libvirt-5.6.0-7

Fix iptables No chain/target/match by that name (bz #1813830) systemd: start libvirtd after firewalld/iptables services (bz #1697636) CVE-2020-12430: memory leak in domstats may allow read-only user to perform DoS attack (bz #1828216, bz #1828190) CVE-2020-10703: Potential denial of service via active pool without target path (bz #1820690, bz #1816650) CVE-2019-20485: potential DoS by holding a monitor job while querying QEMU guest-agent (bz #1809741, bz #1809740)
libvirt-5.6.0-6
2020-05-27 17:44:01 -04:00 · 2020-04-07 16:47:31 -04:00 · 2019-11-11 15:20:15 -05:00 · 2019-09-26 15:47:53 -04:00 · 2019-09-17 12:43:07 -04:00 · 2019-09-17 12:23:56 -04:00
51 changed files with 6090 additions and 1242 deletions
@@ -1,12 +0,0 @@
-.build*.log
-*.rpm
-i686
-x86_64
-libvirt-*.tar.gz
-libvirt-0.6.0.tar.gz
-libvirt-0.6.1.tar.gz
-libvirt-0.6.2.tar.gz
-libvirt-0.6.3.tar.gz
-libvirt-0.6.4.tar.gz
-libvirt-0.6.5.tar.gz
-libvirt-0.7.0-0.1.gitf055724.tar.gz
@@ -0,0 +1,5 @@
+.build*.log
+*.rpm
+i686
+x86_64
+libvirt-*.tar.xz
@@ -0,0 +1,31 @@
+From: Erik Skultety <eskultet@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:09 +0200
+Subject: [PATCH] src: security: Replace bitwise OR with logical OR
+
+Typo introduced by commit d73f3f58360.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1738483
+
+Signed-off-by: Erik Skultety <eskultet@redhat.com>
+(cherry picked from commit 5801ef06ec29fdbac6718e455015450f7c243c1b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index ad265b0bc5..9d3f483f6b 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -268,7 +268,7 @@ virSecurityMoveRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) attr_value = NULL;
+ 
+-    if (!(ref_name = virSecurityGetRefCountAttrName(name)) |
+    if (!(ref_name = virSecurityGetRefCountAttrName(name)) ||
+         !(attr_name = virSecurityGetAttrName(name)))
+         return -1;
+ 
@@ -0,0 +1,176 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:10 +0200
+Subject: [PATCH] security_util: Use more VIR_AUTOFREE()
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 8ced0909e5a0c41a44c2110d7060f6518b65f0db)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 78 +++++++++++++++---------------------
+ 1 file changed, 32 insertions(+), 46 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 9d3f483f6b..04347f51e5 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -113,34 +113,32 @@ virSecurityGetRememberedLabel(const char *name,
+                               const char *path,
+                               char **label)
+ {
+-    char *ref_name = NULL;
+-    char *attr_name = NULL;
+-    char *value = NULL;
+    VIR_AUTOFREE(char *) ref_name = NULL;
+    VIR_AUTOFREE(char *) attr_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int ret = -1;
+ 
+     *label = NULL;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) {
+-        if (errno == ENOSYS || errno == ENODATA || errno == ENOTSUP) {
+-            ret = -2;
+-        } else {
+-            virReportSystemError(errno,
+-                                 _("Unable to get XATTR %s on %s"),
+-                                 ref_name,
+-                                 path);
+-        }
+-        goto cleanup;
+        if (errno == ENOSYS || errno == ENODATA || errno == ENOTSUP)
+            return -2;
+
+        virReportSystemError(errno,
+                             _("Unable to get XATTR %s on %s"),
+                             ref_name,
+                             path);
+        return -1;
+     }
+ 
+     if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+                        value, path);
+-        goto cleanup;
+        return -1;
+     }
+ 
+     VIR_FREE(value);
+@@ -149,30 +147,25 @@ virSecurityGetRememberedLabel(const char *name,
+ 
+     if (refcount > 0) {
+         if (virAsprintf(&value, "%u", refcount) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileSetXAttr(path, ref_name, value) < 0)
+-            goto cleanup;
+            return -1;
+     } else {
+         if (virFileRemoveXAttr(path, ref_name) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (!(attr_name = virSecurityGetAttrName(name)))
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileGetXAttr(path, attr_name, label) < 0)
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileRemoveXAttr(path, attr_name) < 0)
+-            goto cleanup;
+            return -1;
+     }
+ 
+-    ret = 0;
+- cleanup:
+-    VIR_FREE(value);
+-    VIR_FREE(attr_name);
+-    VIR_FREE(ref_name);
+-    return ret;
+    return 0;
+ }
+ 
+ 
+@@ -201,25 +194,23 @@ virSecuritySetRememberedLabel(const char *name,
+                               const char *path,
+                               const char *label)
+ {
+-    char *ref_name = NULL;
+-    char *attr_name = NULL;
+-    char *value = NULL;
+    VIR_AUTOFREE(char *) ref_name = NULL;
+    VIR_AUTOFREE(char *) attr_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int ret = -1;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) {
+         if (errno == ENOSYS || errno == ENOTSUP) {
+-            ret = -2;
+-            goto cleanup;
+            return -2;
+         } else if (errno != ENODATA) {
+             virReportSystemError(errno,
+                                  _("Unable to get XATTR %s on %s"),
+                                  ref_name,
+                                  path);
+-            goto cleanup;
+            return -1;
+         }
+     }
+ 
+@@ -228,7 +219,7 @@ virSecuritySetRememberedLabel(const char *name,
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+                        value, path);
+-        goto cleanup;
+        return -1;
+     }
+ 
+     VIR_FREE(value);
+@@ -237,24 +228,19 @@ virSecuritySetRememberedLabel(const char *name,
+ 
+     if (refcount == 1) {
+         if (!(attr_name = virSecurityGetAttrName(name)))
+-            goto cleanup;
+            return -1;
+ 
+         if (virFileSetXAttr(path, attr_name, label) < 0)
+-            goto cleanup;
+            return -1;
+     }
+ 
+     if (virAsprintf(&value, "%u", refcount) < 0)
+-        goto cleanup;
+        return -1;
+ 
+     if (virFileSetXAttr(path, ref_name, value) < 0)
+-        goto cleanup;
+        return -1;
+ 
+-    ret = refcount;
+- cleanup:
+-    VIR_FREE(value);
+-    VIR_FREE(attr_name);
+-    VIR_FREE(ref_name);
+-    return ret;
+    return refcount;
+ }
+ 
+ 
@@ -0,0 +1,39 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:11 +0200
+Subject: [PATCH] security_util: Document virSecurityMoveRememberedLabel
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 359c7c1e94e0c54bf7e7a5a8365f066904b4387b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 04347f51e5..365b2dd2d6 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -244,6 +244,19 @@ virSecuritySetRememberedLabel(const char *name,
+ }
+ 
+ 
+/**
+ * virSecurityMoveRememberedLabel:
+ * @name: security driver name
+ * @src: source file
+ * @dst: destination file
+ *
+ * For given security driver @name, move all XATTRs related to seclabel
+ * remembering from @src to @dst. However, if @dst is NULL, then XATTRs
+ * are just removed from @src.
+ *
+ * Returns: 0 on success,
+ *         -1 otherwise.
+ */
+ int
+ virSecurityMoveRememberedLabel(const char *name,
+                                const char *src,
@@ -0,0 +1,164 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:12 +0200
+Subject: [PATCH] security: Don't increase XATTRs refcounter on failure
+
+If user has two domains, each have the same disk (configured for
+RW) but each runs with different seclabel then we deny start of
+the second domain because in order to do that we would need to
+relabel the disk but that would cut the first domain off. Even if
+we did not do that, qemu would fail to start because it would be
+unable to lock the disk image for the second time. So far, this
+behaviour is expected. But what is not expected is that we
+increase the refcounter in XATTRs and leave it like that.
+
+What happens is that when the second domain starts,
+virSecuritySetRememberedLabel() is called, and since there are
+XATTRs from the first domain it increments the refcounter and
+returns it (refcounter == 2 at this point). Then callers
+(virSecurityDACSetOwnership() and
+virSecuritySELinuxSetFileconHelper()) realize that refcounter is
+greater than 1 and desired seclabel doesn't match the one the
+disk image already has and an error is produced. But the
+refcounter is never decremented.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 6a2806fd549c0bfdcb3eb83f130ee99ea8d213e1)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_dac.c     | 41 ++++++++++++++++++---------------
+ src/security/security_selinux.c | 18 ++++++++++-----
+ 2 files changed, 34 insertions(+), 25 deletions(-)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 137daf5d28..4b4afef18a 100644
+--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
+@@ -751,6 +751,7 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+                            bool remember)
+ {
+     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virErrorPtr origerr;
+     struct stat sb;
+     int refcount;
+     int rc;
+@@ -784,12 +785,13 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+              * is @refcount domains using the @path. Do not
+              * change the label (as it would almost certainly
+              * cause the other domains to lose access to the
+-             * @path). */
+             * @path). However, the refcounter was incremented in
+             * XATTRs so decrease it. */
+             if (sb.st_uid != uid || sb.st_gid != gid) {
+                 virReportError(VIR_ERR_OPERATION_INVALID,
+                                _("Setting different DAC user or group on %s "
+                                  "which is already in use"), path);
+-                return -1;
+                goto error;
+             }
+         }
+     }
+@@ -797,25 +799,26 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
+     VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
+              NULLSTR(src ? src->path : path), (long)uid, (long)gid);
+ 
+-    if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0) {
+-        virErrorPtr origerr;
+-
+-        virErrorPreserveLast(&origerr);
+-        /* Try to restore the label. This is done so that XATTRs
+-         * are left in the same state as when the control entered
+-         * this function. However, if our attempt fails, there's
+-         * not much we can do. XATTRs refcounting is fubar'ed and
+-         * the only option we have is warn users. */
+-        if (virSecurityDACRestoreFileLabelInternal(mgr, src, path, remember) < 0)
+-            VIR_WARN("Unable to restore label on '%s'. "
+-                     "XATTRs might have been left in inconsistent state.",
+-                     NULLSTR(src ? src->path : path));
+-
+-        virErrorRestore(&origerr);
+-        return -1;
+-    }
+    if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0)
+        goto error;
+ 
+     return 0;
+
+ error:
+    virErrorPreserveLast(&origerr);
+    /* Try to restore the label. This is done so that XATTRs
+     * are left in the same state as when the control entered
+     * this function. However, if our attempt fails, there's
+     * not much we can do. XATTRs refcounting is fubar'ed and
+     * the only option we have is warn users. */
+    if (virSecurityDACRestoreFileLabelInternal(mgr, src, path, remember) < 0)
+        VIR_WARN("Unable to restore label on '%s'. "
+                 "XATTRs might have been left in inconsistent state.",
+                 NULLSTR(src ? src->path : path));
+
+    virErrorRestore(&origerr);
+
+    return -1;
+ }
+ 
+ 
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index ea20373a90..9857223bbf 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1334,6 +1334,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+     security_context_t econ = NULL;
+     int refcount;
+     int rc;
+    bool rollback = false;
+     int ret = -1;
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
+@@ -1353,6 +1354,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ 
+         if (econ) {
+             refcount = virSecuritySELinuxRememberLabel(path, econ);
+            if (refcount > 0)
+                rollback = true;
+             if (refcount == -2) {
+                 /* Not supported. Don't error though. */
+             } else if (refcount < 0) {
+@@ -1362,7 +1365,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                  * is @refcount domains using the @path. Do not
+                  * change the label (as it would almost certainly
+                  * cause the other domains to lose access to the
+-                 * @path). */
+                 * @path). However, the refcounter was
+                 * incremented in XATTRs so decrease it. */
+                 if (STRNEQ(econ, tcon)) {
+                     virReportError(VIR_ERR_OPERATION_INVALID,
+                                    _("Setting different SELinux label on %s "
+@@ -1373,7 +1377,12 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0) {
+    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    if (ret < 0 && rollback) {
+         virErrorPtr origerr;
+ 
+         virErrorPreserveLast(&origerr);
+@@ -1388,11 +1397,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                      path);
+ 
+         virErrorRestore(&origerr);
+-        goto cleanup;
+-    }
+ 
+-    ret = 0;
+- cleanup:
+    }
+     freecon(econ);
+     return ret;
+ }
@@ -0,0 +1,183 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:13 +0200
+Subject: [PATCH] util: Introduce virhostuptime
+
+This module contains function to get host boot time.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 8b802f13cb47817706cba101f5d52e2c8957698d)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ configure.ac             |  1 +
+ src/libvirt_private.syms |  4 ++
+ src/util/Makefile.inc.am |  2 +
+ src/util/virhostuptime.c | 81 ++++++++++++++++++++++++++++++++++++++++
+ src/util/virhostuptime.h | 27 ++++++++++++++
+ 5 files changed, 115 insertions(+)
+ create mode 100644 src/util/virhostuptime.c
+ create mode 100644 src/util/virhostuptime.h
+
+diff --git a/configure.ac b/configure.ac
+index d18d427695..771dd961a5 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -337,6 +337,7 @@ AC_CHECK_FUNCS_ONCE([\
+   getpwuid_r \
+   getrlimit \
+   getuid \
+  getutxid \
+   if_indextoname \
+   mmap \
+   newlocale \
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index c323f679b3..9fd778272f 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -2135,6 +2135,10 @@ virHostMemGetStats;
+ virHostMemSetParameters;
+ 
+ 
+# util/virhostuptime.h
+virHostGetBootTime;
+
+
+ # util/viridentity.h
+ virIdentityGetAttr;
+ virIdentityGetCurrent;
+diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am
+index a47f333a98..46866cf213 100644
+--- a/src/util/Makefile.inc.am
+++ b/src/util/Makefile.inc.am
+@@ -91,6 +91,8 @@ UTIL_SOURCES = \
+ 	util/virhostdev.h \
+ 	util/virhostmem.c \
+ 	util/virhostmem.h \
+	util/virhostuptime.c \
+	util/virhostuptime.h \
+ 	util/viridentity.c \
+ 	util/viridentity.h \
+ 	util/virinitctl.c \
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+new file mode 100644
+index 0000000000..62b781acd5
+--- /dev/null
+++ b/src/util/virhostuptime.c
+@@ -0,0 +1,81 @@
+/*
+ * virhostuptime.c: helper APIs for host uptime
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#ifdef HAVE_GETUTXID
+# include <utmpx.h>
+#endif
+
+#include "virhostuptime.h"
+#include "virthread.h"
+
+static unsigned long long bootTime;
+static int bootTimeErrno;
+static virOnceControl virHostGetBootTimeOnce = VIR_ONCE_CONTROL_INITIALIZER;
+
+#ifdef HAVE_GETUTXID
+static void
+virHostGetBootTimeOnceInit(void)
+{
+    struct utmpx id = {.ut_type = BOOT_TIME};
+    struct utmpx *res = NULL;
+
+    if (!(res = getutxid(&id))) {
+        bootTimeErrno = errno;
+    } else {
+        bootTime = res->ut_tv.tv_sec;
+    }
+
+    endutxent();
+}
+
+#else /* !HAVE_GETUTXID */
+
+static void
+virHostGetBootTimeOnceInit(void)
+{
+    bootTimeErrno = ENOSYS;
+}
+#endif /* HAVE_GETUTXID */
+
+/**
+ * virHostGetBootTime:
+ * @when: UNIX timestamp of boot time
+ *
+ * Get a UNIX timestamp of host boot time and store it at @when.
+ *
+ * Return: 0 on success,
+ *        -1 otherwise.
+ */
+int
+virHostGetBootTime(unsigned long long *when)
+{
+    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+        return -1;
+
+    if (bootTimeErrno) {
+        errno = bootTimeErrno;
+        return -1;
+    }
+
+    *when = bootTime;
+    return 0;
+}
+diff --git a/src/util/virhostuptime.h b/src/util/virhostuptime.h
+new file mode 100644
+index 0000000000..03c1517a64
+--- /dev/null
+++ b/src/util/virhostuptime.h
+@@ -0,0 +1,27 @@
+/*
+ * virhostuptime.h: helper APIs for host uptime
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include "internal.h"
+
+int
+virHostGetBootTime(unsigned long long *when)
+    ATTRIBUTE_NOINLINE;
@@ -0,0 +1,344 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:14 +0200
+Subject: [PATCH] security_util: Remove stale XATTRs
+
+It may happen that we leave some XATTRs behind. For instance, on
+a sudden power loss, the host just shuts down without calling
+restore on domain paths. This creates a problem, because when the
+host starts up again, the XATTRs are there but they don't reflect
+the true state and this may result in libvirt denying start of a
+domain.
+
+To solve this, save a unique timestamp (host boot time) among
+with our XATTRs.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 7cfb7aab573a031880a1f4fd20747843fea109ba)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c    | 194 +++++++++++++++++++++++++++++++-
+ tests/qemusecuritymock.c        |  12 ++
+ tools/libvirt_recover_xattrs.sh |   2 +-
+ 3 files changed, 206 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 365b2dd2d6..31f41cedfd 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -22,11 +22,16 @@
+ #include "virfile.h"
+ #include "virstring.h"
+ #include "virerror.h"
+#include "virlog.h"
+#include "viruuid.h"
+#include "virhostuptime.h"
+ 
+ #include "security_util.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_SECURITY
+ 
+VIR_LOG_INIT("security.security_util");
+
+ /* There are four namespaces available on Linux (xattr(7)):
+  *
+  *  user - can be modified by anybody,
+@@ -83,6 +88,153 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBUTE_UNUSED)
+ }
+ 
+ 
+#ifdef XATTR_NAMESPACE
+static char *
+virSecurityGetTimestampAttrName(const char *name)
+{
+    char *ret = NULL;
+    ignore_value(virAsprintf(&ret, XATTR_NAMESPACE ".libvirt.security.timestamp_%s", name));
+    return ret;
+}
+#else /* !XATTR_NAMESPACE */
+static char *
+virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED)
+{
+    errno = ENOSYS;
+    virReportSystemError(errno, "%s",
+                         _("Extended attributes are not supported on this system"));
+    return NULL;
+}
+#endif /* !XATTR_NAMESPACE */
+
+
+static char *
+virSecurityGetTimestamp(void)
+{
+    unsigned long long boottime = 0;
+    char *ret = NULL;
+
+    if (virHostGetBootTime(&boottime) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to get host boot time"));
+        return NULL;
+    }
+
+    ignore_value(virAsprintf(&ret, "%llu", boottime));
+    return ret;
+}
+
+
+/**
+ * virSecurityValidateTimestamp:
+ * @name: security driver name
+ * @path: file name
+ *
+ * Check if remembered label on @path for security driver @name
+ * is valid, i.e. the label has been set since the last boot. If
+ * the label was set in previous runs, all XATTRs related to
+ * @name are removed so that clean slate is restored.
+ *
+ * This is done having extra attribute timestamp_$SECDRIVER which
+ * contains the host boot time. Its value is then compared to
+ * actual host boot time. If these two values don't match then
+ * XATTRs are considered as stale and thus invalid.
+ *
+ * In ideal world, where there network file systems have XATTRs
+ * using plain host boot time is not enough as it may lead to a
+ * situation where a freshly started host sees XATTRs, sees the
+ * timestamp put there by some longer running host and considers
+ * the XATTRs invalid. Well, there is not an easy way out. We
+ * would need to somehow check if the longer running host is
+ * still there and uses the @path (how?).
