libvirt-5.6.0-7

Fix iptables No chain/target/match by that name (bz #1813830) systemd: start libvirtd after firewalld/iptables services (bz #1697636) CVE-2020-12430: memory leak in domstats may allow read-only user to perform DoS attack (bz #1828216, bz #1828190) CVE-2020-10703: Potential denial of service via active pool without target path (bz #1820690, bz #1816650) CVE-2019-20485: potential DoS by holding a monitor job while querying QEMU guest-agent (bz #1809741, bz #1809740)
libvirt-5.6.0-6
2020-05-27 17:44:01 -04:00 · 2020-04-07 16:47:31 -04:00 · 2019-11-11 15:20:15 -05:00 · 2019-09-26 15:47:53 -04:00 · 2019-09-17 12:43:07 -04:00 · 2019-09-17 12:23:56 -04:00
56 changed files with 6119 additions and 1170 deletions
@@ -1,8 +0,0 @@
-.build*.log
-*.rpm
-i686
-x86_64
-libvirt-*.tar.gz
-libvirt-0.6.0.tar.gz
-libvirt-0.6.1.tar.gz
-libvirt-0.6.2.tar.gz
@@ -0,0 +1,5 @@
+.build*.log
+*.rpm
+i686
+x86_64
+libvirt-*.tar.xz
@@ -0,0 +1,31 @@
+From: Erik Skultety <eskultet@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:09 +0200
+Subject: [PATCH] src: security: Replace bitwise OR with logical OR
+
+Typo introduced by commit d73f3f58360.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1738483
+
+Signed-off-by: Erik Skultety <eskultet@redhat.com>
+(cherry picked from commit 5801ef06ec29fdbac6718e455015450f7c243c1b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index ad265b0bc5..9d3f483f6b 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -268,7 +268,7 @@ virSecurityMoveRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) attr_value = NULL;
+ 
+-    if (!(ref_name = virSecurityGetRefCountAttrName(name)) |
+    if (!(ref_name = virSecurityGetRefCountAttrName(name)) ||
+         !(attr_name = virSecurityGetAttrName(name)))
+         return -1;
+ 
@@ -0,0 +1,176 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:10 +0200
+Subject: [PATCH] security_util: Use more VIR_AUTOFREE()
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 8ced0909e5a0c41a44c2110d7060f6518b65f0db)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 78 +++++++++++++++---------------------
+ 1 file changed, 32 insertions(+), 46 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 9d3f483f6b..04347f51e5 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -113,34 +113,32 @@ virSecurityGetRememberedLabel(const char *name,
+                               const char *path,
+                               char **label)
+ {
+-    char *ref_name = NULL;
+-    char *attr_name = NULL;
+-    char *value = NULL;
+    VIR_AUTOFREE(char *) ref_name = NULL;
+    VIR_AUTOFREE(char *) attr_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int ret = -1;
+ 
+     *label = NULL;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) {
+-        if (errno == ENOSYS || errno == ENODATA || errno == ENOTSUP) {
+-            ret = -2;
+-        } else {
+-            virReportSystemError(errno,
+-                                 _("Unable to get XATTR %s on %s"),
+-                                 ref_name,
+-                                 path);
+-        }
+-        goto cleanup;
+        if (errno == ENOSYS || errno == ENODATA || errno == ENOTSUP)
+            return -2;
+
+        virReportSystemError(errno,
+                             _("Unable to get XATTR %s on %s"),
+                             ref_name,
+                             path);
+        return -1;
+     }
+ 
+     if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+                        value, path);
+-        goto cleanup;
+        return -1;
+     }
+ 
+     VIR_FREE(value);
+@@ -149,30 +147,25 @@ virSecurityGetRememberedLabel(const char *name,
+ 
+     if (refcount > 0) {
+         if (virAsprintf(&value, "%u", refcount) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileSetXAttr(path, ref_name, value) < 0)
+-            goto cleanup;
+            return -1;
+     } else {
+         if (virFileRemoveXAttr(path, ref_name) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (!(attr_name = virSecurityGetAttrName(name)))
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileGetXAttr(path, attr_name, label) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileRemoveXAttr(path, attr_name) < 0)
+-            goto cleanup;
+            return -1;
+     }
+ 
+-    ret = 0;
+- cleanup:
+-    VIR_FREE(value);
+-    VIR_FREE(attr_name);
+-    VIR_FREE(ref_name);
+-    return ret;
+    return 0;
+ }
+ 
+ 
+@@ -201,25 +194,23 @@ virSecuritySetRememberedLabel(const char *name,
+                               const char *path,
+                               const char *label)
+ {
+-    char *ref_name = NULL;
+-    char *attr_name = NULL;
+-    char *value = NULL;
+    VIR_AUTOFREE(char *) ref_name = NULL;
+    VIR_AUTOFREE(char *) attr_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int ret = -1;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) {
+         if (errno == ENOSYS || errno == ENOTSUP) {
+-            ret = -2;
+-            goto cleanup;
+            return -2;
+         } else if (errno != ENODATA) {
+             virReportSystemError(errno,
+                                  _("Unable to get XATTR %s on %s"),
+                                  ref_name,
+                                  path);
+-            goto cleanup;
+            return -1;
+         }
+     }
+ 
+@@ -228,7 +219,7 @@ virSecuritySetRememberedLabel(const char *name,
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+                        value, path);
+-        goto cleanup;
+        return -1;
+     }
+ 
+     VIR_FREE(value);
+@@ -237,24 +228,19 @@ virSecuritySetRememberedLabel(const char *name,
+ 
+     if (refcount == 1) {
+         if (!(attr_name = virSecurityGetAttrName(name)))
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileSetXAttr(path, attr_name, label) < 0)
+-            goto cleanup;
+            return -1;
+     }
+ 
+     if (virAsprintf(&value, "%u", refcount) < 0)
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileSetXAttr(path, ref_name, value) < 0)
+-        goto cleanup;
+        return -1;
+ 
+-    ret = refcount;
+- cleanup:
+-    VIR_FREE(value);
+-    VIR_FREE(attr_name);
+-    VIR_FREE(ref_name);
+-    return ret;
+    return refcount;
+ }
+ 
+ 
@@ -0,0 +1,39 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:11 +0200
+Subject: [PATCH] security_util: Document virSecurityMoveRememberedLabel
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 359c7c1e94e0c54bf7e7a5a8365f066904b4387b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 04347f51e5..365b2dd2d6 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -244,6 +244,19 @@ virSecuritySetRememberedLabel(const char *name,
+ }
+ 
+ 
+/**
+ * virSecurityMoveRememberedLabel:
+ * @name: security driver name
+ * @src: source file
+ * @dst: destination file
+ *
+ * For given security driver @name, move all XATTRs related to seclabel
+ * remembering from @src to @dst. However, if @dst is NULL, then XATTRs
+ * are just removed from @src.
+ *
+ * Returns: 0 on success,
+ *         -1 otherwise.
+ */
+ int
+ virSecurityMoveRememberedLabel(const char *name,
+                                const char *src,
@@ -0,0 +1,164 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:12 +0200
+Subject: [PATCH] security: Don't increase XATTRs refcounter on failure
+
+If user has two domains, each have the same disk (configured for
+RW) but each runs with different seclabel then we deny start of
+the second domain because in order to do that we would need to
+relabel the disk but that would cut the first domain off. Even if
+we did not do that, qemu would fail to start because it would be
+unable to lock the disk image for the second time. So far, this
+behaviour is expected. But what is not expected is that we
+increase the refcounter in XATTRs and leave it like that.
+
+What happens is that when the second domain starts,
+virSecuritySetRememberedLabel() is called, and since there are
+XATTRs from the first domain it increments the refcounter and
+returns it (refcounter == 2 at this point). Then callers
+(virSecurityDACSetOwnership() and
+virSecuritySELinuxSetFileconHelper()) realize that refcounter is
+greater than 1 and desired seclabel doesn't match the one the
+disk image already has and an error is produced. But the
+refcounter is never decremented.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 6a2806fd549c0bfdcb3eb83f130ee99ea8d213e1)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_dac.c     | 41 ++++++++++++++++++---------------
+ src/security/security_selinux.c | 18 ++++++++++-----
+ 2 files changed, 34 insertions(+), 25 deletions(-)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 137daf5d28..4b4afef18a 100644
+--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
+@@ -751,6 +751,7 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+                            bool remember)
+ {
+     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virErrorPtr origerr;
+     struct stat sb;
+     int refcount;
+     int rc;
+@@ -784,12 +785,13 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+              * is @refcount domains using the @path. Do not
+              * change the label (as it would almost certainly
+              * cause the other domains to lose access to the
+-             * @path). */
+             * @path). However, the refcounter was incremented in
+             * XATTRs so decrease it. */
+             if (sb.st_uid != uid || sb.st_gid != gid) {
+                 virReportError(VIR_ERR_OPERATION_INVALID,
+                                _("Setting different DAC user or group on %s "
+                                  "which is already in use"), path);
+-                return -1;
+                goto error;
+             }
+         }
+     }
+@@ -797,25 +799,26 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+     VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
+              NULLSTR(src ? src->path : path), (long)uid, (long)gid);
+ 
+-    if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0) {
+-        virErrorPtr origerr;
+-
+-        virErrorPreserveLast(&origerr);
+-        /* Try to restore the label. This is done so that XATTRs
+-         * are left in the same state as when the control entered
+-         * this function. However, if our attempt fails, there's
+-         * not much we can do. XATTRs refcounting is fubar'ed and
+-         * the only option we have is warn users. */
+-        if (virSecurityDACRestoreFileLabelInternal(mgr, src, path, remember) < 0)
+-            VIR_WARN("Unable to restore label on '%s'. "
+-                     "XATTRs might have been left in inconsistent state.",
+-                     NULLSTR(src ? src->path : path));
+-
+-        virErrorRestore(&origerr);
+-        return -1;
+-    }
+    if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0)
+        goto error;
+ 
+     return 0;
+
+ error:
+    virErrorPreserveLast(&origerr);
+    /* Try to restore the label. This is done so that XATTRs
+     * are left in the same state as when the control entered
+     * this function. However, if our attempt fails, there's
+     * not much we can do. XATTRs refcounting is fubar'ed and
+     * the only option we have is warn users. */
+    if (virSecurityDACRestoreFileLabelInternal(mgr, src, path, remember) < 0)
+        VIR_WARN("Unable to restore label on '%s'. "
+                 "XATTRs might have been left in inconsistent state.",
+                 NULLSTR(src ? src->path : path));
+
+    virErrorRestore(&origerr);
+
+    return -1;
+ }
+ 
+ 
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index ea20373a90..9857223bbf 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1334,6 +1334,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+     security_context_t econ = NULL;
+     int refcount;
+     int rc;
+    bool rollback = false;
+     int ret = -1;
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
+@@ -1353,6 +1354,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ 
+         if (econ) {
+             refcount = virSecuritySELinuxRememberLabel(path, econ);
+            if (refcount > 0)
+                rollback = true;
+             if (refcount == -2) {
+                 /* Not supported. Don't error though. */
+             } else if (refcount < 0) {
+@@ -1362,7 +1365,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                  * is @refcount domains using the @path. Do not
+                  * change the label (as it would almost certainly
+                  * cause the other domains to lose access to the
+-                 * @path). */
+                 * @path). However, the refcounter was
+                 * incremented in XATTRs so decrease it. */
+                 if (STRNEQ(econ, tcon)) {
+                     virReportError(VIR_ERR_OPERATION_INVALID,
+                                    _("Setting different SELinux label on %s "
+@@ -1373,7 +1377,12 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0) {
+    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    if (ret < 0 && rollback) {
+         virErrorPtr origerr;
+ 
+         virErrorPreserveLast(&origerr);
+@@ -1388,11 +1397,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                      path);
+ 
+         virErrorRestore(&origerr);
+-        goto cleanup;
+-    }
+ 
+-    ret = 0;
+- cleanup:
+    }
+     freecon(econ);
+     return ret;
+ }
@@ -0,0 +1,183 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:13 +0200
+Subject: [PATCH] util: Introduce virhostuptime
+
+This module contains function to get host boot time.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 8b802f13cb47817706cba101f5d52e2c8957698d)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ configure.ac             |  1 +
+ src/libvirt_private.syms |  4 ++
+ src/util/Makefile.inc.am |  2 +
+ src/util/virhostuptime.c | 81 ++++++++++++++++++++++++++++++++++++++++
+ src/util/virhostuptime.h | 27 ++++++++++++++
+ 5 files changed, 115 insertions(+)
+ create mode 100644 src/util/virhostuptime.c
+ create mode 100644 src/util/virhostuptime.h
+
+diff --git a/configure.ac b/configure.ac
+index d18d427695..771dd961a5 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -337,6 +337,7 @@ AC_CHECK_FUNCS_ONCE([\
+   getpwuid_r \
+   getrlimit \
+   getuid \
+  getutxid \
+   if_indextoname \
+   mmap \
+   newlocale \
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index c323f679b3..9fd778272f 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -2135,6 +2135,10 @@ virHostMemGetStats;
+ virHostMemSetParameters;
+ 
+ 
+# util/virhostuptime.h
+virHostGetBootTime;
+
+
+ # util/viridentity.h
+ virIdentityGetAttr;
+ virIdentityGetCurrent;
+diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am
+index a47f333a98..46866cf213 100644
+--- a/src/util/Makefile.inc.am
+++ b/src/util/Makefile.inc.am
+@@ -91,6 +91,8 @@ UTIL_SOURCES = \
+ 	util/virhostdev.h \
+ 	util/virhostmem.c \
+ 	util/virhostmem.h \
+	util/virhostuptime.c \
+	util/virhostuptime.h \
+ 	util/viridentity.c \
+ 	util/viridentity.h \
+ 	util/virinitctl.c \
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+new file mode 100644
+index 0000000000..62b781acd5
+--- /dev/null
+++ b/src/util/virhostuptime.c
+@@ -0,0 +1,81 @@
+/*
+ * virhostuptime.c: helper APIs for host uptime
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#ifdef HAVE_GETUTXID
+# include <utmpx.h>
+#endif
+
+#include "virhostuptime.h"
+#include "virthread.h"
+
+static unsigned long long bootTime;
+static int bootTimeErrno;
+static virOnceControl virHostGetBootTimeOnce = VIR_ONCE_CONTROL_INITIALIZER;
+
+#ifdef HAVE_GETUTXID
+static void
+virHostGetBootTimeOnceInit(void)
+{
+    struct utmpx id = {.ut_type = BOOT_TIME};
+    struct utmpx *res = NULL;
+
+    if (!(res = getutxid(&id))) {
+        bootTimeErrno = errno;
+    } else {
+        bootTime = res->ut_tv.tv_sec;
+    }
+
+    endutxent();
+}
+
+#else /* !HAVE_GETUTXID */
+
+static void
+virHostGetBootTimeOnceInit(void)
+{
+    bootTimeErrno = ENOSYS;
+}
+#endif /* HAVE_GETUTXID */
+
+/**
+ * virHostGetBootTime:
+ * @when: UNIX timestamp of boot time
+ *
+ * Get a UNIX timestamp of host boot time and store it at @when.
+ *
+ * Return: 0 on success,
+ *        -1 otherwise.
+ */
+int
+virHostGetBootTime(unsigned long long *when)
+{
+    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+        return -1;
+
+    if (bootTimeErrno) {
+        errno = bootTimeErrno;
+        return -1;
+    }
+
+    *when = bootTime;
+    return 0;
+}
+diff --git a/src/util/virhostuptime.h b/src/util/virhostuptime.h
+new file mode 100644
+index 0000000000..03c1517a64
+--- /dev/null
+++ b/src/util/virhostuptime.h
+@@ -0,0 +1,27 @@
+/*
+ * virhostuptime.h: helper APIs for host uptime
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include "internal.h"
+
+int
+virHostGetBootTime(unsigned long long *when)
+    ATTRIBUTE_NOINLINE;
@@ -0,0 +1,344 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:14 +0200
+Subject: [PATCH] security_util: Remove stale XATTRs
+
+It may happen that we leave some XATTRs behind. For instance, on
+a sudden power loss, the host just shuts down without calling
+restore on domain paths. This creates a problem, because when the
+host starts up again, the XATTRs are there but they don't reflect
+the true state and this may result in libvirt denying start of a
+domain.
+
+To solve this, save a unique timestamp (host boot time) among
+with our XATTRs.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 7cfb7aab573a031880a1f4fd20747843fea109ba)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c    | 194 +++++++++++++++++++++++++++++++-
+ tests/qemusecuritymock.c        |  12 ++
+ tools/libvirt_recover_xattrs.sh |   2 +-
+ 3 files changed, 206 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 365b2dd2d6..31f41cedfd 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -22,11 +22,16 @@
+ #include "virfile.h"
+ #include "virstring.h"
+ #include "virerror.h"
+#include "virlog.h"
+#include "viruuid.h"
+#include "virhostuptime.h"
+ 
+ #include "security_util.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_SECURITY
+ 
+VIR_LOG_INIT("security.security_util");
+
+ /* There are four namespaces available on Linux (xattr(7)):
+  *
+  *  user - can be modified by anybody,
+@@ -83,6 +88,153 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBUTE_UNUSED)
+ }
+ 
+ 
+#ifdef XATTR_NAMESPACE
+static char *
+virSecurityGetTimestampAttrName(const char *name)
+{
+    char *ret = NULL;
+    ignore_value(virAsprintf(&ret, XATTR_NAMESPACE ".libvirt.security.timestamp_%s", name));
+    return ret;
+}
+#else /* !XATTR_NAMESPACE */
+static char *
+virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED)
+{
+    errno = ENOSYS;
+    virReportSystemError(errno, "%s",
+                         _("Extended attributes are not supported on this system"));
+    return NULL;
+}
+#endif /* !XATTR_NAMESPACE */
+
+
+static char *
+virSecurityGetTimestamp(void)
+{
+    unsigned long long boottime = 0;
+    char *ret = NULL;
+
+    if (virHostGetBootTime(&boottime) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to get host boot time"));
+        return NULL;
+    }
+
+    ignore_value(virAsprintf(&ret, "%llu", boottime));
+    return ret;
+}
+
+
+/**
+ * virSecurityValidateTimestamp:
+ * @name: security driver name
+ * @path: file name
+ *
+ * Check if remembered label on @path for security driver @name
+ * is valid, i.e. the label has been set since the last boot. If
+ * the label was set in previous runs, all XATTRs related to
+ * @name are removed so that clean slate is restored.
