diff -pruN 11.6.0-1/debian/changelog 11.6.0-1ubuntu6/debian/changelog --- 11.6.0-1/debian/changelog 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/changelog 2025-10-29 09:34:08.000000000 +0000 @@ -1,3 +1,161 @@ +libvirt (11.6.0-1ubuntu6) resolute; urgency=medium + + * d/p/u-aa/lp2127492-*: apparmor: Allow AMD-SEV device access for + AMD-SEV VM (LP: #2127492) + + -- Hector Cao Wed, 29 Oct 2025 09:34:08 +0000 + +libvirt (11.6.0-1ubuntu5) resolute; urgency=medium + + * Cherry-pick from Debian git repo + - [a17e07a] patches: Add backports + - Fix building against Wireshark 4.6.0 + - Closes: #1118069 + + -- Gianfranco Costamagna Sat, 18 Oct 2025 20:02:01 +0200 + +libvirt (11.6.0-1ubuntu4) resolute; urgency=medium + + * Rebuild against new libwireshark19. + + -- Gianfranco Costamagna Sat, 18 Oct 2025 19:43:53 +0200 + +libvirt (11.6.0-1ubuntu3) questing; urgency=medium + + * Support both GNU and Rust coreutils paths in apparmor policy (LP: #2123870) + - d/p/u-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch + + -- Georgia Garcia Thu, 23 Sep 2025 15:53:13 -0300 + +libvirt (11.6.0-1ubuntu2) questing; urgency=medium + + [ Lukas Märdian ] + * Default to qemu:///system libvirt URI (LP: #2027838) + On Ubuntu we always want to initialize the URI to qemu:///system, + regardless if running as privileged daemon or not. This keeps backward + compatibility with Ubuntu's default behavior, while still allowing users + more flexibility in changing that default, through config files or + environment variables. + - d/p/u/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch + * d/t/default-uri: add basic test for LIBVIRT_DEFAULT_URI handling + * d/libvirt-clients.conffiles: Remove libvirt-uri.sh profile.d script + * Drop Changes: + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + [ Hector Cao ] + * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule + (LP: #2120278) + + -- Hector Cao Wed, 27 Aug 2025 10:18:49 +0200 + +libvirt (11.6.0-1ubuntu1) questing; urgency=medium + + * Merge with Debian experimental (LP: #2115181). Remaining changes: + * Remaining changes: + - d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node + (LP 2079869) + - d/*(post|pre)(rm|inst), d/*.install: drop generated files + - Disable libssh2 support (universe dependency) + - d/control: add libzfslinux-dev to build-deps + - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI + Secure Boot enabled variants of the OVMF firmware and variable store for + the paths where we ship these files in Ubuntu. + - Set qemu-group to kvm (for compat with older ubuntu) + - Additional apport package-hook + - Autostart default bridged network (As upstream does, but not Debian). + In addition to just enabling it our solution provides: + + do not autostart if subnet is already taken (e.g. in guests). + + iterate some alternative subnets before giving up + + d/l-d-config-network.postinst: clear 'autostarted' state, to activate + network on install (LP 2093864) + + d/control: Add Breaks/Replaces, to account for the move of configuration + of the default bridged network to libvirt-daemon-config-network. + (LP 2107448) + + d/t/network: Test automatic virbr0 setup via autopkgtest. + + d/l-d-config-network.{pre,post}inst.in: diversions for network config. + + d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network + config. + - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is + the group based access to libvirt functions as it was used in Ubuntu + for quite a long time. + + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests + due to the group access change. + + d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt + group. + - Update README.Debian with Ubuntu changes + - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx + - fix autopkgtests (LP 1899180) + + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making + vmlinuz available and accessible (Debian bug 848314) + + d/t/control: fix smoke-qemu-session by ensuring the service will run + installing libvirt-daemon-system + + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as + long as the following undefine succeeds + + d/t/smoke-lxc: use systemd instead of sysV to restart the service + + d/t/control, d/t/smoke-lxc: retry service restart and skip test if + failing; This was flaky on some release/architectures + + d/t/smoke-lxc: retry check_domain being flaky on arm64 + - dnsmasq related enhancements + + run dnsmasq as libvirt-dnsmasq (LP 1743718) + + d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq user + and group + + d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq user + and group + on purge + + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user + libvirt-dnsmasq and adapt the self tests to expect that config + + Add dnsmasq configuration to work with system wide dnsmasq-base + - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default + machine type correctly with newer qemu/libvirt + - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for + (LP 1861125) fixups + - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592) + - d/libvirt-daemon-common.libvirt-guests.default: shut guests down + in parallel + - Apparmor Delta that is Ubuntu specific or yet to be upstreamed + split into logical pieces. File names in debian/patches/ubuntu-aa/: + + 0020-virt-aa-helper-ubuntu-storage-paths.patch: + apparmor, virt-aa-helper: Allow various storage pools and image + locations + + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, + libvirt-qemu: Add 9p support + + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: + virt-aa-helper: Ask for no deny rule for readonly disk + + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: + apparmor, libvirt-qemu: Allow reading charm-specific ceph config + + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow + commands executed by ubuntu only kvm wrapper on ppc64el + (LP 1686621 LP 1680384 LP 1784023) + + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: + apparmor, virt-aa-helper: access for snapped nova + + lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues + with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910) + - libvirt should not use user/group tss for swtpm (LP 1948880) + + d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm + + d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes + to user swtpm and adapt expected self test result changes triggered by + this + + d/libvirt-daemon-system.postinst: create user/group swtpm if not present + due to swtpm-tools (LP 1951975) + - d/libvirt-clients.lintian-overrides: Add script-not-executable lintian + override + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + Update: Set LIBVIRT_DEFAULT_URI to "qemu:///system" in all + cases. (LP #2027838) + - d/control: Demote passt to Suggests (from Recommends) for + libvirt-daemon-driver-qemu, because passt is in universe. + - d/control: Make libvirt-daemon Suggest (instead of Recommend) + libvirt-daemon-plugin-sanlock, which is in universe. + - d/control: re-generate from d/control-in: we stop changing both files + and eventually re-generate from d/control-in at built as intended. + * Updated changes + - d/p/u/ovmf_paths.patch: update to match new upstreams qemu.conf + - d/p/u/swtpm-by-swtpm-user.patch: update to match new upstreams qemu.conf + + -- Christian Ehrhardt Mon, 04 Aug 2025 13:24:59 +0200 + libvirt (11.6.0-1) experimental; urgency=medium * [047260f] New upstream version 11.6.0 @@ -10,6 +168,156 @@ libvirt (11.5.0-1) experimental; urgency -- Andrea Bolognani Wed, 02 Jul 2025 21:22:39 +0200 +libvirt (11.4.0-1ubuntu2) questing; urgency=medium + + * d/l-d-config-network.postinst: clear 'autostarted' state, to activate + network on install (LP: #2093864) + * Drop Changes: [Replaced by the above] + - Start default network on install (LP 2093864) + + d/l-d-config-network.postinst: add explicit virsh net-start workaround + + d/control: add libvirt-clients Recommends to l-d-config-network + + d/l-d-config-network.dirs: add var/libvirt/dnsmasq to store lease files + to avoid a warning on install + + -- Lukas Märdian Wed, 25 Jun 2025 11:02:02 +0200 + +libvirt (11.4.0-1ubuntu1) questing; urgency=medium + + [ Christian Ehrhardt ] + * Merge with Debian experimental (LP: #2110424) + * Among many other imrpovements this fixes + - ppc64: P11 Support in Libvirt (LP: #2109469) + - s390x: KVM: Implement virsh hypervisor-cpu-models (LP: #2027925) + * Remaining changes: + - d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node + (LP 2079869) + - d/*(post|pre)(rm|inst), d/*.install: drop generated files + - Disable libssh2 support (universe dependency) + - d/control: add libzfslinux-dev to build-deps + - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI + Secure Boot enabled variants of the OVMF firmware and variable store for + the paths where we ship these files in Ubuntu. + - Set qemu-group to kvm (for compat with older ubuntu) + - Additional apport package-hook + - Autostart default bridged network (As upstream does, but not Debian). + In addition to just enabling it our solution provides: + + do not autostart if subnet is already taken (e.g. in guests). + + iterate some alternative subnets before giving up + - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is + the group based access to libvirt functions as it was used in Ubuntu + for quite a long time. + + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests + due to the group access change. + + d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt + group. + - Update README.Debian with Ubuntu changes + - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx + - fix autopkgtests (LP 1899180) + + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making + vmlinuz available and accessible (Debian bug 848314) + + d/t/control: fix smoke-qemu-session by ensuring the service will run + installing libvirt-daemon-system + + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as + long as the following undefine succeeds + + d/t/smoke-lxc: use systemd instead of sysV to restart the service + + d/t/control, d/t/smoke-lxc: retry service restart and skip test if + failing; This was flaky on some release/architectures + + d/t/smoke-lxc: retry check_domain being flaky on arm64 + - dnsmasq related enhancements + + run dnsmasq as libvirt-dnsmasq (LP 1743718) + + d/libvirt-daemon-driver-qemu.postinst*: add libvirt-dnsmasq user + and group + + d/libvirt-daemon-driver-qemu.postrm*: remove libvirt-dnsmasq user + and group + on purge + + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user + libvirt-dnsmasq and adapt the self tests to expect that config + + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + + Add dnsmasq configuration to work with system wide dnsmasq-base + - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default + machine type correctly with newer qemu/libvirt + - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for + (LP 1861125) fixups + - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592) + - d/libvirt-daemon-common.libvirt-guests.default: shut guests down + in parallel + - Apparmor Delta that is Ubuntu specific or yet to be upstreamed + split into logical pieces. File names in debian/patches/ubuntu-aa/: + + 0020-virt-aa-helper-ubuntu-storage-paths.patch: + apparmor, virt-aa-helper: Allow various storage pools and image + locations + + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, + libvirt-qemu: Add 9p support + + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: + virt-aa-helper: Ask for no deny rule for readonly disk + + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: + apparmor, libvirt-qemu: Allow reading charm-specific ceph config + + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow + commands executed by ubuntu only kvm wrapper on ppc64el + (LP 1686621 LP 1680384 LP 1784023) + + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: + apparmor, virt-aa-helper: access for snapped nova + + lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues + with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910) + - libvirt should not use user/group tss for swtpm (LP 1948880) + + d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm + + d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes + to user swtpm and adapt expected self test result changes triggered by + this + + d/libvirt-daemon-system.postinst: create user/group swtpm if not present + due to swtpm-tools (LP 1951975) + - d/libvirt-clients.lintian-overrides: Add script-not-executable lintian + override + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + Update: Set LIBVIRT_DEFAULT_URI to "qemu:///system" in all + cases. (LP #2027838) + - d/control: Demote passt to Suggests (from Recommends) for + libvirt-daemon-driver-qemu, because passt is in universe. + - d/control: Make libvirt-daemon Suggest (instead of Recommend) + libvirt-daemon-plugin-sanlock, which is in universe. + * Added changes + - d/control: re-generate from d/control-in: we stop changing both files + and eventually re-generate from d/control-in as it is meant to be. + Having more than just d/control-in is only a git-import artifact anyway. + * Drop changes [in Debian 11.1.0-2] + - Fix potential issue in regard to conffile transfer on upgrades + (LP 2105496) + * Drop changes [in Upstream 11.1.0] + - d/control: drop libvirt-lxc, vbox and xen drivers to suggest + - apparmor: Allow SGX if configured (LP 2100024) + - d/p/u/lp2097886: Enable virtio-mem support not in 11.0 (LP 2097886) + + [ Lukas Märdian ] + * Move autostart of default bridged network from libvirt-daemon-driver-qemu + to libvirt-daemon-config-network.postinst, as it depends on the default.xml + template shipped by the latter. (LP: #2107448) + - Move dnsmasq related enhancements to libvirt-daemon-config-network + + run dnsmasq as libvirt-dnsmasq (LP: 1743718) + + d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq + user/group, as moved from d/libvirt-daemon-driver-qemu.postinst. + + d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq + user/group on purge, as moved from d/libvirt-daemon-driver-qemu.postinst + + Move dnsmasq configuration to work with system wide dnsmasq-base from + libvirt-daemon-driver-qemu.post* to libvirt-daemon-config-network.post* + - d/control: Add Breaks/Replaces, to account for the move of configuration + of the default bridged network to libvirt-daemon-config-network. + As per https://wiki.debian.org/PackageTransition case #9. + - d/t/network: Test automatic virbr0 setup via autopkgtest. + - d/l-d-config-network.{pre,post}inst.in: Add diversions for network config. + - d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network + config. + * Start default network on install (LP: #2093864) + - d/l-d-config-network.postinst: add explicit virsh net-start workaround + - d/control: add libvirt-clients Recommends to l-d-config-network + - d/l-d-config-network.dirs: add var/libvirt/dnsmasq to store lease files + to avoid a warning on install + * Drop Changes: + - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + [Upgrade path for 4.0.0-1ubuntu5~ not relevant anymore] + + -- Christian Ehrhardt Wed, 11 Jun 2025 13:11:23 +0200 + libvirt (11.4.0-1) experimental; urgency=medium * [f8bc946] New upstream version 11.4.0 @@ -18,6 +326,13 @@ libvirt (11.4.0-1) experimental; urgency -- Andrea Bolognani Thu, 05 Jun 2025 00:07:28 +0200 +libvirt (11.3.0-3) unstable; urgency=medium + + * [d10b70f] patches: Add backports + - backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-[...] + + -- Andrea Bolognani Wed, 02 Jul 2025 22:15:28 +0200 + libvirt (11.3.0-2) unstable; urgency=medium * [eb4a97a] patches: Add backports diff -pruN 11.6.0-1/debian/control 11.6.0-1ubuntu6/debian/control --- 11.6.0-1/debian/control 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/control 2025-10-29 09:34:08.000000000 +0000 @@ -1,7 +1,8 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Libvirt Maintainers Uploaders: Guido Günther , Andrea Bolognani , @@ -39,7 +40,6 @@ Build-Depends: libsasl2-dev, libselinux1-dev [linux-any], libssh-dev, - libssh2-1-dev, libtasn1-6-dev, libtirpc-dev, libudev-dev [linux-any], @@ -47,6 +47,7 @@ Build-Depends: libxen-dev [amd64 arm64], libxml2-dev, libxml2-utils, + libzfslinux-dev [linux-amd64 linux-arm64 linux-armhf linux-i386 linux-ppc64el linux-s390x], meson, po-debconf, python3-docutils, @@ -150,6 +151,7 @@ Suggests: libvirt-daemon-driver-storage-zfs (= ${binary:Version}), libvirt-daemon-driver-vbox (= ${binary:Version}) [amd64 i386], libvirt-daemon-driver-xen (= ${binary:Version}) [amd64 arm64], + libvirt-daemon-plugin-sanlock (= ${binary:Version}), libvirt-daemon-system (= ${binary:Version}), Conflicts: libvirt-daemon-system (<< 10.6.0-2~), @@ -282,17 +284,18 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, Recommends: - passt, swtpm, swtpm-tools, Suggests: numad, + passt, Enhances: qemu-kvm, qemu-system, Breaks: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), + libvirt-daemon-config-network (<< 11.0.0-2ubuntu9~), Replaces: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), @@ -842,6 +845,7 @@ Package: libvirt-daemon-config-network Section: admin Architecture: all Depends: + adduser, libvirt-common (<< ${source:Version}.1~), libvirt-common (>= ${source:Version}), libvirt-daemon-driver-network (<< ${source:Version}.1~), @@ -851,8 +855,10 @@ Depends: ${misc:Depends}, Breaks: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Replaces: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Description: virtualization daemon - configuration files (default network) libvirt exposes a long-term stable API that can be used to interact with various hypervisors. Its architecture is highly modular, with most features diff -pruN 11.6.0-1/debian/control.in 11.6.0-1ubuntu6/debian/control.in --- 11.6.0-1/debian/control.