Update to 0.8.2 release. Fix CVE-2010-2237, CVE-2010-2238, CVE-2010-2239, CVE-2010-2242

Fix parsing certain USB sysfs files (bz 598272)
Sanitize pool target paths (bz 494005)
Add qemu.conf for clear emulator capabilities
Prevent libvirtd inside a VM from breaking network access (bz 235961)
Mention --all in 'virsh list' docs (bz 575512)
Initscript fixes (bz 565238)
List wireless interfaces via nodedev-list (bz 596928)

.cvsignore

@@ -2,4 +2,4 @@
 *.rpm
 i686
 x86_64
-libvirt-*.tar.xz
+libvirt-*.tar.gz

0001-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch

@@ -1,32 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 21 May 2018 23:05:07 +0100
-Subject: [PATCH] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-New microcode introduces the "Speculative Store Bypass Disable"
-CPUID feature bit. This needs to be exposed to guest OS to allow
-them to protect against CVE-2018-3639.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-(cherry picked from commit 1dbca2eccad58d91a5fd33962854f1a653638182)
----
- src/cpu/cpu_map.xml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 00a43b172c..245aec3309 100644
---- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -298,6 +298,9 @@
-     <feature name='spec-ctrl'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
-     </feature>
-+    <feature name='ssbd'>
-+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
-+    </feature>
- 
-     <!-- Processor Extended State Enumeration sub leaf 1 -->
-     <feature name='xsaveopt'>

0002-tests-force-use-of-NORMAL-TLS-priority-in-test-suite.patch

@@ -1,65 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 5 Mar 2018 12:46:16 +0000
-Subject: [PATCH] tests: force use of "NORMAL" TLS priority in test suite
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When generating certificates we rely on GNUTLS' built-in default setup
-for the ciphers used in the certs. We then currently run with the distro
-specific TLS priority setup which can be much stronger, to the extent
-that the certificates we generate are considered untrustworthy. We don't
-care about the quality of the ciphers we use in the test suite, so just
-force the priority to "NORMAL" which should ensure our certs are
-accepted by GNUTLS.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- tests/virnettlscontexttest.c | 4 ++--
- tests/virnettlssessiontest.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
-index 089c10e964..86647f3014 100644
---- a/tests/virnettlscontexttest.c
-+++ b/tests/virnettlscontexttest.c
-@@ -72,7 +72,7 @@ static int testTLSContextInit(const void *opaque)
-                                          data->crt,
-                                          KEYFILE,
-                                          NULL,
--                                         NULL,
-+                                         "NORMAL",
-                                          true,
-                                          true);
-     } else {
-@@ -80,7 +80,7 @@ static int testTLSContextInit(const void *opaque)
-                                          NULL,
-                                          data->crt,
-                                          KEYFILE,
--                                         NULL,
-+                                         "NORMAL",
-                                          true,
-                                          true);
-     }
-diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
-index 6d639e5b16..7e85607181 100644
---- a/tests/virnettlssessiontest.c
-+++ b/tests/virnettlssessiontest.c
-@@ -113,7 +113,7 @@ static int testTLSSessionInit(const void *opaque)
-                                            data->servercrt,
-                                            KEYFILE,
-                                            data->wildcards,
--                                           NULL,
-+                                           "NORMAL",
-                                            false,
-                                            true);
- 
-@@ -121,7 +121,7 @@ static int testTLSSessionInit(const void *opaque)
-                                            NULL,
-                                            data->clientcrt,
-                                            KEYFILE,
--                                           NULL,
-+                                           "NORMAL",
-                                            false,
-                                            true);
- 

0003-cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-.patch

@@ -1,42 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 21 May 2018 23:05:08 +0100
-Subject: [PATCH] cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some AMD processors only support a non-architectural means of
-enabling Speculative Store Bypass Disable. To allow simplified
-handling in virtual environments, hypervisors will expose an
-architectural definition through CPUID bit 0x80000008_EBX[25].
-This needs to be exposed to guest OS running on AMD x86 hosts to
-allow them to protect against CVE-2018-3639.
-
-Note that since this CPUID bit won't be present in the host CPUID
-results on physical hosts, it will not be enabled automatically
-in guests configured with "host-model" CPU unless using QEMU
-version >= 2.9.0. Thus for older versions of QEMU, this feature
-must be manually enabled using policy=force. Guests using the
-"host-passthrough" CPU mode do not need special handling.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-(cherry picked from commit 9267342206ce17f6933d57a3128cdc504d5945c9)
----
- src/cpu/cpu_map.xml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 245aec3309..96daa0f9af 100644
---- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -433,6 +433,9 @@
-     <feature name='ibpb'>
-       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
-     </feature>
-+    <feature name='virt-ssbd'>
-+      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
-+    </feature>
- 
-     <!-- models -->
-     <model name='486'>

0004-lockd-fix-typo-in-virtlockd-admin.socket.patch

@@ -1,31 +0,0 @@
-From: Jim Fehlig <jfehlig@suse.com>
-Date: Wed, 14 Mar 2018 16:42:39 -0600
-Subject: [PATCH] lockd: fix typo in virtlockd-admin.socket
-
-Commit ce7ae55ea1 introduced a typo in virtlockd-admin socket file
-
-/usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue
-'Server' in section 'Socket'
-
-Change 'Server' to 'Service'.
-
-Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-Reviewed-by: Erik Skultety <eskultet@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/locking/virtlockd-admin.socket.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
-index 1fa0a3dc33..2a7500f3d0 100644
---- a/src/locking/virtlockd-admin.socket.in
-+++ b/src/locking/virtlockd-admin.socket.in
-@@ -4,7 +4,7 @@ Before=libvirtd.service
- 
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
--Server=virtlockd.service
-+Service=virtlockd.service
- 
- [Install]
- WantedBy=sockets.target

0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch

@@ -1,105 +0,0 @@
-From: Laine Stump <laine@laine.org>
-Date: Wed, 25 Apr 2018 17:12:03 -0400
-Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with
- TPACKET_V3
-
-When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp",
-this turns on the "dhcpsnoop" thread, which uses libpcap to monitor
-traffic on the domain's tap device and extract the IP address from the
-DHCP response.
-
-If libpcap on the host is built with HAVE_TPACKET3 defined (to enable
-support for TPACKET_V3), the dhcpsnoop code's initialization of the
-libpcap socket would fail with the following error:
-
-  virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor
-
-It turns out that this was because TPACKET_V3 requires a larger buffer
-size than libvirt was setting (we were setting it to 128k). Changing
-the buffer size to 256k eliminates the error, and the dhcpsnoop thread
-once again works properly.
-
-A fuller explanation of why TPACKET_V3 requires such a large buffer,
-for future git spelunkers:
-
-libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a
-ring buffer for receiving packets; two of the attributes sent to this
-API are called tp_frame_size, and tp_frame_nr. If libpcap was built
-with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN
-(defined in libpcap sources as 262144) and tp_frame_nr is set to:
-
- [the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size.
-
-So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number
-of frames in the ring buffer) is 0, which is nonsensical. This same
-value is later used as a multiplier to determine the size for a call
-to malloc() (which would also fail).
-
-(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to
-the snaplen set by the user (in our case 576) plus a small amount to
-account for ethernet headers, so 256k is far more than adequate)
-
-Since the TPACKET_V3 code in libpcap actually reads multiple packets
-into each frame, it's not a problem to have only a single frame
-(especially when we are monitoring such infrequent traffic), so it's
-okay to set this relatively small buffer size (in comparison to the
-default, which is 2MB), which is important since every guest using
-dhcp snooping in a nwfilter rule will hold 2 of these buffers for the
-entire life of the guest.
-
-Thanks to Christian Ehrhardt for discovering that buffer size was the
-problem (this was not at all obvious from the error that was logged!)
-
-Resolves: https://bugzilla.redhat.com/1547237
-Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037
-
-Signed-off-by: Laine Stump <laine@laine.org>
-Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> (V1)
-Reviewed-by: John Ferlan <jferlan@redhat.com>
-Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
-index 6069e70460..50cfb944a2 100644
---- a/src/nwfilter/nwfilter_dhcpsnoop.c
-+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
-@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob {
- # define DHCP_BURST_INTERVAL_S  10 /* sec */
- 
- /*
-- * libpcap 1.5 requires a 128kb buffer
-- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2)
-+ * NB: Any libpcap built with HAVE_TPACKET3 will require
-+ * PCAP_BUFFERSIZE to be at least 262144 (although
-+ * pcap_set_buffer_size() with a lower value will succeed, and the
-+ * error will only show up later when pcap_setfilter() is called).
-+ *
-+ * It is possible that in the future libpcap could increase the
-+ * minimum size even further, but due to the fact that each guest
-+ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers
-+ * allocated) for the life of the guest, we want to minimize the
-+ * length of the buffer, so instead of leaving it at the default size
-+ * (2MB), we are setting it to the minimum viable size and including
-+ * this clue in the source to help quickly resolve the problem when/if
-+ * it reoccurs.
-  */
--# define PCAP_BUFFERSIZE        (128 * 1024)
-+# define PCAP_BUFFERSIZE        (256 * 1024)
- 
- # define MAX_QUEUED_JOBS        (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE)
- 
-@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac,
-         goto cleanup_nohandle;
-     }
- 
-+    /* IMPORTANT: If there is any failure of *any* pcap_* function
-+     * during setup of the socket, look to the comment where
-+     * PCAP_BUFFERSIZE is defined. It may be too small, even if the
-+     * generated error doesn't imply that.
-+     */
-     if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 ||
-         pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 ||
-         pcap_activate(handle) < 0) {

0006-util-don-t-check-for-parallel-iteration-in-hash-rela.patch

@@ -1,253 +0,0 @@
-From: Vincent Bernat <vincent@bernat.im>
-Date: Tue, 10 Apr 2018 08:27:15 +0200
-Subject: [PATCH] util: don't check for parallel iteration in hash-related
- functions
-
-This is the responsability of the caller to apply the correct lock
-before using these functions. Moreover, the use of a simple boolean
-was still racy: two threads may check the boolean and "lock" it
-simultaneously.
-
-Users of functions from src/util/virhash.c have to be checked for
-correctness. Lookups and iteration should hold a RO
-lock. Modifications should hold a RW lock.
-
-Most important uses seem to be covered. Callers have now a greater
-responsability, notably the ability to execute some operations while
-iterating were reliably forbidden before are now accepted.
-
-Signed-off-by: Vincent Bernat <vincent@bernat.im>
-(cherry picked from commit 4d7384eb9ddef2008cb0cc165eb808f74bc83d6b)
----
- src/util/virhash.c  | 37 --------------------
- tests/virhashtest.c | 83 ---------------------------------------------
- 2 files changed, 120 deletions(-)
-
-diff --git a/src/util/virhash.c b/src/util/virhash.c
-index 0ffbfcce2c..475c2b0281 100644
---- a/src/util/virhash.c
-+++ b/src/util/virhash.c
-@@ -41,12 +41,6 @@ VIR_LOG_INIT("util.hash");
- 
- /* #define DEBUG_GROW */
- 
--#define virHashIterationError(ret) \
--    do { \
--        VIR_ERROR(_("Hash operation not allowed during iteration")); \
--        return ret; \
--    } while (0)
--
- /*
-  * A single entry in the hash table
-  */
-@@ -66,10 +60,6 @@ struct _virHashTable {
-     uint32_t seed;
-     size_t size;
-     size_t nbElems;
--    /* True iff we are iterating over hash entries. */
--    bool iterating;
--    /* Pointer to the current entry during iteration. */
--    virHashEntryPtr current;
-     virHashDataFree dataFree;
-     virHashKeyCode keyCode;
-     virHashKeyEqual keyEqual;
-@@ -339,9 +329,6 @@ virHashAddOrUpdateEntry(virHashTablePtr table, const void *name,
-     if ((table == NULL) || (name == NULL))
-         return -1;
- 
--    if (table->iterating)
--        virHashIterationError(-1);
--
-     key = virHashComputeKey(table, name);
- 
-     /* Check for duplicate entry */
-@@ -551,9 +538,6 @@ virHashRemoveEntry(virHashTablePtr table, const void *name)
-     nextptr = table->table + virHashComputeKey(table, name);
-     for (entry = *nextptr; entry; entry = entry->next) {
-         if (table->keyEqual(entry->name, name)) {
--            if (table->iterating && table->current != entry)
--                virHashIterationError(-1);
--
-             if (table->dataFree)
-                 table->dataFree(entry->payload, entry->name);
-             if (table->keyFree)
-@@ -593,18 +577,11 @@ virHashForEach(virHashTablePtr table, virHashIterator iter, void *data)
-     if (table == NULL || iter == NULL)
-         return -1;
- 
--    if (table->iterating)
--        virHashIterationError(-1);
--
--    table->iterating = true;
--    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr entry = table->table[i];
-         while (entry) {
-             virHashEntryPtr next = entry->next;
--            table->current = entry;
-             ret = iter(entry->payload, entry->name, data);
--            table->current = NULL;
- 
-             if (ret < 0)
-                 goto cleanup;
-@@ -615,7 +592,6 @@ virHashForEach(virHashTablePtr table, virHashIterator iter, void *data)
- 
-     ret = 0;
-  cleanup:
--    table->iterating = false;
-     return ret;
- }
- 
-@@ -643,11 +619,6 @@ virHashRemoveSet(virHashTablePtr table,
-     if (table == NULL || iter == NULL)
-         return -1;
- 
--    if (table->iterating)
--        virHashIterationError(-1);
--
--    table->iterating = true;
--    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr *nextptr = table->table + i;
- 
-@@ -667,7 +638,6 @@ virHashRemoveSet(virHashTablePtr table,
-             }
-         }
-     }
--    table->iterating = false;
- 
-     return count;
- }
-@@ -723,23 +693,16 @@ void *virHashSearch(const virHashTable *ctable,
-     if (table == NULL || iter == NULL)
-         return NULL;
- 
--    if (table->iterating)
--        virHashIterationError(NULL);
--
--    table->iterating = true;
--    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr entry;
-         for (entry = table->table[i]; entry; entry = entry->next) {
-             if (iter(entry->payload, entry->name, data)) {
--                table->iterating = false;
-                 if (name)
-                     *name = table->keyCopy(entry->name);
-                 return entry->payload;
-             }
-         }
-     }
--    table->iterating = false;
- 
-     return NULL;
- }
-diff --git a/tests/virhashtest.c b/tests/virhashtest.c
-index 3b85b62c30..e9c03c1afb 100644
---- a/tests/virhashtest.c
-+++ b/tests/virhashtest.c
-@@ -221,32 +221,6 @@ testHashRemoveForEachAll(void *payload ATTRIBUTE_UNUSED,
- }
- 
- 
--const int testHashCountRemoveForEachForbidden = ARRAY_CARDINALITY(uuids);
--
--static int
--testHashRemoveForEachForbidden(void *payload ATTRIBUTE_UNUSED,
--                               const void *name,
--                               void *data)
--{
--    virHashTablePtr hash = data;
--    size_t i;
--
--    for (i = 0; i < ARRAY_CARDINALITY(uuids_subset); i++) {
--        if (STREQ(uuids_subset[i], name)) {
--            int next = (i + 1) % ARRAY_CARDINALITY(uuids_subset);
--
--            if (virHashRemoveEntry(hash, uuids_subset[next]) == 0) {
--                VIR_TEST_VERBOSE(
--                        "\nentry \"%s\" should not be allowed to be removed",
--                        uuids_subset[next]);
--            }
--            break;
--        }
--    }
--    return 0;
--}
--
--
- static int
- testHashRemoveForEach(const void *data)
- {
-@@ -303,61 +277,6 @@ testHashSteal(const void *data ATTRIBUTE_UNUSED)
- }
- 
- 
--static int
--testHashIter(void *payload ATTRIBUTE_UNUSED,
--             const void *name ATTRIBUTE_UNUSED,
--             void *data ATTRIBUTE_UNUSED)
--{
--    return 0;
--}
--
--static int
--testHashForEachIter(void *payload ATTRIBUTE_UNUSED,
--                    const void *name ATTRIBUTE_UNUSED,
--                    void *data)
--{
--    virHashTablePtr hash = data;
--
--    if (virHashAddEntry(hash, uuids_new[0], NULL) == 0)
--        VIR_TEST_VERBOSE("\nadding entries in ForEach should be forbidden");
--
--    if (virHashUpdateEntry(hash, uuids_new[0], NULL) == 0)
--        VIR_TEST_VERBOSE("\nupdating entries in ForEach should be forbidden");
--
--    if (virHashSteal(hash, uuids_new[0]) != NULL)
--        VIR_TEST_VERBOSE("\nstealing entries in ForEach should be forbidden");
--
--    if (virHashSteal(hash, uuids_new[0]) != NULL)
--        VIR_TEST_VERBOSE("\nstealing entries in ForEach should be forbidden");
--
--    if (virHashForEach(hash, testHashIter, NULL) >= 0)
--        VIR_TEST_VERBOSE("\niterating through hash in ForEach"
--                " should be forbidden");
--    return 0;
--}
--
--static int
--testHashForEach(const void *data ATTRIBUTE_UNUSED)
--{
--    virHashTablePtr hash;
--    int ret = -1;
--
--    if (!(hash = testHashInit(0)))
--        return -1;
--
--    if (virHashForEach(hash, testHashForEachIter, hash)) {
--        VIR_TEST_VERBOSE("\nvirHashForEach didn't go through all entries");
--        goto cleanup;
--    }
--
--    ret = 0;
--
-- cleanup:
--    virHashFree(hash);
--    return ret;
--}
--
--
- static int
- testHashRemoveSetIter(const void *payload ATTRIBUTE_UNUSED,
-                       const void *name,
-@@ -628,9 +547,7 @@ mymain(void)
-     DO_TEST("Remove", Remove);
-     DO_TEST_DATA("Remove in ForEach", RemoveForEach, Some);
-     DO_TEST_DATA("Remove in ForEach", RemoveForEach, All);
--    DO_TEST_DATA("Remove in ForEach", RemoveForEach, Forbidden);
-     DO_TEST("Steal", Steal);
--    DO_TEST("Forbidden ops in ForEach", ForEach);
-     DO_TEST("RemoveSet", RemoveSet);
-     DO_TEST("Search", Search);
-     DO_TEST("GetItems", GetItems);

0007-esx-Fix-double-free-and-freeing-static-strings-in-es.patch

@@ -1,64 +0,0 @@
-From: Matthias Bolte <matthias.bolte@googlemail.com>
-Date: Thu, 2 Aug 2018 17:33:37 +0200
-Subject: [PATCH] esx: Fix double-free and freeing static strings in
- esxDomainSetAutostart
-
-Since commit ae83e02f3dd7fe99fed5d8159a35b666fafeafd5#l3393 the
-newPowerInfo pointer itself is used to track the ownership of the
-AutoStartPowerInfo object to make Coverity understand the code better.
-This broke the code that unset some members of the AutoStartPowerInfo
-object that should not be freed the normal way.
-
-Instead, transfer ownership of the AutoStartPowerInfo object to the
-HostAutoStartManagerConfig object before filling in the values that
-need special handling. This allows to free the AutoStartPowerInfo
-directly without having to deal with the special values, or to let
-the old (now restored) logic handle the special values again.
-
-Signed-off-by: Matthias Bolte <matthias.bolte@googlemail.com>
-Tested-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
-Reviewed-by: John Ferlan <jferlan@redhat.com>
-(cherry picked from commit 3ad77f853230f870efa396636e008292c7f2b1c0)
----
- src/esx/esx_driver.c | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
-index b065cdc513..9a7006c6e5 100644
---- a/src/esx/esx_driver.c
-+++ b/src/esx/esx_driver.c
-@@ -3422,7 +3422,10 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     if (esxVI_AutoStartPowerInfo_Alloc(&newPowerInfo) < 0 ||
-         esxVI_Int_Alloc(&newPowerInfo->startOrder) < 0 ||
-         esxVI_Int_Alloc(&newPowerInfo->startDelay) < 0 ||
--        esxVI_Int_Alloc(&newPowerInfo->stopDelay) < 0) {
-+        esxVI_Int_Alloc(&newPowerInfo->stopDelay) < 0 ||
-+        esxVI_AutoStartPowerInfo_AppendToList(&spec->powerInfo,
-+                                              newPowerInfo) < 0) {
-+        esxVI_AutoStartPowerInfo_Free(&newPowerInfo);
-         goto cleanup;
-     }
- 
-@@ -3434,13 +3437,6 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     newPowerInfo->stopDelay->value = -1; /* use system default */
-     newPowerInfo->stopAction = (char *)"none";
- 
--    if (esxVI_AutoStartPowerInfo_AppendToList(&spec->powerInfo,
--                                              newPowerInfo) < 0) {
--        goto cleanup;
--    }
--
--    newPowerInfo = NULL;
--
-     if (esxVI_ReconfigureAutostart
-           (priv->primary,
-            priv->primary->hostSystem->configManager->autoStartManager,
-@@ -3462,8 +3458,6 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     esxVI_AutoStartDefaults_Free(&defaults);
-     esxVI_AutoStartPowerInfo_Free(&powerInfoList);
- 
--    esxVI_AutoStartPowerInfo_Free(&newPowerInfo);
--
-     return result;
- }
- 

0008-cpu_x86-Do-not-cache-microcode-version.patch

@@ -1,55 +0,0 @@
-From 8d6ab7976fa691763fc05a154f2bab865d435b00 Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 5 Apr 2019 11:33:32 +0200
-Subject: [PATCH 1/4] cpu_x86: Do not cache microcode version
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The microcode version checks are used to invalidate cached CPU data we
-get from QEMU. To minimize /proc/cpuinfo parsing the microcode version
-was only read when libvirtd started and cached for the daemon's
-lifetime. However, the CPU microcode can change anytime (updating the
-microcode package can automatically upload it to the CPU) and we need to
-stop caching it to avoid using stale CPU model data.
-
-Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-(cherry picked from commit be46f613261d3b655a1f15afd635087e68a9c39b)
----
- src/cpu/cpu_x86.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
-index b2398c5ad2..38cab15c59 100644
---- a/src/cpu/cpu_x86.c
-+++ b/src/cpu/cpu_x86.c
-@@ -154,7 +154,6 @@ struct _virCPUx86Map {
- };
- 
- static virCPUx86MapPtr cpuMap;
--static unsigned int microcodeVersion;
- 
- int virCPUx86DriverOnceInit(void);
- VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
-@@ -1413,8 +1412,6 @@ virCPUx86DriverOnceInit(void)
-     if (!(cpuMap = virCPUx86LoadMap()))
-         return -1;
- 
--    microcodeVersion = virHostCPUGetMicrocodeVersion();
--
-     return 0;
- }
- 
-@@ -2454,7 +2451,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
-         goto cleanup;
- 
-     ret = x86DecodeCPUData(cpu, cpuData, models);
--    cpu->microcodeVersion = microcodeVersion;
-+    cpu->microcodeVersion = virHostCPUGetMicrocodeVersion();
- 
-  cleanup:
-     virCPUx86DataFree(cpuData);
--- 
-2.21.0
-