+ * Fortunately, there is only one network file system which
+ * supports XATTRs currently (GlusterFS via FUSE) and it is used
+ * so rarely that it's almost a corner case.
+ * The worst thing that happens there is that we remove XATTRs
+ * and thus return @path to the default label for $SECDRIVER.
+ *
+ * Returns: 0 if remembered label is valid,
+ *          1 if remembered label was not valid,
+ *         -2 if underlying file system doesn't support XATTRs,
+ *         -1 otherwise.
+ */
+static int
+virSecurityValidateTimestamp(const char *name,
+                             const char *path)
+{
+    VIR_AUTOFREE(char *) expected_timestamp = NULL;
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) value = NULL;
+
+    if (!(expected_timestamp = virSecurityGetTimestamp()) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    errno = 0;
+    if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) {
+        if (errno == ENOSYS || errno == ENOTSUP) {
+            return -2;
+        } else if (errno != ENODATA) {
+            virReportSystemError(errno,
+                                 _("Unable to get XATTR %s on %s"),
+                                 timestamp_name,
+                                 path);
+            return -1;
+        }
+
+        /* Timestamp is missing. We could continue and claim a valid timestamp.
+         * But then we would never remove stale XATTRs. Therefore, claim it
+         * invalid and have the code below remove all XATTRs. This of course
+         * means that we will not restore the original owner, but the plus side
+         * is that we reset refcounter which will represent the true state.
+         */
+    }
+
+    if (STREQ_NULLABLE(value, expected_timestamp)) {
+        VIR_DEBUG("XATTRs on %s secdriver=%s are valid", path, name);
+        return 0;
+    }
+
+    VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=%s", path, name);
+
+    if (virSecurityMoveRememberedLabel(name, path, NULL) < 0)
+        return -1;
+
+    return 1;
+}
+
+
+static int
+virSecurityAddTimestamp(const char *name,
+                        const char *path)
+{
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) timestamp_value = NULL;
+
+    if (!(timestamp_value = virSecurityGetTimestamp()) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    return virFileSetXAttr(path, timestamp_name, timestamp_value);
+}
+
+
+static int
+virSecurityRemoveTimestamp(const char *name,
+                           const char *path)
+{
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+
+    if (!(timestamp_name = virSecurityGetTimestampAttrName(name)))
+        return -1;
+
+    if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno != ENOENT)
+        return -1;
+
+    return 0;
+}
+
+
+ /**
+  * virSecurityGetRememberedLabel:
+  * @name: security driver name
+@@ -117,9 +269,13 @@ virSecurityGetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+    int rc;
+ 
+     *label = NULL;
+ 
+    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+        return rc;
+
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+ 
+@@ -163,6 +319,9 @@ virSecurityGetRememberedLabel(const char *name,
+ 
+         if (virFileRemoveXAttr(path, attr_name) < 0)
+             return -1;
+
+        if (virSecurityRemoveTimestamp(name, path) < 0)
+            return -1;
+     }
+ 
+     return 0;
+@@ -198,6 +357,10 @@ virSecuritySetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+    int rc;
+
+    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+        return rc;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+@@ -232,6 +395,9 @@ virSecuritySetRememberedLabel(const char *name,
+ 
+         if (virFileSetXAttr(path, attr_name, label) < 0)
+             return -1;
+
+        if (virSecurityAddTimestamp(name, path) < 0)
+            return -1;
+     }
+ 
+     if (virAsprintf(&value, "%u", refcount) < 0)
+@@ -266,9 +432,12 @@ virSecurityMoveRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) ref_value = NULL;
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) attr_value = NULL;
+    VIR_AUTOFREE(char *) timestamp_name = NULL;
+    VIR_AUTOFREE(char *) timestamp_value = NULL;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)) ||
+-        !(attr_name = virSecurityGetAttrName(name)))
+        !(attr_name = virSecurityGetAttrName(name)) ||
+        !(timestamp_name = virSecurityGetTimestampAttrName(name)))
+         return -1;
+ 
+     if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) {
+@@ -293,6 +462,17 @@ virSecurityMoveRememberedLabel(const char *name,
+         }
+     }
+ 
+    if (virFileGetXAttrQuiet(src, timestamp_name, &timestamp_value) < 0) {
+        if (errno == ENOSYS || errno == ENOTSUP) {
+            return -2;
+        } else if (errno != ENODATA) {
+            virReportSystemError(errno,
+                                 _("Unable to get XATTR %s on %s"),
+                                 attr_name, src);
+            return -1;
+        }
+    }
+
+     if (ref_value &&
+         virFileRemoveXAttr(src, ref_name) < 0) {
+         return -1;
+@@ -303,6 +483,11 @@ virSecurityMoveRememberedLabel(const char *name,
+         return -1;
+     }
+ 
+    if (timestamp_value &&
+        virFileRemoveXAttr(src, timestamp_name) < 0) {
+        return -1;
+    }
+
+     if (dst) {
+         if (ref_value &&
+             virFileSetXAttr(dst, ref_name, ref_value) < 0) {
+@@ -314,6 +499,13 @@ virSecurityMoveRememberedLabel(const char *name,
+             ignore_value(virFileRemoveXAttr(dst, ref_name));
+             return -1;
+         }
+
+        if (timestamp_value &&
+            virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) {
+            ignore_value(virFileRemoveXAttr(dst, ref_name));
+            ignore_value(virFileRemoveXAttr(dst, attr_name));
+            return -1;
+        }
+     }
+ 
+     return 0;
+diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c
+index a15eef29c9..373d64305a 100644
+--- a/tests/qemusecuritymock.c
+++ b/tests/qemusecuritymock.c
+@@ -32,6 +32,7 @@
+ #include "viralloc.h"
+ #include "qemusecuritytest.h"
+ #include "security/security_manager.h"
+#include "virhostuptime.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_NONE
+ 
+@@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb,
+ {
+     return cb(-1, opaque);
+ }
+
+
+/* We don't really need to mock this function. The qemusecuritytest doesn't
+ * care about the actual value. However, travis runs build and tests in a
+ * container where utmp is missing and thus this function fails. */
+int
+virHostGetBootTime(unsigned long long *when)
+{
+    *when = 1234567890;
+    return 0;
+}
+diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
+index 58f02f8dfb..3907413c63 100755
+--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
+@@ -74,7 +74,7 @@ fi
+ declare -a XATTRS
+ for i in "dac" "selinux"; do
+     for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do
+-        XATTRS+=("$p.$i" "$p.ref_$i")
+        XATTRS+=("$p.$i" "$p.ref_$i" "$p.timestamp_$i")
+     done
+ done
+ 
@@ -0,0 +1,96 @@
+From: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
+Date: Mon, 2 Sep 2019 13:25:15 +0200
+Subject: [PATCH] security_util: verify xattrs only if ref is present
+
+After 7cfb7aab573 commit starting a domain pullutes logs with
+warnings like [1]. The reason is resource files do not
+have timestamp before starting a domain and after destroying
+domain the timestamp is cleared. Let's check the timestamp
+only if attribute with refcounter is found.
+
+[1] warning : virSecurityValidateTimestamp:198 : Invalid XATTR timestamp detected on \
+    /some/path secdriver=dac
+
+Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 7c40211a5a0fd15f5885e38dc571e81b9a3fd699)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_util.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/src/security/security_util.c b/src/security/security_util.c
+index 31f41cedfd..865b3ec905 100644
+--- a/src/security/security_util.c
+++ b/src/security/security_util.c
+@@ -269,13 +269,9 @@ virSecurityGetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int rc;
+ 
+     *label = NULL;
+ 
+-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+-        return rc;
+-
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+ 
+@@ -290,6 +286,20 @@ virSecurityGetRememberedLabel(const char *name,
+         return -1;
+     }
+ 
+    if (value) {
+        int rc;
+
+        /* Do this after we've tried to get refcounter to ensure underlying FS
+         * supports XATTRs and @path has refcounter attribute set, because
+         * validator might throws a warning. */
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        /* Invalid label is like a non-existent one */
+        if (rc == 1)
+            return -2;
+    }
+
+     if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("malformed refcount %s on %s"),
+@@ -357,10 +367,6 @@ virSecuritySetRememberedLabel(const char *name,
+     VIR_AUTOFREE(char *) attr_name = NULL;
+     VIR_AUTOFREE(char *) value = NULL;
+     unsigned int refcount = 0;
+-    int rc;
+-
+-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+-        return rc;
+ 
+     if (!(ref_name = virSecurityGetRefCountAttrName(name)))
+         return -1;
+@@ -377,6 +383,20 @@ virSecuritySetRememberedLabel(const char *name,
+         }
+     }
+ 
+    if (value) {
+        int rc;
+
+        /* Do this after we've tried to get refcounter to ensure underlying FS
+         * supports XATTRs and @path has refcounter attribute set, because
+         * validator might throws a warning. */
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        /* Invalid label is like a non-existent one */
+        if (rc == 1)
+            VIR_FREE(value);
+    }
+
+     if (value &&
+         virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -0,0 +1,97 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:16 +0200
+Subject: [PATCH] virSecuritySELinuxSetFileconImpl: Drop @optional argument
+
+The only thing that the @optional argument does is that it makes
+the function return 1 instead of 0 if setting SELinux context
+failed in a non-critical fashion. Drop the argument then and
+return 1 in that case. This enables caller to learn if SELinux
+context was set or not.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 34712a5e3b313fb9ca2223c54ea46f626429a6c4)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 35 +++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 9857223bbf..766f334faf 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1257,12 +1257,27 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+     return 0;
+ }
+ 
+-/* Attempt to change the label of PATH to TCON.  If OPTIONAL is true,
+- * return 1 if labelling was not possible.  Otherwise, require a label
+- * change, and return 0 for success, -1 for failure.  */
+/**
+ * virSecuritySELinuxSetFileconImpl:
+ * @path: path to the file to set context on
+ * @tcon: target context to set
+ * @privileged: whether running as privileged user
+ *
+ * Set @tcon SELinux context on @path. If unable to do so, check SELinux
+ * configuration and produce sensible error message suggesting solution.
+ * It may happen that setting context fails but hypervisor will be able to
+ * open the @path successfully. This is because some file systems don't
+ * support SELinux, are RO, or the @path had the correct context from the
+ * start. If that is the case, a positive one is returned.
+ *
+ * Returns:  0 if context was set successfully
+ *           1 if setting the context failed in a non-critical fashion
+ *           -1 in case of error
+ */
+ static int
+-virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+-                                 bool optional, bool privileged)
+virSecuritySELinuxSetFileconImpl(const char *path,
+                                 const char *tcon,
+                                 bool privileged)
+ {
+     security_context_t econ;
+ 
+@@ -1278,7 +1293,7 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+             if (STREQ(tcon, econ)) {
+                 freecon(econ);
+                 /* It's alright, there's nothing to change anyway. */
+-                return optional ? 1 : 0;
+                return 1;
+             }
+             freecon(econ);
+         }
+@@ -1315,9 +1330,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
+                 VIR_INFO("Setting security context '%s' on '%s' not supported",
+                          tcon, path);
+             }
+-            if (optional)
+-                return 1;
+         }
+
+        return 1;
+     }
+     return 0;
+ }
+@@ -1377,7 +1392,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0)
+    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+         goto cleanup;
+ 
+     ret = 0;
+@@ -1542,7 +1557,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(newpath, fcon, false, privileged) < 0)
+    if (virSecuritySELinuxSetFileconImpl(newpath, fcon, privileged) < 0)
+         goto cleanup;
+ 
+     ret = 0;
@@ -0,0 +1,106 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:17 +0200
+Subject: [PATCH] security_selinux: Drop virSecuritySELinuxSetFileconOptional()
+
+There is no real difference between
+virSecuritySELinuxSetFilecon() and
+virSecuritySELinuxSetFileconOptional(). Drop the latter in favour
+of the former.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 079c1d6a291869ab4ee5d7f70bfd9a0f716c508e)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 53 ++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 31 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 766f334faf..87e1ba202d 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1419,15 +1419,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ }
+ 
+ 
+-static int
+-virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
+-                                     const char *path,
+-                                     const char *tcon,
+-                                     bool remember)
+-{
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remember);
+-}
+-
+ static int
+ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                              const char *path,
+@@ -1884,28 +1875,28 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
+                                            parent_seclabel->label, remember);
+     } else if (!parent || parent == src) {
+         if (src->shared) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       data->file_context,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               data->file_context,
+                                               remember);
+         } else if (src->readonly) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       data->content_context,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               data->content_context,
+                                               remember);
+         } else if (secdef->imagelabel) {
+-            ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                       src->path,
+-                                                       secdef->imagelabel,
+-                                                       remember);
+            ret = virSecuritySELinuxSetFilecon(mgr,
+                                               src->path,
+                                               secdef->imagelabel,
+                                               remember);
+         } else {
+             ret = 0;
+         }
+     } else {
+-        ret = virSecuritySELinuxSetFileconOptional(mgr,
+-                                                   src->path,
+-                                                   data->content_context,
+-                                                   remember);
+        ret = virSecuritySELinuxSetFilecon(mgr,
+                                           src->path,
+                                           data->content_context,
+                                           remember);
+     }
+ 
+     if (ret == 1 && !disk_seclabel) {
+@@ -2045,14 +2036,14 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
+         return 0;
+ 
+     if (virSCSIDeviceGetShareable(dev))
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    data->file_context, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            data->file_context, true);
+     else if (virSCSIDeviceGetReadonly(dev))
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    data->content_context, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            data->content_context, true);
+     else
+-        return virSecuritySELinuxSetFileconOptional(mgr, file,
+-                                                    secdef->imagelabel, true);
+        return virSecuritySELinuxSetFilecon(mgr, file,
+                                            secdef->imagelabel, true);
+ }
+ 
+ static int
@@ -0,0 +1,126 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:18 +0200
+Subject: [PATCH] security_selinux: Drop @optional from
+ _virSecuritySELinuxContextItem
+
+Now, that we don't need to remember if setting context is
+'optional' (the argument only made
+virSecuritySELinuxSetFileconImpl() return a different success
+code), we can drop it from the _virSecuritySELinuxContextItem
+structure as we don't need to remember it in transactions.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit b71d54f44707e80aae6fd01a766bb254882f5163)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 87e1ba202d..e5b55fccb4 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -81,7 +81,6 @@ typedef virSecuritySELinuxContextItem *virSecuritySELinuxContextItemPtr;
+ struct _virSecuritySELinuxContextItem {
+     char *path;
+     char *tcon;
+-    bool optional;
+     bool remember; /* Whether owner remembering should be done for @path/@src */
+     bool restore; /* Whether current operation is 'set' or 'restore' */
+ };
+@@ -122,7 +121,6 @@ static int
+ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
+                                     const char *path,
+                                     const char *tcon,
+-                                    bool optional,
+                                     bool remember,
+                                     bool restore)
+ {
+@@ -135,7 +133,6 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
+     if (VIR_STRDUP(item->path, path) < 0 || VIR_STRDUP(item->tcon, tcon) < 0)
+         goto cleanup;
+ 
+-    item->optional = optional;
+     item->remember = remember;
+     item->restore = restore;
+ 
+@@ -170,7 +167,6 @@ virSecuritySELinuxContextListFree(void *opaque)
+  * virSecuritySELinuxTransactionAppend:
+  * @path: Path to chown
+  * @tcon: target context
+- * @optional: true if setting @tcon is optional
+  * @remember: if the original owner should be recorded/recalled
+  * @restore: if current operation is set or restore
+  *
+@@ -187,7 +183,6 @@ virSecuritySELinuxContextListFree(void *opaque)
+ static int
+ virSecuritySELinuxTransactionAppend(const char *path,
+                                     const char *tcon,
+-                                    bool optional,
+                                     bool remember,
+                                     bool restore)
+ {
+@@ -198,7 +193,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
+         return 0;
+ 
+     if (virSecuritySELinuxContextListAppend(list, path, tcon,
+-                                            optional, remember, restore) < 0)
+                                            remember, restore) < 0)
+         return -1;
+ 
+     return 1;
+@@ -234,7 +229,6 @@ virSecuritySELinuxRecallLabel(const char *path,
+ static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                                               const char *path,
+                                               const char *tcon,
+-                                              bool optional,
+                                               bool remember);
+ 
+ 
+@@ -290,7 +284,6 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
+             rv = virSecuritySELinuxSetFileconHelper(list->manager,
+                                                     item->path,
+                                                     item->tcon,
+-                                                    item->optional,
+                                                     remember);
+         } else {
+             rv = virSecuritySELinuxRestoreFileLabel(list->manager,
+@@ -1342,7 +1335,6 @@ static int
+ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+                                    const char *path,
+                                    const char *tcon,
+-                                   bool optional,
+                                    bool remember)
+ {
+     bool privileged = virSecurityManagerGetPrivileged(mgr);
+@@ -1353,7 +1345,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+     int ret = -1;
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
+-                                                  optional, remember, false)) < 0)
+                                                  remember, false)) < 0)
+         return -1;
+     else if (rc > 0)
+         return 0;
+@@ -1425,7 +1417,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                              const char *tcon,
+                              bool remember)
+ {
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, remember);
+    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember);
+ }
+ 
+ static int
+@@ -1512,7 +1504,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+     }
+ 
+     if ((rc = virSecuritySELinuxTransactionAppend(path, NULL,
+-                                                  false, recall, true)) < 0) {
+                                                  recall, true)) < 0) {
+         goto cleanup;
+     } else if (rc > 0) {
+         ret = 0;
@@ -0,0 +1,83 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:19 +0200
+Subject: [PATCH] security_selinux: Drop virSecuritySELinuxSetFileconHelper
+
+This function is no longer needed because after previous commits
+it's just an alias to virSecuritySELinuxSetFilecon.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit eaa2a064fa9a7cf6220349ac8706a22593cbf607)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 33 ++++++++++++---------------------
+ 1 file changed, 12 insertions(+), 21 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index e5b55fccb4..1df04d7358 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -226,10 +226,10 @@ virSecuritySELinuxRecallLabel(const char *path,
+ }
+ 
+ 
+-static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+-                                              const char *path,
+-                                              const char *tcon,
+-                                              bool remember);
+static int virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                                        const char *path,
+                                        const char *tcon,
+                                        bool remember);
+ 
+ 
+ static int virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+@@ -281,10 +281,10 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
+         const bool remember = item->remember && list->lock;
+ 
+         if (!item->restore) {
+-            rv = virSecuritySELinuxSetFileconHelper(list->manager,
+-                                                    item->path,
+-                                                    item->tcon,
+-                                                    remember);
+            rv = virSecuritySELinuxSetFilecon(list->manager,
+                                              item->path,
+                                              item->tcon,
+                                              remember);
+         } else {
+             rv = virSecuritySELinuxRestoreFileLabel(list->manager,
+                                                     item->path,
+@@ -1332,10 +1332,10 @@ virSecuritySELinuxSetFileconImpl(const char *path,
+ 
+ 
+ static int
+-virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+-                                   const char *path,
+-                                   const char *tcon,
+-                                   bool remember)
+virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+                             const char *path,
+                             const char *tcon,
+                             bool remember)
+ {
+     bool privileged = virSecurityManagerGetPrivileged(mgr);
+     security_context_t econ = NULL;
+@@ -1411,15 +1411,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
+ }
+ 
+ 
+-static int
+-virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+-                             const char *path,
+-                             const char *tcon,
+-                             bool remember)
+-{
+-    return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember);
+-}
+-
+ static int
+ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
+ {
@@ -0,0 +1,49 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:20 +0200
+Subject: [PATCH] security_selinux: Play nicely with network FS that only
+ emulates SELinux
+
+There are some network file systems that do support XATTRs (e.g.