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/control.in 2025-10-29 09:34:08.000000000 +0000 @@ -1,7 +1,8 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Libvirt Maintainers Uploaders: Guido Günther , Andrea Bolognani , @@ -39,7 +40,6 @@ Build-Depends: libsasl2-dev, libselinux1-dev [linux-any], libssh-dev, - libssh2-1-dev, libtasn1-6-dev, libtirpc-dev, libudev-dev [linux-any], @@ -47,6 +47,7 @@ Build-Depends: libxen-dev [${ARCHES_XEN}], libxml2-dev, libxml2-utils, + libzfslinux-dev [linux-amd64 linux-arm64 linux-armhf linux-i386 linux-ppc64el linux-s390x], meson, po-debconf, python3-docutils, @@ -142,6 +143,7 @@ Suggests: libvirt-daemon-driver-storage-zfs (= ${binary:Version}), libvirt-daemon-driver-vbox (= ${binary:Version}) [${ARCHES_VBOX}], libvirt-daemon-driver-xen (= ${binary:Version}) [${ARCHES_XEN}], + libvirt-daemon-plugin-sanlock (= ${binary:Version}), libvirt-daemon-system (= ${binary:Version}), Conflicts: libvirt-daemon-system (<< 10.6.0-2~), @@ -258,17 +260,18 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, Recommends: - passt, swtpm, swtpm-tools, Suggests: numad, + passt, Enhances: qemu-kvm, qemu-system, Breaks: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), + libvirt-daemon-config-network (<< 11.0.0-2ubuntu9~), Replaces: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), @@ -730,6 +733,7 @@ Package: libvirt-daemon-config-network Section: admin Architecture: all Depends: + adduser, libvirt-common (<< ${source:Version}.1~), libvirt-common (>= ${source:Version}), libvirt-daemon-driver-network (<< ${source:Version}.1~), @@ -739,8 +743,10 @@ Depends: ${misc:Depends}, Breaks: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Replaces: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Description: virtualization daemon - configuration files (default network) @COMMON_DESCRIPTION@ . diff -pruN 11.6.0-1/debian/libvirt-clients.conffiles 11.6.0-1ubuntu6/debian/libvirt-clients.conffiles --- 11.6.0-1/debian/libvirt-clients.conffiles 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-clients.conffiles 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1 @@ +remove-on-upgrade /etc/profile.d/libvirt-uri.sh diff -pruN 11.6.0-1/debian/libvirt-common.README.Debian 11.6.0-1ubuntu6/debian/libvirt-common.README.Debian --- 11.6.0-1/debian/libvirt-common.README.Debian 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-common.README.Debian 2025-10-29 09:34:08.000000000 +0000 @@ -42,30 +42,11 @@ EOF This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges. -Bridged network -=============== -libvirt can use the qemu-bridge-helper to create bridged network interfaces for -session domains. For this to work the helper must have the capability to create -TUN/TAP devices or must have the SUID permission set. -This can be done by running the following command as the user root: - - setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper - -The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For -each bridge add a line like 'allow br0'. - Access Control ============== -Access to the libvirt managing tasks is controlled by PolicyKit. To ease -configuration membership in the "libvirt" group is sufficient. If you want to -manage VMs as non-root you need to add a user to that group. - -Note that this will allow users in this group to use all of libvirt's -API including modifying files on the host. For finer grained access -control have a look at libvirt's ACLs. - -System QEMU/KVM processes are run as user and group libvirt-qemu. This can be -adjusted via /etc/libvirt/qemu.conf. +Access to the libvirt socket is controlled by membership in the "libvirtd" +group. +If you want to manage VMs as non root you need to add a user to that group. QEMU/KVM: Dropping Capabilties ============================== @@ -116,3 +97,82 @@ model. See for further details. -- Guido Günther Wen, 24 Dec 2014 09:55:41 +0200 + +AppArmor Profile +================ +Libvirt now contains AppArmor integration when using KVM or QEMU using +libvirt's sVirt infrastructure. Libvirtd can be configured to launch virtual +machines that are confined by uniquely restrictive AppArmor profiles. This +feature significantly improves virtualization in Ubuntu by providing user-space +host protection as well as guest isolation. + +In the sVirt model, if a profile is loaded for the libvirtd daemon, then each +qemu:///system QEMU virtual machine will have a profile created for it when +the virtual machine is started if one does not already exist. This generated +profile is based on a template file and uses a profile name based on the UUID +of the QEMU virtual machine and contains rules allowing access to only the +files it needs to run, such as its disks, pid file and log files. Just before +the QEMU virtual machine is started, the libvirtd daemon will change into this +unique profile, preventing the QEMU process from accessing any file resources +that are present in another QEMU process or the host machine. + +The AppArmor sVirt implementation is flexible in that it allows a user to +customize the template file in /etc/apparmor.d/libvirt/TEMPLATE for +site-specific access for all newly created QEMU virtual machines. When a +new profile is generated, two files are created: + + /etc/apparmor.d/libvirt/libvirt- + /etc/apparmor.d/libvirt/libvirt-.files + +The former can be fine-tuned by the administrator to allow custom access for +this particular QEMU virtual machine, and the latter will be updated +appropriately when required file access changes, such as when a disk is added. +This flexibility allows for situations such as having one virtual machine in +complain mode with all others in enforce mode. + +Profiles for /usr/sbin/libvirtd, /usr/lib/libvirt/virt-aa-helper (a helper +program which the libvirtd daemon uses instead of manipulating AppArmor +directly), and /etc/apparmor.d/abstractions/libvirt-qemu are used to configure +AppArmor confinement with sVirt. Administrators of libvirt in production +environments are encouraged to review these files (especially 'libvirt-qemu') +to ensure that only the access required is given to the virtual machines. + +If the sVirt security model is active, then the node capabilities XML will +include its details. If a virtual machine is currently protected by the +security model, then the guest XML will include its assigned profile name. If +enabled at compile time, the sVirt security model will be activated if AppArmor +is available on the host OS and a profile for the libvirtd daemon is loaded +when libvirtd is started. To disable sVirt, and revert to the basic level of +AppArmor protection (host protection only), the /etc/libvirt/qemu.conf file can +be used to change the setting to security_driver="none". Users may also +disable AppArmor integration through AppArmor itself by performing: + +$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd +$ sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd + +If your system uses AppArmor, please note that the shipped profile works with +the default installation, and changes in your configuration may require changes +to the installed apparmor profile. Before filing a bug against this software, +please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug +against this software. + +qemu:///system +-------------- +Adding users to the libvirtd group effectively grants them root access. In +Ubuntu, users in the sudo group (who already have 'sudo' access) are added to +this group automatically. + +Virtual machines started from qemu:///system may run with or without root +privileges. As discussed above, in Ubuntu Qemu/KVM virtual machines are fully +isolated and confined by the AppArmor security driver. Users can adjust this +/etc/libvirt/qemu.conf so that virtual machines started under qemu:///system +run as a non-privileged user (new in libvirt 0.7). The 'libvirt-qemu' user and +'kvm' group are configured for this purpose. In Ubuntu, libvirt runs virtual +machines with non-root privileges as well as fully confined by AppArmor. + +While the current non-root implementation does reduce the privileges of virtual +machines running under qemu:///system, continuing to use a MAC system such as +AppArmor is important because without the MAC system all VMs will still run +under the same user and there is no guest isolation. Additionally, if each VM +ran under its own user, an attacker could potentially break out of the VM and +have unconfined user access to the host machine. diff -pruN 11.6.0-1/debian/libvirt-daemon-common.apport 11.6.0-1ubuntu6/debian/libvirt-daemon-common.apport --- 11.6.0-1/debian/libvirt-daemon-common.apport 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-common.apport 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,22 @@ +'''apport package hook for libvirt source package + +(c) 2009-2011 Canonical Ltd. +Author: +Jamie Strandboge + +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_conffiles(report, 'libvirt-daemon') + attach_related_packages(report, ['apparmor', 'libapparmor1', + 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0']) + + # get apparmor stuff. + attach_mac_events(report, ['/usr/lib/libvirt/virt-aa-helper', + '/usr/sbin/libvirtd', + 'libvirt-.*']) + diff -pruN 11.6.0-1/debian/libvirt-daemon-common.dirs 11.6.0-1ubuntu6/debian/libvirt-daemon-common.dirs --- 11.6.0-1/debian/libvirt-daemon-common.dirs 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-common.dirs 2025-10-29 09:34:08.000000000 +0000 @@ -3,3 +3,5 @@ var/cache/libvirt var/lib/libvirt/boot var/lib/libvirt/images var/log/libvirt +usr/share/apport/package-hooks +etc/dnsmasq.d-available diff -pruN 11.6.0-1/debian/libvirt-daemon-common.install 11.6.0-1ubuntu6/debian/libvirt-daemon-common.install --- 11.6.0-1/debian/libvirt-daemon-common.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-common.install 2025-10-29 09:34:08.000000000 +0000 @@ -1,4 +1,5 @@ etc/apparmor.d/usr.lib.libvirt.virt-aa-helper +usr/share/apport/package-hooks/source_libvirt.py etc/sasl2/libvirt.conf usr/bin/virt-admin usr/bin/virt-host-validate diff -pruN 11.6.0-1/debian/libvirt-daemon-common.install.in 11.6.0-1ubuntu6/debian/libvirt-daemon-common.install.in --- 11.6.0-1/debian/libvirt-daemon-common.install.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-common.install.in 2025-10-29 09:34:08.000000000 +0000 @@ -1,4 +1,5 @@ etc/apparmor.d/usr.lib.libvirt.virt-aa-helper +usr/share/apport/package-hooks/source_libvirt.py etc/sasl2/libvirt.conf usr/bin/virt-admin usr/bin/virt-host-validate diff -pruN 11.6.0-1/debian/libvirt-daemon-common.libvirt-guests.default 11.6.0-1ubuntu6/debian/libvirt-daemon-common.libvirt-guests.default --- 11.6.0-1/debian/libvirt-daemon-common.libvirt-guests.default 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-common.libvirt-guests.default 2025-10-29 09:34:08.000000000 +0000 @@ -30,14 +30,14 @@ # "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one # after another. Number of guests on shutdown at any time will not exceed number # set in this variable. -#PARALLEL_SHUTDOWN=0 +PARALLEL_SHUTDOWN=10 # Number of seconds we're willing to wait for a guest to shut down. If parallel # shutdown is enabled, this timeout applies as a timeout for shutting down all # guests on a single URI defined in the variable URIS. If this is 0, then there # is no time out (use with caution, as guests might not respond to a shutdown # request). The default value is 300 seconds (5 minutes). -#SHUTDOWN_TIMEOUT=300 +SHUTDOWN_TIMEOUT=120 # If non-zero, try to bypass the file system cache when saving and # restoring guests, even though this may give slower operation for diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.dirs 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.dirs --- 11.6.0-1/debian/libvirt-daemon-config-network.dirs 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.dirs 2025-10-29 09:34:08.000000000 +0000 @@ -1 +1,2 @@ etc/libvirt/qemu/networks +etc/dnsmasq.d-available diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.dnsmasq 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.dnsmasq --- 11.6.0-1/debian/libvirt-daemon-config-network.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.dnsmasq 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,2 @@ +bind-interfaces +except-interface=virbr0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.install 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.install --- 11.6.0-1/debian/libvirt-daemon-config-network.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.install 2025-10-29 09:34:08.000000000 +0000 @@ -1 +1,2 @@ usr/share/libvirt/networks/default.xml +etc/dnsmasq.d-available/libvirt-daemon diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.install.in 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.install.in --- 11.6.0-1/debian/libvirt-daemon-config-network.install.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.install.in 2025-10-29 09:34:08.000000000 +0000 @@ -1 +1,2 @@ usr/share/libvirt/networks/default.xml +etc/dnsmasq.d-available/libvirt-daemon diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postinst 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postinst --- 11.6.0-1/debian/libvirt-daemon-config-network.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postinst 2025-10-29 09:34:08.000000000 +0000 @@ -49,8 +49,105 @@ create_config_from_template() { fi } +add_users_groups() { + if ! getent group libvirt-dnsmasq >/dev/null; then + addgroup --quiet --system libvirt-dnsmasq + fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt-dnsmasq \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi +} + +includes_addr() { + addr=${1} + mask=${2} + viraddr=${3} + for n in $(seq 1 4); do + curaddrcomponent=$(echo "${addr}" | awk -F. '{ print $'"${n}"' }') + tgtaddrcomponent=$(echo "${viraddr}" | awk -F. '{ print $'"${n}"' }') + cmp=$((mask/8)) + if [ "${cmp}" -ge "${n}" ]; then + if [ "${curaddrcomponent}" -ne "${tgtaddrcomponent}" ]; then + echo "false" + return + fi + elif [ "$((cmp+1))" -ge "${n}" ]; then + # do we bother comparing partial (i.e. /25)? + : + else + break + fi + done + echo "true" + return +} + +set_autostart() +{ + echo "Enabling libvirt default network" + if [ ! -e /etc/libvirt/qemu/networks/autostart/default.xml ]; then + ln -s /etc/libvirt/qemu/networks/default.xml \ + /etc/libvirt/qemu/networks/autostart/ + fi + # Since the src:libvirt package was split to not install this autostart + # configuration together with (ahead of) libvirt-daemon itself, we need + # to explicitly remove the stamp file, so that the trigger + # "libvirt-restart-libvirtd" will launch the autostart configuration on + # libvirtd.service restart. + rm -f /run/libvirt/network/autostarted +} + +# on first install, don't set default network to autostart if we already +# have a conflicting network. Good for instance for nested libvirt. +maybe_set_autostart() +{ + # 122 is the common default, but iterate a few more options + for thirdoctet in $(seq 122 128); do + tryip="192.168.