0009-qemu-Don-t-cache-microcode-version.patch

@@ -1,155 +0,0 @@
-From cb6bcb0312a33a0b6a48d0ee1f368c9080e4a13d Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 12 Apr 2019 21:21:05 +0200
-Subject: [PATCH 2/4] qemu: Don't cache microcode version
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-My earlier commit be46f61326 was incomplete. It removed caching of
-microcode version in the CPU driver, which means the capabilities XML
-will see the correct microcode version. But it is also cached in the
-QEMU capabilities cache where it is used to detect whether we need to
-reprobe QEMU. By missing the second place, the original commit
-be46f61326 made the situation even worse since libvirt would report
-correct microcode version while still using the old host CPU model
-(visible in domain capabilities XML).
-
-Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-(cherry picked from commit 673c62a3b7855a0685d8f116e227c402720b9ee9)
-
-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
-
-Conflicts:
-	src/qemu/qemu_capabilities.c
-            - virQEMUCapsCacheLookupByArch refactoring (commits
-              7948ad4129a and 1a3de67001c) are missing
-            - commit a7424faff0f "Force QMP capability probing" is
-              missing downstream
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/qemu/qemu_capabilities.c | 12 ++++++++----
- src/qemu/qemu_capabilities.h |  3 +--
- src/qemu/qemu_driver.c       |  9 +--------
- tests/testutilsqemu.c        |  2 +-
- 4 files changed, 11 insertions(+), 15 deletions(-)
-
-diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
-index b5eb8cf46a..17eb6579bf 100644
---- a/src/qemu/qemu_capabilities.c
-+++ b/src/qemu/qemu_capabilities.c
-@@ -5343,7 +5343,7 @@ virQEMUCapsNewData(const char *binary,
-                                            priv->libDir,
-                                            priv->runUid,
-                                            priv->runGid,
--                                           priv->microcodeVersion,
-+                                           virHostCPUGetMicrocodeVersion(),
-                                            priv->kernelVersion,
-                                            false);
- }
-@@ -5427,8 +5427,7 @@ virFileCachePtr
- virQEMUCapsCacheNew(const char *libDir,
-                     const char *cacheDir,
-                     uid_t runUid,
--                    gid_t runGid,
--                    unsigned int microcodeVersion)
-+                    gid_t runGid)
- {
-     char *capsCacheDir = NULL;
-     virFileCachePtr cache = NULL;
-@@ -5452,7 +5451,6 @@ virQEMUCapsCacheNew(const char *libDir,
- 
-     priv->runUid = runUid;
-     priv->runGid = runGid;
--    priv->microcodeVersion = microcodeVersion;
- 
-     if (uname(&uts) == 0 &&
-         virAsprintf(&priv->kernelVersion, "%s %s", uts.release, uts.version) < 0)
-@@ -5473,8 +5471,11 @@ virQEMUCapsPtr
- virQEMUCapsCacheLookup(virFileCachePtr cache,
-                        const char *binary)
- {
-+    virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
-     virQEMUCapsPtr ret = NULL;
- 
-+    priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
-+
-     ret = virFileCacheLookup(cache, binary);
- 
-     VIR_DEBUG("Returning caps %p for %s", ret, binary);
-@@ -5520,10 +5521,13 @@ virQEMUCapsPtr
- virQEMUCapsCacheLookupByArch(virFileCachePtr cache,
-                              virArch arch)
- {
-+    virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
-     virQEMUCapsPtr ret = NULL;
-     virArch target;
-     struct virQEMUCapsSearchData data = { .arch = arch };
- 
-+    priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
-+
-     ret = virFileCacheLookupByFunc(cache, virQEMUCapsCompareArch, &data);
-     if (!ret) {
-         /* If the first attempt at finding capabilities has failed, try
-diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
-index c2ec2be193..7fd51f5fa0 100644
---- a/src/qemu/qemu_capabilities.h
-+++ b/src/qemu/qemu_capabilities.h
-@@ -524,8 +524,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
- virFileCachePtr virQEMUCapsCacheNew(const char *libDir,
-                                     const char *cacheDir,
-                                     uid_t uid,
--                                    gid_t gid,
--                                    unsigned int microcodeVersion);
-+                                    gid_t gid);
- virQEMUCapsPtr virQEMUCapsCacheLookup(virFileCachePtr cache,
-                                       const char *binary);
- virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache,
-diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
-index 96454c17c0..bb38904090 100644
---- a/src/qemu/qemu_driver.c
-+++ b/src/qemu/qemu_driver.c
-@@ -610,8 +610,6 @@ qemuStateInitialize(bool privileged,
-     char *hugepagePath = NULL;
-     char *memoryBackingPath = NULL;
-     size_t i;
--    virCPUDefPtr hostCPU = NULL;
--    unsigned int microcodeVersion = 0;
- 
-     if (VIR_ALLOC(qemu_driver) < 0)
-         return -1;
-@@ -831,15 +829,10 @@ qemuStateInitialize(bool privileged,
-         run_gid = cfg->group;
-     }
- 
--    if ((hostCPU = virCPUProbeHost(virArchFromHost())))
--        microcodeVersion = hostCPU->microcodeVersion;
--    virCPUDefFree(hostCPU);
--
-     qemu_driver->qemuCapsCache = virQEMUCapsCacheNew(cfg->libDir,
-                                                      cfg->cacheDir,
-                                                      run_uid,
--                                                     run_gid,
--                                                     microcodeVersion);
-+                                                     run_gid);
-     if (!qemu_driver->qemuCapsCache)
-         goto error;
- 
-diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c
-index f8182033fc..2c7124bf26 100644
---- a/tests/testutilsqemu.c
-+++ b/tests/testutilsqemu.c
-@@ -603,7 +603,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)
- 
-     /* Using /dev/null for libDir and cacheDir automatically produces errors
-      * upon attempt to use any of them */
--    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0, 0);
-+    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0);
-     if (!driver->qemuCapsCache)
-         goto error;
- 
--- 
-2.21.0
-

0010-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch

@@ -1,886 +0,0 @@
-From 36151b10d3e1f8f92f4ad6b8200ce5355b7f96f0 Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 5 Apr 2019 11:19:30 +0200
-Subject: [PATCH 3/4] cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-(cherry picked from commit 5cd9db3ac11e88846cbcf95fad9f6fae9d880dee)
-
-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
-
-Conflicts:
-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-            - intel-pt feature is missing
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- tests/cputest.c                               |   1 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml |   7 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml  |   8 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml    |  27 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml     |  28 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml     |  11 +
- .../x86_64-cpuid-Xeon-E3-1225-v5.json         | 652 ++++++++++++++++++
- .../x86_64-cpuid-Xeon-E3-1225-v5.sig          |   4 +
- .../x86_64-cpuid-Xeon-E3-1225-v5.xml          |  47 ++
- 9 files changed, 785 insertions(+)
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
- create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
-
-diff --git a/tests/cputest.c b/tests/cputest.c
-index 1e79edbef7..2df1d28e39 100644
---- a/tests/cputest.c
-+++ b/tests/cputest.c
-@@ -1189,6 +1189,7 @@ mymain(void)
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST);
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST);
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE);
-+    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1225-v5", JSON_MODELS);
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1245-v5", JSON_MODELS);
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2609-v3", JSON_MODELS);
-     DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2623-v4", JSON_MODELS);
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
-new file mode 100644
-index 0000000000..ce51903e53
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
-@@ -0,0 +1,7 @@
-+<!-- Features disabled by QEMU -->
-+<cpudata arch='x86'>
-+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x0800c1fc' edx='0xb0600000'/>
-+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x02000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
-+</cpudata>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
-new file mode 100644
-index 0000000000..0deca9fba6
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
-@@ -0,0 +1,8 @@
-+<!-- Features enabled by QEMU -->
-+<cpudata arch='x86'>
-+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
-+  <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
-+</cpudata>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-new file mode 100644
-index 0000000000..141c01c841
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-@@ -0,0 +1,27 @@
-+<cpu mode='custom' match='exact'>
-+  <model fallback='forbid'>Skylake-Client-IBRS</model>
-+  <vendor>Intel</vendor>
-+  <feature policy='require' name='ds'/>
-+  <feature policy='require' name='acpi'/>
-+  <feature policy='require' name='ss'/>
-+  <feature policy='require' name='ht'/>
-+  <feature policy='require' name='tm'/>
-+  <feature policy='require' name='pbe'/>
-+  <feature policy='require' name='dtes64'/>
-+  <feature policy='require' name='monitor'/>
-+  <feature policy='require' name='ds_cpl'/>
-+  <feature policy='require' name='vmx'/>
-+  <feature policy='require' name='smx'/>
-+  <feature policy='require' name='est'/>
-+  <feature policy='require' name='tm2'/>
-+  <feature policy='require' name='xtpr'/>
-+  <feature policy='require' name='pdcm'/>
-+  <feature policy='require' name='osxsave'/>
-+  <feature policy='require' name='tsc_adjust'/>
-+  <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='stibp'/>
-+  <feature policy='require' name='ssbd'/>
-+  <feature policy='require' name='xsaves'/>
-+  <feature policy='require' name='pdpe1gb'/>
-+  <feature policy='require' name='invtsc'/>
-+</cpu>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-new file mode 100644
-index 0000000000..53bfc9728d
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-@@ -0,0 +1,28 @@
-+<cpu>
-+  <arch>x86_64</arch>
-+  <model>Skylake-Client-IBRS</model>
-+  <vendor>Intel</vendor>
-+  <feature name='ds'/>
-+  <feature name='acpi'/>
-+  <feature name='ss'/>
-+  <feature name='ht'/>
-+  <feature name='tm'/>
-+  <feature name='pbe'/>
-+  <feature name='dtes64'/>
-+  <feature name='monitor'/>
-+  <feature name='ds_cpl'/>
-+  <feature name='vmx'/>
-+  <feature name='smx'/>
-+  <feature name='est'/>
-+  <feature name='tm2'/>
-+  <feature name='xtpr'/>
-+  <feature name='pdcm'/>
-+  <feature name='osxsave'/>
-+  <feature name='tsc_adjust'/>
-+  <feature name='clflushopt'/>
-+  <feature name='stibp'/>
-+  <feature name='ssbd'/>
-+  <feature name='xsaves'/>
-+  <feature name='pdpe1gb'/>
-+  <feature name='invtsc'/>
-+</cpu>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-new file mode 100644
-index 0000000000..1f321db273
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-@@ -0,0 +1,11 @@
-+<cpu mode='custom' match='exact'>
-+  <model fallback='forbid'>Skylake-Client-IBRS</model>
-+  <vendor>Intel</vendor>
-+  <feature policy='require' name='ss'/>
-+  <feature policy='require' name='hypervisor'/>
-+  <feature policy='require' name='tsc_adjust'/>
-+  <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='stibp'/>
-+  <feature policy='require' name='ssbd'/>
-+  <feature policy='require' name='pdpe1gb'/>
-+</cpu>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
-new file mode 100644
-index 0000000000..084747556b
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
-@@ -0,0 +1,652 @@
-+{
-+  "return": {
-+    "model": {
-+      "name": "base",
-+      "props": {
-+        "phys-bits": 0,
-+        "core-id": -1,
-+        "xlevel": 2147483656,
-+        "cmov": true,
-+        "ia64": false,
-+        "aes": true,
-+        "mmx": true,
-+        "rdpid": false,
-+        "arat": true,
-+        "gfni": false,
-+        "pause-filter": false,
-+        "xsavec": true,
-+        "intel-pt": false,
-+        "osxsave": false,
-+        "hv-frequencies": false,
-+        "tsc-frequency": 0,
-+        "xd": true,
-+        "hv-vendor-id": "",
-+        "kvm-asyncpf": true,
-+        "kvm_asyncpf": true,
-+        "perfctr_core": false,
-+        "perfctr-core": false,
-+        "mpx": true,
-+        "pbe": false,
-+        "decodeassists": false,
-+        "avx512cd": false,
-+        "sse4_1": true,
-+        "sse4.1": true,
-+        "sse4-1": true,
-+        "family": 6,
-+        "legacy-cache": true,
-+        "vmware-cpuid-freq": true,
-+        "avx512f": false,
-+        "msr": true,
-+        "mce": true,
-+        "mca": true,
-+        "hv-runtime": false,
-+        "xcrypt": false,
-+        "thread-id": -1,
-+        "min-level": 13,
-+        "xgetbv1": true,
-+        "cid": false,
-+        "hv-relaxed": false,
-+        "hv-crash": false,
-+        "ds": false,
-+        "fxsr": true,
-+        "xsaveopt": true,
-+        "xtpr": false,
-+        "avx512vl": false,
-+        "avx512-vpopcntdq": false,
-+        "phe": false,
-+        "extapic": false,
-+        "3dnowprefetch": true,
-+        "avx512vbmi2": false,
-+        "cr8legacy": false,
-+        "stibp": true,
-+        "cpuid-0xb": true,
-+        "xcrypt-en": false,
-+        "kvm_pv_eoi": true,
-+        "apic-id": 4294967295,
-+        "pn": false,
-+        "dca": false,
-+        "vendor": "GenuineIntel",
-+        "pku": false,
-+        "smx": false,
-+        "cmp_legacy": false,
-+        "cmp-legacy": false,
-+        "node-id": -1,
-+        "avx512-4fmaps": false,
-+        "vmcb_clean": false,
-+        "vmcb-clean": false,
-+        "3dnowext": false,
-+        "hle": true,
-+        "npt": false,
-+        "memory": "/machine/unattached/system[0]",
-+        "clwb": false,
-+        "lbrv": false,
-+        "adx": true,
-+        "ss": true,
-+        "pni": true,
-+        "svm_lock": false,
-+        "svm-lock": false,
-+        "pfthreshold": false,
-+        "smep": true,
-+        "smap": true,
-+        "x2apic": true,
-+        "avx512vbmi": false,
-+        "avx512vnni": false,
-+        "hv-stimer": false,
-+        "i64": true,
-+        "flushbyasid": false,
-+        "f16c": true,
-+        "ace2-en": false,
-+        "pat": true,
-+        "pae": true,
-+        "sse": true,
-+        "phe-en": false,
-+        "kvm_nopiodelay": true,
-+        "kvm-nopiodelay": true,
-+        "tm": false,
-+        "kvmclock-stable-bit": true,
-+        "hypervisor": true,
-+        "socket-id": -1,
-+        "pcommit": false,
-+        "syscall": true,
-+        "level": 13,
-+        "avx512dq": false,
-+        "svm": false,
-+        "full-cpuid-auto-level": true,
-+        "hv-reset": false,
-+        "invtsc": false,
-+        "sse3": true,
-+        "sse2": true,
-+        "ssbd": true,
-+        "est": false,
-+        "avx512ifma": false,
-+        "tm2": false,
-+        "kvm-pv-eoi": true,
-+        "cx8": true,
-+        "kvm_mmu": false,
-+        "kvm-mmu": false,
-+        "sse4_2": true,
-+        "sse4.2": true,
-+        "sse4-2": true,
-+        "pge": true,
-+        "fill-mtrr-mask": true,
-+        "avx512bitalg": false,
-+        "nodeid_msr": false,
-+        "pdcm": false,
-+        "movbe": true,
-+        "model": 94,
-+        "nrip_save": false,
-+        "nrip-save": false,
-+        "kvm_pv_unhalt": true,
-+        "ssse3": true,
-+        "sse4a": false,
-+        "invpcid": true,
-+        "pdpe1gb": true,
-+        "tsc-deadline": true,
-+        "fma": true,
-+        "cx16": true,
-+        "de": true,
-+        "enforce": false,
-+        "stepping": 3,
-+        "xsave": true,
-+        "clflush": true,
-+        "skinit": false,
-+        "tsc": true,
-+        "tce": false,
-+        "fpu": true,
-+        "ibs": false,
-+        "ds_cpl": false,
-+        "ds-cpl": false,
-+        "host-phys-bits": true,
-+        "fma4": false,
-+        "la57": false,
-+        "osvw": false,
-+        "check": true,
-+        "hv-spinlocks": -1,
-+        "pmu": false,
-+        "pmm": false,
-+        "apic": true,
-+        "spec-ctrl": true,
-+        "min-xlevel2": 0,
-+        "tsc-adjust": true,
-+        "tsc_adjust": true,
-+        "kvm-steal-time": true,
-+        "kvm_steal_time": true,
-+        "kvmclock": true,
-+        "l3-cache": true,
-+        "lwp": false,
-+        "ibpb": false,
-+        "xop": false,
-+        "avx": true,
-+        "ospke": false,
-+        "ace2": false,
-+        "avx512bw": false,
-+        "acpi": false,
-+        "hv-vapic": false,
-+        "fsgsbase": true,
-+        "ht": false,
-+        "nx": true,
-+        "pclmulqdq": true,
-+        "mmxext": false,
-+        "vaes": false,
-+        "popcnt": true,
-+        "xsaves": false,
-+        "tcg-cpuid": true,
-+        "lm": true,
-+        "umip": false,
-+        "pse": true,
-+        "avx2": true,
-+        "sep": true,
-+        "pclmuldq": true,
-+        "virt-ssbd": false,
-+        "x-hv-max-vps": -1,
-+        "nodeid-msr": false,
-+        "md-clear": true,
-+        "kvm": true,
-+        "misalignsse": false,
-+        "min-xlevel": 2147483656,
-+        "kvm-pv-unhalt": true,
-+        "bmi2": true,
-+        "bmi1": true,
-+        "realized": false,
-+        "tsc_scale": false,
-+        "tsc-scale": false,
-+        "topoext": false,
-+        "hv-vpindex": false,
-+        "xlevel2": 0,
-+        "clflushopt": true,
-+        "kvm-no-smi-migration": false,
-+        "monitor": false,
-+        "avx512er": false,
-+        "pmm-en": false,
-+        "pcid": true,
-+        "3dnow": false,
-+        "erms": true,
-+        "lahf-lm": true,
-+        "lahf_lm": true,
-+        "vpclmulqdq": false,
-+        "fxsr-opt": false,
-+        "hv-synic": false,
-+        "xstore": false,
-+        "fxsr_opt": false,
-+        "kvm-hint-dedicated": false,
-+        "rtm": true,
-+        "lmce": true,
-+        "hv-time": false,
-+        "perfctr-nb": false,
-+        "perfctr_nb": false,
-+        "ffxsr": false,
-+        "rdrand": true,
-+        "rdseed": true,
-+        "avx512-4vnniw": false,
-+        "vmx": false,
-+        "vme": true,
-+        "dtes64": false,
-+        "mtrr": true,
-+        "rdtscp": true,
-+        "pse36": true,
-+        "kvm-pv-tlb-flush": false,
-+        "tbm": false,
-+        "wdt": false,
-+        "pause_filter": false,
-+        "sha-ni": false,
-+        "model-id": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz",
-+        "abm": true,
-+        "avx512pf": false,
-+        "xstore-en": false
-+      }
-+    }
-+  },
-+  "id": "model-expansion"
-+}
-+
-+{
-+  "return": [
-+    {
-+      "name": "max",
-+      "typename": "max-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": false
-+    },
-+    {
-+      "name": "host",
-+      "typename": "host-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": false
-+    },
-+    {
-+      "name": "base",
-+      "typename": "base-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": true,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "qemu64",
-+      "typename": "qemu64-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "qemu32",
-+      "typename": "qemu32-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "phenom",
-+      "typename": "phenom-x86_64-cpu",
-+      "unavailable-features": [
-+        "mmxext",
-+        "fxsr-opt",
-+        "3dnowext",
-+        "3dnow",
-+        "sse4a",
-+        "npt"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "pentium3",
-+      "typename": "pentium3-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "pentium2",
-+      "typename": "pentium2-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "pentium",
-+      "typename": "pentium-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "n270",
-+      "typename": "n270-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "kvm64",
-+      "typename": "kvm64-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "kvm32",
-+      "typename": "kvm32-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "cpu64-rhel6",
-+      "typename": "cpu64-rhel6-x86_64-cpu",
-+      "unavailable-features": [
-+        "sse4a"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "coreduo",
-+      "typename": "coreduo-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "core2duo",
-+      "typename": "core2duo-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "athlon",
-+      "typename": "athlon-x86_64-cpu",
-+      "unavailable-features": [
-+        "mmxext",
-+        "3dnowext",
-+        "3dnow"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Westmere",
-+      "typename": "Westmere-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Westmere-IBRS",
-+      "typename": "Westmere-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Skylake-Server",
-+      "typename": "Skylake-Server-x86_64-cpu",
-+      "unavailable-features": [
-+        "avx512f",
-+        "avx512dq",
-+        "clwb",
-+        "avx512cd",
-+        "avx512bw",
-+        "avx512vl",
-+        "avx512f",
-+        "avx512f",
-+        "avx512f"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Skylake-Server-IBRS",
-+      "typename": "Skylake-Server-IBRS-x86_64-cpu",
-+      "unavailable-features": [
-+        "avx512f",
-+        "avx512dq",
-+        "clwb",
-+        "avx512cd",
-+        "avx512bw",
-+        "avx512vl",
-+        "avx512f",
-+        "avx512f",
-+        "avx512f"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Skylake-Client",
-+      "typename": "Skylake-Client-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Skylake-Client-IBRS",
-+      "typename": "Skylake-Client-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "SandyBridge",
-+      "typename": "SandyBridge-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "SandyBridge-IBRS",
-+      "typename": "SandyBridge-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Penryn",
-+      "typename": "Penryn-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Opteron_G5",
-+      "typename": "Opteron_G5-x86_64-cpu",
-+      "unavailable-features": [
-+        "sse4a",
-+        "misalignsse",
-+        "xop",
-+        "fma4",
-+        "tbm"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Opteron_G4",
-+      "typename": "Opteron_G4-x86_64-cpu",
-+      "unavailable-features": [
-+        "sse4a",
-+        "misalignsse",
-+        "xop",
-+        "fma4"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Opteron_G3",
-+      "typename": "Opteron_G3-x86_64-cpu",
-+      "unavailable-features": [
-+        "sse4a",
-+        "misalignsse"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Opteron_G2",
-+      "typename": "Opteron_G2-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Opteron_G1",
-+      "typename": "Opteron_G1-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Nehalem",
-+      "typename": "Nehalem-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Nehalem-IBRS",
-+      "typename": "Nehalem-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "IvyBridge",
-+      "typename": "IvyBridge-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "IvyBridge-IBRS",
-+      "typename": "IvyBridge-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Haswell",
-+      "typename": "Haswell-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Haswell-noTSX",
-+      "typename": "Haswell-noTSX-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Haswell-noTSX-IBRS",
-+      "typename": "Haswell-noTSX-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Haswell-IBRS",
-+      "typename": "Haswell-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "EPYC",
-+      "typename": "EPYC-x86_64-cpu",
-+      "unavailable-features": [
-+        "sha-ni",
-+        "mmxext",
-+        "fxsr-opt",
-+        "cr8legacy",
-+        "sse4a",
-+        "misalignsse",
-+        "osvw"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "EPYC-IBPB",
-+      "typename": "EPYC-IBPB-x86_64-cpu",
-+      "unavailable-features": [
-+        "sha-ni",
-+        "mmxext",
-+        "fxsr-opt",
-+        "cr8legacy",
-+        "sse4a",
-+        "misalignsse",
-+        "osvw",
-+        "ibpb"
-+      ],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Conroe",
-+      "typename": "Conroe-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Broadwell",
-+      "typename": "Broadwell-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Broadwell-noTSX",
-+      "typename": "Broadwell-noTSX-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Broadwell-noTSX-IBRS",
-+      "typename": "Broadwell-noTSX-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "Broadwell-IBRS",
-+      "typename": "Broadwell-IBRS-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    },
-+    {
-+      "name": "486",
-+      "typename": "486-x86_64-cpu",
-+      "unavailable-features": [],
-+      "static": false,
-+      "migration-safe": true
-+    }
-+  ],
-+  "id": "definitions"
-+}
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
-new file mode 100644
-index 0000000000..7e57c2ded6
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
-@@ -0,0 +1,4 @@
-+0506e3
-+family:     6 (0x06)
-+model:     94 (0x5e)
-+stepping:   3 (0x03)
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
-new file mode 100644
-index 0000000000..437429d61d
---- /dev/null
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
-@@ -0,0 +1,47 @@
-+<!-- Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz -->
-+<cpudata arch='x86'>
-+  <cpuid eax_in='0x00000000' ecx_in='0x00' eax='0x00000016' ebx='0x756e6547' ecx='0x6c65746e' edx='0x49656e69'/>
-+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x000506e3' ebx='0x06100800' ecx='0x7ffafbff' edx='0xbfebfbff'/>
-+  <cpuid eax_in='0x00000002' ecx_in='0x00' eax='0x76036301' ebx='0x00f0b6ff' ecx='0x00000000' edx='0x00c30000'/>
-+  <cpuid eax_in='0x00000003' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000004' ecx_in='0x00' eax='0x1c004121' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000004' ecx_in='0x01' eax='0x1c004122' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000004' ecx_in='0x02' eax='0x1c004143' ebx='0x00c0003f' ecx='0x000003ff' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000004' ecx_in='0x03' eax='0x1c03c163' ebx='0x03c0003f' ecx='0x00001fff' edx='0x00000006'/>
-+  <cpuid eax_in='0x00000005' ecx_in='0x00' eax='0x00000040' ebx='0x00000040' ecx='0x00000003' edx='0x00142120'/>
-+  <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x000027f7' ebx='0x00000002' ecx='0x00000009' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x029c6fbf' ecx='0x00000000' edx='0x9c002400'/>
-+  <cpuid eax_in='0x00000008' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000009' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000a' ecx_in='0x00' eax='0x07300804' ebx='0x00000000' ecx='0x00000000' edx='0x00000603'/>
-+  <cpuid eax_in='0x0000000b' ecx_in='0x00' eax='0x00000001' ebx='0x00000001' ecx='0x00000100' edx='0x00000006'/>
-+  <cpuid eax_in='0x0000000b' ecx_in='0x01' eax='0x00000004' ebx='0x00000004' ecx='0x00000201' edx='0x00000006'/>
-+  <cpuid eax_in='0x0000000c' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x00' eax='0x0000001f' ebx='0x00000440' ecx='0x00000440' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x000003c0' ecx='0x00000100' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x02' eax='0x00000100' ebx='0x00000240' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x03' eax='0x00000040' ebx='0x000003c0' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x04' eax='0x00000040' ebx='0x00000400' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000d' ecx_in='0x08' eax='0x00000080' ebx='0x00000000' ecx='0x00000001' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000e' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x0000000f' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000010' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000011' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000012' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000013' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000014' ecx_in='0x00' eax='0x00000001' ebx='0x0000000f' ecx='0x00000007' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000014' ecx_in='0x01' eax='0x02490002' ebx='0x003f3fff' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000015' ecx_in='0x00' eax='0x00000002' ebx='0x00000114' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x00000016' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000000' ecx_in='0x00' eax='0x80000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
-+  <cpuid eax_in='0x80000002' ecx_in='0x00' eax='0x65746e49' ebx='0x2952286c' ecx='0x6f655820' edx='0x2952286e'/>
-+  <cpuid eax_in='0x80000003' ecx_in='0x00' eax='0x55504320' ebx='0x2d334520' ecx='0x35323231' edx='0x20357620'/>
-+  <cpuid eax_in='0x80000004' ecx_in='0x00' eax='0x2e332040' ebx='0x48473033' ecx='0x0000007a' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000005' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000006' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x01006040' edx='0x00000000'/>
-+  <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
-+  <cpuid eax_in='0x80000008' ecx_in='0x00' eax='0x00003027' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-+  <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
-+  <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
-+</cpudata>
--- 
-2.21.0
-

