version bump; cleanup; apply security fix for 1.2.11 and drop vulnerable (CVE-2015-0236)

(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key BD3A97A3)
author: Matthias Maier <tamiko@gentoo.org> 2015-01-27 10:42:52 +0000
committer: Matthias Maier <tamiko@gentoo.org> 2015-01-27 10:42:52 +0000
commit: 473d75f991d36de6e6166e238fe8d32d4f57e238 (patch)
tree: 8def011a21f3e6d52c4195d2053adf538d2fa509 /app-emulation/libvirt
parent: version bump (diff)
download: gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.tar.gz
gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.tar.bz2
gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.zip
8 files changed, 504 insertions, 200 deletions
diff --git a/app-emulation/libvirt/ChangeLog b/app-emulation/libvirt/ChangeLog
index f925611db67c..8167d460dc53 100644
--- a/app-emulation/libvirt/ChangeLog
+++ b/app-emulation/libvirt/ChangeLog
@@ -1,6 +1,17 @@
 # ChangeLog for app-emulation/libvirt
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.411 2014/12/24 15:05:04 tamiko Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.412 2015/01/27 10:42:52 tamiko Exp $
+
+*libvirt-1.2.12 (27 Jan 2015)
+*libvirt-1.2.11-r3 (27 Jan 2015)
+
+  27 Jan 2015; Matthias Maier <tamiko@gentoo.org> +libvirt-1.2.11-r3.ebuild,
+  +libvirt-1.2.12.ebuild, -files/libvirt-1.2.10-cve-2014-7823.patch,
+  -files/libvirt-1.2.10-cve-2014-8131-part2.patch,
+  -files/libvirt-1.2.10-cve-2014-8131.patch, -libvirt-1.2.11-r2.ebuild,
+  libvirt-1.2.10-r3.ebuild, libvirt-9999.ebuild:
+  version bump; cleanup; apply security fix for 1.2.11 and drop vulnerable
+  (CVE-2015-0236)
 