+ *
+ * This is done having extra attribute timestamp_$SECDRIVER which
+ * contains the host boot time. Its value is then compared to
+ * actual host boot time. If these two values don't match then
+ * XATTRs are considered as stale and thus invalid.
+ *
+ * In ideal world, where there network file systems have XATTRs
+ * using plain host boot time is not enough as it may lead to a
+ * situation where a freshly started host sees XATTRs, sees the
+ * timestamp put there by some longer running host and considers
+ * the XATTRs invalid. Well, there is not an easy way out. We
+ * would need to somehow check if the longer running host is
+ * still there and uses the @path (how?).
+ * Fortunately, there is only one network file system which
+ * supports XATTRs currently (GlusterFS via FUSE) and it is used
+ * so rarely that it's almost a corner case.
+ * The worst thing that happens there is that we remove XATTRs
+ * and thus return @path to the default label for $SECDRIVER.
+ *
+ * Returns: 0 if remembered label is valid,
+ *          1 if remembered label was not valid,
+ *         -2 if underlying file system doesn't support XATTRs,
+ *         -1 otherwise.
+ */
+static int
+virSecurityValidateTimestamp(const char *name,
+                             const char *path)
+{
+    VIR_AUTOFREE(char *) expected_timestamp = NULL;
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+
+    if (!(expected_timestamp = virSecurityGetTimestamp()) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    errno = 0;
+    if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) {
+        if (errno == ENOSYS || errno == ENOTSUP) {
+            return -2;
+        } else if (errno != ENODATA) {
+            virReportSystemError(errno,
+                                 _("Unable to get XATTR %s on %s"),
+                                 timestamp_name,
+                                 path);
+            return -1;
+        }
+
+        /* Timestamp is missing. We could continue and claim a valid timestamp.
+         * But then we would never remove stale XATTRs. Therefore, claim it
+         * invalid and have the code below remove all XATTRs. This of course
+         * means that we will not restore the original owner, but the plus side
+         * is that we reset refcounter which will represent the true state.
+         */
+    }
+
+    if (STREQ_NULLABLE(value, expected_timestamp)) {
+        VIR_DEBUG("XATTRs on %s secdriver=%s are valid", path, name);
+        return 0;
+    }
+
+    VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=%s", path, name);
+
+    if (virSecurityMoveRememberedLabel(name, path, NULL) < 0)
+        return -1;
+
+    return 1;
+}
+
+
+static int
+virSecurityAddTimestamp(const char *name,
+                        const char *path)
+{
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) timestamp_value = NULL;
+
+    if (!(timestamp_value = virSecurityGetTimestamp()) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    return virFileSetXAttr(path, timestamp_name, timestamp_value);
+}
+
+
+static int
+virSecurityRemoveTimestamp(const char *name,
+                           const char *path)
+{
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+
+    if (!(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno != ENOENT)
+        return -1;
+
+    return 0;
+}
+
+
+ /**
+  * virSecurityGetRememberedLabel:
+  * @name: security driver name
+@@ -117,9 +269,13 @@ virSecurityGetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+    int rc;
+ 
+     *label = NULL;
+ 
+    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+        return rc;
+
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+ 
+@@ -163,6 +319,9 @@ virSecurityGetRememberedLabel(const char *name,
+ 
+         if (virFileRemoveXAttr(path, attr_name) < 0)
+             return -1;
+
+        if (virSecurityRemoveTimestamp(name, path) < 0)
+            return -1;
+     }
+ 
+     return 0;
+@@ -198,6 +357,10 @@ virSecuritySetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+    int rc;
+
+    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+        return rc;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+@@ -232,6 +395,9 @@ virSecuritySetRememberedLabel(const char *name,
+ 
+         if (virFileSetXAttr(path, attr_name, label) < 0)
+             return -1;
+
+        if (virSecurityAddTimestamp(name, path) < 0)
+            return -1;
+     }
+ 
+     if (virAsprintf(&value, "%u", refcount) < 0)
+@@ -266,9 +432,12 @@ virSecurityMoveRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) ref_value = NULL;
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) attr_value = NULL;
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) timestamp_value = NULL;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)) ||
+-        !(attr_name = virSecurityGetAttrName(name)))
+        !(attr_name = virSecurityGetAttrName(name)) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+         return -1;
+ 
+     if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) {
+@@ -293,6 +462,17 @@ virSecurityMoveRememberedLabel(const char *name,
+         }
+     }
+ 
+    if (virFileGetXAttrQuiet(src, timestamp_name, &timestamp_value) < 0) {
+        if (errno == ENOSYS || errno == ENOTSUP) {
+            return -2;
+        } else if (errno != ENODATA) {
+            virReportSystemError(errno,
+                                 _("Unable to get XATTR %s on %s"),
+                                 attr_name, src);
+            return -1;
+        }
+    }
+
+     if (ref_value &&
+         virFileRemoveXAttr(src, ref_name) < 0) {
+         return -1;
+@@ -303,6 +483,11 @@ virSecurityMoveRememberedLabel(const char *name,
+         return -1;
+     }
+ 
+    if (timestamp_value &&
+        virFileRemoveXAttr(src, timestamp_name) < 0) {
+        return -1;
+    }
+
+     if (dst) {
+         if (ref_value &&
+             virFileSetXAttr(dst, ref_name, ref_value) < 0) {
+@@ -314,6 +499,13 @@ virSecurityMoveRememberedLabel(const char *name,
+             ignore_value(virFileRemoveXAttr(dst, ref_name));
+             return -1;
+         }
+
+        if (timestamp_value &&
+            virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) {
+            ignore_value(virFileRemoveXAttr(dst, ref_name));
+            ignore_value(virFileRemoveXAttr(dst, attr_name));
+            return -1;
+        }
+     }
+ 
+     return 0;
+diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c
+index a15eef29c9..373d64305a 100644
+--- a/tests/qemusecuritymock.c
+++ b/tests/qemusecuritymock.c
+@@ -32,6 +32,7 @@
+ #include "viralloc.h"
+ #include "qemusecuritytest.h"
+ #include "security/security_manager.h"
+#include "virhostuptime.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_NONE
+ 
+@@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb,
+ {
+     return cb(-1, opaque);
+ }
+
+
+/* We don't really need to mock this function. The qemusecuritytest doesn't
+ * care about the actual value. However, travis runs build and tests in a
+ * container where utmp is missing and thus this function fails. */
+int
+virHostGetBootTime(unsigned long long *when)
+{
+    *when = 1234567890;
+    return 0;
+}
+diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
+index 58f02f8dfb..3907413c63 100755
+--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
+@@ -74,7 +74,7 @@ fi
+ declare -a XATTRS
+ for i in "dac" "selinux"; do
+     for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do
+-        XATTRS+=("$p.$i" "$p.ref_$i")
+        XATTRS+=("$p.$i" "$p.ref_$i" "$p.timestamp_$i")
+     done
+ done
+ 
@@ -0,0 +1,96 @@
+From: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
+Date: Mon, 2 Sep 2019 13:25:15 +0200
+Subject: [PATCH] security_util: verify xattrs only if ref is present
+
+After 7cfb7aab573 commit starting a domain pullutes logs with
+warnings like [1]. The reason is resource files do not
+have timestamp before starting a domain and after destroying
+domain the timestamp is cleared. Let's check the timestamp
+only if attribute with refcounter is found.
+
+[1] warning : virSecurityValidateTimestamp:198 : Invalid XATTR timestamp detected on \
+    /some/path secdriver=dac
+
+Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 7c40211a5a0fd15f5885e38dc571e81b9a3fd699)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 31f41cedfd..865b3ec905 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -269,13 +269,9 @@ virSecurityGetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int rc;
+ 
+     *label = NULL;
+ 
+-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+-        return rc;
+-
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+ 
+@@ -290,6 +286,20 @@ virSecurityGetRememberedLabel(const char *name,
+         return -1;
+     }
+ 
+    if (value) {
+        int rc;
+
+        /* Do this after we've tried to get refcounter to ensure underlying FS
+         * supports XATTRs and @path has refcounter attribute set, because
+         * validator might throws a warning. */
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        /* Invalid label is like a non-existent one */
+        if (rc == 1)
+            return -2;
+    }
+
+     if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+@@ -357,10 +367,6 @@ virSecuritySetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int rc;
+-
+-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+-        return rc;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+@@ -377,6 +383,20 @@ virSecuritySetRememberedLabel(const char *name,
+         }
+     }
+ 
+    if (value) {
+        int rc;
+
+        /* Do this after we've tried to get refcounter to ensure underlying FS
+         * supports XATTRs and @path has refcounter attribute set, because
+         * validator might throws a warning. */
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        /* Invalid label is like a non-existent one */
+        if (rc == 1)
+            VIR_FREE(value);
+    }
+
+     if (value &&
+         virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -0,0 +1,97 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:16 +0200
+Subject: [PATCH] virSecuritySELinuxSetFileconImpl: Drop @optional argument
+
+The only thing that the @optional argument does is that it makes
+the function return 1 instead of 0 if setting SELinux context
+failed in a non-critical fashion. Drop the argument then and
+return 1 in that case. This enables caller to learn if SELinux
+context was set or not.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 34712a5e3b313fb9ca2223c54ea46f626429a6c4)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 35 +++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 9857223bbf..766f334faf 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1257,12 +1257,27 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+     return 0;
+ }
+ 
+-/* Attempt to change the label of PATH to TCON.  If OPTIONAL is true,
+- * return 1 if labelling was not possible.  Otherwise, require a label
+- * change, and return 0 for success, -1 for failure.  */
+/**
+ * virSecuritySELinuxSetFileconImpl:
+ * @path: path to the file to set context on
+ * @tcon: target context to set
+ * @privileged: whether running as privileged user
+ *
+ * Set @tcon SELinux context on @path. If unable to do so, check SELinux
+ * configuration and produce sensible error message suggesting solution.
+ * It may happen that setting context fails but hypervisor will be able to
+ * open the @path successfully. This is because some file systems don't
+ * support SELinux, are RO, or the @path had the correct context from the
+ * start. If that is the case, a positive one is returned.
+ *
+ * Returns:  0 if context was set successfully
+ *           1 if setting the context failed in a non-critical fashion
+ *           -1 in case of error
+ */
+ static int
+-virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+-                                 bool optional, bool privileged)
+virSecuritySELinuxSetFileconImpl(const char *path,
+                                 const char *tcon,
+                                 bool privileged)
+ {
+     security_context_t econ;
+ 
+@@ -1278,7 +1293,7 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+             if (STREQ(tcon, econ)) {
+                 freecon(econ);
+                 /* It's alright, there's nothing to change anyway. */
+-                return optional ? 1 : 0;
+                return 1;
+             }
+             freecon(econ);
+         }
+@@ -1315,9 +1330,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+                 VIR_INFO("Setting security context '%s' on '%s' not supported",
+                          tcon, path);
+             }
+-            if (optional)
+-                return 1;
+         }
+
+        return 1;
+     }
+     return 0;
+ }
+@@ -1377,7 +1392,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0)
+    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+         goto cleanup;
+ 
+     ret = 0;
+@@ -1542,7 +1557,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(newpath, fcon, false, privileged) < 0)
+    if (virSecuritySELinuxSetFileconImpl(newpath, fcon, privileged) < 0)
+         goto cleanup;
+ 
+     ret = 0;
@@ -0,0 +1,106 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:17 +0200
+Subject: [PATCH] security_selinux: Drop virSecuritySELinuxSetFileconOptional()
+
+There is no real difference between
+virSecuritySELinuxSetFilecon() and
+virSecuritySELinuxSetFileconOptional(). Drop the latter in favour
+of the former.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 079c1d6a291869ab4ee5d7f70bfd9a0f716c508e)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 53 ++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 31 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 766f334faf..87e1ba202d 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1419,15 +1419,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ }
+ 
+ 
+-static int
+-virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
+-                                     const char *path,
+-                                     const char *tcon,
+-                                     bool remember)
+-{
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remember);
+-}
+-
+ static int
+ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                              const char *path,
+@@ -1884,28 +1875,28 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
+                                            parent_seclabel->label, remember);
+     } else if (!parent || parent == src) {
+         if (src->shared) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       data->file_context,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               data->file_context,
+                                               remember);
+         } else if (src->readonly) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       data->content_context,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               data->content_context,
+                                               remember);
+         } else if (secdef->imagelabel) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       secdef->imagelabel,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               secdef->imagelabel,
+                                               remember);
+         } else {
+             ret = 0;
+         }
+     } else {
+-        ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                   src->path,
+-                                                   data->content_context,
+-                                                   remember);
+        ret = virSecuritySELinuxSetFilecon(mgr,
+                                           src->path,
+                                           data->content_context,
+                                           remember);
+     }
+ 
+     if (ret == 1 && !disk_seclabel) {
+@@ -2045,14 +2036,14 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
+         return 0;
+ 
+     if (virSCSIDeviceGetShareable(dev))
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    data->file_context, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            data->file_context, true);
+     else if (virSCSIDeviceGetReadonly(dev))
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    data->content_context, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            data->content_context, true);
+     else
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    secdef->imagelabel, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            secdef->imagelabel, true);
+ }
+ 
+ static int
@@ -0,0 +1,126 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:18 +0200
+Subject: [PATCH] security_selinux: Drop @optional from
+ _virSecuritySELinuxContextItem
+
+Now, that we don't need to remember if setting context is
+'optional' (the argument only made
+virSecuritySELinuxSetFileconImpl() return a different success
+code), we can drop it from the _virSecuritySELinuxContextItem
+structure as we don't need to remember it in transactions.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit b71d54f44707e80aae6fd01a766bb254882f5163)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 87e1ba202d..e5b55fccb4 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -81,7 +81,6 @@ typedef virSecuritySELinuxContextItem *virSecuritySELinuxContextItemPtr;
+ struct _virSecuritySELinuxContextItem {
+     char *path;
+     char *tcon;
+-    bool optional;
+     bool remember; /* Whether owner remembering should be done for @path/@src */
+     bool restore; /* Whether current operation is 'set' or 'restore' */
+ };
+@@ -122,7 +121,6 @@ static int
+ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
+                                     const char *path,
+                                     const char *tcon,
+-                                    bool optional,
+                                     bool remember,
+                                     bool restore)
+ {
+@@ -135,7 +133,6 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
+     if (VIR_STRDUP(item->path, path) < 0 || VIR_STRDUP(item->tcon, tcon) < 0)
+         goto cleanup;
+ 
+-    item->optional = optional;
+     item->remember = remember;
+     item->restore = restore;
+ 
+@@ -170,7 +167,6 @@ virSecuritySELinuxContextListFree(void *opaque)
+  * virSecuritySELinuxTransactionAppend:
+  * @path: Path to chown
+  * @tcon: target context
+- * @optional: true if setting @tcon is optional
+  * @remember: if the original owner should be recorded/recalled
+  * @restore: if current operation is set or restore
+  *
+@@ -187,7 +183,6 @@ virSecuritySELinuxContextListFree(void *opaque)
+ static int
+ virSecuritySELinuxTransactionAppend(const char *path,
+                                     const char *tcon,
+-                                    bool optional,
+                                     bool remember,
+                                     bool restore)
+ {
+@@ -198,7 +193,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
+         return 0;
+ 
+     if (virSecuritySELinuxContextListAppend(list, path, tcon,
+-                                            optional, remember, restore) < 0)
+                                            remember, restore) < 0)
+         return -1;
+ 
+     return 1;
+@@ -234,7 +229,6 @@ virSecuritySELinuxRecallLabel(const char *path,
+ static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                                               const char *path,
+                                               const char *tcon,
+-                                              bool optional,
+                                               bool remember);
+ 
+ 
+@@ -290,7 +284,6 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
+             rv = virSecuritySELinuxSetFileconHelper(list->manager,
+                                                     item->path,
+                                                     item->tcon,
+-                                                    item->optional,
+                                                     remember);
+         } else {
+             rv = virSecuritySELinuxRestoreFileLabel(list->manager,
+@@ -1342,7 +1335,6 @@ static int
+ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                                    const char *path,
+                                    const char *tcon,
+-                                   bool optional,
+                                    bool remember)
+ {
+     bool privileged = virSecurityManagerGetPrivileged(mgr);
+@@ -1353,7 +1345,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+     int ret = -1;
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
+-                                                  optional, remember, false)) < 0)
+                                                  remember, false)) < 0)
+         return -1;
+     else if (rc > 0)
+         return 0;
+@@ -1425,7 +1417,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                              const char *tcon,
+                              bool remember)
+ {
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, remember);
+    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember);
+ }
+ 
+ static int
+@@ -1512,7 +1504,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+     }
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, NULL,
+-                                                  false, recall, true)) < 0) {
+                                                  recall, true)) < 0) {
+         goto cleanup;
+     } else if (rc > 0) {
+         ret = 0;
@@ -0,0 +1,83 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:19 +0200
+Subject: [PATCH] security_selinux: Drop virSecuritySELinuxSetFileconHelper
+
+This function is no longer needed because after previous commits
+it's just an alias to virSecuritySELinuxSetFilecon.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit eaa2a064fa9a7cf6220349ac8706a22593cbf607)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 33 ++++++++++++---------------------
+ 1 file changed, 12 insertions(+), 21 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index e5b55fccb4..1df04d7358 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -226,10 +226,10 @@ virSecuritySELinuxRecallLabel(const char *path,
+ }
+ 
+ 
+-static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+-                                              const char *path,
+-                                              const char *tcon,
+-                                              bool remember);
+static int virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                                        const char *path,
+                                        const char *tcon,
+                                        bool remember);
+ 
+ 
+ static int virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+@@ -281,10 +281,10 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
+         const bool remember = item->remember && list->lock;
+ 
+         if (!item->restore) {
+-            rv = virSecuritySELinuxSetFileconHelper(list->manager,
+-                                                    item->path,
+-                                                    item->tcon,
+-                                                    remember);
+            rv = virSecuritySELinuxSetFilecon(list->manager,
+                                              item->path,
+                                              item->tcon,
+                                              remember);
+         } else {
+             rv = virSecuritySELinuxRestoreFileLabel(list->manager,
+                                                     item->path,
+@@ -1332,10 +1332,10 @@ virSecuritySELinuxSetFileconImpl(const char *path,
+ 
+ 
+ static int
+-virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+-                                   const char *path,
+-                                   const char *tcon,
+-                                   bool remember)
+virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                             const char *path,
+                             const char *tcon,
+                             bool remember)
+ {
+     bool privileged = virSecurityManagerGetPrivileged(mgr);
+     security_context_t econ = NULL;
+@@ -1411,15 +1411,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ }
+ 
+ 
+-static int
+-virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+-                             const char *path,
+-                             const char *tcon,
+-                             bool remember)
+-{
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember);
+-}
+-
+ static int
+ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
+ {
@@ -0,0 +1,49 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:20 +0200
+Subject: [PATCH] security_selinux: Play nicely with network FS that only
+ emulates SELinux
+
+There are some network file systems that do support XATTRs (e.g.
