api: disallow virConnect*HypervisorCPU on read-only connections

These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit bf6c2830b6) Signed-off-by: Ján Tomko <jtomko@redhat.com>
api: disallow virConnectGetDomainCapabilities on read-only connections
2025-09-06 05:44:56 +03:00 · 2019-06-24 09:40:32 +02:00 · 2019-06-24 09:40:28 +02:00 · 2019-06-24 09:40:25 +02:00 · 2019-06-24 09:39:42 +02:00 · 2019-05-21 13:25:54 +01:00
31 changed files with 998 additions and 78 deletions
--- a/m4/virt-storage-rbd.m4
+++ b/m4/virt-storage-rbd.m4
@@ -33,6 +33,7 @@ AC_DEFUN([LIBVIRT_STORAGE_CHECK_RBD], [
      old_LIBS="$LIBS"
      LIBS="$LIBS $LIBRBD_LIBS"
      AC_CHECK_FUNCS([rbd_get_features],[],[LIBRBD_FOUND=no])
+      AC_CHECK_FUNCS([rbd_list2])
      LIBS="$old_LIBS"
    fi

--- a/src/admin/admin_server_dispatch.c
+++ b/src/admin/admin_server_dispatch.c
@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
                   void *opaque)
 {
    struct daemonAdmClientPrivate *priv;
+    uid_t clientuid;
+    gid_t clientgid;
+    pid_t clientpid;
+    unsigned long long timestamp;
+
+    if (virNetServerClientGetUNIXIdentity(client,
+                                          &clientuid,
+                                          &clientgid,
+                                          &clientpid,
+                                          &timestamp) < 0)
+        return NULL;
+
+    VIR_DEBUG("New client pid %lld uid %lld",
+              (long long)clientpid,
+              (long long)clientuid);
+
+    if (geteuid() != clientuid) {
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
+                                 (long long)clientpid,
+                                 (long long)clientuid);
+        return NULL;
+    }

    if (VIR_ALLOC(priv) < 0)
        return NULL;
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
@@ -165,7 +165,6 @@ struct _virCPUx86Map {
 };

 static virCPUx86MapPtr cpuMap;
-static unsigned int microcodeVersion;

 int virCPUx86DriverOnceInit(void);
 VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
@@ -1332,8 +1331,6 @@ virCPUx86DriverOnceInit(void)
    if (!(cpuMap = virCPUx86LoadMap()))
        return -1;

-    microcodeVersion = virHostCPUGetMicrocodeVersion();
-
    return 0;
 }

@@ -2373,7 +2370,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
        goto cleanup;

    ret = x86DecodeCPUData(cpu, cpuData, models);
-    cpu->microcodeVersion = microcodeVersion;
+    cpu->microcodeVersion = virHostCPUGetMicrocodeVersion();

 cleanup:
    virCPUx86DataFree(cpuData);
--- a/src/cpu_map/x86_features.xml
+++ b/src/cpu_map/x86_features.xml
@@ -317,6 +317,9 @@
  <feature name='avx512-4fmaps'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
  </feature>
+  <feature name='md-clear'> <!-- md_clear -->
+    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
+  </feature>
  <feature name='pconfig'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00040000'/>
  </feature>
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
 * previously by virDomainSave() or virDomainSaveFlags().
 *
 * No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only
- * connections.
+ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE.
 *
 * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
 * error.  The caller must free() the returned value.
@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(file, error);
-
-    if ((conn->flags & VIR_CONNECT_RO) &&
-        (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) {
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
-        goto error;
-    }
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainSaveImageGetXMLDesc) {
        char *ret;
@@ -9572,6 +9565,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,

    virCheckDomainReturn(domain, -1);
    conn = domain->conn;
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainManagedSaveDefineXML) {
        int ret;
@@ -11366,6 +11360,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
    virResetLastError();

    virCheckConnectReturn(conn, NULL);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectGetDomainCapabilities) {
        char *ret;
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,

    virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
    virCheckNonNullArgGoto(xmlCPU, error);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectCompareHypervisorCPU) {
        int ret;
@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(xmlCPUs, error);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectBaselineHypervisorCPU) {
        char *cpu;
--- a/src/locking/virtlockd-admin.socket.in
+++ b/src/locking/virtlockd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
 Service=virtlockd.service
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/locking/virtlockd.socket.in
+++ b/src/locking/virtlockd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service

 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/logging/virtlogd-admin.socket.in
+++ b/src/logging/virtlogd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
 Service=virtlogd.service
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/logging/virtlogd.socket.in
+++ b/src/logging/virtlogd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service

 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2108,8 +2108,11 @@ static void
 networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)
 {
    VIR_INFO("Reloading iptables rules");
-    if (networkPreReloadFirewallRules(startup) < 0)
+    /* Ideally we'd not even register the driver when unprivilegd
+     * but until we untangle the virt driver that's not viable */
+    if (!driver->privileged)
        return;
+    networkPreReloadFirewallRules(startup);
    virNetworkObjListForEach(driver->networks,
                             networkReloadFirewallRulesHelper,
                             NULL);
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -35,11 +35,37 @@ VIR_LOG_INIT("network.bridge_driver_linux");

 #define PROC_NET_ROUTE "/proc/net/route"