0011-cpu_map-Define-md-clear-CPUID-bit.patch

@@ -1,105 +0,0 @@
-From 7bde733e906a9eb513448fd58201a333a1793811 Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 5 Apr 2019 15:11:20 +0200
-Subject: [PATCH 4/4] cpu_map: Define md-clear CPUID bit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
-
-The bit is set when microcode provides the mechanism to invoke a flush
-of various exploitable CPU buffers by invoking the VERW instruction.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-(cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85)
-
-Conflicts:
-	src/cpu_map/x86_features.xml
-            - no CPU map split downstream
-
-	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml
-	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml
-            - test data missing downstream
-
-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-            - intel-pt feature is missing downstream
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/cpu/cpu_map.xml                                        | 3 +++
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +-
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml   | 1 +
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml    | 1 +
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml    | 1 +
- 5 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 96daa0f9af..250e241df9 100644
---- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -295,6 +295,9 @@
-     <feature name='avx512-4fmaps'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
-     </feature>
-+    <feature name='md-clear'> <!-- md_clear -->
-+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
-+    </feature>
-     <feature name='spec-ctrl'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
-     </feature>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
-index 0deca9fba6..74763a462b 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
-@@ -2,7 +2,7 @@
- <cpudata arch='x86'>
-   <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
-   <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
--  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/>
-+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/>
-   <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
-   <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
- </cpudata>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-index 141c01c841..3b3472742e 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-@@ -19,6 +19,7 @@
-   <feature policy='require' name='osxsave'/>
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='md-clear'/>
-   <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='xsaves'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-index 53bfc9728d..df4f97417c 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-@@ -20,6 +20,7 @@
-   <feature name='osxsave'/>
-   <feature name='tsc_adjust'/>
-   <feature name='clflushopt'/>
-+  <feature name='md-clear'/>
-   <feature name='stibp'/>
-   <feature name='ssbd'/>
-   <feature name='xsaves'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-index 1f321db273..a5591278df 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-@@ -5,6 +5,7 @@
-   <feature policy='require' name='hypervisor'/>
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='md-clear'/>
-   <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='pdpe1gb'/>
--- 
-2.21.0
-

0012-cpu-remove-stibp-flag-from-test-data.patch

@@ -1,56 +0,0 @@
-From 4cb90fa2335b75a0fc39440853bd681955b326a4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 14 May 2019 21:09:59 +0100
-Subject: [PATCH] cputest: remove stibp flag from test data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-stibp flag doesn't exist in this maint branch.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 -
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml  | 1 -
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml  | 1 -
- 3 files changed, 3 deletions(-)
-
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-index 3b3472742e..29c1fdb80a 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-@@ -20,7 +20,6 @@
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-   <feature policy='require' name='md-clear'/>
--  <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='xsaves'/>
-   <feature policy='require' name='pdpe1gb'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-index df4f97417c..2003ca9ef6 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-@@ -21,7 +21,6 @@
-   <feature name='tsc_adjust'/>
-   <feature name='clflushopt'/>
-   <feature name='md-clear'/>
--  <feature name='stibp'/>
-   <feature name='ssbd'/>
-   <feature name='xsaves'/>
-   <feature name='pdpe1gb'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-index a5591278df..d6529c59a3 100644
---- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-@@ -6,7 +6,6 @@
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-   <feature policy='require' name='md-clear'/>
--  <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='pdpe1gb'/>
- </cpu>
--- 
-2.21.0
-

0013-admin-reject-clients-unless-their-UID-matches-the-cu.patch

@@ -1,58 +0,0 @@
-From 39fb5ab3125d1669344bab94ccb71bce814d9ae2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 30 Apr 2019 17:26:13 +0100
-Subject: [PATCH 1/3] admin: reject clients unless their UID matches the
- current UID
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The admin protocol RPC messages are only intended for use by the user
-running the daemon. As such they should not be allowed for any client
-UID that does not match the server UID.
-
-Fixes CVE-2019-10132
-
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
----
- src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
-index b78ff902c0..9f25813ae3 100644
---- a/src/admin/admin_server_dispatch.c
-+++ b/src/admin/admin_server_dispatch.c
-@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
-                    void *opaque)
- {
-     struct daemonAdmClientPrivate *priv;
-+    uid_t clientuid;
-+    gid_t clientgid;
-+    pid_t clientpid;
-+    unsigned long long timestamp;
-+
-+    if (virNetServerClientGetUNIXIdentity(client,
-+                                          &clientuid,
-+                                          &clientgid,
-+                                          &clientpid,
-+                                          &timestamp) < 0)
-+        return NULL;
-+
-+    VIR_DEBUG("New client pid %lld uid %lld",
-+              (long long)clientpid,
-+              (long long)clientuid);
-+
-+    if (geteuid() != clientuid) {
-+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
-+                                 (long long)clientpid,
-+                                 (long long)clientuid);
-+        return NULL;
-+    }
- 
-     if (VIR_ALLOC(priv) < 0)
-         return NULL;
--- 
-2.21.0
-

0014-locking-restrict-sockets-to-mode-0600.patch

@@ -1,51 +0,0 @@
-From 41f06e6095e17b61b2af35821d204afc5c34777c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 30 Apr 2019 16:51:37 +0100
-Subject: [PATCH 2/3] locking: restrict sockets to mode 0600
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The virtlockd daemon's only intended client is the libvirtd daemon. As
-such it should never allow clients from other user accounts to connect.
-The code already enforces this and drops clients from other UIDs, but
-we can get earlier (and thus stronger) protection against DoS by setting
-the socket permissions to 0600
-
-Fixes CVE-2019-10132
-
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
----
- src/locking/virtlockd-admin.socket.in | 1 +
- src/locking/virtlockd.socket.in       | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
-index 2a7500f3d0..f674c492f7 100644
---- a/src/locking/virtlockd-admin.socket.in
-+++ b/src/locking/virtlockd-admin.socket.in
-@@ -5,6 +5,7 @@ Before=libvirtd.service
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
- Service=virtlockd.service
-+SocketMode=0600
- 
- [Install]
- WantedBy=sockets.target
-diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
-index 45e0f20235..d701b27516 100644
---- a/src/locking/virtlockd.socket.in
-+++ b/src/locking/virtlockd.socket.in
-@@ -4,6 +4,7 @@ Before=libvirtd.service
- 
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
-+SocketMode=0600
- 
- [Install]
- WantedBy=sockets.target
--- 
-2.21.0
-

0015-logging-restrict-sockets-to-mode-0600.patch

@@ -1,51 +0,0 @@
-From f0e014133104cdb5af5c7d96a7aa6dc0f1bbb03c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 30 Apr 2019 17:27:41 +0100
-Subject: [PATCH 3/3] logging: restrict sockets to mode 0600
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The virtlogd daemon's only intended client is the libvirtd daemon. As
-such it should never allow clients from other user accounts to connect.
-The code already enforces this and drops clients from other UIDs, but
-we can get earlier (and thus stronger) protection against DoS by setting
-the socket permissions to 0600
-
-Fixes CVE-2019-10132
-
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
----
- src/logging/virtlogd-admin.socket.in | 1 +
- src/logging/virtlogd.socket.in       | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
-index 595e6c4c4b..5c41dfeb7b 100644
---- a/src/logging/virtlogd-admin.socket.in
-+++ b/src/logging/virtlogd-admin.socket.in
-@@ -5,6 +5,7 @@ Before=libvirtd.service
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
- Service=virtlogd.service
-+SocketMode=0600
- 
- [Install]
- WantedBy=sockets.target
-diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
-index 22b9360c8d..ae48cdab9a 100644
---- a/src/logging/virtlogd.socket.in
-+++ b/src/logging/virtlogd.socket.in
-@@ -4,6 +4,7 @@ Before=libvirtd.service
- 
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
-+SocketMode=0600
- 
- [Install]
- WantedBy=sockets.target
--- 
-2.21.0
-

branch

@@ -0,0 +1 @@
+F-13

libvirt-0.8.2-01-extract-backing-store-format.patch

@@ -0,0 +1,356 @@
+From 953440bd12608a20007ee5da5ab69fbbe910bd28 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Mon, 14 Jun 2010 15:53:59 +0100
+Subject: [PATCH 01/11] Extract the backing store format as well as name, if available
+
+When QEMU opens a backing store for a QCow2 file, it will
+normally auto-probe for the format of the backing store,
+rather than assuming it has the same format as the referencing
+file. There is a QCow2 extension that allows an explicit format
+for the backing store to be embedded in the referencing file.
+This closes the auto-probing security hole in QEMU.
+
+This backing store format can be useful for libvirt users
+of virStorageFileGetMetadata, so extract this data and report
+it.
+
+QEMU does not require disk image backing store files to be in
+the same format the file linkee. It will auto-probe the disk
+format for the backing store when opening it. If the backing
+store was intended to be a raw file this could be a security
+hole, because a guest may have written data into its disk that
+then makes the backing store look like a qcow2 file. If it can
+trick QEMU into thinking the raw file is a qcow2 file, it can
+access arbitrary files on the host by adding further backing
+store links.
+
+To address this, callers of virStorageFileGetMeta need to be
+told of the backing store format. If no format is declared,
+they can make a decision whether to allow format probing or
+not.
+---
+ src/util/storage_file.c |  206 +++++++++++++++++++++++++++++++++++++++++------
+ src/util/storage_file.h |    2 +
+ 2 files changed, 183 insertions(+), 25 deletions(-)
+
+diff --git a/src/util/storage_file.c b/src/util/storage_file.c
+index 0adea40..80f743e 100644
+--- a/src/util/storage_file.c
++++ b/src/util/storage_file.c
+@@ -78,12 +78,33 @@ struct FileTypeInfo {
+     int qcowCryptOffset;  /* Byte offset from start of file
+                            * where to find encryption mode,
+                            * -1 if encryption is not used */
+-    int (*getBackingStore)(char **res, const unsigned char *buf, size_t buf_size);
++    int (*getBackingStore)(char **res, int *format,
++                           const unsigned char *buf, size_t buf_size);
+ };
+ 
+-static int cowGetBackingStore(char **, const unsigned char *, size_t);
+-static int qcowXGetBackingStore(char **, const unsigned char *, size_t);
+-static int vmdk4GetBackingStore(char **, const unsigned char *, size_t);
++static int cowGetBackingStore(char **, int *,
++                              const unsigned char *, size_t);
++static int qcow1GetBackingStore(char **, int *,
++                                const unsigned char *, size_t);
++static int qcow2GetBackingStore(char **, int *,
++                                const unsigned char *, size_t);
++static int vmdk4GetBackingStore(char **, int *,
++                                const unsigned char *, size_t);
++
++#define QCOWX_HDR_VERSION (4)
++#define QCOWX_HDR_BACKING_FILE_OFFSET (QCOWX_HDR_VERSION+4)
++#define QCOWX_HDR_BACKING_FILE_SIZE (QCOWX_HDR_BACKING_FILE_OFFSET+8)
++#define QCOWX_HDR_IMAGE_SIZE (QCOWX_HDR_BACKING_FILE_SIZE+4+4)
++
++#define QCOW1_HDR_CRYPT (QCOWX_HDR_IMAGE_SIZE+8+1+1)
++#define QCOW2_HDR_CRYPT (QCOWX_HDR_IMAGE_SIZE+8)
++
++#define QCOW1_HDR_TOTAL_SIZE (QCOW1_HDR_CRYPT+4+8)
++#define QCOW2_HDR_TOTAL_SIZE (QCOW2_HDR_CRYPT+4+4+8+8+4+4+8)
++
++#define QCOW2_HDR_EXTENSION_END 0
++#define QCOW2_HDR_EXTENSION_BACKING_FORMAT 0xE2792ACA
++
+ 
+ 
+ static struct FileTypeInfo const fileTypeInfo[] = {
+@@ -119,11 +140,11 @@ static struct FileTypeInfo const fileTypeInfo[] = {
+     /* QCow */
+     { VIR_STORAGE_FILE_QCOW, "QFI", NULL,
+       LV_BIG_ENDIAN, 4, 1,
+-      4+4+8+4+4, 8, 1, 4+4+8+4+4+8+1+1+2, qcowXGetBackingStore },
++      QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW1_HDR_CRYPT, qcow1GetBackingStore },
+     /* QCow 2 */
+     { VIR_STORAGE_FILE_QCOW2, "QFI", NULL,
+       LV_BIG_ENDIAN, 4, 2,
+-      4+4+8+4+4, 8, 1, 4+4+8+4+4+8, qcowXGetBackingStore },
++      QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW2_HDR_CRYPT, qcow2GetBackingStore },
+     /* VMDK 3 */
+     /* XXX Untested
+     { VIR_STORAGE_FILE_VMDK, "COWD", NULL,
+@@ -142,11 +163,14 @@ static struct FileTypeInfo const fileTypeInfo[] = {
+ 
+ static int
+ cowGetBackingStore(char **res,
++                   int *format,
+                    const unsigned char *buf,
+                    size_t buf_size)
+ {
+ #define COW_FILENAME_MAXLEN 1024
+     *res = NULL;
++    *format = VIR_STORAGE_FILE_AUTO;
++
+     if (buf_size < 4+4+ COW_FILENAME_MAXLEN)
+         return BACKING_STORE_INVALID;
+     if (buf[4+4] == '\0') /* cow_header_v2.backing_file[0] */
+@@ -160,31 +184,98 @@ cowGetBackingStore(char **res,
+     return BACKING_STORE_OK;
+ }
+ 
++
++static int
++qcow2GetBackingStoreFormat(int *format,
++                           const unsigned char *buf,
++                           size_t buf_size,
++                           size_t extension_start,
++                           size_t extension_end)
++{
++    size_t offset = extension_start;
++
++    /*
++     * The extensions take format of
++     *
++     * int32: magic
++     * int32: length
++     * byte[length]: payload
++     *
++     * Unknown extensions can be ignored by skipping
++     * over "length" bytes in the data stream.
++     */
++    while (offset < (buf_size-8) &&
++           offset < (extension_end-8)) {
++        unsigned int magic =
++            (buf[offset] << 24) +
++            (buf[offset+1] << 16) +
++            (buf[offset+2] << 8) +
++            (buf[offset+3]);
++        unsigned int len =
++            (buf[offset+4] << 24) +
++            (buf[offset+5] << 16) +
++            (buf[offset+6] << 8) +
++            (buf[offset+7]);
++
++        offset += 8;
++
++        if ((offset + len) < offset)
++            break;
++
++        if ((offset + len) > buf_size)
++            break;
++
++        switch (magic) {
++        case QCOW2_HDR_EXTENSION_END:
++            goto done;
++
++        case QCOW2_HDR_EXTENSION_BACKING_FORMAT:
++            if (buf[offset+len] != '\0')
++                break;
++            *format = virStorageFileFormatTypeFromString(
++                ((const char *)buf)+offset);
++            break;
++        }
++
++        offset += len;
++    }
++
++done:
++
++    return 0;
++}
++
++
+ static int
+ qcowXGetBackingStore(char **res,
++                     int *format,
+                      const unsigned char *buf,
+-                     size_t buf_size)
++                     size_t buf_size,
++                     bool isQCow2)
+ {
+     unsigned long long offset;
+     unsigned long size;
+ 
+     *res = NULL;
+-    if (buf_size < 4+4+8+4)
++    if (format)
++        *format = VIR_STORAGE_FILE_AUTO;
++
++    if (buf_size < QCOWX_HDR_BACKING_FILE_OFFSET+8+4)
+         return BACKING_STORE_INVALID;
+-    offset = (((unsigned long long)buf[4+4] << 56)
+-              | ((unsigned long long)buf[4+4+1] << 48)
+-              | ((unsigned long long)buf[4+4+2] << 40)
+-              | ((unsigned long long)buf[4+4+3] << 32)
+-              | ((unsigned long long)buf[4+4+4] << 24)
+-              | ((unsigned long long)buf[4+4+5] << 16)
+-              | ((unsigned long long)buf[4+4+6] << 8)
+-              | buf[4+4+7]); /* QCowHeader.backing_file_offset */
++    offset = (((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET] << 56)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+1] << 48)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+2] << 40)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+3] << 32)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+4] << 24)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+5] << 16)
++              | ((unsigned long long)buf[QCOWX_HDR_BACKING_FILE_OFFSET+6] << 8)
++              | buf[QCOWX_HDR_BACKING_FILE_OFFSET+7]); /* QCowHeader.backing_file_offset */
+     if (offset > buf_size)
+         return BACKING_STORE_INVALID;
+-    size = ((buf[4+4+8] << 24)
+-            | (buf[4+4+8+1] << 16)
+-            | (buf[4+4+8+2] << 8)
+-            | buf[4+4+8+3]); /* QCowHeader.backing_file_size */
++    size = ((buf[QCOWX_HDR_BACKING_FILE_SIZE] << 24)
++            | (buf[QCOWX_HDR_BACKING_FILE_SIZE+1] << 16)
++            | (buf[QCOWX_HDR_BACKING_FILE_SIZE+2] << 8)
++            | buf[QCOWX_HDR_BACKING_FILE_SIZE+3]); /* QCowHeader.backing_file_size */
+     if (size == 0)
+         return BACKING_STORE_OK;
+     if (offset + size > buf_size || offset + size < offset)
+@@ -197,12 +288,63 @@ qcowXGetBackingStore(char **res,
+     }
+     memcpy(*res, buf + offset, size);
+     (*res)[size] = '\0';
++
++    /*
++     * Traditionally QCow2 files had a layout of
++     *
++     * [header]
++     * [backingStoreName]
++     *
++     * Although the backingStoreName typically followed
++     * the header immediately, this was not required by
++     * the format. By specifying a higher byte offset for
++     * the backing file offset in the header, it was
++     * possible to leave space between the header and
++     * start of backingStore.
++     *
++     * This hack is now used to store extensions to the
++     * qcow2 format:
++     *
++     * [header]
++     * [extensions]
++     * [backingStoreName]
++     *
++     * Thus the file region to search for extensions is
++     * between the end of the header (QCOW2_HDR_TOTAL_SIZE)
++     * and the start of the backingStoreName (offset)
++     */
++    if (isQCow2)
++        qcow2GetBackingStoreFormat(format, buf, buf_size, QCOW2_HDR_TOTAL_SIZE, offset);
++
+     return BACKING_STORE_OK;
+ }
+ 
+ 
+ static int
++qcow1GetBackingStore(char **res,
++                     int *format,
++                     const unsigned char *buf,
++                     size_t buf_size)
++{
++    /* QCow1 doesn't have the extensions capability
++     * used to store backing format */
++    *format = VIR_STORAGE_FILE_AUTO;
++    return qcowXGetBackingStore(res, NULL, buf, buf_size, false);
++}
++
++static int
++qcow2GetBackingStore(char **res,
++                     int *format,
++                     const unsigned char *buf,
++                     size_t buf_size)
++{
++    return qcowXGetBackingStore(res, format, buf, buf_size, true);
++}
++
++
++static int
+ vmdk4GetBackingStore(char **res,
++                     int *format,
+                      const unsigned char *buf,
+                      size_t buf_size)
+ {
+@@ -212,6 +354,14 @@ vmdk4GetBackingStore(char **res,
+     size_t len;
+ 
+     *res = NULL;
++    /*
++     * Technically this should have been VMDK, since
++     * VMDK spec / VMWare impl only support VMDK backed
++     * by VMDK. QEMU isn't following this though and
++     * does probing on VMDK backing files, hence we set
++     * AUTO
++     */
++    *format = VIR_STORAGE_FILE_AUTO;
+ 
+     if (buf_size <= 0x200)
+         return BACKING_STORE_INVALID;
+@@ -358,9 +508,12 @@ virStorageFileGetMetadataFromFD(const char *path,
+         /* Validation passed, we know the file format now */
+         meta->format = fileTypeInfo[i].type;
+         if (fileTypeInfo[i].getBackingStore != NULL) {
+-            char *base;
++            char *backing;
++            int backingFormat;
+ 
+-            switch (fileTypeInfo[i].getBackingStore(&base, head, len)) {
++            switch (fileTypeInfo[i].getBackingStore(&backing,
++                                                    &backingFormat,
++                                                    head, len)) {
+             case BACKING_STORE_OK:
+                 break;
+ 
+@@ -370,13 +523,16 @@ virStorageFileGetMetadataFromFD(const char *path,
+             case BACKING_STORE_ERROR:
+                 return -1;
+             }
+-            if (base != NULL) {
+-                meta->backingStore = absolutePathFromBaseFile(path, base);
+-                VIR_FREE(base);
++            if (backing != NULL) {
++                meta->backingStore = absolutePathFromBaseFile(path, backing);
++                VIR_FREE(backing);
+                 if (meta->backingStore == NULL) {
+                     virReportOOMError();
+                     return -1;
+                 }
++                meta->backingStoreFormat = backingFormat;
++            } else {
++                meta->backingStoreFormat = VIR_STORAGE_FILE_AUTO;
+             }
+         }
+         return 0;
+diff --git a/src/util/storage_file.h b/src/util/storage_file.h
+index 58533ee..6328ba7 100644
+--- a/src/util/storage_file.h
++++ b/src/util/storage_file.h
+@@ -28,6 +28,7 @@
+ # include <stdbool.h>
+ 
+ enum virStorageFileFormat {
++    VIR_STORAGE_FILE_AUTO = -1,
+     VIR_STORAGE_FILE_RAW = 0,
+     VIR_STORAGE_FILE_DIR,
+     VIR_STORAGE_FILE_BOCHS,
+@@ -47,6 +48,7 @@ VIR_ENUM_DECL(virStorageFileFormat);
+ typedef struct _virStorageFileMetadata {
+     int format;
+     char *backingStore;
++    int backingStoreFormat;
+     unsigned long long capacity;
+     bool encrypted;
+ } virStorageFileMetadata;
+-- 
+1.7.1.1
+