+gluster via FUSE). And they appear to support SELinux too.
+However, not really. Problem is, that it is impossible to change
+SELinux label of a file stored there, and yet we claim success
+(rightfully - hypervisor succeeds in opening the file). But this
+creates a problem for us - from XATTR bookkeeping POV, we haven't
+changed the label and thus if we remembered any label, we must
+roll back and remove it.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 8fe953805a535097cf3b819b3b68fbfb166efed4)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 1df04d7358..39d616ba44 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1384,12 +1384,18 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+    rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged);
+    if (rc < 0)
+         goto cleanup;
+ 
+    /* Do not try restoring the label if it was not changed
+     * (setting it failed in a non-critical fashion) */
+    if (rc == 0)
+        rollback = false;
+
+     ret = 0;
+  cleanup:
+-    if (ret < 0 && rollback) {
+    if (rollback) {
+         virErrorPtr origerr;
+ 
+         virErrorPreserveLast(&origerr);
@@ -0,0 +1,42 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:21 +0200
+Subject: [PATCH] qemu_blockjob: Print image path on failed security metadata
+ move too
+
+When a block job is completed, the security image metadata are
+moved to the new image. If this fails an warning is printed, but
+the message contains only domain name and lacks image paths. Put
+them both into the warning message.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+ACKed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 7f99d8a739c01a280ca0c173ecd6051a92f0c897)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741456
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_blockjob.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
+index a5b558b9ab..b3c0f784cd 100644
+--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
+@@ -584,8 +584,14 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
+         virDomainLockImageDetach(driver->lockManager, vm, disk->src);
+ 
+         /* Move secret driver metadata */
+-        if (qemuSecurityMoveImageMetadata(driver, vm, disk->src, disk->mirror) < 0)
+-            VIR_WARN("Unable to move disk metadata on vm %s", vm->def->name);
+        if (qemuSecurityMoveImageMetadata(driver, vm, disk->src, disk->mirror) < 0) {
+            VIR_WARN("Unable to move disk metadata on "
+                     "vm %s from %s to %s (disk target %s)",
+                     vm->def->name,
+                     NULLSTR(disk->src->path),
+                     NULLSTR(disk->mirror->path),
+                     disk->dst);
+        }
+ 
+         virObjectUnref(disk->src);
+         disk->src = disk->mirror;
@@ -0,0 +1,79 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:22 +0200
+Subject: [PATCH] qemu_blockjob: Remove secdriver metadata more frequently
+
+If a block job reaches failed/cancelled state, or is completed
+without pivot then we must remove security driver metadata
+associated to the backing chain so that we don't leave any
+metadata behind.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741456
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+ACKed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 16fb3c8b83fb39f9931e942f7d1738ffe024d234)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+
+Conflicts:
+- src/qemu/qemu_blockjob.c:
+qemuBlockJobProcessEventFailedActiveCommit() doesn't exist as
+v5.7.0-rc2~2 isn't backported (blockdev is not going to be
+enabled with RHEL-AV-8.1.0).
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_blockjob.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
+index b3c0f784cd..beda9bd64e 100644
+--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
+@@ -597,7 +597,23 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
+         disk->src = disk->mirror;
+     } else {
+         if (disk->mirror) {
+            virStorageSourcePtr n;
+
+             virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+            /* Ideally, we would restore seclabels on the backing chain here
+             * but we don't know if somebody else is not using parts of it.
+             * Remove security driver metadata so that they are not leaked. */
+            for (n = disk->mirror; virStorageSourceIsBacking(n); n = n->backingStore) {
+                if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) {
+                    VIR_WARN("Unable to remove disk metadata on "
+                             "vm %s from %s (disk target %s)",
+                             vm->def->name,
+                             NULLSTR(disk->src->path),
+                             disk->dst);
+                }
+            }
+
+             virObjectUnref(disk->mirror);
+         }
+     }
+@@ -666,7 +682,23 @@ qemuBlockJobEventProcessLegacy(virQEMUDriverPtr driver,
+     case VIR_DOMAIN_BLOCK_JOB_FAILED:
+     case VIR_DOMAIN_BLOCK_JOB_CANCELED:
+         if (disk->mirror) {
+            virStorageSourcePtr n;
+
+             virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+            /* Ideally, we would restore seclabels on the backing chain here
+             * but we don't know if somebody else is not using parts of it.
+             * Remove security driver metadata so that they are not leaked. */
+            for (n = disk->mirror; virStorageSourceIsBacking(n); n = n->backingStore) {
+                if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) {
+                    VIR_WARN("Unable to remove disk metadata on "
+                             "vm %s from %s (disk target %s)",
+                             vm->def->name,
+                             NULLSTR(disk->src->path),
+                             disk->dst);
+                }
+            }
+
+             virObjectUnref(disk->mirror);
+             disk->mirror = NULL;
+         }
@@ -0,0 +1,192 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 9 Aug 2019 10:48:35 +0200
+Subject: [PATCH] Revert "tpm: Check TPM XML device configuration changes after
+ edit"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Redefining a domain via virDomainDefineXML should not give different results
+based on an already existing definition.
+
+Also, there's a crasher somewhere in the code:
+https://bugzilla.redhat.com/show_bug.cgi?id=1739338
+
+This reverts commit 94b3aa55f83ada33a9fdda66068d58ef1a56c0a5
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit d8326cb8826170019c74018511d76c58665ab282)
+---
+ src/conf/domain_conf.c    | 56 ---------------------------------------
+ src/conf/domain_conf.h    |  3 ---
+ src/libvirt_private.syms  |  1 -
+ src/qemu/qemu_driver.c    | 28 --------------------
+ src/qemu/qemu_extdevice.c |  2 +-
+ src/qemu/qemu_extdevice.h |  3 ---
+ 6 files changed, 1 insertion(+), 92 deletions(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index 441eb1a5a2..ac0561ddc5 100644
+--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
+@@ -31436,59 +31436,3 @@ virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics)
+ 
+     return true;
+ }
+-
+-
+-static int
+-virDomainCheckTPMChanges(virDomainDefPtr def,
+-                         virDomainDefPtr newDef)
+-{
+-    bool oldEnc, newEnc;
+-
+-    if (!def->tpm)
+-        return 0;
+-
+-    switch (def->tpm->type) {
+-    case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+-        if (virFileExists(def->tpm->data.emulator.storagepath)) {
+-            /* VM has been started */
+-            /* Once a VM was started with an encrypted state we allow
+-             * less configuration changes.
+-             */
+-            oldEnc = def->tpm->data.emulator.hassecretuuid;
+-            if (oldEnc && def->tpm->type != newDef->tpm->type) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                               _("Changing the type of TPM is not allowed"));
+-                return -1;
+-            }
+-            if (oldEnc && !newDef->tpm) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                               _("Removing an encrypted TPM is not allowed"));
+-                return -1;
+-            }
+-            newEnc = newDef->tpm->data.emulator.hassecretuuid;
+-            if (oldEnc != newEnc) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                   _("TPM state encryption cannot be changed "
+-                     "once VM was started"));
+-                return -1;
+-            }
+-        }
+-        break;
+-    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+-    case VIR_DOMAIN_TPM_TYPE_LAST:
+-        break;
+-    }
+-
+-    return 0;
+-}
+-
+-
+-int
+-virDomainCheckDeviceChanges(virDomainDefPtr def,
+-                            virDomainDefPtr newDef)
+-{
+-    if (!def || !newDef)
+-        return 0;
+-
+-    return virDomainCheckTPMChanges(def, newDef);
+-}
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index 8a4425df64..d5190a20db 100644
+--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
+@@ -3638,6 +3638,3 @@ virDomainGraphicsGetRenderNode(const virDomainGraphicsDef *graphics);
+ 
+ bool
+ virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics);
+-
+-int
+-virDomainCheckDeviceChanges(virDomainDefPtr def, virDomainDefPtr newDef);
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 9fd778272f..bbc5144aa2 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -216,7 +216,6 @@ virDomainBootTypeFromString;
+ virDomainBootTypeToString;
+ virDomainCapabilitiesPolicyTypeToString;
+ virDomainCapsFeatureTypeToString;
+-virDomainCheckDeviceChanges;
+ virDomainChrConsoleTargetTypeFromString;
+ virDomainChrConsoleTargetTypeToString;
+ virDomainChrDefForeach;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 4ca3eb7bde..1ba6def419 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -53,7 +53,6 @@
+ #include "qemu_migration_params.h"
+ #include "qemu_blockjob.h"
+ #include "qemu_security.h"
+-#include "qemu_extdevice.h"
+ 
+ #include "virerror.h"
+ #include "virlog.h"
+@@ -7760,30 +7759,6 @@ qemuDomainCreate(virDomainPtr dom)
+     return qemuDomainCreateWithFlags(dom, 0);
+ }
+ 
+-static int
+-qemuDomainCheckDeviceChanges(virQEMUDriverPtr driver,
+-                             virDomainDefPtr def)
+-{
+-    virDomainObjPtr vm;
+-    int ret;
+-
+-    vm = virDomainObjListFindByUUID(driver->domains, def->uuid);
+-    if (!vm)
+-        return 0;
+-
+-    if (qemuExtDevicesInitPaths(driver, vm->def) < 0) {
+-        ret = -1;
+-        goto cleanup;
+-    }
+-
+-    ret = virDomainCheckDeviceChanges(vm->def, def);
+-
+- cleanup:
+-    virDomainObjEndAPI(&vm);
+-
+-    return ret;
+-}
+-
+ static virDomainPtr
+ qemuDomainDefineXMLFlags(virConnectPtr conn,
+                          const char *xml,
+@@ -7820,9 +7795,6 @@ qemuDomainDefineXMLFlags(virConnectPtr conn,
+     if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+-    if (qemuDomainCheckDeviceChanges(driver, def) < 0)
+-        goto cleanup;
+-
+     if (!(vm = virDomainObjListAdd(driver->domains, def,
+                                    driver->xmlopt,
+                                    0, &oldDef)))
+diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
+index af52466421..dc032aa60c 100644
+--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
+@@ -79,7 +79,7 @@ qemuExtDeviceLogCommand(qemuDomainLogContextPtr logCtxt,
+  * stored and we can remove directories and files in case of domain XML
+  * changes.
+  */
+-int
+static int
+ qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
+                         virDomainDefPtr def)
+ {
+diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
+index 5a53c79f38..039b3e60dd 100644
+--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
+@@ -54,6 +54,3 @@ bool qemuExtDevicesHasDevice(virDomainDefPtr def);
+ int qemuExtDevicesSetupCgroup(virQEMUDriverPtr driver,
+                               virDomainDefPtr def,
+                               virCgroupPtr cgroup);
+-
+-int qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
+-                            virDomainDefPtr def);
@@ -0,0 +1,59 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 21:52:28 -0400
+Subject: [PATCH] network: fix crash during cleanup from failure to allocate
+ port
+
+During networkPortCreateXML, if networkAllocatePort() failed,
+networkReleasePort() would be called, which would (in the case of
+network pools of macvtap passthrough devices) attempt to find the
+allocated device by comparing port->plug.direct.linkdev to each device
+in the pool. Since port->plug.direct.linkdev was still NULL, the
+attempted strcmp would result in a SEGV.
+
+Calling networkReleasePort() during error cleanup is something that
+should only be done if networkAllocatePort() has already succeeded. It
+turns out there is one other possible error exit from
+networkPortCreateXML() that happens after networkAllocatePort() has
+succeeded, so the code to call networkReleasePort() was just moved
+down to there.
+
+Resolves: https://bugzilla.redhat.com/1741390
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit dac697e8d7d6d9a607e61caeeec06b259edf513f)
+---
+ src/network/bridge_driver.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 41fa89a4af..bc0f781c56 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -5592,20 +5592,20 @@ networkPortCreateXML(virNetworkPtr net,
+         rc = networkNotifyPort(obj, portdef);
+     else
+         rc = networkAllocatePort(obj, portdef);
+-    if (rc < 0) {
+    if (rc < 0)
+        goto cleanup;
+
+    if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+         virErrorPtr saved;
+
+         saved = virSaveLastError();
+         ignore_value(networkReleasePort(obj, portdef));
+        virNetworkPortDefFree(portdef);
+         virSetError(saved);
+         virFreeError(saved);
+         goto cleanup;
+     }
+ 
+-    if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+-        virNetworkPortDefFree(portdef);
+-        goto cleanup;
+-    }
+-
+     ret = virGetNetworkPort(net, portdef->uuid);
+  cleanup:
+     virNetworkObjEndAPI(&obj);
@@ -0,0 +1,57 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 22:28:27 -0400
+Subject: [PATCH] network: replace virSaveLastError() with
+ virErrorPreserveLast()
+
+virErrorPreserveLast()/virErrorRestore() (added in commit 8333e7455
+back in 2017), do a better better job of saving and restoring the last
+libvirt error than virSaveLastError()/virErrorRestore() (they're
+simpler, and they also save/restore the system errno).
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 39de732aa728ae9b8a9414ad08b8d0ee7ed02732)
+---
+ src/network/bridge_driver.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index bc0f781c56..c7e5151d09 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -2987,13 +2987,12 @@ networkStartNetwork(virNetworkDriverStatePtr driver,
+ 
+  cleanup:
+     if (ret < 0) {
+        virErrorPtr save_err;
+
+        virErrorPreserveLast(&save_err);
+         virNetworkObjUnsetDefTransient(obj);
+-        virErrorPtr save_err = virSaveLastError();
+-        int save_errno = errno;
+         networkShutdownNetwork(driver, obj);
+-        virSetError(save_err);
+-        virFreeError(save_err);
+-        errno = save_errno;
+        virErrorRestore(&save_err);
+     }
+     return ret;
+ }
+@@ -5596,13 +5595,13 @@ networkPortCreateXML(virNetworkPtr net,
+         goto cleanup;
+ 
+     if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+-        virErrorPtr saved;
+        virErrorPtr save_err;
+ 
+-        saved = virSaveLastError();
+        virErrorPreserveLast(&save_err);
+         ignore_value(networkReleasePort(obj, portdef));
+         virNetworkPortDefFree(portdef);
+-        virSetError(saved);
+-        virFreeError(saved);
+        virErrorRestore(&save_err);
+
+         goto cleanup;
+     }
+ 
@@ -0,0 +1,53 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 16:34:21 -0400
+Subject: [PATCH] access: fix incorrect addition to virAccessPermNetwork
+
+Commit e69444e17 (first appeared in libvirt-5.5.0) added the new value
+"VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS" to the virAccessPerNetwork
+enum, and also the string "search_ports" to the VIR_ENUM_IMPL() macro
+for that enum. Unfortunately, the enum value was added in the middle
+of the list, while the string was added to the end of the
+VIR_ENUM_IMPL().
+
+This patch corrects that error by moving the new value to the end of
+the enum definition, so that the order matches that of the string
+list.