-int networkPreReloadFirewallRules(bool startup)
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
+
+void networkPreReloadFirewallRules(bool startup)
 {
-    int ret = iptablesSetupPrivateChains();
-    if (ret < 0)
-        return -1;
+    bool created = false;
+    int rc;
+
+    /* We create global rules upfront as we don't want
+     * the perf hit of conditionally figuring out whether
+     * to create them each time a network is started.
+     *
+     * Any errors here are saved to be reported at time
+     * of starting the network though as that makes them
+     * more likely to be seen by a human
+     */
+    rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
+    if (rc < 0) {
+        errInitV4 = virSaveLastError();
+        virResetLastError();
+    }
+    if (rc)
+        created = true;
+
+    rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
+    if (rc < 0) {
+        errInitV6 = virSaveLastError();
+        virResetLastError();
+    }
+    if (rc)
+        created = true;

    /*
     * If this is initial startup, and we just created the
@@ -54,10 +80,8 @@ int networkPreReloadFirewallRules(bool startup)
     * rules will be present. Thus we can safely just tell it
     * to always delete from the builin chain
     */
-    if (startup && ret == 1)
+    if (startup && created)
        iptablesSetDeletePrivate(false);
-
-    return 0;
 }


@@ -671,6 +695,21 @@ int networkAddFirewallRules(virNetworkDefPtr def)
    virFirewallPtr fw = NULL;
    int ret = -1;

+    if (errInitV4 &&
+        (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+         virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+        virSetError(errInitV4);
+        return -1;
+    }
+
+    if (errInitV6 &&
+        (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+         virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+         def->ipv6nogw)) {
+        virSetError(errInitV6);
+        return -1;
+    }
+
    if (def->bridgeZone) {

        /* if a firewalld zone has been specified, fail/log an error
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -19,9 +19,8 @@

 #include <config.h>

-int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
+void networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
-    return 0;
 }


--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -58,7 +58,7 @@ struct _virNetworkDriverState {
 typedef struct _virNetworkDriverState virNetworkDriverState;
 typedef virNetworkDriverState *virNetworkDriverStatePtr;

-int networkPreReloadFirewallRules(bool startup);
+void networkPreReloadFirewallRules(bool startup);
 void networkPostReloadFirewallRules(bool startup);

 int networkCheckRouteCollision(virNetworkDefPtr def);
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4487,7 +4487,7 @@ virQEMUCapsNewData(const char *binary,
                                           priv->libDir,
                                           priv->runUid,
                                           priv->runGid,
-                                           priv->microcodeVersion,
+                                           virHostCPUGetMicrocodeVersion(),
                                           priv->kernelVersion);
 }

@@ -4570,8 +4570,7 @@ virFileCachePtr
 virQEMUCapsCacheNew(const char *libDir,
                    const char *cacheDir,
                    uid_t runUid,
-                    gid_t runGid,
-                    unsigned int microcodeVersion)
+                    gid_t runGid)
 {
    char *capsCacheDir = NULL;
    virFileCachePtr cache = NULL;
@@ -4595,7 +4594,6 @@ virQEMUCapsCacheNew(const char *libDir,

    priv->runUid = runUid;
    priv->runGid = runGid;
-    priv->microcodeVersion = microcodeVersion;
    priv->kvmUsable = VIR_TRISTATE_BOOL_ABSENT;

    if (uname(&uts) == 0 &&
@@ -4617,8 +4615,11 @@ virQEMUCapsPtr
 virQEMUCapsCacheLookup(virFileCachePtr cache,
                       const char *binary)
 {
+    virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
    virQEMUCapsPtr ret = NULL;

+    priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
+
    ret = virFileCacheLookup(cache, binary);

    VIR_DEBUG("Returning caps %p for %s", ret, binary);
@@ -4672,6 +4673,7 @@ virQEMUCapsPtr
 virQEMUCapsCacheLookupByArch(virFileCachePtr cache,
                             virArch arch)
 {
+    virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
    virQEMUCapsPtr ret = NULL;
    const char *binaryFilters[] = {
        "qemu-system-",
@@ -4684,6 +4686,8 @@ virQEMUCapsCacheLookupByArch(virFileCachePtr cache,
    size_t i;
    size_t j;

+    priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
+
    for (i = 0; i < ARRAY_CARDINALITY(binaryFilters); i++) {
        for (j = 0; j < ARRAY_CARDINALITY(archs); j++) {
            struct virQEMUCapsSearchData data = {
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -587,8 +587,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
 virFileCachePtr virQEMUCapsCacheNew(const char *libDir,
                                    const char *cacheDir,
                                    uid_t uid,
-                                    gid_t gid,
-                                    unsigned int microcodeVersion);
+                                    gid_t gid);
 virQEMUCapsPtr virQEMUCapsCacheLookup(virFileCachePtr cache,
                                      const char *binary);
 virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache,
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -585,8 +585,6 @@ qemuStateInitialize(bool privileged,
    char *hugepagePath = NULL;
    char *memoryBackingPath = NULL;
    size_t i;
-    virCPUDefPtr hostCPU = NULL;
-    unsigned int microcodeVersion = 0;

    if (VIR_ALLOC(qemu_driver) < 0)
        return -1;
@@ -809,15 +807,10 @@ qemuStateInitialize(bool privileged,
        run_gid = cfg->group;
    }