+gluster via FUSE). And they appear to support SELinux too.
+However, not really. Problem is, that it is impossible to change
+SELinux label of a file stored there, and yet we claim success
+(rightfully - hypervisor succeeds in opening the file). But this
+creates a problem for us - from XATTR bookkeeping POV, we haven't
+changed the label and thus if we remembered any label, we must
+roll back and remove it.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 8fe953805a535097cf3b819b3b68fbfb166efed4)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/security_selinux.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 1df04d7358..39d616ba44 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1384,12 +1384,18 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+         }
+     }
+ 
+-    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+    rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged);
+    if (rc < 0)
+         goto cleanup;
+ 
+    /* Do not try restoring the label if it was not changed
+     * (setting it failed in a non-critical fashion) */
+    if (rc == 0)
+        rollback = false;
+
+     ret = 0;
+  cleanup:
+-    if (ret < 0 && rollback) {
+    if (rollback) {
+         virErrorPtr origerr;
+ 
+         virErrorPreserveLast(&origerr);
@@ -0,0 +1,42 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:21 +0200
+Subject: [PATCH] qemu_blockjob: Print image path on failed security metadata
+ move too
+
+When a block job is completed, the security image metadata are
+moved to the new image. If this fails an warning is printed, but
+the message contains only domain name and lacks image paths. Put
+them both into the warning message.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+ACKed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 7f99d8a739c01a280ca0c173ecd6051a92f0c897)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741456
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_blockjob.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
+index a5b558b9ab..b3c0f784cd 100644
+--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
+@@ -584,8 +584,14 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
+         virDomainLockImageDetach(driver->lockManager, vm, disk->src);
+ 
+         /* Move secret driver metadata */
+-        if (qemuSecurityMoveImageMetadata(driver, vm, disk->src, disk->mirror) < 0)
+-            VIR_WARN("Unable to move disk metadata on vm %s", vm->def->name);
+        if (qemuSecurityMoveImageMetadata(driver, vm, disk->src, disk->mirror) < 0) {
+            VIR_WARN("Unable to move disk metadata on "
+                     "vm %s from %s to %s (disk target %s)",
+                     vm->def->name,
+                     NULLSTR(disk->src->path),
+                     NULLSTR(disk->mirror->path),
+                     disk->dst);
+        }
+ 
+         virObjectUnref(disk->src);
+         disk->src = disk->mirror;
@@ -0,0 +1,79 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 2 Sep 2019 13:25:22 +0200
+Subject: [PATCH] qemu_blockjob: Remove secdriver metadata more frequently
+
+If a block job reaches failed/cancelled state, or is completed
+without pivot then we must remove security driver metadata
+associated to the backing chain so that we don't leave any
+metadata behind.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741456
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+ACKed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 16fb3c8b83fb39f9931e942f7d1738ffe024d234)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+
+Conflicts:
+- src/qemu/qemu_blockjob.c:
+qemuBlockJobProcessEventFailedActiveCommit() doesn't exist as
+v5.7.0-rc2~2 isn't backported (blockdev is not going to be
+enabled with RHEL-AV-8.1.0).
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_blockjob.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
+index b3c0f784cd..beda9bd64e 100644
+--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
+@@ -597,7 +597,23 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
+         disk->src = disk->mirror;
+     } else {
+         if (disk->mirror) {
+            virStorageSourcePtr n;
+
+             virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+            /* Ideally, we would restore seclabels on the backing chain here
+             * but we don't know if somebody else is not using parts of it.
+             * Remove security driver metadata so that they are not leaked. */
+            for (n = disk->mirror; virStorageSourceIsBacking(n); n = n->backingStore) {
+                if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) {
+                    VIR_WARN("Unable to remove disk metadata on "
+                             "vm %s from %s (disk target %s)",
+                             vm->def->name,
+                             NULLSTR(disk->src->path),
+                             disk->dst);
+                }
+            }
+
+             virObjectUnref(disk->mirror);
+         }
+     }
+@@ -666,7 +682,23 @@ qemuBlockJobEventProcessLegacy(virQEMUDriverPtr driver,
+     case VIR_DOMAIN_BLOCK_JOB_FAILED:
+     case VIR_DOMAIN_BLOCK_JOB_CANCELED:
+         if (disk->mirror) {
+            virStorageSourcePtr n;
+
+             virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+            /* Ideally, we would restore seclabels on the backing chain here
+             * but we don't know if somebody else is not using parts of it.
+             * Remove security driver metadata so that they are not leaked. */
+            for (n = disk->mirror; virStorageSourceIsBacking(n); n = n->backingStore) {
+                if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) {
+                    VIR_WARN("Unable to remove disk metadata on "
+                             "vm %s from %s (disk target %s)",
+                             vm->def->name,
+                             NULLSTR(disk->src->path),
+                             disk->dst);
+                }
+            }
+
+             virObjectUnref(disk->mirror);
+             disk->mirror = NULL;
+         }
@@ -0,0 +1,192 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 9 Aug 2019 10:48:35 +0200
+Subject: [PATCH] Revert "tpm: Check TPM XML device configuration changes after
+ edit"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Redefining a domain via virDomainDefineXML should not give different results
+based on an already existing definition.
+
+Also, there's a crasher somewhere in the code:
+https://bugzilla.redhat.com/show_bug.cgi?id=1739338
+
+This reverts commit 94b3aa55f83ada33a9fdda66068d58ef1a56c0a5
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit d8326cb8826170019c74018511d76c58665ab282)
+---
+ src/conf/domain_conf.c    | 56 ---------------------------------------
+ src/conf/domain_conf.h    |  3 ---
+ src/libvirt_private.syms  |  1 -
+ src/qemu/qemu_driver.c    | 28 --------------------
+ src/qemu/qemu_extdevice.c |  2 +-
+ src/qemu/qemu_extdevice.h |  3 ---
+ 6 files changed, 1 insertion(+), 92 deletions(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index 441eb1a5a2..ac0561ddc5 100644
+--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
+@@ -31436,59 +31436,3 @@ virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics)
+ 
+     return true;
+ }
+-
+-
+-static int
+-virDomainCheckTPMChanges(virDomainDefPtr def,
+-                         virDomainDefPtr newDef)
+-{
+-    bool oldEnc, newEnc;
+-
+-    if (!def->tpm)
+-        return 0;
+-
+-    switch (def->tpm->type) {
+-    case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+-        if (virFileExists(def->tpm->data.emulator.storagepath)) {
+-            /* VM has been started */
+-            /* Once a VM was started with an encrypted state we allow
+-             * less configuration changes.
+-             */
+-            oldEnc = def->tpm->data.emulator.hassecretuuid;
+-            if (oldEnc && def->tpm->type != newDef->tpm->type) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                               _("Changing the type of TPM is not allowed"));
+-                return -1;
+-            }
+-            if (oldEnc && !newDef->tpm) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                               _("Removing an encrypted TPM is not allowed"));
+-                return -1;
+-            }
+-            newEnc = newDef->tpm->data.emulator.hassecretuuid;
+-            if (oldEnc != newEnc) {
+-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+-                   _("TPM state encryption cannot be changed "
+-                     "once VM was started"));
+-                return -1;
+-            }
+-        }
+-        break;
+-    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+-    case VIR_DOMAIN_TPM_TYPE_LAST:
+-        break;
+-    }
+-
+-    return 0;
+-}
+-
+-
+-int
+-virDomainCheckDeviceChanges(virDomainDefPtr def,
+-                            virDomainDefPtr newDef)
+-{
+-    if (!def || !newDef)
+-        return 0;
+-
+-    return virDomainCheckTPMChanges(def, newDef);
+-}
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index 8a4425df64..d5190a20db 100644
+--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
+@@ -3638,6 +3638,3 @@ virDomainGraphicsGetRenderNode(const virDomainGraphicsDef *graphics);
+ 
+ bool
+ virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics);
+-
+-int
+-virDomainCheckDeviceChanges(virDomainDefPtr def, virDomainDefPtr newDef);
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 9fd778272f..bbc5144aa2 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -216,7 +216,6 @@ virDomainBootTypeFromString;
+ virDomainBootTypeToString;
+ virDomainCapabilitiesPolicyTypeToString;
+ virDomainCapsFeatureTypeToString;
+-virDomainCheckDeviceChanges;
+ virDomainChrConsoleTargetTypeFromString;
+ virDomainChrConsoleTargetTypeToString;
+ virDomainChrDefForeach;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 4ca3eb7bde..1ba6def419 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -53,7 +53,6 @@
+ #include "qemu_migration_params.h"
+ #include "qemu_blockjob.h"
+ #include "qemu_security.h"
+-#include "qemu_extdevice.h"
+ 
+ #include "virerror.h"
+ #include "virlog.h"
+@@ -7760,30 +7759,6 @@ qemuDomainCreate(virDomainPtr dom)
+     return qemuDomainCreateWithFlags(dom, 0);
+ }
+ 
+-static int
+-qemuDomainCheckDeviceChanges(virQEMUDriverPtr driver,
+-                             virDomainDefPtr def)
+-{
+-    virDomainObjPtr vm;
+-    int ret;
+-
+-    vm = virDomainObjListFindByUUID(driver->domains, def->uuid);
+-    if (!vm)
+-        return 0;
+-
+-    if (qemuExtDevicesInitPaths(driver, vm->def) < 0) {
+-        ret = -1;
+-        goto cleanup;
+-    }
+-
+-    ret = virDomainCheckDeviceChanges(vm->def, def);
+-
+- cleanup:
+-    virDomainObjEndAPI(&vm);
+-
+-    return ret;
+-}
+-
+ static virDomainPtr
+ qemuDomainDefineXMLFlags(virConnectPtr conn,
+                          const char *xml,
+@@ -7820,9 +7795,6 @@ qemuDomainDefineXMLFlags(virConnectPtr conn,
+     if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+-    if (qemuDomainCheckDeviceChanges(driver, def) < 0)
+-        goto cleanup;
+-
+     if (!(vm = virDomainObjListAdd(driver->domains, def,
+                                    driver->xmlopt,
+                                    0, &oldDef)))
+diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
+index af52466421..dc032aa60c 100644
+--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
+@@ -79,7 +79,7 @@ qemuExtDeviceLogCommand(qemuDomainLogContextPtr logCtxt,
+  * stored and we can remove directories and files in case of domain XML
+  * changes.
+  */
+-int
+static int
+ qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
+                         virDomainDefPtr def)
+ {
+diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
+index 5a53c79f38..039b3e60dd 100644
+--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
+@@ -54,6 +54,3 @@ bool qemuExtDevicesHasDevice(virDomainDefPtr def);
+ int qemuExtDevicesSetupCgroup(virQEMUDriverPtr driver,
+                               virDomainDefPtr def,
+                               virCgroupPtr cgroup);
+-
+-int qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
+-                            virDomainDefPtr def);
@@ -0,0 +1,59 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 21:52:28 -0400
+Subject: [PATCH] network: fix crash during cleanup from failure to allocate
+ port
+
+During networkPortCreateXML, if networkAllocatePort() failed,
+networkReleasePort() would be called, which would (in the case of
+network pools of macvtap passthrough devices) attempt to find the
+allocated device by comparing port->plug.direct.linkdev to each device
+in the pool. Since port->plug.direct.linkdev was still NULL, the
+attempted strcmp would result in a SEGV.
+
+Calling networkReleasePort() during error cleanup is something that
+should only be done if networkAllocatePort() has already succeeded. It
+turns out there is one other possible error exit from
+networkPortCreateXML() that happens after networkAllocatePort() has
+succeeded, so the code to call networkReleasePort() was just moved
+down to there.
+
+Resolves: https://bugzilla.redhat.com/1741390
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit dac697e8d7d6d9a607e61caeeec06b259edf513f)
+---
+ src/network/bridge_driver.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 41fa89a4af..bc0f781c56 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -5592,20 +5592,20 @@ networkPortCreateXML(virNetworkPtr net,
+         rc = networkNotifyPort(obj, portdef);
+     else
+         rc = networkAllocatePort(obj, portdef);
+-    if (rc < 0) {
+    if (rc < 0)
+        goto cleanup;
+
+    if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+         virErrorPtr saved;
+
+         saved = virSaveLastError();
+         ignore_value(networkReleasePort(obj, portdef));
+        virNetworkPortDefFree(portdef);
+         virSetError(saved);
+         virFreeError(saved);
+         goto cleanup;
+     }
+ 
+-    if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+-        virNetworkPortDefFree(portdef);
+-        goto cleanup;
+-    }
+-
+     ret = virGetNetworkPort(net, portdef->uuid);
+  cleanup:
+     virNetworkObjEndAPI(&obj);
@@ -0,0 +1,57 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 22:28:27 -0400
+Subject: [PATCH] network: replace virSaveLastError() with
+ virErrorPreserveLast()
+
+virErrorPreserveLast()/virErrorRestore() (added in commit 8333e7455
+back in 2017), do a better better job of saving and restoring the last
+libvirt error than virSaveLastError()/virErrorRestore() (they're
+simpler, and they also save/restore the system errno).
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 39de732aa728ae9b8a9414ad08b8d0ee7ed02732)
+---
+ src/network/bridge_driver.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index bc0f781c56..c7e5151d09 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -2987,13 +2987,12 @@ networkStartNetwork(virNetworkDriverStatePtr driver,
+ 
+  cleanup:
+     if (ret < 0) {
+        virErrorPtr save_err;
+
+        virErrorPreserveLast(&save_err);
+         virNetworkObjUnsetDefTransient(obj);
+-        virErrorPtr save_err = virSaveLastError();
+-        int save_errno = errno;
+         networkShutdownNetwork(driver, obj);
+-        virSetError(save_err);
+-        virFreeError(save_err);
+-        errno = save_errno;
+        virErrorRestore(&save_err);
+     }
+     return ret;
+ }
+@@ -5596,13 +5595,13 @@ networkPortCreateXML(virNetworkPtr net,
+         goto cleanup;
+ 
+     if (virNetworkObjAddPort(obj, portdef, driver->stateDir) < 0) {
+-        virErrorPtr saved;
+        virErrorPtr save_err;
+ 
+-        saved = virSaveLastError();
+        virErrorPreserveLast(&save_err);
+         ignore_value(networkReleasePort(obj, portdef));
+         virNetworkPortDefFree(portdef);
+-        virSetError(saved);
+-        virFreeError(saved);
+        virErrorRestore(&save_err);
+
+         goto cleanup;
+     }
+ 
@@ -0,0 +1,53 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 15 Aug 2019 16:34:21 -0400
+Subject: [PATCH] access: fix incorrect addition to virAccessPermNetwork
+
+Commit e69444e17 (first appeared in libvirt-5.5.0) added the new value
+"VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS" to the virAccessPerNetwork
+enum, and also the string "search_ports" to the VIR_ENUM_IMPL() macro
+for that enum. Unfortunately, the enum value was added in the middle
+of the list, while the string was added to the end of the
+VIR_ENUM_IMPL().
+
+This patch corrects that error by moving the new value to the end of
+the enum definition, so that the order matches that of the string
+list.
+
+Resolves: https://bugzilla.redhat.com/1741428
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 8d6eaf5e099dab8400aa76bcc9a0ac74ff6f46e1)
+---
+ src/access/viraccessperm.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
+index a42512d5e0..7480ee8c2f 100644
+--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
+@@ -410,18 +410,18 @@ typedef enum {
+      */
+     VIR_ACCESS_PERM_NETWORK_START,
+ 
+-    /**
+-     * @desc: List network ports
+-     * @message: Listing network ports requires authorization
+-     */
+-    VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+-
+     /**
+      * @desc: Stop network
+      * @message: Stopping network requires authorization
+      */
+     VIR_ACCESS_PERM_NETWORK_STOP,
+ 
+    /**
+     * @desc: List network ports
+     * @message: Listing network ports requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+
+     VIR_ACCESS_PERM_NETWORK_LAST
+ } virAccessPermNetwork;
+ 
@@ -0,0 +1,36 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 8 Aug 2019 13:42:24 +0100
+Subject: [PATCH] network: fix ability to use openvswitch with vlans
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the correct enum constant when validating vlan usage.
+This fixes a merge error in
+
+  commit 6cb0ec48bd95c95489a987e05a88e8bcf1f9109c
+  Author: Daniel P. Berrangé <berrange@redhat.com>
+  Date:   Mon Sep 3 17:34:22 2018 +0100
+
+    network: convert networkAllocateActualDevice to virNetworkPortDef
+
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 93c1d5fe7bb7a62ef884eb41b505b2809d1704b6)
+---
+ src/network/bridge_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index c7e5151d09..acaeb5c9a2 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -4813,7 +4813,7 @@ networkAllocatePort(virNetworkObjPtr obj,
+         if (!(port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_HOSTDEV_PCI ||
+               (port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_DIRECT &&
+                port->plug.direct.mode == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) ||
+-              (port->plugtype == VIR_DOMAIN_NET_TYPE_BRIDGE &&
+              (port->plugtype == VIR_NETWORK_PORT_PLUG_TYPE_BRIDGE &&
+                port->virtPortProfile &&
+                port->virtPortProfile->virtPortType == VIR_NETDEV_VPORT_PROFILE_OPENVSWITCH))) {
+             virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@@ -0,0 +1,127 @@
+From: Laine Stump <laine@redhat.com>
+Date: Sun, 11 Aug 2019 16:21:42 -0400
+Subject: [PATCH] util: allow tap-based guest interfaces to have MAC address
+ prefix 0xFE
+
+Back in July 2010, commit 6ea90b84 (meant to resolve
+https://bugzilla.redhat.com/571991 ) added code to set the MAC address
+of any tap device to the associated guest interface's MAC, but with
+the first byte replaced with 0xFE. This was done in order to assure
+that
+
+1) the tap MAC and guest interface MAC were different (otherwise L2
+   forwarding through the tap would not work, and the kernel would
+   repeatedly issue a warning stating as much).
+
+2) any bridge device that had one of these taps attached would *not*
+   take on the MAC of the tap (leading to network instability as
+   guests started and stopped)
+
+A couple years later, https://bugzilla.redhat.com/798467 was filed,
+complaining that a user could configure a tap-based guest interface to
+have a MAC address that itself had a first byte of 0xFE, silently
+(other than the kernel warning messages) resulting in a non-working
+configuration. This was fixed by commit 5d571045, which logged an
+error and failed the guest start / interface attach if the MAC's first
+byte was 0xFE.
+
+Although this restriction only reduces the potential pool of MAC
+addresses from 2^46 (last two bits of byte 1 must be set to 10) by
+2^32 (still 4 orders of magnitude larger than the entire IPv4 address
+space), it also means that management software that autogenerates MAC
+addresses must have special code to avoid an 0xFE prefix. Now after 7
+years, someone has noticed this restriction and requested that we
+remove it.
+
+So instead of failing when 0xFE is found as the first byte, this patch
+removes the restriction by just replacing the first byte in the tap
+device MAC with 0xFA if the first byte in the guest interface is
+0xFE. 0xFA is the next-highest value that still has 10 as the lowest
+two bits, and still
+
+2) meets the requirement of "tap MAC must be different from guest
+   interface MAC", and
+
+3) is high enough that there should never be an issue of the attached
+   bridge device taking on the MAC of the tap.
+
+The result is that *any* MAC can be chosen by management software
+(although it would still not work correctly if a multicast MAC (lowest
+bit of first byte set to 1) was chosen), but that's a different
+issue).