   24 Dec 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.2.10-r2.ebuild:
   drop vulnerable, bug #533286, CVE-2014-8135, CVE-2014-8136
diff --git a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch b/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch
deleted file mode 100644
index c5e6926d1e96..000000000000
--- a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Patch from: https://www.redhat.com/archives/libvir-list/2014-November/msg00114.html
-
-From: Eric Blake <eblake redhat com>
-To: libvir-list redhat com
-Subject: [libvirt] [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag
-Date: Wed, 5 Nov 2014 17:30:46 +0100
----
-
-Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
-the qemu implementation of virDomainGetXMLDesc, the use of the
-flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
-connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
-prior to calling qemuDomainFormatXML.  However, the use of
-VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
-clients only.  This patch treats the migratable flag as requiring
-the same permissions, rather than analyzing what might break if
-migratable xml no longer includes secret information.
-
-Fortunately, the information leak is low-risk: all that is gated
-by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
-but VNC passwords are already weak (FIPS forbids their use, and
-on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
-password sent in plaintext over the network deserves what they
-get).  SPICE offers better security than VNC, and all other
-secrets are properly protected by use of virSecret associations
-rather than direct output in domain XML.
-
-* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
-Tighten rules on use of migratable flag.
-* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
-
-Signed-off-by: Eric Blake <eblake redhat com>
----
-
-The libvirt-security list agreed that this did not need an embargo
-because it is low-risk; but I'm on the road this week, so while
-this patch for master can go in now, I won't complete the backport
-to all the affected stable branches (everything since v1.0.0) or
-do the Libvirt Security Notice writeup until Monday.
-
- src/libvirt-domain.c         | 3 ++-
- src/remote/remote_protocol.x | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
-index 7dc3146..2b0defc 100644
---- a/src/libvirt-domain.c
-+++ b/src/libvirt-domain.c
-@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
-     virCheckDomainReturn(domain, NULL);
-     conn = domain->conn;
-
--    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
-+    if ((conn->flags & VIR_CONNECT_RO) &&
-+        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
-         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
-                        _("virDomainGetXMLDesc with secure flag"));
-         goto error;
-diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
-index db12cda..ebf4530 100644
---- a/src/remote/remote_protocol.x
-+++ b/src/remote/remote_protocol.x
-@@ -3255,6 +3255,7 @@ enum remote_procedure {
-      * @generate: both
-      * @acl: domain:read
-      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
-+     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
-      */
-     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
-
--- 
-1.9.3
-
diff --git a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131-part2.patch b/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131-part2.patch
deleted file mode 100644
index 2f8457a94a4e..000000000000
--- a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131-part2.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cb104ef734dfea12cb8826dba7e2c98912c4b7e1 Mon Sep 17 00:00:00 2001
-From: Francesco Romani <fromani@redhat.com>
-Date: Thu, 11 Dec 2014 08:44:09 +0100
-Subject: [PATCH 17/20] qemu: bulk stats: Fix logic in monitor handling
-
-A logic bug in qemuConnectGetAllDomainStats makes the code mark the
-monitor as available when qemuDomainObjBeginJob fails, instead of when
-it succeeds, as the correct flow requires.
-
-This patch fixes the check and updates the code documentation
-accordingly.
-
-Broken by commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b.
-
-Signed-off-by: Francesco Romani <fromani@redhat.com>
----
- src/qemu/qemu_driver.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
-index 830fca7..df3ba6d 100644
---- a/src/qemu/qemu_driver.c
-+++ b/src/qemu/qemu_driver.c
-@@ -18745,9 +18745,9 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
-         }
- 
-         if (HAVE_JOB(privflags) &&
--            qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)
--            /* As it was never requested. Gather as much as possible anyway. */
-+            qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) == 0)
-             domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
-+        /* else: without a job it's still possible to gather some data */
- 
-         if (qemuDomainGetStats(conn, dom, stats, &tmp, domflags) < 0)
-             goto endjob;
--- 
-2.0.4
-
diff --git a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131.patch b/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131.patch
deleted file mode 100644
index 5ede7efc4ef7..000000000000
--- a/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-8131.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 57023c0a3af4af1c547189c1f6712ed5edeb0c0b Mon Sep 17 00:00:00 2001
-From: Martin Kletzander <mkletzan@redhat.com>
-Date: Thu, 27 Nov 2014 15:47:52 +0100
-Subject: [PATCH 11/20] CVE-2014-8131: Fix possible deadlock and segfault in
- qemuConnectGetAllDomainStats()
-
-When user doesn't have read access on one of the domains he requested,
-the for loop could exit abruptly or continue and override pointer which
-pointed to locked object.
-
-This patch fixed two issues at once.  One is that domflags might have
-had QEMU_DOMAIN_STATS_HAVE_JOB even when there was no job started (this
-is fixed by doing domflags |= QEMU_DOMAIN_STATS_HAVE_JOB only when the
-job was acquired and cleaning domflags on every start of the loop.
-Second one is that the domain is kept locked when
-virConnectGetAllDomainStatsCheckACL() fails and continues the loop when
-it didn't end.  Adding a simple virObjectUnlock() and clearing the
-pointer ought to do.
-
-Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
----
- src/qemu/qemu_driver.c | 20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
-index be37c8f..ae6225b 100644
---- a/src/qemu/qemu_driver.c
-+++ b/src/qemu/qemu_driver.c
-@@ -18740,20 +18740,23 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
-         privflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
- 
-     for (i = 0; i < ndoms; i++) {
--        domflags = privflags;
-         virDomainStatsRecordPtr tmp = NULL;
-+        domflags = 0;
- 
-         if (!(dom = qemuDomObjFromDomain(doms[i])))
-             continue;
- 
-         if (doms != domlist &&
--            !virConnectGetAllDomainStatsCheckACL(conn, dom->def))
-+            !virConnectGetAllDomainStatsCheckACL(conn, dom->def)) {
-+            virObjectUnlock(dom);
-+            dom = NULL;
-             continue;
-+        }
- 
--        if (HAVE_JOB(domflags) &&
-+        if (HAVE_JOB(privflags) &&
-             qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)
-             /* As it was never requested. Gather as much as possible anyway. */
--            domflags &= ~QEMU_DOMAIN_STATS_HAVE_JOB;
-+            domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
- 
-         if (qemuDomainGetStats(conn, dom, stats, &tmp, domflags) < 0)
-             goto endjob;
-@@ -18761,9 +18764,12 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
-         if (tmp)
-             tmpstats[nstats++] = tmp;
- 
--        if (HAVE_JOB(domflags) && !qemuDomainObjEndJob(driver, dom)) {
--            dom = NULL;
--            continue;
-+        if (HAVE_JOB(domflags)) {
-+            domflags = 0;
-+            if (!qemuDomainObjEndJob(driver, dom)) {
-+                dom = NULL;
-+                continue;
-+            }
-         }
- 
-         virObjectUnlock(dom);
--- 
-2.0.4
-
diff --git a/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild b/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild
index 373b0658a00c..3aee20a39b44 100644
--- a/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild
+++ b/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild,v 1.3 2014/12/24 13:19:24 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.2.10-r3.ebuild,v 1.4 2015/01/27 10:42:52 tamiko Exp $
 
