Rebuild for wireshark soname change rhbz#2031322

Now with missing patches

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

.abignore

@@ -0,0 +1,31 @@
+[suppress_function]
+symbol_version_regexp = LIBVIRT_PRIVATE.*
+soname_regexp = libvirt\\.so.*
+
+[suppress_function]
+symbol_version_regexp = LIBVIRT_ADMIN_PRIVATE.*
+soname_regexp = libvirt-admin\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = LIBVIRT_PRIVATE.*
+soname_regexp = libvirt\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = LIBVIRT_ADMIN_PRIVATE.*
+soname_regexp = libvirt-admin\\.so.*
+
+[suppress_function]
+symbol_version_regexp = .*
+soname_regexp = libvirt_storage_.*\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = .*
+soname_regexp = libvirt_storage_.*\\.so.*
+
+[suppress_function]
+symbol_version_regexp = .*
+soname_regexp = libvirt_driver_.*\\.so.*
+
+[suppress_variable]
+symbol_version_regexp = .*
+soname_regexp = libvirt_driver_.*\\.so.*

0001-Fix-padding-of-encrypted-data.patch

@@ -1,55 +0,0 @@
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Tue, 2 May 2017 11:32:43 +0100
-Subject: [PATCH] Fix padding of encrypted data
-
-If we are encoding a block of data that is 16 bytes in length,
-we cannot leave it as 16 bytes, we must pad it out to the next
-block boundary, 32 bytes. Without this padding, the decoder will
-incorrectly treat the last byte of plain text as the padding
-length, as it can't distinguish padded from non-padded data.
-
-The problem exhibited itself when using a 16 byte passphrase
-for a LUKS volume
-
-  $ virsh secret-set-value 55806c7d-8e93-456f-829b-607d8c198367 \
-       $(echo -n 1234567812345678 | base64)
-  Secret value set
-
-  $ virsh start demo
-  error: Failed to start domain demo
-  error: internal error: process exited while connecting to monitor: >>>>>>>>>>Len 16
-  2017-05-02T10:35:40.016390Z qemu-system-x86_64: -object \
-    secret,id=virtio-disk1-luks-secret0,data=SEtNi5vDUeyseMKHwc1c1Q==,\
-    keyid=masterKey0,iv=zm7apUB1A6dPcH53VW960Q==,format=base64: \
-    Incorrect number of padding bytes (56) found on decrypted data
-
-Notice how the padding '56' corresponds to the ordinal value of
-the character '8'.
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-(cherry picked from commit 71890992daf37ec78b00b4ce873369421dc99731)
----
- src/util/vircrypto.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/util/vircrypto.c b/src/util/vircrypto.c
-index 03410a1a4..8f1e0b7b7 100644
---- a/src/util/vircrypto.c
-+++ b/src/util/vircrypto.c
-@@ -152,8 +152,14 @@ virCryptoEncryptDataAESgnutls(gnutls_cipher_algorithm_t gnutls_enc_alg,
-     uint8_t *ciphertext;
-     size_t ciphertextlen;
- 
--    /* Allocate a padded buffer, copy in the data */
--    ciphertextlen = VIR_ROUND_UP(datalen, 16);
-+    /* Allocate a padded buffer, copy in the data.
-+     *
-+     * NB, we must *always* have at least 1 byte of
-+     * padding - we can't skip it on multiples of
-+     * 16, otherwise decoder can't distinguish padded
-+     * data from non-padded data. Hence datalen + 1
-+     */
-+    ciphertextlen = VIR_ROUND_UP(datalen + 1, 16);
-     if (VIR_ALLOC_N(ciphertext, ciphertextlen) < 0)
-         return -1;
-     memcpy(ciphertext, data, datalen);