libvirt-0.8.2-02-remove-type-field.patch

@@ -0,0 +1,159 @@
+From cab428b1d4d432965cee6f5afb67265557706715 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Mon, 14 Jun 2010 16:39:32 +0100
+Subject: [PATCH 02/11] Remove 'type' field from FileTypeInfo struct
+
+Instead of including a field in FileTypeInfo struct for the
+disk format, rely on the array index matching the format.
+Use verify() to assert the correct number of elements in the
+array.
+
+* src/util/storage_file.c: remove type field from FileTypeInfo
+---
+ src/util/storage_file.c |  108 +++++++++++++++++++++++-----------------------
+ 1 files changed, 54 insertions(+), 54 deletions(-)
+
+diff --git a/src/util/storage_file.c b/src/util/storage_file.c
+index 80f743e..df0e3a1 100644
+--- a/src/util/storage_file.c
++++ b/src/util/storage_file.c
+@@ -58,7 +58,6 @@ enum {
+ 
+ /* Either 'magic' or 'extension' *must* be provided */
+ struct FileTypeInfo {
+-    int type;           /* One of the constants above */
+     const char *magic;  /* Optional string of file magic
+                          * to check at head of file */
+     const char *extension; /* Optional file extension to check */
+@@ -108,58 +107,59 @@ static int vmdk4GetBackingStore(char **, int *,
+ 
+ 
+ static struct FileTypeInfo const fileTypeInfo[] = {
+-    /* Bochs */
+-    /* XXX Untested
+-    { VIR_STORAGE_FILE_BOCHS, "Bochs Virtual HD Image", NULL,
+-      LV_LITTLE_ENDIAN, 64, 0x20000,
+-      32+16+16+4+4+4+4+4, 8, 1, -1, NULL },*/
+-    /* CLoop */
+-    /* XXX Untested
+-    { VIR_STORAGE_VOL_CLOOP, "#!/bin/sh\n#V2.0 Format\nmodprobe cloop file=$0 && mount -r -t iso9660 /dev/cloop $1\n", NULL,
+-      LV_LITTLE_ENDIAN, -1, 0,
+-      -1, 0, 0, -1, NULL }, */
+-    /* Cow */
+-    { VIR_STORAGE_FILE_COW, "OOOM", NULL,
+-      LV_BIG_ENDIAN, 4, 2,
+-      4+4+1024+4, 8, 1, -1, cowGetBackingStore },
+-    /* DMG */
+-    /* XXX QEMU says there's no magic for dmg, but we should check... */
+-    { VIR_STORAGE_FILE_DMG, NULL, ".dmg",
+-      0, -1, 0,
+-      -1, 0, 0, -1, NULL },
+-    /* XXX there's probably some magic for iso we can validate too... */
+-    { VIR_STORAGE_FILE_ISO, NULL, ".iso",
+-      0, -1, 0,
+-      -1, 0, 0, -1, NULL },
+-    /* Parallels */
+-    /* XXX Untested
+-    { VIR_STORAGE_FILE_PARALLELS, "WithoutFreeSpace", NULL,
+-      LV_LITTLE_ENDIAN, 16, 2,
+-      16+4+4+4+4, 4, 512, -1, NULL },
+-    */
+-    /* QCow */
+-    { VIR_STORAGE_FILE_QCOW, "QFI", NULL,
+-      LV_BIG_ENDIAN, 4, 1,
+-      QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW1_HDR_CRYPT, qcow1GetBackingStore },
+-    /* QCow 2 */
+-    { VIR_STORAGE_FILE_QCOW2, "QFI", NULL,
+-      LV_BIG_ENDIAN, 4, 2,
+-      QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW2_HDR_CRYPT, qcow2GetBackingStore },
+-    /* VMDK 3 */
+-    /* XXX Untested
+-    { VIR_STORAGE_FILE_VMDK, "COWD", NULL,
+-      LV_LITTLE_ENDIAN, 4, 1,
+-      4+4+4, 4, 512, -1, NULL },
+-    */
+-    /* VMDK 4 */
+-    { VIR_STORAGE_FILE_VMDK, "KDMV", NULL,
+-      LV_LITTLE_ENDIAN, 4, 1,
+-      4+4+4, 8, 512, -1, vmdk4GetBackingStore },
+-    /* Connectix / VirtualPC */
+-    { VIR_STORAGE_FILE_VPC, "conectix", NULL,
+-      LV_BIG_ENDIAN, 12, 0x10000,
+-      8 + 4 + 4 + 8 + 4 + 4 + 2 + 2 + 4, 8, 1, -1, NULL},
++    [VIR_STORAGE_FILE_RAW] = { NULL, NULL, LV_LITTLE_ENDIAN, -1, 0, 0, 0, 0, 0, NULL },
++    [VIR_STORAGE_FILE_DIR] = { NULL, NULL, LV_LITTLE_ENDIAN, -1, 0, 0, 0, 0, 0, NULL },
++    [VIR_STORAGE_FILE_BOCHS] = {
++        /*"Bochs Virtual HD Image", */ /* Untested */ NULL,
++        NULL,
++        LV_LITTLE_ENDIAN, 64, 0x20000,
++        32+16+16+4+4+4+4+4, 8, 1, -1, NULL
++    },
++    [VIR_STORAGE_FILE_CLOOP] = {
++        /*"#!/bin/sh\n#V2.0 Format\nmodprobe cloop file=$0 && mount -r -t iso9660 /dev/cloop $1\n", */ /* Untested */ NULL,
++        NULL,
++        LV_LITTLE_ENDIAN, -1, 0,
++        -1, 0, 0, -1, NULL
++    },
++    [VIR_STORAGE_FILE_COW] = {
++        "OOOM", NULL,
++        LV_BIG_ENDIAN, 4, 2,
++        4+4+1024+4, 8, 1, -1, cowGetBackingStore
++    },
++    [VIR_STORAGE_FILE_DMG] = {
++        NULL, /* XXX QEMU says there's no magic for dmg, but we should check... */
++        ".dmg",
++        0, -1, 0,
++        -1, 0, 0, -1, NULL
++    },
++    [VIR_STORAGE_FILE_ISO] = {
++        NULL, /* XXX there's probably some magic for iso we can validate too... */
++        ".iso",
++        0, -1, 0,
++        -1, 0, 0, -1, NULL
++    },
++    [VIR_STORAGE_FILE_QCOW] = {
++        "QFI", NULL,
++        LV_BIG_ENDIAN, 4, 1,
++        QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW1_HDR_CRYPT, qcow1GetBackingStore,
++    },
++    [VIR_STORAGE_FILE_QCOW2] = {
++        "QFI", NULL,
++        LV_BIG_ENDIAN, 4, 2,
++        QCOWX_HDR_IMAGE_SIZE, 8, 1, QCOW2_HDR_CRYPT, qcow2GetBackingStore,
++    },
++    [VIR_STORAGE_FILE_VMDK] = {
++        "KDMV", NULL,
++        LV_LITTLE_ENDIAN, 4, 1,
++        4+4+4, 8, 512, -1, vmdk4GetBackingStore
++    },
++    [VIR_STORAGE_FILE_VPC] = {
++        "conectix", NULL,
++        LV_BIG_ENDIAN, 12, 0x10000,
++        8 + 4 + 4 + 8 + 4 + 4 + 2 + 2 + 4, 8, 1, -1, NULL
++    },
+ };
++verify(ARRAY_CARDINALITY(fileTypeInfo) == VIR_STORAGE_FILE_LAST);
+ 
+ static int
+ cowGetBackingStore(char **res,
+@@ -506,7 +506,7 @@ virStorageFileGetMetadataFromFD(const char *path,
+         }
+ 
+         /* Validation passed, we know the file format now */
+-        meta->format = fileTypeInfo[i].type;
++        meta->format = i;
+         if (fileTypeInfo[i].getBackingStore != NULL) {
+             char *backing;
+             int backingFormat;
+@@ -546,7 +546,7 @@ virStorageFileGetMetadataFromFD(const char *path,
+         if (!virFileHasSuffix(path, fileTypeInfo[i].extension))
+             continue;
+ 
+-        meta->format = fileTypeInfo[i].type;
++        meta->format = i;
+         return 0;
+     }
+ 
+-- 
+1.7.1.1
+