+
+Resolves: https://bugzilla.redhat.com/1741428
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 8d6eaf5e099dab8400aa76bcc9a0ac74ff6f46e1)
+---
+ src/access/viraccessperm.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
+index a42512d5e0..7480ee8c2f 100644
+--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
+@@ -410,18 +410,18 @@ typedef enum {
+      */
+     VIR_ACCESS_PERM_NETWORK_START,
+ 
+-    /**
+-     * @desc: List network ports
+-     * @message: Listing network ports requires authorization
+-     */
+-    VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+-
+     /**
+      * @desc: Stop network
+      * @message: Stopping network requires authorization
+      */
+     VIR_ACCESS_PERM_NETWORK_STOP,
+ 
+    /**
+     * @desc: List network ports
+     * @message: Listing network ports requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+
+     VIR_ACCESS_PERM_NETWORK_LAST
+ } virAccessPermNetwork;
+ 
@@ -0,0 +1,36 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 8 Aug 2019 13:42:24 +0100
+Subject: [PATCH] network: fix ability to use openvswitch with vlans
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the correct enum constant when validating vlan usage.
+This fixes a merge error in
+
+  commit 6cb0ec48bd95c95489a987e05a88e8bcf1f9109c
+  Author: Daniel P. Berrangé <berrange@redhat.com>
+  Date:   Mon Sep 3 17:34:22 2018 +0100
+
+    network: convert networkAllocateActualDevice to virNetworkPortDef
+
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 93c1d5fe7bb7a62ef884eb41b505b2809d1704b6)
+---
+ src/network/bridge_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index c7e5151d09..acaeb5c9a2 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -4813,7 +4813,7 @@ networkAllocatePort(virNetworkObjPtr obj,
+         if (!(port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_HOSTDEV_PCI ||
+               (port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_DIRECT &&
+                port->plug.direct.mode == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) ||
+-              (port->plugtype == VIR_DOMAIN_NET_TYPE_BRIDGE &&
+              (port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_BRIDGE &&
+                port->virtPortProfile &&
+                port->virtPortProfile->virtPortType == VIR_NETDEV_VPORT_PROFILE_OPENVSWITCH))) {
+             virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@@ -0,0 +1,127 @@
+From: Laine Stump <laine@redhat.com>
+Date: Sun, 11 Aug 2019 16:21:42 -0400
+Subject: [PATCH] util: allow tap-based guest interfaces to have MAC address
+ prefix 0xFE
+
+Back in July 2010, commit 6ea90b84 (meant to resolve
+https://bugzilla.redhat.com/571991 ) added code to set the MAC address
+of any tap device to the associated guest interface's MAC, but with
+the first byte replaced with 0xFE. This was done in order to assure
+that
+
+1) the tap MAC and guest interface MAC were different (otherwise L2
+   forwarding through the tap would not work, and the kernel would
+   repeatedly issue a warning stating as much).
+
+2) any bridge device that had one of these taps attached would *not*
+   take on the MAC of the tap (leading to network instability as
+   guests started and stopped)
+
+A couple years later, https://bugzilla.redhat.com/798467 was filed,
+complaining that a user could configure a tap-based guest interface to
+have a MAC address that itself had a first byte of 0xFE, silently
+(other than the kernel warning messages) resulting in a non-working
+configuration. This was fixed by commit 5d571045, which logged an
+error and failed the guest start / interface attach if the MAC's first
+byte was 0xFE.
+
+Although this restriction only reduces the potential pool of MAC
+addresses from 2^46 (last two bits of byte 1 must be set to 10) by
+2^32 (still 4 orders of magnitude larger than the entire IPv4 address
+space), it also means that management software that autogenerates MAC
+addresses must have special code to avoid an 0xFE prefix. Now after 7
+years, someone has noticed this restriction and requested that we
+remove it.
+
+So instead of failing when 0xFE is found as the first byte, this patch
+removes the restriction by just replacing the first byte in the tap
+device MAC with 0xFA if the first byte in the guest interface is
+0xFE. 0xFA is the next-highest value that still has 10 as the lowest
+two bits, and still
+
+2) meets the requirement of "tap MAC must be different from guest
+   interface MAC", and
+
+3) is high enough that there should never be an issue of the attached
+   bridge device taking on the MAC of the tap.
+
+The result is that *any* MAC can be chosen by management software
+(although it would still not work correctly if a multicast MAC (lowest
+bit of first byte set to 1) was chosen), but that's a different
+issue).
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com
+(cherry picked from commit a60ee914009aa7f1a27fc0563337ded08b09247f)
+---
+ src/qemu/qemu_interface.c | 11 ++++++++++-
+ src/util/virnetdevtap.c   | 26 ++++++++++++--------------
+ 2 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/qemu/qemu_interface.c b/src/qemu/qemu_interface.c
+index c8effa68f4..72ed51cb1f 100644
+--- a/src/qemu/qemu_interface.c
+++ b/src/qemu/qemu_interface.c
+@@ -444,8 +444,17 @@ qemuInterfaceEthernetConnect(virDomainDefPtr def,
+     }
+ 
+     virDomainAuditNetDevice(def, net, tunpath, true);
+
+    /* The tap device's MAC address cannot match the MAC address
+     * used by the guest. This results in "received packet on
+     * vnetX with own address as source address" error logs from
+     * the kernel.
+     */
+     virMacAddrSet(&tapmac, &net->mac);
+-    tapmac.addr[0] = 0xFE;
+    if (tapmac.addr[0] == 0xFE)
+        tapmac.addr[0] = 0xFA;
+    else
+        tapmac.addr[0] = 0xFE;
+ 
+     if (virNetDevSetMAC(net->ifname, &tapmac) < 0)
+         goto cleanup;
+diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c
+index b65c26bee1..4548b51b5b 100644
+--- a/src/util/virnetdevtap.c
+++ b/src/util/virnetdevtap.c
+@@ -668,7 +668,6 @@ int virNetDevTapCreateInBridgePort(const char *brname,
+                                    unsigned int flags)
+ {
+     virMacAddr tapmac;
+-    char macaddrstr[VIR_MAC_STRING_BUFLEN];
+     size_t i;
+ 
+     if (virNetDevTapCreate(ifname, tunpath, tapfd, tapfdSize, flags) < 0)
+@@ -682,19 +681,18 @@ int virNetDevTapCreateInBridgePort(const char *brname,
+      */
+     virMacAddrSet(&tapmac, macaddr);
+     if (!(flags & VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE)) {
+-        if (macaddr->addr[0] == 0xFE) {
+-            /* For normal use, the tap device's MAC address cannot
+-             * match the MAC address used by the guest. This results
+-             * in "received packet on vnetX with own address as source
+-             * address" error logs from the kernel.
+-             */
+-            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+-                           _("Unable to use MAC address starting with "
+-                             "reserved value 0xFE - '%s' - "),
+-                           virMacAddrFormat(macaddr, macaddrstr));
+-            goto error;
+-        }
+-        tapmac.addr[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */
+        /* The tap device's MAC address cannot match the MAC address
+         * used by the guest. This results in "received packet on
+         * vnetX with own address as source address" error logs from
+         * the kernel. Making the tap address as high as possible
+         * discourages the bridge from using this tap's MAC as its own
+         * (a Linux host bridge will take on the lowest numbered MAC
+         * of all devices attached to it).
+         */
+        if (tapmac.addr[0] == 0xFE)
+            tapmac.addr[0] = 0xFA;
+        else
+            tapmac.addr[0] = 0xFE;
+     }
+ 
+     if (virNetDevSetMAC(*ifname, &tapmac) < 0)
@@ -0,0 +1,39 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 22 Aug 2019 14:48:46 +0100
+Subject: [PATCH] remote: use Wants instead of Requires for libvirtd sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To facilitate upgrades from earlier versions of libvirt which did not
+use socket activation for libvirtd, we want to allow the libvirtd socket
+units to be disabled (masked). This can only be supported if we use the
+weaker Wants statement instead of Requires.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit ec7e31ed32065837e201cd3d8a3fb882e43b7fdb)
+---
+ src/remote/libvirtd.service.in | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 3ddf0e229b..914bcbd5c4 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -2,9 +2,12 @@
+ Description=Virtualization daemon
+ Requires=virtlogd.socket
+ Requires=virtlockd.socket
+-Requires=libvirtd.socket
+-Requires=libvirtd-ro.socket
+-Requires=libvirtd-admin.socket
+# Use Wants instead of Requires so that users
+# can disable these three .socket units to revert
+# to a traditional non-activation deployment setup
+Wants=libvirtd.socket
+Wants=libvirtd-ro.socket
+Wants=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
@@ -0,0 +1,67 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:42 +0100
+Subject: [PATCH] remote: move timeout arg into sysconf file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need to give users the ability to customize the length of the
+shutdown timeout, or even disable timeouts entirely. Thus we must move
+the timeout arg into the sysconf file, instead of the service unit.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 581767a98ab5f674ac335d6c270efa8576bfdfbf)
+
+ Conflicts:
+	src/remote/libvirtd.service.in - due to not having
+	5b816e16968ba02def56f067774ecd9a8c8d44d7 in rhel8
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-3-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/remote/libvirtd.service.in |  6 +-----
+ src/remote/libvirtd.sysconf    | 12 +++++++++---
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 914bcbd5c4..d5d98f0c12 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -24,11 +24,7 @@ Documentation=https://libvirt.org
+ [Service]
+ Type=notify
+ EnvironmentFile=-/etc/sysconfig/libvirtd
+-# libvirtd.service is set to run on boot so that autostart of
+-# VMs can be performed. We don't want it to stick around if
+-# unused though, so we set a timeout. The socket activation
+-# then ensures it gets started again if anything needs it
+-ExecStart=@sbindir@/libvirtd --timeout 120 $LIBVIRTD_ARGS
+ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
+ ExecReload=/bin/kill -HUP $MAINPID
+ KillMode=process
+ Restart=on-failure
+diff --git a/src/remote/libvirtd.sysconf b/src/remote/libvirtd.sysconf
+index 5969518bf2..ee9db22bab 100644
+--- a/src/remote/libvirtd.sysconf
+++ b/src/remote/libvirtd.sysconf
+@@ -1,8 +1,14 @@
+ # Customizations for the libvirtd.service systemd unit
+ 
+-# Listen for TCP/IP connections. This is not required if using systemd
+-# socket activation.
+-# NB. must setup TLS/SSL keys prior to using this
+# Default behaviour is for libvirtd.service to start on boot
+# so that VM autostart can be performed. We then want it to
+# shutdown again if nothing was started and rely on systemd
+# socket activation to start it again when some client app
+# connects.
+LIBVIRTD_ARGS="--timeout 120"
+
+# If systemd socket activation is disabled, then the following
+# can be used to listen on TCP/TLS sockets
+ #LIBVIRTD_ARGS="--listen"
+ 
+ # Override Kerberos service keytab for SASL/GSSAPI
@@ -0,0 +1,99 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:43 +0100
+Subject: [PATCH] remote: forbid the --listen arg when systemd socket
+ activation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using systemd socket activation the --listen arg has no
+effect. This is confusing to users upgrading from previous versions of
+libvirt as their config is silently ignored. Turn use of --listen into a
+fatal error when sockets are passed from systemd.
+
+This helps the admin discover the change in behaviour and thus decide
+whether to stick with socket activation or revert to previous behaviour.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 3a6a725b8f575890ee6c151ad1f46ea0ceea1f3b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-4-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/remote/libvirtd.pod    | 33 ++++++++++++++++++++++++++++++++-
+ src/remote/remote_daemon.c |  8 ++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/remote/libvirtd.pod b/src/remote/libvirtd.pod
+index 4721e0f4ec..fa30d6a37a 100644
+--- a/src/remote/libvirtd.pod
+++ b/src/remote/libvirtd.pod
+@@ -30,6 +30,35 @@ and will be picked up automatically if their XML configuration has been
+ defined.  Any guests whose XML configuration has not been defined will be lost
+ from the configuration.
+ 
+=head1 SYSTEM SOCKET ACTIVATION
+
+The B<libvirtd> daemon is capable of starting in two modes.
+
+In the traditional mode, it will create and listen on UNIX sockets itself.
+If the B<--listen> parameter is given, it will also listen on TCP/IP socket(s),
+according to the B<listen_tcp> and B<listen_tls> options in
+B</etc/libvirt/libvirtd.conf>
+
+In socket activation mode, it will rely on systemd to create and listen
+on the UNIX, and optionally TCP/IP, sockets and pass them as pre-opened
+file descriptors. In this mode, it is not permitted to pass the B<--listen>
+parameter, and most of the socket related config options in
+B</etc/libvirt/libvirtd.conf> will no longer have any effect. To enable
+TCP or TLS sockets use either
+
+B<$ systemctl start libvirtd-tls.socket>
+
+Or
+
+B<$ systemctl start libvirtd-tcp.socket>
+
+Socket activation mode is generally the default when running on a host
+OS that uses systemd. To revert to the traditional mode, all the socket
+unit files must be masked:
+
+B<$ systemctl mask libvirtd.socket libvirtd-ro.socket \
+      libvirtd-admin.socket libvirtd-tls.socket libvirtd-tcp.socket>
+
+ =head1 OPTIONS
+ 
+ =over
+@@ -48,7 +77,9 @@ Use this configuration file, overriding the default value.
+ 
+ =item B<-l, --listen>
+ 
+-Listen for TCP/IP connections.
+Listen for TCP/IP connections. This should not be set if using systemd
+socket activation. Instead activate the libvirtd-tls.socket or
+libvirtd-tcp.socket unit files.
+ 
+ =item B<-p, --pid-file> I<FILE>
+ 
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index d887b7abfb..b7ee1cf49b 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -391,6 +391,14 @@ daemonSetupNetworking(virNetServerPtr srv,
+     if (virSystemdGetActivation(actmap, ARRAY_CARDINALITY(actmap), &act) < 0)
+         return -1;
+ 
+#ifdef WITH_IP
+    if (act && ipsock) {
+        VIR_ERROR(_("--listen parameter not permitted with systemd activation "
+                    "sockets, see 'man libvirtd' for further guidance"));
+        return -1;
+    }
+#endif /* ! WITH_IP */
+
+     if (config->unix_sock_group) {
+         if (virGetGroupID(config->unix_sock_group, &unix_sock_gid) < 0)
+             return ret;
@@ -0,0 +1,86 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:44 +0100
+Subject: [PATCH] rpm: don't enable socket activation in upgrade if --listen
+ present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently during RPM upgrade we restart libvirtd and unconditionally
+enable use of systemd socket activation for the UNIX sockets.
+
+If the user had previously given the --listen arg to libvirtd though,
+this will no longer be honoured if socket activation is used.
+
+We could start libvirtd-tcp.socket or libvirtd-tls.socket for this,
+but mgmt tools like puppet/ansible might not be expecting this.
+So for now we silently disable socket activation if we see --listen
+was previously set on the host.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 66d04312d03c24c62bcf3b1dc2706f8775d4e2d3)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-5-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ libvirt.spec.in | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index 045c0fed1a..58f7cae092 100644
+--- a/libvirt.spec.in
+++ b/libvirt.spec.in
+@@ -1378,19 +1378,37 @@ fi
+ 
+ %posttrans daemon
+ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
+-    # Old libvirtd owns the sockets and will delete them on
+-    # shutdown. Can't use a try-restart as libvirtd will simply
+-    # own the sockets again when it comes back up. Thus we must
+-    # do this particular ordering
+-    /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1
+-    if test $? = 0 ; then
+-        /bin/systemctl stop libvirtd.service >/dev/null 2>&1 || :
+-
+-        /bin/systemctl try-restart libvirtd.socket >/dev/null 2>&1 || :
+-        /bin/systemctl try-restart libvirtd-ro.socket >/dev/null 2>&1 || :
+-        /bin/systemctl try-restart libvirtd-admin.socket >/dev/null 2>&1 || :
+-
+-        /bin/systemctl start libvirtd.service >/dev/null 2>&1 || :
+    # See if user has previously modified their install to
+    # tell libvirtd to use --listen
+    grep -E '^LIBVIRTD_ARGS=.*--listen' /etc/sysconfig/libvirtd 1>/dev/null 2>&1
+    if test $? = 0
+    then
+        # Then lets keep honouring --listen and *not* use
+        # systemd socket activation, because switching things
+        # might confuse mgmt tool like puppet/ansible that
+        # expect the old style libvirtd
+        /bin/systemctl mask libvirtd.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-ro.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-admin.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tls.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tcp.socket >/dev/null 2>&1 || :
+    else
+        # Old libvirtd owns the sockets and will delete them on
+        # shutdown. Can't use a try-restart as libvirtd will simply
+        # own the sockets again when it comes back up. Thus we must
+        # do this particular ordering, so that we get libvirtd
+        # running with socket activation in use
+        /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1
+        if test $? = 0
+        then
+            /bin/systemctl stop libvirtd.service >/dev/null 2>&1 || :
+
+            /bin/systemctl try-restart libvirtd.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-ro.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-admin.socket >/dev/null 2>&1 || :
+
+            /bin/systemctl start libvirtd.service >/dev/null 2>&1 || :
+        fi
+     fi
+ fi
+ rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
@@ -0,0 +1,27 @@
+From: Michael Chapman <mike@very.puzzling.org>
+Date: Tue, 17 Sep 2019 17:03:57 +1000
+Subject: [PATCH] remote: fix registration of TLS socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Michael Chapman <mike@very.puzzling.org>
+(cherry picked from commit 522b3d2b24d0f7ac78dad442c990d4e34db0eaf2)
+---
+ src/remote/remote_daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index b7ee1cf49b..6b5a6c1523 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -473,7 +473,7 @@ daemonSetupNetworking(virNetServerPtr srv,
+                                   config->max_client_requests) < 0)
+         goto cleanup;
+ 
+-    if (((ipsock && config->listen_tls) || (act && virSystemdActivationHasName(act, "ip-tls")))) {
+    if (((ipsock && config->listen_tls) || (act && virSystemdActivationHasName(act, "libvirtd-tls.socket")))) {
+         virNetTLSContextPtr ctxt = NULL;
+ 
+         if (config->ca_file ||
@@ -0,0 +1,34 @@
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Thu, 5 Sep 2019 11:22:11 +0200
+Subject: [PATCH] vircgroupv2: fix setting cpu.max period
+
+When we set cpu.max period we need to parse the cpu.max file first as
+it contains both quota and period values separated by space.  When only
+a single number is written to that file it will set quota.  However,
+in order to change period we need to write both values.