${thirdoctet}.1" + found=0 + for pair in $(ip addr show | grep "inet\>" |awk '{ print $2 }'); do + a=$(echo "$pair" | awk -F/ '{ print $1}') + m=$(echo "$pair" | awk -F/ '{ print $2}') + res=$(includes_addr "${a}" "${m}" "${tryip}") + if [ "${res}" = "true" ]; then + found=1 + fi + done + if [ $found -ne 1 ]; then + # found a free subnet + if [ "${thirdoctet}" -ne "122" ]; then + echo "Default libvirt network on 192.168.122.1/24 already taken" + echo "Changing to free 192.168.${thirdoctet}.1/24" + sed -i 's/192.168.122/192.168.'"${thirdoctet}"'/g' /etc/libvirt/qemu/networks/default.xml + fi + set_autostart + return + fi + done + echo "Not enabling default network as no free network was found" +} + +# begin-remove-after: released:26.04 +# Restore existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = configure ] || [ "$1" = abort-upgrade ]; then + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --remove /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + case "$1" in configure) + add_users_groups create_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -58,6 +155,13 @@ case "$1" in -- \ "$@" + # On an initial package install, create the default network autostart + # symlink if on a system that it will work on. + # Note: needs to complete before services are started the first time + if [ -z $2 ]; then + maybe_set_autostart + fi + # Trigger daemon restart after installing configuration files dpkg-trigger libvirt-restart-libvirtd ;; @@ -73,4 +177,21 @@ esac #DEBHELPER# +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/libvirt-daemon ]; then + echo "Setting up libvirt-daemon dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/libvirt-daemon ]; then + ln -s /etc/dnsmasq.d-available/libvirt-daemon \ + /etc/dnsmasq.d/libvirt-daemon + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi +fi + exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postinst.in 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postinst.in --- 11.6.0-1/debian/libvirt-daemon-config-network.postinst.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postinst.in 2025-10-29 09:34:08.000000000 +0000 @@ -16,8 +16,105 @@ set -e #CREATE_CONFIG_FROM_TEMPLATE# +add_users_groups() { + if ! getent group libvirt-dnsmasq >/dev/null; then + addgroup --quiet --system libvirt-dnsmasq + fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt-dnsmasq \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi +} + +includes_addr() { + addr=${1} + mask=${2} + viraddr=${3} + for n in $(seq 1 4); do + curaddrcomponent=$(echo "${addr}" | awk -F. '{ print $'"${n}"' }') + tgtaddrcomponent=$(echo "${viraddr}" | awk -F. '{ print $'"${n}"' }') + cmp=$((mask/8)) + if [ "${cmp}" -ge "${n}" ]; then + if [ "${curaddrcomponent}" -ne "${tgtaddrcomponent}" ]; then + echo "false" + return + fi + elif [ "$((cmp+1))" -ge "${n}" ]; then + # do we bother comparing partial (i.e. /25)? + : + else + break + fi + done + echo "true" + return +} + +set_autostart() +{ + echo "Enabling libvirt default network" + if [ ! -e /etc/libvirt/qemu/networks/autostart/default.xml ]; then + ln -s /etc/libvirt/qemu/networks/default.xml \ + /etc/libvirt/qemu/networks/autostart/ + fi + # Since the src:libvirt package was split to not install this autostart + # configuration together with (ahead of) libvirt-daemon itself, we need + # to explicitly remove the stamp file, so that the trigger + # "libvirt-restart-libvirtd" will launch the autostart configuration on + # libvirtd.service restart. + rm -f /run/libvirt/network/autostarted +} + +# on first install, don't set default network to autostart if we already +# have a conflicting network. Good for instance for nested libvirt. +maybe_set_autostart() +{ + # 122 is the common default, but iterate a few more options + for thirdoctet in $(seq 122 128); do + tryip="192.168.${thirdoctet}.1" + found=0 + for pair in $(ip addr show | grep "inet\>" |awk '{ print $2 }'); do + a=$(echo "$pair" | awk -F/ '{ print $1}') + m=$(echo "$pair" | awk -F/ '{ print $2}') + res=$(includes_addr "${a}" "${m}" "${tryip}") + if [ "${res}" = "true" ]; then + found=1 + fi + done + if [ $found -ne 1 ]; then + # found a free subnet + if [ "${thirdoctet}" -ne "122" ]; then + echo "Default libvirt network on 192.168.122.1/24 already taken" + echo "Changing to free 192.168.${thirdoctet}.1/24" + sed -i 's/192.168.122/192.168.'"${thirdoctet}"'/g' /etc/libvirt/qemu/networks/default.xml + fi + set_autostart + return + fi + done + echo "Not enabling default network as no free network was found" +} + +# begin-remove-after: released:26.04 +# Restore existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = configure ] || [ "$1" = abort-upgrade ]; then + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --remove /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + case "$1" in configure) + add_users_groups create_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -25,6 +122,13 @@ case "$1" in -- \ "$@" + # On an initial package install, create the default network autostart + # symlink if on a system that it will work on. + # Note: needs to complete before services are started the first time + if [ -z $2 ]; then + maybe_set_autostart + fi + # Trigger daemon restart after installing configuration files dpkg-trigger libvirt-restart-libvirtd ;; @@ -40,4 +144,21 @@ esac #DEBHELPER# +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/libvirt-daemon ]; then + echo "Setting up libvirt-daemon dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/libvirt-daemon ]; then + ln -s /etc/dnsmasq.d-available/libvirt-daemon \ + /etc/dnsmasq.d/libvirt-daemon + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi +fi + exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postrm 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postrm --- 11.6.0-1/debian/libvirt-daemon-config-network.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postrm 2025-10-29 09:34:08.000000000 +0000 @@ -45,7 +45,7 @@ remove_config_from_template() { } case "$1" in - remove|purge) + remove) remove_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -53,8 +53,32 @@ case "$1" in -- \ "$@" + if [ -L /etc/dnsmasq.d/libvirt-daemon ]; then + echo "Removing libvirt-daemon dnsmasq configuration" + rm -f /etc/dnsmasq.d/libvirt-daemon || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart || true + fi + + # Trigger daemon restart after removing configuration files dpkg-trigger libvirt-restart-libvirtd + + # Remove the link set up by postinst + rm -f /etc/libvirt/qemu/networks/autostart/default.xml + ;; + + purge) + # a running libvirt-dnsmasq will break these removals + # yet the lifecycle of the network is non-related to the pkg purge + # Therefore ignore errors on these removals, better leave a user than break + if getent group libvirt-dnsmasq >/dev/null; then + delgroup libvirt-dnsmasq --system >/dev/null || true + fi + if getent passwd libvirt-dnsmasq >/dev/null; then + deluser libvirt-dnsmasq --system >/dev/null || true + fi ;; upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postrm.in 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postrm.in --- 11.6.0-1/debian/libvirt-daemon-config-network.postrm.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.postrm.in 2025-10-29 09:34:08.000000000 +0000 @@ -19,7 +19,7 @@ set -e #REMOVE_CONFIG_FROM_TEMPLATE# case "$1" in - remove|purge) + remove) remove_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -27,8 +27,32 @@ case "$1" in -- \ "$@" + if [ -L /etc/dnsmasq.d/libvirt-daemon ]; then + echo "Removing libvirt-daemon dnsmasq configuration" + rm -f /etc/dnsmasq.d/libvirt-daemon || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart || true + fi + + # Trigger daemon restart after removing configuration files dpkg-trigger libvirt-restart-libvirtd + + # Remove the link set up by postinst + rm -f /etc/libvirt/qemu/networks/autostart/default.xml + ;; + + purge) + # a running libvirt-dnsmasq will break these removals + # yet the lifecycle of the network is non-related to the pkg purge + # Therefore ignore errors on these removals, better leave a user than break + if getent group libvirt-dnsmasq >/dev/null; then + delgroup libvirt-dnsmasq --system >/dev/null || true + fi + if getent passwd libvirt-dnsmasq >/dev/null; then + deluser libvirt-dnsmasq --system >/dev/null || true + fi ;; upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.preinst 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.preinst --- 11.6.0-1/debian/libvirt-daemon-config-network.preinst 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.preinst 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +# begin-remove-after: released:26.04 +# Keep existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = install ] || [ "$1" = upgrade ]; then + # Not owned by the pkg, postrm might call remove_config_from_template which would leave a .dpkg-backup + # Priority #1 - if there still is a /etc/libvirt/qemu/networks/default.xml - keep it untouched + # Priority #2 - if not #1, but there is a /etc/libvirt/qemu/networks/default.xml.dpkg-backup restore it as active config + # Priority #3 - if neither of the above apply, it means next install will do a fresh create_config_from_template in postinst + netconf="/etc/libvirt/qemu/networks/default.xml" + if [ ! -e "${netconf}" ]; then + if [ -e "${netconf}.dpkg-backup" ]; then + cp "${netconf}.dpkg-backup" "${netconf}" + fi + fi + # Owned by the pkg, if it was modified dpkg would retain it as .dpkg-upgrade + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --add /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + +#DEBHELPER# diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.preinst.in 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.preinst.in --- 11.6.0-1/debian/libvirt-daemon-config-network.preinst.in 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-config-network.preinst.in 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +# begin-remove-after: released:26.04 +# Keep existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = install ] || [ "$1" = upgrade ]; then + # Not owned by the pkg, postrm might call remove_config_from_template which would leave a .dpkg-backup + # Priority #1 - if there still is a /etc/libvirt/qemu/networks/default.xml - keep it untouched + # Priority #2 - if not #1, but there is a /etc/libvirt/qemu/networks/default.xml.dpkg-backup restore it as active config + # Priority #3 - if neither of the above apply, it means next install will do a fresh create_config_from_template in postinst + netconf="/etc/libvirt/qemu/networks/default.xml" + if [ ! -e "${netconf}" ]; then + if [ -e "${netconf}.dpkg-backup" ]; then + cp "${netconf}.dpkg-backup" "${netconf}" + fi + fi + # Owned by the pkg, if it was modified dpkg would retain it as .dpkg-upgrade + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --add /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + +#DEBHELPER# diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst 11.6.0-1ubuntu6/debian/libvirt-daemon-driver-qemu.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-driver-qemu.postinst 2025-10-29 09:34:08.000000000 +0000 @@ -57,6 +57,25 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + + # Add each sudo user to the libvirt group + for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do + adduser "$u" libvirt >/dev/null || true + done + + # These users are usually created and owned by swtpm-tools, but that shall + # not become a hard dependency, therefore if swtpm-tools isn't present we + # need to create that user/group here to avoid issues starting the service + # with the new defaults since LP: 1948880 (LP: #1951975) + if ! getent group swtpm >/dev/null; then + addgroup --system swtpm + fi + if ! getent passwd swtpm >/dev/null; then + adduser --system --ingroup swtpm --shell /bin/false \ + --home /var/lib/swtpm --no-create-home \ + --gecos "virtual TPM software stack" \ + swtpm + fi } add_statoverrides() @@ -71,6 +90,8 @@ add_statoverrides() QEMU_CONF="/etc/libvirt/qemu.conf" + SWTPM_DIR="/var/log/swtpm/libvirt/qemu" + for dir in ${ROOT_DIRS}; do if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then [ ! -e "${dir}" ] || chown root:root "${dir}" @@ -89,6 +110,12 @@ add_statoverrides() [ ! -e "${QEMU_CONF}" ] || chown root:root "${QEMU_CONF}" [ ! -e "${QEMU_CONF}" ] || chmod 0600 "${QEMU_CONF}" fi + + # swtpm shall use user swtpm (LP: #1948880) + if ! dpkg-statoverride --list "${SWTPM_DIR}" >/dev/null 2>&1; then + [ ! -e "${SWTPM_DIR}" ] || chown swtpm:swtpm "${SWTPM_DIR}" + [ ! -e "${SWTPM_DIR}" ] || chmod 0700 "${SWTPM_DIR}" + fi } case "$1" in diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst.in 11.6.0-1ubuntu6/debian/libvirt-daemon-driver-qemu.postinst.in --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/libvirt-daemon-driver-qemu.postinst.in 2025-10-29 09:34:08.000000000 +0000 @@ -57,6 +57,25 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + + # Add each sudo user to the libvirt group + for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do + adduser "$u" libvirt >/dev/null || true + done + + # These users are usually created and owned by swtpm-tools, but that shall + # not become a hard dependency, therefore if swtpm-tools isn't present we + # need to create that user/group here to avoid issues starting the service + # with the new defaults since LP: 1948880 (LP: #1951975) + if ! getent group swtpm >/dev/null; then + addgroup --system swtpm + fi + if ! getent passwd swtpm >/dev/null; then + adduser --system --ingroup swtpm --shell /bin/false \ + --home /var/lib/swtpm --no-create-home \ + --gecos "virtual TPM software stack" \ + swtpm + fi } add_statoverrides() @@ -71,6 +90,8 @@ add_statoverrides() QEMU_CONF="/etc/libvirt/qemu.conf" + SWTPM_DIR="/var/log/swtpm/libvirt/qemu" + for dir in ${ROOT_DIRS}; do if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then [ ! -e "${dir}" ] || chown root:root "${dir}" @@ -89,6 +110,12 @@ add_statoverrides() [ ! -e "${QEMU_CONF}" ] || chown root:root "${QEMU_CONF}" [ ! -e "${QEMU_CONF}" ] || chmod 0600 "${QEMU_CONF}" fi + + # swtpm shall use user swtpm (LP: #1948880) + if ! dpkg-statoverride --list "${SWTPM_DIR}" >/dev/null 2>&1; then + [ ! -e "${SWTPM_DIR}" ] || chown swtpm:swtpm "${SWTPM_DIR}" + [ ! -e "${SWTPM_DIR}" ] || chmod 0700 "${SWTPM_DIR}" + fi } case "$1" in diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Adapt-to-wireshark-4.6.0.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Adapt-to-wireshark-4.6.0.patch --- 11.6.0-1/debian/patches/backport/wireshark-Adapt-to-wireshark-4.6.0.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Adapt-to-wireshark-4.6.0.