0001-build-support-explicitly-disabling-netcf.patch

@@ -0,0 +1,56 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 21 Jan 2021 16:01:06 -0500
+Subject: [PATCH] build: support explicitly disabling netcf
+
+placing "-Dnetcf=disabled" on the meson commandline was ignored,
+meaning that even with that option the build would get WITH_NETCF if
+the netcf-devel package was found - the only way to disable it was to
+uninstall netcf-devel.
+
+This patch adds the small bit of logic to check the netcf meson
+commandline option (in addition to whether netcf-devel is installed)
+before defining WITH_NETCF.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Neal Gompa <ngompa13@gmail.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 06169a115d46d8870a96d293c2faf6ea87e71020)
+---
+ meson.build | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index b5164f68ed..e9d6d9f82e 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1155,8 +1155,10 @@ libm_dep = cc.find_library('m', required : false)
+ 
+ netcf_version = '0.1.8'
+ netcf_dep = dependency('netcf', version: '>=' + netcf_version, required: get_option('netcf'))
+-if netcf_dep.found()
+-  conf.set('WITH_NETCF', 1)
++if not get_option('netcf').disabled()
++  if netcf_dep.found()
++    conf.set('WITH_NETCF', 1)
++  endif
+ endif
+ 
+ have_gnu_gettext_tools = false
+@@ -1550,7 +1552,7 @@ elif get_option('driver_hyperv').enabled()
+   error('openwsman is required for the Hyper-V driver')
+ endif
+ 
+-if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or netcf_dep.found())
++if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or conf.has('WITH_NETCF'))
+   conf.set('WITH_INTERFACE', 1)
+ elif get_option('driver_interface').enabled()
+   error('Requested the Interface driver without netcf or udev and libvirtd support')
+@@ -2362,7 +2364,7 @@ libs_summary = {
+   'libssh': libssh_dep.found(),
+   'libssh2': libssh2_dep.found(),
+   'libutil': libutil_dep.found(),
+-  'netcf': netcf_dep.found(),
++  'netcf': conf.has('WITH_NETCF'),
+   'NLS': have_gnu_gettext_tools,
+   'numactl': numactl_dep.found(),
+   'openwsman': openwsman_dep.found(),

0002-node_device_udev-Serialize-access-to-pci_get_strings.patch

@@ -0,0 +1,72 @@
+From: wangjian <wangjian161@huawei.com>
+Date: Fri, 26 Mar 2021 11:21:16 +0800
+Subject: [PATCH] node_device_udev: Serialize access to pci_get_strings)_
+
+Since the functions provided by libpciaccess are not thread-safe,
+when the udev-event and nodedev-init threads of libvirt call the
+pci_get_strings function provided by libpaciaccess at the same
+time the following can happen:
+
+nodedev-init thread:
+nodeStateInitializeEnumerate ->
+  udevEnumerateDevices->
+    udevProcessDeviceListEntry ->
+      udevAddOneDevice ->
+        udevGetDeviceDetails->
+          udevProcessPCI ->
+            udevTranslatePCIIds ->
+              pci_get_strings -> (libpciaccess)
+                find_device_name ->
+                  populate_vendor ->
+                    d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                    vend->num_devices++;
+
+udev-event thread:
+udevEventHandleThread ->
+  udevHandleOneDevice ->
+    udevAddOneDevice->
+      udevGetDeviceDetails->
+        udevProcessPCI ->
+          udevTranslatePCIIds ->
+            pci_get_strings -> (libpciaccess)
+              find_device_name ->
+                populate_vendor ->
+                  d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                  vend->num_devices++;
+
+Signed-off-by: WangJian <wangjian161@huawei.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 59788a5caea5f292c86e07a31ee2b853d68db87e)
+---
+ src/node_device/node_device_udev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
+index 55a2731681..6f0defe908 100644
+--- a/src/node_device/node_device_udev.c
++++ b/src/node_device/node_device_udev.c
+@@ -328,6 +328,7 @@ udevGenerateDeviceName(struct udev_device *device,
+     return 0;
+ }
+ 
++static virMutex pciaccessMutex = VIR_MUTEX_INITIALIZER;
+ 
+ static int
+ udevTranslatePCIIds(unsigned int vendor,
+@@ -346,12 +347,14 @@ udevTranslatePCIIds(unsigned int vendor,
+     m.device_class_mask = 0;
+     m.match_data = 0;
+ 
+-    /* pci_get_strings returns void */
++    /* pci_get_strings returns void and unfortunately is not thread safe. */
++    virMutexLock(&pciaccessMutex);
+     pci_get_strings(&m,
+                     &device_name,
+                     &vendor_name,
+                     NULL,
+                     NULL);
++    virMutexUnlock(&pciaccessMutex);
+ 
+     *vendor_string = g_strdup(vendor_name);
+     *product_string = g_strdup(device_name);