+
+The code was prepared for that but mistakenly used new line to end the
+string with the first value.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749227
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Erik Skultety <eskultet@redhat.com>
+(cherry picked from commit 0bd4ad193d8ba7f0104f4739f19f2731e7cf9f56)
+---
+ src/util/vircgroupv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index e36c36685b..d8abe18943 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -1507,7 +1507,7 @@ virCgroupV2SetCpuCfsPeriod(virCgroupPtr group,
+                        _("Invalid 'cpu.max' data."));
+         return -1;
+     }
+-    *tmp = '\n';
+    *tmp = '\0';
+ 
+     if (virAsprintf(&value, "%s %llu", str, cfs_period) < 0)
+         return -1;
@@ -0,0 +1,55 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Thu, 26 Sep 2019 15:00:55 -0400
+Subject: [PATCH] vircgroupv2: Fix VM startup when legacy cgroups are defined
+
+On Fedora 31, starting a 'mock' build alters /proc/$pid/cgroup,
+probably due to usage of systemd-nspawn.
+
+Before:
+$ cat /proc/self/cgroup
+0::/user.slice/user-1000.slice/...
+
+After:
+$ cat /proc/self/cgroup
+1:name=systemd:/
+0::/user.slice/user-1000.slice/...
+
+The cgroupv2 code mishandles that first line in the second case, which
+causes VM startup to fail with: Unable to read from
+'/sys/fs/cgroup/machine/cgroup.controllers': No such file or directory
+
+The kernel docs[1] say that the cgroupv2 path will always start with
+'0::', which in the code here controllers="". Only set the v2 placement
+path when we see that cgroup file entry.
+
+[1] https://www.kernel.org/doc/html/v5.3/admin-guide/cgroup-v2.html#processes
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1751120
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/vircgroupv2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index d8abe18943..acd48d1259 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -194,12 +194,16 @@ virCgroupV2DetectMounts(virCgroupPtr group,
+ static int
+ virCgroupV2DetectPlacement(virCgroupPtr group,
+                            const char *path,
+-                           const char *controllers ATTRIBUTE_UNUSED,
+                           const char *controllers,
+                            const char *selfpath)
+ {
+     if (group->unified.placement)
+         return 0;
+ 
+    /* controllers="" indicates the cgroupv2 controller path */
+    if (STRNEQ_NULLABLE(controllers, ""))
+        return 0;
+
+     /*
+      * selfpath == "/" + path="" -> "/"
+      * selfpath == "/libvirt.service" + path == "" -> "/libvirt.service"
@@ -0,0 +1,72 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Thu, 26 Sep 2019 15:25:52 -0400
+Subject: [PATCH] vircgroup: Add some VIR_DEBUG statements
+
+These helped with debugging
+https://bugzilla.redhat.com/show_bug.cgi?id=1612383
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/vircgroup.c   | 3 ++-
+ src/util/vircgroupv2.c | 9 +++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
+index 825f62a97b..4f9d80666d 100644
+--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
+@@ -1157,7 +1157,8 @@ virCgroupNewMachineSystemd(const char *name,
+     virCgroupFree(&init);
+ 
+     if (!path || STREQ(path, "/") || path[0] != '/') {
+-        VIR_DEBUG("Systemd didn't setup its controller");
+        VIR_DEBUG("Systemd didn't setup its controller, path=%s",
+                  NULLSTR(path));
+         return -2;
+     }
+ 
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index acd48d1259..c536be0cd9 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -155,10 +155,14 @@ virCgroupV2CopyPlacement(virCgroupPtr group,
+                          const char *path,
+                          virCgroupPtr parent)
+ {
+    VIR_DEBUG("group=%p path=%s parent=%p", group, path, parent);
+
+     if (path[0] == '/') {
+         if (VIR_STRDUP(group->unified.placement, path) < 0)
+             return -1;
+     } else {
+        VIR_DEBUG("parent->unified.placement=%s", parent->unified.placement);
+
+         /*
+          * parent == "/" + path="" => "/"
+          * parent == "/libvirt.service" + path == "" => "/libvirt.service"
+@@ -172,6 +176,7 @@ virCgroupV2CopyPlacement(virCgroupPtr group,
+             return -1;
+     }
+ 
+    VIR_DEBUG("set group->unified.placement=%s", group->unified.placement);
+     return 0;
+ }
+ 
+@@ -200,6 +205,9 @@ virCgroupV2DetectPlacement(virCgroupPtr group,
+     if (group->unified.placement)
+         return 0;
+ 
+    VIR_DEBUG("group=%p path=%s controllers=%s selfpath=%s",
+              group, path, controllers, selfpath);
+
+     /* controllers="" indicates the cgroupv2 controller path */
+     if (STRNEQ_NULLABLE(controllers, ""))
+         return 0;
+@@ -216,6 +224,7 @@ virCgroupV2DetectPlacement(virCgroupPtr group,
+                     path) < 0)
+         return -1;
+ 
+    VIR_DEBUG("set group->unified.placement=%s", group->unified.placement);
+     return 0;
+ }
+ 
@@ -0,0 +1,30 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 4 Oct 2019 16:33:37 +0200
+Subject: [PATCH] qemu_driver: Fix comment of qemuStateCleanup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The comment says that the function kills domains and networks.
+This is obviously not the case.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit e0b90162c94c45a9b0cf197e45b71f26036725d8)
+---
+ src/qemu/qemu_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1ba6def419..69416d6d1a 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -1190,7 +1190,7 @@ qemuStateStop(void)
+ /**
+  * qemuStateCleanup:
+  *
+- * Shutdown the QEMU daemon, it will stop all active domains and networks
+ * Release resources allocated by QEMU driver (no domain is shut off though)
+  */
+ static int
+ qemuStateCleanup(void)
@@ -0,0 +1,123 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 4 Oct 2019 16:57:04 +0200
+Subject: [PATCH] driver: Introduce virDriverShouldAutostart()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some of objects we manage can be autostarted on libvirtd startup
+(e.g. domains, network, storage pools). The idea was that when
+the host is started up these objects are started too without need
+of user intervention. However, with the latest daemon split and
+switch to socket activated, short lived daemons (we put --timeout
+120 onto each daemon's command line) this doesn't do what we want
+it to. The problem is not new though, we already had the session
+daemon come and go and we circumvented this problem by
+documenting it (see v4.10.0-92-g61b4e8aaf1). But now that we meet
+the same problem at all fronts it's time to deal with it.
+
+The solution implemented in this commit is to have a file (one
+per each driver) that:
+
+  1) if doesn't exist, is created and autostart is allowed for
+     given driver,
+
+  2) if it does exist, then autostart is suppressed for given
+     driver.
+
+All the files live in a location that doesn't survive host
+reboots (/var/run/ for instance) and thus the file is
+automatically not there on fresh host boot.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit ee16a195d97315ba3610b3640d347d3f4a358b55)
+---
+ src/driver.c             | 39 +++++++++++++++++++++++++++++++++++++++
+ src/driver.h             |  3 +++
+ src/libvirt_private.syms |  1 +
+ 3 files changed, 43 insertions(+)
+
+diff --git a/src/driver.c b/src/driver.c
+index 5e8f68f6df..471053686f 100644
+--- a/src/driver.c
+++ b/src/driver.c
+@@ -29,6 +29,7 @@
+ #include "virfile.h"
+ #include "virlog.h"
+ #include "virmodule.h"
+#include "virstring.h"
+ #include "virthread.h"
+ #include "configmake.h"
+ 
+@@ -69,6 +70,44 @@ virDriverLoadModule(const char *name,
+ 
+ /* XXX unload modules, but we can't until we can unregister libvirt drivers */
+ 
+/**
+ * virDriverShouldAutostart:
+ * @dir: driver's run state directory (usually /var/run/libvirt/$driver)
+ * @autostart: whether driver should initiate autostart
+ *
+ * Automatic starting of libvirt's objects (e.g. domains, networks, storage
+ * pools, etc.) doesn't play nice with using '--timeout' on daemon's command
+ * line because the objects are attempted to autostart on every start of
+ * corresponding driver/daemon. To resolve this problem, a file is created in
+ * driver's private directory (which doesn't survive host's reboot) and thus
+ * autostart is attempted only once.
+ */
+int
+virDriverShouldAutostart(const char *dir,
+                         bool *autostart)
+{
+    VIR_AUTOFREE(char *) path = NULL;
+
+    *autostart = false;
+
+    if (virAsprintf(&path, "%s/autostarted", dir) < 0)
+        return -1;
+
+    if (virFileExists(path)) {
+        VIR_DEBUG("Autostart file %s exists, skipping autostart", path);
+        return 0;
+    }
+
+    VIR_DEBUG("Autostart file %s does not exist, do autostart", path);
+    *autostart = true;
+
+    if (virFileTouch(path, 0600) < 0)
+        return -1;
+
+    return 0;
+}
+
+
+ virThreadLocal connectInterface;
+ virThreadLocal connectNetwork;
+ virThreadLocal connectNWFilter;
+diff --git a/src/driver.h b/src/driver.h
+index 898fb96df4..c52284498e 100644
+--- a/src/driver.h
+++ b/src/driver.h
+@@ -112,6 +112,9 @@ int virDriverLoadModule(const char *name,
+                         const char *regfunc,
+                         bool required);
+ 
+int virDriverShouldAutostart(const char *name,
+                             bool *autostart);
+
+ virConnectPtr virGetConnectInterface(void);
+ virConnectPtr virGetConnectNetwork(void);
+ virConnectPtr virGetConnectNWFilter(void);
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index bbc5144aa2..c1c3974133 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -1337,6 +1337,7 @@ virStreamClass;
+ 
+ 
+ # driver.h
+virDriverShouldAutostart;
+ virGetConnectInterface;
+ virGetConnectNetwork;
+ virGetConnectNodeDev;
@@ -0,0 +1,187 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Sat, 5 Oct 2019 09:15:24 +0200
+Subject: [PATCH] lib: autostart objects exactly once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1755303
+
+With the recent work in daemon split and socket activation
+daemons can come and go. They can and will be started many times
+during a session which results in objects being autostarted
+multiple times. This is not optimal. Use
+virDriverShouldAutostart() to determine if autostart should be
+done or not.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit bab464f8ea54d177e163f32c7c3476220694665c)
+---
+ src/bhyve/bhyve_driver.c     |  8 +++++++-
+ src/libxl/libxl_driver.c     | 10 ++++++++--
+ src/lxc/lxc_driver.c         |  7 ++++++-
+ src/network/bridge_driver.c  | 12 +++++++++---
+ src/qemu/qemu_driver.c       |  7 ++++++-
+ src/storage/storage_driver.c |  7 ++++++-
+ 6 files changed, 42 insertions(+), 9 deletions(-)
+
+diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c
+index 5387ac5570..12788155a8 100644
+--- a/src/bhyve/bhyve_driver.c
+++ b/src/bhyve/bhyve_driver.c
+@@ -1218,6 +1218,8 @@ bhyveStateInitialize(bool privileged,
+                      virStateInhibitCallback callback ATTRIBUTE_UNUSED,
+                      void *opaque ATTRIBUTE_UNUSED)
+ {
+    bool autostart = true;
+
+     if (!privileged) {
+         VIR_INFO("Not running privileged, disabling driver");
+         return 0;
+@@ -1301,7 +1303,11 @@ bhyveStateInitialize(bool privileged,
+ 
+     virBhyveProcessReconnectAll(bhyve_driver);
+ 
+-    bhyveAutostartDomains(bhyve_driver);
+    if (virDriverShouldAutostart(BHYVE_STATE_DIR, &autostart) < 0)
+        goto cleanup;
+
+    if (autostart)
+        bhyveAutostartDomains(bhyve_driver);
+ 
+     return 0;
+ 
+diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
+index 492028c487..c1c94767c3 100644
+--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
+@@ -655,6 +655,7 @@ libxlStateInitialize(bool privileged,
+     libxlDriverConfigPtr cfg;
+     char *driverConf = NULL;
+     char ebuf[1024];
+    bool autostart = true;
+ 
+     if (!libxlDriverShouldLoad(privileged))
+         return 0;
+@@ -800,8 +801,13 @@ libxlStateInitialize(bool privileged,
+                                        NULL, NULL) < 0)
+         goto error;
+ 
+-    virDomainObjListForEach(libxl_driver->domains, libxlAutostartDomain,
+-                            libxl_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart) {
+        virDomainObjListForEach(libxl_driver->domains, libxlAutostartDomain,
+                                libxl_driver);
+    }
+ 
+     virDomainObjListForEach(libxl_driver->domains, libxlDomainManagedSaveLoad,
+                             libxl_driver);
+diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
+index d0b6703101..24e6773f09 100644
+--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
+@@ -1541,6 +1541,7 @@ static int lxcStateInitialize(bool privileged,
+ {
+     virCapsPtr caps = NULL;
+     virLXCDriverConfigPtr cfg = NULL;
+    bool autostart = true;
+ 
+     /* Check that the user is root, silently disable if not */
+     if (!privileged) {
+@@ -1630,7 +1631,11 @@ static int lxcStateInitialize(bool privileged,
+                                        NULL, NULL) < 0)
+         goto cleanup;
+ 
+-    virLXCProcessAutostartAll(lxc_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto cleanup;
+
+    if (autostart)
+        virLXCProcessAutostartAll(lxc_driver);
+ 
+     virObjectUnref(caps);
+     return 0;
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index acaeb5c9a2..b830cdba42 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -716,6 +716,7 @@ networkStateInitialize(bool privileged,
+     int ret = -1;
+     char *configdir = NULL;
+     char *rundir = NULL;
+    bool autostart = true;
+ #ifdef WITH_FIREWALLD
+     DBusConnection *sysbus = NULL;
+ #endif
+@@ -816,9 +817,14 @@ networkStateInitialize(bool privileged,
+     networkReloadFirewallRules(network_driver, true);
+     networkRefreshDaemons(network_driver);
+ 
+-    virNetworkObjListForEach(network_driver->networks,
+-                             networkAutostartConfig,
+-                             network_driver);
+    if (virDriverShouldAutostart(network_driver->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart) {
+        virNetworkObjListForEach(network_driver->networks,
+                                 networkAutostartConfig,
+                                 network_driver);
+    }
+ 
+     network_driver->networkEventState = virObjectEventStateNew();
+ 
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 69416d6d1a..5dd2616c7b 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -726,6 +726,7 @@ qemuStateInitialize(bool privileged,
+     gid_t run_gid = -1;
+     char *hugepagePath = NULL;
+     char *memoryBackingPath = NULL;
+    bool autostart = true;
+     size_t i;
+ 
+     if (VIR_ALLOC(qemu_driver) < 0)
+@@ -1071,7 +1072,11 @@ qemuStateInitialize(bool privileged,
+ 
+     qemuProcessReconnectAll(qemu_driver);
+ 
+-    qemuAutostartDomains(qemu_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart)
+        qemuAutostartDomains(qemu_driver);
+ 
+     return 0;
+ 
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 03ac6a6845..05192027d6 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -253,6 +253,7 @@ storageStateInitialize(bool privileged,
+ {
+     VIR_AUTOFREE(char *) configdir = NULL;
+     VIR_AUTOFREE(char *) rundir = NULL;
+    bool autostart = true;
+ 
+     if (VIR_ALLOC(driver) < 0)
+         return -1;
+@@ -314,7 +315,11 @@ storageStateInitialize(bool privileged,
+ 
+     storagePoolUpdateAllState();
+ 
+-    storageDriverAutostart();
+    if (virDriverShouldAutostart(driver->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart)
+        storageDriverAutostart();
+ 
+     driver->storageEventState = virObjectEventStateNew();
+ 
@@ -0,0 +1,34 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Sat, 5 Oct 2019 09:22:15 +0200
+Subject: [PATCH] Revert "src: Document autostart for session demon"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 61b4e8aaf1bce07f282c152de556c3d6aa8d65be.
+
+After previous commits this is no longer needed.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 897d8b34c8577d6e663b7b9bdb17ea4f5f1b83b9)
+---
+ src/libvirt-domain.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 2fe9bb8e91..d01fef358f 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -6693,11 +6693,6 @@ virDomainCreateWithFiles(virDomainPtr domain, unsigned int nfiles,
+  * configured to be automatically started when the host
+  * machine boots.
+  *
+- * Please note that this might result in unexpected behaviour if
+- * used for some session URIs. Since the session daemon is started
+- * with --timeout it comes and goes and as it does so it
+- * autostarts domains which might have been shut off recently.