-    if ((hostCPU = virCPUProbeHost(virArchFromHost())))
-        microcodeVersion = hostCPU->microcodeVersion;
-    virCPUDefFree(hostCPU);
-
    qemu_driver->qemuCapsCache = virQEMUCapsCacheNew(cfg->libDir,
                                                     cfg->cacheDir,
                                                     run_uid,
-                                                     run_gid,
-                                                     microcodeVersion);
+                                                     run_gid);
    if (!qemu_driver->qemuCapsCache)
        goto error;

@@ -7090,7 +7083,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
    if (fd < 0)
        goto cleanup;

-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
        goto cleanup;

    ret = qemuDomainDefFormatXML(driver, def, flags);
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5234,8 +5234,7 @@ enum remote_procedure {
    /**
     * @generate: both
     * @priority: high
-     * @acl: domain:read
-     * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,

--- a/src/storage/storage_backend_rbd.c
+++ b/src/storage/storage_backend_rbd.c
@@ -565,19 +565,111 @@ volStorageBackendRBDRefreshVolInfo(virStorageVolDefPtr vol,
    return ret;
 }

+
+#ifdef HAVE_RBD_LIST2
+static char **
+virStorageBackendRBDGetVolNames(virStorageBackendRBDStatePtr ptr)
+{
+    char **names = NULL;
+    size_t nnames = 0;
+    int rc;
+    rbd_image_spec_t *images = NULL;
+    size_t nimages = 16;
+    size_t i;
+
+    while (true) {
+        if (VIR_ALLOC_N(images, nimages) < 0)
+            goto error;
+
+        rc = rbd_list2(ptr->ioctx, images, &nimages);
+        if (rc >= 0)
+            break;
+        if (rc != -ERANGE) {
+            virReportSystemError(-rc, "%s", _("Unable to list RBD images"));
+            goto error;
+        }
+    }
+
+    if (VIR_ALLOC_N(names, nimages + 1) < 0)
+        goto error;
+    nnames = nimages;
+
+    for (i = 0; i < nimages; i++)
+        VIR_STEAL_PTR(names[i], images->name);
+
+    return names;
+
+ error:
+    virStringListFreeCount(names, nnames);
+    rbd_image_spec_list_cleanup(images, nimages);
+    VIR_FREE(images);
+    return NULL;
+}
+
+#else /* ! HAVE_RBD_LIST2 */
+
+static char **
+virStorageBackendRBDGetVolNames(virStorageBackendRBDStatePtr ptr)
+{
+    char **names = NULL;
+    size_t nnames = 0;
+    int rc;
+    size_t max_size = 1024;
+    VIR_AUTOFREE(char *) namebuf = NULL;
+    const char *name;
+
+    while (true) {
+        if (VIR_ALLOC_N(namebuf, max_size) < 0)
+            goto error;
+
+        rc = rbd_list(ptr->ioctx, namebuf, &max_size);
+        if (rc >= 0)
+            break;
+        if (rc != -ERANGE) {
+            virReportSystemError(-rc, "%s", _("Unable to list RBD images"));
+            goto error;
+        }
+        VIR_FREE(namebuf);
+    }
+
+    for (name = namebuf; name < namebuf + max_size;) {
+        VIR_AUTOFREE(char *) namedup = NULL;
+
+        if (STREQ(name, ""))
+            break;
+
+        if (VIR_STRDUP(namedup, name) < 0)
+            goto error;
+
+        if (VIR_APPEND_ELEMENT(names, nnames, namedup) < 0)
+            goto error;
+
+        name += strlen(name) + 1;
+    }
+
+    if (VIR_EXPAND_N(names, nnames, 1) < 0)
+        goto error;
+
+    return names;
+
+ error:
+    virStringListFreeCount(names, nnames);
+    return NULL;
+}
+#endif /* ! HAVE_RBD_LIST2 */
+
+
 static int
 virStorageBackendRBDRefreshPool(virStoragePoolObjPtr pool)
 {
-    size_t max_size = 1024;
    int ret = -1;
-    int len = -1;
    int r = 0;
-    char *name;
    virStoragePoolDefPtr def = virStoragePoolObjGetDef(pool);
    virStorageBackendRBDStatePtr ptr = NULL;
    struct rados_cluster_stat_t clusterstat;
    struct rados_pool_stat_t poolstat;
-    VIR_AUTOFREE(char *) names = NULL;
+    char **names = NULL;
+    size_t i;

    if (!(ptr = virStorageBackendRBDNewState(pool)))
        goto cleanup;
@@ -602,33 +694,16 @@ virStorageBackendRBDRefreshPool(virStoragePoolObjPtr pool)
              def->source.name, clusterstat.kb, clusterstat.kb_avail,
              poolstat.num_bytes);

-    while (true) {
-        if (VIR_ALLOC_N(names, max_size) < 0)
-            goto cleanup;
+    if (!(names = virStorageBackendRBDGetVolNames(ptr)))
+        goto cleanup;

-        len = rbd_list(ptr->ioctx, names, &max_size);
-        if (len >= 0)
-            break;
-        if (len != -ERANGE) {
-            VIR_WARN("%s", "A problem occurred while listing RBD images");
-            goto cleanup;
-        }
-        VIR_FREE(names);
-    }
-
-    for (name = names; name < names + max_size;) {
+    for (i = 0; names[i] != NULL; i++) {
        VIR_AUTOPTR(virStorageVolDef) vol = NULL;

-        if (STREQ(name, ""))
-            break;
-
        if (VIR_ALLOC(vol) < 0)
            goto cleanup;