0002-spec-Add-support-for-building-the-zfs-storage-driver.patch

@@ -1,90 +0,0 @@
-From: Neal Gompa <ngompa13@gmail.com>
-Date: Mon, 17 Jul 2017 11:32:46 -0400
-Subject: [PATCH] spec: Add support for building the zfs storage driver
-
-Where it can be supported in Fedora, the driver is built and made
-available as a subpackage.
-
-Signed-off-by: Neal Gompa <ngompa13@gmail.com>
-(cherry picked from commit 9af764e86aef7dfb0191a9561bf1d1abf941da05)
----
- libvirt.spec.in | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/libvirt.spec.in b/libvirt.spec.in
-index 8eb67fa2e..f9a705e7c 100644
---- a/libvirt.spec.in
-+++ b/libvirt.spec.in
-@@ -70,6 +70,13 @@
- %define with_storage_gluster 0%{!?_without_storage_gluster:1}
- %define with_numactl          0%{!?_without_numactl:1}
- 
-+# F25+ has zfs-fuse
-+%if 0%{?fedora} >= 25
-+    %define with_storage_zfs      0%{!?_without_storage_zfs:1}
-+%else
-+    %define with_storage_zfs      0
-+%endif
-+
- # A few optional bits off by default, we enable later
- %define with_fuse          0%{!?_without_fuse:0}
- %define with_cgconfig      0%{!?_without_cgconfig:0}
-@@ -113,6 +120,12 @@
-     %endif
- %endif
- 
-+# zfs-fuse is not available on some architectures
-+%ifarch s390 s390x aarch64
-+    %define with_storage_zfs 0
-+%endif
-+
-+
- # RHEL doesn't ship OpenVZ, VBox, UML, PowerHypervisor,
- # VMware, libxenserver (xenapi), libxenlight (Xen 4.1 and newer),
- # or HyperV.
-@@ -364,6 +377,12 @@ BuildRequires: glusterfs-devel >= 3.4.1
- %if %{with_storage_sheepdog}
- BuildRequires: sheepdog
- %endif
-+%if %{with_storage_zfs}
-+# Support any conforming implementation of zfs. On stock Fedora
-+# this is zfs-fuse, but could be zfsonlinux upstream RPMs
-+BuildRequires: /sbin/zfs
-+BuildRequires: /sbin/zpool
-+%endif
- %if %{with_numactl}
- # For QEMU/LXC numa info
- BuildRequires: numactl-devel
-@@ -597,6 +616,11 @@ Requires: device-mapper
- # For Sheepdog support
- Requires: sheepdog
- %endif
-+%if %{with_storage_zfs}
-+# Support any conforming implementation of zfs
-+Requires: /sbin/zfs
-+Requires: /sbin/zpool
-+%endif
- %if %{with_qemu}
- # From QEMU RPMs
- Requires: /usr/bin/qemu-img
-@@ -1063,6 +1087,12 @@ rm -rf .git
-     %define arg_storage_gluster --without-storage-gluster
- %endif
- 
-+%if %{with_storage_zfs}
-+    %define arg_storage_zfs --with-storage-zfs
-+%else
-+    %define arg_storage_zfs --without-storage-zfs
-+%endif
-+
- %if %{with_numactl}
-     %define arg_numactl --with-numactl
- %else
-@@ -1170,6 +1200,7 @@ rm -f po/stamp-po
-            %{?arg_storage_rbd} \
-            %{?arg_storage_sheepdog} \
-            %{?arg_storage_gluster} \
-+           %{?arg_storage_zfs} \
-            %{?arg_numactl} \
-            %{?arg_numad} \
-            --with-capng \