 EAPI=5
 
@@ -21,14 +21,13 @@ if [[ ${PV} = *9999* ]]; then
 else
 	# Versions with 4 numbers are stable updates:
 	if [[ ${PV} =~ ^[0-9]+(\.[0-9]+){3} ]]; then
-		SRC_URI="http://libvirt.org/sources/stable_updates/${MY_P}.tar.gz
-		${BACKPORTS:+
-			http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
+		SRC_URI="http://libvirt.org/sources/stable_updates/${MY_P}.tar.gz"
 	else
-		SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz
-		${BACKPORTS:+
-			http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
+		SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz"
 	fi
+	SRC_URI+=" ${BACKPORTS:+
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
+		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
 	KEYWORDS="amd64 x86"
 	SLOT="0/${PV}"
 fi
diff --git a/app-emulation/libvirt/libvirt-1.2.11-r2.ebuild b/app-emulation/libvirt/libvirt-1.2.11-r3.ebuild
index 861a5323b409..ab770c2696ad 100644
--- a/app-emulation/libvirt/libvirt-1.2.11-r2.ebuild
+++ b/app-emulation/libvirt/libvirt-1.2.11-r3.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.2.11-r2.ebuild,v 1.1 2014/12/18 21:05:55 tamiko Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.2.11-r3.ebuild,v 1.1 2015/01/27 10:42:52 tamiko Exp $
 
 EAPI=5
 
@@ -10,6 +10,8 @@ MY_P="${P/_rc/-rc}"
 
 inherit eutils user autotools linux-info systemd readme.gentoo
 
+BACKPORTS="20150127"
+
 if [[ ${PV} = *9999* ]]; then
 	inherit git-r3
 	EGIT_REPO_URI="git://libvirt.org/libvirt.git"
@@ -23,6 +25,9 @@ else
 	else
 		SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz"
 	fi
+	SRC_URI+=" ${BACKPORTS:+
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
+		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
 	KEYWORDS="~amd64 ~x86"
 	SLOT="0/${PV}"
 fi
@@ -222,6 +227,10 @@ src_prepare() {
 
 	epatch "${FILESDIR}"/${PN}-1.2.9-do_not_use_sysconf.patch
 
+	[[ -n ${BACKPORTS} ]] && \
+		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" \
+			EPATCH_SOURCE="${WORKDIR}/patches" epatch
+
 	epatch_user
 