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,490 @@ +From: Michal Privoznik +Date: Fri, 10 Oct 2025 15:22:34 +0200 +Subject: wireshark: Adapt to wireshark-4.6.0 + +The main difference is that wmem_packet_scope() is gone [1] but +the packet_info struct has 'pool` member which points to the +allocator used for given packet. + +Unfortunately, while we were given pointer to packet_info at the +entry level to our dissector (dissect_libvirt() -> +tcp_dissect_pdus() -> dissect_libvirt_message()) it was never +propagated to generated/primitive dissectors. + +But not all dissectors need to allocate memory, so mark the new +argument as unused. And while our generator could be rewritten so +that the argument is annotated as unused iff it's really unused, +I couldn't bother rewriting it. It's generated code after all. +Too much work for little gain. + +Another significant change is that val_to_str() now requires new +argument: pointer to allocator to use because it always allocates +new memory [2][3]. + +1: https://gitlab.com/wireshark/wireshark/-/commit/5ca5c9ca372e06881b23ba9f4fdcb6b479886444 +2: https://gitlab.com/wireshark/wireshark/-/commit/b63599762468e4cf1783419a5556377604d344bb +3: https://gitlab.com/wireshark/wireshark/-/commit/84799be215313e61b83a3eaf074f89d6ee349b8c +Resolves: https://gitlab.com/libvirt/libvirt/-/issues/823 +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit b42a12174c787b99cd6fcb29b44e4b13bd64ee58) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/b42a12174c787b99cd6fcb29b44e4b13bd64ee58 +--- + tools/wireshark/src/packet-libvirt.c | 157 ++++++++++++++++++++++++----------- + tools/wireshark/util/genxdrstub.pl | 18 ++-- + 2 files changed, 119 insertions(+), 56 deletions(-) + +diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c +index 3178ac6..c5c8fb4 100644 +--- a/tools/wireshark/src/packet-libvirt.c ++++ b/tools/wireshark/src/packet-libvirt.c +@@ -63,7 +63,7 @@ static gint ett_libvirt_stream_hole = -1; + + #define XDR_PRIMITIVE_DISSECTOR(xtype, ctype, ftype) \ + static gboolean \ +- dissect_xdr_##xtype(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) \ ++ dissect_xdr_##xtype(tvbuff_t *tvb, packet_info *pinfo G_GNUC_UNUSED, proto_tree *tree, XDR *xdrs, int hf) \ + { \ + goffset start; \ + ctype val; \ +@@ -93,7 +93,7 @@ XDR_PRIMITIVE_DISSECTOR(bool, bool_t, boolean) + + VIR_WARNINGS_RESET + +-typedef gboolean (*vir_xdr_dissector_t)(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf); ++typedef gboolean (*vir_xdr_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, XDR *xdrs, int hf); + + typedef struct vir_dissector_index vir_dissector_index_t; + struct vir_dissector_index { +@@ -146,22 +146,32 @@ static const value_string status_strings[] = { + }; + + static char * +-G_GNUC_PRINTF(3, 0) +-vir_val_to_str(const uint32_t val, ++G_GNUC_PRINTF(4, 0) ++vir_val_to_str(packet_info *pinfo, ++ const uint32_t val, + const value_string *vs, + const char *fmt) + { +- return val_to_str_wmem(wmem_packet_scope(), val, vs, fmt); ++#if WIRESHARK_VERSION < 4006000 ++ return val_to_str_wmem(pinfo->pool, val, vs, fmt); ++#else ++ return val_to_str(pinfo->pool, val, vs, fmt); ++#endif + } + + static void +-vir_wmem_free(void *ptr) ++vir_wmem_free(packet_info *pinfo, ++ void *ptr) + { +- wmem_free(wmem_packet_scope(), ptr); ++ wmem_free(pinfo->pool, ptr); + } + + static gboolean +-dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, ++dissect_xdr_string(tvbuff_t *tvb, ++ packet_info *pinfo G_GNUC_UNUSED, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, + guint32 maxlen) + { + goffset start; +@@ -179,7 +189,11 @@ dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + } + + static gboolean +-dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, ++dissect_xdr_opaque(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, + guint32 size) + { + goffset start; +@@ -190,7 +204,7 @@ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + start = xdr_getpos(xdrs); + if ((rc = xdr_opaque(xdrs, (caddr_t)val, size))) { + gint len = xdr_getpos(xdrs) - start; +- const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len); ++ const char *s = tvb_bytes_to_str(pinfo->pool, tvb, start, len); + + proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s); + } else { +@@ -202,7 +216,11 @@ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + } + + static gboolean +-dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, ++dissect_xdr_bytes(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, + guint32 maxlen) + { + goffset start; +@@ -212,7 +230,7 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + start = xdr_getpos(xdrs); + if (xdr_bytes(xdrs, (char **)&val, &length, maxlen)) { + gint len = xdr_getpos(xdrs) - start; +- const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len); ++ const char *s = tvb_bytes_to_str(pinfo->pool, tvb, start, len); + + proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s); + free(val); +@@ -224,7 +242,11 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + } + + static gboolean +-dissect_xdr_pointer(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, ++dissect_xdr_pointer(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, + vir_xdr_dissector_t dissect) + { + goffset start; +@@ -236,7 +258,7 @@ dissect_xdr_pointer(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + return FALSE; + } + if (not_null) { +- return dissect(tvb, tree, xdrs, hf); ++ return dissect(tvb, pinfo, tree, xdrs, hf); + } else { + proto_item *ti; + ti = proto_tree_add_item(tree, hf, tvb, start, xdr_getpos(xdrs) - start, ENC_NA); +@@ -246,15 +268,22 @@ dissect_xdr_pointer(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + } + + static gboolean +-dissect_xdr_iterable(tvbuff_t *tvb, proto_item *ti, XDR *xdrs, gint ett, int rhf, +- guint32 length, vir_xdr_dissector_t dissect, goffset start) ++dissect_xdr_iterable(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_item *ti, ++ XDR *xdrs, ++ gint ett, ++ int rhf, ++ guint32 length, ++ vir_xdr_dissector_t dissect, ++ goffset start) + { + proto_tree *tree; + guint32 i; + + tree = proto_item_add_subtree(ti, ett); + for (i = 0; i < length; i++) { +- if (!dissect(tvb, tree, xdrs, rhf)) ++ if (!dissect(tvb, pinfo, tree, xdrs, rhf)) + return FALSE; + } + proto_item_set_len(ti, xdr_getpos(xdrs) - start); +@@ -262,8 +291,16 @@ dissect_xdr_iterable(tvbuff_t *tvb, proto_item *ti, XDR *xdrs, gint ett, int rhf + } + + static gboolean +-dissect_xdr_vector(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, gint ett, +- int rhf, const gchar *rtype, guint32 size, vir_xdr_dissector_t dissect) ++dissect_xdr_vector(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, ++ gint ett, ++ int rhf, ++ const gchar *rtype, ++ guint32 size, ++ vir_xdr_dissector_t dissect) + { + goffset start; + proto_item *ti; +@@ -271,12 +308,20 @@ dissect_xdr_vector(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, gint ett, + start = xdr_getpos(xdrs); + ti = proto_tree_add_item(tree, hf, tvb, start, -1, ENC_NA); + proto_item_append_text(ti, " :: %s[%u]", rtype, size); +- return dissect_xdr_iterable(tvb, ti, xdrs, ett, rhf, size, dissect, start); ++ return dissect_xdr_iterable(tvb, pinfo, ti, xdrs, ett, rhf, size, dissect, start); + } + + static gboolean +-dissect_xdr_array(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, gint ett, +- int rhf, const gchar *rtype, guint32 maxlen, vir_xdr_dissector_t dissect) ++dissect_xdr_array(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf, ++ gint ett, ++ int rhf, ++ const gchar *rtype, ++ guint32 maxlen, ++ vir_xdr_dissector_t dissect) + { + goffset start; + proto_item *ti; +@@ -291,7 +336,7 @@ dissect_xdr_array(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, gint ett, + + ti = proto_tree_add_item(tree, hf, tvb, start, -1, ENC_NA); + proto_item_append_text(ti, " :: %s<%u>", rtype, length); +- return dissect_xdr_iterable(tvb, ti, xdrs, ett, rhf, length, dissect, start); ++ return dissect_xdr_iterable(tvb, pinfo, ti, xdrs, ett, rhf, length, dissect, start); + } + + static vir_xdr_dissector_t +@@ -340,7 +385,10 @@ find_payload_dissector(int32_t proc, + } + + static void +-dissect_libvirt_stream(tvbuff_t *tvb, proto_tree *tree, gint payload_length) ++dissect_libvirt_stream(tvbuff_t *tvb, ++ packet_info *pinfo G_GNUC_UNUSED, ++ proto_tree *tree, ++ gint payload_length) + { + proto_tree_add_item(tree, hf_libvirt_stream, tvb, VIR_HEADER_LEN, + payload_length - VIR_HEADER_LEN, ENC_NA); +@@ -357,6 +405,7 @@ dissect_libvirt_num_of_fds(tvbuff_t *tvb, proto_tree *tree) + + static void + dissect_libvirt_fds(tvbuff_t *tvb G_GNUC_UNUSED, ++ packet_info *pinfo G_GNUC_UNUSED, + gint start G_GNUC_UNUSED, + gint32 nfds G_GNUC_UNUSED) + { +@@ -364,8 +413,12 @@ dissect_libvirt_fds(tvbuff_t *tvb G_GNUC_UNUSED, + } + + static void +-dissect_libvirt_payload_xdr_data(tvbuff_t *tvb, proto_tree *tree, gint payload_length, +- gint32 status, vir_xdr_dissector_t dissect) ++dissect_libvirt_payload_xdr_data(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ gint payload_length, ++ gint32 status, ++ vir_xdr_dissector_t dissect) + { + gint32 nfds = 0; + gint start = VIR_HEADER_LEN; +@@ -384,17 +437,21 @@ dissect_libvirt_payload_xdr_data(tvbuff_t *tvb, proto_tree *tree, gint payload_l + payload_data = (caddr_t)tvb_memdup(NULL, payload_tvb, 0, payload_length); + xdrmem_create(&xdrs, payload_data, payload_length, XDR_DECODE); + +- dissect(payload_tvb, tree, &xdrs, -1); ++ dissect(payload_tvb, pinfo, tree, &xdrs, -1); + + xdr_destroy(&xdrs); + g_free(payload_data); + + if (nfds != 0) +- dissect_libvirt_fds(tvb, start + payload_length, nfds); ++ dissect_libvirt_fds(tvb, pinfo, start + payload_length, nfds); + } + + static gboolean +-dissect_xdr_stream_hole(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) ++dissect_xdr_stream_hole(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ XDR *xdrs, ++ int hf) + { + goffset start; + proto_item *ti; +@@ -411,10 +468,10 @@ dissect_xdr_stream_hole(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) + tree = proto_item_add_subtree(ti, ett_libvirt_stream_hole); + + hf = hf_libvirt_stream_hole_length; +- if (!dissect_xdr_hyper(tvb, tree, xdrs, hf)) return FALSE; ++ if (!dissect_xdr_hyper(tvb, pinfo, tree, xdrs, hf)) return FALSE; + + hf = hf_libvirt_stream_hole_flags; +- if (!dissect_xdr_u_int(tvb, tree, xdrs, hf)) return FALSE; ++ if (!dissect_xdr_u_int(tvb, pinfo, tree, xdrs, hf)) return FALSE; + + proto_item_set_len(ti, xdr_getpos(xdrs) - start); + return TRUE; +@@ -424,6 +481,7 @@ dissect_xdr_stream_hole(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) + + static void + dissect_libvirt_payload(tvbuff_t *tvb, ++ packet_info *pinfo, + proto_tree *tree, + uint32_t prog, + int32_t proc, +@@ -447,13 +505,13 @@ dissect_libvirt_payload(tvbuff_t *tvb, + xd = find_payload_dissector(proc, type, pds, *len); + if (xd == NULL) + goto unknown; +- dissect_libvirt_payload_xdr_data(tvb, tree, payload_length, status, xd); ++ dissect_libvirt_payload_xdr_data(tvb, pinfo, tree, payload_length, status, xd); + } else if (status == VIR_NET_ERROR) { +- dissect_libvirt_payload_xdr_data(tvb, tree, payload_length, status, dissect_xdr_remote_error); ++ dissect_libvirt_payload_xdr_data(tvb, pinfo, tree, payload_length, status, dissect_xdr_remote_error); + } else if (type == VIR_NET_STREAM) { /* implicitly, status == VIR_NET_CONTINUE */ +- dissect_libvirt_stream(tvb, tree, payload_length); ++ dissect_libvirt_stream(tvb, pinfo, tree, payload_length); + } else if (type == VIR_NET_STREAM_HOLE) { +- dissect_libvirt_payload_xdr_data(tvb, tree, payload_length, status, dissect_xdr_stream_hole); ++ dissect_libvirt_payload_xdr_data(tvb, pinfo, tree, payload_length, status, dissect_xdr_stream_hole); + } else { + goto unknown; + } +@@ -489,21 +547,21 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + serial = tvb_get_ntohl(tvb, offset); offset += 4; + status = tvb_get_ntohil(tvb, offset); offset += 4; + +- prog_str = vir_val_to_str(prog, program_strings, "%x"); ++ prog_str = vir_val_to_str(pinfo, prog, program_strings, "%x"); + col_add_fstr(pinfo->cinfo, COL_INFO, "Prog=%s", prog_str); +- vir_wmem_free(prog_str); ++ vir_wmem_free(pinfo, prog_str); + + vs = get_program_data(prog, VIR_PROGRAM_PROCSTRINGS); +- proc_str = vir_val_to_str(proc, vs, "%d"); ++ proc_str = vir_val_to_str(pinfo, proc, vs, "%d"); + col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", proc_str); +- vir_wmem_free(proc_str); ++ vir_wmem_free(pinfo, proc_str); + +- type_str = vir_val_to_str(type, type_strings, "%d"); +- status_str = vir_val_to_str(status, status_strings, "%d"); ++ type_str = vir_val_to_str(pinfo, type, type_strings, "%d"); ++ status_str = vir_val_to_str(pinfo, status, status_strings, "%d"); + col_append_fstr(pinfo->cinfo, COL_INFO, " Type=%s Serial=%u Status=%s", + type_str, serial, status_str); +- vir_wmem_free(status_str); +- vir_wmem_free(type_str); ++ vir_wmem_free(pinfo, status_str); ++ vir_wmem_free(pinfo, type_str); + + if (tree) { + gint *hf_proc; +@@ -532,21 +590,26 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + proto_tree_add_item(libvirt_tree, hf_libvirt_status, tvb, offset, 4, ENC_NA); offset += 4; + + /* Dissect payload remaining */ +- dissect_libvirt_payload(tvb, libvirt_tree, prog, proc, type, status); ++ dissect_libvirt_payload(tvb, pinfo, libvirt_tree, prog, proc, type, status); + } + + return 0; + } + + static guint +-get_message_len(packet_info *pinfo G_GNUC_UNUSED, tvbuff_t *tvb, int offset, void *data G_GNUC_UNUSED) ++get_message_len(packet_info *pinfo G_GNUC_UNUSED, ++ tvbuff_t *tvb, ++ int offset, ++ void *data G_GNUC_UNUSED) + { + return tvb_get_ntohl(tvb, offset); + } + + static int +-dissect_libvirt(tvbuff_t *tvb, packet_info *pinfo, +- proto_tree *tree, void *data G_GNUC_UNUSED) ++dissect_libvirt(tvbuff_t *tvb, ++ packet_info *pinfo, ++ proto_tree *tree, ++ void *data G_GNUC_UNUSED) + { + /* Another magic const - 4; simply, how much bytes + * is needed to tell the length of libvirt packet. */ +diff --git a/tools/wireshark/util/genxdrstub.pl b/tools/wireshark/util/genxdrstub.pl +index 01b663a..f69695c 100755 +--- a/tools/wireshark/util/genxdrstub.pl ++++ b/tools/wireshark/util/genxdrstub.pl +@@ -250,7 +250,7 @@ sub xdr_type { + sub render_caller { + my ($self, $hfid) = @_; + my $name = $c->rinc( 'dissect_xdr_'.($self->idstrip || lc($self->xdr_type)) ); +- "$name(tvb, tree, xdrs, hf)"; ++ "$name(tvb, pinfo, tree, xdrs, hf)"; + } + + sub ft_type { +@@ -345,7 +345,7 @@ BEGIN{::register_profile( + sub render_caller { + my ($self) = @_; + my ($klass) = ref($self) =~ /([^:]+)$/; +- sprintf '%s(tvb, tree, xdrs, hf, %s)', ++ sprintf '%s(tvb, pinfo, tree, xdrs, hf, %s)', + $c->rinc('dissect_xdr_'.lc($klass)), + $c->rinc('dissect_xdr_'.$self->reftype->idstrip); + } +@@ -359,7 +359,7 @@ BEGIN{::register_profile( + sub render_caller { + my ($self, $hfid) = @_; + my ($klass) = ref($self) =~ /([^:]+)$/; +- sprintf '%s(tvb, tree, xdrs, hf, %s)', ++ sprintf '%s(tvb, pinfo, tree, xdrs, hf, %s)', + $c->rinc('dissect_xdr_'.lc($klass)), $self->length || '~0'; + } + +@@ -447,7 +447,7 @@ BEGIN{::register_profile( + sub render_caller { + my ($self, $hfid) = @_; + my ($pname) = reverse split /__/, $hfid; +- sprintf 'dissect_xdr_array(tvb, tree, xdrs, hf, %s, %s, "%s", %s, %s)', ++ sprintf 'dissect_xdr_array(tvb, pinfo, tree, xdrs, hf, %s, %s, "%s", %s, %s)', + $c->rinc('ett_'.$self->idstrip), + $c->rinc("hf_$hfid\__$pname"), + $self->reftype->idstrip, +@@ -476,7 +476,7 @@ BEGIN{::register_profile( + sub render_caller { + my ($self, $hfid) = @_; + my ($pname) = reverse split /__/, $hfid; +- sprintf 'dissect_xdr_vector(tvb, tree, xdrs, hf, %s, %s, "%s", %s, %s)', ++ sprintf 'dissect_xdr_vector(tvb, pinfo, tree, xdrs, hf, %s, %s, "%s", %s, %s)', + $c->rinc('ett_'.$self->idstrip), + $c->rinc("hf_$hfid\__$pname"), + $self->reftype->idstrip, +@@ -857,7 +857,7 @@ __END__<is_primitive; + %> +-static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) ++static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, packet_info *pinfo G_GNUC_UNUSED, proto_tree *tree, XDR *xdrs, int hf) + { + return <%= $self->dealias->render_caller($self->ident eq $ident ? undef : $ident) %>; + } +@@ -865,7 +865,7 @@ static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR * + <% my ($self, $ident) = @_; + my $hfvar = $c->rinc('hf_'.$self->idstrip); + %> +-static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) ++static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, packet_info *pinfo G_GNUC_UNUSED, proto_tree *tree, XDR *xdrs, int hf) + { + goffset start; + proto_item *ti; +@@ -890,7 +890,7 @@ static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR * + } + @@ Sym::Type::Enum#render_dissector + <% my ($self, $ident) = @_; %> +-static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) ++static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, packet_info *pinfo G_GNUC_UNUSED, proto_tree *tree, XDR *xdrs, int hf) + { + goffset start; + enum { DUMMY } es; +@@ -914,7 +914,7 @@ static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR * + my ($self, $ident) = @_; + my $decl_type = $self->decl->type->idstrip; + %> +-static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) ++static gboolean dissect_xdr_<%= $ident %>(tvbuff_t *tvb, packet_info *pinfo G_GNUC_UNUSED, proto_tree *tree, XDR *xdrs, int hf) + { + gboolean rc = TRUE; + goffset start; diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Don-t-leak-column-strings.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Don-t-leak-column-strings.patch --- 11.6.0-1/debian/patches/backport/wireshark-Don-t-leak-column-strings.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Don-t-leak-column-strings.