0003-Avoid-hidden-cgroup-mount-points.patch

@@ -1,150 +0,0 @@
-From: Juan Hernandez <jhernand@redhat.com>
-Date: Thu, 6 Jul 2017 17:03:31 +0200
-Subject: [PATCH] Avoid hidden cgroup mount points
-
-Currently the scan of the /proc/mounts file used to find cgroup mount
-points doesn't take into account that mount points may hidden by other
-mount points. For, example in certain Kubernetes environments the
-/proc/mounts contains the following lines:
-
-  cgroup /sys/fs/cgroup/net_prio,net_cls cgroup ...
-  tmpfs /sys/fs/cgroup tmpfs ...
-  cgroup /sys/fs/cgroup/net_cls,net_prio cgroup ...
-
-In this particular environment the first mount point is hidden by the
-second one. The correct mount point is the third one, but libvirt will
-never process it because it only checks the first mount point for each
-controller (net_cls in this case). So libvirt will try to use the first
-mount point, which doesn't actually exist, and the complete detection
-process will fail.
-
-To avoid that issue this patch changes the virCgroupDetectMountsFromFile
-function so that when there are duplicates it takes the information from
-the last line in /proc/mounts. This requires removing the previous
-explicit condition to skip duplicates, and adding code to free the
-memory used by the processing of duplicated lines.
-
-Related-To: https://bugzilla.redhat.com/1468214
-Related-To: https://github.com/kubevirt/libvirt/issues/4
-Signed-off-by: Juan Hernandez <jhernand@redhat.com>
-(cherry picked from commit dacd160d7479e0ec2d8a63f102145fd30636a1c8)
----
- src/util/vircgroup.c                | 23 ++++++++++++++---------
- tests/vircgroupdata/kubevirt.mounts | 25 +++++++++++++++++++++++++
- tests/vircgroupdata/kubevirt.parsed | 10 ++++++++++
- tests/vircgrouptest.c               |  1 +
- 4 files changed, 50 insertions(+), 9 deletions(-)
- create mode 100644 tests/vircgroupdata/kubevirt.mounts
- create mode 100644 tests/vircgroupdata/kubevirt.parsed
-
-diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
-index f2477d5e9..322f7fb54 100644
---- a/src/util/vircgroup.c
-+++ b/src/util/vircgroup.c
-@@ -396,6 +396,7 @@ virCgroupDetectMountsFromFile(virCgroupPtr group,
-             const char *typestr = virCgroupControllerTypeToString(i);
-             int typelen = strlen(typestr);
-             char *tmp = entry.mnt_opts;
-+            struct virCgroupController *controller = &group->controllers[i];
-             while (tmp) {
-                 char *next = strchr(tmp, ',');
-                 int len;
-@@ -405,18 +406,22 @@ virCgroupDetectMountsFromFile(virCgroupPtr group,
-                 } else {
-                     len = strlen(tmp);
-                 }
--                /* NB, the same controller can appear >1 time in mount list
--                 * due to bind mounts from one location to another. Pick the
--                 * first entry only
--                 */
--                if (typelen == len && STREQLEN(typestr, tmp, len) &&
--                    !group->controllers[i].mountPoint) {
-+
-+                if (typelen == len && STREQLEN(typestr, tmp, len)) {
-                     char *linksrc;
-                     struct stat sb;
-                     char *tmp2;
- 
--                    if (VIR_STRDUP(group->controllers[i].mountPoint,
--                                   entry.mnt_dir) < 0)
-+                    /* Note that the lines in /proc/mounts have the same
-+                     * order than the mount operations, and that there may
-+                     * be duplicates due to bind mounts. This means
-+                     * that the same mount point may be processed more than
-+                     * once. We need to save the results of the last one,