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com
+(cherry picked from commit a60ee914009aa7f1a27fc0563337ded08b09247f)
+---
+ src/qemu/qemu_interface.c | 11 ++++++++++-
+ src/util/virnetdevtap.c   | 26 ++++++++++++--------------
+ 2 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/qemu/qemu_interface.c b/src/qemu/qemu_interface.c
+index c8effa68f4..72ed51cb1f 100644
+--- a/src/qemu/qemu_interface.c
+++ b/src/qemu/qemu_interface.c
+@@ -444,8 +444,17 @@ qemuInterfaceEthernetConnect(virDomainDefPtr def,
+     }
+ 
+     virDomainAuditNetDevice(def, net, tunpath, true);
+
+    /* The tap device's MAC address cannot match the MAC address
+     * used by the guest. This results in "received packet on
+     * vnetX with own address as source address" error logs from
+     * the kernel.
+     */
+     virMacAddrSet(&tapmac, &net->mac);
+-    tapmac.addr[0] = 0xFE;
+    if (tapmac.addr[0] == 0xFE)
+        tapmac.addr[0] = 0xFA;
+    else
+        tapmac.addr[0] = 0xFE;
+ 
+     if (virNetDevSetMAC(net->ifname, &tapmac) < 0)
+         goto cleanup;
+diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c
+index b65c26bee1..4548b51b5b 100644
+--- a/src/util/virnetdevtap.c
+++ b/src/util/virnetdevtap.c
+@@ -668,7 +668,6 @@ int virNetDevTapCreateInBridgePort(const char *brname,
+                                    unsigned int flags)
+ {
+     virMacAddr tapmac;
+-    char macaddrstr[VIR_MAC_STRING_BUFLEN];
+     size_t i;
+ 
+     if (virNetDevTapCreate(ifname, tunpath, tapfd, tapfdSize, flags) < 0)
+@@ -682,19 +681,18 @@ int virNetDevTapCreateInBridgePort(const char *brname,
+      */
+     virMacAddrSet(&tapmac, macaddr);
+     if (!(flags & VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE)) {
+-        if (macaddr->addr[0] == 0xFE) {
+-            /* For normal use, the tap device's MAC address cannot
+-             * match the MAC address used by the guest. This results
+-             * in "received packet on vnetX with own address as source
+-             * address" error logs from the kernel.
+-             */
+-            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+-                           _("Unable to use MAC address starting with "
+-                             "reserved value 0xFE - '%s' - "),
+-                           virMacAddrFormat(macaddr, macaddrstr));
+-            goto error;
+-        }
+-        tapmac.addr[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */
+        /* The tap device's MAC address cannot match the MAC address
+         * used by the guest. This results in "received packet on
+         * vnetX with own address as source address" error logs from
+         * the kernel. Making the tap address as high as possible
+         * discourages the bridge from using this tap's MAC as its own
+         * (a Linux host bridge will take on the lowest numbered MAC
+         * of all devices attached to it).
+         */
+        if (tapmac.addr[0] == 0xFE)
+            tapmac.addr[0] = 0xFA;
+        else
+            tapmac.addr[0] = 0xFE;
+     }
+ 
+     if (virNetDevSetMAC(*ifname, &tapmac) < 0)
@@ -0,0 +1,39 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 22 Aug 2019 14:48:46 +0100
+Subject: [PATCH] remote: use Wants instead of Requires for libvirtd sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To facilitate upgrades from earlier versions of libvirt which did not
+use socket activation for libvirtd, we want to allow the libvirtd socket
+units to be disabled (masked). This can only be supported if we use the
+weaker Wants statement instead of Requires.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit ec7e31ed32065837e201cd3d8a3fb882e43b7fdb)
+---
+ src/remote/libvirtd.service.in | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 3ddf0e229b..914bcbd5c4 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -2,9 +2,12 @@
+ Description=Virtualization daemon
+ Requires=virtlogd.socket
+ Requires=virtlockd.socket
+-Requires=libvirtd.socket
+-Requires=libvirtd-ro.socket
+-Requires=libvirtd-admin.socket
+# Use Wants instead of Requires so that users
+# can disable these three .socket units to revert
+# to a traditional non-activation deployment setup
+Wants=libvirtd.socket
+Wants=libvirtd-ro.socket
+Wants=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
@@ -0,0 +1,67 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:42 +0100
+Subject: [PATCH] remote: move timeout arg into sysconf file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need to give users the ability to customize the length of the
+shutdown timeout, or even disable timeouts entirely. Thus we must move
+the timeout arg into the sysconf file, instead of the service unit.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 581767a98ab5f674ac335d6c270efa8576bfdfbf)
+
+ Conflicts:
+	src/remote/libvirtd.service.in - due to not having
+	5b816e16968ba02def56f067774ecd9a8c8d44d7 in rhel8
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-3-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/remote/libvirtd.service.in |  6 +-----
+ src/remote/libvirtd.sysconf    | 12 +++++++++---
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 914bcbd5c4..d5d98f0c12 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -24,11 +24,7 @@ Documentation=https://libvirt.org
+ [Service]
+ Type=notify
+ EnvironmentFile=-/etc/sysconfig/libvirtd
+-# libvirtd.service is set to run on boot so that autostart of
+-# VMs can be performed. We don't want it to stick around if
+-# unused though, so we set a timeout. The socket activation
+-# then ensures it gets started again if anything needs it
+-ExecStart=@sbindir@/libvirtd --timeout 120 $LIBVIRTD_ARGS
+ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
+ ExecReload=/bin/kill -HUP $MAINPID
+ KillMode=process
+ Restart=on-failure
+diff --git a/src/remote/libvirtd.sysconf b/src/remote/libvirtd.sysconf
+index 5969518bf2..ee9db22bab 100644
+--- a/src/remote/libvirtd.sysconf
+++ b/src/remote/libvirtd.sysconf
+@@ -1,8 +1,14 @@
+ # Customizations for the libvirtd.service systemd unit
+ 
+-# Listen for TCP/IP connections. This is not required if using systemd
+-# socket activation.
+-# NB. must setup TLS/SSL keys prior to using this
+# Default behaviour is for libvirtd.service to start on boot
+# so that VM autostart can be performed. We then want it to
+# shutdown again if nothing was started and rely on systemd
+# socket activation to start it again when some client app
+# connects.
+LIBVIRTD_ARGS="--timeout 120"
+
+# If systemd socket activation is disabled, then the following
+# can be used to listen on TCP/TLS sockets
+ #LIBVIRTD_ARGS="--listen"
+ 
+ # Override Kerberos service keytab for SASL/GSSAPI
@@ -0,0 +1,99 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:43 +0100
+Subject: [PATCH] remote: forbid the --listen arg when systemd socket
+ activation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using systemd socket activation the --listen arg has no
+effect. This is confusing to users upgrading from previous versions of
+libvirt as their config is silently ignored. Turn use of --listen into a
+fatal error when sockets are passed from systemd.
+
+This helps the admin discover the change in behaviour and thus decide
+whether to stick with socket activation or revert to previous behaviour.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 3a6a725b8f575890ee6c151ad1f46ea0ceea1f3b)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-4-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/remote/libvirtd.pod    | 33 ++++++++++++++++++++++++++++++++-
+ src/remote/remote_daemon.c |  8 ++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/remote/libvirtd.pod b/src/remote/libvirtd.pod
+index 4721e0f4ec..fa30d6a37a 100644
+--- a/src/remote/libvirtd.pod
+++ b/src/remote/libvirtd.pod
+@@ -30,6 +30,35 @@ and will be picked up automatically if their XML configuration has been
+ defined.  Any guests whose XML configuration has not been defined will be lost
+ from the configuration.
+ 
+=head1 SYSTEM SOCKET ACTIVATION
+
+The B<libvirtd> daemon is capable of starting in two modes.
+
+In the traditional mode, it will create and listen on UNIX sockets itself.
+If the B<--listen> parameter is given, it will also listen on TCP/IP socket(s),
+according to the B<listen_tcp> and B<listen_tls> options in
+B</etc/libvirt/libvirtd.conf>
+
+In socket activation mode, it will rely on systemd to create and listen
+on the UNIX, and optionally TCP/IP, sockets and pass them as pre-opened
+file descriptors. In this mode, it is not permitted to pass the B<--listen>
+parameter, and most of the socket related config options in
+B</etc/libvirt/libvirtd.conf> will no longer have any effect. To enable
+TCP or TLS sockets use either
+
+B<$ systemctl start libvirtd-tls.socket>
+
+Or
+
+B<$ systemctl start libvirtd-tcp.socket>
+
+Socket activation mode is generally the default when running on a host
+OS that uses systemd. To revert to the traditional mode, all the socket
+unit files must be masked:
+
+B<$ systemctl mask libvirtd.socket libvirtd-ro.socket \
+      libvirtd-admin.socket libvirtd-tls.socket libvirtd-tcp.socket>
+
+ =head1 OPTIONS
+ 
+ =over
+@@ -48,7 +77,9 @@ Use this configuration file, overriding the default value.
+ 
+ =item B<-l, --listen>
+ 
+-Listen for TCP/IP connections.
+Listen for TCP/IP connections. This should not be set if using systemd
+socket activation. Instead activate the libvirtd-tls.socket or
+libvirtd-tcp.socket unit files.
+ 
+ =item B<-p, --pid-file> I<FILE>
+ 
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index d887b7abfb..b7ee1cf49b 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -391,6 +391,14 @@ daemonSetupNetworking(virNetServerPtr srv,
+     if (virSystemdGetActivation(actmap, ARRAY_CARDINALITY(actmap), &act) < 0)
+         return -1;
+ 
+#ifdef WITH_IP
+    if (act && ipsock) {
+        VIR_ERROR(_("--listen parameter not permitted with systemd activation "
+                    "sockets, see 'man libvirtd' for further guidance"));
+        return -1;
+    }
+#endif /* ! WITH_IP */
+
+     if (config->unix_sock_group) {
+         if (virGetGroupID(config->unix_sock_group, &unix_sock_gid) < 0)
+             return ret;
@@ -0,0 +1,86 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 29 Aug 2019 12:04:44 +0100
+Subject: [PATCH] rpm: don't enable socket activation in upgrade if --listen
+ present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently during RPM upgrade we restart libvirtd and unconditionally
+enable use of systemd socket activation for the UNIX sockets.
+
+If the user had previously given the --listen arg to libvirtd though,
+this will no longer be honoured if socket activation is used.
+
+We could start libvirtd-tcp.socket or libvirtd-tls.socket for this,
+but mgmt tools like puppet/ansible might not be expecting this.
+So for now we silently disable socket activation if we see --listen
+was previously set on the host.
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 66d04312d03c24c62bcf3b1dc2706f8775d4e2d3)
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741403
+Message-Id: <20190829110444.12163-5-berrange@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ libvirt.spec.in | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index 045c0fed1a..58f7cae092 100644
+--- a/libvirt.spec.in
+++ b/libvirt.spec.in
+@@ -1378,19 +1378,37 @@ fi
+ 
+ %posttrans daemon
+ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
+-    # Old libvirtd owns the sockets and will delete them on
+-    # shutdown. Can't use a try-restart as libvirtd will simply
+-    # own the sockets again when it comes back up. Thus we must
+-    # do this particular ordering
+-    /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1
+-    if test $? = 0 ; then
+-        /bin/systemctl stop libvirtd.service >/dev/null 2>&1 || :
+-
+-        /bin/systemctl try-restart libvirtd.socket >/dev/null 2>&1 || :
+-        /bin/systemctl try-restart libvirtd-ro.socket >/dev/null 2>&1 || :
+-        /bin/systemctl try-restart libvirtd-admin.socket >/dev/null 2>&1 || :
+-
+-        /bin/systemctl start libvirtd.service >/dev/null 2>&1 || :
+    # See if user has previously modified their install to
+    # tell libvirtd to use --listen
+    grep -E '^LIBVIRTD_ARGS=.*--listen' /etc/sysconfig/libvirtd 1>/dev/null 2>&1
+    if test $? = 0
+    then
+        # Then lets keep honouring --listen and *not* use
+        # systemd socket activation, because switching things
+        # might confuse mgmt tool like puppet/ansible that
+        # expect the old style libvirtd
+        /bin/systemctl mask libvirtd.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-ro.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-admin.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tls.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tcp.socket >/dev/null 2>&1 || :
+    else
+        # Old libvirtd owns the sockets and will delete them on
+        # shutdown. Can't use a try-restart as libvirtd will simply
+        # own the sockets again when it comes back up. Thus we must
+        # do this particular ordering, so that we get libvirtd
+        # running with socket activation in use
+        /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1
+        if test $? = 0
+        then
+            /bin/systemctl stop libvirtd.service >/dev/null 2>&1 || :
+
+            /bin/systemctl try-restart libvirtd.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-ro.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-admin.socket >/dev/null 2>&1 || :
+
+            /bin/systemctl start libvirtd.service >/dev/null 2>&1 || :
+        fi
+     fi
+ fi
+ rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
@@ -0,0 +1,27 @@
+From: Michael Chapman <mike@very.puzzling.org>
+Date: Tue, 17 Sep 2019 17:03:57 +1000
+Subject: [PATCH] remote: fix registration of TLS socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Michael Chapman <mike@very.puzzling.org>
+(cherry picked from commit 522b3d2b24d0f7ac78dad442c990d4e34db0eaf2)
+---
+ src/remote/remote_daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index b7ee1cf49b..6b5a6c1523 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -473,7 +473,7 @@ daemonSetupNetworking(virNetServerPtr srv,
+                                   config->max_client_requests) < 0)
+         goto cleanup;
+ 
+-    if (((ipsock && config->listen_tls) || (act && virSystemdActivationHasName(act, "ip-tls")))) {
+    if (((ipsock && config->listen_tls) || (act && virSystemdActivationHasName(act, "libvirtd-tls.socket")))) {
+         virNetTLSContextPtr ctxt = NULL;
+ 
+         if (config->ca_file ||
@@ -0,0 +1,34 @@
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Thu, 5 Sep 2019 11:22:11 +0200
+Subject: [PATCH] vircgroupv2: fix setting cpu.max period
+
+When we set cpu.max period we need to parse the cpu.max file first as
+it contains both quota and period values separated by space.  When only
+a single number is written to that file it will set quota.  However,
+in order to change period we need to write both values.
+
+The code was prepared for that but mistakenly used new line to end the
+string with the first value.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749227
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Erik Skultety <eskultet@redhat.com>
+(cherry picked from commit 0bd4ad193d8ba7f0104f4739f19f2731e7cf9f56)
+---
+ src/util/vircgroupv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index e36c36685b..d8abe18943 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -1507,7 +1507,7 @@ virCgroupV2SetCpuCfsPeriod(virCgroupPtr group,
+                        _("Invalid 'cpu.max' data."));
+         return -1;
+     }
+-    *tmp = '\n';
+    *tmp = '\0';
+ 
+     if (virAsprintf(&value, "%s %llu", str, cfs_period) < 0)
+         return -1;
@@ -0,0 +1,55 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Thu, 26 Sep 2019 15:00:55 -0400
+Subject: [PATCH] vircgroupv2: Fix VM startup when legacy cgroups are defined
+
+On Fedora 31, starting a 'mock' build alters /proc/$pid/cgroup,
+probably due to usage of systemd-nspawn.
+
+Before:
+$ cat /proc/self/cgroup
+0::/user.slice/user-1000.slice/...
+
+After:
+$ cat /proc/self/cgroup
+1:name=systemd:/
+0::/user.slice/user-1000.slice/...
+
+The cgroupv2 code mishandles that first line in the second case, which
+causes VM startup to fail with: Unable to read from
+'/sys/fs/cgroup/machine/cgroup.controllers': No such file or directory
+
+The kernel docs[1] say that the cgroupv2 path will always start with
+'0::', which in the code here controllers="". Only set the v2 placement
+path when we see that cgroup file entry.
+
+[1] https://www.kernel.org/doc/html/v5.3/admin-guide/cgroup-v2.html#processes
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1751120
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/vircgroupv2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index d8abe18943..acd48d1259 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -194,12 +194,16 @@ virCgroupV2DetectMounts(virCgroupPtr group,
+ static int
+ virCgroupV2DetectPlacement(virCgroupPtr group,
+                            const char *path,
+-                           const char *controllers ATTRIBUTE_UNUSED,
+                           const char *controllers,
+                            const char *selfpath)
+ {
+     if (group->unified.placement)
+         return 0;
+ 
+    /* controllers="" indicates the cgroupv2 controller path */
+    if (STRNEQ_NULLABLE(controllers, ""))
+        return 0;
+
+     /*
+      * selfpath == "/" + path="" -> "/"
+      * selfpath == "/libvirt.service" + path == "" -> "/libvirt.service"
@@ -0,0 +1,72 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Thu, 26 Sep 2019 15:25:52 -0400
+Subject: [PATCH] vircgroup: Add some VIR_DEBUG statements
+
+These helped with debugging
+https://bugzilla.redhat.com/show_bug.cgi?id=1612383
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/vircgroup.c   | 3 ++-
+ src/util/vircgroupv2.c | 9 +++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
+index 825f62a97b..4f9d80666d 100644
+--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
+@@ -1157,7 +1157,8 @@ virCgroupNewMachineSystemd(const char *name,
+     virCgroupFree(&init);
+ 
+     if (!path || STREQ(path, "/") || path[0] != '/') {
+-        VIR_DEBUG("Systemd didn't setup its controller");
+        VIR_DEBUG("Systemd didn't setup its controller, path=%s",
+                  NULLSTR(path));
+         return -2;
+     }
+ 
+diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
+index acd48d1259..c536be0cd9 100644
+--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
+@@ -155,10 +155,14 @@ virCgroupV2CopyPlacement(virCgroupPtr group,
+                          const char *path,
+                          virCgroupPtr parent)
+ {
+    VIR_DEBUG("group=%p path=%s parent=%p", group, path, parent);
+
+     if (path[0] == '/') {
+         if (VIR_STRDUP(group->unified.placement, path) < 0)
+             return -1;
+     } else {
+        VIR_DEBUG("parent->unified.placement=%s", parent->unified.placement);
+
+         /*
+          * parent == "/" + path="" => "/"
+          * parent == "/libvirt.service" + path == "" => "/libvirt.service"
+@@ -172,6 +176,7 @@ virCgroupV2CopyPlacement(virCgroupPtr group,
+             return -1;
+     }
+ 
+    VIR_DEBUG("set group->unified.placement=%s", group->unified.placement);
+     return 0;
+ }
+ 
+@@ -200,6 +205,9 @@ virCgroupV2DetectPlacement(virCgroupPtr group,
+     if (group->unified.placement)
+         return 0;
+ 
+    VIR_DEBUG("group=%p path=%s controllers=%s selfpath=%s",
+              group, path, controllers, selfpath);
+
+     /* controllers="" indicates the cgroupv2 controller path */
+     if (STRNEQ_NULLABLE(controllers, ""))
+         return 0;
+@@ -216,6 +224,7 @@ virCgroupV2DetectPlacement(virCgroupPtr group,
+                     path) < 0)
+         return -1;
+ 
+    VIR_DEBUG("set group->unified.placement=%s", group->unified.placement);
+     return 0;
+ }
+ 
@@ -0,0 +1,30 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 4 Oct 2019 16:33:37 +0200
+Subject: [PATCH] qemu_driver: Fix comment of qemuStateCleanup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The comment says that the function kills domains and networks.