libvirt-0.8.2-03-refactor-metadata-extract.patch

@@ -0,0 +1,585 @@
+From 57482ca0be29e9e92e242c9acb577e0b770c01d1 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Tue, 15 Jun 2010 14:58:10 +0100
+Subject: [PATCH 03/11] Refactor virStorageFileGetMetadataFromFD to separate functionality
+
+The virStorageFileGetMetadataFromFD did two jobs in one. First
+it probed for storage type, then it extracted metadata for the
+type. It is desirable to be able to separate these jobs, allowing
+probing without querying metadata, and querying metadata without
+probing.
+
+To prepare for this, split out probing code into a new pair of
+methods
+
+  virStorageFileProbeFormatFromFD
+  virStorageFileProbeFormat
+
+* src/util/storage_file.c, src/util/storage_file.h,
+  src/libvirt_private.syms: Introduce virStorageFileProbeFormat
+  and virStorageFileProbeFormatFromFD
+---
+ src/libvirt_private.syms |    2 +
+ src/util/storage_file.c  |  460 +++++++++++++++++++++++++++++++++-------------
+ src/util/storage_file.h  |    4 +
+ 3 files changed, 335 insertions(+), 131 deletions(-)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 778ceb1..4607f49 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -628,6 +628,8 @@ virStorageGenerateQcowPassphrase;
+ # storage_file.h
+ virStorageFileFormatTypeToString;
+ virStorageFileFormatTypeFromString;
++virStorageFileProbeFormat;
++virStorageFileProbeFormatFromFD;
+ virStorageFileGetMetadata;
+ virStorageFileGetMetadataFromFD;
+ virStorageFileIsSharedFS;
+diff --git a/src/util/storage_file.c b/src/util/storage_file.c
+index df0e3a1..221268b 100644
+--- a/src/util/storage_file.c
++++ b/src/util/storage_file.c
+@@ -104,6 +104,9 @@ static int vmdk4GetBackingStore(char **, int *,
+ #define QCOW2_HDR_EXTENSION_END 0
+ #define QCOW2_HDR_EXTENSION_BACKING_FORMAT 0xE2792ACA
+ 
++/* VMDK needs at least this to find backing store,
++ * other formats are less */
++#define STORAGE_MAX_HEAD (20*512)
+ 
+ 
+ static struct FileTypeInfo const fileTypeInfo[] = {
+@@ -349,9 +352,14 @@ vmdk4GetBackingStore(char **res,
+                      size_t buf_size)
+ {
+     static const char prefix[] = "parentFileNameHint=\"";
+-
+-    char desc[20*512 + 1], *start, *end;
++    char *desc, *start, *end;
+     size_t len;
++    int ret = BACKING_STORE_ERROR;
++
++    if (VIR_ALLOC_N(desc, STORAGE_MAX_HEAD + 1) < 0) {
++        virReportOOMError();
++        goto cleanup;
++    }
+ 
+     *res = NULL;
+     /*
+@@ -363,29 +371,42 @@ vmdk4GetBackingStore(char **res,
+      */
+     *format = VIR_STORAGE_FILE_AUTO;
+ 
+-    if (buf_size <= 0x200)
+-        return BACKING_STORE_INVALID;
++    if (buf_size <= 0x200) {
++        ret = BACKING_STORE_INVALID;
++        goto cleanup;
++    }
+     len = buf_size - 0x200;
+-    if (len > sizeof(desc) - 1)
+-        len = sizeof(desc) - 1;
++    if (len > STORAGE_MAX_HEAD)
++        len = STORAGE_MAX_HEAD;
+     memcpy(desc, buf + 0x200, len);
+     desc[len] = '\0';
+     start = strstr(desc, prefix);
+-    if (start == NULL)
+-        return BACKING_STORE_OK;
++    if (start == NULL) {
++        ret = BACKING_STORE_OK;
++        goto cleanup;
++    }
+     start += strlen(prefix);
+     end = strchr(start, '"');
+-    if (end == NULL)
+-        return BACKING_STORE_INVALID;
+-    if (end == start)
+-        return BACKING_STORE_OK;
++    if (end == NULL) {
++        ret = BACKING_STORE_INVALID;
++        goto cleanup;
++    }
++    if (end == start) {
++        ret = BACKING_STORE_OK;
++        goto cleanup;
++    }
+     *end = '\0';
+     *res = strdup(start);
+     if (*res == NULL) {
+         virReportOOMError();
+-        return BACKING_STORE_ERROR;
++        goto cleanup;
+     }
+-    return BACKING_STORE_OK;
++
++    ret = BACKING_STORE_OK;
++
++cleanup:
++    VIR_FREE(desc);
++    return ret;
+ }
+ 
+ /**
+@@ -411,148 +432,325 @@ absolutePathFromBaseFile(const char *base_file, const char *path)
+     return res;
+ }
+ 
+-/**
+- * Probe the header of a file to determine what type of disk image
+- * it is, and info about its capacity if available.
+- */
+-int
+-virStorageFileGetMetadataFromFD(const char *path,
+-                                int fd,
+-                                virStorageFileMetadata *meta)
++
++static bool
++virStorageFileMatchesMagic(int format,
++                           unsigned char *buf,
++                           size_t buflen)
+ {
+-    unsigned char head[20*512]; /* vmdk4GetBackingStore needs this much. */
+-    int len, i;
++    int mlen;
+ 
+-    memset(meta, 0, sizeof (*meta));
++    if (fileTypeInfo[format].magic == NULL)
++        return false;
+ 
+-    /* If all else fails, call it a raw file */
+-    meta->format = VIR_STORAGE_FILE_RAW;
++    /* Validate magic data */
++    mlen = strlen(fileTypeInfo[format].magic);
++    if (mlen > buflen)
++        return false;
+ 
+-    if ((len = read(fd, head, sizeof(head))) < 0) {
+-        virReportSystemError(errno, _("cannot read header '%s'"), path);
+-        return -1;
++    if (memcmp(buf, fileTypeInfo[format].magic, mlen) != 0)
++        return false;
++
++    return true;
++}
++
++
++static bool
++virStorageFileMatchesExtension(int format,
++                               const char *path)
++{
++    if (fileTypeInfo[format].extension == NULL)
++        return false;
++
++    if (virFileHasSuffix(path, fileTypeInfo[format].extension))
++        return true;
++
++    return false;
++}
++
++
++static bool
++virStorageFileMatchesVersion(int format,
++                             unsigned char *buf,
++                             size_t buflen)
++{
++    int version;
++
++    /* Validate version number info */
++    if (fileTypeInfo[format].versionOffset == -1)
++        return false;
++
++    if ((fileTypeInfo[format].versionOffset + 4) > buflen)
++        return false;
++
++    if (fileTypeInfo[format].endian == LV_LITTLE_ENDIAN) {
++        version =
++            (buf[fileTypeInfo[format].versionOffset+3] << 24) |
++            (buf[fileTypeInfo[format].versionOffset+2] << 16) |
++            (buf[fileTypeInfo[format].versionOffset+1] << 8) |
++            (buf[fileTypeInfo[format].versionOffset]);
++    } else {
++        version =
++            (buf[fileTypeInfo[format].versionOffset] << 24) |
++            (buf[fileTypeInfo[format].versionOffset+1] << 16) |
++            (buf[fileTypeInfo[format].versionOffset+2] << 8) |
++            (buf[fileTypeInfo[format].versionOffset+3]);
+     }
++    if (version != fileTypeInfo[format].versionNumber)
++        return false;
+ 
+-    /* First check file magic */
+-    for (i = 0 ; i < ARRAY_CARDINALITY(fileTypeInfo) ; i++) {
+-        int mlen;
+-
+-        if (fileTypeInfo[i].magic == NULL)
+-            continue;
+-
+-        /* Validate magic data */
+-        mlen = strlen(fileTypeInfo[i].magic);
+-        if (mlen > len)
+-            continue;
+-        if (memcmp(head, fileTypeInfo[i].magic, mlen) != 0)
+-            continue;
+-
+-        /* Validate version number info */
+-        if (fileTypeInfo[i].versionNumber != -1) {
+-            int version;
+-
+-            if (fileTypeInfo[i].endian == LV_LITTLE_ENDIAN) {
+-                version = (head[fileTypeInfo[i].versionOffset+3] << 24) |
+-                    (head[fileTypeInfo[i].versionOffset+2] << 16) |
+-                    (head[fileTypeInfo[i].versionOffset+1] << 8) |
+-                    head[fileTypeInfo[i].versionOffset];
+-            } else {
+-                version = (head[fileTypeInfo[i].versionOffset] << 24) |
+-                    (head[fileTypeInfo[i].versionOffset+1] << 16) |
+-                    (head[fileTypeInfo[i].versionOffset+2] << 8) |
+-                    head[fileTypeInfo[i].versionOffset+3];
+-            }
+-            if (version != fileTypeInfo[i].versionNumber)
+-                continue;
+-        }
++    return true;
++}
+ 
+-        /* Optionally extract capacity from file */
+-        if (fileTypeInfo[i].sizeOffset != -1) {
+-            if (fileTypeInfo[i].endian == LV_LITTLE_ENDIAN) {
+-                meta->capacity =
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+7] << 56) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+6] << 48) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+5] << 40) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+4] << 32) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+3] << 24) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+2] << 16) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+1] << 8) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset]);
+-            } else {
+-                meta->capacity =
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset] << 56) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+1] << 48) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+2] << 40) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+3] << 32) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+4] << 24) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+5] << 16) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+6] << 8) |
+-                    ((unsigned long long)head[fileTypeInfo[i].sizeOffset+7]);
+-            }
+-            /* Avoid unlikely, but theoretically possible overflow */
+-            if (meta->capacity > (ULLONG_MAX / fileTypeInfo[i].sizeMultiplier))
+-                continue;
+-            meta->capacity *= fileTypeInfo[i].sizeMultiplier;
+-        }
+ 
+-        if (fileTypeInfo[i].qcowCryptOffset != -1) {
+-            int crypt_format;
++static int
++virStorageFileGetMetadataFromBuf(int format,
++                                 const char *path,
++                                 unsigned char *buf,
++                                 size_t buflen,
++                                 virStorageFileMetadata *meta)
++{
++    /* XXX we should consider moving virStorageBackendUpdateVolInfo
++     * code into this method, for non-magic files
++     */
++    if (!fileTypeInfo[format].magic) {
++        return 0;
++    }
+ 
+-            crypt_format = (head[fileTypeInfo[i].qcowCryptOffset] << 24) |
+-                (head[fileTypeInfo[i].qcowCryptOffset+1] << 16) |
+-                (head[fileTypeInfo[i].qcowCryptOffset+2] << 8) |
+-                head[fileTypeInfo[i].qcowCryptOffset+3];
+-            meta->encrypted = crypt_format != 0;
++    /* Optionally extract capacity from file */
++    if (fileTypeInfo[format].sizeOffset != -1) {
++        if ((fileTypeInfo[format].sizeOffset + 8) > buflen)
++            return 1;
++
++        if (fileTypeInfo[format].endian == LV_LITTLE_ENDIAN) {
++            meta->capacity =
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+7] << 56) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+6] << 48) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+5] << 40) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+4] << 32) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+3] << 24) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+2] << 16) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+1] << 8) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset]);
++        } else {
++            meta->capacity =
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset] << 56) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+1] << 48) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+2] << 40) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+3] << 32) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+4] << 24) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+5] << 16) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+6] << 8) |
++                ((unsigned long long)buf[fileTypeInfo[format].sizeOffset+7]);
+         }
++        /* Avoid unlikely, but theoretically possible overflow */
++        if (meta->capacity > (ULLONG_MAX / fileTypeInfo[format].sizeMultiplier))
++            return 1;
++        meta->capacity *= fileTypeInfo[format].sizeMultiplier;
++    }
+ 
+-        /* Validation passed, we know the file format now */
+-        meta->format = i;
+-        if (fileTypeInfo[i].getBackingStore != NULL) {
+-            char *backing;
+-            int backingFormat;
++    if (fileTypeInfo[format].qcowCryptOffset != -1) {
++        int crypt_format;
+ 
+-            switch (fileTypeInfo[i].getBackingStore(&backing,
+-                                                    &backingFormat,
+-                                                    head, len)) {
+-            case BACKING_STORE_OK:
+-                break;
++        crypt_format =
++            (buf[fileTypeInfo[format].qcowCryptOffset] << 24) |
++            (buf[fileTypeInfo[format].qcowCryptOffset+1] << 16) |
++            (buf[fileTypeInfo[format].qcowCryptOffset+2] << 8) |
++            (buf[fileTypeInfo[format].qcowCryptOffset+3]);
++        meta->encrypted = crypt_format != 0;
++    }
+ 
+-            case BACKING_STORE_INVALID:
+-                continue;
++    if (fileTypeInfo[format].getBackingStore != NULL) {
++        char *backing;
++        int backingFormat;
++        int ret = fileTypeInfo[format].getBackingStore(&backing,
++                                                       &backingFormat,
++                                                       buf, buflen);
++        if (ret == BACKING_STORE_INVALID)
++            return 1;
++
++        if (ret == BACKING_STORE_ERROR)
++            return -1;
+ 
+-            case BACKING_STORE_ERROR:
++        if (backing != NULL) {
++            meta->backingStore = absolutePathFromBaseFile(path, backing);
++            VIR_FREE(backing);
++            if (meta->backingStore == NULL) {
++                virReportOOMError();
+                 return -1;
+             }
+-            if (backing != NULL) {
+-                meta->backingStore = absolutePathFromBaseFile(path, backing);
+-                VIR_FREE(backing);
+-                if (meta->backingStore == NULL) {
+-                    virReportOOMError();
+-                    return -1;
+-                }
+-                meta->backingStoreFormat = backingFormat;
+-            } else {
+-                meta->backingStoreFormat = VIR_STORAGE_FILE_AUTO;
+-            }
++            meta->backingStoreFormat = backingFormat;
++        } else {
++            meta->backingStore = NULL;
++            meta->backingStoreFormat = VIR_STORAGE_FILE_AUTO;
++        }
++    }
++
++    return 0;
++}
++
++
++static int
++virStorageFileProbeFormatFromBuf(const char *path,
++                                 unsigned char *buf,
++                                 size_t buflen)
++{
++    int format = VIR_STORAGE_FILE_RAW;
++    int i;
++
++    /* First check file magic */
++    for (i = 0 ; i < VIR_STORAGE_FILE_LAST ; i++) {
++        if (virStorageFileMatchesMagic(i, buf, buflen) &&
++            virStorageFileMatchesVersion(i, buf, buflen)) {
++            format = i;
++            goto cleanup;
+         }
+-        return 0;
+     }
+ 
+     /* No magic, so check file extension */
+-    for (i = 0 ; i < ARRAY_CARDINALITY(fileTypeInfo) ; i++) {
+-        if (fileTypeInfo[i].extension == NULL)
+-            continue;
++    for (i = 0 ; i < VIR_STORAGE_FILE_LAST ; i++) {
++        if (virStorageFileMatchesExtension(i, path)) {
++            format = i;
++            goto cleanup;
++        }
++    }
+ 
+-        if (!virFileHasSuffix(path, fileTypeInfo[i].extension))
+-            continue;
++cleanup:
++    return format;
++}
+ 
+-        meta->format = i;
+-        return 0;
++
++/**
++ * virStorageFileProbeFormatFromFD:
++ *
++ * Probe for the format of 'fd' (which is an open file descriptor
++ * pointing to 'path'), returning the detected disk format.
++ *
++ * Callers are advised never to trust the returned 'format'
++ * unless it is listed as VIR_STORAGE_FILE_RAW, since a
++ * malicious guest can turn a file into any other non-raw
++ * format at will.
++ *
++ * Best option: Don't use this function
++ */
++int
++virStorageFileProbeFormatFromFD(const char *path, int fd)
++{
++    unsigned char *head;
++    ssize_t len = STORAGE_MAX_HEAD;
++    int ret = -1;
++
++    if (VIR_ALLOC_N(head, len) < 0) {
++        virReportOOMError();
++        return -1;
+     }
+ 
+-    return 0;
++    if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
++        virReportSystemError(errno, _("cannot set to start of '%s'"), path);
++        goto cleanup;
++    }
++
++    if ((len = read(fd, head, len)) < 0) {
++        virReportSystemError(errno, _("cannot read header '%s'"), path);
++        goto cleanup;
++    }
++
++    ret = virStorageFileProbeFormatFromBuf(path, head, len);
++
++cleanup:
++    VIR_FREE(head);
++    return ret;
++}
++
++
++/**
++ * virStorageFileProbeFormat:
++ *
++ * Probe for the format of 'path', returning the detected
++ * disk format.
++ *
++ * Callers are advised never to trust the returned 'format'
++ * unless it is listed as VIR_STORAGE_FILE_RAW, since a
++ * malicious guest can turn a raw file into any other non-raw
++ * format at will.
++ *
++ * Best option: Don't use this function
++ */
++int
++virStorageFileProbeFormat(const char *path)
++{
++    int fd, ret;
++
++    if ((fd = open(path, O_RDONLY)) < 0) {
++        virReportSystemError(errno, _("cannot open file '%s'"), path);
++        return -1;
++    }
++
++    ret = virStorageFileProbeFormatFromFD(path, fd);
++
++    close(fd);
++
++    return ret;
+ }
+ 
++/**
++ * virStorageFileGetMetadataFromFD:
++ *
++ * Probe for the format of 'fd' (which is an open file descriptor
++ * for the file 'path'), filling 'meta' with the detected
++ * format and other associated metadata.
++ *
++ * Callers are advised never to trust the returned 'meta->format'
++ * unless it is listed as VIR_STORAGE_FILE_RAW, since a
++ * malicious guest can turn a raw file into any other non-raw
++ * format at will.
++ */
++int
++virStorageFileGetMetadataFromFD(const char *path,
++                                int fd,
++                                virStorageFileMetadata *meta)
++{
++    unsigned char *head;
++    ssize_t len = STORAGE_MAX_HEAD;
++    int ret = -1;
++
++    if (VIR_ALLOC_N(head, len) < 0) {
++        virReportOOMError();
++        return -1;
++    }
++
++    memset(meta, 0, sizeof (*meta));
++
++    if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
++        virReportSystemError(errno, _("cannot set to start of '%s'"), path);
++        goto cleanup;
++    }
++
++    if ((len = read(fd, head, len)) < 0) {
++        virReportSystemError(errno, _("cannot read header '%s'"), path);
++        goto cleanup;
++    }
++
++    meta->format = virStorageFileProbeFormatFromBuf(path, head, len);
++
++    ret = virStorageFileGetMetadataFromBuf(meta->format, path, head, len, meta);
++
++cleanup:
++    VIR_FREE(head);
++    return ret;
++}
++
++/**
++ * virStorageFileGetMetadata:
++ *
++ * Probe for the format of 'path', filling 'meta' with the detected
++ * format and other associated metadata.
++ *
++ * Callers are advised never to trust the returned 'meta->format'
++ * unless it is listed as VIR_STORAGE_FILE_RAW, since a
++ * malicious guest can turn a raw file into any other non-raw
++ * format at will.
++ */
+ int
+ virStorageFileGetMetadata(const char *path,
+                           virStorageFileMetadata *meta)
+diff --git a/src/util/storage_file.h b/src/util/storage_file.h
+index 6328ba7..3420d44 100644
+--- a/src/util/storage_file.h
++++ b/src/util/storage_file.h
+@@ -57,6 +57,10 @@ typedef struct _virStorageFileMetadata {
+ #  define DEV_BSIZE 512
+ # endif
+ 
++int virStorageFileProbeFormat(const char *path);
++int virStorageFileProbeFormatFromFD(const char *path,
++                                    int fd);
++
+ int virStorageFileGetMetadata(const char *path,
+                               virStorageFileMetadata *meta);
+ int virStorageFileGetMetadataFromFD(const char *path,
+-- 
+1.7.1.1
+

libvirt-0.8.2-04-require-storage-format.patch

@@ -0,0 +1,285 @@
+From 726a63a437efd96510ce316bf30d16f213d4db27 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Tue, 15 Jun 2010 16:15:51 +0100
+Subject: [PATCH 04/11] Require format to be passed into virStorageFileGetMetadata
+
+Require the disk image to be passed into virStorageFileGetMetadata.
+If this is set to VIR_STORAGE_FILE_AUTO, then the format will be
+resolved using probing. This makes it easier to control when
+probing will be used
+
+* src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
+  src/security/security_selinux.c, src/security/virt-aa-helper.c:
+  Set VIR_STORAGE_FILE_AUTO when calling virStorageFileGetMetadata.
+* src/storage/storage_backend_fs.c: Probe for disk format before
+  calling virStorageFileGetMetadata.
+* src/util/storage_file.h, src/util/storage_file.c: Remove format
+  from virStorageFileMeta struct & require it to be passed into
+  method.
+---
+ src/qemu/qemu_driver.c           |   27 +++++++++++++++++---
+ src/qemu/qemu_security_dac.c     |    4 ++-
+ src/security/security_selinux.c  |    4 ++-
+ src/security/virt-aa-helper.c    |    4 ++-
+ src/storage/storage_backend_fs.c |   11 ++++++--
+ src/util/storage_file.c          |   50 +++++++++++++++++++++++++------------
+ src/util/storage_file.h          |    3 +-
+ 7 files changed, 76 insertions(+), 27 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 487bfa3..97f2990 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -3069,7 +3069,9 @@ static int qemuSetupDiskCgroup(virCgroupPtr cgroup,
+             }
+         }
+ 
+-        rc = virStorageFileGetMetadata(path, &meta);
++        rc = virStorageFileGetMetadata(path,
++                                       VIR_STORAGE_FILE_AUTO,
++                                       &meta);
+         if (rc < 0)
+             VIR_WARN("Unable to lookup parent image for %s", path);
+ 
+@@ -3119,7 +3121,9 @@ static int qemuTeardownDiskCgroup(virCgroupPtr cgroup,
+             }
+         }
+ 
+-        rc = virStorageFileGetMetadata(path, &meta);
++        rc = virStorageFileGetMetadata(path,
++                                       VIR_STORAGE_FILE_AUTO,
++                                       &meta);
+         if (rc < 0)
+             VIR_WARN("Unable to lookup parent image for %s", path);
+ 
+@@ -9614,6 +9618,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
+     virDomainDiskDefPtr disk = NULL;
+     struct stat sb;
+     int i;
++    int format;
+ 
+     virCheckFlags(0, -1);
+ 
+@@ -9658,7 +9663,21 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
+     }
+ 
+     /* Probe for magic formats */
+-    if (virStorageFileGetMetadataFromFD(path, fd, &meta) < 0)
++    if (disk->driverType) {
++        if ((format = virStorageFileFormatTypeFromString(disk->driverType)) < 0) {
++            qemuReportError(VIR_ERR_INTERNAL_ERROR,
++                            _("unknown disk format %s for %s"),
++                            disk->driverType, disk->src);
++            goto cleanup;
++        }
++    } else {
++        if ((format = virStorageFileProbeFormat(disk->src)) < 0)
++            goto cleanup;
++    }
++
++    if (virStorageFileGetMetadataFromFD(path, fd,
++                                        format,
++                                        &meta) < 0)
+         goto cleanup;
+ 
+     /* Get info for normal formats */
+@@ -9706,7 +9725,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
+        highest allocated extent from QEMU */
+     if (virDomainObjIsActive(vm) &&
+         disk->type == VIR_DOMAIN_DISK_TYPE_BLOCK &&
+-        meta.format != VIR_STORAGE_FILE_RAW &&
++        format != VIR_STORAGE_FILE_RAW &&
+         S_ISBLK(sb.st_mode)) {
+         qemuDomainObjPrivatePtr priv = vm->privateData;
+         if (qemuDomainObjBeginJob(vm) < 0)
+diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
+index 95015b0..acfe48e 100644
+--- a/src/qemu/qemu_security_dac.c
++++ b/src/qemu/qemu_security_dac.c
+@@ -115,7 +115,9 @@ qemuSecurityDACSetSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
+         virStorageFileMetadata meta;
+         int ret;
+ 
+-        ret = virStorageFileGetMetadata(path, &meta);
++        ret = virStorageFileGetMetadata(path,
++                                        VIR_STORAGE_FILE_AUTO,
++                                        &meta);
+ 
+         if (path != disk->src)
+             VIR_FREE(path);
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index e5eef19..5c0f002 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -457,7 +457,9 @@ SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
+         virStorageFileMetadata meta;
+         int ret;
+ 
+-        ret = virStorageFileGetMetadata(path, &meta);
++        ret = virStorageFileGetMetadata(path,
++                                        VIR_STORAGE_FILE_AUTO,
++                                        &meta);
+ 
+         if (path != disk->src)
+             VIR_FREE(path);
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index c66f107..2c045e6 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -830,7 +830,9 @@ get_files(vahControl * ctl)
+             do {
+                 virStorageFileMetadata meta;
+ 
+-                ret = virStorageFileGetMetadata(path, &meta);
++                ret = virStorageFileGetMetadata(path,
++                                                VIR_STORAGE_FILE_AUTO,
++                                                &meta);
+ 
+                 if (path != ctl->def->disks[i]->src)
+                     VIR_FREE(path);
+diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c
+index f0cd770..d3ac0fe 100644
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -75,14 +75,19 @@ virStorageBackendProbeTarget(virStorageVolTargetPtr target,
+ 
+     memset(&meta, 0, sizeof(meta));
+ 
+-    if (virStorageFileGetMetadataFromFD(target->path, fd, &meta) < 0) {
++    if ((target->format = virStorageFileProbeFormatFromFD(target->path, fd)) < 0) {
+         close(fd);
+         return -1;
+     }
+ 
+-    close(fd);
++    if (virStorageFileGetMetadataFromFD(target->path, fd,
++                                        target->format,
++                                        &meta) < 0) {
++        close(fd);
++        return -1;
++    }
+ 
+-    target->format = meta.format;
++    close(fd);
+ 
+     if (backingStore) {
+         *backingStore = meta.backingStore;
+diff --git a/src/util/storage_file.c b/src/util/storage_file.c
+index 221268b..9712d92 100644
+--- a/src/util/storage_file.c
++++ b/src/util/storage_file.c
+@@ -696,18 +696,23 @@ virStorageFileProbeFormat(const char *path)
+ /**
+  * virStorageFileGetMetadataFromFD:
+  *
+- * Probe for the format of 'fd' (which is an open file descriptor
+- * for the file 'path'), filling 'meta' with the detected
+- * format and other associated metadata.
++ * Extract metadata about the storage volume with the specified
++ * image format. If image format is VIR_STORAGE_FILE_AUTO, it
++ * will probe to automatically identify the format. 
+  *
+- * Callers are advised never to trust the returned 'meta->format'
+- * unless it is listed as VIR_STORAGE_FILE_RAW, since a
+- * malicious guest can turn a raw file into any other non-raw
+- * format at will.
++ * Callers are advised never to use VIR_STORAGE_FILE_AUTO as a
++ * format, since a malicious guest can turn a raw file into any
++ * other non-raw format at will.
++ *
++ * If the returned meta.backingStoreFormat is VIR_STORAGE_FILE_AUTO
++ * it indicates the image didn't specify an explicit format for its
++ * backing store. Callers are advised against probing for the
++ * backing store format in this case.
+  */
+ int
+ virStorageFileGetMetadataFromFD(const char *path,
+                                 int fd,
++                                int format,
+                                 virStorageFileMetadata *meta)
+ {
+     unsigned char *head;
+@@ -731,9 +736,16 @@ virStorageFileGetMetadataFromFD(const char *path,
+         goto cleanup;
+     }
+ 
+-    meta->format = virStorageFileProbeFormatFromBuf(path, head, len);
++    if (format == VIR_STORAGE_FILE_AUTO)
++        format = virStorageFileProbeFormatFromBuf(path, head, len);
++
++    if (format < 0 ||
++        format >= VIR_STORAGE_FILE_LAST) {
++        virReportSystemError(EINVAL, _("unknown storage file format %d"), format);
++        return -1;
++    }
+ 
+-    ret = virStorageFileGetMetadataFromBuf(meta->format, path, head, len, meta);
++    ret = virStorageFileGetMetadataFromBuf(format, path, head, len, meta);
+ 
+ cleanup:
+     VIR_FREE(head);
+@@ -743,16 +755,22 @@ cleanup:
+ /**
+  * virStorageFileGetMetadata:
+  *
+- * Probe for the format of 'path', filling 'meta' with the detected
+- * format and other associated metadata.
++ * Extract metadata about the storage volume with the specified
++ * image format. If image format is VIR_STORAGE_FILE_AUTO, it
++ * will probe to automatically identify the format. 
+  *
+- * Callers are advised never to trust the returned 'meta->format'
+- * unless it is listed as VIR_STORAGE_FILE_RAW, since a
+- * malicious guest can turn a raw file into any other non-raw
+- * format at will.
++ * Callers are advised never to use VIR_STORAGE_FILE_AUTO as a
++ * format, since a malicious guest can turn a raw file into any
++ * other non-raw format at will.
++ *
++ * If the returned meta.backingStoreFormat is VIR_STORAGE_FILE_AUTO
++ * it indicates the image didn't specify an explicit format for its
++ * backing store. Callers are advised against probing for the
++ * backing store format in this case.
+  */
+ int
+ virStorageFileGetMetadata(const char *path,
++                          int format,
+                           virStorageFileMetadata *meta)
+ {
+     int fd, ret;
+@@ -762,7 +780,7 @@ virStorageFileGetMetadata(const char *path,
+         return -1;
+     }
+ 
+-    ret = virStorageFileGetMetadataFromFD(path, fd, meta);
++    ret = virStorageFileGetMetadataFromFD(path, fd, format, meta);
+ 
+     close(fd);
+ 
+diff --git a/src/util/storage_file.h b/src/util/storage_file.h
+index 3420d44..6853182 100644
+--- a/src/util/storage_file.h
++++ b/src/util/storage_file.h
+@@ -46,7 +46,6 @@ enum virStorageFileFormat {
+ VIR_ENUM_DECL(virStorageFileFormat);
+ 
+ typedef struct _virStorageFileMetadata {
+-    int format;
+     char *backingStore;
+     int backingStoreFormat;
+     unsigned long long capacity;
+@@ -62,9 +61,11 @@ int virStorageFileProbeFormatFromFD(const char *path,
+                                     int fd);
+ 
+ int virStorageFileGetMetadata(const char *path,
++                              int format,
+                               virStorageFileMetadata *meta);
+ int virStorageFileGetMetadataFromFD(const char *path,
+                                     int fd,
++                                    int format,
+                                     virStorageFileMetadata *meta);
+ 
+ int virStorageFileIsSharedFS(const char *path);
+-- 
+1.7.1.1
+