-+                     * and we need to be careful to release the memory used
-+                     * by previous processing. */
-+                    VIR_FREE(controller->mountPoint);
-+                    VIR_FREE(controller->linkPoint);
-+                    if (VIR_STRDUP(controller->mountPoint, entry.mnt_dir) < 0)
-                         goto error;
- 
-                     tmp2 = strrchr(entry.mnt_dir, '/');
-@@ -452,7 +457,7 @@ virCgroupDetectMountsFromFile(virCgroupPtr group,
-                                 VIR_WARN("Expecting a symlink at %s for controller %s",
-                                          linksrc, typestr);
-                             } else {
--                                group->controllers[i].linkPoint = linksrc;
-+                                controller->linkPoint = linksrc;
-                             }
-                         }
-                     }
-diff --git a/tests/vircgroupdata/kubevirt.mounts b/tests/vircgroupdata/kubevirt.mounts
-new file mode 100644
-index 000000000..ca036196b
---- /dev/null
-+++ b/tests/vircgroupdata/kubevirt.mounts
-@@ -0,0 +1,25 @@
-+rootfs / rootfs rw 0 0
-+proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
-+udev /dev devtmpfs rw,nosuid,relatime,size=10240k,nr_inodes=1006404,mode=755 0 0
-+devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
-+sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
-+/dev/sda1 / ext4 rw,noatime,data=ordered 0 0
-+tmpfs /run tmpfs rw,nodev,relatime,size=812296k,mode=755 0 0
-+mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
-+shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
-+debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
-+cgroup_root /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755 0 0
-+openrc /sys/fs/cgroup/openrc cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
-+cpuset /some/random/location/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
-+cpuset /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
-+cpu /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0
-+cpuacct /some/random/location/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuacct 0 0
-+cpuacct /sys/fs/cgroup/cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct 0 0
-+memory /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
-+devices /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
-+freezer /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
-+blkio /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
-+perf_event /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
-+hugetlb /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
-+binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
-+freezer /some/random/location/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
-diff --git a/tests/vircgroupdata/kubevirt.parsed b/tests/vircgroupdata/kubevirt.parsed
-new file mode 100644
-index 000000000..694870723
---- /dev/null
-+++ b/tests/vircgroupdata/kubevirt.parsed
-@@ -0,0 +1,10 @@
-+cpu          /sys/fs/cgroup/cpu
-+cpuacct      /sys/fs/cgroup/cpuacct
-+cpuset       /sys/fs/cgroup/cpuset
-+memory       /sys/fs/cgroup/memory
-+devices      /sys/fs/cgroup/devices
-+freezer      /some/random/location/freezer
-+blkio        /sys/fs/cgroup/blkio
-+net_cls      <null>
-+perf_event   /sys/fs/cgroup/perf_event
-+name=systemd <null>
-diff --git a/tests/vircgrouptest.c b/tests/vircgrouptest.c
-index f55ef74a1..cf0315f16 100644
---- a/tests/vircgrouptest.c
-+++ b/tests/vircgrouptest.c
-@@ -885,6 +885,7 @@ mymain(void)
-     DETECT_MOUNTS("cgroups3");
-     DETECT_MOUNTS("all-in-one");
-     DETECT_MOUNTS("no-cgroups");
-+    DETECT_MOUNTS("kubevirt");
- 
-     if (virTestRun("New cgroup for self", testCgroupNewForSelf, NULL) < 0)
-         ret = -1;