+This is obviously not the case.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit e0b90162c94c45a9b0cf197e45b71f26036725d8)
+---
+ src/qemu/qemu_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1ba6def419..69416d6d1a 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -1190,7 +1190,7 @@ qemuStateStop(void)
+ /**
+  * qemuStateCleanup:
+  *
+- * Shutdown the QEMU daemon, it will stop all active domains and networks
+ * Release resources allocated by QEMU driver (no domain is shut off though)
+  */
+ static int
+ qemuStateCleanup(void)
@@ -0,0 +1,123 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 4 Oct 2019 16:57:04 +0200
+Subject: [PATCH] driver: Introduce virDriverShouldAutostart()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some of objects we manage can be autostarted on libvirtd startup
+(e.g. domains, network, storage pools). The idea was that when
+the host is started up these objects are started too without need
+of user intervention. However, with the latest daemon split and
+switch to socket activated, short lived daemons (we put --timeout
+120 onto each daemon's command line) this doesn't do what we want
+it to. The problem is not new though, we already had the session
+daemon come and go and we circumvented this problem by
+documenting it (see v4.10.0-92-g61b4e8aaf1). But now that we meet
+the same problem at all fronts it's time to deal with it.
+
+The solution implemented in this commit is to have a file (one
+per each driver) that:
+
+  1) if doesn't exist, is created and autostart is allowed for
+     given driver,
+
+  2) if it does exist, then autostart is suppressed for given
+     driver.
+
+All the files live in a location that doesn't survive host
+reboots (/var/run/ for instance) and thus the file is
+automatically not there on fresh host boot.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit ee16a195d97315ba3610b3640d347d3f4a358b55)
+---
+ src/driver.c             | 39 +++++++++++++++++++++++++++++++++++++++
+ src/driver.h             |  3 +++
+ src/libvirt_private.syms |  1 +
+ 3 files changed, 43 insertions(+)
+
+diff --git a/src/driver.c b/src/driver.c
+index 5e8f68f6df..471053686f 100644
+--- a/src/driver.c
+++ b/src/driver.c
+@@ -29,6 +29,7 @@
+ #include "virfile.h"
+ #include "virlog.h"
+ #include "virmodule.h"
+#include "virstring.h"
+ #include "virthread.h"
+ #include "configmake.h"
+ 
+@@ -69,6 +70,44 @@ virDriverLoadModule(const char *name,
+ 
+ /* XXX unload modules, but we can't until we can unregister libvirt drivers */
+ 
+/**
+ * virDriverShouldAutostart:
+ * @dir: driver's run state directory (usually /var/run/libvirt/$driver)
+ * @autostart: whether driver should initiate autostart
+ *
+ * Automatic starting of libvirt's objects (e.g. domains, networks, storage
+ * pools, etc.) doesn't play nice with using '--timeout' on daemon's command
+ * line because the objects are attempted to autostart on every start of
+ * corresponding driver/daemon. To resolve this problem, a file is created in
+ * driver's private directory (which doesn't survive host's reboot) and thus
+ * autostart is attempted only once.
+ */
+int
+virDriverShouldAutostart(const char *dir,
+                         bool *autostart)
+{
+    VIR_AUTOFREE(char *) path = NULL;
+
+    *autostart = false;
+
+    if (virAsprintf(&path, "%s/autostarted", dir) < 0)
+        return -1;
+
+    if (virFileExists(path)) {
+        VIR_DEBUG("Autostart file %s exists, skipping autostart", path);
+        return 0;
+    }
+
+    VIR_DEBUG("Autostart file %s does not exist, do autostart", path);
+    *autostart = true;
+
+    if (virFileTouch(path, 0600) < 0)
+        return -1;
+
+    return 0;
+}
+
+
+ virThreadLocal connectInterface;
+ virThreadLocal connectNetwork;
+ virThreadLocal connectNWFilter;
+diff --git a/src/driver.h b/src/driver.h
+index 898fb96df4..c52284498e 100644
+--- a/src/driver.h
+++ b/src/driver.h
+@@ -112,6 +112,9 @@ int virDriverLoadModule(const char *name,
+                         const char *regfunc,
+                         bool required);
+ 
+int virDriverShouldAutostart(const char *name,
+                             bool *autostart);
+
+ virConnectPtr virGetConnectInterface(void);
+ virConnectPtr virGetConnectNetwork(void);
+ virConnectPtr virGetConnectNWFilter(void);
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index bbc5144aa2..c1c3974133 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -1337,6 +1337,7 @@ virStreamClass;
+ 
+ 
+ # driver.h
+virDriverShouldAutostart;
+ virGetConnectInterface;
+ virGetConnectNetwork;
+ virGetConnectNodeDev;
@@ -0,0 +1,187 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Sat, 5 Oct 2019 09:15:24 +0200
+Subject: [PATCH] lib: autostart objects exactly once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1755303
+
+With the recent work in daemon split and socket activation
+daemons can come and go. They can and will be started many times
+during a session which results in objects being autostarted
+multiple times. This is not optimal. Use
+virDriverShouldAutostart() to determine if autostart should be
+done or not.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit bab464f8ea54d177e163f32c7c3476220694665c)
+---
+ src/bhyve/bhyve_driver.c     |  8 +++++++-
+ src/libxl/libxl_driver.c     | 10 ++++++++--
+ src/lxc/lxc_driver.c         |  7 ++++++-
+ src/network/bridge_driver.c  | 12 +++++++++---
+ src/qemu/qemu_driver.c       |  7 ++++++-
+ src/storage/storage_driver.c |  7 ++++++-
+ 6 files changed, 42 insertions(+), 9 deletions(-)
+
+diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c
+index 5387ac5570..12788155a8 100644
+--- a/src/bhyve/bhyve_driver.c
+++ b/src/bhyve/bhyve_driver.c
+@@ -1218,6 +1218,8 @@ bhyveStateInitialize(bool privileged,
+                      virStateInhibitCallback callback ATTRIBUTE_UNUSED,
+                      void *opaque ATTRIBUTE_UNUSED)
+ {
+    bool autostart = true;
+
+     if (!privileged) {
+         VIR_INFO("Not running privileged, disabling driver");
+         return 0;
+@@ -1301,7 +1303,11 @@ bhyveStateInitialize(bool privileged,
+ 
+     virBhyveProcessReconnectAll(bhyve_driver);
+ 
+-    bhyveAutostartDomains(bhyve_driver);
+    if (virDriverShouldAutostart(BHYVE_STATE_DIR, &autostart) < 0)
+        goto cleanup;
+
+    if (autostart)
+        bhyveAutostartDomains(bhyve_driver);
+ 
+     return 0;
+ 
+diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
+index 492028c487..c1c94767c3 100644
+--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
+@@ -655,6 +655,7 @@ libxlStateInitialize(bool privileged,
+     libxlDriverConfigPtr cfg;
+     char *driverConf = NULL;
+     char ebuf[1024];
+    bool autostart = true;
+ 
+     if (!libxlDriverShouldLoad(privileged))
+         return 0;
+@@ -800,8 +801,13 @@ libxlStateInitialize(bool privileged,
+                                        NULL, NULL) < 0)
+         goto error;
+ 
+-    virDomainObjListForEach(libxl_driver->domains, libxlAutostartDomain,
+-                            libxl_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart) {
+        virDomainObjListForEach(libxl_driver->domains, libxlAutostartDomain,
+                                libxl_driver);
+    }
+ 
+     virDomainObjListForEach(libxl_driver->domains, libxlDomainManagedSaveLoad,
+                             libxl_driver);
+diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
+index d0b6703101..24e6773f09 100644
+--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
+@@ -1541,6 +1541,7 @@ static int lxcStateInitialize(bool privileged,
+ {
+     virCapsPtr caps = NULL;
+     virLXCDriverConfigPtr cfg = NULL;
+    bool autostart = true;
+ 
+     /* Check that the user is root, silently disable if not */
+     if (!privileged) {
+@@ -1630,7 +1631,11 @@ static int lxcStateInitialize(bool privileged,
+                                        NULL, NULL) < 0)
+         goto cleanup;
+ 
+-    virLXCProcessAutostartAll(lxc_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto cleanup;
+
+    if (autostart)
+        virLXCProcessAutostartAll(lxc_driver);
+ 
+     virObjectUnref(caps);
+     return 0;
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index acaeb5c9a2..b830cdba42 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -716,6 +716,7 @@ networkStateInitialize(bool privileged,
+     int ret = -1;
+     char *configdir = NULL;
+     char *rundir = NULL;
+    bool autostart = true;
+ #ifdef WITH_FIREWALLD
+     DBusConnection *sysbus = NULL;
+ #endif
+@@ -816,9 +817,14 @@ networkStateInitialize(bool privileged,
+     networkReloadFirewallRules(network_driver, true);
+     networkRefreshDaemons(network_driver);
+ 
+-    virNetworkObjListForEach(network_driver->networks,
+-                             networkAutostartConfig,
+-                             network_driver);
+    if (virDriverShouldAutostart(network_driver->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart) {
+        virNetworkObjListForEach(network_driver->networks,
+                                 networkAutostartConfig,
+                                 network_driver);
+    }
+ 
+     network_driver->networkEventState = virObjectEventStateNew();
+ 
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 69416d6d1a..5dd2616c7b 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -726,6 +726,7 @@ qemuStateInitialize(bool privileged,
+     gid_t run_gid = -1;
+     char *hugepagePath = NULL;
+     char *memoryBackingPath = NULL;
+    bool autostart = true;
+     size_t i;
+ 
+     if (VIR_ALLOC(qemu_driver) < 0)
+@@ -1071,7 +1072,11 @@ qemuStateInitialize(bool privileged,
+ 
+     qemuProcessReconnectAll(qemu_driver);
+ 
+-    qemuAutostartDomains(qemu_driver);
+    if (virDriverShouldAutostart(cfg->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart)
+        qemuAutostartDomains(qemu_driver);
+ 
+     return 0;
+ 
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 03ac6a6845..05192027d6 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -253,6 +253,7 @@ storageStateInitialize(bool privileged,
+ {
+     VIR_AUTOFREE(char *) configdir = NULL;
+     VIR_AUTOFREE(char *) rundir = NULL;
+    bool autostart = true;
+ 
+     if (VIR_ALLOC(driver) < 0)
+         return -1;
+@@ -314,7 +315,11 @@ storageStateInitialize(bool privileged,
+ 
+     storagePoolUpdateAllState();
+ 
+-    storageDriverAutostart();
+    if (virDriverShouldAutostart(driver->stateDir, &autostart) < 0)
+        goto error;
+
+    if (autostart)
+        storageDriverAutostart();
+ 
+     driver->storageEventState = virObjectEventStateNew();
+ 
@@ -0,0 +1,34 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Sat, 5 Oct 2019 09:22:15 +0200
+Subject: [PATCH] Revert "src: Document autostart for session demon"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 61b4e8aaf1bce07f282c152de556c3d6aa8d65be.
+
+After previous commits this is no longer needed.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 897d8b34c8577d6e663b7b9bdb17ea4f5f1b83b9)
+---
+ src/libvirt-domain.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 2fe9bb8e91..d01fef358f 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -6693,11 +6693,6 @@ virDomainCreateWithFiles(virDomainPtr domain, unsigned int nfiles,
+  * configured to be automatically started when the host
+  * machine boots.
+  *
+- * Please note that this might result in unexpected behaviour if
+- * used for some session URIs. Since the session daemon is started
+- * with --timeout it comes and goes and as it does so it
+- * autostarts domains which might have been shut off recently.
+- *
+  * Returns -1 in case of error, 0 in case of success
+  */
+ int
@@ -0,0 +1,39 @@
+From: Laine Stump <laine@laine.org>
+Date: Wed, 16 Oct 2019 14:06:54 -0400
+Subject: [PATCH] util: allow sending mac addr to virNetNewLink without ifindex
+
+Although until now, any use of the extra_args argument (a pointer to a
+struct containing extra attributes to add the the RTM_NEWLINK message)
+would always have the ifindex and mac set, so the code could assume it
+was safe to add both to the message if extra_args != NULL. There is
+now a use for setting a MAC address in the RTM_NEWLINK without setting
+the ifindex, so we should check each of these separately.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit b596d6c106cd87d6d452c5dd4ad923a034544fbf)
+---
+ src/util/virnetlink.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virnetlink.c b/src/util/virnetlink.c
+index 7b3c6bf05f..394495ee2b 100644
+--- a/src/util/virnetlink.c
+++ b/src/util/virnetlink.c
+@@ -548,9 +548,14 @@ virNetlinkNewLink(const char *ifname,
+     NETLINK_MSG_NEST_END(nl_msg, linkinfo);
+ 
+     if (extra_args) {
+-        NETLINK_MSG_PUT(nl_msg, IFLA_LINK,
+        if (extra_args->ifindex) {
+            NETLINK_MSG_PUT(nl_msg, IFLA_LINK,
+                         sizeof(uint32_t), extra_args->ifindex);
+-        NETLINK_MSG_PUT(nl_msg, IFLA_ADDRESS, VIR_MAC_BUFLEN, extra_args->mac);
+        }
+        if (extra_args->mac) {
+            NETLINK_MSG_PUT(nl_msg, IFLA_ADDRESS,
+                            VIR_MAC_BUFLEN, extra_args->mac);
+        }
+     }
+ 
+     if (virNetlinkCommand(nl_msg, &resp, &buflen, 0, 0, NETLINK_ROUTE, 0) < 0)
@@ -0,0 +1,213 @@
+From: Laine Stump <laine@laine.org>
+Date: Thu, 17 Oct 2019 21:12:30 -0400
+Subject: [PATCH] util: set bridge device MAC address explicitly during
+ virNetDevBridgeCreate
+
+When libvirt first implemented a stable and configurable MAC address
+for the bridges created for libvirt virtual networks (commit
+5754dbd56d, in libvirt v0.8.8) most distro stable releases didn't
+support explicitly setting the MAC address of a bridge; the bridge
+just always assumed the lowest numbered MAC of all attached
+interfaces. Because of this, we stabilized the bridge MAC address by
+creating a "dummy" tap interface with a MAC address guaranteed to be
+lower than any of the guest tap devices' MACs (which all started with
+0xFE, so it's not difficult to do) and attached it to the bridge -
+this was the inception of the "virbr0-nic" device that has confused so
+many people over the years.
+
+Even though the linux kernel had recently gained support for
+explicitly setting a bridge MAC, we deemed it unnecessary to set the
+MAC that way, because the other (indirect) method worked everywhere.
+
+But recently there have been reports that the bridge MAC address was
+not following the setting in the network config, and mismatched the
+MAC of the dummy tap device (which was still correct). It turns out
+that this is due to a change in systemd-242 that persists whatever MAC
+address is set for a bridge when it's initially started. According to
+the systemd NEWS file entry for version 242
+(https://github.com/systemd/systemd/blob/master/NEWS):
+
+  "if a bridge interface is created without any slaves, and gains
+   a slave later, then now the bridge does not inherit slave's MAC."
+
+This change was the result of:
+
+  https://github.com/systemd/systemd/issues/3374
+
+(apparently if there is no MAC saved for a bridge by the name of a
+bridge being created, the random MAC generated during creation is
+saved, and then that same MAC is used to explicitly set the MAC each
+time it is created). Once a bridge has an explicitly set MAC, the "use
+the lowest numbered MAC of attached devices" rule is ignored, so our
+dummy tap device is like the goggles - it does nothing! (well, almost).
+
+We could whine about changes in default behavior, etc. etc., but
+because the change was in response to actual user problems, that seems
+likely a fruitless task. Fortunately, time has marched on, and even
+distro releases that are old enough that they are no longer supported
+by upstream libvirt (e.g. RHEL6) have support for explicitly setting a
+bridge device MAC address, either during creation or with a separate
+ioctl after creation, so we can now do that.
+
+To enable explicitly setting the mac during bridge creation, we add a
+mac arg to virNetDevBridgeCreate().  In the case of platforms where
+the bridge is created with a netlink RTM_NEWLINK message, we just add
+that mac to the message. For platforms that still use an ioctl (either
+SIOCBRADDBR or SIOCIFCREATE2), we make a separate call to
+virNetDevSetMAC() after creating the bridge.
+
+(NB: I was unable to test the calling of virNetDevSetMAC() from the
+SIOCIFCREATE2 (BSD) version of virNetDevBridgeCreate(); even though I
+managed to get a FreeBSD system setup and libvirt built there, when I
+tried to start the default network the SIOCIFCREATE2 ioctl itself
+failed, so it never even got to the virNetDevSetMAC(). That leaves the
+FreeBSD implementation untested.)
+
+This makes the dummy tap pointless for purposes of setting the MAC
+address, but it is still useful for IPv6 DAD initialization (which
+apparently requires at least one interface to be attached to the
+bridge and online), as well as for setting an initial MTU for the
+bridge, so it hasn't been removed.