-        if (VIR_STRDUP(vol->name, name) < 0)
-            goto cleanup;
-
-        name += strlen(name) + 1;
+        VIR_STEAL_PTR(vol->name, names[i]);

        r = volStorageBackendRBDRefreshVolInfo(vol, pool, ptr);

@@ -661,6 +736,7 @@ virStorageBackendRBDRefreshPool(virStoragePoolObjPtr pool)
    ret = 0;

 cleanup:
+    virStringListFree(names);
    virStorageBackendRBDFreeState(&ptr);
    return ret;
 }
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -127,7 +127,7 @@ iptablesPrivateChainCreate(virFirewallPtr fw,


 int
-iptablesSetupPrivateChains(void)
+iptablesSetupPrivateChains(virFirewallLayer layer)
 {
    virFirewallPtr fw = NULL;
    int ret = -1;
@@ -143,17 +143,11 @@ iptablesSetupPrivateChains(void)
    };
    bool changed = false;
    iptablesGlobalChainData data[] = {
-        { VIR_FIREWALL_LAYER_IPV4, "filter",
+        { layer, "filter",
          filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
-        { VIR_FIREWALL_LAYER_IPV4, "nat",
+        { layer, "nat",
          natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
-        { VIR_FIREWALL_LAYER_IPV4, "mangle",
-          natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
-        { VIR_FIREWALL_LAYER_IPV6, "filter",
-          filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
-        { VIR_FIREWALL_LAYER_IPV6, "nat",
-          natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
-        { VIR_FIREWALL_LAYER_IPV6, "mangle",
+        { layer, "mangle",
          natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
    };
    size_t i;
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -24,7 +24,7 @@
 # include "virsocketaddr.h"
 # include "virfirewall.h"

-int              iptablesSetupPrivateChains      (void);
+int              iptablesSetupPrivateChains      (virFirewallLayer layer);

 void             iptablesSetDeletePrivate        (bool pvt);