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,162 @@ +From: Michal Privoznik +Date: Fri, 10 Oct 2025 19:13:48 +0200 +Subject: wireshark: Don't leak column strings + +One of the problems of using val_to_str() is that it may return a +const string from given table ('vs'), OR return an allocated one. +Since the caller has no idea which case it is, it resides to safe +option and don't free returned string. But that might lead to a +memleak. This behaviour is fixed with wireshark-4.6.0 and support +for it will be introduced soon. But first, make vir_val_to_str() +behave like fixed val_to_str() from newer wireshark: just always +allocate the string. + +Now, if val_to_str() needs to allocate new memory it obtains +allocator by calling wmem_packet_scope() which is what we may do +too. + +Hand in hand with that, we need to free the memory using the +correct allocator, hence wmem_free(). But let's put it into a +wrapper vir_wmem_free() because just like val_to_str(), it'll +need additional argument when adapting to new wireshark. + +Oh, and freeing the memory right after col_add_fstr() is safe as +it uses vsnprintf() under the hood to format passed args. + +One last thing, the wmem.h file used to live under epan/wmem/ but +then in v3.5.0~240 [1] was moved to wsutil/wmem/. + +1: https://gitlab.com/wireshark/wireshark/-/commit/7f9c1f5f92c131354fc8b2b88d473706786064c0 +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit 002b9f559d69b92e77ab2d234df6966fecdaf0ec) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/002b9f559d69b92e77ab2d234df6966fecdaf0ec +--- + meson.build | 20 ++++++++++++++++++++ + tools/wireshark/src/meson.build | 1 + + tools/wireshark/src/packet-libvirt.c | 35 ++++++++++++++++++++++++++++------- + 3 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index 5d261a0..3113ac2 100644 +--- a/meson.build ++++ b/meson.build +@@ -1365,6 +1365,26 @@ if wireshark_dep.found() + if cc.check_header('wireshark/ws_version.h') + conf.set('WITH_WS_VERSION', 1) + endif ++ ++ # Find wmem.h ++ # But it's not as easy as you'd think. Ubuntu 20.04 has split parts of ++ # libwireshark.so into libwsutil.so but: ++ # a) wireshark.pc never mentions it, ++ # b) libwsutil-dev package doesn't install pkg-config file. ++ # Fortunately, it's fixed in 24.04. ++ if cc.check_header('wireshark/epan/wmem/wmem.h', dependencies: wireshark_dep) ++ conf.set('WITH_WS_EPAN_WMEM', 1) ++ elif cc.check_header('wireshark/wsutil/wmem/wmem.h', dependencies: wireshark_dep) ++ conf.set('WITH_WS_WSUTIL_WMEM', 1) ++ else ++ error('Unable to locate wmem.h file') ++ endif ++ ++ # TODO: drop wsutil dep once support for Ubuntu 20.04 is dropped ++ wsutil_dep = dependency('', required: false) ++ if not cc.has_function('wmem_free', dependencies: wireshark_dep) ++ wsutil_dep = cc.find_library('wsutil', required: true) ++ endif + endif + + # generic build dependencies checks +diff --git a/tools/wireshark/src/meson.build b/tools/wireshark/src/meson.build +index 9b452dc..ba0df91 100644 +--- a/tools/wireshark/src/meson.build ++++ b/tools/wireshark/src/meson.build +@@ -9,6 +9,7 @@ shared_library( + ], + dependencies: [ + wireshark_dep, ++ wsutil_dep, + xdr_dep, + tools_dep, + ], +diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c +index f6ad2c4..3178ac6 100644 +--- a/tools/wireshark/src/packet-libvirt.c ++++ b/tools/wireshark/src/packet-libvirt.c +@@ -21,6 +21,11 @@ + #include + #include + #include ++#ifdef WITH_WS_EPAN_WMEM ++# include ++#elif WITH_WS_WSUTIL_WMEM ++# include ++#endif + #include + #include + #include "packet-libvirt.h" +@@ -140,13 +145,19 @@ static const value_string status_strings[] = { + { -1, NULL } + }; + +-static const char * ++static char * + G_GNUC_PRINTF(3, 0) + vir_val_to_str(const uint32_t val, + const value_string *vs, + const char *fmt) + { +- return val_to_str(val, vs, fmt); ++ return val_to_str_wmem(wmem_packet_scope(), val, vs, fmt); ++} ++ ++static void ++vir_wmem_free(void *ptr) ++{ ++ wmem_free(wmem_packet_scope(), ptr); + } + + static gboolean +@@ -462,6 +473,10 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + uint32_t prog, serial; + int32_t proc, type, status; + const value_string *vs; ++ char *prog_str = NULL; ++ char *proc_str = NULL; ++ char *type_str = NULL; ++ char *status_str = NULL; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "Libvirt"); + col_clear(pinfo->cinfo, COL_INFO); +@@ -474,15 +489,21 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + serial = tvb_get_ntohl(tvb, offset); offset += 4; + status = tvb_get_ntohil(tvb, offset); offset += 4; + +- col_add_fstr(pinfo->cinfo, COL_INFO, "Prog=%s", +- vir_val_to_str(prog, program_strings, "%x")); ++ prog_str = vir_val_to_str(prog, program_strings, "%x"); ++ col_add_fstr(pinfo->cinfo, COL_INFO, "Prog=%s", prog_str); ++ vir_wmem_free(prog_str); + + vs = get_program_data(prog, VIR_PROGRAM_PROCSTRINGS); +- col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", vir_val_to_str(proc, vs, "%d")); ++ proc_str = vir_val_to_str(proc, vs, "%d"); ++ col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", proc_str); ++ vir_wmem_free(proc_str); + ++ type_str = vir_val_to_str(type, type_strings, "%d"); ++ status_str = vir_val_to_str(status, status_strings, "%d"); + col_append_fstr(pinfo->cinfo, COL_INFO, " Type=%s Serial=%u Status=%s", +- vir_val_to_str(type, type_strings, "%d"), serial, +- vir_val_to_str(status, status_strings, "%d")); ++ type_str, serial, status_str); ++ vir_wmem_free(status_str); ++ vir_wmem_free(type_str); + + if (tree) { + gint *hf_proc; diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Don-t-special-case-retval-of-get_program_data-i.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Don-t-special-case-retval-of-get_program_data-i.patch --- 11.6.0-1/debian/patches/backport/wireshark-Don-t-special-case-retval-of-get_program_data-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Don-t-special-case-retval-of-get_program_data-i.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,43 @@ +From: Michal Privoznik +Date: Fri, 10 Oct 2025 19:16:54 +0200 +Subject: wireshark: Don't special case retval of get_program_data() in + dissect_libvirt_message() + +The get_program_data() function returns a pointer (in this +specific case to an array of procedure strings) which, if +non-NULL is then passed val_to_str(). Well, if val_to_str() sees +NULL it is treated gracefully, i.e. like if the numeric value +'proc' wasn't found in the array. + +Therefore, there's no need to special case call to +col_append_fstr(). Both result into the same behaviour. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit 1086888f95a322101f8cf53b63c96600ccbeb882) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/1086888f95a322101f8cf53b63c96600ccbeb882 +--- + tools/wireshark/src/packet-libvirt.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c +index af14c6b..6c72980 100644 +--- a/tools/wireshark/src/packet-libvirt.c ++++ b/tools/wireshark/src/packet-libvirt.c +@@ -469,11 +469,7 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + val_to_str(prog, program_strings, "%x")); + + vs = get_program_data(prog, VIR_PROGRAM_PROCSTRINGS); +- if (vs == NULL) { +- col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%d", proc); +- } else { +- col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", val_to_str(proc, vs, "%d")); +- } ++ col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", val_to_str(proc, vs, "%d")); + + col_append_fstr(pinfo->cinfo, COL_INFO, " Type=%s Serial=%u Status=%s", + val_to_str(type, type_strings, "%d"), serial, diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Drop-needless-declaration-of-proto_register_lib.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Drop-needless-declaration-of-proto_register_lib.patch --- 11.6.0-1/debian/patches/backport/wireshark-Drop-needless-declaration-of-proto_register_lib.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Drop-needless-declaration-of-proto_register_lib.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,35 @@ +From: Michal Privoznik +Date: Mon, 13 Oct 2025 10:34:51 +0200 +Subject: wireshark: Drop needless declaration of proto_register_libvirt() and + proto_reg_handoff_libvirt() + +Both proto_register_libvirt() and proto_reg_handoff_libvirt() are +declared in packet-libvirt.h which is included from plugin.c. +There's no need to provide another declaration in plugin.c. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit b825bb556bd3967bf5422c243b77bd4038e317e2) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/b825bb556bd3967bf5422c243b77bd4038e317e2 +--- + tools/wireshark/src/plugin.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/wireshark/src/plugin.c b/tools/wireshark/src/plugin.c +index 9a83f2c..19b25e7 100644 +--- a/tools/wireshark/src/plugin.c ++++ b/tools/wireshark/src/plugin.c +@@ -72,9 +72,6 @@ void plugin_register(void) + + #else /* WIRESHARK_VERSION >= 2009000 */ + +-void proto_register_libvirt(void); +-void proto_reg_handoff_libvirt(void); +- + WS_DLL_PUBLIC_DEF const gchar plugin_version[] = PLUGIN_VERSION; + WS_DLL_PUBLIC_DEF const int plugin_want_major = WIRESHARK_VERSION_MAJOR; + WS_DLL_PUBLIC_DEF const int plugin_want_minor = WIRESHARK_VERSION_MINOR; diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Fix-int-type-of-some-virNetMessageHeader-member.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Fix-int-type-of-some-virNetMessageHeader-member.patch --- 11.6.0-1/debian/patches/backport/wireshark-Fix-int-type-of-some-virNetMessageHeader-member.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Fix-int-type-of-some-virNetMessageHeader-member.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,129 @@ +From: Michal Privoznik +Date: Mon, 13 Oct 2025 09:21:30 +0200 +Subject: wireshark: Fix int type of some virNetMessageHeader members + +Our virNetMessageHeader is a struct that's declared as follows: + + struct virNetMessageHeader { + unsigned prog; + unsigned vers; + int proc; + virNetMessageType type; + unsigned serial; + virNetMessageStatus status; + }; + +Now, per RFC 4506 enums are also encoded as signed integers. This +means, that only 'prog', 'vers' and 'serial' are really unsigned +integers. The others ('proc', 'type' and 'status') are encoded as +signed integers. Fix their type when dissecting. + +While at it, also follow latest trend in wireshark and switch +from guint32 to uint32_t. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit 7374c4ecbd591b02f7be4b2918addc6d5852aafb) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/7374c4ecbd591b02f7be4b2918addc6d5852aafb +--- + tools/wireshark/src/packet-libvirt.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c +index da2aabd..af14c6b 100644 +--- a/tools/wireshark/src/packet-libvirt.c ++++ b/tools/wireshark/src/packet-libvirt.c +@@ -92,7 +92,7 @@ typedef gboolean (*vir_xdr_dissector_t)(tvbuff_t *tvb, proto_tree *tree, XDR *xd + + typedef struct vir_dissector_index vir_dissector_index_t; + struct vir_dissector_index { +- guint32 proc; ++ int32_t proc; + vir_xdr_dissector_t args; + vir_xdr_dissector_t ret; + vir_xdr_dissector_t msg; +@@ -275,8 +275,10 @@ dissect_xdr_array(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, gint ett, + } + + static vir_xdr_dissector_t +-find_payload_dissector(guint32 proc, guint32 type, +- const vir_dissector_index_t *pds, gsize length) ++find_payload_dissector(int32_t proc, ++ enum vir_net_message_type type, ++ const vir_dissector_index_t *pds, ++ gsize length) + { + const vir_dissector_index_t *pd; + guint32 first, last, direction; +@@ -309,6 +311,10 @@ find_payload_dissector(guint32 proc, guint32 type, + return pd->ret; + case VIR_NET_MESSAGE: + return pd->msg; ++ case VIR_NET_STREAM: ++ case VIR_NET_STREAM_HOLE: ++ /* Handled elsewhere */ ++ return NULL; + } + return NULL; + } +@@ -397,8 +403,12 @@ dissect_xdr_stream_hole(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf) + #include "libvirt/protocol.h" + + static void +-dissect_libvirt_payload(tvbuff_t *tvb, proto_tree *tree, +- guint32 prog, guint32 proc, guint32 type, guint32 status) ++dissect_libvirt_payload(tvbuff_t *tvb, ++ proto_tree *tree, ++ uint32_t prog, ++ int32_t proc, ++ int32_t type, ++ int32_t status) + { + gssize payload_length; + +@@ -430,7 +440,8 @@ dissect_libvirt_payload(tvbuff_t *tvb, proto_tree *tree, + return; + + unknown: +- dbg("Cannot determine payload: Prog=%u, Proc=%u, Type=%u, Status=%u", prog, proc, type, status); ++ dbg("Cannot determine payload: Prog=%u, Proc=%d, Type=%d, Status=%d", ++ prog, proc, type, status); + proto_tree_add_item(tree, hf_libvirt_unknown, tvb, VIR_HEADER_LEN, -1, ENC_NA); + } + +@@ -439,7 +450,8 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + void *opaque G_GNUC_UNUSED) + { + goffset offset; +- guint32 prog, proc, type, serial, status; ++ uint32_t prog, serial; ++ int32_t proc, type, status; + const value_string *vs; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "Libvirt"); +@@ -448,17 +460,17 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + offset = 4; /* End of length field */ + prog = tvb_get_ntohl(tvb, offset); offset += 4; + offset += 4; /* Ignore version header field */ +- proc = tvb_get_ntohl(tvb, offset); offset += 4; +- type = tvb_get_ntohl(tvb, offset); offset += 4; ++ proc = tvb_get_ntohil(tvb, offset); offset += 4; ++ type = tvb_get_ntohil(tvb, offset); offset += 4; + serial = tvb_get_ntohl(tvb, offset); offset += 4; +- status = tvb_get_ntohl(tvb, offset); offset += 4; ++ status = tvb_get_ntohil(tvb, offset); offset += 4; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Prog=%s", + val_to_str(prog, program_strings, "%x")); + + vs = get_program_data(prog, VIR_PROGRAM_PROCSTRINGS); + if (vs == NULL) { +- col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%u", proc); ++ col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%d", proc); + } else { + col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", val_to_str(proc, vs, "%d")); + } diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Introduce-and-use-vir_val_to_str.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Introduce-and-use-vir_val_to_str.patch --- 11.6.0-1/debian/patches/backport/wireshark-Introduce-and-use-vir_val_to_str.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Introduce-and-use-vir_val_to_str.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,65 @@ +From: Michal Privoznik +Date: Fri, 10 Oct 2025 18:23:18 +0200 +Subject: wireshark: Introduce and use vir_val_to_str() + +Wireshark offers val_to_str() function which converts numeric +value to string by looking up value ('val') in an array ('vs') of + pairs. If no corresponding string is found, then +the value is formatted using given 'fmt' string. + +Starting from wireshark-4.6.0 not only this function gained +another argument but also returns a strdup()-ed string. To keep +our code simple, let's introduce a wrapper so which can be then +adjusted as needed. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit ba2c4bdd5cbccd5c0673149cf76802c98b70d2f7) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/ba2c4bdd5cbccd5c0673149cf76802c98b70d2f7 +--- + tools/wireshark/src/packet-libvirt.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c +index 6c72980..f6ad2c4 100644 +--- a/tools/wireshark/src/packet-libvirt.c ++++ b/tools/wireshark/src/packet-libvirt.c +@@ -140,6 +140,15 @@ static const value_string status_strings[] = { + { -1, NULL } + }; + ++static const char * ++G_GNUC_PRINTF(3, 0) ++vir_val_to_str(const uint32_t val, ++ const value_string *vs, ++ const char *fmt) ++{ ++ return val_to_str(val, vs, fmt); ++} ++ + static gboolean + dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf, + guint32 maxlen) +@@ -466,14 +475,14 @@ dissect_libvirt_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + status = tvb_get_ntohil(tvb, offset); offset += 4; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Prog=%s", +- val_to_str(prog, program_strings, "%x")); ++ vir_val_to_str(prog, program_strings, "%x")); + + vs = get_program_data(prog, VIR_PROGRAM_PROCSTRINGS); +- col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", val_to_str(proc, vs, "%d")); ++ col_append_fstr(pinfo->cinfo, COL_INFO, " Proc=%s", vir_val_to_str(proc, vs, "%d")); + + col_append_fstr(pinfo->cinfo, COL_INFO, " Type=%s Serial=%u Status=%s", +- val_to_str(type, type_strings, "%d"), serial, +- val_to_str(status, status_strings, "%d")); ++ vir_val_to_str(type, type_strings, "%d"), serial, ++ vir_val_to_str(status, status_strings, "%d")); + + if (tree) { + gint *hf_proc; diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Move-WIRESHARK_VERSION-macro-definition.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Move-WIRESHARK_VERSION-macro-definition.patch --- 11.6.0-1/debian/patches/backport/wireshark-Move-WIRESHARK_VERSION-macro-definition.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Move-WIRESHARK_VERSION-macro-definition.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,78 @@ +From: Michal Privoznik +Date: Mon, 13 Oct 2025 09:04:17 +0200 +Subject: wireshark: Move WIRESHARK_VERSION macro definition + +Soon, other parts of the wireshark code will need to +differentiate wrt wireshark version. Therefore, move the +WIRESHARK_VERSION macro definition among with its deps into +packet-libvirt.h. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit 02a0e78bf54c903da8922c56bade9b3298ade351) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/02a0e78bf54c903da8922c56bade9b3298ade351 +--- + tools/wireshark/src/packet-libvirt.h | 14 ++++++++++++++ + tools/wireshark/src/plugin.c | 14 -------------- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/tools/wireshark/src/packet-libvirt.h b/tools/wireshark/src/packet-libvirt.h +index 14e6e13..15cfcb0 100644 +--- a/tools/wireshark/src/packet-libvirt.h ++++ b/tools/wireshark/src/packet-libvirt.h +@@ -19,5 +19,19 @@ + + #pragma once + ++#ifdef WITH_WS_VERSION ++# include ++#else ++# include ++# define WIRESHARK_VERSION_MAJOR VERSION_MAJOR ++# define WIRESHARK_VERSION_MINOR VERSION_MINOR ++# define WIRESHARK_VERSION_MICRO VERSION_MICRO ++#endif ++ ++#define WIRESHARK_VERSION \ ++ ((WIRESHARK_VERSION_MAJOR * 1000 * 1000) + \ ++ (WIRESHARK_VERSION_MINOR * 1000) + \ ++ (WIRESHARK_VERSION_MICRO)) ++ + void proto_register_libvirt(void); + void proto_reg_handoff_libvirt(void); +diff --git a/tools/wireshark/src/plugin.c b/tools/wireshark/src/plugin.c +index 19b25e7..64317b5 100644 +--- a/tools/wireshark/src/plugin.c ++++ b/tools/wireshark/src/plugin.c +@@ -12,15 +12,6 @@ + + #include + +-#ifdef WITH_WS_VERSION +-# include +-#else +-# include +-# define WIRESHARK_VERSION_MAJOR VERSION_MAJOR +-# define WIRESHARK_VERSION_MINOR VERSION_MINOR +-# define WIRESHARK_VERSION_MICRO VERSION_MICRO +-#endif +- + #define HAVE_PLUGINS 1 + #include + /* plugins are DLLs */ +@@ -32,11 +23,6 @@ + /* Let the plugin version be the version of libvirt */ + #define PLUGIN_VERSION VERSION + +-#define WIRESHARK_VERSION \ +- ((WIRESHARK_VERSION_MAJOR * 1000 * 1000) + \ +- (WIRESHARK_VERSION_MINOR * 1000) + \ +- (WIRESHARK_VERSION_MICRO)) +- + #if WIRESHARK_VERSION < 2005000 + + WS_DLL_PUBLIC_DEF const gchar version[] = VERSION; diff -pruN 11.6.0-1/debian/patches/backport/wireshark-Switch-header-files-to-pragma-once.patch 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Switch-header-files-to-pragma-once.patch --- 11.6.0-1/debian/patches/backport/wireshark-Switch-header-files-to-pragma-once.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/backport/wireshark-Switch-header-files-to-pragma-once.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,44 @@ +From: Michal Privoznik +Date: Fri, 10 Oct 2025 15:20:05 +0200 +Subject: wireshark: Switch header files to #pragma once + +The genxdrstub.pl script generates some header files. But they +use the old pattern to guard against multiple inclusion: + + #ifndef SOMETHING_H + #define SOMETHING_H + ... + #endif + +Change the script to generate just '#pragma once' used everywhere +else in our code. + +Signed-off-by: Michal Privoznik +Reviewed-by: Peter Krempa +(cherry picked from commit 41d3b457972bde85991fa7ed6f282370aca4b2af) + +Bug-Debian: https://bugs.debian.org/1118069 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/41d3b457972bde85991fa7ed6f282370aca4b2af +--- + tools/wireshark/util/genxdrstub.pl | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/tools/wireshark/util/genxdrstub.pl b/tools/wireshark/util/genxdrstub.pl +index 8cfda25..01b663a 100755 +--- a/tools/wireshark/util/genxdrstub.pl ++++ b/tools/wireshark/util/genxdrstub.pl +@@ -563,11 +563,8 @@ sub add_header_file { + local $self->{header_contents} = []; + $self->print("/* *DO NOT MODIFY* this file directly.\n"); + $self->print(" * This file was generated by $0 from libvirt version $libvirt_version */\n"); +- my $ucname = uc $name; +- $self->print("#ifndef _$ucname\_H_\n"); +- $self->print("#define _$ucname\_H_\n"); ++ $self->print("#pragma once\n"); + $block->(); +- $self->print("#endif /* _$ucname\_H_ */"); + push @{ $self->{headers} }, [ $name, delete $self->{header_contents} ]; + } + diff -pruN 11.6.0-1/debian/patches/series 11.6.0-1ubuntu6/debian/patches/series --- 11.6.0-1/debian/patches/series 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/series 2025-10-29 09:34:08.000000000 +0000 @@ -1,4 +1,36 @@ +backport/wireshark-Drop-needless-declaration-of-proto_register_lib.patch +backport/wireshark-Switch-header-files-to-pragma-once.patch +backport/wireshark-Move-WIRESHARK_VERSION-macro-definition.patch +backport/wireshark-Fix-int-type-of-some-virNetMessageHeader-member.patch +backport/wireshark-Don-t-special-case-retval-of-get_program_data-i.patch +backport/wireshark-Introduce-and-use-vir_val_to_str.patch +backport/wireshark-Don-t-leak-column-strings.patch +backport/wireshark-Adapt-to-wireshark-4.6.0.patch debian/Debianize-libvirt-guests.patch debian/apparmor_profiles_local_include.patch debian/Use-sensible-editor-by-default.patch debian/Drop-inter-package-Also-lines-from-libvirtd.service.patch + +ubuntu/Allow-libvirt-group-to-access-the-socket.patch +ubuntu/daemon-augeas-fix-expected.patch +ubuntu/ubuntu_machine_type.patch +ubuntu/set-default-machine-to-ubuntu.patch +ubuntu/lp-1861125-ubuntu-models.patch +ubuntu/dnsmasq-as-priv-user +ubuntu/ovmf_paths.patch +ubuntu/wait-for-qemu-kvm.patch +ubuntu/swtpm-by-swtpm-user.patch +ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch + +# Ubuntu Apparmor Changes +ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch +ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch +ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch +ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch +ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch +ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch +ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch +ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch +ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch +ubuntu-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch +ubuntu-aa/lp2127492-apparmor-Allow-AMD-SEV-device-access-for-AMD-SEV-VM.patch diff -pruN 11.6.0-1/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch --- 11.6.0-1/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,50 @@ +From: Guido Guenther +Date: Thu, 26 Jun 2008 20:01:38 +0200 +Subject: Allow libvirt group to access the socket +Forwarded: no +Updated: 2020-08-05 + +This is the group based access to libvirt functions as it was used +in Ubuntu for quite long. + +Debian uses root + policykit for the same. But since Ubuntu did it +the group based way for so long people are used to that, so we keep it. + +There are some related tests (if augeas is enabled as build depend) that need +to be adapted in their expected output, that is done in: + d/p/ubuntu/daemon-augeas-fix-expected.patch + + +--- libvirt.orig/src/remote/libvirtd.conf.in 2024-01-12 15:03:56.073753030 -0500 ++++ libvirt/src/remote/libvirtd.conf.in 2024-01-12 15:03:56.073753030 -0500 +@@ -166,7 +166,7 @@ + # + # To restrict monitoring of domains you may wish to either + # enable 'sasl' here, or change the polkit policy definition. +-#auth_unix_ro = "@default_auth@" ++auth_unix_ro = "none" + + # Set an authentication scheme for UNIX read-write sockets. + # +@@ -182,7 +182,7 @@ + # is essential to change the systemd SocketMode parameter + # back to 0600, to avoid an insecure configuration. + # +-#auth_unix_rw = "@default_auth@" ++auth_unix_rw = "none" + @CUT_ENABLE_IP@ + + # Change the authentication scheme for TCP sockets. +--- libvirt.orig/src/remote/libvirtd.socket.in 2024-01-12 15:03:56.073753030 -0500 ++++ libvirt/src/remote/libvirtd.socket.in 2024-01-12 15:04:52.681162551 -0500 +@@ -4,7 +4,9 @@ Description=libvirt legacy monolithic da + [Socket] + ListenStream=@runstatedir@/libvirt/libvirt-sock + Service=libvirtd.service +-SocketMode=@sockmode@ ++SocketMode=0660 ++SocketUser=root ++SocketGroup=libvirt + RemoveOnStop=yes + + [Install] diff -pruN 11.6.0-1/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/daemon-augeas-fix-expected.patch --- 11.6.0-1/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 2025-08-21 13:05:03.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Fix the expected augeas output for 'make check' + This never used to run for us because we never build-depended on + augeas-tools. +Author: Serge Hallyn +Forwarded: no + +This is only needed in combination with + d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch and makes the tests +match the slightly different default configuration. + +--- a/src/remote/test_libvirtd.aug.in ++++ b/src/remote/test_libvirtd.aug.in +@@ -14,8 +14,6 @@ module Test_@DAEMON_NAME@ = + { "unix_sock_rw_perms" = "0770" } + { "unix_sock_admin_perms" = "0700" } + { "unix_sock_dir" = "@runstatedir@/libvirt" } +- { "auth_unix_ro" = "@default_auth@" } +- { "auth_unix_rw" = "@default_auth@" } + @CUT_ENABLE_IP@ + { "auth_tcp" = "sasl" } + { "auth_tls" = "none" } diff -pruN 11.6.0-1/debian/patches/ubuntu/dnsmasq-as-priv-user 11.6.0-1ubuntu6/debian/patches/ubuntu/dnsmasq-as-priv-user --- 11.6.0-1/debian/patches/ubuntu/dnsmasq-as-priv-user 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/dnsmasq-as-priv-user 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,300 @@ +Title: Run DNSMASQ as libvirt-dnsmasq user +DEP: 3 +Date: 2012-03-02 +Drivers: Serge Hallyn +URL: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/938255 + +Dropped in Artful for security reasons: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1690729 +Readded in improved Bionic: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1743718 +Debian nack: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340 + +Abstract: + Generally it's bad form from a security perspective to run daemons as user + nobody because a vulnerability in one daemon will possibly allow it, when + compromised, to interfere with another daemon that is also running as nobody. + The preferred solution is to run it as a service-specific system user. In this + case, because there may be multiple dnsmasq daemons running, a separate + libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under + a system user called unsurprisingly 'dnsmasq'). +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -1129,7 +1129,8 @@ networkDnsmasqConfContents(virNetworkObj + "## virsh net-edit %s\n" + "## or other application using the libvirt API.\n" + "##\n## dnsmasq conf file created by libvirt\n" +- "strict-order\n", ++ "strict-order\n" ++ "user=libvirt-dnsmasq\n", + def->name); + + /* if dns is disabled, set its listening port to 0, which +--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf ++++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/dhcp6-nat-network.conf ++++ b/tests/networkxml2confdata/dhcp6-nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/dhcp6-network.conf ++++ b/tests/networkxml2confdata/dhcp6-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=mynet + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/isolated-network.conf ++++ b/tests/networkxml2confdata/isolated-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr2 +--- a/tests/networkxml2confdata/nat-network.conf ++++ b/tests/networkxml2confdata/nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-forwarders.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forwarders.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + server=8.8.8.8 + server=8.8.4.4 + server=/example.com/192.168.1.1 +--- a/tests/networkxml2confdata/nat-network-dns-forward-plain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forward-plain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf ++++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + domain-needed +--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf ++++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/netboot-network.conf ++++ b/tests/networkxml2confdata/netboot-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/netboot-proxy-network.conf ++++ b/tests/networkxml2confdata/netboot-proxy-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/routed-network.conf ++++ b/tests/networkxml2confdata/routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/nat-network-dns-local-domain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/example.com/ + domain=example.com + expand-hosts +--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf ++++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/open-network.conf ++++ b/tests/networkxml2confdata/open-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/ptr-domains-auto.conf ++++ b/tests/networkxml2confdata/ptr-domains-auto.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/122.168.192.in-addr.arpa/ + local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ + except-interface=lo +--- a/tests/networkxml2confdata/routed-network-no-dns.conf ++++ b/tests/networkxml2confdata/routed-network-no-dns.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + port=0 + except-interface=lo + bind-dynamic +--- a/tests/networkxml2confdata/nat-network-dns-forwarder-no-resolv.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forwarder-no-resolv.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + server=/example.com/192.168.1.1 + except-interface=lo + bind-dynamic +--- a/tests/networkxml2confdata/nat-network-mtu.conf ++++ b/tests/networkxml2confdata/nat-network-mtu.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/dnsmasq-options.conf ++++ b/tests/networkxml2confdata/dnsmasq-options.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-hours.conf ++++ b/tests/networkxml2confdata/leasetime-hours.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-infinite.conf ++++ b/tests/networkxml2confdata/leasetime-infinite.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-minutes.conf ++++ b/tests/networkxml2confdata/leasetime-minutes.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-seconds.conf ++++ b/tests/networkxml2confdata/leasetime-seconds.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/netboot-tftp.conf ++++ b/tests/networkxml2confdata/netboot-tftp.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 diff -pruN 11.6.0-1/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch --- 11.6.0-1/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Ubuntu Models for LP: 1861125 + We got the issue fixed through + https://bugzilla.redhat.com/show_bug.cgi?id=1795651 but it is type based + so at least for the support time of Xenial we need to carry a delty adding + the named Ubuntu types to the workaround. +Forwarded: no (Ubuntu specific) +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1861125 +Bug-Upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1795651 +Last-Update: 2020-02-12 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2323,6 +2323,8 @@ const char *s390HostPassthroughOnlyMachi + "s390-ccw-virtio-2.5", + "s390-ccw-virtio-2.6", + "s390-ccw-virtio-2.7", ++ "s390-ccw-virtio-xenial", ++ "s390-ccw-virtio-yakkety", + NULL + }; + diff -pruN 11.6.0-1/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch --- 11.6.0-1/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,59 @@ +From: =?utf-8?q?Lukas_M=C3=A4rdian?= +Date: Wed, 20 Aug 2025 11:26:12 +0200 +Subject: conf: Default to qemu:///system libvirt URI (LP: #2027838) + +On Ubuntu we always want to initialize the URI to qemu:///system, regardless if +running as privileged daemon or not. This keeps backward compatibility with +Ubuntu's default behavior, while still allowing users more flexibility in +changing that default, through config files or environment variables. + +This can still be overridden via the "uri_default" setting in +/etc/libvirt.conf, ~/.config/libvirt/libvirt.conf or the +LIBVIRT_DEFAULT_URI environment variable. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2027838 +Origin: vendor, Ubuntu +Forwarded: not-needed +Last-Update: 2025-08-20 +--- + docs/uri.rst | 2 +- + src/libvirt.c | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/docs/uri.rst b/docs/uri.rst +index cc97000..38efcce 100644 +--- a/docs/uri.rst ++++ b/docs/uri.rst +@@ -56,7 +56,7 @@ will use the following logic to determine what URI to use. + + #. The environment variable ``LIBVIRT_DEFAULT_URI`` + #. The client configuration file ``uri_default`` parameter +-#. Probe each hypervisor in turn until one that works is found ++#. Fallback to ``qemu:///system`` + + Historically an empty URI was equivalent to ``xen:///system``. + +diff --git a/src/libvirt.c b/src/libvirt.c +index 375d3fa..004de32 100644 +--- a/src/libvirt.c ++++ b/src/libvirt.c +@@ -886,8 +886,18 @@ virConnectGetDefaultURI(virConf *conf, + VIR_DEBUG("Using LIBVIRT_DEFAULT_URI '%s'", defname); + *name = g_strdup(defname); + } else { +- if (virConfGetValueString(conf, "uri_default", name) < 0) ++ int ret = virConfGetValueString(conf, "uri_default", name); ++ if (ret < 0) + return -1; ++ else if (ret == 0) { ++ /* Pretend uri_default was set to qemu:///system, if not found. ++ On Ubuntu we always want to initialize the URI to qemu:///system, ++ regardless if running as privileged daemon or not (LP: #2027838). ++ This can still be overridden via the "uri_default" setting in ++ /etc/libvirt.conf, ~/.config/libvirt/libvirt.conf or the ++ LIBVIRT_DEFAULT_URI environment variable. */ ++ *name = g_strdup("qemu:///system"); ++ } + + if (*name) + VIR_DEBUG("Using config file uri '%s'", *name); diff -pruN 11.6.0-1/debian/patches/ubuntu/ovmf_paths.