0003-virSetUIDGIDWithCaps-Don-t-drop-CAP_SETPCAP-right-aw.patch

@@ -0,0 +1,53 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 24 Jun 2021 16:58:09 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Don't drop CAP_SETPCAP right away
+
+There are few cases where we execute a virCommand with all caps
+cleared (virCommandClearCaps()). For instance
+dnsmasqCapsRefreshInternal() does just that. This means, that
+after fork() and before exec() the virSetUIDGIDWithCaps() is
+called. But since the caller did not want to change anything,
+just drop capabilities, these are the values of arguments:
+
+  virSetUIDGIDWithCaps (uid=-1, gid=-1, groups=0x0, ngroups=0,
+                        capBits=0, clearExistingCaps=true)
+
+This means that indeed all capabilities will be dropped,
+including CAP_SETPCAP. But this capability controls whether
+capabilities can be set, IOW whether capng_apply() succeeds.
+
+There are two calls of capng_apply() in the function. The
+CAP_SETPCAP is dropped after the first call and thus the other
+call (capng_apply(CAPNG_SELECT_BOUNDS);) fails.
+
+The solution is to keep the capability for as long as needed
+(just like CAP_SETGID and CAP_SETUID) and drop it only at the
+very end (just like CAP_SETGID and CAP_SETUID).
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949388
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 438b50dda8a863fdc988e9ab612f097cc1626e8a)
+---
+ src/util/virutil.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index a0cd0f1bcd..7ae23a7061 100644
+--- a/src/util/virutil.c
++++ b/src/util/virutil.c
+@@ -1202,12 +1202,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+     }
+ # ifdef PR_CAPBSET_DROP
+     /* If newer kernel, we need also need setpcap to change the bounding set */
+-    if ((capBits || need_setgid || need_setuid) &&
+-        !capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++    if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+         need_setpcap = true;
+-    }
+-    if (need_setpcap)
+         capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
++    }
+ # endif
+ 
+     /* Tell system we want to keep caps across uid change */

0004-docs-schema-make-disk-driver-name-attribute-optional.patch

@@ -1,53 +0,0 @@
-From: Jim Fehlig <jfehlig@suse.com>
-Date: Tue, 18 Jul 2017 10:20:35 -0600
-Subject: [PATCH] docs: schema: make disk driver name attribute optional
-
-/domain/devices/disk/driver/@name is not a required or mandatory
-attribute according to formatdomain, and indeed it was agreed on
-IRC that the attribute is "optional for input, recommended (but
-not required) for output". Currently the schema requires the
-attribute, causing virt-xml-validate to fail on disk config where
-the driver name is not explicitly specified. E.g.
-
-# cat test.xml | grep -A 5 cdrom
-    <disk type='file' device='cdrom'>
-      <driver type='raw'/>
-      <target dev='hdb' bus='ide'/>
-      <readonly/>
-      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
-    </disk>
-
-# virt-xml-validate test.xml
-Relax-NG validity error : Extra element devices in interleave
-test.xml:21: element devices: Relax-NG validity error : Element domain failed to validate content
-test.xml fails to validate
-
-Relaxing the name attribute to be optional fixes the validation
-
-# virt-xml-validate test.xml
-test.xml validates
-
-(cherry picked from commit b494e09d058f09b48d0fd8855edd557101294671)
----
- docs/schemas/domaincommon.rng | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
-index 9a7d03ed9..38dda780e 100644
---- a/docs/schemas/domaincommon.rng
-+++ b/docs/schemas/domaincommon.rng
-@@ -1670,9 +1670,11 @@
-     </element>
-   </define>
-   <define name="driverFormat">
--    <attribute name="name">
--      <ref name="genericName"/>
--    </attribute>
-+    <optional>
-+      <attribute name="name">
-+        <ref name="genericName"/>
-+      </attribute>
-+    </optional>
-     <optional>
-       <attribute name='type'>
-         <choice>

0004-security-fix-SELinux-label-generation-logic.patch

@@ -0,0 +1,51 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 2fc6ef2616..61a871ec3d 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -389,7 +389,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++            /*
++             * A process can access a file if the set of MCS categories
++             * for the file is equal-to *or* a subset-of, the set of
++             * MCS categories for the process.
++             *
++             * IOW, we must discard case where the categories are equal
++             * because that is a subset of other category pairs.
++             */
++            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;