+
+(NB: we can safely *always* call virNetDevBridgeCreate() with
+&def->mac from the network driver because, in spite of the existence
+of a "mac_specified" bool in the config suggesting that it may not
+always be present, in reality a mac address will always be added to
+any network that doesn't have one - this is guaranteed in all cases by
+commit a47ae7c004)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1760851
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 13ec827052fcd79a4350f499aab5f4aa20ea83fa)
+---
+ src/network/bridge_driver.c |  2 +-
+ src/util/virnetdevbridge.c  | 44 ++++++++++++++++++++++++++++++-------
+ src/util/virnetdevbridge.h  |  3 ++-
+ 3 files changed, 39 insertions(+), 10 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index b830cdba42..d5c544f556 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -2510,7 +2510,7 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,
+                        def->name);
+         return -1;
+     }
+-    if (virNetDevBridgeCreate(def->bridge) < 0)
+    if (virNetDevBridgeCreate(def->bridge, &def->mac) < 0)
+         return -1;
+ 
+     if (def->mac_specified) {
+diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
+index 4f21a82fb7..368ce912d1 100644
+--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
+@@ -379,7 +379,8 @@ virNetDevBridgePortSetUnicastFlood(const char *brname ATTRIBUTE_UNUSED,
+  */
+ #if defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+ static int
+-virNetDevBridgeCreateWithIoctl(const char *brname)
+virNetDevBridgeCreateWithIoctl(const char *brname,
+                               const virMacAddr *mac)
+ {
+     VIR_AUTOCLOSE fd = -1;
+ 
+@@ -392,22 +393,36 @@ virNetDevBridgeCreateWithIoctl(const char *brname)
+         return -1;
+     }
+ 
+    if (virNetDevSetMAC(brname, mac) < 0) {
+        virErrorPtr savederr;
+
+        virErrorPreserveLast(&savederr);
+        ignore_value(ioctl(fd, SIOCBRDELBR, brname));
+        virErrorRestore(&savederr);
+        return -1;
+    }
+
+     return 0;
+ }
+ #endif
+ 
+ #if defined(__linux__) && defined(HAVE_LIBNL)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+     /* use a netlink RTM_NEWLINK message to create the bridge */
+     int error = 0;
+    virNetlinkNewLinkData data = {
+        .mac = mac,
+    };
+
+ 
+-    if (virNetlinkNewLink(brname, "bridge", NULL, &error) < 0) {
+    if (virNetlinkNewLink(brname, "bridge", &data, &error) < 0) {
+ # if defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+         if (error == -EOPNOTSUPP) {
+             /* fallback to ioctl if netlink doesn't support creating bridges */
+-            return virNetDevBridgeCreateWithIoctl(brname);
+            return virNetDevBridgeCreateWithIoctl(brname, mac);
+         }
+ # endif
+         if (error < 0)
+@@ -423,15 +438,17 @@ virNetDevBridgeCreate(const char *brname)
+ 
+ #elif defined(HAVE_STRUCT_IFREQ) && defined(SIOCBRADDBR)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+-    return virNetDevBridgeCreateWithIoctl(brname);
+    return virNetDevBridgeCreateWithIoctl(brname, mac);
+ }
+ 
+ 
+ #elif defined(HAVE_STRUCT_IFREQ) && defined(SIOCIFCREATE2)
+ int
+-virNetDevBridgeCreate(const char *brname)
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac)
+ {
+     struct ifreq ifr;
+     VIR_AUTOCLOSE s = -1;
+@@ -448,10 +465,21 @@ virNetDevBridgeCreate(const char *brname)
+     if (virNetDevSetName(ifr.ifr_name, brname) == -1)
+         return -1;
+ 
+    if (virNetDevSetMAC(brname, mac) < 0) {
+        virErrorPtr savederr;
+
+        virErrorPreserveLast(&savederr);
+        ignore_value(virNetDevBridgeDelete(brname));
+        virErrorRestore(&savederr);
+        return -1;
+    }
+
+     return 0;
+ }
+ #else
+-int virNetDevBridgeCreate(const char *brname)
+int
+virNetDevBridgeCreate(const char *brname,
+                      const virMacAddr *mac G_GNUC_UNUSED)
+ {
+     virReportSystemError(ENOSYS,
+                          _("Unable to create bridge %s"), brname);
+diff --git a/src/util/virnetdevbridge.h b/src/util/virnetdevbridge.h
+index 8df5e51c2e..2a2bde8d0e 100644
+--- a/src/util/virnetdevbridge.h
+++ b/src/util/virnetdevbridge.h
+@@ -21,7 +21,8 @@
+ #include "internal.h"
+ #include "virmacaddr.h"
+ 
+-int virNetDevBridgeCreate(const char *brname)
+int virNetDevBridgeCreate(const char *brname,
+                          const virMacAddr *mac)
+     ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK;
+ int virNetDevBridgeDelete(const char *brname)
+     ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK;
@@ -0,0 +1,122 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Mon, 14 Oct 2019 16:37:03 +0200
+Subject: [PATCH] virhostuptime: Add linux stub for musl
+
+When we want to know the boot timestamp of the host, we can call
+virHostGetBootTime(). Under the hood, it uses getutxid() which is
+defined by POSIX and properly check for in configure. However,
+musl took a path where it declares the function but instead of
+providing any useful implementation it returns NULL meaning "no
+record found". If that's the case, use our second best option -
+/proc/uptime and a bit of maths.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1760885
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 070d6969fe912b8f2e9aadee88c6bdda00a65f4f)
+Signed-off-by: rpm-build <rpm-build>
+
+Conflicts:
+po/POTFILES.in
+---
+ src/util/virhostuptime.c | 62 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 59 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index 62b781acd5..a203961996 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -25,16 +25,68 @@
+ #endif
+ 
+ #include "virhostuptime.h"
+#include "viralloc.h"
+#include "virfile.h"
+#include "virlog.h"
+#include "virstring.h"
+#include "virtime.h"
+ #include "virthread.h"
+ 
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("util.virhostuptime");
+
+ static unsigned long long bootTime;
+ static int bootTimeErrno;
+ static virOnceControl virHostGetBootTimeOnce = VIR_ONCE_CONTROL_INITIALIZER;
+ 
+-#ifdef HAVE_GETUTXID
+#if defined(__linux__)
+# define UPTIME_FILE  "/proc/uptime"
+static int
+virHostGetBootTimeProcfs(unsigned long long *btime)
+{
+    unsigned long long now;
+    double up;
+    VIR_AUTOFREE(char *) buf = NULL;
+    char *tmp;
+
+    if (virTimeMillisNow(&now) < 0)
+        return -errno;
+
+    /* 1KiB limit is more than enough. */
+    if (virFileReadAll(UPTIME_FILE, 1024, &buf) < 0)
+        return -errno;
+
+    /* buf contains two doubles now:
+     *   $uptime $idle_time
+     * We're interested only in the first one */
+    if (!(tmp = strchr(buf, ' '))) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("uptime file has unexpected format '%s'"),
+                       buf);
+        return -EINVAL;
+    }
+
+    *tmp = '\0';
+
+    if (virStrToDouble(buf, NULL, &up) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to parse uptime value '%s'"),
+                       buf);
+        return -EINVAL;
+    }
+
+    *btime = now / 1000 - up + 0.5;
+
+    return 0;
+}
+#endif /* defined(__linux__) */
+
+#if defined(HAVE_GETUTXID) || defined(__linux__)
+ static void
+ virHostGetBootTimeOnceInit(void)
+ {
+# ifdef HAVE_GETUTXID
+     struct utmpx id = {.ut_type = BOOT_TIME};
+     struct utmpx *res = NULL;
+ 
+@@ -45,16 +97,20 @@ virHostGetBootTimeOnceInit(void)
+     }
+ 
+     endutxent();
+# endif /* HAVE_GETUTXID */
+
+    if (bootTimeErrno != 0 || bootTime == 0)
+        bootTimeErrno = -virHostGetBootTimeProcfs(&bootTime);
+ }
+ 
+-#else /* !HAVE_GETUTXID */
+#else /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
+ 
+ static void
+ virHostGetBootTimeOnceInit(void)
+ {
+     bootTimeErrno = ENOSYS;
+ }
+-#endif /* HAVE_GETUTXID */
+#endif /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
+ 
+ /**
+  * virHostGetBootTime:
@@ -0,0 +1,31 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 14 Nov 2019 16:42:51 +0100
+Subject: [PATCH] virhostuptime: Wrap virHostGetBootTimeProcfs() call in an
+ ifdef
+
+The virHostGetBootTimeProcfs() function is defined only for Linux
+and therefore it's only call should also be done if we're on
+Linux.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 1b0de07f41bbe0d23ab96b604428ae55fd22aec0)
+Signed-off-by: rpm-build <rpm-build>
+---
+ src/util/virhostuptime.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index a203961996..94004d05db 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -99,8 +99,10 @@ virHostGetBootTimeOnceInit(void)
+     endutxent();
+ # endif /* HAVE_GETUTXID */
+ 
+# ifdef __linux__
+     if (bootTimeErrno != 0 || bootTime == 0)
+         bootTimeErrno = -virHostGetBootTimeProcfs(&bootTime);
+# endif /* __linux__ */
+ }
+ 
+ #else /* !defined(HAVE_GETUTXID) && !defined(__linux__) */
@@ -0,0 +1,71 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 19 Dec 2019 10:11:04 +0100
+Subject: [PATCH] virhostuptime: Introduce virHostBootTimeInit()
+
+The idea is to offer callers an init function that they can call
+independently to ensure that the global variables get
+initialized.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 9d69bc19b94544b06838b2e2895826991d107178)
+Signed-off-by: rpm-build <rpm-build>
+
+Conflicts:
+	src/util/virhostuptime.h
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virhostuptime.c | 12 +++++++++++-
+ src/util/virhostuptime.h |  3 +++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index c1c3974133..fbd1c25597 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -2136,6 +2136,7 @@ virHostMemSetParameters;
+ 
+ 
+ # util/virhostuptime.h
+virHostBootTimeInit;
+ virHostGetBootTime;
+ 
+ 
+diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c
+index 94004d05db..d82e268264 100644
+--- a/src/util/virhostuptime.c
+++ b/src/util/virhostuptime.c
+@@ -126,7 +126,7 @@ virHostGetBootTimeOnceInit(void)
+ int
+ virHostGetBootTime(unsigned long long *when)
+ {
+-    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+    if (virHostBootTimeInit() < 0)
+         return -1;
+ 
+     if (bootTimeErrno) {
+@@ -137,3 +137,13 @@ virHostGetBootTime(unsigned long long *when)
+     *when = bootTime;
+     return 0;
+ }
+
+
+int
+virHostBootTimeInit(void)
+{
+    if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0)
+        return -1;
+
+    return 0;
+}
+diff --git a/src/util/virhostuptime.h b/src/util/virhostuptime.h
+index 03c1517a64..0886b03767 100644
+--- a/src/util/virhostuptime.h
+++ b/src/util/virhostuptime.h
+@@ -25,3 +25,6 @@
+ int
+ virHostGetBootTime(unsigned long long *when)
+     ATTRIBUTE_NOINLINE;
+
+int
+virHostBootTimeInit(void);
@@ -0,0 +1,54 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 17 Dec 2019 14:08:42 +0100
+Subject: [PATCH] remote_daemon: Initialize host boot time global variable
+
+This is not strictly needed, but it makes sure we initialize the
+@bootTime global variable. Thing is, in order to validate XATTRs
+and prune those set in some previous runs of the host, a
+timestamp is recorded in XATTRs. The host boot time was unique
+enough so it was chosen as the timestamp value. And to avoid
+querying and parsing /proc/uptime every time, the query function
+does that only once and stores the boot time in a global
+variable. However, the only time the query function is called is
+in a child process that does lock files and changes seclabels. So
+effectively, we are doing exactly what we wanted to prevent from
+happening.
+
+The fix is simple, call the virHostBootTimeInit() function which
+sets the global variable.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 35d603d5ae0abe91b8b48203c5b7051b1800682b)
+Signed-off-by: rpm-build <rpm-build>
+---
+ src/remote/remote_daemon.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index 6b5a6c1523..43f9527405 100644
+--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
+@@ -57,6 +57,7 @@
+ #include "virgettext.h"
+ #include "util/virnetdevopenvswitch.h"
+ #include "virsystemd.h"
+#include "virhostuptime.h"
+ 
+ #include "driver.h"
+ 
+@@ -1088,6 +1089,14 @@ int main(int argc, char **argv) {
+         exit(EXIT_FAILURE);
+     }
+ 
+    /* Let's try to initialize global variable that holds the host's boot time. */
+    if (virHostBootTimeInit() < 0) {
+        /* This is acceptable failure. Maybe we won't need the boot time
+         * anyway, and if we do, then virHostGetBootTime() returns an
+         * appropriate error. */
+        VIR_DEBUG("Ignoring failed boot time init");
+    }
+
+     daemonSetupNetDevOpenvswitch(config);
+ 
+     if (daemonSetupAccessManager(config) < 0) {
@@ -0,0 +1,55 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 7 May 2020 22:32:59 -0400
+Subject: [PATCH] network: make it safe to call networkSetupPrivateChains()
+ multiple times
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+networkSetupPrivateChains() is currently called only once per run of
+libvirtd, so it can assume that errInitV4 and errInitV6 are empty/null
+when it is called. In preparation for potentially calling this
+function multiple times during one run, this patch moves the reset of
+errInitV[46] to the top of the function, to assure no memory is
+leaked.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit de110f110fb917a31b9f33ad8e4b3c1d3284766a)
+---
+ src/network/bridge_driver_linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
+index 35459c10d1..f4e4e2df76 100644
+--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
+@@ -48,6 +48,10 @@ static void networkSetupPrivateChains(void)
+     VIR_DEBUG("Setting up global firewall chains");
+ 
+     createdChains = false;
+    virFreeError(errInitV4);
+    errInitV4 = NULL;
+    virFreeError(errInitV6);
+    errInitV6 = NULL;
+ 
+     rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
+     if (rc < 0) {
+@@ -56,8 +60,6 @@ static void networkSetupPrivateChains(void)
+         errInitV4 = virSaveLastError();
+         virResetLastError();
+     } else {
+-        virFreeError(errInitV4);
+-        errInitV4 = NULL;
+         if (rc) {
+             VIR_DEBUG("Created global IPv4 chains");
+             createdChains = true;
+@@ -73,8 +75,6 @@ static void networkSetupPrivateChains(void)
+         errInitV6 = virSaveLastError();
+         virResetLastError();
+     } else {
+-        virFreeError(errInitV6);
+-        errInitV6 = NULL;
+         if (rc) {
+             VIR_DEBUG("Created global IPv6 chains");
+             createdChains = true;
@@ -0,0 +1,265 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 7 May 2020 21:54:39 -0400
+Subject: [PATCH] network: force re-creation of iptables private chains on
+ firewalld restart
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When firewalld is stopped, it removes *all* iptables rules and chains,
+including those added by libvirt. Since restarting firewalld means
+stopping and then starting it, any time it is restarted, libvirt needs
+to recreate all the private iptables chains it uses, along with all
+the rules it adds.
+
+We already have code in place to call networkReloadFirewallRules() any
+time we're notified of a firewalld start, and
+networkReloadFirewallRules() will call
+networkPreReloadFirewallRules(), which calls
+networkSetupPrivateChains(); unfortunately that last call is called
+using virOnce(), meaning that it will only be called the first time
+through networkPreReloadFirewallRules() after libvirtd starts - so of
+course when firewalld is later restarted, the call to
+networkSetupPrivateChains() is skipped.
+
+The neat and tidy way to fix this would be if there was a standard way
+to reset a pthread_once_t object so that the next time virOnce was
+called, it would think the function hadn't been called, and call it
+again. Unfortunately, there isn't any official way of doing that (we
+*could* just fill it with 0 and hope for the best, but that doesn't
+seem very safe.
+
+So instead, this patch just adds a static variable called
+chainInitDone, which is set to true after networkSetupPrivateChains()
+is called for the first time, and then during calls to
+networkPreReloadFirewallRules(), if chainInitDone is set, we call
+networkSetupPrivateChains() directly instead of via virOnce().
+
+It may seem unsafe to directly call a function that is meant to be
+called only once, but I think in this case we're safe - there's
+nothing in the function that is inherently "once only" - it doesn't
+initialize anything that can't safely be re-initialized (as long as
+two threads don't try to do it at the same time), and it only happens
+when responding to a dbus message that firewalld has been started (and
+I don't think it's possible for us to be processing two of those at
+once), and even then only if the initial call to the function has
+already been completed (so we're safe if we receive a firewalld
+restart call at a time when we haven't yet called it, or even if
+another thread is already in the process of executing it. The only
+problematic bit I can think of is if another thread is in the process
+of adding an iptable rule at the time we're executing this function,
+but 1) none of those threads will be trying to add chains, and 2) if
+there was a concurrency problem with other threads adding iptables
+rules while firewalld was being restarted, it would still be a problem
+even without this change.
+
+This is yet another patch that fixes an occurrence of this error:
+
+COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
+
+In particular, this resolves: https://bugzilla.redhat.com/1813830
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit f5418b427e7d2f26803880309478de9103680826)
+---
+ src/network/bridge_driver.c          | 16 ++++---
+ src/network/bridge_driver_linux.c    | 69 ++++++++++++++++++----------
+ src/network/bridge_driver_nop.c      |  3 +-
+ src/network/bridge_driver_platform.h |  2 +-
+ 4 files changed, 58 insertions(+), 32 deletions(-)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index d5c544f556..981b4e4578 100644
+--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
+@@ -289,7 +289,9 @@ static int
+ networkShutdownNetworkExternal(virNetworkObjPtr obj);
+ 
+ static void
+-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);
+networkReloadFirewallRules(virNetworkDriverStatePtr driver,
+                           bool startup,
+                           bool force);
+ 
+ static void
+ networkRefreshDaemons(virNetworkDriverStatePtr driver);
+@@ -695,7 +697,7 @@ firewalld_dbus_filter_bridge(DBusConnection *connection ATTRIBUTE_UNUSED,
+ 
+     if (reload) {
+         VIR_DEBUG("Reload in bridge_driver because of firewalld.");
+-        networkReloadFirewallRules(driver, false);
+        networkReloadFirewallRules(driver, false, true);
+     }
+ 
+     return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+@@ -814,7 +816,7 @@ networkStateInitialize(bool privileged,
+     virNetworkObjListPrune(network_driver->networks,
+                            VIR_CONNECT_LIST_NETWORKS_INACTIVE |
+                            VIR_CONNECT_LIST_NETWORKS_TRANSIENT);
+-    networkReloadFirewallRules(network_driver, true);
+    networkReloadFirewallRules(network_driver, true, false);
+     networkRefreshDaemons(network_driver);
+ 
+     if (virDriverShouldAutostart(network_driver->stateDir, &autostart) < 0)
+@@ -884,7 +886,7 @@ networkStateReload(void)
+                                 network_driver->networkConfigDir,
+                                 network_driver->networkAutostartDir,
+                                 network_driver->xmlopt);
+-    networkReloadFirewallRules(network_driver, false);
+    networkReloadFirewallRules(network_driver, false, false);
+     networkRefreshDaemons(network_driver);
+     virNetworkObjListForEach(network_driver->networks,
+                              networkAutostartConfig,
+@@ -2267,14 +2269,16 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr obj,
+ 
+ 
+ static void
+-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
+networkReloadFirewallRules(virNetworkDriverStatePtr driver,
+                           bool startup,
+                           bool force)
+ {
+     VIR_INFO("Reloading iptables rules");
+     /* Ideally we'd not even register the driver when unprivilegd
+      * but until we untangle the virt driver that's not viable */
+     if (!driver->privileged)
+         return;
+-    networkPreReloadFirewallRules(driver, startup);
+    networkPreReloadFirewallRules(driver, startup, force);
+     virNetworkObjListForEach(driver->networks,
+                              networkReloadFirewallRulesHelper,
+                              NULL);
+diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
+index f4e4e2df76..f65928e556 100644
+--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
+@@ -36,11 +36,14 @@ VIR_LOG_INIT("network.bridge_driver_linux");
+ #define PROC_NET_ROUTE "/proc/net/route"
+ 
+ static virOnceControl createdOnce;
+-static bool createdChains;
+static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
+static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */
+ static virErrorPtr errInitV4;
+ static virErrorPtr errInitV6;
+ 
+-/* Only call via virOnce */
+/* Usually only called via virOnce, but can also be called directly in
+ * response to firewalld reload (if chainInitDone == true)
+ */
+ static void networkSetupPrivateChains(void)
+ {
+     int rc;
+@@ -82,6 +85,8 @@ static void networkSetupPrivateChains(void)
+             VIR_DEBUG("Global IPv6 chains already exist");
+         }
+     }
+
+    chainInitDone = true;
+ }
+ 
+ 
+@@ -111,7 +116,10 @@ networkHasRunningNetworks(virNetworkDriverStatePtr driver)
+ }
+ 
+ 
+-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
+void
+networkPreReloadFirewallRules(virNetworkDriverStatePtr driver,
+                              bool startup,
+                              bool force)
+ {
+     /*
+      * If there are any running networks, we need to
+@@ -130,29 +138,42 @@ void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup
+      * of starting the network though as that makes them
+      * more likely to be seen by a human
+      */
+-    if (!networkHasRunningNetworks(driver)) {
+-        VIR_DEBUG("Delayed global rule setup as no networks are running");
+-        return;
+-    }
+    if (chainInitDone && force) {
+        /* The Private chains have already been initialized once
+         * during this run of libvirtd, so 1) we can't do it again via
+         * virOnce(), and 2) we need to re-add the private chains even
+         * if there are currently no running networks, because the
+         * next time a network is started, libvirt will expect that
+         * the chains have already been added. So we call directly
+         * instead of via virOnce().
+         */
+        networkSetupPrivateChains();
+ 
+-    ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
+    } else {
+        if (!networkHasRunningNetworks(driver)) {
+            VIR_DEBUG("Delayed global rule setup as no networks are running");
+            return;
+        }
+ 
+-    /*
+-     * If this is initial startup, and we just created the
+-     * top level private chains we either
+-     *
+-     *   - upgraded from old libvirt
+-     *   - freshly booted from clean state
+-     *
+-     * In the first case we must delete the old rules from
+-     * the built-in chains, instead of our new private chains.