libvirt-0.8.2-05-disk-path-iterator.patch

@@ -0,0 +1,170 @@
+From ac5067f1e2e98181ee0e9230f756697f50d853eb Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Mon, 14 Jun 2010 18:09:15 +0100
+Subject: [PATCH 05/11] Add an API for iterating over disk paths
+
+There is duplicated code which iterates over disk backing stores
+performing some action. Provide a convenient helper for doing
+this to eliminate duplication & risk of mistakes with disk format
+probing
+
+* src/conf/domain_conf.c, src/conf/domain_conf.h,
+  src/libvirt_private.syms: Add virDomainDiskDefForeachPath()
+---
+ src/conf/domain_conf.c   |   99 ++++++++++++++++++++++++++++++++++++++++++++++
+ src/conf/domain_conf.h   |   11 +++++
+ src/libvirt_private.syms |    1 +
+ 3 files changed, 111 insertions(+), 0 deletions(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index 378c06e..b20ca97 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -45,6 +45,7 @@
+ #include "macvtap.h"
+ #include "nwfilter_conf.h"
+ #include "ignore-value.h"
++#include "storage_file.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_DOMAIN
+ 
+@@ -7273,4 +7274,102 @@ done:
+ }
+ 
+ 
++int virDomainDiskDefForeachPath(virDomainDiskDefPtr disk,
++                                bool allowProbing,
++                                bool ignoreOpenFailure,
++                                virDomainDiskDefPathIterator iter,
++                                void *opaque)
++{
++    virHashTablePtr paths;
++    int format;
++    int ret = -1;
++    size_t depth = 0;
++    char *nextpath = NULL;
++
++    if (!disk->src)
++        return 0;
++
++    if (disk->driverType) {
++        const char *formatStr = disk->driverType;
++        if (STREQ(formatStr, "aio"))
++            formatStr = "raw"; /* Xen compat */
++
++        if ((format = virStorageFileFormatTypeFromString(formatStr)) < 0) {
++            virDomainReportError(VIR_ERR_INTERNAL_ERROR,
++                                 _("unknown disk format '%s' for %s"),
++                                 disk->driverType, disk->src);
++            return -1;
++        }
++    } else {
++        if (allowProbing) {
++            format = VIR_STORAGE_FILE_AUTO;
++        } else {
++            virDomainReportError(VIR_ERR_INTERNAL_ERROR,
++                                 _("no disk format for %s and probing is disabled"),
++                                 disk->src);
++            return -1;
++        }
++    }
++
++    paths = virHashCreate(5);
++
++    do {
++        virStorageFileMetadata meta;
++        const char *path = nextpath ? nextpath : disk->src;
++        int fd;
++
++        if (iter(disk, path, depth, opaque) < 0)
++            goto cleanup;
++
++        if (virHashLookup(paths, path)) {
++            virDomainReportError(VIR_ERR_INTERNAL_ERROR,
++                                 _("backing store for %s is self-referential"),
++                                 disk->src);
++            goto cleanup;
++        }
++
++        if ((fd = open(path, O_RDONLY)) < 0) {
++            if (ignoreOpenFailure) {
++                char ebuf[1024];
++                VIR_WARN("Ignoring open failure on %s: %s", path,
++                         virStrerror(errno, ebuf, sizeof(ebuf)));
++                break;
++            } else {
++                virReportSystemError(errno,
++                                     _("unable to open disk path %s"),
++                                     path);
++                goto cleanup;
++            }
++        }
++
++        if (virStorageFileGetMetadataFromFD(path, fd, format, &meta) < 0) {
++            close(fd);
++            goto cleanup;
++        }
++        close(fd);
++
++        if (virHashAddEntry(paths, path, (void*)0x1) < 0) {
++            virReportOOMError();
++            goto cleanup;
++        }
++
++        depth++;
++        nextpath = meta.backingStore;
++
++        format = meta.backingStoreFormat;
++
++        if (format == VIR_STORAGE_FILE_AUTO &&
++            !allowProbing)
++            format = VIR_STORAGE_FILE_RAW; /* Stops further recursion */
++    } while (nextpath);
++
++    ret = 0;
++
++cleanup:
++    virHashFree(paths, NULL);
++    VIR_FREE(nextpath);
++
++    return ret;
++}
++
+ #endif /* ! PROXY */
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index 01da17e..d46869e 100644
+--- a/src/conf/domain_conf.h
++++ b/src/conf/domain_conf.h
+@@ -1079,6 +1079,17 @@ int virDomainChrDefForeach(virDomainDefPtr def,
+                            void *opaque);
+ 
+ 
++typedef int (*virDomainDiskDefPathIterator)(virDomainDiskDefPtr disk,
++                                            const char *path,
++                                            size_t depth,
++                                            void *opaque);
++
++int virDomainDiskDefForeachPath(virDomainDiskDefPtr disk,
++                                bool allowProbing,
++                                bool ignoreOpenFailure,
++                                virDomainDiskDefPathIterator iter,
++                                void *opaque);
++
+ VIR_ENUM_DECL(virDomainVirt)
+ VIR_ENUM_DECL(virDomainBoot)
+ VIR_ENUM_DECL(virDomainFeature)
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 4607f49..b5f3695 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -225,6 +225,7 @@ virDomainSnapshotDefFormat;
+ virDomainSnapshotAssignDef;
+ virDomainObjAssignDef;
+ virDomainChrDefForeach;
++virDomainDiskDefForeachPath;
+ 
+ 
+ # domain_event.h
+-- 
+1.7.1.1
+

libvirt-0.8.2-06-use-disk-iterator.patch

@@ -0,0 +1,506 @@
+From 54c1bb731d2b19a46a594cf9682c022f1e1114d2 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Tue, 15 Jun 2010 16:40:47 +0100
+Subject: [PATCH 06/11] Convert all disk backing store loops to shared helper API
+
+Update the QEMU cgroups code, QEMU DAC security driver, SELinux
+and AppArmour security drivers over to use the shared helper API
+virDomainDiskDefForeachPath().
+
+* src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
+  src/security/security_selinux.c, src/security/virt-aa-helper.c:
+  Convert over to use virDomainDiskDefForeachPath()
+---
+ src/qemu/qemu_driver.c          |  161 ++++++++++++++++----------------------
+ src/qemu/qemu_security_dac.c    |   47 ++++--------
+ src/security/security_selinux.c |   67 +++++++----------
+ src/security/virt-aa-helper.c   |   71 ++++++++----------
+ 4 files changed, 142 insertions(+), 204 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 97f2990..99aeffa 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -3040,107 +3040,82 @@ static const char *const defaultDeviceACL[] = {
+ #define DEVICE_PTY_MAJOR 136
+ #define DEVICE_SND_MAJOR 116
+ 
+-static int qemuSetupDiskCgroup(virCgroupPtr cgroup,
+-                               virDomainObjPtr vm,
+-                               virDomainDiskDefPtr disk)
+-{
+-    char *path = disk->src;
+-    int ret = -1;
+ 
+-    while (path != NULL) {
+-        virStorageFileMetadata meta;
+-        int rc;
++static int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
++                                  const char *path,
++                                  size_t depth ATTRIBUTE_UNUSED,
++                                  void *opaque)
++{
++    virCgroupPtr cgroup = opaque;
++    int rc;
+ 
+-        VIR_DEBUG("Process path '%s' for disk", path);
+-        rc = virCgroupAllowDevicePath(cgroup, path);
+-        if (rc != 0) {
+-            /* Get this for non-block devices */
+-            if (rc == -EINVAL) {
+-                VIR_DEBUG("Ignoring EINVAL for %s", path);
+-            } else if (rc == -EACCES) { /* Get this for root squash NFS */
+-                VIR_DEBUG("Ignoring EACCES for %s", path);
+-            } else {
+-                virReportSystemError(-rc,
+-                                     _("Unable to allow device %s for %s"),
+-                                     path, vm->def->name);
+-                if (path != disk->src)
+-                    VIR_FREE(path);
+-                goto cleanup;
+-            }
++    VIR_DEBUG("Process path %s for disk", path);
++    /* XXX RO vs RW */
++    rc = virCgroupAllowDevicePath(cgroup, path);
++    if (rc != 0) {
++        /* Get this for non-block devices */
++        if (rc == -EINVAL) {
++            VIR_DEBUG("Ignoring EINVAL for %s", path);
++        } else if (rc == -EACCES) { /* Get this for root squash NFS */
++            VIR_DEBUG("Ignoring EACCES for %s", path);
++        } else {
++            virReportSystemError(-rc,
++                                 _("Unable to allow access for disk path %s"),
++                                 path);
++            return -1;
+         }
+-
+-        rc = virStorageFileGetMetadata(path,
+-                                       VIR_STORAGE_FILE_AUTO,
+-                                       &meta);
+-        if (rc < 0)
+-            VIR_WARN("Unable to lookup parent image for %s", path);
+-
+-        if (path != disk->src)
+-            VIR_FREE(path);
+-        path = NULL;
+-
+-        if (rc < 0)
+-            break; /* Treating as non fatal */
+-
+-        path = meta.backingStore;
+     }
++    return 0;
++}
+ 
+-    ret = 0;
+ 
+-cleanup:
+-    return ret;
++static int qemuSetupDiskCgroup(virCgroupPtr cgroup,
++                               virDomainDiskDefPtr disk)
++{
++    return virDomainDiskDefForeachPath(disk,
++                                       true,
++                                       true,
++                                       qemuSetupDiskPathAllow,
++                                       cgroup);
+ }
+ 
+ 
+-static int qemuTeardownDiskCgroup(virCgroupPtr cgroup,
+-                                  virDomainObjPtr vm,
+-                                  virDomainDiskDefPtr disk)
++static int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
++                                    const char *path,
++                                    size_t depth ATTRIBUTE_UNUSED,
++                                    void *opaque)
+ {
+-    char *path = disk->src;
+-    int ret = -1;
+-
+-    while (path != NULL) {
+-        virStorageFileMetadata meta;
+-        int rc;
++    virCgroupPtr cgroup = opaque;
++    int rc;
+ 
+-        VIR_DEBUG("Process path '%s' for disk", path);
+-        rc = virCgroupDenyDevicePath(cgroup, path);
+-        if (rc != 0) {
+-            /* Get this for non-block devices */
+-            if (rc == -EINVAL) {
+-                VIR_DEBUG("Ignoring EINVAL for %s", path);
+-            } else if (rc == -EACCES) { /* Get this for root squash NFS */
+-                VIR_DEBUG("Ignoring EACCES for %s", path);
+-            } else {
+-                virReportSystemError(-rc,
+-                                     _("Unable to deny device %s for %s"),
+-                                     path, vm->def->name);
+-                if (path != disk->src)
+-                    VIR_FREE(path);
+-                goto cleanup;
+-            }
++    VIR_DEBUG("Process path %s for disk", path);
++    /* XXX RO vs RW */
++    rc = virCgroupDenyDevicePath(cgroup, path);
++    if (rc != 0) {
++        /* Get this for non-block devices */
++        if (rc == -EINVAL) {
++            VIR_DEBUG("Ignoring EINVAL for %s", path);
++        } else if (rc == -EACCES) { /* Get this for root squash NFS */
++            VIR_DEBUG("Ignoring EACCES for %s", path);
++        } else {
++            virReportSystemError(-rc,
++                                 _("Unable to allow access for disk path %s"),
++                                 path);
++            return -1;
+         }
+-
+-        rc = virStorageFileGetMetadata(path,
+-                                       VIR_STORAGE_FILE_AUTO,
+-                                       &meta);
+-        if (rc < 0)
+-            VIR_WARN("Unable to lookup parent image for %s", path);
+-
+-        if (path != disk->src)
+-            VIR_FREE(path);
+-        path = NULL;
+-
+-        if (rc < 0)
+-            break; /* Treating as non fatal */
+-
+-        path = meta.backingStore;
+     }
++    return 0;
++}
+ 
+-    ret = 0;
+ 
+-cleanup:
+-    return ret;
++static int qemuTeardownDiskCgroup(virCgroupPtr cgroup,
++                                  virDomainDiskDefPtr disk)
++{
++    return virDomainDiskDefForeachPath(disk,
++                                       true,
++                                       true,
++                                       qemuTeardownDiskPathDeny,
++                                       cgroup);
+ }
+ 
+ 
+@@ -3204,7 +3179,7 @@ static int qemuSetupCgroup(struct qemud_driver *driver,
+         }
+ 
+         for (i = 0; i < vm->def->ndisks ; i++) {
+-            if (qemuSetupDiskCgroup(cgroup, vm, vm->def->disks[i]) < 0)
++            if (qemuSetupDiskCgroup(cgroup, vm->def->disks[i]) < 0)
+                 goto cleanup;
+         }
+ 
+@@ -8035,7 +8010,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
+                                 vm->def->name);
+                 goto endjob;
+             }
+-            if (qemuSetupDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++            if (qemuSetupDiskCgroup(cgroup, dev->data.disk) < 0)
+                 goto endjob;
+         }
+ 
+@@ -8080,7 +8055,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
+             /* Fallthrough */
+         }
+         if (ret != 0 && cgroup) {
+-            if (qemuTeardownDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++            if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
+                 VIR_WARN("Failed to teardown cgroup for disk path %s",
+                          NULLSTR(dev->data.disk->src));
+         }
+@@ -8280,7 +8255,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
+                                 vm->def->name);
+                 goto endjob;
+             }
+-            if (qemuSetupDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++            if (qemuSetupDiskCgroup(cgroup, dev->data.disk) < 0)
+                 goto endjob;
+         }
+ 
+@@ -8303,7 +8278,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
+         }
+ 
+         if (ret != 0 && cgroup) {
+-            if (qemuTeardownDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++            if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
+                 VIR_WARN("Failed to teardown cgroup for disk path %s",
+                          NULLSTR(dev->data.disk->src));
+         }
+@@ -8430,7 +8405,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver,
+         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
+ 
+     if (cgroup != NULL) {
+-        if (qemuTeardownDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++        if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
+             VIR_WARN("Failed to teardown cgroup for disk path %s",
+                      NULLSTR(dev->data.disk->src));
+     }
+@@ -8493,7 +8468,7 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver,
+         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
+ 
+     if (cgroup != NULL) {
+-        if (qemuTeardownDiskCgroup(cgroup, vm, dev->data.disk) < 0)
++        if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
+             VIR_WARN("Failed to teardown cgroup for disk path %s",
+                      NULLSTR(dev->data.disk->src));
+     }
+diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
+index acfe48e..770010d 100644
+--- a/src/qemu/qemu_security_dac.c
++++ b/src/qemu/qemu_security_dac.c
+@@ -98,45 +98,28 @@ err:
+ 
+ 
+ static int
++qemuSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
++                                    const char *path,
++                                    size_t depth ATTRIBUTE_UNUSED,
++                                    void *opaque ATTRIBUTE_UNUSED)
++{
++    return qemuSecurityDACSetOwnership(path, driver->user, driver->group);
++}
++
++
++static int
+ qemuSecurityDACSetSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                      virDomainDiskDefPtr disk)
+ 
+ {
+-    const char *path;
+-
+     if (!driver->privileged || !driver->dynamicOwnership)
+         return 0;
+ 
+-    if (!disk->src)
+-        return 0;
+-
+-    path = disk->src;
+-    do {
+-        virStorageFileMetadata meta;
+-        int ret;
+-
+-        ret = virStorageFileGetMetadata(path,
+-                                        VIR_STORAGE_FILE_AUTO,
+-                                        &meta);
+-
+-        if (path != disk->src)
+-            VIR_FREE(path);
+-        path = NULL;
+-
+-        if (ret < 0)
+-            return -1;
+-
+-        if (meta.backingStore != NULL &&
+-            qemuSecurityDACSetOwnership(meta.backingStore,
+-                                        driver->user, driver->group) < 0) {
+-            VIR_FREE(meta.backingStore);
+-            return -1;
+-        }
+-
+-        path = meta.backingStore;
+-    } while (path != NULL);
+-
+-    return qemuSecurityDACSetOwnership(disk->src, driver->user, driver->group);
++    return virDomainDiskDefForeachPath(disk,
++                                       true,
++                                       false,
++                                       qemuSecurityDACSetSecurityFileLabel,
++                                       NULL);
+ }
+ 
+ 
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 5c0f002..d191118 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -439,54 +439,43 @@ SELinuxRestoreSecurityImageLabel(virDomainObjPtr vm,
+ 
+ 
+ static int
++SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
++                            const char *path,
++                            size_t depth,
++                            void *opaque)
++{
++    const virSecurityLabelDefPtr secdef = opaque;
++
++    if (depth == 0) {
++        if (disk->shared) {
++            return SELinuxSetFilecon(path, default_image_context);
++        } else if (disk->readonly) {
++            return SELinuxSetFilecon(path, default_content_context);
++        } else if (secdef->imagelabel) {
++            return SELinuxSetFilecon(path, secdef->imagelabel);
++        } else {
++            return 0;
++        }
++    } else {
++        return SELinuxSetFilecon(path, default_content_context);
++    }
++}
++
++static int
+ SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
+                              virDomainDiskDefPtr disk)
+ 
+ {
+     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+-    const char *path;
+ 
+     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+         return 0;
+ 
+-    if (!disk->src)
+-        return 0;
+-
+-    path = disk->src;
+-    do {
+-        virStorageFileMetadata meta;
+-        int ret;
+-
+-        ret = virStorageFileGetMetadata(path,
+-                                        VIR_STORAGE_FILE_AUTO,
+-                                        &meta);
+-
+-        if (path != disk->src)
+-            VIR_FREE(path);
+-        path = NULL;
+-
+-        if (ret < 0)
+-           break;
+-
+-        if (meta.backingStore != NULL &&
+-            SELinuxSetFilecon(meta.backingStore,
+-                              default_content_context) < 0) {
+-            VIR_FREE(meta.backingStore);
+-            return -1;
+-        }
+-
+-        path = meta.backingStore;
+-    } while (path != NULL);
+-
+-    if (disk->shared) {
+-        return SELinuxSetFilecon(disk->src, default_image_context);
+-    } else if (disk->readonly) {
+-        return SELinuxSetFilecon(disk->src, default_content_context);
+-    } else if (secdef->imagelabel) {
+-        return SELinuxSetFilecon(disk->src, secdef->imagelabel);
+-    }
+-
+-    return 0;
++    return virDomainDiskDefForeachPath(disk,
++                                       true,
++                                       false,
++                                       SELinuxSetSecurityFileLabel,
++                                       secdef);
+ }
+ 
+ 
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 2c045e6..9ed0cd3 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -36,7 +36,6 @@
+ #include "uuid.h"
+ #include "hostusb.h"
+ #include "pci.h"
+-#include "storage_file.h"
+ 
+ static char *progname;
+ 
+@@ -801,6 +800,28 @@ file_iterate_pci_cb(pciDevice *dev ATTRIBUTE_UNUSED,
+ }
+ 
+ static int
++add_file_path(virDomainDiskDefPtr disk,
++              const char *path,
++              size_t depth,
++              void *opaque)
++{
++    virBufferPtr buf = opaque;
++    int ret;
++
++    if (depth == 0) {
++        if (disk->readonly)
++            ret = vah_add_file(buf, path, "r");
++        else
++            ret = vah_add_file(buf, path, "rw");
++    } else {
++        ret = vah_add_file(buf, path, "r");
++    }
++
++    return ret;
++}
++
++
++static int
+ get_files(vahControl * ctl)
+ {
+     virBuffer buf = VIR_BUFFER_INITIALIZER;
+@@ -821,45 +842,15 @@ get_files(vahControl * ctl)
+         goto clean;
+     }
+ 
+-    for (i = 0; i < ctl->def->ndisks; i++)
+-        if (ctl->def->disks[i] && ctl->def->disks[i]->src) {
+-            int ret;
+-            const char *path;
+-
+-            path = ctl->def->disks[i]->src;
+-            do {
+-                virStorageFileMetadata meta;
+-
+-                ret = virStorageFileGetMetadata(path,
+-                                                VIR_STORAGE_FILE_AUTO,
+-                                                &meta);
+-
+-                if (path != ctl->def->disks[i]->src)
+-                    VIR_FREE(path);
+-                path = NULL;
+-
+-                if (ret < 0) {
+-                    vah_warning("could not open path, skipping");
+-                    continue;
+-                }
+-
+-                if (meta.backingStore != NULL &&
+-                    (ret = vah_add_file(&buf, meta.backingStore, "rw")) != 0) {
+-                    VIR_FREE(meta.backingStore);
+-                    goto clean;
+-                }
+-
+-                path = meta.backingStore;
+-            } while (path != NULL);
+-
+-            if (ctl->def->disks[i]->readonly)
+-                ret = vah_add_file(&buf, ctl->def->disks[i]->src, "r");
+-            else
+-                ret = vah_add_file(&buf, ctl->def->disks[i]->src, "rw");
+-
+-            if (ret != 0)
+-                goto clean;
+-        }
++    for (i = 0; i < ctl->def->ndisks; i++) {
++        int ret = virDomainDiskDefForeachPath(ctl->def->disks[i],
++                                              true,
++                                              false,
++                                              add_file_path,
++                                              &buf);
++        if (ret != 0)
++            goto clean;
++    }
+ 
+     for (i = 0; i < ctl->def->nserials; i++)
+         if (ctl->def->serials[i] && ctl->def->serials[i]->data.file.path)
+-- 
+1.7.1.1
+