0005-virSetUIDGIDWithCaps-Set-bounding-capabilities-only-.patch

@@ -0,0 +1,43 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 22 Jul 2021 14:26:00 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Set bounding capabilities only with
+ CAP_SETPCAP
+
+In one of my previous patches I've tried to postpone dropping
+CAP_SETPCAP until the very end because it's needed for
+capng_apply(). What I did not realize back then was that we might
+not have the capability to begin with. Because of unknown reasons
+capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not
+for CAPNG_SELECT_CAPS.
+
+Reproducer is really simple: run libvirtd as a regular user.
+During its initialization, libvirtd will spawn some binaries
+(dnsmasq, qemu-*, etc.) and while doing so it will try to drop
+capabilities.
+
+Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we
+have the CAP_SETPCAP (which is tracked in need_setpcap variable).
+
+Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit a2476f37a7789eb9315b77bb451f4754ef4ef15b)
+---
+ src/util/virutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index 7ae23a7061..333f99e91d 100644
+--- a/src/util/virutil.c
++++ b/src/util/virutil.c
+@@ -1269,7 +1269,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+      * do this if we failed to get the capability above, so ignore the
+      * return value.
+      */
+-    capng_apply(CAPNG_SELECT_BOUNDS);
++    if (!need_setpcap)
++        capng_apply(CAPNG_SELECT_BOUNDS);
+ 
+     /* Drop the caps that allow setuid/gid (unless they were requested) */
+     if (need_setgid)

0006-qemu_firmware-don-t-error-out-for-unknown-firmware-f.patch

@@ -0,0 +1,57 @@
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Mon, 10 May 2021 15:07:09 +0200
+Subject: [PATCH] qemu_firmware: don't error out for unknown firmware features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU introduces new firmware features libvirt will fail until we
+list that feature in our code as well which doesn't sound right.
+
+We should simply ignore the new feature until we add a proper support
+for it.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 61d95a1073833ec4323c1ef28e71e913c55aa7b9)
+---
+ src/qemu/qemu_firmware.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
+index 639cff7459..e602de22e3 100644
+--- a/src/qemu/qemu_firmware.c
++++ b/src/qemu/qemu_firmware.c
+@@ -573,6 +573,7 @@ qemuFirmwareFeatureParse(const char *path,
+     virJSONValuePtr featuresJSON;
+     g_autoptr(qemuFirmwareFeature) features = NULL;
+     size_t nfeatures;
++    size_t nparsed = 0;
+     size_t i;
+ 
+     if (!(featuresJSON = virJSONValueObjectGetArray(doc, "features"))) {
+@@ -592,17 +593,16 @@ qemuFirmwareFeatureParse(const char *path,
+         int tmp;
+ 
+         if ((tmp = qemuFirmwareFeatureTypeFromString(tmpStr)) <= 0) {
+-            virReportError(VIR_ERR_INTERNAL_ERROR,
+-                           _("unknown feature %s"),
+-                           tmpStr);
+-            return -1;
++            VIR_DEBUG("ignoring unknown QEMU firmware feature '%s'", tmpStr);
++            continue;
+         }
+ 
+-        features[i] = tmp;
++        features[nparsed] = tmp;
++        nparsed++;
+     }
+ 
+     fw->features = g_steal_pointer(&features);
+-    fw->nfeatures = nfeatures;
++    fw->nfeatures = nparsed;
+     return 0;
+ }
+ 

0007-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

@@ -0,0 +1,33 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87)
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 16bc53aa46..2787c1671b 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+                                            storagePoolLookupByTargetPathCallback,
+                                            cleanpath))) {
+         def = virStoragePoolObjGetDef(obj);
+-        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++            virStoragePoolObjEndAPI(&obj);
+             return NULL;
++        }
+ 
+         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+         virStoragePoolObjEndAPI(&obj);