+- *
+  * Returns -1 in case of error, 0 in case of success
+  */
+ int
@@ -0,0 +1,39 @@
+From: Laine Stump <laine@laine.org>
+Date: Wed, 16 Oct 2019 14:06:54 -0400
+Subject: [PATCH] util: allow sending mac addr to virNetNewLink without ifindex
+
+Although until now, any use of the extra_args argument (a pointer to a
+struct containing extra attributes to add the the RTM_NEWLINK message)
+would always have the ifindex and mac set, so the code could assume it
+was safe to add both to the message if extra_args != NULL. There is
+now a use for setting a MAC address in the RTM_NEWLINK without setting
+the ifindex, so we should check each of these separately.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit b596d6c106cd87d6d452c5dd4ad923a034544fbf)
+---
+ src/util/virnetlink.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virnetlink.c b/src/util/virnetlink.c
+index 7b3c6bf05f..394495ee2b 100644
+--- a/src/util/virnetlink.c
+++ b/src/util/virnetlink.c
+@@ -548,9 +548,14 @@ virNetlinkNewLink(const char *ifname,
+     NETLINK_MSG_NEST_END(nl_msg, linkinfo);
+ 
+     if (extra_args) {
+-        NETLINK_MSG_PUT(nl_msg, IFLA_LINK,
+        if (extra_args->ifindex) {
+            NETLINK_MSG_PUT(nl_msg, IFLA_LINK,
+                         sizeof(uint32_t), extra_args->ifindex);
+-        NETLINK_MSG_PUT(nl_msg, IFLA_ADDRESS, VIR_MAC_BUFLEN, extra_args->mac);
+        }
+        if (extra_args->mac) {
+            NETLINK_MSG_PUT(nl_msg, IFLA_ADDRESS,
+                            VIR_MAC_BUFLEN, extra_args->mac);
+        }
+     }
+ 
+     if (virNetlinkCommand(nl_msg, &resp, &buflen, 0, 0, NETLINK_ROUTE, 0) < 0)
@@ -0,0 +1,213 @@
+From: Laine Stump <laine@laine.org>
+Date: Thu, 17 Oct 2019 21:12:30 -0400
+Subject: [PATCH] util: set bridge device MAC address explicitly during
+ virNetDevBridgeCreate
+
+When libvirt first implemented a stable and configurable MAC address
+for the bridges created for libvirt virtual networks (commit
+5754dbd56d, in libvirt v0.8.8) most distro stable releases didn't
+support explicitly setting the MAC address of a bridge; the bridge
+just always assumed the lowest numbered MAC of all attached
+interfaces. Because of this, we stabilized the bridge MAC address by
+creating a "dummy" tap interface with a MAC address guaranteed to be
+lower than any of the guest tap devices' MACs (which all started with
+0xFE, so it's not difficult to do) and attached it to the bridge -
+this was the inception of the "virbr0-nic" device that has confused so
+many people over the years.
+
+Even though the linux kernel had recently gained support for
+explicitly setting a bridge MAC, we deemed it unnecessary to set the
+MAC that way, because the other (indirect) method worked everywhere.
+
+But recently there have been reports that the bridge MAC address was
+not following the setting in the network config, and mismatched the
+MAC of the dummy tap device (which was still correct). It turns out
+that this is due to a change in systemd-242 that persists whatever MAC
+address is set for a bridge when it's initially started. According to
+the systemd NEWS file entry for version 242
+(https://github.com/systemd/systemd/blob/master/NEWS):
+
+  "if a bridge interface is created without any slaves, and gains
+   a slave later, then now the bridge does not inherit slave's MAC."
+
+This change was the result of:
+
+  https://github.com/systemd/systemd/issues/3374
+
+(apparently if there is no MAC saved for a bridge by the name of a
+bridge being created, the random MAC generated during creation is
+saved, and then that same MAC is used to explicitly set the MAC each
+time it is created). Once a bridge has an explicitly set MAC, the "use
+the lowest numbered MAC of attached devices" rule is ignored, so our
+dummy tap device is like the goggles - it does nothing! (well, almost).
+
+We could whine about changes in default behavior, etc. etc., but
+because the change was in response to actual user problems, that seems
+likely a fruitless task. Fortunately, time has marched on, and even
+distro releases that are old enough that they are no longer supported
+by upstream libvirt (e.g. RHEL6) have support for explicitly setting a
+bridge device MAC address, either during creation or with a separate
+ioctl after creation, so we can now do that.
+
+To enable explicitly setting the mac during bridge creation, we add a
+mac arg to virNetDevBridgeCreate().  In the case of platforms where
+the bridge is created with a netlink RTM_NEWLINK message, we just add
+that mac to the message. For platforms that still use an ioctl (either
+SIOCBRADDBR or SIOCIFCREATE2), we make a separate call to
+virNetDevSetMAC() after creating the bridge.
+
+(NB: I was unable to test the calling of virNetDevSetMAC() from the
+SIOCIFCREATE2 (BSD) version of virNetDevBridgeCreate(); even though I
+managed to get a FreeBSD system setup and libvirt built there, when I
+tried to start the default network the SIOCIFCREATE2 ioctl itself
+failed, so it never even got to the virNetDevSetMAC(). That leaves the
+FreeBSD implementation untested.)
+
+This makes the dummy tap pointless for purposes of setting the MAC
+address, but it is still useful for IPv6 DAD initialization (which
+apparently requires at least one interface to be attached to the
+bridge and online), as well as for setting an initial MTU for the
+bridge, so it hasn't been removed.
+
+(NB: we can safely *always* call virNetDevBridgeCreate() with
+&def->mac from the network driver because, in spite of the existence
+of a "mac_specified" bool in the config suggesting that it may not
+always be present, in reality a mac address will always be added to
+any network that doesn't have one - this is guaranteed in all cases by
+commit a47ae7c004)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1760851
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 13ec827052fcd79a4350f499aab5f4aa20ea83fa)
+---
+ src/network/bridge_driver.c |  2 +-
+ src/util/virnetdevbridge.c  | 44 ++++++++++++++++++++++++++++++-------
+ src/util/virnetdevbridge.h  |  3 ++-
+ 3 files changed, 39 insertions(+), 10 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index b830cdba42..d5c544f556 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -2510,7 +2510,7 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,
+                        def->name);
+         return -1;
+     }
+-    if (virNetDevBridgeCreate(def->bridge) < 0)
+    if (virNetDevBridgeCreate(def->bridge, &def->mac) < 0)
+         return -1;
+ 
+     if (def->mac_specified) {
+diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
+index 4f21a82fb7..368ce912d1 100644
+--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
+@@ -379,7 +379,8 @@ virNetDevBridgePortSetUnicastFlood(const char *brname ATTRIBUTE_UNUSED,
+  */
+ #if defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+ static int
+-virNetDevBridgeCreateWithIoctl(const char *brname)
+virNetDevBridgeCreateWithIoctl(const char *brname,
+                               const virMacAddr *mac)
+ {
+     VIR_AUTOCLOSE fd = -1;
+ 
+@@ -392,22 +393,36 @@ virNetDevBridgeCreateWithIoctl(const char *brname)
+         return -1;
+     }
+ 
+    if (virNetDevSetMAC(brname, mac) < 0) {
+        virErrorPtr savederr;
+
+        virErrorPreserveLast(&savederr);
+        ignore_value(ioctl(fd, SIOCBRDELBR, brname));
+        virErrorRestore(&savederr);
+        return -1;
+    }
+
+     return 0;
+ }
+ #endif
+ 
+ #if defined(__linux__) && defined(HAVE_LIBNL)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+     /* use a netlink RTM_NEWLINK message to create the bridge */
+     int error = 0;
+    virNetlinkNewLinkData data = {
+        .mac = mac,
+    };
+
+ 
+-    if (virNetlinkNewLink(brname, "bridge", NULL, &error) < 0) {
+    if (virNetlinkNewLink(brname, "bridge", &data, &error) < 0) {
+ # if defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+         if (error == -EOPNOTSUPP) {
+             /* fallback to ioctl if netlink doesn't support creating bridges */
+-            return virNetDevBridgeCreateWithIoctl(brname);
+            return virNetDevBridgeCreateWithIoctl(brname, mac);
+         }
+ # endif
+         if (error < 0)
+@@ -423,15 +438,17 @@ virNetDevBridgeCreate(const char *brname)
+ 
+ #elif defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+-    return virNetDevBridgeCreateWithIoctl(brname);
+    return virNetDevBridgeCreateWithIoctl(brname, mac);
+ }
+ 
+ 
+ #elif defined(HAVE_STRUCT_IFREQ) && defined(SIOCIFCREATE2)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+     struct ifreq ifr;
+     VIR_AUTOCLOSE s = -1;
+@@ -448,10 +465,21 @@ virNetDevBridgeCreate(const char *brname)
+     if (virNetDevSetName(ifr.ifr_name, brname) == -1)
+         return -1;
+ 
+    if (virNetDevSetMAC(brname, mac) < 0) {
+        virErrorPtr savederr;
+
+        virErrorPreserveLast(&savederr);
+        ignore_value(virNetDevBridgeDelete(brname));
+        virErrorRestore(&savederr);
+        return -1;
+    }
+
+     return 0;
+ }
+ #else
+-int virNetDevBridgeCreate(const char *brname)
+int
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac G_GNUC_UNUSED)
+ {
+     virReportSystemError(ENOSYS,
+                          _("Unable to create bridge %s"), brname);
+diff --git a/src/util/virnetdevbridge.h b/src/util/virnetdevbridge.h
+index 8df5e51c2e..2a2bde8d0e 100644
+--- a/src/util/virnetdevbridge.h
+++ b/src/util/virnetdevbridge.h
+@@ -21,7 +21,8 @@
+ #include "internal.h"
+ #include "virmacaddr.h"
+ 
+-int virNetDevBridgeCreate(const char *brname)
+int virNetDevBridgeCreate(const char *brname,
+                          const virMacAddr *mac)
+     ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK;
+ int virNetDevBridgeDelete(const char *brname)
+     ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK;
@@ -0,0 +1,122 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 14 Oct 2019 16:37:03 +0200
+Subject: [PATCH] virhostuptime: Add linux stub for musl
+
+When we want to know the boot timestamp of the host, we can call
+virHostGetBootTime(). Under the hood, it uses getutxid() which is
+defined by POSIX and properly check for in configure. However,
+musl took a path where it declares the function but instead of
+providing any useful implementation it returns NULL meaning "no
+record found". If that's the case, use our second best option -
+/proc/uptime and a bit of maths.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1760885
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 070d6969fe912b8f2e9aadee88c6bdda00a65f4f)
+Signed-off-by: rpm-build <rpm-build>
+
+Conflicts:
+po/POTFILES.in
+---
+ src/util/virhostuptime.c | 62 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 59 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index 62b781acd5..a203961996 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -25,16 +25,68 @@
+ #endif
+ 
+ #include "virhostuptime.h"
+#include "viralloc.h"
+#include "virfile.h"
+#include "virlog.h"
+#include "virstring.h"
+#include "virtime.h"
+ #include "virthread.h"
+ 
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("util.virhostuptime");
+
+ static unsigned long long bootTime;
+ static int bootTimeErrno;
+ static virOnceControl virHostGetBootTimeOnce = VIR_ONCE_CONTROL_INITIALIZER;
+ 
+-#ifdef HAVE_GETUTXID
+#if defined(__linux__)
+# define UPTIME_FILE  "/proc/uptime"
+static int
+virHostGetBootTimeProcfs(unsigned long long *btime)
+{
+    unsigned long long now;
+    double up;
+    VIR_AUTOFREE(char *) buf = NULL;
+    char *tmp;
+
+    if (virTimeMillisNow(&now) < 0)
+        return -errno;
+
+    /* 1KiB limit is more than enough. */
+    if (virFileReadAll(UPTIME_FILE, 1024, &buf) < 0)
+        return -errno;
+
+    /* buf contains two doubles now:
+     *   $uptime $idle_time
+     * We're interested only in the first one */
+    if (!(tmp = strchr(buf, ' '))) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("uptime file has unexpected format '%s'"),
+                       buf);
+        return -EINVAL;
+    }
+
+    *tmp = '\0';
+
+    if (virStrToDouble(buf, NULL, &up) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to parse uptime value '%s'"),
+                       buf);
+        return -EINVAL;
+    }
+
+    *btime = now / 1000 - up + 0.5;
+
+    return 0;
+}
+#endif /* defined(__linux__) */
+
+#if defined(HAVE_GETUTXID) || defined(__linux__)
+ static void
+ virHostGetBootTimeOnceInit(void)
+ {
+# ifdef HAVE_GETUTXID
+     struct utmpx id = {.ut_type = BOOT_TIME};
+     struct utmpx *res = NULL;
+ 
+@@ -45,16 +97,20 @@ virHostGetBootTimeOnceInit(void)
+     }
+ 
+     endutxent();
+# endif /* HAVE_GETUTXID */
+
+    if (bootTimeErrno != 0 || bootTime == 0)
+        bootTimeErrno = -virHostGetBootTimeProcfs(&bootTime);
+ }
+ 
+-#else /* !HAVE_GETUTXID */
+#else /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
+ 
+ static void
+ virHostGetBootTimeOnceInit(void)
+ {
+     bootTimeErrno = ENOSYS;
+ }
+-#endif /* HAVE_GETUTXID */
+#endif /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
+ 
+ /**
+  * virHostGetBootTime:
@@ -0,0 +1,31 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 14 Nov 2019 16:42:51 +0100
+Subject: [PATCH] virhostuptime: Wrap virHostGetBootTimeProcfs() call in an
+ ifdef
+
+The virHostGetBootTimeProcfs() function is defined only for Linux
+and therefore it's only call should also be done if we're on
+Linux.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 1b0de07f41bbe0d23ab96b604428ae55fd22aec0)
+Signed-off-by: rpm-build <rpm-build>
+---
+ src/util/virhostuptime.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index a203961996..94004d05db 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -99,8 +99,10 @@ virHostGetBootTimeOnceInit(void)
+     endutxent();
+ # endif /* HAVE_GETUTXID */
+ 
+# ifdef __linux__
+     if (bootTimeErrno != 0 || bootTime == 0)
+         bootTimeErrno = -virHostGetBootTimeProcfs(&bootTime);
+# endif /* __linux__ */
+ }
+ 
+ #else /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
@@ -0,0 +1,71 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 19 Dec 2019 10:11:04 +0100
+Subject: [PATCH] virhostuptime: Introduce virHostBootTimeInit()
+
+The idea is to offer callers an init function that they can call
+independently to ensure that the global variables get
+initialized.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 9d69bc19b94544b06838b2e2895826991d107178)
+Signed-off-by: rpm-build <rpm-build>
+
+Conflicts:
+	src/util/virhostuptime.h
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virhostuptime.c | 12 +++++++++++-
+ src/util/virhostuptime.h |  3 +++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index c1c3974133..fbd1c25597 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -2136,6 +2136,7 @@ virHostMemSetParameters;
+ 
+ 
+ # util/virhostuptime.h
+virHostBootTimeInit;
+ virHostGetBootTime;
+ 
+ 
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index 94004d05db..d82e268264 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -126,7 +126,7 @@ virHostGetBootTimeOnceInit(void)
+ int
+ virHostGetBootTime(unsigned long long *when)
+ {
+-    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+    if (virHostBootTimeInit() < 0)
+         return -1;
+ 
+     if (bootTimeErrno) {
+@@ -137,3 +137,13 @@ virHostGetBootTime(unsigned long long *when)
+     *when = bootTime;
+     return 0;
+ }
+
+
+int
+virHostBootTimeInit(void)
+{
+    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+        return -1;
+
+    return 0;
+}
+diff --git a/src/util/virhostuptime.h b/src/util/virhostuptime.h
+index 03c1517a64..0886b03767 100644
+--- a/src/util/virhostuptime.h
+++ b/src/util/virhostuptime.h
+@@ -25,3 +25,6 @@
+ int
+ virHostGetBootTime(unsigned long long *when)
+     ATTRIBUTE_NOINLINE;
+
+int
+virHostBootTimeInit(void);
@@ -0,0 +1,54 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 17 Dec 2019 14:08:42 +0100
+Subject: [PATCH] remote_daemon: Initialize host boot time global variable
+
+This is not strictly needed, but it makes sure we initialize the
+@bootTime global variable. Thing is, in order to validate XATTRs
+and prune those set in some previous runs of the host, a
+timestamp is recorded in XATTRs. The host boot time was unique
+enough so it was chosen as the timestamp value. And to avoid
+querying and parsing /proc/uptime every time, the query function
+does that only once and stores the boot time in a global
+variable. However, the only time the query function is called is
+in a child process that does lock files and changes seclabels. So
+effectively, we are doing exactly what we wanted to prevent from
+happening.