+-     * In the second case it doesn't matter, since no existing
+-     * rules will be present. Thus we can safely just tell it
+-     * to always delete from the builin chain
+-     */
+-    if (startup && createdChains) {
+-        VIR_DEBUG("Requesting cleanup of legacy firewall rules");
+-        iptablesSetDeletePrivate(false);
+        ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
+
+        /*
+         * If this is initial startup, and we just created the
+         * top level private chains we either
+         *
+         *   - upgraded from old libvirt
+         *   - freshly booted from clean state
+         *
+         * In the first case we must delete the old rules from
+         * the built-in chains, instead of our new private chains.
+         * In the second case it doesn't matter, since no existing
+         * rules will be present. Thus we can safely just tell it
+         * to always delete from the builin chain
+         */
+        if (startup && createdChains) {
+            VIR_DEBUG("Requesting cleanup of legacy firewall rules");
+            iptablesSetDeletePrivate(false);
+        }
+     }
+ }
+ 
+diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
+index ec7b1ed8b7..74a9b87158 100644
+--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
+@@ -20,7 +20,8 @@
+ #include <config.h>
+ 
+ void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver ATTRIBUTE_UNUSED,
+-                                   bool startup ATTRIBUTE_UNUSED)
+                                   bool startup ATTRIBUTE_UNUSED,
+                                   bool force ATTRIBUTE_UNUSED)
+ {
+ }
+ 
+diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
+index 169417a6c0..48ab52c160 100644
+--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
+@@ -62,7 +62,7 @@ struct _virNetworkDriverState {
+ typedef struct _virNetworkDriverState virNetworkDriverState;
+ typedef virNetworkDriverState *virNetworkDriverStatePtr;
+ 
+-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);
+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup, bool force);
+ void networkPostReloadFirewallRules(bool startup);
+ 
+ int networkCheckRouteCollision(virNetworkDefPtr def);
@@ -0,0 +1,85 @@
+From: Laine Stump <laine@redhat.com>
+Date: Fri, 1 May 2020 00:05:50 -0400
+Subject: [PATCH] systemd: start libvirtd after firewalld/iptables services
+
+When a system has enabled the iptables/ip6tables services rather than
+firewalld, there is no explicit ordering of the start of those
+services vs. libvirtd. This creates a problem when libvirtd.service is
+started before ip[6]tables, as the latter, when it finally is started,
+will remove all of the iptables rules that had previously been added
+by libvirt, including the custom chains where libvirt's rules are
+kept. This results in an error message similar to the following when a
+user subsequently tries to start a new libvirt network:
+
+ "Error while activating network: Call to virNetworkCreate failed:
+ internal error: Failed to apply firewall rules
+ /usr/sbin/ip6tables -w --table filter --insert LIBVIRT_FWO \
+   --in-interface virbr2 --jump REJECT:
+ ip6tables: No chain/target/match by that name."
+
+(Prior to logging this error, it also would have caused failure to
+forward (or block) traffic in some cases, e.g. for guests on a NATed
+network, since libvirt's rules to forward/block had all been deleted
+and libvirt didn't know about it, so it couldn't fix the problem)
+
+When this happens, the problem can be remedied by simply restarting
+libvirtd.service (which has the side-effect of reloading all
+libvirt-generated firewall rules)
+
+Instead, we can just explicitly stating in the libvirtd.service file
+that libvirtd.service should start after ip6tables.service and
+ip6tables.service, eliminating the race condition that leads to the
+error.
+
+There is also nothing (that I can see) in the systemd .service files
+to guarantee that firewalld.service will be started (if enabled) prior
+to libvirtd.service. The same error scenario given above would occur
+if libvirtd.service started before firewalld.service.  Even before
+that, though libvirtd would have detected that firewalld.service was
+disabled, and then turn off all firewalld support. So, for example,
+firewalld's libvirt zone wouldn't be used, and most likely traffic
+from guests would therefore be blocked (all with no external
+indication of the source of the problem other than a debug-level log
+when libvirtd was started saying that firewalld wasn't in use); also
+libvirtd wouldn't notice when firewalld reloaded its rules (which also
+simultaneously deletes all of libvirt's rules).
+
+I'm not aware of any reports that have been traced back to
+libvirtd.service starting before firewalld.service, but have seen that
+error reported multiple times, and also don't see an existing
+dependency that would guarantee firewalld.service starts before
+libvirtd.service, so it's possible it's been happening and we just
+haven't gotten to the bottom of it.
+
+This patch adds an After= line to the libvirtd.service file for each
+of iptables.service, ip6tables.service, and firewalld.servicee, which
+should guarantee that libvirtd.service isn't started until systemd has
+started whichever of the others is enabled.
+
+This race was diagnosed, and patch proposed, by Jason Montleon in
+https://bugzilla.redhat.com/1723698 . At the time (April 2019) danpb
+agreed with him that this change to libvirtd.service was a reasonable
+thing to do, but I guess everyone thought someone else was going to
+post a patch, so in the end nobody did.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 0756415f147dda15a417bd79eef9a62027d176e6)
+---
+ src/remote/libvirtd.service.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index d5d98f0c12..ada5be62e6 100644
+--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
+@@ -11,6 +11,9 @@ Wants=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
+After=firewalld.service
+After=iptables.service
+After=ip6tables.service
+ After=dbus.service
+ After=iscsid.service
+ After=apparmor.service
@@ -0,0 +1,41 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 19 Feb 2020 08:40:59 +0100
+Subject: [PATCH] qemuDomainGetStatsIOThread: Don't leak array with 0 iothreads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+qemuMonitorGetIOThreads returns a NULL-terminated list even when 0
+iothreads are present. The caller didn't perform cleanup if there were 0
+iothreads leaking the array.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1804548
+
+Fixes: d1eac92784573559b6fd56836e33b215c89308e3
+Reported-by: Jing Yan <jiyan@redhat.com>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581)
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 5dd2616c7b..331e53b971 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -21632,8 +21632,12 @@ qemuDomainGetStatsIOThread(virQEMUDriverPtr driver,
+     if ((niothreads = qemuDomainGetIOThreadsMon(driver, dom, &iothreads)) < 0)
+         return -1;
+ 
+-    if (niothreads == 0)
+-        return 0;
+    /* qemuDomainGetIOThreadsMon returns a NULL-terminated list, so we must free
+     * it even if it returns 0 */
+    if (niothreads == 0) {
+        ret = 0;
+        goto cleanup;
+    }
+ 
+     QEMU_ADD_COUNT_PARAM(record, maxparams, "iothread", niothreads);
+ 
@@ -0,0 +1,47 @@
+From: Yi Li <yili@winhong.com>
+Date: Sat, 21 Dec 2019 08:33:33 +0800
+Subject: [PATCH] storage: Fix daemon crash on lookup storagepool by targetpath
+
+Causing a crash when storagePoolLookupByTargetPath beacuse of
+Some types of storage pool have no target elements.
+Use STREQ_NULLABLE instead of STREQ
+Avoids segfaults when using NULL arguments.
+
+Core was generated by `/usr/sbin/libvirtd'.
+Program terminated with signal 11, Segmentation fault.
+(gdb) bt
+0  0x0000ffff9e951388 in strcmp () from /lib64/libc.so.6
+1  0x0000ffff92103e9c in storagePoolLookupByTargetPathCallback (
+    obj=0xffff7009aab0, opaque=0xffff801058b0) at storage/storage_driver.c:1649
+2  0x0000ffff9f2c52a4 in virStoragePoolObjListSearchCb (
+    payload=0xffff801058b0, name=<optimized out>, opaque=<optimized out>)
+    at conf/virstorageobj.c:476
+3  0x0000ffff9f1f2f7c in virHashSearch (ctable=0xffff800f4f60,
+    iter=iter@entry=0xffff9f2c5278 <virStoragePoolObjListSearchCb>,
+    data=data@entry=0xffff95af7488, name=name@entry=0x0) at util/virhash.c:696
+4  0x0000ffff9f2c64f0 in virStoragePoolObjListSearch (pools=0xffff800f2ce0,
+    searcher=searcher@entry=0xffff92103e68 <storagePoolLookupByTargetPathCallback>,
+     opaque=<optimized out>) at conf/virstorageobj.c:505
+5  0x0000ffff92101f54 in storagePoolLookupByTargetPath (conn=0xffff5c0009f0,
+path=0xffff7009a850 "/vms/images") at storage/storage_driver.c:1672
+
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Yi Li <yili@winhong.com>
+(cherry picked from commit dfff16a7c261f8d28e3abe60a47165f845fa952f)
+---
+ src/storage/storage_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 05192027d6..d878b0be92 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -1675,7 +1675,7 @@ storagePoolLookupByTargetPathCallback(virStoragePoolObjPtr obj,
+         return false;
+ 
+     def = virStoragePoolObjGetDef(obj);
+-    return STREQ(path, def->target.path);
+    return STREQ_NULLABLE(path, def->target.path);
+ }
+ 
+ 
@@ -0,0 +1,168 @@
+From: Jonathon Jongsma <jjongsma@redhat.com>
+Date: Thu, 5 Dec 2019 10:08:52 -0600
+Subject: [PATCH] qemu: don't hold both jobs for suspend
+
+We have to assume that the guest agent may be malicious so we don't want
+to allow any agent queries to block any other libvirt API. By holding a
+monitor job while we're querying the agent, we open ourselves up to a
+DoS.
+
+So split the function up a bit to only hold the monitor job while
+querying qemu for whether the domain supports suspend. Then acquire only
+an agent job while issuing the agent suspend command.
+
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit a663a860819287e041c3de672aad1d8543098ecc)
+---
+ src/qemu/qemu_driver.c | 94 ++++++++++++++++++++++++++----------------
+ 1 file changed, 59 insertions(+), 35 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 331e53b971..96c0b3505a 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -19867,6 +19867,59 @@ qemuDomainProbeQMPCurrentMachine(virQEMUDriverPtr driver,
+ }
+ 
+ 
+/* returns -1 on error, or if query is not supported, 0 if query was successful */
+static int
+qemuDomainQueryWakeupSuspendSupport(virQEMUDriverPtr driver,
+                                    virDomainObjPtr vm,
+                                    bool *wakeupSupported)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret = -1;
+
+    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+        return -1;
+
+    if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
+        return -1;
+
+    if ((ret = virDomainObjCheckActive(vm)) < 0)
+        goto endjob;
+
+    ret = qemuDomainProbeQMPCurrentMachine(driver, vm, wakeupSupported);
+
+ endjob:
+    qemuDomainObjEndJob(driver, vm);
+    return ret;
+}
+
+
+static int
+qemuDomainPMSuspendAgent(virQEMUDriverPtr driver,
+                         virDomainObjPtr vm,
+                         unsigned int target)
+{
+    qemuAgentPtr agent;
+    int ret = -1;
+
+    if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
+        return -1;
+
+    if ((ret = virDomainObjCheckActive(vm)) < 0)
+        goto endjob;
+
+    if (!qemuDomainAgentAvailable(vm, true))
+        goto endjob;
+
+    agent = qemuDomainObjEnterAgent(vm);
+    ret = qemuAgentSuspend(agent, target);
+    qemuDomainObjExitAgent(vm, agent);
+
+ endjob:
+    qemuDomainObjEndAgentJob(vm);
+    return ret;
+}
+
+
+ static int
+ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+                                unsigned int target,
+@@ -19874,11 +19927,9 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+                                unsigned int flags)
+ {
+     virQEMUDriverPtr driver = dom->conn->privateData;
+-    qemuDomainObjPrivatePtr priv;
+     virDomainObjPtr vm;
+-    qemuAgentPtr agent;
+-    qemuDomainJob job = QEMU_JOB_NONE;
+     int ret = -1;
+    bool wakeupSupported;
+ 
+     virCheckFlags(0, -1);
+ 
+@@ -19903,17 +19954,6 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+     if (virDomainPMSuspendForDurationEnsureACL(dom->conn, vm->def) < 0)
+         goto cleanup;
+ 
+-    priv = vm->privateData;
+-
+-    if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+-        job = QEMU_JOB_MODIFY;
+-
+-    if (qemuDomainObjBeginJobWithAgent(driver, vm, job, QEMU_AGENT_JOB_MODIFY) < 0)
+-        goto cleanup;
+-
+-    if (virDomainObjCheckActive(vm) < 0)
+-        goto endjob;
+-
+     /*
+      * The case we want to handle here is when QEMU has the API (i.e.
+      * QEMU_CAPS_QUERY_CURRENT_MACHINE is set). Otherwise, do not interfere
+@@ -19921,16 +19961,11 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+      * that don't know about this cap, will keep their old behavior of
+      * suspending 'in the dark'.
+      */
+-    if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) {
+-        bool wakeupSupported;
+-
+-        if (qemuDomainProbeQMPCurrentMachine(driver, vm, &wakeupSupported) < 0)
+-            goto endjob;
+-
+    if (qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported) == 0) {
+         if (!wakeupSupported) {
+             virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                            _("Domain does not have suspend support"));
+-            goto endjob;
+            goto cleanup;
+         }
+     }
+ 
+@@ -19940,29 +19975,18 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+              target == VIR_NODE_SUSPEND_TARGET_HYBRID)) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("S3 state is disabled for this domain"));
+-            goto endjob;
+            goto cleanup;
+         }
+ 
+         if (vm->def->pm.s4 == VIR_TRISTATE_BOOL_NO &&
+             target == VIR_NODE_SUSPEND_TARGET_DISK) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("S4 state is disabled for this domain"));
+-            goto endjob;
+            goto cleanup;
+         }
+     }
+ 
+-    if (!qemuDomainAgentAvailable(vm, true))
+-        goto endjob;
+-
+-    agent = qemuDomainObjEnterAgent(vm);
+-    ret = qemuAgentSuspend(agent, target);
+-    qemuDomainObjExitAgent(vm, agent);
+-
+- endjob:
+-    if (job)
+-        qemuDomainObjEndJobWithAgent(driver, vm);
+-    else
+-        qemuDomainObjEndAgentJob(vm);
+    ret = qemuDomainPMSuspendAgent(driver, vm, target);
+ 
+  cleanup:
+     virDomainObjEndAPI(&vm);
@@ -1,21 +0,0 @@
-# Makefile for source rpm: libvirt
-# $Id$
-NAME := libvirt
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
@@ -1,33 +0,0 @@
--- src/qemu_conf.c.orig	2009-05-29 19:24:59.000000000 +0200
-+++ src/qemu_conf.c	2009-05-29 19:19:39.000000000 +0200
-@@ -792,6 +792,20 @@ int qemudBuildCommandLine(virConnectPtr 
-     char uuid[VIR_UUID_STRING_BUFLEN];
-     char domid[50];
-     const char *cpu = NULL;
-+    int skipSound = 0;
-+
-+    if (driver->securityDriver &&
-+        driver->securityDriver->name &&
-+        STREQ(driver->securityDriver->name, "selinux") &&
-+        getuid() == 0) {
-+        static int soundWarned = 0; 
-+        skipSound = 1;
-+        if (def->nsounds &&
-+            !soundWarned) {
-+            soundWarned = 1;
-+            VIR_WARN0("Sound cards for VMs are disabled while SELinux security model is active");
-+        }
-+    }
- 
-     uname_normalize(&ut);
- 
-@@ -1429,7 +1443,8 @@ int qemudBuildCommandLine(virConnectPtr 
-     }
- 
-     /* Add sound hardware */
-    if (def->nsounds) {
-+    if (def->nsounds &&
-+        !skipSound) {
-         int size = 100;
-         char *modstr;
-         if (VIR_ALLOC_N(modstr, size+1) < 0)
@@ -1,248 +0,0 @@
-From 50f5a6c7ab7795fb6ade4bb24849fa2bab5084dd Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Wed, 29 Jul 2009 08:40:17 +0100
-Subject: [PATCH] Convert NEWS to UTF-8
-
-* docs/news.xsl: request UTF-8 as the output encoding
-
-* NEWS: re-generate with UTF-8 encoding
---
- NEWS          |   70 ++++++++++++++++++++++++++++----------------------------
- docs/news.xsl |    2 +-
- 2 files changed, 36 insertions(+), 36 deletions(-)
-
-diff --git a/NEWS b/NEWS
-index 447d2b4..0a838b9 100644
--- a/NEWS
-+++ b/NEWS
-@@ -137,7 +137,7 @@
-    - Improvements: add SCSI storage rescan (David Allan), rootless
-           LXC containers support improvements (Serge Hallyn), getHostname
-           support for LXC (Dan Smith), cleanup and logging output of some
-          domain functions (Guido Günther), drop pool lock when allocating
-+          domain functions (Guido GÃ¼nther), drop pool lock when allocating
-           volumes (Cole Robinson), LXC handle kernel without CLONE_NEWUSER
-           support (Serge Hallyn), cpu pinning on defined Xen domains (Takahashi
-           Tomohiro), dynamic bridge names support (Soren Hansen), LXC use
-@@ -145,7 +145,7 @@
-           virNodeDeviceCreateXML and virNodeDeviceDestroy entry points
-           (Dave Allan)
-    - Cleanups: don't hardcode getgrnam_r buffer to 1024 bytes (Guido
-          Günther), qemudBuildCommandLine API cleanup (Daniel Berrange),
-+          GÃ¼nther), qemudBuildCommandLine API cleanup (Daniel Berrange),
-           
- 
- 
-@@ -214,15 +214,15 @@
-           to avoid crashes (Daniel Berrange), mark defined network descriptions
-           as persistent (Cole Robinson), qemu+tls handshake negotiation hang
-           (Chris Lalancette)
-   - Improvements: don't hardcode ssh port (Guido Günther), new test
-+   - Improvements: don't hardcode ssh port (Guido GÃ¼nther), new test
-           cases and testing infrastructure (Jim Meyering), improve the
-           SExpr parser (John Levon), proper error reporting on xend
-           shutdown command (John Levon), proper handling of errors when
-          saving QEmu domains state (Guido Günther), revamp of the internal
-+          saving QEmu domains state (Guido GÃ¼nther), revamp of the internal
-           error memory APIs (John Levon), better virsh error reporting (John
-           Levon), more daemon options to allow running multiple daemons (Jim
-          Meyering), error handling when creating a QEmu domain (Guido Günther),
-          fix timeouts in QEmu log reading (Guido Günther), migration with
-+          Meyering), error handling when creating a QEmu domain (Guido GÃ¼nther),
-+          fix timeouts in QEmu log reading (Guido GÃ¼nther), migration with
-           xend 3.3 fixes (John Levon), virsh XML dump flags cleanup (Cole
-           Robinson), fix build with loadable drivers (Maximilian Wilhelm),
-           internal XML APIs to read long long and hexa values (Mark
-@@ -236,7 +236,7 @@
-           (Jim Meyering), many error handling cleanups (Jim Meyering), XML
-           module cleanups (Mark McLoughlin), compiler warning (Maximilian
-           Wilhelm), daemon TCP listen cleanup (Cole Robinson), size_t type
-          cleanup (Guido Günther), parallel make fix (Michael Marineau),
-+          cleanup (Guido GÃ¼nther), parallel make fix (Michael Marineau),
-           storage error diagnostic fix (Ryota Ozaki), remove redundant monitor
-           watch variable (Cole Robinson), qemu AttachDevice error report
-           improvement (Cole Robinson), virsh output cleanup (Jim Meyering),