--- a/tests/cputest.c
+++ b/tests/cputest.c
@@ -1184,6 +1184,7 @@ mymain(void)
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST);
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST);
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE);
+    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1225-v5", JSON_MODELS);
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1245-v5", JSON_MODELS);
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2609-v3", JSON_MODELS);
    DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2623-v4", JSON_MODELS);
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
@@ -0,0 +1,7 @@
+<!-- Features disabled by QEMU -->
+<cpudata arch='x86'>
+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x0800c1fc' edx='0xb0600000'/>
+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x02000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
+</cpudata>
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
@@ -0,0 +1,8 @@
+<!-- Features enabled by QEMU -->
+<cpudata arch='x86'>
+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
+  <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
+</cpudata>
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
@@ -0,0 +1,29 @@
+<cpu mode='custom' match='exact'>
+  <model fallback='forbid'>Skylake-Client-IBRS</model>
+  <vendor>Intel</vendor>
+  <feature policy='require' name='ds'/>
+  <feature policy='require' name='acpi'/>
+  <feature policy='require' name='ss'/>
+  <feature policy='require' name='ht'/>
+  <feature policy='require' name='tm'/>
+  <feature policy='require' name='pbe'/>
+  <feature policy='require' name='dtes64'/>
+  <feature policy='require' name='monitor'/>
+  <feature policy='require' name='ds_cpl'/>
+  <feature policy='require' name='vmx'/>
+  <feature policy='require' name='smx'/>
+  <feature policy='require' name='est'/>
+  <feature policy='require' name='tm2'/>
+  <feature policy='require' name='xtpr'/>
+  <feature policy='require' name='pdcm'/>
+  <feature policy='require' name='osxsave'/>
+  <feature policy='require' name='tsc_adjust'/>
+  <feature policy='require' name='clflushopt'/>
+  <feature policy='require' name='intel-pt'/>
+  <feature policy='require' name='md-clear'/>
+  <feature policy='require' name='stibp'/>
+  <feature policy='require' name='ssbd'/>
+  <feature policy='require' name='xsaves'/>
+  <feature policy='require' name='pdpe1gb'/>
+  <feature policy='require' name='invtsc'/>
+</cpu>
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
@@ -0,0 +1,30 @@
+<cpu>
+  <arch>x86_64</arch>
+  <model>Skylake-Client-IBRS</model>
+  <vendor>Intel</vendor>
+  <feature name='ds'/>
+  <feature name='acpi'/>
+  <feature name='ss'/>
+  <feature name='ht'/>
+  <feature name='tm'/>
+  <feature name='pbe'/>
+  <feature name='dtes64'/>
+  <feature name='monitor'/>
+  <feature name='ds_cpl'/>
+  <feature name='vmx'/>
+  <feature name='smx'/>
+  <feature name='est'/>
+  <feature name='tm2'/>
+  <feature name='xtpr'/>
+  <feature name='pdcm'/>
+  <feature name='osxsave'/>
+  <feature name='tsc_adjust'/>
+  <feature name='clflushopt'/>
+  <feature name='intel-pt'/>
+  <feature name='md-clear'/>
+  <feature name='stibp'/>
+  <feature name='ssbd'/>
+  <feature name='xsaves'/>
+  <feature name='pdpe1gb'/>
+  <feature name='invtsc'/>
+</cpu>
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
@@ -0,0 +1,12 @@
+<cpu mode='custom' match='exact'>
+  <model fallback='forbid'>Skylake-Client-IBRS</model>
+  <vendor>Intel</vendor>
+  <feature policy='require' name='ss'/>
+  <feature policy='require' name='hypervisor'/>
+  <feature policy='require' name='tsc_adjust'/>
+  <feature policy='require' name='clflushopt'/>
+  <feature policy='require' name='md-clear'/>
+  <feature policy='require' name='stibp'/>
+  <feature policy='require' name='ssbd'/>
+  <feature policy='require' name='pdpe1gb'/>
+</cpu>
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
@@ -0,0 +1,652 @@
+{
+  "return": {
+    "model": {
+      "name": "base",
+      "props": {
+        "phys-bits": 0,
+        "core-id": -1,
+        "xlevel": 2147483656,
+        "cmov": true,
+        "ia64": false,
+        "aes": true,
+        "mmx": true,
+        "rdpid": false,
+        "arat": true,
+        "gfni": false,
+        "pause-filter": false,
+        "xsavec": true,
+        "intel-pt": false,
+        "osxsave": false,
+        "hv-frequencies": false,
+        "tsc-frequency": 0,
+        "xd": true,
+        "hv-vendor-id": "",
+        "kvm-asyncpf": true,
+        "kvm_asyncpf": true,
+        "perfctr_core": false,
+        "perfctr-core": false,
+        "mpx": true,
+        "pbe": false,
+        "decodeassists": false,
+        "avx512cd": false,
+        "sse4_1": true,
+        "sse4.1": true,
+        "sse4-1": true,
+        "family": 6,
+        "legacy-cache": true,
+        "vmware-cpuid-freq": true,
+        "avx512f": false,
+        "msr": true,
+        "mce": true,
+        "mca": true,
+        "hv-runtime": false,
+        "xcrypt": false,
+        "thread-id": -1,
+        "min-level": 13,
+        "xgetbv1": true,
+        "cid": false,
+        "hv-relaxed": false,
+        "hv-crash": false,
+        "ds": false,
+        "fxsr": true,
+        "xsaveopt": true,
+        "xtpr": false,
+        "avx512vl": false,
+        "avx512-vpopcntdq": false,
+        "phe": false,
+        "extapic": false,
+        "3dnowprefetch": true,
+        "avx512vbmi2": false,
+        "cr8legacy": false,
+        "stibp": true,
+        "cpuid-0xb": true,
+        "xcrypt-en": false,
+        "kvm_pv_eoi": true,
+        "apic-id": 4294967295,
+        "pn": false,
+        "dca": false,
+        "vendor": "GenuineIntel",
+        "pku": false,
+        "smx": false,
+        "cmp_legacy": false,
+        "cmp-legacy": false,
+        "node-id": -1,
+        "avx512-4fmaps": false,
+        "vmcb_clean": false,
+        "vmcb-clean": false,
+        "3dnowext": false,
+        "hle": true,
+        "npt": false,
+        "memory": "/machine/unattached/system[0]",
+        "clwb": false,
+        "lbrv": false,
+        "adx": true,
+        "ss": true,
+        "pni": true,
+        "svm_lock": false,
+        "svm-lock": false,
+        "pfthreshold": false,
+        "smep": true,
+        "smap": true,
+        "x2apic": true,
+        "avx512vbmi": false,
+        "avx512vnni": false,
+        "hv-stimer": false,
+        "i64": true,
+        "flushbyasid": false,
+        "f16c": true,
+        "ace2-en": false,
+        "pat": true,
+        "pae": true,
+        "sse": true,
+        "phe-en": false,
+        "kvm_nopiodelay": true,
+        "kvm-nopiodelay": true,
+        "tm": false,
+        "kvmclock-stable-bit": true,
+        "hypervisor": true,
+        "socket-id": -1,
+        "pcommit": false,
+        "syscall": true,
+        "level": 13,
+        "avx512dq": false,
+        "svm": false,
+        "full-cpuid-auto-level": true,
+        "hv-reset": false,
+        "invtsc": false,
+        "sse3": true,
+        "sse2": true,
+        "ssbd": true,
+        "est": false,
+        "avx512ifma": false,