+
+The fix is simple, call the virHostBootTimeInit() function which
+sets the global variable.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 35d603d5ae0abe91b8b48203c5b7051b1800682b)
+Signed-off-by: rpm-build <rpm-build>
+---
+ src/remote/remote_daemon.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index 6b5a6c1523..43f9527405 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -57,6 +57,7 @@
+ #include "virgettext.h"
+ #include "util/virnetdevopenvswitch.h"
+ #include "virsystemd.h"
+#include "virhostuptime.h"
+ 
+ #include "driver.h"
+ 
+@@ -1088,6 +1089,14 @@ int main(int argc, char **argv) {
+         exit(EXIT_FAILURE);
+     }
+ 
+    /* Let's try to initialize global variable that holds the host's boot time. */
+    if (virHostBootTimeInit() < 0) {
+        /* This is acceptable failure. Maybe we won't need the boot time
+         * anyway, and if we do, then virHostGetBootTime() returns an
+         * appropriate error. */
+        VIR_DEBUG("Ignoring failed boot time init");
+    }
+
+     daemonSetupNetDevOpenvswitch(config);
+ 
+     if (daemonSetupAccessManager(config) < 0) {
@@ -0,0 +1,55 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 7 May 2020 22:32:59 -0400
+Subject: [PATCH] network: make it safe to call networkSetupPrivateChains()
+ multiple times
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+networkSetupPrivateChains() is currently called only once per run of
+libvirtd, so it can assume that errInitV4 and errInitV6 are empty/null
+when it is called. In preparation for potentially calling this
+function multiple times during one run, this patch moves the reset of
+errInitV[46] to the top of the function, to assure no memory is
+leaked.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit de110f110fb917a31b9f33ad8e4b3c1d3284766a)
+---
+ src/network/bridge_driver_linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
+index 35459c10d1..f4e4e2df76 100644
+--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
+@@ -48,6 +48,10 @@ static void networkSetupPrivateChains(void)
+     VIR_DEBUG("Setting up global firewall chains");
+ 
+     createdChains = false;
+    virFreeError(errInitV4);
+    errInitV4 = NULL;
+    virFreeError(errInitV6);
+    errInitV6 = NULL;
+ 
+     rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
+     if (rc < 0) {
+@@ -56,8 +60,6 @@ static void networkSetupPrivateChains(void)
+         errInitV4 = virSaveLastError();
+         virResetLastError();
+     } else {
+-        virFreeError(errInitV4);
+-        errInitV4 = NULL;
+         if (rc) {
+             VIR_DEBUG("Created global IPv4 chains");
+             createdChains = true;
+@@ -73,8 +75,6 @@ static void networkSetupPrivateChains(void)
+         errInitV6 = virSaveLastError();
+         virResetLastError();
+     } else {
+-        virFreeError(errInitV6);
+-        errInitV6 = NULL;
+         if (rc) {
+             VIR_DEBUG("Created global IPv6 chains");
+             createdChains = true;
@@ -0,0 +1,265 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 7 May 2020 21:54:39 -0400
+Subject: [PATCH] network: force re-creation of iptables private chains on
+ firewalld restart
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When firewalld is stopped, it removes *all* iptables rules and chains,
+including those added by libvirt. Since restarting firewalld means
+stopping and then starting it, any time it is restarted, libvirt needs
+to recreate all the private iptables chains it uses, along with all
+the rules it adds.
+
+We already have code in place to call networkReloadFirewallRules() any
+time we're notified of a firewalld start, and
+networkReloadFirewallRules() will call
+networkPreReloadFirewallRules(), which calls
+networkSetupPrivateChains(); unfortunately that last call is called
+using virOnce(), meaning that it will only be called the first time
+through networkPreReloadFirewallRules() after libvirtd starts - so of
+course when firewalld is later restarted, the call to
+networkSetupPrivateChains() is skipped.
+
+The neat and tidy way to fix this would be if there was a standard way
+to reset a pthread_once_t object so that the next time virOnce was
+called, it would think the function hadn't been called, and call it
+again. Unfortunately, there isn't any official way of doing that (we
+*could* just fill it with 0 and hope for the best, but that doesn't
+seem very safe.
+
+So instead, this patch just adds a static variable called
+chainInitDone, which is set to true after networkSetupPrivateChains()
+is called for the first time, and then during calls to
+networkPreReloadFirewallRules(), if chainInitDone is set, we call
+networkSetupPrivateChains() directly instead of via virOnce().
+
+It may seem unsafe to directly call a function that is meant to be
+called only once, but I think in this case we're safe - there's
+nothing in the function that is inherently "once only" - it doesn't
+initialize anything that can't safely be re-initialized (as long as
+two threads don't try to do it at the same time), and it only happens
+when responding to a dbus message that firewalld has been started (and
+I don't think it's possible for us to be processing two of those at
+once), and even then only if the initial call to the function has
+already been completed (so we're safe if we receive a firewalld
+restart call at a time when we haven't yet called it, or even if
+another thread is already in the process of executing it. The only
+problematic bit I can think of is if another thread is in the process
+of adding an iptable rule at the time we're executing this function,
+but 1) none of those threads will be trying to add chains, and 2) if
+there was a concurrency problem with other threads adding iptables
+rules while firewalld was being restarted, it would still be a problem
+even without this change.
+
+This is yet another patch that fixes an occurrence of this error:
+
+COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
+
+In particular, this resolves: https://bugzilla.redhat.com/1813830
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit f5418b427e7d2f26803880309478de9103680826)
+---
+ src/network/bridge_driver.c          | 16 ++++---
+ src/network/bridge_driver_linux.c    | 69 ++++++++++++++++++----------
+ src/network/bridge_driver_nop.c      |  3 +-
+ src/network/bridge_driver_platform.h |  2 +-
+ 4 files changed, 58 insertions(+), 32 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index d5c544f556..981b4e4578 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -289,7 +289,9 @@ static int
+ networkShutdownNetworkExternal(virNetworkObjPtr obj);
+ 
+ static void
+-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);
+networkReloadFirewallRules(virNetworkDriverStatePtr driver,
+                           bool startup,
+                           bool force);
+ 
+ static void
+ networkRefreshDaemons(virNetworkDriverStatePtr driver);
+@@ -695,7 +697,7 @@ firewalld_dbus_filter_bridge(DBusConnection *connection ATTRIBUTE_UNUSED,
+ 
+     if (reload) {
+         VIR_DEBUG("Reload in bridge_driver because of firewalld.");
+-        networkReloadFirewallRules(driver, false);
+        networkReloadFirewallRules(driver, false, true);
+     }
+ 
+     return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+@@ -814,7 +816,7 @@ networkStateInitialize(bool privileged,
+     virNetworkObjListPrune(network_driver->networks,
+                            VIR_CONNECT_LIST_NETWORKS_INACTIVE |
+                            VIR_CONNECT_LIST_NETWORKS_TRANSIENT);
+-    networkReloadFirewallRules(network_driver, true);
+    networkReloadFirewallRules(network_driver, true, false);
+     networkRefreshDaemons(network_driver);
+ 
+     if (virDriverShouldAutostart(network_driver->stateDir, &autostart) < 0)
+@@ -884,7 +886,7 @@ networkStateReload(void)
+                                 network_driver->networkConfigDir,
+                                 network_driver->networkAutostartDir,
+                                 network_driver->xmlopt);
+-    networkReloadFirewallRules(network_driver, false);
+    networkReloadFirewallRules(network_driver, false, false);
+     networkRefreshDaemons(network_driver);
+     virNetworkObjListForEach(network_driver->networks,
+                              networkAutostartConfig,
+@@ -2267,14 +2269,16 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr obj,
+ 
+ 
+ static void
+-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
+networkReloadFirewallRules(virNetworkDriverStatePtr driver,
+                           bool startup,
+                           bool force)
+ {
+     VIR_INFO("Reloading iptables rules");
+     /* Ideally we'd not even register the driver when unprivilegd
+      * but until we untangle the virt driver that's not viable */
+     if (!driver->privileged)
+         return;
+-    networkPreReloadFirewallRules(driver, startup);
+    networkPreReloadFirewallRules(driver, startup, force);
+     virNetworkObjListForEach(driver->networks,
+                              networkReloadFirewallRulesHelper,
+                              NULL);
+diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
+index f4e4e2df76..f65928e556 100644
+--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
+@@ -36,11 +36,14 @@ VIR_LOG_INIT("network.bridge_driver_linux");
+ #define PROC_NET_ROUTE "/proc/net/route"
+ 
+ static virOnceControl createdOnce;
+-static bool createdChains;
+static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
+static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */
+ static virErrorPtr errInitV4;
+ static virErrorPtr errInitV6;
+ 
+-/* Only call via virOnce */
+/* Usually only called via virOnce, but can also be called directly in
+ * response to firewalld reload (if chainInitDone == true)
+ */
+ static void networkSetupPrivateChains(void)
+ {
+     int rc;
+@@ -82,6 +85,8 @@ static void networkSetupPrivateChains(void)
+             VIR_DEBUG("Global IPv6 chains already exist");
+         }
+     }
+
+    chainInitDone = true;
+ }
+ 
+ 
+@@ -111,7 +116,10 @@ networkHasRunningNetworks(virNetworkDriverStatePtr driver)
+ }
+ 
+ 
+-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
+void
+networkPreReloadFirewallRules(virNetworkDriverStatePtr driver,
+                              bool startup,
+                              bool force)
+ {
+     /*
+      * If there are any running networks, we need to
+@@ -130,29 +138,42 @@ void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup
+      * of starting the network though as that makes them
+      * more likely to be seen by a human
+      */
+-    if (!networkHasRunningNetworks(driver)) {
+-        VIR_DEBUG("Delayed global rule setup as no networks are running");
+-        return;
+-    }
+    if (chainInitDone && force) {
+        /* The Private chains have already been initialized once
+         * during this run of libvirtd, so 1) we can't do it again via
+         * virOnce(), and 2) we need to re-add the private chains even
+         * if there are currently no running networks, because the
+         * next time a network is started, libvirt will expect that
+         * the chains have already been added. So we call directly
+         * instead of via virOnce().
+         */
+        networkSetupPrivateChains();
+ 
+-    ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
+    } else {
+        if (!networkHasRunningNetworks(driver)) {
+            VIR_DEBUG("Delayed global rule setup as no networks are running");
+            return;
+        }
+ 
+-    /*
+-     * If this is initial startup, and we just created the
+-     * top level private chains we either
+-     *
+-     *   - upgraded from old libvirt
+-     *   - freshly booted from clean state
+-     *
+-     * In the first case we must delete the old rules from
+-     * the built-in chains, instead of our new private chains.
+-     * In the second case it doesn't matter, since no existing
+-     * rules will be present. Thus we can safely just tell it
+-     * to always delete from the builin chain
+-     */
+-    if (startup && createdChains) {
+-        VIR_DEBUG("Requesting cleanup of legacy firewall rules");
+-        iptablesSetDeletePrivate(false);
+        ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
+
+        /*
+         * If this is initial startup, and we just created the
+         * top level private chains we either
+         *
+         *   - upgraded from old libvirt
+         *   - freshly booted from clean state
+         *
+         * In the first case we must delete the old rules from
+         * the built-in chains, instead of our new private chains.
+         * In the second case it doesn't matter, since no existing
+         * rules will be present. Thus we can safely just tell it
+         * to always delete from the builin chain
+         */
+        if (startup && createdChains) {
+            VIR_DEBUG("Requesting cleanup of legacy firewall rules");
+            iptablesSetDeletePrivate(false);
+        }
+     }
+ }
+ 
+diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
+index ec7b1ed8b7..74a9b87158 100644
+--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
+@@ -20,7 +20,8 @@
+ #include <config.h>
+ 
+ void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver ATTRIBUTE_UNUSED,
+-                                   bool startup ATTRIBUTE_UNUSED)
+                                   bool startup ATTRIBUTE_UNUSED,
+                                   bool force ATTRIBUTE_UNUSED)
+ {
+ }
+ 
+diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
+index 169417a6c0..48ab52c160 100644
+--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
+@@ -62,7 +62,7 @@ struct _virNetworkDriverState {
+ typedef struct _virNetworkDriverState virNetworkDriverState;
+ typedef virNetworkDriverState *virNetworkDriverStatePtr;
+ 
+-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);
+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup, bool force);
+ void networkPostReloadFirewallRules(bool startup);
+ 
+ int networkCheckRouteCollision(virNetworkDefPtr def);
@@ -0,0 +1,85 @@
+From: Laine Stump <laine@redhat.com>
+Date: Fri, 1 May 2020 00:05:50 -0400
+Subject: [PATCH] systemd: start libvirtd after firewalld/iptables services
+
+When a system has enabled the iptables/ip6tables services rather than
+firewalld, there is no explicit ordering of the start of those
+services vs. libvirtd. This creates a problem when libvirtd.service is
+started before ip[6]tables, as the latter, when it finally is started,
+will remove all of the iptables rules that had previously been added
+by libvirt, including the custom chains where libvirt's rules are
+kept. This results in an error message similar to the following when a
+user subsequently tries to start a new libvirt network:
+
+ "Error while activating network: Call to virNetworkCreate failed:
+ internal error: Failed to apply firewall rules
+ /usr/sbin/ip6tables -w --table filter --insert LIBVIRT_FWO \
+   --in-interface virbr2 --jump REJECT:
+ ip6tables: No chain/target/match by that name."
+
+(Prior to logging this error, it also would have caused failure to
+forward (or block) traffic in some cases, e.g. for guests on a NATed
+network, since libvirt's rules to forward/block had all been deleted
+and libvirt didn't know about it, so it couldn't fix the problem)
+
+When this happens, the problem can be remedied by simply restarting
+libvirtd.service (which has the side-effect of reloading all
+libvirt-generated firewall rules)
+
+Instead, we can just explicitly stating in the libvirtd.service file
+that libvirtd.service should start after ip6tables.service and
+ip6tables.service, eliminating the race condition that leads to the
+error.
+
+There is also nothing (that I can see) in the systemd .service files
+to guarantee that firewalld.service will be started (if enabled) prior
+to libvirtd.service. The same error scenario given above would occur
+if libvirtd.service started before firewalld.service.  Even before
+that, though libvirtd would have detected that firewalld.service was
+disabled, and then turn off all firewalld support. So, for example,
+firewalld's libvirt zone wouldn't be used, and most likely traffic
+from guests would therefore be blocked (all with no external
+indication of the source of the problem other than a debug-level log
+when libvirtd was started saying that firewalld wasn't in use); also
+libvirtd wouldn't notice when firewalld reloaded its rules (which also
+simultaneously deletes all of libvirt's rules).
+
+I'm not aware of any reports that have been traced back to
+libvirtd.service starting before firewalld.service, but have seen that
+error reported multiple times, and also don't see an existing
+dependency that would guarantee firewalld.service starts before
+libvirtd.service, so it's possible it's been happening and we just
+haven't gotten to the bottom of it.
+
+This patch adds an After= line to the libvirtd.service file for each
+of iptables.service, ip6tables.service, and firewalld.servicee, which
+should guarantee that libvirtd.service isn't started until systemd has
+started whichever of the others is enabled.
+
+This race was diagnosed, and patch proposed, by Jason Montleon in
+https://bugzilla.redhat.com/1723698 . At the time (April 2019) danpb
+agreed with him that this change to libvirtd.service was a reasonable
+thing to do, but I guess everyone thought someone else was going to
+post a patch, so in the end nobody did.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 0756415f147dda15a417bd79eef9a62027d176e6)
+---
+ src/remote/libvirtd.service.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index d5d98f0c12..ada5be62e6 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -11,6 +11,9 @@ Wants=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
+After=firewalld.service
+After=iptables.service
+After=ip6tables.service
+ After=dbus.service
+ After=iscsid.service
+ After=apparmor.service
@@ -0,0 +1,41 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 19 Feb 2020 08:40:59 +0100
+Subject: [PATCH] qemuDomainGetStatsIOThread: Don't leak array with 0 iothreads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+qemuMonitorGetIOThreads returns a NULL-terminated list even when 0
+iothreads are present. The caller didn't perform cleanup if there were 0
+iothreads leaking the array.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1804548
+
+Fixes: d1eac92784573559b6fd56836e33b215c89308e3
+Reported-by: Jing Yan <jiyan@redhat.com>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581)
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 5dd2616c7b..331e53b971 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -21632,8 +21632,12 @@ qemuDomainGetStatsIOThread(virQEMUDriverPtr driver,
+     if ((niothreads = qemuDomainGetIOThreadsMon(driver, dom, &iothreads)) < 0)
+         return -1;
+ 
+-    if (niothreads == 0)
+-        return 0;
+    /* qemuDomainGetIOThreadsMon returns a NULL-terminated list, so we must free
+     * it even if it returns 0 */
+    if (niothreads == 0) {
+        ret = 0;
+        goto cleanup;
+    }
+ 
+     QEMU_ADD_COUNT_PARAM(record, maxparams, "iothread", niothreads);
+ 
@@ -0,0 +1,47 @@
+From: Yi Li <yili@winhong.com>
+Date: Sat, 21 Dec 2019 08:33:33 +0800
+Subject: [PATCH] storage: Fix daemon crash on lookup storagepool by targetpath
+
+Causing a crash when storagePoolLookupByTargetPath beacuse of
+Some types of storage pool have no target elements.
+Use STREQ_NULLABLE instead of STREQ
+Avoids segfaults when using NULL arguments.
+
+Core was generated by `/usr/sbin/libvirtd'.
+Program terminated with signal 11, Segmentation fault.
+(gdb) bt
+0  0x0000ffff9e951388 in strcmp () from /lib64/libc.so.6
+1  0x0000ffff92103e9c in storagePoolLookupByTargetPathCallback (
+    obj=0xffff7009aab0, opaque=0xffff801058b0) at storage/storage_driver.c:1649
+2  0x0000ffff9f2c52a4 in virStoragePoolObjListSearchCb (
+    payload=0xffff801058b0, name=<optimized out>, opaque=<optimized out>)
+    at conf/virstorageobj.c:476
+3  0x0000ffff9f1f2f7c in virHashSearch (ctable=0xffff800f4f60,
+    iter=iter@entry=0xffff9f2c5278 <virStoragePoolObjListSearchCb>,
+    data=data@entry=0xffff95af7488, name=name@entry=0x0) at util/virhash.c:696
+4  0x0000ffff9f2c64f0 in virStoragePoolObjListSearch (pools=0xffff800f2ce0,
+    searcher=searcher@entry=0xffff92103e68 <storagePoolLookupByTargetPathCallback>,
+     opaque=<optimized out>) at conf/virstorageobj.c:505
+5  0x0000ffff92101f54 in storagePoolLookupByTargetPath (conn=0xffff5c0009f0,
+path=0xffff7009a850 "/vms/images") at storage/storage_driver.c:1672
+
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Yi Li <yili@winhong.com>
+(cherry picked from commit dfff16a7c261f8d28e3abe60a47165f845fa952f)
+---
+ src/storage/storage_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 05192027d6..d878b0be92 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -1675,7 +1675,7 @@ storagePoolLookupByTargetPathCallback(virStoragePoolObjPtr obj,
+         return false;
+ 
+     def = virStoragePoolObjGetDef(obj);
+-    return STREQ(path, def->target.path);
+    return STREQ_NULLABLE(path, def->target.path);
+ }
+ 
+ 
@@ -0,0 +1,168 @@
+From: Jonathon Jongsma <jjongsma@redhat.com>
+Date: Thu, 5 Dec 2019 10:08:52 -0600
+Subject: [PATCH] qemu: don't hold both jobs for suspend
+
+We have to assume that the guest agent may be malicious so we don't want
+to allow any agent queries to block any other libvirt API. By holding a
+monitor job while we're querying the agent, we open ourselves up to a
+DoS.