-@@ -248,7 +248,7 @@
- 0.6.0: Jan 31 2009:
-    - New features: thread safety of the API and event handling (Daniel
-           Berrange), allow QEmu domains to survive daemon restart (Guido
-          Günther), extended logging capabilities, support copy-on-write
-+          GÃ¼nther), extended logging capabilities, support copy-on-write
-           storage volumes (Daniel Berrange), support of storage cache
-           control options for QEmu/KVM (Daniel Berrange)
-    - Portability: fix old DBus API problem, Debian portability fix
-@@ -260,13 +260,13 @@
-           solaris Xen fixes (John Levon), RPC portability to Solaris (Daniel
-           Berrange)
-    - Documentation: typo fixes (Richard Jones), logging support,
-          vnc keymap attributes (Guido Günther), HACKING file updates
-+          vnc keymap attributes (Guido GÃ¼nther), HACKING file updates
-          (Jim Meyering), new PCI passthrough format, libvirt-qpid and
-          UML driver documentation (Daniel Berrange), provide RNG schemas
-          for all XML formats used in libvirt APIs (Daniel Berrange), 
-    - Bug fixes: segfault on virtual network without bridge name (Cole
-           Robinson), various locking fixes (Cole Robinson), fix serial
-          and parallel devices on tcp/unix/telnet (Guido Günther), leak
-+          and parallel devices on tcp/unix/telnet (Guido GÃ¼nther), leak
-           in daemon (Jim Meyering), storage driver segfault (Miloslav TrmaC),
-           missing check in read-only connections (Daniel Berrange),
-           OpenVZ crash and mutex fixes (Anton Protopopov), couple of
-@@ -282,15 +282,15 @@
-    - Improvements: driver infrastructure and locking (Daniel Berrange),
-           Test driver infrastructure (Daniel Berrange), parallelism in the
-           daemon and associated config (Daniel Berrange), virsh help cleanups
-          (Jim Meyering), logrotate daemon logs (Guido Günther), more
-+          (Jim Meyering), logrotate daemon logs (Guido GÃ¼nther), more
-           regression tests (Jim Meyering), QEmu SDL graphics (Itamar Heim),
-           add --version flag to daemon (Dave Allan), memory consumption
-           cleanup (Dave Allan), QEmu pid file and XML states for daemon
-          restart (Guido Günther), gnulib updates (Jim Meyering and
-+          restart (Guido GÃ¼nther), gnulib updates (Jim Meyering and
-           Dan Berrange), PCI passthrough for KVM (Jason Krieg), generic
-           internal thread API (Daniel Berrange), RHEL-5 specific Xen
-           configure option and code (Markus Armbruster), save domain
-          state as string in status file (Guido Günther), add locking
-+          state as string in status file (Guido GÃ¼nther), add locking
-           to all API entry points (Daniel Berrange), new ref counting APIs
-           (Daniel Berrange), IP address for Xen bridges (John Levon),
-           driver format for disk file types (Daniel Berrange), improve
-@@ -303,15 +303,15 @@
-           (Jim Meyering), gethostby* cleanup and test (Jim Meyering), some
-            code fixes (Dave Allan), various code cleanup (Jim Meyering),
-            virsh argument handling cleanup (Jim Meyering), virAsprintf
-           cleanup replacement (Guido Günther), QEmu monitor reads (Cole
-           Robinson), Makefile cleanups (Guido Günther), Xen code cleanups
-+           cleanup replacement (Guido GÃ¼nther), QEmu monitor reads (Cole
-+           Robinson), Makefile cleanups (Guido GÃ¼nther), Xen code cleanups
-            (John Levon), revamp of ELF export scripts (John Levon), domain
-            event callback args (John Levon), enforce use of pid_t (John Levon),
-            virsh pool-*-as XML code merge (Cole Robinson), xgettext warnings
-           (Jim Meyering), add virKillProcess (Guido Günther), add
-+           (Jim Meyering), add virKillProcess (Guido GÃ¼nther), add
-            virGetHostname (David Lutterkort), add flags argument to the full
-           XML parsing stack (Guido Günther), various daemon code cleanups
-           (Guido Günther), handling of daemon missing config file (Jim
-+           XML parsing stack (Guido GÃ¼nther), various daemon code cleanups
-+           (Guido GÃ¼nther), handling of daemon missing config file (Jim
-            Meyering), rpcgen invocation cleanup (Richard Jones), devhelp
-            builkd makefile cleanups (John Levon), update error handling for
-            threading (Daniel Berrange), remove all non-rentrant POSIX calls
-@@ -331,7 +331,7 @@
-    - Bug fixes: add a delay in storage backend for disks to show up
-           (Chris Lalancette), fix parsing for CDRom device with no source
-           (Daniel Berrange), use xenstore to list domains to avoid some
-          bugs (Guido Günther), remove a leak in xen inotify code (Daniel
-+          bugs (Guido GÃ¼nther), remove a leak in xen inotify code (Daniel
-           Berrange), UML driver freeing of uninitialialized variable (Ron
-           Yorston), fix UML inotify code (Daniel Berrange), crash when
-           adding storage without a format (Cole Robinson)
-@@ -339,8 +339,8 @@
-           max memory (Jim Fehlig), allow remote://hostname/ URI for automatic
-           probe of hypervisors (Daniel Berrange), fix daemon configuration
-           regression testing (Jim Meyering ), check /usr/bin/kvm for QEmu
-          driver init (Guido Günther), proper active vs. inactive
-          differentiation (Guido Günther), improve MTU setting on tap
-+          driver init (Guido GÃ¼nther), proper active vs. inactive
-+          differentiation (Guido GÃ¼nther), improve MTU setting on tap
-           interfaces (Eduardo Habkost), increase timeout for initial QEmu
-           monitor poll (Cole Robinson)
-    - Cleanups:fix improper initialisations (Jim Meyering)
-@@ -350,9 +350,9 @@
-    - New features: CPU and scheduler support for LXC (Dan Smith), SDL display configuration (Daniel Berrange), domain lifecycle event support for QEmu and Xen with python bindings (Ben Guthro and Daniel Berrange), KVM/QEmu migration support (Rich Jones and Chris Lalancette), User Mode Linux driver (Daniel Berrange), API for node device enumeration using HAL and DeviceKit with python bindings (David Lively), 
-    - Portability: RHEL build fixes, VPATH build (Guido Gunther), many MinGW related cleanups and fixes (Richard Jones), compilation without libvirtd (Richard Jones), Add a Windows icon (Richard Jones), sys/poll.h portability fixes (Daniel Berrange), gnulib and mingw cleanups (Jim Meyering), 
-    - Documentation: virsh man page cleanups (Mark McLoughlin), doc for NIC model selection (Richard Jones), monitoring section, link to AMQP bindings, inew APIs, UML driver docs (Daniel Berrange), 
-   - Bug fixes: Xen interfaces ordering (Jim Fehlig), startup timeout with multiple pty (Cole Robinson), segfault if QEmu without active virtual network (Cole Robinson), qemu small leak (Eduardo Habkost), index creation for more than 26 disks (Sanjay Rao and Chris Wright), virRealloc handling of 0 (Daniel Berrange), missing pointer initialization (Chris Lalancette), bus device index bug (Guido Günther), avoid crash in some error patch (Chris Lalancette), fix a problem in storage back-end (Chris Lalancette), minimum domain memory size check for Xen (Shigeki Sakamoto), switch off QEmu cache if device is shared (Charles Duffy), logical volume definition before scan bug (Chris Lalancette), a couple of memory leaks on QEmu vnc (Jim Meyering), lvs parsing fixes (Cole Robinson),  
-   - Improvements: LXC resources control and internal cgroup API (Dan Smith), virDomainCreateLinux renamed virDomainDefineXML, network driver modularization (Daniel Berrange), change the way domain and net are reported in errors (Jim Meyering), partition table scan on iSCSI (Chris Lalancette), qemudDiskDeviceName to handle normal disks (Guido Günther), qemudDomainBlockStats improvement (Guido Günther), scsi/virtio hotplug support for KVM (Guido Günther), USB hot addition in QEmu (Guido Günther), logical pool and storage backend XML dump improvement (Chris Lalancette), MAC addresses prefix per driver (Daniel Berrange), OpenVZ getVersion support (Daniel Berrange), hot removal of scsi/virtio disks for KVM (Guido Günther), test storage driver (Cole Robinson), iSCSI and disk storage driver improvement on path handling (Chris Lalancette), UUID and ID support for Xenner (Daniel Berrange), better logging when when executing commands (Cole Robinson), bridged network for OpenVZ (Daniel Berrange), OpenVZ config file params (Evgeniy Sokolov), allow to build drivers as libtool convenience libs (Daniel Berrange), fully versioned linker script for exported ABI (Daniel Berrange), Push URI probing down into drivers open (Daniel Berrange), move all stateful drivers into the daemon binary (Daniel Berrange), improve domain event with a detail field (Daniel Berrange), domain events for QEMU driver (Daniel Berrange), event unregister callback crash (David Lively), plug a few leaks (Daniel Berrange), internal APIs for handling node device XML config (David Lively), tweaks to node device implementation (Daniel Berrange), OpenVZ vCPUs values init (Evgeniy Sokolov)
-   - Cleanups: C99 initializers (Guido Gunther), test output (Cole Robinson), debug macro centralization (Cole Robinson), various error handling (Guido Günther), safewrite use cleanup (Jim Meyering), centralize error reporting logic (Cole Robinson), avoid printf warnings (Daniel Berrange), use arrays instead of list for internal APIs (Daniel Berrange), remove many format string warnings Jim Meyering), avoid syntax check warnings (Chris Lalancette), improve po-check and list generation (Jim Meyering), .gitignore generation and handling (Jim Meyering), use ARRAY_CARDINALITY (Jim Meyering), gnulib updates and switch to use netdb.h (Jim Meyering), drop usage of socket_errno (Jim Meyering), remove socketcompat.h (Jim Meyering), more tests (Jim Meyering), drop virStringList (Daniel Berrange), reformatting and isolation of the error APIs (Daniel Berrange), cleanup internal.h and move internal APIs in specific headers (Daniel Berrange), move domain events helpers into domain_events.c (Daniel Berrange), cleanup the way optional modules are compiled (Daniel Berrange), add new logging module, optional dlopen of drivers (Daniel Berrange), various new tests (Jim Meyering), cleanups when Xen is not configured in (Daniel Berrange), add some missing functions comments (Jim Meyering), 
-+   - Bug fixes: Xen interfaces ordering (Jim Fehlig), startup timeout with multiple pty (Cole Robinson), segfault if QEmu without active virtual network (Cole Robinson), qemu small leak (Eduardo Habkost), index creation for more than 26 disks (Sanjay Rao and Chris Wright), virRealloc handling of 0 (Daniel Berrange), missing pointer initialization (Chris Lalancette), bus device index bug (Guido GÃ¼nther), avoid crash in some error patch (Chris Lalancette), fix a problem in storage back-end (Chris Lalancette), minimum domain memory size check for Xen (Shigeki Sakamoto), switch off QEmu cache if device is shared (Charles Duffy), logical volume definition before scan bug (Chris Lalancette), a couple of memory leaks on QEmu vnc (Jim Meyering), lvs parsing fixes (Cole Robinson),  
-+   - Improvements: LXC resources control and internal cgroup API (Dan Smith), virDomainCreateLinux renamed virDomainDefineXML, network driver modularization (Daniel Berrange), change the way domain and net are reported in errors (Jim Meyering), partition table scan on iSCSI (Chris Lalancette), qemudDiskDeviceName to handle normal disks (Guido GÃ¼nther), qemudDomainBlockStats improvement (Guido GÃ¼nther), scsi/virtio hotplug support for KVM (Guido GÃ¼nther), USB hot addition in QEmu (Guido GÃ¼nther), logical pool and storage backend XML dump improvement (Chris Lalancette), MAC addresses prefix per driver (Daniel Berrange), OpenVZ getVersion support (Daniel Berrange), hot removal of scsi/virtio disks for KVM (Guido GÃ¼nther), test storage driver (Cole Robinson), iSCSI and disk storage driver improvement on path handling (Chris Lalancette), UUID and ID support for Xenner (Daniel Berrange), better logging when when executing commands (Cole Robinson), bridged network for OpenVZ (Daniel Berrange), OpenVZ config file params (Evgeniy Sokolov), allow to build drivers as libtool convenience libs (Daniel Berrange), fully versioned linker script for exported ABI (Daniel Berrange), Push URI probing down into drivers open (Daniel Berrange), move all stateful drivers into the daemon binary (Daniel Berrange), improve domain event with a detail field (Daniel Berrange), domain events for QEMU driver (Daniel Berrange), event unregister callback crash (David Lively), plug a few leaks (Daniel Berrange), internal APIs for handling node device XML config (David Lively), tweaks to node device implementation (Daniel Berrange), OpenVZ vCPUs values init (Evgeniy Sokolov)
-+   - Cleanups: C99 initializers (Guido Gunther), test output (Cole Robinson), debug macro centralization (Cole Robinson), various error handling (Guido GÃ¼nther), safewrite use cleanup (Jim Meyering), centralize error reporting logic (Cole Robinson), avoid printf warnings (Daniel Berrange), use arrays instead of list for internal APIs (Daniel Berrange), remove many format string warnings Jim Meyering), avoid syntax check warnings (Chris Lalancette), improve po-check and list generation (Jim Meyering), .gitignore generation and handling (Jim Meyering), use ARRAY_CARDINALITY (Jim Meyering), gnulib updates and switch to use netdb.h (Jim Meyering), drop usage of socket_errno (Jim Meyering), remove socketcompat.h (Jim Meyering), more tests (Jim Meyering), drop virStringList (Daniel Berrange), reformatting and isolation of the error APIs (Daniel Berrange), cleanup internal.h and move internal APIs in specific headers (Daniel Berrange), move domain events helpers into domain_events.c (Daniel Berrange), cleanup the way optional modules are compiled (Daniel Berrange), add new logging module, optional dlopen of drivers (Daniel Berrange), various new tests (Jim Meyering), cleanups when Xen is not configured in (Daniel Berrange), add some missing functions comments (Jim Meyering), 
- 
- 
- 0.4.6: Sep 23 2008:
-@@ -364,7 +364,7 @@
-           OpenVZ (Evgeniy Sokolov), fix parsing of pool without a source
-           (Chris Lalancette and Daniel Berrange)
-    - Improvements: add storage disk volume delete (Cole Robinson),
-          KVM dynamic max CPU detection (Guido Günther), spec file improvement
-+          KVM dynamic max CPU detection (Guido GÃ¼nther), spec file improvement
-           for minimal builds (Ben Guthro), improved error message in XM
-           configuration module (Richard Jones), network config in OpenVZ
-           support (Evgeniy Sokolov), enable stopping a pool in logical
-@@ -379,7 +379,7 @@
-           unified XML domain and network parsing for all drivers (Daniel
-           Berrange), OpenVZ features improvements (Evgeniy Sokolov),
-           OpenVZ and Linux containers support now default, USB device
-          passthrough for QEmu/KVM (Guido Günther), storage pool source
-+          passthrough for QEmu/KVM (Guido GÃ¼nther), storage pool source
-           discovery (David Lively)
-    - Portability: fixes for MinGW (Atsushi SAKAI and Daniel Berrange),
-           detection of xen lib improvement (David Lively),
-@@ -389,9 +389,9 @@
-           SAKAI and Daniel Berrange), HTML generation fix, -lpthread explicit
-           linking when needed (Jim Meyering)
-    - Documentation: various typo fixes (Anton Protopopov, Toth
-          István, Atsushi SAKAI, Nguyen Anh Quynh),
-+          IstvÃ¡n, Atsushi SAKAI, Nguyen Anh Quynh),
-           Java bindings docs, remove Xen centric
-          comments (Guido Günther), various typo in comments (Chris
-+          comments (Guido GÃ¼nther), various typo in comments (Chris
-           Lalancette), docs and API comments fixes (Charles Duffy),
-           how to contribute to open source link (Richard Jones),
-           memory unit fixups (matthew chan)
-@@ -401,14 +401,14 @@
-           in QEmu/KVM (Daniel Berrange), fix OpenVZ probe function (Evgeniy
-           Sokolov), ID related lookup fixes in OpenVZ (Evgeniy Sokolov),
-           pool cration for netfs (Cole Robinson), check for migrate support
-          with QEmu (Guido Günther), check against double create with QEmu
-          (Guido Günther), broken open failure detection in QEmu (Guido
-          Günther), UUID string conversions in QEmu (Guido Günther),
-+          with QEmu (Guido GÃ¼nther), check against double create with QEmu
-+          (Guido GÃ¼nther), broken open failure detection in QEmu (Guido
-+          GÃ¼nther), UUID string conversions in QEmu (Guido GÃ¼nther),
-           various small cleanup and bug fixes (Daniel Berrange), ID
-           related fixes in the test driver (Daniel Berrange), better error
-           reporting on XML parsing (Daniel Berrange), empty CD-ROM source
-           device section (Chris Lalancette), avoid crashes for interface
-          without a name in QEmu (Guido Günther), provide the real
-+          without a name in QEmu (Guido GÃ¼nther), provide the real
-           vncport (Charles Duffy), fix forward delay (Daniel Berrange),
-           new VM state is initialized to be SHUTOFF (Daniel Berrange),
-           virsh attach-disk bug fixes (Chris Lalancette), veth clash
-@@ -440,7 +440,7 @@
-           (Daniel Berrange), virsh "edit" command (Richard Jones), save
-           UUID of OpenVZ domains (Evgeniy Sokolov), improve xen blocks
-           statistics (Chris Lalancette), gnulib updates (Jim Meyering),
-          allow to add disk as USB devices (Guido Günther), LXC container
-+          allow to add disk as USB devices (Guido GÃ¼nther), LXC container
-           process should survive libvirtd restarts (Daniel Berrange), allow
-           to define static host domain configs, number of CPU used by
-           OpenVZ domains (Evgeniy Sokolov), private root fs for LXC (Daniel
-@@ -572,9 +572,9 @@
-       driver (Cole Robinson), xen and hvm added to test driver capabilities
-       (Cole Robinson)
-    - Code cleanup: remove unused getopt header (Jim Meyering), mark more
-      strings as translatable (Guido Günther and Jim Meyering), convert
-+      strings as translatable (Guido GÃ¼nther and Jim Meyering), convert
-       error strings to something meaningful and translatable (Jim Meyering),
-      Linux Containers code cleanup, last error initializer (Guido Günther)
-+      Linux Containers code cleanup, last error initializer (Guido GÃ¼nther)
- 
- 
- 0.4.1: Mar 3 2008:
-diff --git a/docs/news.xsl b/docs/news.xsl
-index a190120..e35030e 100644
--- a/docs/news.xsl
-+++ b/docs/news.xsl
-@@ -1,7 +1,7 @@
- <?xml version="1.0"?>
- <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-                 version="1.0">
-  <xsl:output method="text" encoding="ISO-8859-1"/>
-+  <xsl:output method="text" encoding="UTF-8"/>
- 
-   <xsl:template match="/">
-     <xsl:text>
-- 
-1.6.2.5
-
@@ -1 +1 @@
-7c8008af99963682cb38666d2f1661ba  libvirt-0.7.0-0.1.gitf055724.tar.gz
+SHA512 (libvirt-5.6.0.tar.xz) = 95fe931394fb31288faf73349bb298f08f63cf062f851b9935303145f8166f69128be9360757f0e1845256c14f4d7672843dba0dc6c086b1c3c8bfc035cc8986