libvirt-0.8.2-08-disable-disk-probing.patch

@@ -0,0 +1,468 @@
+From dac2b936e77f6c76c11f162e4b175492e4803acb Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Tue, 15 Jun 2010 17:58:58 +0100
+Subject: [PATCH 08/11] Disable all disk probing in QEMU driver & add config option to re-enable
+
+Disk format probing is now disabled by default. A new config
+option in /etc/qemu/qemu.conf will re-enable it for existing
+deployments where this causes trouble
+---
+ src/qemu/libvirtd_qemu.aug       |    1 +
+ src/qemu/qemu.conf               |   12 ++++++++++++
+ src/qemu/qemu_conf.c             |    4 ++++
+ src/qemu/qemu_conf.h             |    1 +
+ src/qemu/qemu_driver.c           |   36 +++++++++++++++++++++++-------------
+ src/qemu/qemu_security_dac.c     |    2 +-
+ src/qemu/test_libvirtd_qemu.aug  |    4 ++++
+ src/security/security_apparmor.c |   12 ++++++++----
+ src/security/security_driver.c   |   16 ++++++++++++++--
+ src/security/security_driver.h   |   10 ++++++++--
+ src/security/security_selinux.c  |    9 ++++++---
+ src/security/virt-aa-helper.c    |   10 +++++++++-
+ tests/seclabeltest.c             |    2 +-
+ 13 files changed, 92 insertions(+), 27 deletions(-)
+
+diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
+index 7c9f271..47d0525 100644
+--- a/src/qemu/libvirtd_qemu.aug
++++ b/src/qemu/libvirtd_qemu.aug
+@@ -40,6 +40,7 @@ module Libvirtd_qemu =
+                  | bool_entry "relaxed_acs_check"
+                  | bool_entry "vnc_allow_host_audio"
+                  | bool_entry "clear_emulator_capabilities"
++                 | bool_entry "allow_disk_format_probing"
+ 
+    (* Each enty in the config is one of the following three ... *)
+    let entry = vnc_entry
+diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
+index 93934f3..dc8eb83 100644
+--- a/src/qemu/qemu.conf
++++ b/src/qemu/qemu.conf
+@@ -187,3 +187,15 @@
+ # exploit the privileges and possibly do damage to the host.
+ #
+ # clear_emulator_capabilities = 1
++
++
++
++# If allow_disk_format_probing is enabled, libvirt will probe disk
++# images to attempt to identify their format, when not otherwise
++# specified in the XML. This is disabled by default.
++#
++# WARNING: Enabling probing is a security hole in almost all
++# deployments. It is strongly recommended that users update their
++# guest XML <disk> elements to include  <driver type='XXXX'/>
++# elements instead of enabling this option.
++# allow_disk_format_probing = 1
+diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
+index 988220b..3ba48bf 100644
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -365,6 +365,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
+     CHECK_TYPE ("clear_emulator_capabilities", VIR_CONF_LONG);
+     if (p) driver->clearEmulatorCapabilities = p->l;
+ 
++    p = virConfGetValue (conf, "allow_disk_format_probing");
++    CHECK_TYPE ("allow_disk_format_probing", VIR_CONF_LONG);
++    if (p) driver->allowDiskFormatProbing = p->l;
++
+     virConfFree (conf);
+     return 0;
+ }
+diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
+index ab5f158..30e9f20 100644
+--- a/src/qemu/qemu_conf.h
++++ b/src/qemu/qemu_conf.h
+@@ -141,6 +141,7 @@ struct qemud_driver {
+     unsigned int relaxedACS : 1;
+     unsigned int vncAllowHostAudio : 1;
+     unsigned int clearEmulatorCapabilities : 1;
++    unsigned int allowDiskFormatProbing : 1;
+ 
+     virCapsPtr caps;
+ 
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 616547c..3c479c5 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -1322,7 +1322,8 @@ qemudSecurityInit(struct qemud_driver *qemud_drv)
+     qemuSecurityDACSetDriver(qemud_drv);
+ 
+     ret = virSecurityDriverStartup(&security_drv,
+-                                   qemud_drv->securityDriverName);
++                                   qemud_drv->securityDriverName,
++                                   qemud_drv->allowDiskFormatProbing);
+     if (ret == -1) {
+         VIR_ERROR0(_("Failed to start security driver"));
+         return -1;
+@@ -3070,11 +3071,12 @@ static int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
+ }
+ 
+ 
+-static int qemuSetupDiskCgroup(virCgroupPtr cgroup,
++static int qemuSetupDiskCgroup(struct qemud_driver *driver,
++                               virCgroupPtr cgroup,
+                                virDomainDiskDefPtr disk)
+ {
+     return virDomainDiskDefForeachPath(disk,
+-                                       true,
++                                       driver->allowDiskFormatProbing,
+                                        true,
+                                        qemuSetupDiskPathAllow,
+                                        cgroup);
+@@ -3109,11 +3111,12 @@ static int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
+ }
+ 
+ 
+-static int qemuTeardownDiskCgroup(virCgroupPtr cgroup,
++static int qemuTeardownDiskCgroup(struct qemud_driver *driver,
++                                  virCgroupPtr cgroup,
+                                   virDomainDiskDefPtr disk)
+ {
+     return virDomainDiskDefForeachPath(disk,
+-                                       true,
++                                       driver->allowDiskFormatProbing,
+                                        true,
+                                        qemuTeardownDiskPathDeny,
+                                        cgroup);
+@@ -3180,7 +3183,7 @@ static int qemuSetupCgroup(struct qemud_driver *driver,
+         }
+ 
+         for (i = 0; i < vm->def->ndisks ; i++) {
+-            if (qemuSetupDiskCgroup(cgroup, vm->def->disks[i]) < 0)
++            if (qemuSetupDiskCgroup(driver, cgroup, vm->def->disks[i]) < 0)
+                 goto cleanup;
+         }
+ 
+@@ -8033,7 +8036,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
+                                 vm->def->name);
+                 goto endjob;
+             }
+-            if (qemuSetupDiskCgroup(cgroup, dev->data.disk) < 0)
++            if (qemuSetupDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+                 goto endjob;
+         }
+ 
+@@ -8078,7 +8081,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
+             /* Fallthrough */
+         }
+         if (ret != 0 && cgroup) {
+-            if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
++            if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+                 VIR_WARN("Failed to teardown cgroup for disk path %s",
+                          NULLSTR(dev->data.disk->src));
+         }
+@@ -8278,7 +8281,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
+                                 vm->def->name);
+                 goto endjob;
+             }
+-            if (qemuSetupDiskCgroup(cgroup, dev->data.disk) < 0)
++            if (qemuSetupDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+                 goto endjob;
+         }
+ 
+@@ -8301,7 +8304,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
+         }
+ 
+         if (ret != 0 && cgroup) {
+-            if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
++            if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+                 VIR_WARN("Failed to teardown cgroup for disk path %s",
+                          NULLSTR(dev->data.disk->src));
+         }
+@@ -8429,7 +8432,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver,
+         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
+ 
+     if (cgroup != NULL) {
+-        if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
++        if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+             VIR_WARN("Failed to teardown cgroup for disk path %s",
+                      NULLSTR(dev->data.disk->src));
+     }
+@@ -8493,7 +8496,7 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver,
+         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
+ 
+     if (cgroup != NULL) {
+-        if (qemuTeardownDiskCgroup(cgroup, dev->data.disk) < 0)
++        if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
+             VIR_WARN("Failed to teardown cgroup for disk path %s",
+                      NULLSTR(dev->data.disk->src));
+     }
+@@ -9672,8 +9675,15 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
+             goto cleanup;
+         }
+     } else {
+-        if ((format = virStorageFileProbeFormat(disk->src)) < 0)
++        if (driver->allowDiskFormatProbing) {
++            if ((format = virStorageFileProbeFormat(disk->src)) < 0)
++                goto cleanup;
++        } else {
++            qemuReportError(VIR_ERR_INTERNAL_ERROR,
++                            _("no disk format for %s and probing is disabled"),
++                            disk->src);
+             goto cleanup;
++        }
+     }
+ 
+     if (virStorageFileGetMetadataFromFD(path, fd,
+diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
+index 0bbcf69..55dc0c6 100644
+--- a/src/qemu/qemu_security_dac.c
++++ b/src/qemu/qemu_security_dac.c
+@@ -117,7 +117,7 @@ qemuSecurityDACSetSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
+         return 0;
+ 
+     return virDomainDiskDefForeachPath(disk,
+-                                       true,
++                                       driver->allowDiskFormatProbing,
+                                        false,
+                                        qemuSecurityDACSetSecurityFileLabel,
+                                        NULL);
+diff --git a/src/qemu/test_libvirtd_qemu.aug b/src/qemu/test_libvirtd_qemu.aug
+index 3326cc5..f0c4a0d 100644
+--- a/src/qemu/test_libvirtd_qemu.aug
++++ b/src/qemu/test_libvirtd_qemu.aug
+@@ -101,6 +101,8 @@ relaxed_acs_check = 1
+ vnc_allow_host_audio = 1
+ 
+ clear_emulator_capabilities = 0
++
++allow_disk_format_probing = 1
+ "
+ 
+    test Libvirtd_qemu.lns get conf =
+@@ -212,3 +214,5 @@ clear_emulator_capabilities = 0
+ { "vnc_allow_host_audio" = "1" }
+ { "#empty" }
+ { "clear_emulator_capabilities" = "0" }
++{ "#empty" }
++{ "allow_disk_format_probing" = "1" }
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index cb5c739..c5f9829 100644
+--- a/src/security/security_apparmor.c
++++ b/src/security/security_apparmor.c
+@@ -157,6 +157,8 @@ load_profile(virSecurityDriverPtr drv,
+     char *xml = NULL;
+     int pipefd[2];
+     pid_t child;
++    const char *probe = virSecurityDriverGetAllowDiskFormatProbing(drv)
++        ? "1" : "0";
+ 
+     if (pipe(pipefd) < -1) {
+         virReportSystemError(errno, "%s", _("unable to create pipe"));
+@@ -172,19 +174,19 @@ load_profile(virSecurityDriverPtr drv,
+ 
+     if (create) {
+         const char *const argv[] = {
+-            VIRT_AA_HELPER, "-c", "-u", profile, NULL
++            VIRT_AA_HELPER, "-p", probe, "-c", "-u", profile, NULL
+         };
+         ret = virExec(argv, NULL, NULL, &child,
+                       pipefd[0], NULL, NULL, VIR_EXEC_NONE);
+     } else if (fn) {
+         const char *const argv[] = {
+-            VIRT_AA_HELPER, "-r", "-u", profile, "-f", fn, NULL
++            VIRT_AA_HELPER, "-p", probe, "-r", "-u", profile, "-f", fn, NULL
+         };
+         ret = virExec(argv, NULL, NULL, &child,
+                       pipefd[0], NULL, NULL, VIR_EXEC_NONE);
+     } else {
+         const char *const argv[] = {
+-            VIRT_AA_HELPER, "-r", "-u", profile, NULL
++            VIRT_AA_HELPER, "-p", probe, "-r", "-u", profile, NULL
+         };
+         ret = virExec(argv, NULL, NULL, &child,
+                       pipefd[0], NULL, NULL, VIR_EXEC_NONE);
+@@ -347,9 +349,11 @@ AppArmorSecurityDriverProbe(void)
+  * currently not used.
+  */
+ static int
+-AppArmorSecurityDriverOpen(virSecurityDriverPtr drv)
++AppArmorSecurityDriverOpen(virSecurityDriverPtr drv,
++                           bool allowDiskFormatProbing)
+ {
+     virSecurityDriverSetDOI(drv, SECURITY_APPARMOR_VOID_DOI);
++    virSecurityDriverSetAllowDiskFormatProbing(drv, allowDiskFormatProbing);
+     return 0;
+ }
+ 
+diff --git a/src/security/security_driver.c b/src/security/security_driver.c
+index aac9f78..9e32fa4 100644
+--- a/src/security/security_driver.c
++++ b/src/security/security_driver.c
+@@ -56,7 +56,8 @@ virSecurityDriverVerify(virDomainDefPtr def)
+ 
+ int
+ virSecurityDriverStartup(virSecurityDriverPtr *drv,
+-                         const char *name)
++                         const char *name,
++                         bool allowDiskFormatProbing)
+ {
+     unsigned int i;
+ 
+@@ -72,7 +73,7 @@ virSecurityDriverStartup(virSecurityDriverPtr *drv,
+         switch (tmp->probe()) {
+         case SECURITY_DRIVER_ENABLE:
+             virSecurityDriverInit(tmp);
+-            if (tmp->open(tmp) == -1) {
++            if (tmp->open(tmp, allowDiskFormatProbing) == -1) {
+                 return -1;
+             } else {
+                 *drv = tmp;
+@@ -125,3 +126,14 @@ virSecurityDriverGetModel(virSecurityDriverPtr drv)
+ {
+     return drv->name;
+ }
++
++void virSecurityDriverSetAllowDiskFormatProbing(virSecurityDriverPtr drv,
++                                                bool allowDiskFormatProbing)
++{
++    drv->_private.allowDiskFormatProbing = allowDiskFormatProbing;
++}
++
++bool virSecurityDriverGetAllowDiskFormatProbing(virSecurityDriverPtr drv)
++{
++    return drv->_private.allowDiskFormatProbing;
++}
+diff --git a/src/security/security_driver.h b/src/security/security_driver.h
+index 61c9eb0..d768f32 100644
+--- a/src/security/security_driver.h
++++ b/src/security/security_driver.h
+@@ -33,7 +33,8 @@ typedef struct _virSecurityDriverState virSecurityDriverState;
+ typedef virSecurityDriverState *virSecurityDriverStatePtr;
+ 
+ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
+-typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv);
++typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv,
++                                      bool allowDiskFormatProbing);
+ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityDriverPtr drv,
+                                                    virDomainObjPtr vm,
+                                                    virDomainDiskDefPtr disk);
+@@ -102,12 +103,14 @@ struct _virSecurityDriver {
+      */
+     struct {
+         char doi[VIR_SECURITY_DOI_BUFLEN];
++        bool allowDiskFormatProbing;
+     } _private;
+ };
+ 
+ /* Global methods */
+ int virSecurityDriverStartup(virSecurityDriverPtr *drv,
+-                             const char *name);
++                             const char *name,
++                             bool allowDiskFormatProbing);
+ 
+ int
+ virSecurityDriverVerify(virDomainDefPtr def);
+@@ -120,7 +123,10 @@ virSecurityDriverVerify(virDomainDefPtr def);
+ void virSecurityDriverInit(virSecurityDriverPtr drv);
+ int virSecurityDriverSetDOI(virSecurityDriverPtr drv,
+                             const char *doi);
++void virSecurityDriverSetAllowDiskFormatProbing(virSecurityDriverPtr drv,
++                                                bool allowDiskFormatProbing);
+ const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv);
+ const char *virSecurityDriverGetModel(virSecurityDriverPtr drv);
++bool virSecurityDriverGetAllowDiskFormatProbing(virSecurityDriverPtr drv);
+ 
+ #endif /* __VIR_SECURITY_H__ */
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index cc3812b..a9dd836 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -266,13 +266,15 @@ SELinuxSecurityDriverProbe(void)
+ }
+ 
+ static int
+-SELinuxSecurityDriverOpen(virSecurityDriverPtr drv)
++SELinuxSecurityDriverOpen(virSecurityDriverPtr drv,
++                          bool allowDiskFormatProbing)
+ {
+     /*
+      * Where will the DOI come from?  SELinux configuration, or qemu
+      * configuration? For the moment, we'll just set it to "0".
+      */
+     virSecurityDriverSetDOI(drv, SECURITY_SELINUX_VOID_DOI);
++    virSecurityDriverSetAllowDiskFormatProbing(drv, allowDiskFormatProbing);
+     return SELinuxInitialize();
+ }
+ 
+@@ -467,18 +469,19 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
+ }
+ 
+ static int
+-SELinuxSetSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
++SELinuxSetSecurityImageLabel(virSecurityDriverPtr drv,
+                              virDomainObjPtr vm,
+                              virDomainDiskDefPtr disk)
+ 
+ {
+     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
++    bool allowDiskFormatProbing = virSecurityDriverGetAllowDiskFormatProbing(drv);
+ 
+     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+         return 0;
+ 
+     return virDomainDiskDefForeachPath(disk,
+-                                       true,
++                                       allowDiskFormatProbing,
+                                        false,
+                                        SELinuxSetSecurityFileLabel,
+                                        secdef);
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 9ed0cd3..521545d 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -40,6 +40,7 @@
+ static char *progname;
+ 
+ typedef struct {
++    bool allowDiskFormatProbing;
+     char uuid[PROFILE_NAME_SIZE];       /* UUID of vm */
+     bool dryrun;                /* dry run */
+     char cmd;                   /* 'c'   create
+@@ -844,7 +845,7 @@ get_files(vahControl * ctl)
+ 
+     for (i = 0; i < ctl->def->ndisks; i++) {
+         int ret = virDomainDiskDefForeachPath(ctl->def->disks[i],
+-                                              true,
++                                              ctl->allowDiskFormatProbing,
+                                               false,
+                                               add_file_path,
+                                               &buf);
+@@ -943,6 +944,7 @@ vahParseArgv(vahControl * ctl, int argc, char **argv)
+ {
+     int arg, idx = 0;
+     struct option opt[] = {
++        {"probing", 1, 0, 'p' },
+         {"add", 0, 0, 'a'},
+         {"create", 0, 0, 'c'},
+         {"dryrun", 0, 0, 'd'},
+@@ -991,6 +993,12 @@ vahParseArgv(vahControl * ctl, int argc, char **argv)
+                     PROFILE_NAME_SIZE) == NULL)
+                     vah_error(ctl, 1, "error copying UUID");
+                 break;
++            case 'p':
++                if (STREQ(optarg, "1"))
++                    ctl->allowDiskFormatProbing = true;
++                else
++                    ctl->allowDiskFormatProbing = false;
++                break;
+             default:
+                 vah_error(ctl, 1, "unsupported option");
+                 break;
+diff --git a/tests/seclabeltest.c b/tests/seclabeltest.c
+index 26d1f86..ef3f026 100644
+--- a/tests/seclabeltest.c
++++ b/tests/seclabeltest.c
+@@ -15,7 +15,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
+     const char *doi, *model;
+     virSecurityDriverPtr security_drv;
+ 
+-    ret = virSecurityDriverStartup (&security_drv, "selinux");
++    ret = virSecurityDriverStartup (&security_drv, "selinux", false);
+     if (ret == -1)
+     {
+         fprintf (stderr, "Failed to start security driver");
+-- 
+1.7.1.1
+

libvirt-0.8.2-09-set-default-driver.patch

@@ -0,0 +1,94 @@
+From 3534cd47a57ee9cf7041472511444784f14d6939 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Mon, 14 Jun 2010 16:08:55 +0100
+Subject: [PATCH 09/11] Add ability to set a default driver name/type when parsing disks
+
+Record a default driver name/type in capabilities struct. Use this
+when parsing disks if value is not set in XML config.
+
+* src/conf/capabilities.h: Record default driver name/type for disks
+* src/conf/domain_conf.c: Fallback to default driver name/type
+  when parsing disks
+* src/qemu/qemu_driver.c: Set default driver name/type to raw
+---
+ src/conf/capabilities.h |    2 ++
+ src/conf/domain_conf.c  |   16 +++++++++++++++-
+ src/qemu/qemu_driver.c  |    8 ++++++++
+ 3 files changed, 25 insertions(+), 1 deletions(-)
+
+diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
+index 9290c82..f676eb8 100644
+--- a/src/conf/capabilities.h
++++ b/src/conf/capabilities.h
+@@ -123,6 +123,8 @@ struct _virCaps {
+     virCapsGuestPtr *guests;
+     unsigned char macPrefix[VIR_MAC_PREFIX_BUFLEN];
+     unsigned int emulatorRequired : 1;
++    const char *defaultDiskDriverName;
++    const char *defaultDiskDriverType;
+     void *(*privateDataAllocFunc)(void);
+     void (*privateDataFreeFunc)(void *);
+     int (*privateDataXMLFormat)(virBufferPtr, void *);
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index b20ca97..f3b8cfa 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -1639,6 +1639,16 @@ virDomainDiskDefParseXML(virCapsPtr caps,
+     def->serial = serial;
+     serial = NULL;
+ 
++    if (!def->driverType &&
++        caps->defaultDiskDriverType &&
++        !(def->driverType = strdup(caps->defaultDiskDriverType)))
++        goto no_memory;
++
++    if (!def->driverName &&
++        caps->defaultDiskDriverName &&
++        !(def->driverName = strdup(caps->defaultDiskDriverName)))
++        goto no_memory;
++
+     if (def->info.type == VIR_DOMAIN_DEVICE_ADDRESS_TYPE_NONE
+         && virDomainDiskDefAssignAddress(caps, def) < 0)
+         goto error;
+@@ -1659,6 +1669,9 @@ cleanup:
+ 
+     return def;
+ 
++no_memory:
++    virReportOOMError();
++
+  error:
+     virDomainDiskDefFree(def);
+     def = NULL;
+@@ -4275,7 +4288,8 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
+     if (n && VIR_ALLOC_N(def->disks, n) < 0)
+         goto no_memory;
+     for (i = 0 ; i < n ; i++) {
+-        virDomainDiskDefPtr disk = virDomainDiskDefParseXML(caps, nodes[i],
++        virDomainDiskDefPtr disk = virDomainDiskDefParseXML(caps,
++                                                            nodes[i],
+                                                             flags);
+         if (!disk)
+             goto error;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 3c479c5..14b790e 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -1357,6 +1357,14 @@ qemuCreateCapabilities(virCapsPtr oldcaps,
+         return NULL;
+     }
+ 
++    if (driver->allowDiskFormatProbing) {
++        caps->defaultDiskDriverName = NULL;
++        caps->defaultDiskDriverType = NULL;
++    } else {
++        caps->defaultDiskDriverName = "qemu";
++        caps->defaultDiskDriverType = "raw";
++    }
++
+     /* Domain XML parser hooks */
+     caps->privateDataAllocFunc = qemuDomainObjPrivateAlloc;
+     caps->privateDataFreeFunc = qemuDomainObjPrivateFree;
+-- 
+1.7.1.1
+