+
+So split the function up a bit to only hold the monitor job while
+querying qemu for whether the domain supports suspend. Then acquire only
+an agent job while issuing the agent suspend command.
+
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit a663a860819287e041c3de672aad1d8543098ecc)
+---
+ src/qemu/qemu_driver.c | 94 ++++++++++++++++++++++++++----------------
+ 1 file changed, 59 insertions(+), 35 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 331e53b971..96c0b3505a 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -19867,6 +19867,59 @@ qemuDomainProbeQMPCurrentMachine(virQEMUDriverPtr driver,
+ }
+ 
+ 
+/* returns -1 on error, or if query is not supported, 0 if query was successful */
+static int
+qemuDomainQueryWakeupSuspendSupport(virQEMUDriverPtr driver,
+                                    virDomainObjPtr vm,
+                                    bool *wakeupSupported)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret = -1;
+
+    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+        return -1;
+
+    if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
+        return -1;
+
+    if ((ret = virDomainObjCheckActive(vm)) < 0)
+        goto endjob;
+
+    ret = qemuDomainProbeQMPCurrentMachine(driver, vm, wakeupSupported);
+
+ endjob:
+    qemuDomainObjEndJob(driver, vm);
+    return ret;
+}
+
+
+static int
+qemuDomainPMSuspendAgent(virQEMUDriverPtr driver,
+                         virDomainObjPtr vm,
+                         unsigned int target)
+{
+    qemuAgentPtr agent;
+    int ret = -1;
+
+    if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
+        return -1;
+
+    if ((ret = virDomainObjCheckActive(vm)) < 0)
+        goto endjob;
+
+    if (!qemuDomainAgentAvailable(vm, true))
+        goto endjob;
+
+    agent = qemuDomainObjEnterAgent(vm);
+    ret = qemuAgentSuspend(agent, target);
+    qemuDomainObjExitAgent(vm, agent);
+
+ endjob:
+    qemuDomainObjEndAgentJob(vm);
+    return ret;
+}
+
+
+ static int
+ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+                                unsigned int target,
+@@ -19874,11 +19927,9 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+                                unsigned int flags)
+ {
+     virQEMUDriverPtr driver = dom->conn->privateData;
+-    qemuDomainObjPrivatePtr priv;
+     virDomainObjPtr vm;
+-    qemuAgentPtr agent;
+-    qemuDomainJob job = QEMU_JOB_NONE;
+     int ret = -1;
+    bool wakeupSupported;
+ 
+     virCheckFlags(0, -1);
+ 
+@@ -19903,17 +19954,6 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+     if (virDomainPMSuspendForDurationEnsureACL(dom->conn, vm->def) < 0)
+         goto cleanup;
+ 
+-    priv = vm->privateData;
+-
+-    if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+-        job = QEMU_JOB_MODIFY;
+-
+-    if (qemuDomainObjBeginJobWithAgent(driver, vm, job, QEMU_AGENT_JOB_MODIFY) < 0)
+-        goto cleanup;
+-
+-    if (virDomainObjCheckActive(vm) < 0)
+-        goto endjob;
+-
+     /*
+      * The case we want to handle here is when QEMU has the API (i.e.
+      * QEMU_CAPS_QUERY_CURRENT_MACHINE is set). Otherwise, do not interfere
+@@ -19921,16 +19961,11 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+      * that don't know about this cap, will keep their old behavior of
+      * suspending 'in the dark'.
+      */
+-    if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) {
+-        bool wakeupSupported;
+-
+-        if (qemuDomainProbeQMPCurrentMachine(driver, vm, &wakeupSupported) < 0)
+-            goto endjob;
+-
+    if (qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported) == 0) {
+         if (!wakeupSupported) {
+             virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                            _("Domain does not have suspend support"));
+-            goto endjob;
+            goto cleanup;
+         }
+     }
+ 
+@@ -19940,29 +19975,18 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+              target == VIR_NODE_SUSPEND_TARGET_HYBRID)) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("S3 state is disabled for this domain"));
+-            goto endjob;
+            goto cleanup;
+         }
+ 
+         if (vm->def->pm.s4 == VIR_TRISTATE_BOOL_NO &&
+             target == VIR_NODE_SUSPEND_TARGET_DISK) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("S4 state is disabled for this domain"));
+-            goto endjob;
+            goto cleanup;
+         }
+     }
+ 
+-    if (!qemuDomainAgentAvailable(vm, true))
+-        goto endjob;
+-
+-    agent = qemuDomainObjEnterAgent(vm);
+-    ret = qemuAgentSuspend(agent, target);
+-    qemuDomainObjExitAgent(vm, agent);
+-
+- endjob:
+-    if (job)
+-        qemuDomainObjEndJobWithAgent(driver, vm);
+-    else
+-        qemuDomainObjEndAgentJob(vm);
+    ret = qemuDomainPMSuspendAgent(driver, vm, target);
+ 
+  cleanup:
+     virDomainObjEndAPI(&vm);
@@ -1,21 +0,0 @@
-# Makefile for source rpm: libvirt
-# $Id$
-NAME := libvirt
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
@@ -1 +0,0 @@
-F-11
@@ -1,45 +0,0 @@
-From: "Daniel P. Berrange" <berrange@redhat.com>
-To: libvir-list@redhat.com
-Date: Thu, 30 Apr 2009 15:09:05 +0100
-Subject: [libvirt] PATCH: Enable migration with QEMU >= 0.10.0
-
-The KVM migration code was added to QEMU for the 0.10.0 release, so we 
-should enable this in libvirt now.
-
-Daniel
-
-diff -r be7993675e07 src/qemu_conf.c
--- a/src/qemu_conf.c	Thu Apr 30 14:49:27 2009 +0100
-+++ b/src/qemu_conf.c	Thu Apr 30 15:08:45 2009 +0100
-@@ -472,16 +472,13 @@ int qemudExtractVersionInfo(const char *
- 
-     /*
-      * Handling of -incoming arg with varying features
-     *  -incoming tcp    (kvm >= 79)
-     *  -incoming exec   (kvm >= 80)
-+     *  -incoming tcp    (kvm >= 79, qemu >= 0.10.0)
-+     *  -incoming exec   (kvm >= 80, qemu >= 0.10.0)
-      *  -incoming stdio  (all earlier kvm)
-      *
-      * NB, there was a pre-kvm-79 'tcp' support, but it
-      * was broken, because it blocked the monitor console
-      * while waiting for data, so pretend it doesn't exist
-     *
-     * XXX when next QEMU release after 0.9.1 arrives,
-     * we'll need to add MIGRATE_QEMU_TCP/EXEC here too
-      */
-     if (kvm_version >= 79) {
-         flags |= QEMUD_CMD_FLAG_MIGRATE_QEMU_TCP;
-@@ -489,6 +486,9 @@ int qemudExtractVersionInfo(const char *
-             flags |= QEMUD_CMD_FLAG_MIGRATE_QEMU_EXEC;
-     } else if (kvm_version > 0) {
-         flags |= QEMUD_CMD_FLAG_MIGRATE_KVM_STDIO;
-+    } else if (version >= 10000) {
-+        flags |= QEMUD_CMD_FLAG_MIGRATE_QEMU_TCP;
-+        flags |= QEMUD_CMD_FLAG_MIGRATE_QEMU_EXEC;
-     }
- 
-     if (retversion)
-
-
-- 
@@ -1,26 +0,0 @@
-From 0ae4c67ff5f1d24698c5cfc8a9719d333c892644 Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Thu, 16 Apr 2009 11:23:55 +0100
-Subject: [PATCH 1/3] qemu -drive takes format= not fmt=
-
-Seems like a simple typo - it has been "format=" since the flag
-was introduced, but we added it as "fmt=".
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
---
- src/qemu_conf.c                                    |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/qemu_conf.c b/src/qemu_conf.c
-index f36c927..6f9e610 100644
--- a/src/qemu_conf.c
-+++ b/src/qemu_conf.c
-@@ -1135,7 +1135,7 @@ int qemudBuildCommandLine(virConnectPtr conn,
-                 disk->device == VIR_DOMAIN_DISK_DEVICE_DISK)
-                 virBufferAddLit(&opt, ",boot=on");
-             if (disk->driverType)
-                virBufferVSprintf(&opt, ",fmt=%s", disk->driverType);
-+                virBufferVSprintf(&opt, ",format=%s", disk->driverType);
- 
-             if (disk->cachemode) {
-                 const char *mode =
@@ -1,76 +0,0 @@
-diff -rup libvirt-0.6.2/src/security_selinux.c libvirt-0.6.2.new/src/security_selinux.c
--- libvirt-0.6.2/src/security_selinux.c	2009-04-03 15:36:56.000000000 +0100
-+++ libvirt-0.6.2.new/src/security_selinux.c	2009-05-05 13:39:42.000000000 +0100
-@@ -24,11 +24,12 @@
- #include "virterror_internal.h"
- #include "util.h"
- #include "memory.h"
-
-+#include "logging.h"
- 
- #define VIR_FROM_THIS VIR_FROM_SECURITY
- 
- static char default_domain_context[1024];
-+static char default_content_context[1024];
- static char default_image_context[1024];
- #define SECURITY_SELINUX_VOID_DOI       "0"
- #define SECURITY_SELINUX_NAME "selinux"
-@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
-     close(fd);
- 
-     ptr = strchrnul(default_image_context, '\n');
-    *ptr = '\0';
-
-+    if (*ptr == '\n') {
-+        *ptr = '\0';
-+        strcpy(default_content_context, ptr+1);
-+        ptr = strchrnul(default_content_context, '\n');
-+        if (*ptr == '\n')
-+            *ptr = '\0';
-+    }
-     return 0;
- }
- 
-@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, co
- {
-     char ebuf[1024];
- 
-+    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
-+
-     if(setfilecon(path, tcon) < 0) {
-         virSecurityReportError(conn, VIR_ERR_ERROR,
-                                _("%s: unable to set security context "
-@@ -299,6 +307,8 @@ SELinuxRestoreSecurityImageLabel(virConn
-     char *newpath = NULL;
-     const char *path = disk->src;
- 
-+    /* Don't restore labels on readoly/shared disks, because
-+     * other VMs may still be accessing these */
-     if (disk->readonly || disk->shared)
-         return 0;
- 
-@@ -328,8 +338,13 @@ SELinuxSetSecurityImageLabel(virConnectP
- {
-     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- 
-    if (secdef->imagelabel)
-+    if (disk->shared) {
-+        return SELinuxSetFilecon(conn, disk->src, default_image_context);
-+    } else if (disk->readonly) {
-+        return SELinuxSetFilecon(conn, disk->src, default_content_context);
-+    } else if (secdef->imagelabel) {
-         return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
-+    }
- 
-     return 0;
- }
-@@ -403,9 +418,6 @@ SELinuxSetSecurityLabel(virConnectPtr co
- 
-     if (secdef->imagelabel) {
-         for (i = 0 ; i < vm->def->ndisks ; i++) {
-            if (vm->def->disks[i]->readonly ||
-                vm->def->disks[i]->shared) continue;
-
-             if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
-                 return -1;
-         }
@@ -1,33 +0,0 @@
--- src/qemu_conf.c.orig	2009-04-02 11:50:10.000000000 +0200
-+++ src/qemu_conf.c	2009-04-03 17:46:59.000000000 +0200
-@@ -779,6 +779,20 @@ int qemudBuildCommandLine(virConnectPtr 
-     char domid[50];
-     char *pidfile;
-     const char *cpu = NULL;
-+    int skipSound = 0;
-+
-+    if (driver->securityDriver &&
-+        driver->securityDriver->name &&
-+        STREQ(driver->securityDriver->name, "selinux") &&
-+        getuid() == 0) {
-+        static int soundWarned = 0; 
-+        skipSound = 1;
-+        if (vm->def->nsounds &&
-+            !soundWarned) {
-+            soundWarned = 1;
-+            VIR_WARN0("Sound cards for VMs are disabled while SELinux security model is active");
-+        }
-+    }
- 
-     uname_normalize(&ut);
- 
-@@ -1425,7 +1439,8 @@ int qemudBuildCommandLine(virConnectPtr 
-     }
- 
-     /* Add sound hardware */
-    if (vm->def->nsounds) {
-+    if (vm->def->nsounds &&
-+        !skipSound) {
-         int size = 100;
-         char *modstr;
-         if (VIR_ALLOC_N(modstr, size+1) < 0)
@@ -1,45 +0,0 @@
-From 3d7771e0570e09096ad9391a857dad48b150bc0c Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Wed, 6 May 2009 16:33:28 +0100
-Subject: [PATCH] Fix qemu driver's interpretation of <hostdev managed='yes'/>
-
-This change:
-
-  Tue Mar  3 08:55:13 GMT 2009 Daniel P. Berrange <berrange@redhat.com>
-
-       Don't try to detach & reset PCI devices while running test
-       suite for XML-> ARGV conversion.
-       * src/qemu_driver.c: Add qemuPrepareHostDevices() helper to
-       detach and reset PCI devices.
-       * src/qemu_conf.c: Don't detach & reset PCI devices while
-       building the command line argv
-
-accidentally did this:
-
-            if (hostdev->managed) {
-+        if (!hostdev->managed) {
-
-Which results in managed='yes' not causing the device to be
-detached when the guest is starting.
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
---
- src/qemu_driver.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 5898026..59312c0 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -1215,7 +1215,7 @@ static int qemuPrepareHostDevices(virConnectPtr conn,
-         if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI)
-             continue;
- 
-        if (!hostdev->managed) {
-+        if (hostdev->managed) {
-             pciDevice *dev = pciGetDevice(conn,
-                                           hostdev->source.subsys.u.pci.domain,
-                                           hostdev->source.subsys.u.pci.bus,
-- 
-1.6.0.6
-
@@ -1,76 +0,0 @@
-commit 0e51348cb9aeafe5e2fd6469a4bde0baa1eb8720
-Author: Cole Robinson <crobinso@redhat.com>
-Date:   Mon May 4 15:06:03 2009 -0400
-
-    Refresh QEMU driver capabilities for each getCapabilities call.
-    
-    Also fix up a couple issues where caps are accessed without locking
-    the driver structure.
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 23ea961..790dac6 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -1885,10 +1885,12 @@ static int qemudGetNodeInfo(virConnectPtr conn,
- 
- static char *qemudGetCapabilities(virConnectPtr conn) {
-     struct qemud_driver *driver = conn->privateData;
-    char *xml;
-+    char *xml = NULL;
- 
-     qemuDriverLock(driver);
-    if ((xml = virCapabilitiesFormatXML(driver->caps)) == NULL)
-+    virCapabilitiesFree(qemu_driver->caps);
-+    if ((qemu_driver->caps = qemudCapsInit()) == NULL ||
-+        (xml = virCapabilitiesFormatXML(driver->caps)) == NULL)
-         virReportOOMError(conn);
-     qemuDriverUnlock(driver);
- 
-@@ -3169,20 +3171,26 @@ cleanup:
-     return ret;
- }
- 
-static int qemudNodeGetSecurityModel(virConnectPtr conn, virSecurityModelPtr secmodel)
-+static int qemudNodeGetSecurityModel(virConnectPtr conn,
-+                                     virSecurityModelPtr secmodel)
- {
-     struct qemud_driver *driver = (struct qemud_driver *)conn->privateData;
-     char *p;
-+    int ret = 0;
- 
-    if (!driver->securityDriver)
-        return -2;
-+    qemuDriverLock(driver);
-+    if (!driver->securityDriver) {
-+        ret = -2;
-+        goto cleanup;
-+    }
- 
-     p = driver->caps->host.secModel.model;
-     if (strlen(p) >= VIR_SECURITY_MODEL_BUFLEN-1) {
-         qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-                          _("security model string exceeds max %d bytes"),
-                          VIR_SECURITY_MODEL_BUFLEN-1);
-        return -1;
-+        ret = -1;
-+        goto cleanup;
-     }
-     strcpy(secmodel->model, p);
- 
-@@ -3191,10 +3199,14 @@ static int qemudNodeGetSecurityModel(virConnectPtr conn, virSecurityModelPtr sec
-         qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-                          _("security DOI string exceeds max %d bytes"),
-                          VIR_SECURITY_DOI_BUFLEN-1);
-        return -1;
-+        ret = -1;
-+        goto cleanup;
-     }
-     strcpy(secmodel->doi, p);
-    return 0;
-+
-+cleanup:
-+    qemuDriverUnlock(driver);
-+    return ret;
- }
- 
- /* TODO: check seclabel restore */
@@ -1 +1 @@
-3035b484861516a1cd425acef1e760e3  libvirt-0.6.2.tar.gz
+SHA512 (libvirt-5.6.0.tar.xz) = 95fe931394fb31288faf73349bb298f08f63cf062f851b9935303145f8166f69128be9360757f0e1845256c14f4d7672843dba0dc6c086b1c3c8bfc035cc8986