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/ovmf_paths.patch --- 11.6.0-1/debian/patches/ubuntu/ovmf_paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/ovmf_paths.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,54 @@ +From: Mathieu Trudel-Lapierre +Subject: Add paths to "ms" variants of OVMF code/vars + +The "ms" Secure Boot -enabled variants of OVMF_CODE and OVMF_VARS +both should include the added label rather than just the OVMF_CODE file: +in Ubuntu, we always build OVMF_CODE with Secure Boot enabled, as we only +build it once, but the variable store in the ms.fd file additionally +includes preloaded Microsoft KEK/DB keys, as well as an ephemeral PK/KEK +key that was generated just for that purpose (for which only the public +part is available, the secret key has been deleted). The fact that a PK, +KEK, and DB keys are loaded means Secure Boot is effectively enabled and +can validate UEFI binaries. When users use the non-secboot variant, then +Secure Boot is effectively not in use due to the absence of the keys. + +--- + src/qemu/qemu.conf | 3 ++- + src/qemu/qemu_conf.c | 3 ++- + src/qemu/test_libvirtd_qemu.aug.in | 1 + + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -1006,7 +1006,8 @@ + # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +-# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd", ++# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #] + + +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -106,7 +106,8 @@ VIR_ONCE_GLOBAL_INIT(virQEMUConfig); + "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd:" \ +- "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++ "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd:" \ ++ "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #endif + + +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -117,6 +117,7 @@ module Test_libvirtd_qemu = + { "2" = "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd" } + { "3" = "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd" } + { "4" = "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" } ++ { "5" = "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" } + } + { "stdio_handler" = "logd" } + { "gluster_debug_level" = "9" } diff -pruN 11.6.0-1/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch --- 11.6.0-1/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,45 @@ +Description: set default machine type to ubuntu + Upstream qemu is about to change the default machine type to q35. + But libvirt has sort of an API-contract that guarantees to have the + default be at a "pc" type. + Note: it can not be overemphasized that users/tools should choose a type + themselves in any cases possible + . + Due to those changes in qemu libvirt now ignores the qemu default type. + But we want the latest distro machine type the default. + Qemu only provides max one alias per type, so we can not set "ubuntu" + which is the default we provided for users asking for the latest type + matching the current series AND at the same time an alias to "pc" which + is what libvirt now explicitly selects. + . + The lowest amount of confusion is to let libvirt select "ubuntu" instead of + "pc" as the default. That matches all former Ubuntu releases where "ubuntu" + was the default qemu provided and libvirt picked up and at the same time it + stays a pc-based type as required by libvirt. + . + Distro-only: as the machine types only are that way to maintain + differences between pure upstream and derived qemu implementation. +Forwarded: not-needed +Author: Christian Ehrhardt +Last-Update: 2019-01-10 + +--- libvirt.orig/src/qemu/qemu_capabilities.c 2024-07-23 18:33:02.852372495 -0400 ++++ libvirt/src/qemu/qemu_capabilities.c 2024-07-23 18:33:36.116126928 -0400 +@@ -2696,7 +2696,7 @@ static const char *preferredMachines[] = + + "virt", /* VIR_ARCH_AARCH64 */ + "axis-dev88", /* VIR_ARCH_CRIS */ +- "pc", /* VIR_ARCH_I686 */ ++ "ubuntu", /* VIR_ARCH_I686 */ + NULL, /* VIR_ARCH_ITANIUM (doesn't exist in QEMU any more) */ + "lm32-evr", /* VIR_ARCH_LM32 */ + +@@ -2730,7 +2730,7 @@ static const char *preferredMachines[] = + "sun4u", /* VIR_ARCH_SPARC64 */ + "puv3", /* VIR_ARCH_UNICORE32 */ + +- "pc", /* VIR_ARCH_X86_64 */ ++ "ubuntu", /* VIR_ARCH_X86_64 */ + "sim", /* VIR_ARCH_XTENSA */ + "sim", /* VIR_ARCH_XTENSAEB */ + }; diff -pruN 11.6.0-1/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/swtpm-by-swtpm-user.patch --- 11.6.0-1/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,40 @@ +Description: Have swtpm use the swtpm user by default + User 'tss' has more permissions than required and since tpm in some sense + is guest/host interface it shall be run under a more restrictive user. +Forwarded: no-needed +X-Not-Forwarded-Reason: swtpm user is ubuntu specific +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1948880 +Last-Update: 2021-11-11 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -1095,11 +1095,14 @@ + + # User for the swtpm TPM Emulator + # +-# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs +-# and uses; alternative is 'root' ++# Default is 'swtpm' as established by the swtpm-tools package. + # +-#swtpm_user = "tss" +-#swtpm_group = "tss" ++# In the past this was 'tss' and that still would be the built-in default ++# if nothing was configured here, but the 'tss' user also has TPM device ++# access in the host which isn't needed for swtpm. ++# ++swtpm_user = "swtpm" ++swtpm_group = "swtpm" + + + # For debugging and testing purposes it's sometimes useful to be able to disable +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -130,8 +130,6 @@ module Test_libvirtd_qemu = + { "slirp_helper" = "/usr/bin/slirp-helper" } + { "qemu_rdp" = "qemu-rdp" } + { "dbus_daemon" = "dbus-daemon" } +-{ "swtpm_user" = "tss" } +-{ "swtpm_group" = "tss" } + { "capability_filters" + { "1" = "capname" } + } diff -pruN 11.6.0-1/debian/patches/ubuntu/ubuntu_machine_type.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/ubuntu_machine_type.patch --- 11.6.0-1/debian/patches/ubuntu/ubuntu_machine_type.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/ubuntu_machine_type.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,14 @@ +Description: Extend libvirt checks for ubuntu machine types +Author: Felix Geyer +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1379346 +Last-Update: 2015-11-24 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -8900,6 +8900,7 @@ qemuDomainMachineIsI440FX(const char *ma + STRPREFIX(machine, "pc-0.") || + STRPREFIX(machine, "pc-1.") || + STRPREFIX(machine, "pc-i440fx-") || ++ STREQ(machine, "ubuntu") || + STRPREFIX(machine, "rhel")) { + return true; + } diff -pruN 11.6.0-1/debian/patches/ubuntu/wait-for-qemu-kvm.patch 11.6.0-1ubuntu6/debian/patches/ubuntu/wait-for-qemu-kvm.patch --- 11.6.0-1/debian/patches/ubuntu/wait-for-qemu-kvm.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu/wait-for-qemu-kvm.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,23 @@ +Description: Wait for qemu-kvm to have the module initialized + It was reported that in rare occasions libvirt might start up while + the kvm module is (re)loading. That can cause the capability probing + qemu processes to abort and let libvirtd hang on initialization. + Waiting on qemu-kvm is rather safe and reasonable, but is an ubuntu-only + service and therefore not generally applicable. + If qemu-kvm isn't installed or not enabled this is a no-op as it is only + an "After" rule for ordering. +Forwarded: no +X-Not-Forwarded-Reason: Ubuntu specific qemu-kvm service +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1887592 +Last-Update: 2020-08-06 +--- libvirt.orig/src/remote/libvirtd.service.in 2024-01-12 15:45:46.460367440 -0500 ++++ libvirt/src/remote/libvirtd.service.in 2024-01-12 15:46:05.904201450 -0500 +@@ -23,6 +23,7 @@ After=apparmor.service + After=remote-fs.target + After=systemd-machined.service + After=xencommons.service ++After=qemu-kvm.service + Conflicts=xendomains.service + + [Service] diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,37 @@ +From 4a8125774ff0745c0273a199fa8b9fb8316c2992 Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Thu, 11 May 2017 16:36:19 +0200 +Subject: [PATCH 20/33] UBUNTU-only: apparmor, virt-aa-helper: Allow various storage pools + and image locations + +Got various updates over time to include further Ubuntu specific paths. + +Forwarded: no (Ubuntu specific paths) +Signed-off-by: Stefan Bader +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +@@ -57,7 +57,19 @@ profile virt-aa-helper @libexecdir@/virt + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, +- /var/lib/nova/instances/_base/* r, ++ # nova base images (LP: #907269) ++ /var/lib/nova/images/** r, ++ /var/lib/nova/instances/_base/** r, ++ # nova snapshots (LP: #1244694) ++ /var/lib/nova/instances/snapshots/** r, ++ # eucalyptus (LP: #564914) ++ /var/lib/eucalyptus/instances/**/disk* r, ++ # eucalyptus loader (LP: #637544) ++ /var/lib/eucalyptus/instances/**/loader* r, ++ # for uvtool ++ /var/lib/uvtool/libvirt/images/** r, ++ # for multipass ++ /var/snap/multipass/common/data/multipassd/vault/instances/** r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,34 @@ +From 0e7ed68253072d77b2997b316d37403a275c3d2f Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Fri, 19 May 2017 09:48:52 +0200 +Subject: [PATCH 29/33] appmor, libvirt-qemu.in: Add 9p support + +Add fowner and fsetid to libvirt-qemu profile. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Note: While upstreaming Serge and Guido were not very happy +with granting those permissions unconditionally. Instead they +thought it would be better to do this in virt-aa-helper only +if 9p filesystem is in use. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/apparmor/libvirt-qemu.in | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -11,6 +11,10 @@ + capability setgid, + capability setuid, + ++ # for 9p ++ capability fsetid, ++ capability fowner, ++ + network inet stream, + network inet6 stream, + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,43 @@ +From df20057fd2774cd61d86a6f0a7f05a545e1bd862 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Wed, 10 May 2017 15:16:30 +0200 +Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk + elements + +Just because a disk element only requests read access doesn't mean +there may not be another readwrite request. + +Using 'R' when creating the apparmor rule will prevent an implicit +write-deny rule to be created alongside. This does not mean write +is allowed but it would cause a denial message and probably more +relevant, allows to add write access later. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031 + +Review note: Investigate whether instead of dropping explicit deny +write it would be possible to create explicit blockcommit rules +(LP: #1692441). + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/virt-aa-helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -851,11 +851,11 @@ add_file_path(virStorageSource *src, + + if (depth == 0) { + if (src->readonly) +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + else + ret = vah_add_file(buf, src->path, "rwk"); + } else { +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + } + + if (ret != 0) diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,34 @@ +From b1d54d7e56da3961f9db8705f7a5eaecd6f9222c Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Tue, 23 May 2017 17:21:08 +0200 +Subject: [PATCH 32/33] apparmor, libvirt-qemu.in: Allow reading charm-specific + ceph config + +Allows reading ceph configuration files from (juju) charm +specific location and silence denial messages which were +occuring related to that. + +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1403648 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/apparmor/libvirt-qemu.in | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -250,6 +250,12 @@ + unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm), + ++ # allow access to charm-specific ceph config (LP: #1403648). ++ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579) ++ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674) ++ /var/lib/charm/*/ceph.conf r, ++ /run/ceph/rbd-client-*.asok rw, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,41 @@ +From a7cf113469ba32951a0cfa44a35992153ae876c8 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt +Date: Tue, 4 Jul 2017 07:57:19 +0200 +Subject: [PATCH 33/33] UBUNTU-only: apparmor: for kvm.powerpc (LP: #1680384) + +The (so far) Ubuntu only kvm wrappers call a lot more on ppc. +Since this is already considered as the qemu binary it must be opened up +in apparmor to work. +So allow these extra tools executed by kvm.powerpc + +Note: this got added in 1680384 and extended by 1686621 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt + +Author: Christian Ehrhardt +Forwarded: no +Forward-info: Distro specific +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1680384 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686621 +Last-Update: 2018-06-17 +--- + src/security/apparmor/libvirt-qemu.in | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -256,6 +256,13 @@ + /var/lib/charm/*/ceph.conf r, + /run/ceph/rbd-client-*.asok rw, + ++ # kvm.powerpc executes/accesses this ++ /{usr/,}bin/uname rmix, ++ /{usr/,}sbin/ppc64_cpu rmix, ++ /{usr/,}bin/grep rmix, ++ /sys/devices/system/cpu/subcores_per_core r, ++ /sys/devices/system/cpu/cpu*/online r, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,28 @@ +From 4c5da648e1f1bb3fd721de59ff8b2c3614ef07a9 Mon Sep 17 00:00:00 2001 +From: Corey Bryant +Date: Wed, 5 Jul 2017 17:07:48 +0200 +Subject: [PATCH 34/34] apparmor:, virt-aa-helper: access for snapped nova + +Allow access to base images stored in nova-hypervisor snap's +$SNAP_COMMON directory, enabling use of the libvirt deb from the +nova-hypervisor snap (LP: #1644507). + +Author: Corey Bryant +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +@@ -62,6 +62,9 @@ profile virt-aa-helper @libexecdir@/virt + /var/lib/nova/instances/_base/** r, + # nova snapshots (LP: #1244694) + /var/lib/nova/instances/snapshots/** r, ++ # nova base/snapshot files in snapped nova (LP: #1644507) ++ /var/snap/nova-hypervisor/common/instances/_base/** r, ++ /var/snap/nova-hypervisor/common/instances/snapshots/** r, + # eucalyptus (LP: #564914) + /var/lib/eucalyptus/instances/**/disk* r, + # eucalyptus loader (LP: #637544) diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,57 @@ +Description: UBUNTU-only: apparmor: allow vhost-net/vsock + There are use case scenarios where a guest is started without vhost-net + or vhost-vsock, but later on such devices are hot added. + In the static start with such devices virt-aa-helper could generate rules + but actually doesn't have to as libvirt mediates access and passes FDs that + qemu will use. + This works fine, but on a hotplug of such devices without a static device + being present (that would have added the rule on start) we only have the + labeling calls of the security modules which do not vocer vhost-net/vsock. + The paths are considered security sensitive in general but even without + apparmor are protected by DAC due to Ubuntu by default not running guests + as root user or group. + To make people changing user/group aware this also adds a comment about it + to the qemu.conf file. + Under this constraint (warn in the .conf) we got the ack from security to + do this change for the comfort of our users until a more complex change like + new labellig calls is implemented. +Forwarded: yes (nacked, but complex solution has unknown ETA) +Author: Christian Ehrhardt +Origin: https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1815910 +Last-Update: 2019-05-15 + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -276,6 +276,11 @@ + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + ++ # for vhost-net/vsock/scsi hotplug (LP: #1815910) ++ /dev/vhost-net rw, ++ /dev/vhost-vsock rw, ++ /dev/vhost-scsi rw, ++ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -510,6 +510,17 @@ + # can be used to ensure that a user id will not be interpreted as a user + # name. + # ++# By default libvirt runs VMs as non-root and uses AppArmor profiles ++# to provide host protection and VM isolation. While AppArmor ++# continues to provide this protection when the VMs are running as ++# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is ++# allowed by default in the AppArmor security policy, so malicious VMs ++# running as root would have direct access to this file. If changing this ++# to run as root, you may want to remove this access from ++# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see: ++# https://launchpad.net/bugs/1815910 ++# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html ++# + # Some examples of valid values are: + # + # user = "qemu" # A user named "qemu" diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,31 @@ +From: Hector Cao +Date: Thu, 13 Feb 2025 11:09:34 +0100 +Subject: Allow acess for bridge-helper to sys devices node + +qemu-bridge-helper needs to read /sys/devices/system/node +that is not allowed in the apparmor profile +it does not make libvirtd fail but add an apparmor +audit message. This patch allows to remove this apparmor +warning + +Author: Hector Cao +Bug-Ubuntu: https://launchpad.net/bugs/2079869 +Forwarded: https://lists.ubuntu.com/archives/apparmor/2025-February/013499.html +--- + src/security/apparmor/usr.sbin.libvirtd.