diff --git a/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
new file mode 100644
index 0000000..97f8622
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
@@ -0,0 +1,46 @@
+From 66884f16592038ec091d4bb2ab1d492062a71c74 Mon Sep 17 00:00:00 2001
+Message-Id: <66884f16592038ec091d4bb2ab1d492062a71c74@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:02 +0200
+Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <470651092e7d6a4ba5875cf8885fd3714d5ea189.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee250..2978825d22 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+ virCheckNonNullArgGoto(xmlCPU, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectCompareHypervisorCPU) {
+ int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(xmlCPUs, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectBaselineHypervisorCPU) {
+ char *cpu;
+--
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
new file mode 100644
index 0000000..7028fcc
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
@@ -0,0 +1,38 @@
+From 804925f7bdd8cb7e80a0a76ea3323c55d89193ba Mon Sep 17 00:00:00 2001
+Message-Id: <804925f7bdd8cb7e80a0a76ea3323c55d89193ba@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:01 +0200
+Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <eeefd7cf2afba696bed78582e086bfbd3ed23e00.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 3855dfe0dd..a1c913bd86 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11279,6 +11279,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+ virResetLastError();
+
+ virCheckConnectReturn(conn, NULL);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectGetDomainCapabilities) {
+ char *ret;
+--
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
new file mode 100644
index 0000000..170a379
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
@@ -0,0 +1,40 @@
+From 0f8966e0ce1887610b5eb9d955780662fc854094 Mon Sep 17 00:00:00 2001
+Message-Id: <0f8966e0ce1887610b5eb9d955780662fc854094@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:00 +0200
+Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <352bf5e963a6482d426f97b0ef36ca019e69280b.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 0ba85b9360..3855dfe0dd 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9487,6 +9487,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+
+ virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainManagedSaveDefineXML) {
+ int ret;
+--
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
new file mode 100644
index 0000000..83a3d5a
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
@@ -0,0 +1,98 @@
+From 799c1b70cdcfffd313315e9ab31d96bbb836aed6 Mon Sep 17 00:00:00 2001
+Message-Id: <799c1b70cdcfffd313315e9ab31d96bbb836aed6@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:29:59 +0200
+Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Conflicts:
+ src/libvirt-domain.c
+ src/remote/remote_protocol.x
+
+Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+alias for VIR_DOMAIN_XML_SECURE is not backported.
+Just skip the commit since we now disallow the whole API on read-only
+connections, regardless of the flag.
+Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>
+
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c | 11 ++---------
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 3 +--
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index ad0ded9ee3..0ba85b9360 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+ * previously by virDomainSave() or virDomainSaveFlags().
+ *
+ * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections. For this API, @flags should not contain either
+- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
++ * VIR_DOMAIN_XML_SECURE.
+ *
+ * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+ * error. The caller must free() the returned value.
+@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(file, error);
+-
+- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+- _("virDomainSaveImageGetXMLDesc with secure flag"));
+- goto error;
+- }
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainSaveImageGetXMLDesc) {
+ char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 21d836a540..fcccdb57c3 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -6784,7 +6784,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+ if (fd < 0)
+ goto cleanup;
+
+- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+ goto cleanup;
+
+ ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 28c8febabd..52b92334fa 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+ /**
+ * @generate: both
+ * @priority: high
+- * @acl: domain:read
+- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+
+--
+2.22.0
+
diff --git a/SOURCES/libvirt-virfile-added-GPFS-as-shared-fs.patch b/SOURCES/libvirt-virfile-added-GPFS-as-shared-fs.patch
new file mode 100644
index 0000000..eb111ed
--- /dev/null
+++ b/SOURCES/libvirt-virfile-added-GPFS-as-shared-fs.patch
@@ -0,0 +1,125 @@
+From e1d05dd50a1147b967afb89c57e77df9b5b5fc2d Mon Sep 17 00:00:00 2001
+Message-Id: <e1d05dd50a1147b967afb89c57e77df9b5b5fc2d@dist-git>
+From: Diego Michelotto <diego.michelotto@cnaf.infn.it>
+Date: Tue, 4 Jun 2019 12:12:26 +0200
+Subject: [PATCH] virfile: added GPFS as shared fs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Added GPFS as shared file system recognized during live migration
+security checks.
+
+GPFS is 'IBM General Parallel File System' also called
+'IBM Spectrum Scale'
+
+BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1679528
+
+Signed-off-by: Diego Michelotto <diego.michelotto@cnaf.infn.it>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit d163b940a73a0d6b8277a4bccef2b60936933cf0)
+
+https: //bugzilla.redhat.com/show_bug.cgi?id=1715867
+Message-Id: <fa948f8d8b0b236ca7a5207f6d52c13274fe9058.1559642578.git.pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/util/virfile.c | 9 ++++++++-
+ src/util/virfile.h | 1 +
+ tests/virfiledata/mounts3.txt | 1 +
+ tests/virfilemock.c | 5 +++++
+ tests/virfiletest.c | 1 +
+ 5 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/virfile.c b/src/util/virfile.c
+index 471d309062..e0564295dd 100644
+--- a/src/util/virfile.c
++++ b/src/util/virfile.c
+@@ -3540,6 +3540,9 @@ int virFilePrintf(FILE *fp, const char *msg, ...)