 	[[ -n ${AUTOTOOLIZE} ]] && eautoreconf
diff --git a/app-emulation/libvirt/libvirt-1.2.12.ebuild b/app-emulation/libvirt/libvirt-1.2.12.ebuild
new file mode 100644
index 000000000000..4a23953d4ee3
--- /dev/null
+++ b/app-emulation/libvirt/libvirt-1.2.12.ebuild
@@ -0,0 +1,462 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-1.2.12.ebuild,v 1.1 2015/01/27 10:42:52 tamiko Exp $
+
+EAPI=5
+
+AUTOTOOLIZE=yes
+
+MY_P="${P/_rc/-rc}"
+
+inherit eutils user autotools linux-info systemd readme.gentoo
+
+BACKPORTS=""
+
+if [[ ${PV} = *9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="git://libvirt.org/libvirt.git"
+	SRC_URI=""
+	KEYWORDS=""
+	SLOT="0"
+else
+	# Versions with 4 numbers are stable updates:
+	if [[ ${PV} =~ ^[0-9]+(\.[0-9]+){3} ]]; then
+		SRC_URI="http://libvirt.org/sources/stable_updates/${MY_P}.tar.gz"
+	else
+		SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz"
+	fi
+	SRC_URI+=" ${BACKPORTS:+
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
+		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
+	KEYWORDS="~amd64 ~x86"
+	SLOT="0/${PV}"
+fi
+S="${WORKDIR}/${P%_rc*}"
+
+DESCRIPTION="C toolkit to manipulate virtual machines"
+HOMEPAGE="http://www.libvirt.org/"
+LICENSE="LGPL-2.1"
+IUSE="audit avahi +caps firewalld fuse glusterfs iscsi +libvirtd lvm lxc \
+	+macvtap nfs nls numa openvz parted pcap phyp policykit +qemu rbd sasl \
+	selinux +udev uml +vepa virtualbox virt-network wireshark-plugins xen \
+	elibc_glibc systemd"
+REQUIRED_USE="libvirtd? ( || ( lxc openvz qemu uml virtualbox xen ) )
+	lxc? ( caps libvirtd )
+	openvz? ( libvirtd )
+	qemu? ( libvirtd )
+	uml? ( libvirtd )
+	vepa? ( macvtap )
+	virtualbox? ( libvirtd )
+	xen? ( libvirtd )
+	virt-network? ( libvirtd )
+	firewalld? ( virt-network )"
+
+# gettext.sh command is used by the libvirt command wrappers, and it's
+# non-optional, so put it into RDEPEND.
+# We can use both libnl:1.1 and libnl:3, but if you have both installed, the
+# package will use 3 by default. Since we don't have slot pinning in an API,
+# we must go with the most recent
+RDEPEND="sys-libs/readline
+	sys-libs/ncurses
+	>=net-misc/curl-7.18.0
+	dev-libs/libgcrypt:0
+	>=dev-libs/libxml2-2.7.6
+	dev-libs/libnl:3
+	>=net-libs/gnutls-1.0.25
+	net-libs/libssh2
+	sys-apps/dmidecode
+	>=sys-apps/util-linux-2.17
+	sys-devel/gettext
+	>=net-analyzer/netcat6-1.0-r2
+	app-misc/scrub
+	audit? ( sys-process/audit )
+	avahi? ( >=net-dns/avahi-0.6[dbus] )
+	caps? ( sys-libs/libcap-ng )
+	fuse? ( >=sys-fs/fuse-2.8.6 )
+	glusterfs? ( >=sys-cluster/glusterfs-3.4.1 )
+	iscsi? ( sys-block/open-iscsi )
+	lxc? ( !systemd? ( sys-power/pm-utils ) )
+	lvm? ( >=sys-fs/lvm2-2.02.48-r2 )
+	nfs? ( net-fs/nfs-utils )
+	numa? (
+		>sys-process/numactl-2.0.2
+		sys-process/numad
+	)
+	openvz? ( sys-kernel/openvz-sources )
+	parted? (
+		>=sys-block/parted-1.8[device-mapper]
+		sys-fs/lvm2
+	)
+	pcap? ( >=net-libs/libpcap-1.0.0 )
+	policykit? ( >=sys-auth/polkit-0.9 )
+	qemu? (
+		>=app-emulation/qemu-0.13.0
+		dev-libs/yajl
+		!systemd? ( sys-power/pm-utils )
+	)
+	rbd? ( sys-cluster/ceph )
+	sasl? ( dev-libs/cyrus-sasl )
+	selinux? ( >=sys-libs/libselinux-2.0.85 )
+	systemd? ( sys-apps/systemd )
+	virtualbox? ( || ( app-emulation/virtualbox >=app-emulation/virtualbox-bin-2.2.0 ) )
+	wireshark-plugins? ( net-analyzer/wireshark:= )
+	xen? ( app-emulation/xen-tools app-emulation/xen )
+	udev? ( virtual/udev >=x11-libs/libpciaccess-0.10.9 )
+	virt-network? ( net-dns/dnsmasq[script]
+		>=net-firewall/iptables-1.4.10