+        "tm2": false,
+        "kvm-pv-eoi": true,
+        "cx8": true,
+        "kvm_mmu": false,
+        "kvm-mmu": false,
+        "sse4_2": true,
+        "sse4.2": true,
+        "sse4-2": true,
+        "pge": true,
+        "fill-mtrr-mask": true,
+        "avx512bitalg": false,
+        "nodeid_msr": false,
+        "pdcm": false,
+        "movbe": true,
+        "model": 94,
+        "nrip_save": false,
+        "nrip-save": false,
+        "kvm_pv_unhalt": true,
+        "ssse3": true,
+        "sse4a": false,
+        "invpcid": true,
+        "pdpe1gb": true,
+        "tsc-deadline": true,
+        "fma": true,
+        "cx16": true,
+        "de": true,
+        "enforce": false,
+        "stepping": 3,
+        "xsave": true,
+        "clflush": true,
+        "skinit": false,
+        "tsc": true,
+        "tce": false,
+        "fpu": true,
+        "ibs": false,
+        "ds_cpl": false,
+        "ds-cpl": false,
+        "host-phys-bits": true,
+        "fma4": false,
+        "la57": false,
+        "osvw": false,
+        "check": true,
+        "hv-spinlocks": -1,
+        "pmu": false,
+        "pmm": false,
+        "apic": true,
+        "spec-ctrl": true,
+        "min-xlevel2": 0,
+        "tsc-adjust": true,
+        "tsc_adjust": true,
+        "kvm-steal-time": true,
+        "kvm_steal_time": true,
+        "kvmclock": true,
+        "l3-cache": true,
+        "lwp": false,
+        "ibpb": false,
+        "xop": false,
+        "avx": true,
+        "ospke": false,
+        "ace2": false,
+        "avx512bw": false,
+        "acpi": false,
+        "hv-vapic": false,
+        "fsgsbase": true,
+        "ht": false,
+        "nx": true,
+        "pclmulqdq": true,
+        "mmxext": false,
+        "vaes": false,
+        "popcnt": true,
+        "xsaves": false,
+        "tcg-cpuid": true,
+        "lm": true,
+        "umip": false,
+        "pse": true,
+        "avx2": true,
+        "sep": true,
+        "pclmuldq": true,
+        "virt-ssbd": false,
+        "x-hv-max-vps": -1,
+        "nodeid-msr": false,
+        "md-clear": true,
+        "kvm": true,
+        "misalignsse": false,
+        "min-xlevel": 2147483656,
+        "kvm-pv-unhalt": true,
+        "bmi2": true,
+        "bmi1": true,
+        "realized": false,
+        "tsc_scale": false,
+        "tsc-scale": false,
+        "topoext": false,
+        "hv-vpindex": false,
+        "xlevel2": 0,
+        "clflushopt": true,
+        "kvm-no-smi-migration": false,
+        "monitor": false,
+        "avx512er": false,
+        "pmm-en": false,
+        "pcid": true,
+        "3dnow": false,
+        "erms": true,
+        "lahf-lm": true,
+        "lahf_lm": true,
+        "vpclmulqdq": false,
+        "fxsr-opt": false,
+        "hv-synic": false,
+        "xstore": false,
+        "fxsr_opt": false,
+        "kvm-hint-dedicated": false,
+        "rtm": true,
+        "lmce": true,
+        "hv-time": false,
+        "perfctr-nb": false,
+        "perfctr_nb": false,
+        "ffxsr": false,
+        "rdrand": true,
+        "rdseed": true,
+        "avx512-4vnniw": false,
+        "vmx": false,
+        "vme": true,
+        "dtes64": false,
+        "mtrr": true,
+        "rdtscp": true,
+        "pse36": true,
+        "kvm-pv-tlb-flush": false,
+        "tbm": false,
+        "wdt": false,
+        "pause_filter": false,
+        "sha-ni": false,
+        "model-id": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz",
+        "abm": true,
+        "avx512pf": false,
+        "xstore-en": false
+      }
+    }
+  },
+  "id": "model-expansion"
+}
+
+{
+  "return": [
+    {
+      "name": "max",
+      "typename": "max-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": false
+    },
+    {
+      "name": "host",
+      "typename": "host-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": false
+    },
+    {
+      "name": "base",
+      "typename": "base-x86_64-cpu",
+      "unavailable-features": [],
+      "static": true,
+      "migration-safe": true
+    },
+    {
+      "name": "qemu64",
+      "typename": "qemu64-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "qemu32",
+      "typename": "qemu32-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "phenom",
+      "typename": "phenom-x86_64-cpu",
+      "unavailable-features": [
+        "mmxext",
+        "fxsr-opt",
+        "3dnowext",
+        "3dnow",
+        "sse4a",
+        "npt"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "pentium3",
+      "typename": "pentium3-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "pentium2",
+      "typename": "pentium2-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "pentium",
+      "typename": "pentium-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "n270",
+      "typename": "n270-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "kvm64",
+      "typename": "kvm64-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "kvm32",
+      "typename": "kvm32-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "cpu64-rhel6",
+      "typename": "cpu64-rhel6-x86_64-cpu",
+      "unavailable-features": [
+        "sse4a"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "coreduo",
+      "typename": "coreduo-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "core2duo",
+      "typename": "core2duo-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "athlon",
+      "typename": "athlon-x86_64-cpu",
+      "unavailable-features": [
+        "mmxext",
+        "3dnowext",
+        "3dnow"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Westmere",
+      "typename": "Westmere-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Westmere-IBRS",
+      "typename": "Westmere-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Skylake-Server",
+      "typename": "Skylake-Server-x86_64-cpu",
+      "unavailable-features": [
+        "avx512f",
+        "avx512dq",
+        "clwb",
+        "avx512cd",
+        "avx512bw",
+        "avx512vl",
+        "avx512f",
+        "avx512f",
+        "avx512f"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Skylake-Server-IBRS",
+      "typename": "Skylake-Server-IBRS-x86_64-cpu",
+      "unavailable-features": [
+        "avx512f",
+        "avx512dq",
+        "clwb",
+        "avx512cd",
+        "avx512bw",
+        "avx512vl",
+        "avx512f",
+        "avx512f",
+        "avx512f"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Skylake-Client",
+      "typename": "Skylake-Client-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Skylake-Client-IBRS",
+      "typename": "Skylake-Client-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "SandyBridge",
+      "typename": "SandyBridge-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "SandyBridge-IBRS",
+      "typename": "SandyBridge-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Penryn",
+      "typename": "Penryn-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Opteron_G5",
+      "typename": "Opteron_G5-x86_64-cpu",
+      "unavailable-features": [
+        "sse4a",
+        "misalignsse",
+        "xop",
+        "fma4",