+ # ifndef CEPH_SUPER_MAGIC
+ # define CEPH_SUPER_MAGIC 0x00C36400
+ # endif
++# ifndef GPFS_SUPER_MAGIC
++# define GPFS_SUPER_MAGIC 0x47504653
++# endif
+
+ # define PROC_MOUNTS "/proc/mounts"
+
+@@ -3688,6 +3691,9 @@ virFileIsSharedFSType(const char *path,
+ if ((fstypes & VIR_FILE_SHFS_CEPH) &&
+ (f_type == CEPH_SUPER_MAGIC))
+ return 1;
++ if ((fstypes & VIR_FILE_SHFS_GPFS) &&
++ (f_type == GPFS_SUPER_MAGIC))
++ return 1;
+
+ return 0;
+ }
+@@ -3852,7 +3858,8 @@ int virFileIsSharedFS(const char *path)
+ VIR_FILE_SHFS_AFS |
+ VIR_FILE_SHFS_SMB |
+ VIR_FILE_SHFS_CIFS |
+- VIR_FILE_SHFS_CEPH);
++ VIR_FILE_SHFS_CEPH |
++ VIR_FILE_SHFS_GPFS);
+ }
+
+
+diff --git a/src/util/virfile.h b/src/util/virfile.h
+index 1d16e96b59..51c221e069 100644
+--- a/src/util/virfile.h
++++ b/src/util/virfile.h
+@@ -206,6 +206,7 @@ enum {
+ VIR_FILE_SHFS_SMB = (1 << 4),
+ VIR_FILE_SHFS_CIFS = (1 << 5),
+ VIR_FILE_SHFS_CEPH = (1 << 6),
++ VIR_FILE_SHFS_GPFS = (1 << 7),
+ };
+
+ int virFileIsSharedFSType(const char *path, int fstypes) ATTRIBUTE_NONNULL(1);
+diff --git a/tests/virfiledata/mounts3.txt b/tests/virfiledata/mounts3.txt
+index 68eded048c..4377e5d471 100644
+--- a/tests/virfiledata/mounts3.txt
++++ b/tests/virfiledata/mounts3.txt
+@@ -35,3 +35,4 @@ host:/gv0 /gluster fuse.glusterfs rw 0 0
+ root@host:/tmp/mkdir /gluster/sshfs fuse.sshfs rw 0 0
+ 192.168.0.1:/ceph/data /ceph ceph rw,noatime,name=cephfs,secret=<hidden>,acl,wsize=16777216 0 0
+ 192.168.0.1,192.168.0.2,192.168.0.3:/ceph/data2 /ceph/multi ceph rw,noatime,name=cephfs,secret=<hidden>,acl,wsize=16777216 0 0
++gpfs_data /gpfs/data gpfs rw,relatime 0 0
+diff --git a/tests/virfilemock.c b/tests/virfilemock.c
+index eb5182df66..02f26433d4 100644
+--- a/tests/virfilemock.c
++++ b/tests/virfilemock.c
+@@ -91,6 +91,9 @@ setmntent(const char *filename, const char *type)
+ #ifndef CEPH_SUPER_MAGIC
+ # define CEPH_SUPER_MAGIC 0x00c36400
+ #endif
++#ifndef GPFS_SUPER_MAGIC
++# define GPFS_SUPER_MAGIC 0x47504653
++#endif
+
+
+ static int
+@@ -139,6 +142,8 @@ statfs_mock(const char *mtab,
+ ftype = FUSE_SUPER_MAGIC;
+ } else if (STRPREFIX(mb.mnt_type, "ceph")) {
+ ftype = CEPH_SUPER_MAGIC;
++ } else if (STRPREFIX(mb.mnt_type, "gpfs")) {
++ ftype = GPFS_SUPER_MAGIC;
+ } else {
+ /* Everything else is EXT4. We don't care really for other paths. */
+ ftype = EXT4_SUPER_MAGIC;
+diff --git a/tests/virfiletest.c b/tests/virfiletest.c
+index 972c07fdc5..5f17676c75 100644
+--- a/tests/virfiletest.c
++++ b/tests/virfiletest.c
+@@ -460,6 +460,7 @@ mymain(void)
+ DO_TEST_FILE_IS_SHARED_FS_TYPE("mounts3.txt", "/some/symlink/file", true);
+ DO_TEST_FILE_IS_SHARED_FS_TYPE("mounts3.txt", "/ceph/file", true);
+ DO_TEST_FILE_IS_SHARED_FS_TYPE("mounts3.txt", "/ceph/multi/file", true);
++ DO_TEST_FILE_IS_SHARED_FS_TYPE("mounts3.txt", "/gpfs/data", true);
+
+ return ret != 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+ }
+--
+2.21.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 70ed4ef..6bbbf4f 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -253,7 +253,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 4.5.0
-Release: 10%{?dist}.10%{?extra_release}
+Release: 10%{?dist}.12%{?extra_release}
License: LGPLv2+
URL: https://libvirt.org/
@@ -419,6 +419,11 @@ Patch153: libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjS
Patch154: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
Patch155: libvirt-locking-restrict-sockets-to-mode-0600.patch
Patch156: libvirt-logging-restrict-sockets-to-mode-0600.patch
+Patch157: libvirt-virfile-added-GPFS-as-shared-fs.patch
+Patch158: libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
+Patch159: libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
+Patch160: libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
+Patch161: libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2320,6 +2325,15 @@ exit 0
%changelog
+* Tue Jun 18 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-10.el7_6.12
+- api: disallow virDomainSaveImageGetXMLDesc on read-only connections (CVE-2019-10161)
+- api: disallow virDomainManagedSaveDefineXML on read-only connections (CVE-2019-10166)
+- api: disallow virConnectGetDomainCapabilities on read-only connections (CVE-2019-10167)
+- api: disallow virConnect*HypervisorCPU on read-only connections (CVE-2019-10168)
+
+* Wed Jun 5 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-10.el7_6.11
+- virfile: added GPFS as shared fs (rhbz#1715867)
+
* Thu May 16 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-10.el7_6.10
- virnwfilterbindingobj: Introduce and use virNWFilterBindingObjStealDef (rhbz#1702173)
- admin: reject clients unless their UID matches the current UID (CVE-2019-10132)