+		net-misc/radvd
+		net-firewall/ebtables
+		sys-apps/iproute2[-minimal]
+		firewalld? ( net-firewall/firewalld )
+	)
+	elibc_glibc? ( || ( >=net-libs/libtirpc-0.2.2-r1 <sys-libs/glibc-2.14 ) )"
+
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	app-text/xhtml1
+	dev-lang/perl
+	dev-perl/XML-XPath
+	dev-libs/libxslt"
+
+DOC_CONTENTS="For the basic networking support (bridged and routed networks)
+you don't need any extra software. For more complex network modes
+including but not limited to NATed network, you can enable the
+'virt-network' USE flag.\n\n
+If you are using dnsmasq on your system, you will have
+to configure /etc/dnsmasq.conf to enable the following settings:\n\n
+	bind-interfaces\n
+	interface or except-interface\n\n
+Otherwise you might have issues with your existing DNS server."
+
+LXC_CONFIG_CHECK="
+	~CGROUPS
+	~CGROUP_FREEZER
+	~CGROUP_DEVICE
+	~CGROUP_CPUACCT
+	~CGROUP_SCHED
+	~CGROUP_PERF
+	~BLK_CGROUP
+	~NET_CLS_CGROUP
+	~CGROUP_NET_PRIO
+	~CPUSETS
+	~RESOURCE_COUNTERS
+	~NAMESPACES
+	~UTS_NS
+	~IPC_NS
+	~PID_NS
+	~NET_NS
+	~USER_NS
+	~DEVPTS_MULTIPLE_INSTANCES
+	~VETH
+	~MACVLAN
+	~POSIX_MQUEUE
+	~SECURITYFS
+	~!GRKERNSEC_CHROOT_MOUNT
+	~!GRKERNSEC_CHROOT_DOUBLE
+	~!GRKERNSEC_CHROOT_PIVOT
+	~!GRKERNSEC_CHROOT_CHMOD
+	~!GRKERNSEC_CHROOT_CAPS
+"
+
+VIRTNET_CONFIG_CHECK="
+	~BRIDGE_NF_EBTABLES
+	~BRIDGE_EBT_MARK_T
+	~NETFILTER_ADVANCED
+	~NETFILTER_XT_TARGET_CHECKSUM
+	~NETFILTER_XT_CONNMARK
+	~NETFILTER_XT_MARK
+"
+
+BWLMT_CONFIG_CHECK="
+	~BRIDGE_EBT_T_NAT
+	~NET_SCH_HTB
+	~NET_SCH_SFQ
+	~NET_SCH_INGRESS
+	~NET_CLS_FW
+	~NET_CLS_U32
+	~NET_ACT_POLICE
+"
+
+MACVTAP_CONFIG_CHECK=" ~MACVTAP"
+
+LVM_CONFIG_CHECK=" ~BLK_DEV_DM ~DM_SNAPSHOT ~DM_MULTIPATH"
+
+ERROR_USER_NS="Optional depending on LXC configuration."
+
+pkg_setup() {
+	enewgroup qemu 77
+	enewuser qemu 77 -1 -1 qemu kvm
+
+	# Some people used the masked ebuild which was not adding the qemu
+	# user to the kvm group originally. This results in VMs failing to
+	# start for some users. bug #430808
+	egetent group kvm | grep -q qemu
+	if [[ $? -ne 0 ]]; then
+		gpasswd -a qemu kvm
+	fi
+
+	# Handle specific kernel versions for different features
+	kernel_is lt 3 6 && LXC_CONFIG_CHECK+=" ~CGROUP_MEM_RES_CTLR"
+	kernel_is ge 3 6 &&	LXC_CONFIG_CHECK+=" ~MEMCG ~MEMCG_SWAP ~MEMCG_KMEM"
+
+	CONFIG_CHECK=""
+	use fuse && CONFIG_CHECK+=" ~FUSE_FS"
+	use lvm && CONFIG_CHECK+="${LVM_CONFIG_CHECK}"
+	use lxc && CONFIG_CHECK+="${LXC_CONFIG_CHECK}"
+	use macvtap && CONFIG_CHECK+="${MACVTAP_CONFIG_CHECK}"
+	use virt-network && CONFIG_CHECK+="${VIRTNET_CONFIG_CHECK}"
+	# Bandwidth Limiting Support
+	use virt-network && CONFIG_CHECK+="${BWLMT_CONFIG_CHECK}"
+	if [[ -n ${CONFIG_CHECK} ]]; then
+		linux-info_pkg_setup
+	fi
+}
+
+src_prepare() {
+	touch "${S}/.mailmap"
+
+	if [[ ${PV} = *9999* ]]; then
+		# git checkouts require bootstrapping to create the configure script.
+		# Additionally the submodules must be cloned to the right locations
+		# bug #377279
+		./bootstrap || die "bootstrap failed"
+		(
+			git submodule status | sed 's/^[ +-]//;s/ .*//'
+			git hash-object bootstrap.conf
+		) >.git-module-status
+	fi
+
+	epatch "${FILESDIR}"/${PN}-1.2.9-do_not_use_sysconf.patch
+
+	[[ -n ${BACKPORTS} ]] && \
+		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" \
+			EPATCH_SOURCE="${WORKDIR}/patches" epatch
+
+	epatch_user
+
+	[[ -n ${AUTOTOOLIZE} ]] && eautoreconf
+
+	# Tweak the init script
+	local avahi_init=
+	local iscsi_init=
+	local rbd_init=
+	local firewalld_init=
