authorIan Delaney <idella4@gentoo.org>2013-05-15 17:47:47 +0000
committerIan Delaney <idella4@gentoo.org>2013-05-15 17:47:47 +0000
commit7c8632cc531b5366e04cfbdc24704e8dd802b6fb (patch)
tree389c45ce74d906da19b65ad0561eb7498fb27ef1 /app-emulation
parentFix phing dependency on php's xsl extension (diff)
downloadgentoo-2-7c8632cc531b5366e04cfbdc24704e8dd802b6fb.tar.gz
gentoo-2-7c8632cc531b5366e04cfbdc24704e8dd802b6fb.tar.bz2
gentoo-2-7c8632cc531b5366e04cfbdc24704e8dd802b6fb.zip
4.2.1-r1; re-invoked ipxe-nopie.patch, revbump 4.2.1-r3; updated security patches, bump 4.2.2; updated security patches, dropped ocaml use flag made redundant by build
(Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/xen-tools/ChangeLog17
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2013-0215-XSA-38.patch73
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2013-1919-XSA-46.patch293
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2013-1922-XSA-48.patch114
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA-49.patch50
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA_49.patch41
-rw-r--r--app-emulation/xen-tools/files/xen-4-ulong.patch11
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild8
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.1-r3.ebuild347
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.2.ebuild344
10 files changed, 1293 insertions, 5 deletions
diff --git a/app-emulation/xen-tools/ChangeLog b/app-emulation/xen-tools/ChangeLog
index 98b5728a9da1..08a90a55126b 100644
--- a/app-emulation/xen-tools/ChangeLog
+++ b/app-emulation/xen-tools/ChangeLog
@@ -1,6 +1,21 @@
# ChangeLog for app-emulation/xen-tools
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.146 2013/05/15 08:40:29 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.147 2013/05/15 17:47:47 idella4 Exp $
+
+*xen-tools-4.2.2 (15 May 2013)
+*xen-tools-4.2.1-r3 (15 May 2013)
+
+ 15 May 2013; Ian Delaney <idella4@gentoo.org>
+ +files/xen-4-CVE-2013-0215-XSA-38.patch,
+ +files/xen-4-CVE-2013-1919-XSA-46.patch,
+ +files/xen-4-CVE-2013-1922-XSA-48.patch,
+ +files/xen-4-CVE-2013-1952-XSA-49.patch,
+ +files/xen-4-CVE-2013-1952-XSA_49.patch, +files/xen-4-ulong.patch,
+ +xen-tools-4.2.1-r3.ebuild, +xen-tools-4.2.2.ebuild,
+ xen-tools-4.2.1-r1.ebuild:
+ 4.2.1-r1; re-invoked ipxe-nopie.patch, revbump 4.2.1-r3; updated security
+ patches, bump 4.2.2; updated security patches, dropped ocaml use flag made
+ redundant by build
15 May 2013; Ian Delaney <idella4@gentoo.org> files/xenstored.initd:
Fix to xenstored.initd wrt Bug #459082
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2013-0215-XSA-38.patch b/app-emulation/xen-tools/files/xen-4-CVE-2013-0215-XSA-38.patch
new file mode 100644
index 000000000000..f4a5dc0881e8
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-CVE-2013-0215-XSA-38.patch
@@ -0,0 +1,73 @@
+diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml
+index 3558889..d4d1c7b 100644
+--- a/tools/ocaml/libs/xb/partial.ml
++++ b/tools/ocaml/libs/xb/partial.ml
+@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
+ external header_of_string_internal: string -> int * int * int * int
+ = "stub_header_of_string"
+
++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
++
+ let of_string s =
+ let tid, rid, opint, dlen = header_of_string_internal s in
++ (* A packet which is bigger than xenstore_payload_max is illegal.
++ This will leave the guest connection is a bad state and will
++ be hard to recover from without restarting the connection
++ (ie rebooting the guest) *)
++ let dlen = min xenstore_payload_max dlen in
+ {
+ tid = tid;
+ rid = rid;
+@@ -38,6 +45,7 @@ let of_string s =
+ }
+
+ let append pkt s sz =
++ if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
+ Buffer.add_string pkt.buf (String.sub s 0 sz)
+
+ let to_complete pkt =
+diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
+index 00414c5..4888ac5 100644
+--- a/tools/ocaml/libs/xb/xs_ring_stubs.c
++++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
+@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface,
+ char *buffer, int len)
+ {
+ struct xenstore_domain_interface *intf = interface->addr;
+- XENSTORE_RING_IDX cons, prod;
++ XENSTORE_RING_IDX cons, prod; /* offsets only */
+ int to_read;
+
+- cons = intf->req_cons;
+- prod = intf->req_prod;
++ cons = *(volatile uint32*)&intf->req_cons;
++ prod = *(volatile uint32*)&intf->req_prod;
+ xen_mb();
++ cons = MASK_XENSTORE_IDX(cons);
++ prod = MASK_XENSTORE_IDX(prod);
+ if (prod == cons)
+ return 0;
+- if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons))
++ if (prod > cons)
+ to_read = prod - cons;
+ else
+- to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons);
++ to_read = XENSTORE_RING_SIZE - cons;
+ if (to_read < len)
+ len = to_read;
+- memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len);
++ memcpy(buffer, intf->req + cons, len);
+ xen_mb();
+ intf->req_cons += len;
+ return len;
+@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface,
+ XENSTORE_RING_IDX cons, prod;
+ int can_write;
+
+- cons = intf->rsp_cons;
+- prod = intf->rsp_prod;
++ cons = *(volatile uint32*)&intf->rsp_cons;
++ prod = *(volatile uint32*)&intf->rsp_prod;
+ xen_mb();
+ if ( (prod - cons) >= XENSTORE_RING_SIZE )
+ return 0;
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2013-1919-XSA-46.patch b/app-emulation/xen-tools/files/xen-4-CVE-2013-1919-XSA-46.patch
new file mode 100644
index 000000000000..9448ea9c6748
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-CVE-2013-1919-XSA-46.patch
@@ -0,0 +1,293 @@
+x86: fix various issues with handling guest IRQs
+
+- properly revoke IRQ access in map_domain_pirq() error path
+- don't permit replacing an in use IRQ
+- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
+- track IRQ access permission in host IRQ terms, not guest IRQ ones
+ (and with that, also disallow Dom0 access to IRQ0)
+
+This is CVE-2013-1919 / XSA-46.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e
+ }
+
+ for (i = 0; i < d_config->b_info.num_irqs; i++) {
+- uint32_t irq = d_config->b_info.irqs[i];
++ int irq = d_config->b_info.irqs[i];
+
+- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq);
++ LOG(DEBUG, "dom%d irq %d", domid, irq);
+
+- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
++ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq)
++ : -EOVERFLOW;
++ if (!ret)
++ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
+ if ( ret<0 ){
+- LOGE(ERROR,
+- "failed give dom%d access to irq %"PRId32, domid, irq);
++ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq);
+ ret = ERROR_FAIL;
+ }
+ }
+--- a/tools/python/xen/xend/server/irqif.py
++++ b/tools/python/xen/xend/server/irqif.py
+@@ -73,6 +73,12 @@ class IRQController(DevController):
+
+ pirq = get_param('irq')
+
++ rc = xc.physdev_map_pirq(domid = self.getDomid(),
++ index = pirq,
++ pirq = pirq)
++ if rc < 0:
++ raise VmError('irq: Failed to map irq %x' % (pirq))
++
+ rc = xc.domain_irq_permission(domid = self.getDomid(),
+ pirq = pirq,
+ allow_access = True)
+@@ -81,12 +87,6 @@ class IRQController(DevController):
+ #todo non-fatal
+ raise VmError(
+ 'irq: Failed to configure irq: %d' % (pirq))
+- rc = xc.physdev_map_pirq(domid = self.getDomid(),
+- index = pirq,
+- pirq = pirq)
+- if rc < 0:
+- raise VmError(
+- 'irq: Failed to map irq %x' % (pirq))
+ back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
+ return (self.allocateDeviceID(), back, {})
+
+--- a/xen/arch/x86/domain_build.c
++++ b/xen/arch/x86/domain_build.c
+@@ -1219,7 +1219,7 @@ int __init construct_dom0(
+ /* DOM0 is permitted full I/O capabilities. */
+ rc |= ioports_permit_access(dom0, 0, 0xFFFF);
+ rc |= iomem_permit_access(dom0, 0UL, ~0UL);
+- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
++ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
+
+ /*
+ * Modify I/O port access permissions.
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -772,9 +772,13 @@ long arch_do_domctl(
+ goto bind_out;
+
+ ret = -EPERM;
+- if ( !IS_PRIV(current->domain) &&
+- !irq_access_permitted(current->domain, bind->machine_irq) )
+- goto bind_out;
++ if ( !IS_PRIV(current->domain) )
++ {
++ int irq = domain_pirq_to_irq(d, bind->machine_irq);
++
++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
++ goto bind_out;
++ }
+
+ ret = -ESRCH;
+ if ( iommu_enabled )
+@@ -803,9 +807,13 @@ long arch_do_domctl(
+ bind = &(domctl->u.bind_pt_irq);
+
+ ret = -EPERM;
+- if ( !IS_PRIV(current->domain) &&
+- !irq_access_permitted(current->domain, bind->machine_irq) )
+- goto unbind_out;
++ if ( !IS_PRIV(current->domain) )
++ {
++ int irq = domain_pirq_to_irq(d, bind->machine_irq);
++
++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
++ goto unbind_out;
++ }
+
+ if ( iommu_enabled )
+ {
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -184,6 +184,14 @@ int create_irq(int node)
+ desc->arch.used = IRQ_UNUSED;
+ irq = ret;
+ }
++ else if ( dom0 )
++ {
++ ret = irq_permit_access(dom0, irq);
++ if ( ret )
++ printk(XENLOG_G_ERR
++ "Could not grant Dom0 access to IRQ%d (error %d)\n",
++ irq, ret);
++ }
+
+ return irq;
+ }
+@@ -280,6 +288,17 @@ void clear_irq_vector(int irq)
+ void destroy_irq(unsigned int irq)
+ {
+ BUG_ON(!MSI_IRQ(irq));
++
++ if ( dom0 )
++ {
++ int err = irq_deny_access(dom0, irq);
++
++ if ( err )
++ printk(XENLOG_G_ERR
++ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
++ irq, err);
++ }
++
+ dynamic_irq_cleanup(irq);
+ clear_irq_vector(irq);
+ }
+@@ -1858,7 +1877,7 @@ int map_domain_pirq(
+
+ if ( !IS_PRIV(current->domain) &&
+ !(IS_PRIV_FOR(current->domain, d) &&
+- irq_access_permitted(current->domain, pirq)))
++ irq_access_permitted(current->domain, irq)))
+ return -EPERM;
+
+ if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
+@@ -1887,17 +1906,18 @@ int map_domain_pirq(
+ return ret;
+ }
+
+- ret = irq_permit_access(d, pirq);
++ ret = irq_permit_access(d, irq);
+ if ( ret )
+ {
+- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
+- d->domain_id, pirq);
++ printk(XENLOG_G_ERR
++ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
+ return ret;
+ }
+
+ ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
+ if ( ret )
+- return ret;
++ goto revoke;
+
+ desc = irq_to_desc(irq);
+
+@@ -1921,8 +1941,14 @@ int map_domain_pirq(
+ spin_lock_irqsave(&desc->lock, flags);
+
+ if ( desc->handler != &no_irq_type )
++ {
++ spin_unlock_irqrestore(&desc->lock, flags);
+ dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
+ d->domain_id, irq);
++ pci_disable_msi(msi_desc);
++ ret = -EBUSY;
++ goto done;
++ }
+ setup_msi_handler(desc, msi_desc);
+
+ if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
+@@ -1951,7 +1977,14 @@ int map_domain_pirq(
+
+ done:
+ if ( ret )
++ {
+ cleanup_domain_irq_pirq(d, irq, info);
++ revoke:
++ if ( irq_deny_access(d, irq) )
++ printk(XENLOG_G_ERR
++ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
++ }
+ return ret;
+ }
+
+@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d,
+ if ( !forced_unbind )
+ cleanup_domain_irq_pirq(d, irq, info);
+
+- ret = irq_deny_access(d, pirq);
++ ret = irq_deny_access(d, irq);
+ if ( ret )
+- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
+- d->domain_id, pirq);
++ printk(XENLOG_G_ERR
++ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
+
+ done:
+ return ret;
+--- a/xen/arch/x86/physdev.c
++++ b/xen/arch/x86/physdev.c
+@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int
+ if ( irq == -1 )
+ irq = create_irq(NUMA_NO_NODE);
+
+- if ( irq < 0 || irq >= nr_irqs )
++ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
+ {
+ dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
+ d->domain_id);
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -25,6 +25,7 @@
+ #include <xen/paging.h>
+ #include <xen/hypercall.h>
+ #include <asm/current.h>
++#include <asm/irq.h>
+ #include <asm/page.h>
+ #include <public/domctl.h>
+ #include <xsm/xsm.h>
+@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
+ else if ( xsm_irq_permission(d, pirq, allow) )
+ ret = -EPERM;
+ else if ( allow )
+- ret = irq_permit_access(d, pirq);
++ ret = pirq_permit_access(d, pirq);
+ else
+- ret = irq_deny_access(d, pirq);
++ ret = pirq_deny_access(d, pirq);
+
+ rcu_unlock_domain(d);
+ }
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind
+ if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
+ return -EINVAL;
+
+- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
++ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
+ return -EPERM;
+
+ spin_lock(&d->event_lock);
+--- a/xen/include/xen/iocap.h
++++ b/xen/include/xen/iocap.h
+@@ -28,4 +28,22 @@
+ #define irq_access_permitted(d, i) \
+ rangeset_contains_singleton((d)->irq_caps, i)
+
++#define pirq_permit_access(d, i) ({ \
++ struct domain *d__ = (d); \
++ int i__ = domain_pirq_to_irq(d__, i); \
++ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
++ : -EINVAL; \
++})
++#define pirq_deny_access(d, i) ({ \
++ struct domain *d__ = (d); \
++ int i__ = domain_pirq_to_irq(d__, i); \
++ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
++ : -EINVAL; \
++})
++#define pirq_access_permitted(d, i) ({ \
++ struct domain *d__ = (d); \
++ rangeset_contains_singleton(d__->irq_caps, \
++ domain_pirq_to_irq(d__, i));\
++})
++
+ #endif /* __XEN_IOCAP_H__ */
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2013-1922-XSA-48.patch b/app-emulation/xen-tools/files/xen-4-CVE-2013-1922-XSA-48.patch
new file mode 100644
index 000000000000..998dbcb1d516
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-CVE-2013-1922-XSA-48.patch
@@ -0,0 +1,114 @@
+Add -f FMT / --format FMT arg to qemu-nbd
+
+From: "Daniel P. Berrange" <berrange@redhat.com>
+
+Currently the qemu-nbd program will auto-detect the format of
+any disk it is given. This behaviour is known to be insecure.
+For example, if qemu-nbd initially exposes a 'raw' file to an
+unprivileged app, and that app runs
+
+ 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
+
+then the next time the app is started, the qemu-nbd will now
+detect it as a 'qcow2' file and expose /etc/shadow to the
+unprivileged app.
+
+The only way to avoid this is to explicitly tell qemu-nbd what
+disk format to use on the command line, completely disabling
+auto-detection. This patch adds a '-f' / '--format' arg for
+this purpose, mirroring what is already available via qemu-img
+and qemu commands.
+
+ qemu-nbd --format raw -p 9000 evil.img
+
+will now always use raw, regardless of what format 'evil.img'
+looks like it contains
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+[Use errx, not err. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+[ This is a security issue, CVE-2013-1922 / XSA-48. ]
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 291cba2..8fbe2cf 100644
+--- a/tools/qemu-xen/qemu-nbd.c
++++ b/tools/qemu-xen/qemu-nbd.c
+@@ -247,6 +247,7 @@ out:
+ int main(int argc, char **argv)
+ {
+ BlockDriverState *bs;
++ BlockDriver *drv;
+ off_t dev_offset = 0;
+ off_t offset = 0;
+ uint32_t nbdflags = 0;
+@@ -256,7 +257,7 @@ int main(int argc, char **argv)
+ struct sockaddr_in addr;
+ socklen_t addr_len = sizeof(addr);
+ off_t fd_size;
+- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
++ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
+ struct option lopt[] = {
+ { "help", 0, NULL, 'h' },
+ { "version", 0, NULL, 'V' },
+@@ -271,6 +272,7 @@ int main(int argc, char **argv)
+ { "snapshot", 0, NULL, 's' },
+ { "nocache", 0, NULL, 'n' },
+ { "shared", 1, NULL, 'e' },
++ { "format", 1, NULL, 'f' },
+ { "persistent", 0, NULL, 't' },
+ { "verbose", 0, NULL, 'v' },
+ { NULL, 0, NULL, 0 }
+@@ -292,6 +294,7 @@ int main(int argc, char **argv)
+ int max_fd;
+ int persistent = 0;
+ pthread_t client_thread;
++ const char *fmt = NULL;
+
+ /* The client thread uses SIGTERM to interrupt the server. A signal
+ * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
+@@ -368,6 +371,9 @@ int main(int argc, char **argv)
+ errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
+ }
+ break;
++ case 'f':
++ fmt = optarg;
++ break;
+ case 't':
+ persistent = 1;
+ break;
+@@ -478,9 +484,19 @@ int main(int argc, char **argv)
+ bdrv_init();
+ atexit(bdrv_close_all);
+
++ if (fmt) {
++ drv = bdrv_find_format(fmt);
++ if (!drv) {
++ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
++ }
++ } else {
++ drv = NULL;
++ }
++
+ bs = bdrv_new("hda");
+ srcpath = argv[optind];
+- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
++ ret = bdrv_open(bs, srcpath, flags, drv);
++ if (ret < 0) {
+ errno = -ret;
+ err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
+ }
+diff --git a/qemu-nbd.texi b/qemu-nbd.texi
+index 44996cc..f56c68e 100644
+--- a/tools/qemu-xen/qemu-nbd.texi
++++ b/tools/qemu-xen/qemu-nbd.texi
+@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol.
+ disconnect the specified device
+ @item -e, --shared=@var{num}
+ device can be shared by @var{num} clients (default @samp{1})
++@item -f, --format=@var{fmt}
++ force block driver for format @var{fmt} instead of auto-detecting
+ @item -t, --persistent
+ don't exit on the last connection
+ @item -v, --verbose
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA-49.patch b/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA-49.patch
new file mode 100644
index 000000000000..4b92c7f98d35
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA-49.patch
@@ -0,0 +1,50 @@
+VT-d: don't permit SVT_NO_VERIFY entries for known device types
+
+Only in cases where we don't know what to do we should leave the IRTE
+blank (suppressing all validation), but we should always log a warning
+in those cases (as being insecure).
+
+This is CVE-2013-1952 / XSA-49.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -440,16 +440,15 @@ static void set_msi_source_id(struct pci
+ type = pdev_type(seg, bus, devfn);
+ switch ( type )
+ {
++ case DEV_TYPE_PCIe_ENDPOINT:
+ case DEV_TYPE_PCIe_BRIDGE:
+ case DEV_TYPE_PCIe2PCI_BRIDGE:
+- case DEV_TYPE_LEGACY_PCI_BRIDGE:
+- break;
+-
+- case DEV_TYPE_PCIe_ENDPOINT:
+ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
+ break;
+
+ case DEV_TYPE_PCI:
++ case DEV_TYPE_LEGACY_PCI_BRIDGE:
++ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
+ ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
+ if ( ret == 0 ) /* integrated PCI device */
+ {
+@@ -461,10 +460,15 @@ static void set_msi_source_id(struct pci
+ if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ (bus << 8) | pdev->bus);
+- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
++ else
+ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+ PCI_BDF2(bus, devfn));
+ }
++ else
++ dprintk(XENLOG_WARNING VTDPREFIX,
++ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
++ pdev->domain->domain_id,
++ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
+ break;
+
+ default:
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA_49.patch b/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA_49.patch
new file mode 100644
index 000000000000..4543f21bc460
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-CVE-2013-1952-XSA_49.patch
@@ -0,0 +1,41 @@
+diff -ur xen-4.2.1.orig/xen/drivers/passthrough/vtd/intremap.c xen-4.2.1/xen/drivers/passthrough/vtd/intremap.c
+--- xen/drivers/passthrough/vtd/intremap.c 2012-12-17 23:01:55.000000000 +0800
++++ xen/drivers/passthrough/vtd/intremap.c 2013-05-15 23:09:06.704546506 +0800
+@@ -440,16 +440,17 @@
+ type = pdev_type(seg, bus, devfn);
+ switch ( type )
+ {
++ case DEV_TYPE_PCIe_ENDPOINT:
+ case DEV_TYPE_PCIe_BRIDGE:
+ case DEV_TYPE_PCIe2PCI_BRIDGE:
+- case DEV_TYPE_LEGACY_PCI_BRIDGE:
+- break;
+
+- case DEV_TYPE_PCIe_ENDPOINT:
+ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
+ break;
+
+ case DEV_TYPE_PCI:
++ case DEV_TYPE_LEGACY_PCI_BRIDGE:
++ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
++
+ ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
+ if ( ret == 0 ) /* integrated PCI device */
+ {
+@@ -461,10 +462,15 @@
+ if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ (bus << 8) | pdev->bus);
+- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
++ else
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ PCI_BDF2(bus, devfn));
+ }
++ else
++ dprintk(XENLOG_WARNING VTDPREFIX,
++ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
++ pdev->domain->domain_id,
++ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
+ break;
+
+ default:
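Review bot: The rebased copy of the XSA-49 fix diverges from the upstream-signed copy added by the same commit in the `else` branch for a non-PCIe2PCI upstream bridge: this file emits `set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, PCI_BDF2(bus, devfn));` where `xen-4-CVE-2013-1952-XSA-49.patch` (carrying the Jan Beulich Signed-off-by) emits `set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));`. `SVT_VERIFY_BUS` presumably checks a bus range rather than a full source ID, so pairing it with a BDF value is unlikely to be what the advisory intends — confirm against the upstream patch and the VT-d remapping-table definition. Since `xen-tools-4.2.1-r3.ebuild` applies this `XSA_49` variant and never references the `XSA-49` one, 4.2.1-r3 ends up with the diverging line; the two files should be reconciled and only one kept under files/. The stray `+` blank line after the commented-out `DEV_TYPE_PCI2PCIe_BRIDGE` case is harmless but is another unexplained difference between the two copies.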
diff --git a/app-emulation/xen-tools/files/xen-4-ulong.patch b/app-emulation/xen-tools/files/xen-4-ulong.patch
new file mode 100644
index 000000000000..443e321d344c
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4-ulong.patch
@@ -0,0 +1,11 @@
+diff -ur xen-4.2.2.orig/tools/debugger/gdbsx/xg/xg_main.c xen-4.2.2/tools/debugger/gdbsx/xg/xg_main.c
+--- tools/debugger/gdbsx/xg/xg_main.c 2013-04-24 00:42:55.000000000 +0800
++++ tools/debugger/gdbsx/xg/xg_main.c 2013-05-16 00:22:39.263704336 +0800
+@@ -50,6 +50,7 @@
+ #include "xg_public.h"
+ #include <xen/version.h>
+ #include <xen/domctl.h>
++#include <sys/types.h>
+ #include <xen/sys/privcmd.h>
+ #include <xen/foreign/x86_32.h>
+ #include <xen/foreign/x86_64.h>
diff --git a/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild b/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild
index 7a45893082fc..64c317761e34 100644
--- a/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild
+++ b/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild,v 1.8 2013/02/22 10:36:08 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild,v 1.9 2013/05/15 17:47:47 idella4 Exp $
EAPI=5
@@ -183,9 +183,9 @@ src_prepare() {
epatch "${FILESDIR}/${PN}-4.1.1-bridge.patch"
# Don't build ipxe with pie on hardened, Bug #360805
-# if gcc-specs-pie; then
-# epatch "${FILESDIR}"/ipxe-nopie.patch
-# fi
+ if gcc-specs-pie; then
+ epatch "${FILESDIR}"/ipxe-nopie.patch
+ fi
# Prevent double stripping of files at install
epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-nostrip.patch
diff --git a/app-emulation/xen-tools/xen-tools-4.2.1-r3.ebuild b/app-emulation/xen-tools/xen-tools-4.2.1-r3.ebuild
new file mode 100644
index 000000000000..015e56346ab5
--- /dev/null
+++ b/app-emulation/xen-tools/xen-tools-4.2.1-r3.ebuild
@@ -0,0 +1,347 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r3.ebuild,v 1.1 2013/05/15 17:47:47 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+PYTHON_REQ_USE='xml,threads'
+
+IPXE_TARBALL_URL="http://dev.gentoo.org/~idella4/tarballs/ipxe.tar.gz"
+XEN_SEABIOS_URL="http://dev.gentoo.org/~idella4/tarballs/seabios-0-20121121.tar.bz2"
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ KEYWORDS="~amd64 ~x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz
+ $IPXE_TARBALL_URL
+ $XEN_SEABIOS_URL"
+ S="${WORKDIR}/xen-${PV}"
+fi
+
+inherit flag-o-matic eutils multilib python-single-r1 toolchain-funcs udev ${live_eclass}
+
+DESCRIPTION="Xend daemon and tools"
+HOMEPAGE="http://xen.org/"
+DOCS=( README docs/README.xen-bugtool )
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="api custom-cflags debug doc flask hvm qemu ocaml pygrub screen static-libs xend"
+
+REQUIRED_USE="hvm? ( qemu )"
+
+CDEPEND="dev-libs/yajl
+ dev-python/lxml[${PYTHON_USEDEP}]
+ dev-python/pypam[${PYTHON_USEDEP}]
+ dev-python/pyxml[${PYTHON_USEDEP}]
+ sys-libs/zlib
+ sys-power/iasl
+ ocaml? ( dev-ml/findlib )
+ hvm? ( media-libs/libsdl )
+ ${PYTHON_DEPS}
+ api? ( dev-libs/libxml2
+ net-misc/curl )
+ ${PYTHON_DEPS}
+ pygrub? ( ${PYTHON_DEPS//${PYTHON_REQ_USE}/ncurses} )"
+DEPEND="${CDEPEND}
+ sys-devel/bin86
+ sys-devel/dev86
+ dev-lang/perl
+ app-misc/pax-utils
+ doc? (
+ app-doc/doxygen
+ dev-tex/latex2html[png,gif]
+ media-gfx/transfig
+ media-gfx/graphviz
+ dev-tex/xcolor
+ dev-texlive/texlive-latexextra
+ virtual/latex-base
+ dev-tex/latexmk
+ dev-texlive/texlive-latex
+ dev-texlive/texlive-pictures
+ dev-texlive/texlive-latexrecommended
+ )
+ hvm? ( x11-proto/xproto
+ )"
+RDEPEND="${CDEPEND}
+ sys-apps/iproute2
+ net-misc/bridge-utils
+ ocaml? ( >=dev-lang/ocaml-3.12.0 )
+ screen? (
+ app-misc/screen
+ app-admin/logrotate
+ )
+ virtual/udev"
+
+# hvmloader is used to bootstrap a fully virtualized kernel
+# Approved by QA team in bug #144032
+QA_WX_LOAD="usr/lib/xen/boot/hvmloader"
+
+RESTRICT="test"
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+ export "CONFIG_LOMOUNT=y"
+
+ if has_version dev-libs/libgcrypt; then
+ export "CONFIG_GCRYPT=y"
+ fi
+
+ if use qemu; then
+ export "CONFIG_IOEMU=y"
+ else
+ export "CONFIG_IOEMU=n"
+ fi
+
+ if ! use x86 && ! has x86 $(get_all_abis) && use hvm; then
+ eerror "HVM (VT-x and AMD-v) cannot be built on this system. An x86 or"
+ eerror "an amd64 multilib profile is required. Remove the hvm use flag"
+ eerror "to build xen-tools on your current profile."
+ die "USE=hvm is unsupported on this system."
+ fi
+
+ if [[ -z ${XEN_TARGET_ARCH} ]] ; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64 ; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ use api && export "LIBXENAPI_BINDINGS=y"
+ use flask && export "FLASK_ENABLE=y"
+}
+
+src_prepare() {
+ # Drop .config, fixes to gcc-4.6
+ epatch "${FILESDIR}"/${PN/-tools/}-4-fix_dotconfig-gcc.patch
+
+ # Xend
+ if ! use xend; then
+ sed -e 's:xm xen-bugtool xen-python-path xend:xen-bugtool xen-python-path:' \
+ -i tools/misc/Makefile || die "Disabling xend failed"
+ sed -e 's:^XEND_INITD:#XEND_INITD:' \
+ -i tools/examples/Makefile || die "Disabling xend failed"
+ fi
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+
+ # try and remove all the default cflags
+ find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) \
+ -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} + || die "failed to re-set custom-cflags"
+ fi
+
+ if ! use pygrub; then
+ sed -e '/^SUBDIRS-$(PYTHON_TOOLS) += pygrub$/d' -i tools/Makefile || die
+ fi
+
+ # Disable hvm support on systems that don't support x86_32 binaries.
+ if ! use hvm; then
+ sed -e '/^CONFIG_IOEMU := y$/d' -i config/*.mk || die
+ sed -e '/SUBDIRS-$(CONFIG_X86) += firmware/d' -i tools/Makefile || die
+ fi
+
+ # Don't bother with qemu, only needed for fully virtualised guests
+ if ! use qemu; then
+ sed -e "/^CONFIG_IOEMU := y$/d" -i config/*.mk || die
+ sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
+ fi
+
+ # Fix texi2html build error with new texi2html
+ epatch "${FILESDIR}"/${PN}-4-docfix.patch
+
+ # Fix network broadcast on bridged networks
+ epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
+
+ # Prevent the downloading of ipxe, seabios
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-anti-download.patch
+ cp "${DISTDIR}"/ipxe.tar.gz tools/firmware/etherboot/ || die
+ mv ../seabios-dir-remote tools/firmware/ || die
+ pushd tools/firmware/ > /dev/null
+ ln -s seabios-dir-remote seabios-dir || die
+ popd > /dev/null
+
+ # Fix bridge by idella4, bug #362575
+ epatch "${FILESDIR}/${PN}-4.1.1-bridge.patch"
+
+ # Don't build ipxe with pie on hardened, Bug #360805
+ if gcc-specs-pie; then
+ epatch "${FILESDIR}"/ipxe-nopie.patch
+ fi
+
+ # Prevent double stripping of files at install
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-nostrip.patch
+
+ # fix jobserver in Makefile
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-jserver.patch
+
+ # add missing typedef
+ epatch "${FILESDIR}"/xen-4-ulong.patch
+
+ #Sec patch, currently valid
+ epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-0215-XSA-38.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1919-XSA-46.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1952-XSA_49.patch
+}
+
+src_compile() {
+ export VARTEXFONTS="${T}/fonts"
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+
+ use custom-cflags || unset CFLAGS
+ if test-flag-CC -fno-strict-overflow; then
+ append-flags -fno-strict-overflow
+ fi
+
+ unset LDFLAGS
+ unset CFLAGS
+ emake CC="$(tc-getCC)" LD="$(tc-getLD)" -C tools ${myopt}
+
+ use doc && emake -C docs txt html
+ emake -C docs man-pages
+}
+
+src_install() {
+ # Override auto-detection in the build system, bug #382573
+ export INITD_DIR=/tmp/init.d
+ export CONFIG_LEAF_DIR=../tmp/default
+
+ # Let the build system compile installed Python modules.
+ local PYTHONDONTWRITEBYTECODE
+ export PYTHONDONTWRITEBYTECODE
+
+ emake DESTDIR="${ED}" DOCDIR="/usr/share/doc/${PF}" \
+ XEN_PYTHON_NATIVE_INSTALL=y install-tools
+
+ # Fix the remaining Python shebangs.
+ python_fix_shebang "${ED}"
+
+ # Remove RedHat-specific stuff
+ rm -rf "${ED}"tmp || die
+
+ # uncomment lines in xl.conf
+ sed -e 's:^#autoballoon=1:autoballoon=1:' \
+ -e 's:^#lockfile="/var/lock/xl":lockfile="/var/lock/xl":' \
+ -e 's:^#vifscript="vif-bridge":vifscript="vif-bridge":' \
+ -i tools/examples/xl.conf || die
+
+ if use doc; then
+ emake DESTDIR="${ED}" DOCDIR="/usr/share/doc/${PF}" install-docs
+
+ dohtml -r docs/
+ docinto pdf
+ dodoc ${DOCS[@]}
+ [ -d "${ED}"/usr/share/doc/xen ] && mv "${ED}"/usr/share/doc/xen/* "${ED}"/usr/share/doc/${PF}/html
+ fi
+
+ rm -rf "${ED}"/usr/share/doc/xen/
+ doman docs/man?/*
+
+ if use xend; then
+ newinitd "${FILESDIR}"/xend.initd-r2 xend || die "Couldn't install xen.initd"
+ fi
+ newconfd "${FILESDIR}"/xendomains.confd xendomains
+ newconfd "${FILESDIR}"/xenstored.confd xenstored
+ newconfd "${FILESDIR}"/xenconsoled.confd xenconsoled
+ newinitd "${FILESDIR}"/xendomains.initd-r2 xendomains
+ newinitd "${FILESDIR}"/xenstored.initd xenstored
+ newinitd "${FILESDIR}"/xenconsoled.initd xenconsoled
+
+ if use screen; then
+ cat "${FILESDIR}"/xendomains-screen.confd >> "${ED}"/etc/conf.d/xendomains || die
+ cp "${FILESDIR}"/xen-consoles.logrotate "${ED}"/etc/xen/ || die
+ keepdir /var/log/xen-consoles
+ fi
+
+ if use qemu; then
+ mkdir -p "${D}"usr/lib64/xen/bin || die
+ mv "${D}"usr/lib/xen/bin/qemu* "${D}"usr/lib64/xen/bin/ || die
+ fi
+
+ # For -static-libs wrt Bug 384355
+ if ! use static-libs; then
+ rm -f "${ED}"usr/$(get_libdir)/*.a "${ED}"usr/$(get_libdir)/ocaml/*/*.a
+ fi
+
+ # xend expects these to exist
+ keepdir /var/run/xenstored /var/lib/xenstored /var/xen/dump /var/lib/xen /var/log/xen
+
+ # for xendomains
+ keepdir /etc/xen/auto
+
+ # Temp QA workaround
+ dodir "$(udev_get_udevdir)"
+ mv "${ED}"/etc/udev/* "${ED}/$(udev_get_udevdir)"
+ rm -rf "${ED}"/etc/udev
+
+ # Remove files failing QA AFTER emake installs them, avoiding seeking absent files
+ find "${ED}" \( -name openbios-sparc32 -o -name openbios-sparc64 \
+ -o -name openbios-ppc -o -name palcode-clipper \) -delete || die
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://gentoo-wiki.com/HOWTO_Xen_and_Gentoo"
+
+ if [[ "$(scanelf -s __guard -q "${PYTHON}")" ]] ; then
+ echo
+ ewarn "xend may not work when python is built with stack smashing protection (ssp)."
+ ewarn "If 'xm create' fails with '<ProtocolError for /RPC2: -1 >', see bug #141866"
+ ewarn "This problem may be resolved as of Xen 3.0.4, if not post in the bug."
+ fi
+
+ # TODO: we need to have the current Python slot here.
+ if ! has_version "dev-lang/python[ncurses]"; then
+ echo
+ ewarn "NB: Your dev-lang/python is built without USE=ncurses."
+ ewarn "Please rebuild python with USE=ncurses to make use of xenmon.py."
+ fi
+
+ if has_version "sys-apps/iproute2[minimal]"; then
+ echo
+ ewarn "Your sys-apps/iproute2 is built with USE=minimal. Networking"
+ ewarn "will not work until you rebuild iproute2 without USE=minimal."
+ fi
+
+ if ! use hvm; then
+ echo
+ elog "HVM (VT-x and AMD-V) support has been disabled. If you need hvm"
+ elog "support enable the hvm use flag."
+ elog "An x86 or amd64 multilib system is required to build HVM support."
+ echo
+ elog "The qemu use flag has been removed and replaced with hvm."
+ fi
+
+ if use xend; then
+ echo
+ elog "xend capability has been enabled and installed"
+ fi
+
+ if grep -qsF XENSV= "${ROOT}/etc/conf.d/xend"; then
+ echo
+ elog "xensv is broken upstream (Gentoo bug #142011)."
+ elog "Please remove '${ROOT%/}/etc/conf.d/xend', as it is no longer needed."
+ fi
+}
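Review bot: In `src_compile` the unconditional `unset CFLAGS` a few lines after `use custom-cflags || unset CFLAGS` makes the `custom-cflags` USE flag a no-op and also discards the `-fno-strict-overflow` that `append-flags` has just added; dropping that second `unset CFLAGS` (keeping `unset LDFLAGS`) restores the intended behaviour. In `src_prepare` the security block applies `xen-4-CVE-2013-1952-XSA_49.patch`, the locally rebased copy, while the upstream-signed `xen-4-CVE-2013-1952-XSA-49.patch` is also added by this commit but never referenced — carrying two copies of one advisory with differing content is easy to get wrong, so the ebuild should name the copy that matches the advisory and the other should be dropped. Two smaller points in `src_install`: `mkdir -p "${D}"usr/lib64/xen/bin` hard-codes `lib64` although `$(get_libdir)` is used a few lines later, and `mv "${ED}"/etc/udev/* "${ED}/$(udev_get_udevdir)"` lacks `|| die`, so a failed move of the udev rules is silently ignored.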
diff --git a/app-emulation/xen-tools/xen-tools-4.2.2.ebuild b/app-emulation/xen-tools/xen-tools-4.2.2.ebuild
new file mode 100644
index 000000000000..312cb58f99b0
--- /dev/null
+++ b/app-emulation/xen-tools/xen-tools-4.2.2.ebuild
@@ -0,0 +1,344 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.2.ebuild,v 1.1 2013/05/15 17:47:47 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+PYTHON_REQ_USE='xml,threads'
+
+IPXE_TARBALL_URL="http://dev.gentoo.org/~idella4/tarballs/ipxe.tar.gz"
+XEN_SEABIOS_URL="http://dev.gentoo.org/~idella4/tarballs/seabios-0-20121121.tar.bz2"
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ KEYWORDS="~amd64 ~x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz
+ $IPXE_TARBALL_URL
+ $XEN_SEABIOS_URL"
+ S="${WORKDIR}/xen-${PV}"
+fi
+
+inherit flag-o-matic eutils multilib python-single-r1 toolchain-funcs udev ${live_eclass}
+
+DESCRIPTION="Xend daemon and tools"
+HOMEPAGE="http://xen.org/"
+DOCS=( README docs/README.xen-bugtool )
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="api custom-cflags debug doc flask hvm qemu pygrub screen static-libs xend"
+
+REQUIRED_USE="hvm? ( qemu )"
+
+CDEPEND="dev-libs/yajl
+ dev-python/lxml[${PYTHON_USEDEP}]
+ dev-python/pypam[${PYTHON_USEDEP}]
+ dev-python/pyxml[${PYTHON_USEDEP}]
+ sys-libs/zlib
+ sys-power/iasl
+ dev-ml/findlib
+ hvm? ( media-libs/libsdl )
+ ${PYTHON_DEPS}
+ api? ( dev-libs/libxml2
+ net-misc/curl )
+ ${PYTHON_DEPS}
+ pygrub? ( ${PYTHON_DEPS//${PYTHON_REQ_USE}/ncurses} )"
+DEPEND="${CDEPEND}
+ sys-devel/bin86
+ sys-devel/dev86
+ dev-lang/perl
+ app-misc/pax-utils
+ doc? (
+ app-doc/doxygen
+ dev-tex/latex2html[png,gif]
+ media-gfx/transfig
+ media-gfx/graphviz
+ dev-tex/xcolor
+ dev-texlive/texlive-latexextra
+ virtual/latex-base
+ dev-tex/latexmk
+ dev-texlive/texlive-latex
+ dev-texlive/texlive-pictures
+ dev-texlive/texlive-latexrecommended
+ )
+ hvm? ( x11-proto/xproto
+ )"
+RDEPEND="${CDEPEND}
+ sys-apps/iproute2
+ net-misc/bridge-utils
+ screen? (
+ app-misc/screen
+ app-admin/logrotate
+ )
+ virtual/udev"
+
+# hvmloader is used to bootstrap a fully virtualized kernel
+# Approved by QA team in bug #144032
+QA_WX_LOAD="usr/lib/xen/boot/hvmloader"
+
+RESTRICT="test"
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+ export "CONFIG_LOMOUNT=y"
+
+ if has_version dev-libs/libgcrypt; then
+ export "CONFIG_GCRYPT=y"
+ fi
+
+ if use qemu; then
+ export "CONFIG_IOEMU=y"
+ else
+ export "CONFIG_IOEMU=n"
+ fi
+
+ if ! use x86 && ! has x86 $(get_all_abis) && use hvm; then
+ eerror "HVM (VT-x and AMD-v) cannot be built on this system. An x86 or"
+ eerror "an amd64 multilib profile is required. Remove the hvm use flag"
+ eerror "to build xen-tools on your current profile."
+ die "USE=hvm is unsupported on this system."
+ fi
+
+ if [[ -z ${XEN_TARGET_ARCH} ]] ; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64 ; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ use api && export "LIBXENAPI_BINDINGS=y"
+ use flask && export "FLASK_ENABLE=y"
+}
+
+src_prepare() {
+ # Drop .config, fixes to gcc-4.6
+ epatch "${FILESDIR}"/${PN/-tools/}-4-fix_dotconfig-gcc.patch
+
+ # Xend
+ if ! use xend; then
+ sed -e 's:xm xen-bugtool xen-python-path xend:xen-bugtool xen-python-path:' \
+ -i tools/misc/Makefile || die "Disabling xend failed"
+ sed -e 's:^XEND_INITD:#XEND_INITD:' \
+ -i tools/examples/Makefile || die "Disabling xend failed"
+ fi
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+
+ # try and remove all the default cflags
+ find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) \
+ -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} + || die "failed to re-set custom-cflags"
+ fi
+
+ if ! use pygrub; then
+ sed -e '/^SUBDIRS-$(PYTHON_TOOLS) += pygrub$/d' -i tools/Makefile || die
+ fi
+
+ # Disable hvm support on systems that don't support x86_32 binaries.
+ if ! use hvm; then
+ sed -e '/^CONFIG_IOEMU := y$/d' -i config/*.mk || die
+ sed -e '/SUBDIRS-$(CONFIG_X86) += firmware/d' -i tools/Makefile || die
+ fi
+
+ # Don't bother with qemu, only needed for fully virtualised guests
+ if ! use qemu; then
+ sed -e "/^CONFIG_IOEMU := y$/d" -i config/*.mk || die
+ sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
+ fi
+
+ # Fix texi2html build error with new texi2html
+ epatch "${FILESDIR}"/${PN}-4-docfix.patch
+
+ # Fix network broadcast on bridged networks
+ epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
+
+ # Prevent the downloading of ipxe, seabios
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-anti-download.patch
+ cp "${DISTDIR}"/ipxe.tar.gz tools/firmware/etherboot/ || die
+ mv ../seabios-dir-remote tools/firmware/ || die
+ pushd tools/firmware/ > /dev/null
+ ln -s seabios-dir-remote seabios-dir || die
+ popd > /dev/null
+
+ # Fix bridge by idella4, bug #362575
+ epatch "${FILESDIR}/${PN}-4.1.1-bridge.patch"
+
+ # Don't build ipxe with pie on hardened, Bug #360805
+ if gcc-specs-pie; then
+ epatch "${FILESDIR}"/ipxe-nopie.patch
+ fi
+
+ # Prevent double stripping of files at install
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-nostrip.patch
+
+ # fix jobserver in Makefile
+ epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-jserver.patch
+
+ # add missing header
+ epatch "${FILESDIR}"/xen-4-ulong.patch
+
+ #Sec patch, currently valid
+ epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1952-XSA-49.patch
+}
+
+src_compile() {
+ export VARTEXFONTS="${T}/fonts"
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+
+ use custom-cflags || unset CFLAGS
+ if test-flag-CC -fno-strict-overflow; then
+ append-flags -fno-strict-overflow
+ fi
+
+ unset LDFLAGS
+ unset CFLAGS
+ emake CC="$(tc-getCC)" LD="$(tc-getLD)" -C tools ${myopt}
+
+ use doc && emake -C docs txt html
+ emake -C docs man-pages
+}
+
+src_install() {
+ # Override auto-detection in the build system, bug #382573
+ export INITD_DIR=/tmp/init.d
+ export CONFIG_LEAF_DIR=../tmp/default
+
+ # Let the build system compile installed Python modules.
+ local PYTHONDONTWRITEBYTECODE
+ export PYTHONDONTWRITEBYTECODE
+
+ emake DESTDIR="${ED}" DOCDIR="/usr/share/doc/${PF}" \
+ XEN_PYTHON_NATIVE_INSTALL=y install-tools
+
+ # Fix the remaining Python shebangs.
+ python_fix_shebang "${ED}"
+
+ # Remove RedHat-specific stuff
+ rm -rf "${ED}"tmp || die
+
+ # uncomment lines in xl.conf
+ sed -e 's:^#autoballoon=1:autoballoon=1:' \
+ -e 's:^#lockfile="/var/lock/xl":lockfile="/var/lock/xl":' \
+ -e 's:^#vifscript="vif-bridge":vifscript="vif-bridge":' \
+ -i tools/examples/xl.conf || die
+
+ if use doc; then
+ emake DESTDIR="${ED}" DOCDIR="/usr/share/doc/${PF}" install-docs
+
+ dohtml -r docs/
+ docinto pdf
+ dodoc ${DOCS[@]}
+ [ -d "${ED}"/usr/share/doc/xen ] && mv "${ED}"/usr/share/doc/xen/* "${ED}"/usr/share/doc/${PF}/html
+ fi
+
+ rm -rf "${ED}"/usr/share/doc/xen/
+ doman docs/man?/*
+
+ if use xend; then
+ newinitd "${FILESDIR}"/xend.initd-r2 xend || die "Couldn't install xen.initd"
+ fi
+ newconfd "${FILESDIR}"/xendomains.confd xendomains
+ newconfd "${FILESDIR}"/xenstored.confd xenstored
+ newconfd "${FILESDIR}"/xenconsoled.confd xenconsoled
+ newinitd "${FILESDIR}"/xendomains.initd-r2 xendomains
+ newinitd "${FILESDIR}"/xenstored.initd xenstored
+ newinitd "${FILESDIR}"/xenconsoled.initd xenconsoled
+
+ if use screen; then
+ cat "${FILESDIR}"/xendomains-screen.confd >> "${ED}"/etc/conf.d/xendomains || die
+ cp "${FILESDIR}"/xen-consoles.logrotate "${ED}"/etc/xen/ || die
+ keepdir /var/log/xen-consoles
+ fi
+
+ if use qemu; then
+ mkdir -p "${D}"usr/lib64/xen/bin || die
+ mv "${D}"usr/lib/xen/bin/qemu* "${D}"usr/lib64/xen/bin/ || die
+ fi
+
+ # For -static-libs wrt Bug 384355
+ if ! use static-libs; then
+ rm -f "${ED}"usr/$(get_libdir)/*.a "${ED}"usr/$(get_libdir)/ocaml/*/*.a
+ fi
+
+ # xend expects these to exist
+ keepdir /var/run/xenstored /var/lib/xenstored /var/xen/dump /var/lib/xen /var/log/xen
+
+ # for xendomains
+ keepdir /etc/xen/auto
+
+ # Temp QA workaround
+ dodir "$(udev_get_udevdir)"
+ mv "${ED}"/etc/udev/* "${ED}/$(udev_get_udevdir)"
+ rm -rf "${ED}"/etc/udev
+
+ # Remove files failing QA AFTER emake installs them, avoiding seeking absent files
+ find "${ED}" \( -name openbios-sparc32 -o -name openbios-sparc64 \
+ -o -name openbios-ppc -o -name palcode-clipper \) -delete || die
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://gentoo-wiki.com/HOWTO_Xen_and_Gentoo"
+
+ if [[ "$(scanelf -s __guard -q "${PYTHON}")" ]] ; then
+ echo
+ ewarn "xend may not work when python is built with stack smashing protection (ssp)."
+ ewarn "If 'xm create' fails with '<ProtocolError for /RPC2: -1 >', see bug #141866"
+ ewarn "This problem may be resolved as of Xen 3.0.4, if not post in the bug."
+ fi
+
+ # TODO: we need to have the current Python slot here.
+ if ! has_version "dev-lang/python[ncurses]"; then
+ echo
+ ewarn "NB: Your dev-lang/python is built without USE=ncurses."
+ ewarn "Please rebuild python with USE=ncurses to make use of xenmon.py."
+ fi
+
+ if has_version "sys-apps/iproute2[minimal]"; then
+ echo
+ ewarn "Your sys-apps/iproute2 is built with USE=minimal. Networking"
+ ewarn "will not work until you rebuild iproute2 without USE=minimal."
+ fi
+
+ if ! use hvm; then
+ echo
+ elog "HVM (VT-x and AMD-V) support has been disabled. If you need hvm"
+ elog "support enable the hvm use flag."
+ elog "An x86 or amd64 multilib system is required to build HVM support."
+ echo
+ elog "The qemu use flag has been removed and replaced with hvm."
+ fi
+
+ if use xend; then
+ echo
+ elog "xend capability has been enabled and installed"
+ fi
+
+ if grep -qsF XENSV= "${ROOT}/etc/conf.d/xend"; then
+ echo
+ elog "xensv is broken upstream (Gentoo bug #142011)."
+ elog "Please remove '${ROOT%/}/etc/conf.d/xend', as it is no longer needed."
+ fi
+}
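Review bot: The second, unconditional `unset CFLAGS` in src_compile (directly before the `emake` call) discards both the user's custom-cflags and the `-fno-strict-overflow` that `append-flags` added two lines earlier, so the `use custom-cflags || unset CFLAGS` / `test-flag-CC` block above it is dead and the flag that keeps the compiler from optimising away overflow checks never reaches the build; removing that second `unset CFLAGS` (or moving `append-flags` below it) restores the intended behaviour. In src_install, `mkdir -p "${D}"usr/lib64/xen/bin || die` and the following `mv` hard-code lib64 while the static-libs cleanup a few lines later uses `$(get_libdir)`; with `~x86` in KEYWORDS that path is wrong on 32-bit, so `"${D}"usr/$(get_libdir)/xen/bin` on both lines would keep them consistent. The commit adds XSA-38 and XSA-46 patch files to FILESDIR, but the "Sec patch, currently valid" block in this ebuild applies only XSA-41, XSA-48 and XSA-49; if the first two are already contained in the 4.2.2 release, a comment there saying so would spare the next maintainer from re-checking.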