+        "tbm"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Opteron_G4",
+      "typename": "Opteron_G4-x86_64-cpu",
+      "unavailable-features": [
+        "sse4a",
+        "misalignsse",
+        "xop",
+        "fma4"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Opteron_G3",
+      "typename": "Opteron_G3-x86_64-cpu",
+      "unavailable-features": [
+        "sse4a",
+        "misalignsse"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Opteron_G2",
+      "typename": "Opteron_G2-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Opteron_G1",
+      "typename": "Opteron_G1-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Nehalem",
+      "typename": "Nehalem-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Nehalem-IBRS",
+      "typename": "Nehalem-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "IvyBridge",
+      "typename": "IvyBridge-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "IvyBridge-IBRS",
+      "typename": "IvyBridge-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Haswell",
+      "typename": "Haswell-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Haswell-noTSX",
+      "typename": "Haswell-noTSX-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Haswell-noTSX-IBRS",
+      "typename": "Haswell-noTSX-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Haswell-IBRS",
+      "typename": "Haswell-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "EPYC",
+      "typename": "EPYC-x86_64-cpu",
+      "unavailable-features": [
+        "sha-ni",
+        "mmxext",
+        "fxsr-opt",
+        "cr8legacy",
+        "sse4a",
+        "misalignsse",
+        "osvw"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "EPYC-IBPB",
+      "typename": "EPYC-IBPB-x86_64-cpu",
+      "unavailable-features": [
+        "sha-ni",
+        "mmxext",
+        "fxsr-opt",
+        "cr8legacy",
+        "sse4a",
+        "misalignsse",
+        "osvw",
+        "ibpb"
+      ],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Conroe",
+      "typename": "Conroe-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Broadwell",
+      "typename": "Broadwell-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Broadwell-noTSX",
+      "typename": "Broadwell-noTSX-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Broadwell-noTSX-IBRS",
+      "typename": "Broadwell-noTSX-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "Broadwell-IBRS",
+      "typename": "Broadwell-IBRS-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    },
+    {
+      "name": "486",
+      "typename": "486-x86_64-cpu",
+      "unavailable-features": [],
+      "static": false,
+      "migration-safe": true
+    }
+  ],
+  "id": "definitions"
+}
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
@@ -0,0 +1,4 @@
+0506e3
+family:     6 (0x06)
+model:     94 (0x5e)
+stepping:   3 (0x03)
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
@@ -0,0 +1,47 @@
+<!-- Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz -->
+<cpudata arch='x86'>
+  <cpuid eax_in='0x00000000' ecx_in='0x00' eax='0x00000016' ebx='0x756e6547' ecx='0x6c65746e' edx='0x49656e69'/>
+  <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x000506e3' ebx='0x06100800' ecx='0x7ffafbff' edx='0xbfebfbff'/>
+  <cpuid eax_in='0x00000002' ecx_in='0x00' eax='0x76036301' ebx='0x00f0b6ff' ecx='0x00000000' edx='0x00c30000'/>
+  <cpuid eax_in='0x00000003' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000004' ecx_in='0x00' eax='0x1c004121' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
+  <cpuid eax_in='0x00000004' ecx_in='0x01' eax='0x1c004122' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
+  <cpuid eax_in='0x00000004' ecx_in='0x02' eax='0x1c004143' ebx='0x00c0003f' ecx='0x000003ff' edx='0x00000000'/>
+  <cpuid eax_in='0x00000004' ecx_in='0x03' eax='0x1c03c163' ebx='0x03c0003f' ecx='0x00001fff' edx='0x00000006'/>
+  <cpuid eax_in='0x00000005' ecx_in='0x00' eax='0x00000040' ebx='0x00000040' ecx='0x00000003' edx='0x00142120'/>
+  <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x000027f7' ebx='0x00000002' ecx='0x00000009' edx='0x00000000'/>
+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x029c6fbf' ecx='0x00000000' edx='0x9c002400'/>
+  <cpuid eax_in='0x00000008' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000009' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000a' ecx_in='0x00' eax='0x07300804' ebx='0x00000000' ecx='0x00000000' edx='0x00000603'/>
+  <cpuid eax_in='0x0000000b' ecx_in='0x00' eax='0x00000001' ebx='0x00000001' ecx='0x00000100' edx='0x00000006'/>
+  <cpuid eax_in='0x0000000b' ecx_in='0x01' eax='0x00000004' ebx='0x00000004' ecx='0x00000201' edx='0x00000006'/>
+  <cpuid eax_in='0x0000000c' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x00' eax='0x0000001f' ebx='0x00000440' ecx='0x00000440' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x000003c0' ecx='0x00000100' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x02' eax='0x00000100' ebx='0x00000240' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x03' eax='0x00000040' ebx='0x000003c0' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x04' eax='0x00000040' ebx='0x00000400' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000d' ecx_in='0x08' eax='0x00000080' ebx='0x00000000' ecx='0x00000001' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000e' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x0000000f' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000010' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000011' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000012' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000013' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000014' ecx_in='0x00' eax='0x00000001' ebx='0x0000000f' ecx='0x00000007' edx='0x00000000'/>
+  <cpuid eax_in='0x00000014' ecx_in='0x01' eax='0x02490002' ebx='0x003f3fff' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000015' ecx_in='0x00' eax='0x00000002' ebx='0x00000114' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x00000016' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
+  <cpuid eax_in='0x80000000' ecx_in='0x00' eax='0x80000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
+  <cpuid eax_in='0x80000002' ecx_in='0x00' eax='0x65746e49' ebx='0x2952286c' ecx='0x6f655820' edx='0x2952286e'/>
+  <cpuid eax_in='0x80000003' ecx_in='0x00' eax='0x55504320' ebx='0x2d334520' ecx='0x35323231' edx='0x20357620'/>
+  <cpuid eax_in='0x80000004' ecx_in='0x00' eax='0x2e332040' ebx='0x48473033' ecx='0x0000007a' edx='0x00000000'/>
+  <cpuid eax_in='0x80000005' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x80000006' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x01006040' edx='0x00000000'/>
+  <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
+  <cpuid eax_in='0x80000008' ecx_in='0x00' eax='0x00003027' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+  <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
+  <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
+</cpudata>
--- a/tests/testutilsqemu.c
+++ b/tests/testutilsqemu.c
@@ -740,7 +740,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)