+	cp "${FILESDIR}/libvirtd.init-r14" "${S}/libvirtd.init"
+	use avahi && avahi_init='avahi-daemon'
+	use iscsi && iscsi_init='iscsid'
+	use rbd && rbd_init='ceph'
+	use firewalld && firewalld_init='need firewalld'
+
+	sed -e "s/USE_FLAG_FIREWALLD/${firewalld_init}/" -i "${S}/libvirtd.init"
+	sed -e "s/USE_FLAG_AVAHI/${avahi_init}/" -i "${S}/libvirtd.init"
+	sed -e "s/USE_FLAG_ISCSI/${iscsi_init}/" -i "${S}/libvirtd.init"
+	sed -e "s/USE_FLAG_RBD/${rbd_init}/" -i "${S}/libvirtd.init"
+}
+
+src_configure() {
+	local myconf=""
+
+	## enable/disable daemon, otherwise client only utils
+	myconf+=" $(use_with libvirtd)"
+
+	## enable/disable the daemon using avahi to find VMs
+	myconf+=" $(use_with avahi)"
+
+	## hypervisors on the local host
+	myconf+=" $(use_with xen) $(use_with xen xen-inotify)"
+	myconf+=" --without-xenapi"
+	if use xen && has_version ">=app-emulation/xen-tools-4.2.0"; then
+		myconf+=" --with-libxl"
+	else
+		myconf+=" --without-libxl"
+	fi
+	myconf+=" $(use_with openvz)"
+	myconf+=" $(use_with lxc)"
+	if use virtualbox && has_version app-emulation/virtualbox-ose; then
+		myconf+=" --with-vbox=/usr/lib/virtualbox-ose/"
+	else
+		myconf+=" $(use_with virtualbox vbox)"
+	fi
+	myconf+=" $(use_with uml)"
+	myconf+=" $(use_with qemu)"
+	myconf+=" $(use_with qemu yajl)" # Use QMP over HMP
+	myconf+=" $(use_with phyp)"
+	myconf+=" --with-esx"
+	myconf+=" --with-vmware"
+
+	## additional host drivers
+	myconf+=" $(use_with virt-network network)"
+	myconf+=" --with-storage-fs"
+	myconf+=" $(use_with lvm storage-lvm)"
+	myconf+=" $(use_with iscsi storage-iscsi)"
+	myconf+=" $(use_with parted storage-disk)"
+	mycond+=" $(use_with glusterfs)"
+	mycond+=" $(use_with glusterfs storage-gluster)"
+	myconf+=" $(use_with lvm storage-mpath)"
+	myconf+=" $(use_with rbd storage-rbd)"
+	myconf+=" $(use_with numa numactl)"
+	myconf+=" $(use_with numa numad)"
+	myconf+=" $(use_with selinux)"
+	myconf+=" $(use_with fuse)"
+
+	# udev for device support details
+	myconf+=" $(use_with udev)"
+	myconf+=" --without-hal"
+
+	# linux capability support so we don't need privileged accounts
+	myconf+=" $(use_with caps capng)"
+
+	## auth stuff
+	myconf+=" $(use_with policykit polkit)"
+	myconf+=" $(use_with sasl)"
+
+	# network bits
+	myconf+=" $(use_with macvtap)"
+	myconf+=" $(use_with pcap libpcap)"
+	myconf+=" $(use_with vepa virtualport)"
+	myconf+=" $(use_with firewalld)"
+
+	## other
+	myconf+=" $(use_enable nls)"
+
+	# user privilege bits fir qemu/kvm
+	if use caps; then
+		myconf+=" --with-qemu-user=qemu"
+		myconf+=" --with-qemu-group=qemu"
+	else
+		myconf+=" --with-qemu-user=root"
+		myconf+=" --with-qemu-group=root"
+	fi
+
+	# audit support
+	myconf+=" $(use_with audit)"
+
+	# wireshark dissector
+	myconf+=" $(use_with wireshark-plugins wireshark-dissector)"
+
+	## stuff we don't yet support
+	myconf+=" --without-netcf"
+
+	# locking support
+	myconf+=" --without-sanlock"
+
+	# systemd unit files
+	myconf+=" $(use_with systemd systemd-daemon)"
+	use systemd && myconf+=" --with-init-script=systemd"
+
+	# this is a nasty trick to work around the problem in bug
+	# #275073. The reason why we don't solve this properly is that
+	# it'll require us to rebuild autotools (and we don't really want
+	# to do that right now). The proper solution has been sent
+	# upstream and should hopefully land in 0.7.7, in the mean time,
+	# mime the same functionality with this.
+	case ${CHOST} in
+		*cygwin* | *mingw* )
+			;;
+		*)
+			ac_cv_prog_WINDRES=no
+			;;
+	esac
+