0008-wireshark-Switch-to-tvb_bytes_to_str.patch

@@ -0,0 +1,81 @@
+From 7e299ba649b1288d529c7595c0e6060c9ae0ff2a Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 29 Nov 2021 09:57:49 +0100
+Subject: [PATCH 1/2] wireshark: Switch to tvb_bytes_to_str()
+
+When the dissector sees a byte sequence that is either an opaque
+data (xdr_opaque) or a byte sequence (xdr_bytes) it formats the
+bytes as a hex numbers using our own implementation. But
+wireshark already provides a function for it: tvb_bytes_to_str().
+NB, the reason why it returns a const string is so that callers
+don't try to free it - the string is allocated using an allocator
+which will decide when to free it.
+
+The wireshark formatter was introduced in wireshark commit of
+v1.99.2~479 and thus is present in the version we require at
+least (2.6.0).
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ tools/wireshark/src/packet-libvirt.c | 30 ++++++++--------------------
+ 1 file changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
+index f43919b05d..cb922b8070 100644
+--- a/tools/wireshark/src/packet-libvirt.c
++++ b/tools/wireshark/src/packet-libvirt.c
+@@ -158,24 +158,6 @@ dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+     }
+ }
+ 
+-static const gchar *
+-format_xdr_bytes(guint8 *bytes, guint32 length)
+-{
+-    gchar *buf;
+-    guint32 i;
+-
+-    if (length == 0)
+-        return "";
+-    buf = wmem_alloc(wmem_packet_scope(), length*2 + 1);
+-    for (i = 0; i < length; i++) {
+-        /* We know that buf has enough size to contain
+-           2 * length + '\0' characters. */
+-        g_snprintf(buf, 2*(length - i) + 1, "%02x", bytes[i]);
+-        buf += 2;
+-    }
+-    return buf - length*2;
+-}
+-
+ static gboolean
+ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+                    guint32 size)
+@@ -187,8 +169,10 @@ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+     val = g_malloc(size);
+     start = xdr_getpos(xdrs);
+     if ((rc = xdr_opaque(xdrs, (caddr_t)val, size))) {
+-        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
+-                                          NULL, "%s", format_xdr_bytes(val, size));
++        gint len = xdr_getpos(xdrs) - start;
++        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
++
++        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+     } else {
+         proto_tree_add_item(tree, hf_libvirt_unknown, tvb, start, -1, ENC_NA);
+     }
+@@ -207,8 +191,10 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+ 
+     start = xdr_getpos(xdrs);
+     if (xdr_bytes(xdrs, (char **)&val, &length, maxlen)) {
+-        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
+-                                          NULL, "%s", format_xdr_bytes(val, length));
++        gint len = xdr_getpos(xdrs) - start;
++        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
++
++        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+         /* Seems I can't call xdr_free() for this case.
+            It will raises SEGV by referencing out of bounds call stack */
+         free(val);
+-- 
+2.33.1
+

0009-wireshark-Drop-needless-comment-in-dissect_xdr_bytes.patch

@@ -0,0 +1,33 @@
+From 010613cfd8dae6d85602a84c5c95b2d441e1b3d1 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 29 Nov 2021 10:20:05 +0100
+Subject: [PATCH 2/2] wireshark: Drop needless comment in dissect_xdr_bytes()
+
+In the dissect_xdr_bytes() there's a comment that the string
+allocated by xdr_bytes() can't be freed using xdr_free(). Well,
+that is expected because xdr_bytes() used plain calloc() AND the
+string is not an XDR struct but plain 'char *' type. Passing it
+to xdr_free() must result in weird things happening.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ tools/wireshark/src/packet-libvirt.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
+index cb922b8070..eeacbcdf0e 100644
+--- a/tools/wireshark/src/packet-libvirt.c
++++ b/tools/wireshark/src/packet-libvirt.c
+@@ -195,8 +195,6 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
+         const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
+ 
+         proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
+-        /* Seems I can't call xdr_free() for this case.
+-           It will raises SEGV by referencing out of bounds call stack */
+         free(val);
+         return TRUE;
+     } else {
+-- 
+2.33.1
+

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libvirt
-# $Id$
-NAME := libvirt
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

sources

@@ -1 +1 @@
-SHA512 (libvirt-2.2.1.tar.xz) = b89a2665bea81c440afc3f9f69c26e314344f1f2fbf53f82b25bdddcc89532ddf3393902e9cf552edb827ce5d8b46b9214b5a25303b19cf0f3f085131d870518
+SHA512 (libvirt-7.0.0.tar.xz) = dd6db5ec4971cf4c6059795fd81d5a3a889b10740e34c3c92271eda1c683c99df2c8f923398065d8a7c4f987a20eb1da617d5297ba8ea5a31f154412af50c343