     }
+@@ -207,8 +191,10 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+ 
+     start = xdr_getpos(xdrs);
+     if (xdr_bytes(xdrs, (char **)&val, &length, maxlen)) {
+-        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
+-                                          NULL, "%s", format_xdr_bytes(val, length));
+        gint len = xdr_getpos(xdrs) - start;
+        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
+
+        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+         /* Seems I can't call xdr_free() for this case.
+            It will raises SEGV by referencing out of bounds call stack */
+         free(val);
+-- 
+2.33.1
+
@@ -0,0 +1,33 @@
+From 010613cfd8dae6d85602a84c5c95b2d441e1b3d1 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 29 Nov 2021 10:20:05 +0100
+Subject: [PATCH 2/2] wireshark: Drop needless comment in dissect_xdr_bytes()
+
+In the dissect_xdr_bytes() there's a comment that the string
+allocated by xdr_bytes() can't be freed using xdr_free(). Well,
+that is expected because xdr_bytes() used plain calloc() AND the
+string is not an XDR struct but plain 'char *' type. Passing it
+to xdr_free() must result in weird things happening.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ tools/wireshark/src/packet-libvirt.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
+index cb922b8070..eeacbcdf0e 100644
+--- a/tools/wireshark/src/packet-libvirt.c
+++ b/tools/wireshark/src/packet-libvirt.c
+@@ -195,8 +195,6 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+         const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
+ 
+         proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+-        /* Seems I can't call xdr_free() for this case.
+-           It will raises SEGV by referencing out of bounds call stack */
+         free(val);
+         return TRUE;
+     } else {
+-- 
+2.33.1
+
@@ -1,21 +0,0 @@
-# Makefile for source rpm: libvirt
-# $Id$
-NAME := libvirt
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
@@ -1,2 +1 @@
-1835bbfa492099bce12e2934870e5611  libvirt-1.1.2.tar.gz
-b0dfe373ebe0c588b42a28c14d36a3e6  libvirt-1.1.3.tar.gz
+SHA512 (libvirt-7.0.0.tar.xz) = dd6db5ec4971cf4c6059795fd81d5a3a889b10740e34c3c92271eda1c683c99df2c8f923398065d8a7c4f987a20eb1da617d5297ba8ea5a31f154412af50c343