+	econf \
+		${myconf} \
+		--disable-static \
+		--disable-werror \
+		--with-remote \
+		--docdir=/usr/share/doc/${PF} \
+		--localstatedir=/var
+
+	if [[ ${PV} = *9999* ]]; then
+		# Restore gnulib's config.sub and config.guess
+		# bug #377279
+		(cd .gnulib && git reset --hard > /dev/null)
+	fi
+}
+
+src_test() {
+	# Explicitly allow parallel build of tests
+	export VIR_TEST_DEBUG=1
+	HOME="${T}" emake check || die "tests failed"
+}
+
+src_install() {
+	emake install \
+		DESTDIR="${D}" \
+		HTML_DIR=/usr/share/doc/${PF}/html \
+		DOCS_DIR=/usr/share/doc/${PF} \
+		EXAMPLE_DIR=/usr/share/doc/${PF}/examples \
+		SYSTEMD_UNIT_DIR="$(systemd_get_unitdir)" \
+		|| die "emake install failed"
+
+	find "${D}" -name '*.la' -delete || die
+
+	# Remove bogus, empty directories. They are either not used, or
+	# libvirtd is able to create them on demand
+	rm -rf "${D}"/etc/sysconf
+	rm -rf "${D}"/var/cache
+	rm -rf "${D}"/var/run
+	rm -rf "${D}"/var/log
+
+	use libvirtd || return 0
+	# From here, only libvirtd-related instructions, be warned!
+
+	use systemd && \
+		systemd_install_serviced "${FILESDIR}"/libvirtd.service.conf libvirtd
+
+	newinitd "${S}/libvirtd.init" libvirtd || die
+	newconfd "${FILESDIR}/libvirtd.confd-r4" libvirtd || die
+	newinitd "${FILESDIR}/virtlockd.init" virtlockd || die
+
+	readme.gentoo_create_doc
+}
+
+pkg_preinst() {
+	# we only ever want to generate this once
+	if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
+		rm -rf "${D}"/etc/libvirt/qemu/networks/default.xml
+	fi
+
+	# We really don't want to use or support old PolicyKit cause it
+	# screws with the new polkit integration
+	if has_version sys-auth/policykit; then
+		rm -rf "${D}"/usr/share/PolicyKit/policy/org.libvirt.unix.policy
+	fi
+
+	# Only sysctl files ending in .conf work
+	dodir /etc/sysctl.d
+	mv "${D}"/usr/lib/sysctl.d/libvirtd.conf "${D}"/etc/sysctl.d/libvirtd.conf
+}
+
+pkg_postinst() {
+	if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
+		touch "${ROOT}"/etc/libvirt/qemu/networks/default.xml
+	fi
+
+	if ! use policykit; then
+		elog "To allow normal users to connect to libvirtd you must change the"
+		elog "unix sock group and/or perms in /etc/libvirt/libvirtd.conf"
+	fi
+
+	use libvirtd || return 0
+	# From here, only libvirtd-related instructions, be warned!
+
+	readme.gentoo_print_elog
+
+	if use caps && use qemu; then
+		elog "libvirt will now start qemu/kvm VMs with non-root privileges."
+		elog "Ensure any resources your VMs use are accessible by qemu:qemu"
+	fi
+
+	if [[ -n "${REPLACING_VERSIONS}" ]]; then
+		elog ""
+		elog "The systemd service-file configuration under /etc/sysconfig has"
+		elog "been removed. Please use"
+		elog "    /etc/systemd/system/libvirt.d/00gentoo.conf"
+		elog "to control the '--listen' parameter for libvirtd. The configuration"
+		elog "for the libvirt-guests.service is now found under"
+		elog "    /etc/libvirt/libvirt-guests.conf"
+		elog "The openrc configuration has not been changed. Thus no action is"
+		elog "required for the openrc service manager."
+		elog ""
+	fi
+}
diff --git a/app-emulation/libvirt/libvirt-9999.ebuild b/app-emulation/libvirt/libvirt-9999.ebuild
index 4703c2587d87..31679cb95f23 100644
--- a/app-emulation/libvirt/libvirt-9999.ebuild
+++ b/app-emulation/libvirt/libvirt-9999.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-9999.ebuild,v 1.71 2014/12/18 21:05:55 tamiko Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-9999.ebuild,v 1.72 2015/01/27 10:42:52 tamiko Exp $
 