libvirt-0.8.2-10-qemu-img-format-handling.patch

@@ -0,0 +1,291 @@
+From 2ba8625d6d148fa489586efabdfaf2ef20903762 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed, 16 Jun 2010 14:14:05 +0100
+Subject: [PATCH 10/11] Rewrite qemu-img backing store format handling
+
+When creating qcow2 files with a backing store, it is important
+to set an explicit format to prevent QEMU probing. The storage
+backend was only doing this if it found a 'kvm-img' binary. This
+is wrong because plenty of kvm-img binaries don't support an
+explicit format, and plenty of 'qemu-img' binaries do support
+a format. The result was that most qcow2 files were not getting
+a backing store format.
+
+This patch runs 'qemu-img -h' to check for the two support
+argument formats
+
+  '-o backing_format=raw'
+  '-F raw'
+
+and use whichever option it finds
+
+* src/storage/storage_backend.c: Query binary to determine
+  how to set the backing store format
+---
+ src/storage/storage_backend.c |  214 +++++++++++++++++++++++++++++------------
+ 1 files changed, 152 insertions(+), 62 deletions(-)
+
+diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c
+index aba8937..c185693 100644
+--- a/src/storage/storage_backend.c
++++ b/src/storage/storage_backend.c
+@@ -561,6 +561,69 @@ static int virStorageBackendCreateExecCommand(virStoragePoolObjPtr pool,
+     return 0;
+ }
+ 
++enum {
++    QEMU_IMG_BACKING_FORMAT_NONE = 0,
++    QEMU_IMG_BACKING_FORMAT_FLAG,
++    QEMU_IMG_BACKING_FORMAT_OPTIONS,
++};
++
++static int virStorageBackendQEMUImgBackingFormat(const char *qemuimg)
++{
++    const char *const qemuarg[] = { qemuimg, "-h", NULL };
++    const char *const qemuenv[] = { "LC_ALL=C", NULL };
++    pid_t child = 0;
++    int status;
++    int newstdout = -1;
++    char *help = NULL;
++    enum { MAX_HELP_OUTPUT_SIZE = 1024*8 };
++    int len;
++    char *start;
++    char *end;
++    char *tmp;
++    int ret = -1;
++
++    if (virExec(qemuarg, qemuenv, NULL,
++                &child, -1, &newstdout, NULL, VIR_EXEC_CLEAR_CAPS) < 0)
++        goto cleanup;
++
++    if ((len = virFileReadLimFD(newstdout, MAX_HELP_OUTPUT_SIZE, &help)) < 0) {
++        virReportSystemError(errno,
++                             _("Unable to read '%s -h' output"),
++                             qemuimg);
++        goto cleanup;
++    }
++
++    start = strstr(help, " create ");
++    end = strstr(start, "\n");
++    if ((tmp = strstr(start, "-F fmt")) && tmp < end)
++        ret = QEMU_IMG_BACKING_FORMAT_FLAG;
++    else if ((tmp = strstr(start, "[-o options]")) && tmp < end)
++        ret = QEMU_IMG_BACKING_FORMAT_OPTIONS;
++    else
++        ret = QEMU_IMG_BACKING_FORMAT_NONE;
++
++cleanup:
++    VIR_FREE(help);
++    close(newstdout);
++rewait:
++    if (child) {
++        if (waitpid(child, &status, 0) != child) {
++            if (errno == EINTR)
++                goto rewait;
++
++            VIR_ERROR(_("Unexpected exit status from qemu %d pid %lu"),
++                      WEXITSTATUS(status), (unsigned long)child);
++        }
++        if (WEXITSTATUS(status) != 0) {
++            VIR_WARN("Unexpected exit status '%d', qemu probably failed",
++                     WEXITSTATUS(status));
++        }
++    }
++
++    return ret;
++}
++
++
+ static int
+ virStorageBackendCreateQemuImg(virConnectPtr conn,
+                                virStoragePoolObjPtr pool,
+@@ -568,10 +631,9 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
+                                virStorageVolDefPtr inputvol,
+                                unsigned int flags ATTRIBUTE_UNUSED)
+ {
+-    int ret;
++    int ret = -1;
+     char size[100];
+     char *create_tool;
+-    short use_kvmimg;
+ 
+     const char *type = virStorageFileFormatTypeToString(vol->target.format);
+     const char *backingType = vol->backingStore.path ?
+@@ -582,41 +644,10 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
+     const char *inputPath = inputvol ? inputvol->target.path : NULL;
+     /* Treat input block devices as 'raw' format */
+     const char *inputType = inputPath ?
+-                            virStorageFileFormatTypeToString(inputvol->type == VIR_STORAGE_VOL_BLOCK ? VIR_STORAGE_FILE_RAW : inputvol->target.format) :
+-                            NULL;
+-
+-    const char **imgargv;
+-    /* The extra NULL field is for indicating encryption (-e). */
+-    const char *imgargvnormal[] = {
+-        NULL, "create",
+-        "-f", type,
+-        vol->target.path,
+-        size,
+-        NULL,
+-        NULL
+-    };
+-    /* Extra NULL fields are for including "backingType" when using
+-     * kvm-img (-F backingType), and for indicating encryption (-e).
+-     */
+-    const char *imgargvbacking[] = {
+-        NULL, "create",
+-        "-f", type,
+-        "-b", vol->backingStore.path,
+-        vol->target.path,
+-        size,
+-        NULL,
+-        NULL,
+-        NULL,
+-        NULL
+-    };
+-    const char *convargv[] = {
+-        NULL, "convert",
+-        "-f", inputType,
+-        "-O", type,
+-        inputPath,
+-        vol->target.path,
+-        NULL,
+-    };
++        virStorageFileFormatTypeToString(inputvol->type == VIR_STORAGE_VOL_BLOCK ?
++                                         VIR_STORAGE_FILE_RAW :
++                                         inputvol->target.format) :
++        NULL;
+ 
+     if (type == NULL) {
+         virStorageReportError(VIR_ERR_INTERNAL_ERROR,
+@@ -690,44 +721,103 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
+         }
+     }
+ 
+-    if ((create_tool = virFindFileInPath("kvm-img")) != NULL)
+-        use_kvmimg = 1;
+-    else if ((create_tool = virFindFileInPath("qemu-img")) != NULL)
+-        use_kvmimg = 0;
+-    else {
++    /* Size in KB */
++    snprintf(size, sizeof(size), "%lluK", vol->capacity/1024);
++
++    /* KVM is usually ahead of qemu on features, so try that first */
++    create_tool = virFindFileInPath("kvm-img");
++    if (!create_tool)
++        create_tool = virFindFileInPath("qemu-img");
++
++    if (!create_tool) {
+         virStorageReportError(VIR_ERR_INTERNAL_ERROR,
+                               "%s", _("unable to find kvm-img or qemu-img"));
+         return -1;
+     }
+ 
+     if (inputvol) {
+-        convargv[0] = create_tool;
+-        imgargv = convargv;
++        const char *imgargv[] = {
++            create_tool,
++            "convert",
++            "-f", inputType,
++            "-O", type,
++            inputPath,
++            vol->target.path,
++            NULL,
++        };
++
++        ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
+     } else if (vol->backingStore.path) {
+-        imgargvbacking[0] = create_tool;
+-        if (use_kvmimg) {
+-            imgargvbacking[6] = "-F";
+-            imgargvbacking[7] = backingType;
+-            imgargvbacking[8] = vol->target.path;
+-            imgargvbacking[9] = size;
++        const char *imgargv[] = {
++            create_tool,
++            "create",
++            "-f", type,
++            "-b", vol->backingStore.path,
++            NULL,
++            NULL,
++            NULL,
++            NULL,
++            NULL,
++            NULL
++        };
++        int imgformat = virStorageBackendQEMUImgBackingFormat(create_tool);
++        char *optflag = NULL;
++        if (imgformat < 0)
++            goto cleanup;
++
++        switch (imgformat) {
++        case QEMU_IMG_BACKING_FORMAT_FLAG:
++            imgargv[6] = "-F";
++            imgargv[7] = backingType;
++            imgargv[8] = vol->target.path;
++            imgargv[9] = size;
++            if (vol->target.encryption != NULL)
++                imgargv[10] = "-e";
++            break;
++
++        case QEMU_IMG_BACKING_FORMAT_OPTIONS:
++            if (virAsprintf(&optflag, "backing_fmt=%s", backingType) < 0) {
++                virReportOOMError();
++                goto cleanup;
++            }
++            imgargv[6] = "-o";
++            imgargv[7] = optflag;
++            imgargv[8] = vol->target.path;
++            imgargv[9] = size;
+             if (vol->target.encryption != NULL)
+-                imgargvbacking[10] = "-e";
+-        } else if (vol->target.encryption != NULL)
+-            imgargvbacking[8] = "-e";
+-        imgargv = imgargvbacking;
++                imgargv[10] = "-e";
++            break;
++
++        default:
++            VIR_INFO("Unable to set backing store format for %s with %s",
++                     vol->target.path, create_tool);
++            imgargv[6] = vol->target.path;
++            imgargv[7] = size;
++            if (vol->target.encryption != NULL)
++                imgargv[8] = "-e";
++        }
++
++        ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
++        VIR_FREE(optflag);
+     } else {
+-        imgargvnormal[0] = create_tool;
+-        imgargv = imgargvnormal;
++        /* The extra NULL field is for indicating encryption (-e). */
++        const char *imgargv[] = {
++            create_tool,
++            "create",
++            "-f", type,
++            vol->target.path,
++            size,
++            NULL,
++            NULL
++        };
+         if (vol->target.encryption != NULL)
+             imgargv[6] = "-e";
+-    }
+ 
++        ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
++    }
+ 
+-    /* Size in KB */
+-    snprintf(size, sizeof(size), "%lluK", vol->capacity/1024);
+-
+-    ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
+-    VIR_FREE(imgargv[0]);
++    cleanup:
++    VIR_FREE(create_tool);
+ 
+     return ret;
+ }
+-- 
+1.7.1.1
+

libvirt-0.8.2-11-storage-vol-backing.patch

@@ -0,0 +1,165 @@
+From d33f44c2e74de28c89b64cdc2c0a6564662e075c Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Fri, 9 Jul 2010 11:28:40 +0100
+Subject: [PATCH 11/11] Use the extract backing store format in storage volume lookup
+
+The storage volume lookup code was probing for the backing store
+format, instead of using the format extracted from the file
+itself. This meant it could report in accurate information. If
+a format is included in the file, then use that in preference,
+with probing as a fallback.
+
+* src/storage/storage_backend_fs.c: Use extracted backing store
+  format
+---
+ src/storage/storage_backend_fs.c |   80 +++++++++++++++++---------------------
+ 1 files changed, 36 insertions(+), 44 deletions(-)
+
+diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c
+index d3ac0fe..ffb0071 100644
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -51,6 +51,7 @@
+ static int
+ virStorageBackendProbeTarget(virStorageVolTargetPtr target,
+                              char **backingStore,
++                             int *backingStoreFormat,
+                              unsigned long long *allocation,
+                              unsigned long long *capacity,
+                              virStorageEncryptionPtr *encryption)
+@@ -58,6 +59,10 @@ virStorageBackendProbeTarget(virStorageVolTargetPtr target,
+     int fd, ret;
+     virStorageFileMetadata meta;
+ 
++    if (backingStore)
++        *backingStore = NULL;
++    if (backingStoreFormat)
++        *backingStoreFormat = VIR_STORAGE_FILE_AUTO;
+     if (encryption)
+         *encryption = NULL;
+ 
+@@ -89,22 +94,30 @@ virStorageBackendProbeTarget(virStorageVolTargetPtr target,
+ 
+     close(fd);
+ 
+-    if (backingStore) {
+-        *backingStore = meta.backingStore;
+-        meta.backingStore = NULL;
++    if (meta.backingStore) {
++        if (backingStore) {
++            *backingStore = meta.backingStore;
++            meta.backingStore = NULL;
++            if (meta.backingStoreFormat == VIR_STORAGE_FILE_AUTO) {
++                if ((*backingStoreFormat = virStorageFileProbeFormat(*backingStore)) < 0) {
++                    close(fd);
++                    goto cleanup;
++                }
++            } else {
++                *backingStoreFormat = meta.backingStoreFormat;
++            }
++        } else {
++            VIR_FREE(meta.backingStore);
++        }
+     }
+ 
+-    VIR_FREE(meta.backingStore);
+-
+     if (capacity && meta.capacity)
+         *capacity = meta.capacity;
+ 
+     if (encryption != NULL && meta.encrypted) {
+         if (VIR_ALLOC(*encryption) < 0) {
+             virReportOOMError();
+-            if (backingStore)
+-                VIR_FREE(*backingStore);
+-            return -1;
++            goto cleanup;
+         }
+ 
+         switch (target->format) {
+@@ -124,6 +137,11 @@ virStorageBackendProbeTarget(virStorageVolTargetPtr target,
+     }
+ 
+     return 0;
++
++cleanup:
++    if (backingStore)
++        VIR_FREE(*backingStore);
++    return -1;
+ }
+ 
+ #if WITH_STORAGE_FS
+@@ -585,6 +603,7 @@ virStorageBackendFileSystemRefresh(virConnectPtr conn ATTRIBUTE_UNUSED,
+     while ((ent = readdir(dir)) != NULL) {
+         int ret;
+         char *backingStore;
++        int backingStoreFormat;
+ 
+         if (VIR_ALLOC(vol) < 0)
+             goto no_memory;
+@@ -604,6 +623,7 @@ virStorageBackendFileSystemRefresh(virConnectPtr conn ATTRIBUTE_UNUSED,
+ 
+         if ((ret = virStorageBackendProbeTarget(&vol->target,
+                                                 &backingStore,
++                                                &backingStoreFormat,
+                                                 &vol->allocation,
+                                                 &vol->capacity,
+                                                 &vol->target.encryption)) < 0) {
+@@ -619,46 +639,18 @@ virStorageBackendFileSystemRefresh(virConnectPtr conn ATTRIBUTE_UNUSED,
+         }
+ 
+         if (backingStore != NULL) {
+-            if (vol->target.format == VIR_STORAGE_FILE_QCOW2 &&
+-                STRPREFIX("fmt:", backingStore)) {
+-                char *fmtstr = backingStore + 4;
+-                char *path = strchr(fmtstr, ':');
+-                if (!path) {
+-                    VIR_FREE(backingStore);
+-                } else {
+-                    *path = '\0';
+-                    if ((vol->backingStore.format =
+-                         virStorageFileFormatTypeFromString(fmtstr)) < 0) {
+-                        VIR_FREE(backingStore);
+-                    } else {
+-                        memmove(backingStore, path, strlen(path) + 1);
+-                        vol->backingStore.path = backingStore;
+-
+-                        if (virStorageBackendUpdateVolTargetInfo(&vol->backingStore,
+-                                                                 NULL,
+-                                                                 NULL) < 0)
+-                            VIR_FREE(vol->backingStore);
+-                    }
+-                }
+-            } else {
+-                vol->backingStore.path = backingStore;
+-
+-                if ((ret = virStorageBackendProbeTarget(&vol->backingStore,
+-                                                        NULL, NULL, NULL,
+-                                                        NULL)) < 0) {
+-                    if (ret == -1)
+-                        goto cleanup;
+-                    else {
+-                        /* Silently ignore non-regular files,
+-                         * eg '.' '..', 'lost+found' */
+-                        VIR_FREE(vol->backingStore);
+-                    }
+-                }
++            vol->backingStore.path = backingStore;
++            vol->backingStore.format = backingStoreFormat;
++
++            if (virStorageBackendUpdateVolTargetInfo(&vol->backingStore,
++                                                     NULL,
++                                                     NULL) < 0) {
++                VIR_FREE(vol->backingStore.path);
++                goto cleanup;
+             }
+         }
+ 
+ 
+-
+         if (VIR_REALLOC_N(pool->volumes.objs,
+                           pool->volumes.count+1) < 0)
+             goto no_memory;
+-- 
+1.7.1.1
+

libvirt-0.8.2-apply-iptables-sport-mapping.patch

@@ -0,0 +1,265 @@
+From 112a309bc7839e95c558b535143f855ce89cca8c Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu, 10 Jun 2010 12:50:38 -0400
+Subject: [PATCH] CVE-2010-2242 Apply a source port mapping to virtual network masquerading
+
+IPtables will seek to preserve the source port unchanged when
+doing masquerading, if possible. NFS has a pseudo-security
+option where it checks for the source port <= 1023 before
+allowing a mount request. If an admin has used this to make the
+host OS trusted for mounts, the default iptables behaviour will
+potentially allow NAT'd guests access too. This needs to be
+stopped.
+
+With this change, the iptables -t nat -L -n -v rules for the
+default network will be
+
+Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+   14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
+   75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
+    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
+
+* src/network/bridge_driver.c: Add masquerade rules for TCP
+  and UDP protocols
+* src/util/iptables.c, src/util/iptables.c: Add source port
+  mappings for TCP & UDP protocols when masquerading.
+---
+ src/network/bridge_driver.c |   73 ++++++++++++++++++++++++++++++++++++++++--
+ src/util/iptables.c         |   70 +++++++++++++++++++++++++++++------------
+ src/util/iptables.h         |    6 ++-
+ 3 files changed, 122 insertions(+), 27 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 72255c1..80ed57a 100644
+--- a/src/network/bridge_driver.c
++++ b/src/network/bridge_driver.c
+@@ -638,18 +638,74 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
+         goto masqerr2;
+     }
+ 
+-    /* enable masquerading */
++    /*
++     * Enable masquerading.
++     *
++     * We need to end up with 3 rules in the table in this order
++     *
++     *  1. protocol=tcp with sport mapping restricton
++     *  2. protocol=udp with sport mapping restricton
++     *  3. generic any protocol
++     *
++     * The sport mappings are required, because default IPtables
++     * MASQUERADE is maintain port number unchanged where possible.
++     *
++     * NFS can be configured to only "trust" port numbers < 1023.
++     *
++     * Guests using NAT thus need to be prevented from having port
++     * numbers < 1023, otherwise they can bypass the NFS "security"
++     * check on the source port number.
++     *
++     * Since we use '--insert' to add rules to the header of the
++     * chain, we actually need to add them in the reverse of the
++     * order just mentioned !
++     */
++
++    /* First the generic masquerade rule for other protocols */
+     if ((err = iptablesAddForwardMasquerade(driver->iptables,
+                                             network->def->network,
+-                                            network->def->forwardDev))) {
++                                            network->def->forwardDev,
++                                            NULL))) {
+         virReportSystemError(err,
+                              _("failed to add iptables rule to enable masquerading to '%s'"),
+                              network->def->forwardDev ? network->def->forwardDev : NULL);
+         goto masqerr3;
+     }
+ 
++    /* UDP with a source port restriction */
++    if ((err = iptablesAddForwardMasquerade(driver->iptables,
++                                            network->def->network,
++                                            network->def->forwardDev,
++                                            "udp"))) {
++        virReportSystemError(err,
++                             _("failed to add iptables rule to enable UDP masquerading to '%s'"),
++                             network->def->forwardDev ? network->def->forwardDev : NULL);
++        goto masqerr4;
++    }
++
++    /* TCP with a source port restriction */
++    if ((err = iptablesAddForwardMasquerade(driver->iptables,
++                                            network->def->network,
++                                            network->def->forwardDev,
++                                            "tcp"))) {
++        virReportSystemError(err,
++                             _("failed to add iptables rule to enable TCP masquerading to '%s'"),
++                             network->def->forwardDev ? network->def->forwardDev : NULL);
++        goto masqerr5;
++    }
++
+     return 1;
+ 
++ masqerr5:
++    iptablesRemoveForwardMasquerade(driver->iptables,
++                                    network->def->network,
++                                    network->def->forwardDev,
++                                    "udp");
++ masqerr4:
++    iptablesRemoveForwardMasquerade(driver->iptables,
++                                    network->def->network,
++                                    network->def->forwardDev,
++                                    NULL);
+  masqerr3:
+     iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+                                  network->def->network,
+@@ -814,8 +870,17 @@ networkRemoveIptablesRules(struct network_driver *driver,
+     if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
+         if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
+             iptablesRemoveForwardMasquerade(driver->iptables,
+-                                                network->def->network,
+-                                                network->def->forwardDev);
++                                            network->def->network,
++                                            network->def->forwardDev,
++                                            "tcp");
++            iptablesRemoveForwardMasquerade(driver->iptables,
++                                            network->def->network,
++                                            network->def->forwardDev,
++                                            "udp");
++            iptablesRemoveForwardMasquerade(driver->iptables,
++                                            network->def->network,
++                                            network->def->forwardDev,
++                                            NULL);
+             iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+                                                 network->def->network,
+                                                 network->def->bridge,
+diff --git a/src/util/iptables.c b/src/util/iptables.c
+index d06b857..f63e8c6 100644
+--- a/src/util/iptables.c
++++ b/src/util/iptables.c
+@@ -692,25 +692,49 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
+  */
+ static int
+ iptablesForwardMasquerade(iptablesContext *ctx,
+-                       const char *network,
+-                       const char *physdev,
+-                       int action)
++                          const char *network,
++                          const char *physdev,
++                          const char *protocol,
++                          int action)
+ {
+-    if (physdev && physdev[0]) {
+-        return iptablesAddRemoveRule(ctx->nat_postrouting,
+-                                     action,
+-                                     "--source", network,
+-                                     "!", "--destination", network,
+-                                     "--out-interface", physdev,
+-                                     "--jump", "MASQUERADE",
+-                                     NULL);
++    if (protocol && protocol[0]) {
++        if (physdev && physdev[0]) {
++            return iptablesAddRemoveRule(ctx->nat_postrouting,
++                                         action,
++                                         "--source", network,
++                                         "-p", protocol,
++                                         "!", "--destination", network,
++                                         "--out-interface", physdev,
++                                         "--jump", "MASQUERADE",
++                                         "--to-ports", "1024-65535",
++                                         NULL);
++        } else {
++            return iptablesAddRemoveRule(ctx->nat_postrouting,
++                                         action,
++                                         "--source", network,
++                                         "-p", protocol,
++                                         "!", "--destination", network,
++                                         "--jump", "MASQUERADE",
++                                         "--to-ports", "1024-65535",
++                                         NULL);
++        }
+     } else {
+-        return iptablesAddRemoveRule(ctx->nat_postrouting,
+-                                     action,
+-                                     "--source", network,
+-                                     "!", "--destination", network,
+-                                     "--jump", "MASQUERADE",
+-                                     NULL);
++        if (physdev && physdev[0]) {
++            return iptablesAddRemoveRule(ctx->nat_postrouting,
++                                         action,
++                                         "--source", network,
++                                         "!", "--destination", network,
++                                         "--out-interface", physdev,
++                                         "--jump", "MASQUERADE",
++                                         NULL);
++        } else {
++            return iptablesAddRemoveRule(ctx->nat_postrouting,
++                                         action,
++                                         "--source", network,
++                                         "!", "--destination", network,
++                                         "--jump", "MASQUERADE",
++                                         NULL);
++        }
+     }
+ }
+ 
+@@ -719,6 +743,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+  * @ctx: pointer to the IP table context
+  * @network: the source network name
+  * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+  *
+  * Add rules to the IP table context to allow masquerading
+  * network @network on @physdev. This allow the bridge to
+@@ -729,9 +754,10 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesAddForwardMasquerade(iptablesContext *ctx,
+                              const char *network,
+-                             const char *physdev)
++                             const char *physdev,
++                             const char *protocol)
+ {
+-    return iptablesForwardMasquerade(ctx, network, physdev, ADD);
++    return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD);
+ }
+ 
+ /**
+@@ -739,6 +765,7 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+  * @ctx: pointer to the IP table context
+  * @network: the source network name
+  * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+  *
+  * Remove rules from the IP table context to stop masquerading
+  * network @network on @physdev. This stops the bridge from
+@@ -749,7 +776,8 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesRemoveForwardMasquerade(iptablesContext *ctx,
+                                 const char *network,
+-                                const char *physdev)
++                                const char *physdev,
++                                const char *protocol)
+ {
+-    return iptablesForwardMasquerade(ctx, network, physdev, REMOVE);
++    return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE);
+ }
+diff --git a/src/util/iptables.h b/src/util/iptables.h
+index 7d55a6d..b47d854 100644
+--- a/src/util/iptables.h
++++ b/src/util/iptables.h
+@@ -85,9 +85,11 @@ int              iptablesRemoveForwardRejectIn   (iptablesContext *ctx,
+ 
+ int              iptablesAddForwardMasquerade    (iptablesContext *ctx,
+                                                   const char *network,
+-                                                  const char *physdev);
++                                                  const char *physdev,
++                                                  const char *protocol);
+ int              iptablesRemoveForwardMasquerade (iptablesContext *ctx,
+                                                   const char *network,
+-                                                  const char *physdev);
++                                                  const char *physdev,
++                                                  const char *protocol);
+ 
+ #endif /* __QEMUD_IPTABLES_H__ */
+-- 
+1.6.6.1
+

sources

@@ -1 +1 @@
-SHA512 (libvirt-4.1.0.tar.xz) = 62d1a228adf3270cc6defe3cbf92dac8c4ce2c434c4d97219571ccef799a4f6304cfd1ba9938338356641285f53ac71145d7b398523021c5ea1dc8e3d49cf894
+14164638fe0e7f65e425acc85dabc517  libvirt-0.8.2.tar.gz