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in +index 3659ddc..2afc4cb 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd.in ++++ b/src/security/apparmor/usr.sbin.libvirtd.in +@@ -141,6 +141,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { + /etc/qemu/** r, + owner @{PROC}/*/status r, + ++ # for gathering information about available host resources ++ /sys/devices/system/node/ r, ++ + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, + } + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,59 @@ +From: Hector Cao +Subject: virt-aa-helper: Avoid duplicate when append rule + +when a device is dynamically attached to a VM, and it needs a special +system access for apparmor, libvirt calls virt-aa-helper (with argument -F) +to append a new rule to the apparmor profile of the VM. virt-aa-helper does +not check for duplicate and blindly appends the rule to the profile. since +there is no rule removal when a device is detached, this can make the profile +grow in size if a big number of attach/detach operations are done and the +profile might hit the size limit and futur attach operations might dysfunction +because no rule can be added into the apparmor profile. + +this patch tries to mitigate this issue by doing a duplicate check +when rules are appended into the profile. this fix does not guarantee +the absence of duplicates but should be enough to prevent the profile +to grow significantly in size and reach its size limit. + +Signed-off-by: Hector CAO +Signed-off-by: Michal Privoznik +Reviewed-by: Michal Privoznik + +Origin: upstream, https://github.com/libvirt/libvirt/commit/291dbefd074378df6b541fc1c19d3504279e069b +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/2120278 + +--- + src/security/virt-aa-helper.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index b662d971cb..8a297d4b54 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -208,10 +208,21 @@ update_include_file(const char *include_file, const char *included_files, + return -1; + } + +- if (append && virFileExists(include_file)) ++ if (append && existing) { ++ /* Duplicate check: include_files might contain multiple rules ++ * the best is to check for each rule (separated by \n) but ++ * it might be overkilled, just do the check for the whole ++ * include_files. ++ * Most of the time, include_files contains only one rule ++ * so this check is OK to avoid the overflow of the profile ++ * duplicates might still exist though. ++ */ ++ if (strstr(existing, included_files) != NULL) ++ return 0; + pcontent = g_strdup_printf("%s%s", existing, included_files); +- else ++ } else { + pcontent = g_strdup_printf("%s%s", warning, included_files); ++ } + + plen = strlen(pcontent); + if (plen > MAX_FILE_LEN) { +-- +2.45.2 + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,85 @@ +From 4912bda8e232d64d8f62d9f3d361957d190a6957 Mon Sep 17 00:00:00 2001 +From: Georgia Garcia +Date: Tue, 23 Sep 2025 15:40:21 -0300 +Subject: [PATCH] apparmor: use the coreutils tunable for coreutils + +To support use of both GNU and Rust coreutils paths, replace instances +of hardcoded uses of /{usr/,}bin/ by the @{coreutil_dirs} variable in +the libvirt-qemu abstraction, and add @{coreutil_dirs}* PUx permission +to the profiles that already allow /{usr/,}bin/* and /{usr/,}sbin/* + +Fixes: https://bugs.launchpad.net/bugs/2123870 +Forwarded: no +X-Not-Forwarded-Reason: the @{coreutil_dirs} apparmor variable is not +available in any upstream releases, it's only in ubuntu currently. +Signed-off-by: Georgia Garcia +--- + src/security/apparmor/libvirt-qemu | 6 +++--- + src/security/apparmor/usr.sbin.libvirtd.in | 1 + + src/security/apparmor/usr.sbin.virtqemud.in | 1 + + src/security/apparmor/usr.sbin.virtxend.in | 1 + + 4 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu +index d5c719e73..747ff7302 100644 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -212,8 +212,8 @@ + + # for save and resume + /{usr/,}bin/dash rmix, +- /{usr/,}bin/dd rmix, +- /{usr/,}bin/cat rmix, ++ @{coreutil_dirs}dd rmix, ++ @{coreutil_dirs}cat rmix, + + # for restore + /{usr/,}bin/bash rmix, +@@ -261,7 +261,7 @@ + /run/ceph/rbd-client-*.asok rw, + + # kvm.powerpc executes/accesses this +- /{usr/,}bin/uname rmix, ++ @{coreutil_dirs}uname rmix, + /{usr/,}sbin/ppc64_cpu rmix, + /{usr/,}bin/grep rmix, + /sys/devices/system/cpu/subcores_per_core r, +diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in +index 5ea80f408..356895af4 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd.in ++++ b/src/security/apparmor/usr.sbin.libvirtd.in +@@ -90,6 +90,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, ++ @{coreutil_dirs}* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, +diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in +index 522c098af..324989642 100644 +--- a/src/security/apparmor/usr.sbin.virtqemud.in ++++ b/src/security/apparmor/usr.sbin.virtqemud.in +@@ -88,6 +88,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, ++ @{coreutil_dirs}* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, +diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in +index 324a00039..d0fff85de 100644 +--- a/src/security/apparmor/usr.sbin.virtxend.in ++++ b/src/security/apparmor/usr.sbin.virtxend.in +@@ -34,6 +34,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, ++ @{coreutil_dirs}* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, +-- +2.43.0 + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2127492-apparmor-Allow-AMD-SEV-device-access-for-AMD-SEV-VM.patch 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2127492-apparmor-Allow-AMD-SEV-device-access-for-AMD-SEV-VM.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2127492-apparmor-Allow-AMD-SEV-device-access-for-AMD-SEV-VM.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/patches/ubuntu-aa/lp2127492-apparmor-Allow-AMD-SEV-device-access-for-AMD-SEV-VM.patch 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,68 @@ +From: Hector Cao +Subject: apparmor: Allow AMD-SEV device access for AMD-SEV VM + +AMD-SEV virtual machines interact with the underlying +AMD-SEV technology through the character device /dev/sev. +Currently, the AppArmor profile does not include the rule +required to allow this access. + +There are two main approaches to address this limitation: + +1) Add the required rule to the libvirt-qemu abstraction. +2) Dynamically add the rule only when the VM is an AMD-SEV + guest. + +Since AMD-SEV guests represent a niche use case, it is more +appropriate to apply the rule dynamically rather than granting +access to all VMs through a global abstraction change. + +This commit implements option (2) by modifying the virt-aa-helper +binary to insert the necessary rule into the AppArmor dynamic +profile when the VM is identified as an AMD-SEV guest. + +The added entry in the generated libvirt-.files file +will look like: + + ... + "/dev/sev" rw, + ... + +Signed-off-by: Hector Cao +Reviewed-by: Michal Privoznik + +Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/b90cf0c916cb114ae4cefa082311c05fc5e00193 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/2127492 + +--- + src/security/virt-aa-helper.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index 8a297d4b54..de0a826063 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -1370,6 +1370,21 @@ get_files(vahControl * ctl) + virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); + } + ++ /* AMD-SEV VM needs to read/write the character device /dev/sev */ ++ if (ctl->def->sec) { ++ switch (ctl->def->sec->sectype) { ++ case VIR_DOMAIN_LAUNCH_SECURITY_SEV: ++ case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: ++ virBufferAddLit(&buf, " \"/dev/sev\" rw,\n"); ++ break; ++ case VIR_DOMAIN_LAUNCH_SECURITY_PV: ++ case VIR_DOMAIN_LAUNCH_SECURITY_TDX: ++ case VIR_DOMAIN_LAUNCH_SECURITY_NONE: ++ case VIR_DOMAIN_LAUNCH_SECURITY_LAST: ++ break; ++ } ++ } ++ + if (ctl->newfile && + vah_add_file(&buf, ctl->newfile, "rwk") != 0) { + return -1; +-- +2.51.0 + diff -pruN 11.6.0-1/debian/rules 11.6.0-1ubuntu6/debian/rules --- 11.6.0-1/debian/rules 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/rules 2025-10-29 09:34:08.000000000 +0000 @@ -153,7 +153,7 @@ DEB_CONFIGURE_EXTRA_ARGS := \ -Dopenwsman=disabled \ -Ddriver_vz=disabled \ -Dqemu_user=libvirt-qemu \ - -Dqemu_group=libvirt-qemu \ + -Dqemu_group=kvm \ -Dqemu_moddir=/usr/lib/$(DEB_HOST_MULTIARCH)/qemu \ -Dqemu_datadir=/usr/share/qemu \ -Ddocs=enabled \ @@ -164,7 +164,7 @@ DEB_CONFIGURE_EXTRA_ARGS := \ -Dtls_priority=NORMAL \ $(WITH_OPENVZ) \ -Dsasl=enabled \ - -Dlibssh2=enabled \ + -Dlibssh2=disabled \ -Dlibssh=enabled \ -Dreadline=enabled \ -Dbash_completion=enabled \ @@ -275,6 +275,16 @@ ifeq ($(DEB_HOST_ARCH_OS), linux) mkdir -p $(DEB_DESTDIR)/etc/apt/apt.conf.d/ cp debian/apt/* \ $(DEB_DESTDIR)/etc/apt/apt.conf.d/ + + # Install apport package hook + mkdir -p $(DEB_DESTDIR)/usr/share/apport/package-hooks/ + cp -f debian/libvirt-daemon-common.apport \ + $(DEB_DESTDIR)/usr/share/apport/package-hooks/source_libvirt.py + + # Copy dnsmasq configuration + mkdir -p $(DEB_DESTDIR)/etc/dnsmasq.d-available/ + cp debian/libvirt-daemon-config-network.dnsmasq \ + $(DEB_DESTDIR)/etc/dnsmasq.d-available/libvirt-daemon endif # Copy the release notes where dh_installdocs can find them diff -pruN 11.6.0-1/debian/tests/control 11.6.0-1ubuntu6/debian/tests/control --- 11.6.0-1/debian/tests/control 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/control 2025-10-29 09:34:08.000000000 +0000 @@ -9,8 +9,9 @@ Tests: smoke-qemu-session, Depends: libvirt-clients, - libvirt-daemon, + libvirt-daemon-system, libxml2-utils, + linux-image-amd64 [amd64] | linux-generic [amd64], qemu-kvm, qemu-system, Restrictions: @@ -30,6 +31,7 @@ Restrictions: allow-stderr, isolation-machine, needs-root, + skippable, Tests: build-test, @@ -39,3 +41,24 @@ Depends: pkg-config, Restrictions: allow-stderr, + +Tests: + network, +Depends: + dnsmasq-base, + libvirt-clients, + libvirt-daemon, + libvirt-daemon-driver-qemu, +Restrictions: + allow-stderr, + needs-root, + +Tests: + default-uri, +Depends: + libvirt-clients, + libvirt-daemon, + libvirt-daemon-driver-qemu, +Restrictions: + allow-stderr, + needs-root, diff -pruN 11.6.0-1/debian/tests/default-uri 11.6.0-1ubuntu6/debian/tests/default-uri --- 11.6.0-1/debian/tests/default-uri 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/default-uri 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e +set -x + +# Setup +USER="testvirt" +adduser --disabled-password --gecos "" $USER +adduser $USER libvirt +cp /etc/libvirt/libvirt.conf /etc/libvirt/libvirt.conf.BAK + +# As root: +virsh uri | grep -q "qemu:///system" # Default + +# Config can override default +echo "uri_default = \"qemu:///conf_test\"" >> /etc/libvirt/libvirt.conf +virsh uri 2>&1 | grep -q "/conf_test" + +# ENV can override config +LIBVIRT_DEFAULT_URI="qemu:///test_env" virsh uri 2>&1 | grep -q "/test_env" + + +# As user: + +sudo -u $USER bash -ex <> ~/.config/libvirt/libvirt.conf +virsh uri 2>&1 | grep -q "/conf_test_user" + +# ENV can override config +LIBVIRT_DEFAULT_URI="qemu:///test_env_user" virsh uri 2>&1 | grep -q "/test_env_user" +EOF + +mv /etc/libvirt/libvirt.conf.BAK /etc/libvirt/libvirt.conf +exit 0 diff -pruN 11.6.0-1/debian/tests/network 11.6.0-1ubuntu6/debian/tests/network --- 11.6.0-1/debian/tests/network 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/network 2025-10-29 09:34:08.000000000 +0000 @@ -0,0 +1,32 @@ +#!/bin/sh + +set -e +set -x + +# Find primary interface (default route with lowest metric) +IFACE="$(ip -o -4 route show to default | sort -k11 -n | head -n 1 | awk '{print $5}')" + +# Verify libvirt IPs are not currently assigned +if $(ip addr | grep -q "192.168.122.1"); then + echo "ERROR: IP 192.168.122.1 shouldn't be there." + exit 1; +fi +if $(ip addr | grep -q "192.168.123.1"); then + echo "ERROR: IP 192.168.123.1 shouldn't be there." + exit 1; +fi + +# Consume primary libvirt IP, to trigger fallback condition +ip addr add 192.168.122.1 dev $IFACE + +# Set up virbr0 through maintainer scripts +apt -y install libvirt-daemon-config-network | grep -B2 -A2 "Changing to free 192.168.123.1/24" +cat /etc/libvirt/qemu/networks/default.xml +virsh net-list + +# Confirm IP addresses are correctly assigned +ip addr show $IFACE | grep -q "192.168.122.1" +ip addr show virbr0 | grep -q "192.168.123.1" + +echo 'Network test successful' +exit 0 diff -pruN 11.6.0-1/debian/tests/smoke-lxc 11.6.0-1ubuntu6/debian/tests/smoke-lxc --- 11.6.0-1/debian/tests/smoke-lxc 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/smoke-lxc 2024-08-27 13:19:01.000000000 +0000 @@ -16,10 +16,36 @@ cleanup() fi } +try_check_domain() +{ + for _ in $(seq 10); do + check_domain && return + sleep 2s + done + echo "Known to be unreliable on test infrastructure - skipping" + exit 77 +} + check_domain() { + rc=0 virsh list | grep -qs "${DOMAIN}[[:space:]]\+running" + rc=$((rc+$?)) virsh lxc-enter-namespace --noseclabel ${DOMAIN} /bin/ls /bin/ls + rc=$((rc+$?)) + return $rc +} + +try_restart_libvirtd() +{ + for _ in $(seq 10); do + systemctl restart libvirtd && return + sleep 2s + done + # This turned out to be flaky, non reproducible outside of LP-infra and + # is not what we want to test, Skip the test in this case + echo "Restart failed while checking for container-survival-through restart - skipping". + exit 77 } trap cleanup EXIT @@ -35,11 +61,11 @@ rm -f /var/log/libvirt/lxc/sl.log virsh start ${DOMAIN} # Check virtlogd is running grep -qs "starting up" /var/log/libvirt/lxc/sl.log -check_domain +try_check_domain # Make sure a restart doesn't termiante the domain -/etc/init.d/libvirtd restart -check_domain -virsh destroy ${DOMAIN} +try_restart_libvirtd +try_check_domain +virsh destroy ${DOMAIN} || true virsh undefine ${DOMAIN} CLEANED_UP=1 set +x diff -pruN 11.6.0-1/debian/tests/smoke-qemu-session 11.6.0-1ubuntu6/debian/tests/smoke-qemu-session --- 11.6.0-1/debian/tests/smoke-qemu-session 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/smoke-qemu-session 2024-08-27 13:19:01.000000000 +0000 @@ -27,8 +27,13 @@ if [ $(uname -m) != "x86_64" ]; then exit 77 fi +# to be able to load our simple guest from /vmlinuz later +sudo chown $USER /initrd.img +sudo chown $USER /vmlinuz + echo echo "Running as $USER" set -x + virt-host-validate qemu || true virsh capabilities virsh capabilities | grep -qs "arch name='x86_64'" diff -pruN 11.6.0-1/debian/tests/smoke-qemu-session.xml 11.6.0-1ubuntu6/debian/tests/smoke-qemu-session.xml --- 11.6.0-1/debian/tests/smoke-qemu-session.xml 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu6/debian/tests/smoke-qemu-session.xml 2024-08-27 13:19:01.000000000 +0000 @@ -1,4 +1,4 @@ - + sqs 256000 256000 @@ -18,7 +18,7 @@ destroy destroy - /usr/bin/kvm + /usr/bin/qemu-system-x86_64