 EAPI=5
 
@@ -10,6 +10,8 @@ MY_P="${P/_rc/-rc}"
 
 inherit eutils user autotools linux-info systemd readme.gentoo
 
+BACKPORTS=""
+
 if [[ ${PV} = *9999* ]]; then
 	inherit git-r3
 	EGIT_REPO_URI="git://libvirt.org/libvirt.git"
@@ -23,6 +25,9 @@ else
 	else
 		SRC_URI="http://libvirt.org/sources/${MY_P}.tar.gz"
 	fi
+	SRC_URI+=" ${BACKPORTS:+
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
+		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
 	KEYWORDS="~amd64 ~x86"
 	SLOT="0/${PV}"
 fi
@@ -223,6 +228,10 @@ src_prepare() {
 
 	epatch "${FILESDIR}"/${PN}-1.2.9-do_not_use_sysconf.patch
 
+	[[ -n ${BACKPORTS} ]] && \
+		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" \
+			EPATCH_SOURCE="${WORKDIR}/patches" epatch
+
 	epatch_user
 
 	[[ -n ${AUTOTOOLIZE} ]] && eautoreconf
author	Matthias Maier <tamiko@gentoo.org>	2015-01-27 10:42:52 +0000
committer	Matthias Maier <tamiko@gentoo.org>	2015-01-27 10:42:52 +0000
commit	473d75f991d36de6e6166e238fe8d32d4f57e238 (patch)
tree	8def011a21f3e6d52c4195d2053adf538d2fa509 /app-emulation/libvirt
parent	version bump (diff)
download	gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.tar.gz gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.tar.bz2 gentoo-2-473d75f991d36de6e6166e238fe8d32d4f57e238.zip