    /* Using /dev/null for libDir and cacheDir automatically produces errors
     * upon attempt to use any of them */
-    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0, 0);
+    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0);
    if (!driver->qemuCapsCache)
        goto error;
Author	SHA1	Message	Date
Ján Tomko	2a3f95a407	api: disallow virConnect*HypervisorCPU on read-only connections These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `bf6c2830b6`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:40:32 +02:00
Ján Tomko	c5085b7a90	api: disallow virConnectGetDomainCapabilities on read-only connections This API can be used to execute arbitrary emulators. Forbid it on read-only connections. Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `8afa68bac0`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:40:28 +02:00
Ján Tomko	58c7c3fc4a	api: disallow virDomainManagedSaveDefineXML on read-only connections The virDomainManagedSaveDefineXML can be used to alter the domain's config used for managedsave or even execute arbitrary emulator binaries. Forbid it on read-only connections. Fixes: CVE-2019-10166 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `db0b78457f`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:40:25 +02:00
Ján Tomko	111bb6555c	api: disallow virDomainSaveImageGetXMLDesc on read-only connections The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `aed6a032ce`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:39:42 +02:00
Daniel P. Berrangé	4aa6ce7dad	logging: restrict sockets to mode 0600 The virtlogd daemon's only intended client is the libvirtd daemon. As such it should never allow clients from other user accounts to connect. The code already enforces this and drops clients from other UIDs, but we can get earlier (and thus stronger) protection against DoS by setting the socket permissions to 0600 Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `e37bd65f99`)	2019-05-21 13:25:54 +01:00
Daniel P. Berrangé	771a7f2fa8	locking: restrict sockets to mode 0600 The virtlockd daemon's only intended client is the libvirtd daemon. As such it should never allow clients from other user accounts to connect. The code already enforces this and drops clients from other UIDs, but we can get earlier (and thus stronger) protection against DoS by setting the socket permissions to 0600 Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `f111e09468`)	2019-05-21 13:25:54 +01:00
Daniel P. Berrangé	44a0bcdb10	admin: reject clients unless their UID matches the current UID The admin protocol RPC messages are only intended for use by the user running the daemon. As such they should not be allowed for any client UID that does not match the server UID. Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `96f41cd765`)	2019-05-21 13:25:54 +01:00
Jiri Denemark	2686c9e10d	cpu_map: Define md-clear CPUID bit CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 The bit is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking the VERW instruction. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `538d873571`) Conflicts: tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml - test data missing downstream Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2019-05-14 19:22:26 +01:00
Jiri Denemark	54fb85c213	cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5 Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `5cd9db3ac1`)	2019-05-14 19:22:00 +01:00
Jiri Denemark	b735dde844	qemu: Don't cache microcode version My earlier commit `be46f61326` was incomplete. It removed caching of microcode version in the CPU driver, which means the capabilities XML will see the correct microcode version. But it is also cached in the QEMU capabilities cache where it is used to detect whether we need to reprobe QEMU. By missing the second place, the original commit `be46f61326` made the situation even worse since libvirt would report correct microcode version while still using the old host CPU model (visible in domain capabilities XML). Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> (cherry picked from commit `673c62a3b7`)	2019-05-14 19:21:48 +01:00
Jiri Denemark	1442aa99be	cpu_x86: Do not cache microcode version The microcode version checks are used to invalidate cached CPU data we get from QEMU. To minimize /proc/cpuinfo parsing the microcode version was only read when libvirtd started and cached for the daemon's lifetime. However, the CPU microcode can change anytime (updating the microcode package can automatically upload it to the CPU) and we need to stop caching it to avoid using stale CPU model data. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> (cherry picked from commit `be46f61326`)	2019-05-14 19:21:48 +01:00
Daniel P. Berrangé	3e02ee9b5d	network: avoid trying to create global firewall rules if unprivileged The unprivileged libvirtd does not have permission to create firewall rules, or bridge devices, or do anything to the host network in general. Historically we still activate the network driver though and let the network start API call fail. The startup code path which reloads firewall rules on active networks would thus effectively be a no-op when unprivileged as it is impossible for there to be any active networks With the change to use a global set of firewall chains, however, we now have code that is run unconditionally. Ideally we would not register the network driver at all when unprivileged, but the entanglement with the virt drivers currently makes that impractical. As a temporary hack, we just make the firewall reload into a no-op. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `5d010c3df6`)	2019-03-20 17:10:44 +00:00
Daniel P. Berrangé	095c450366	network: split setup of ipv4 and ipv6 top level chains During startup libvirtd creates top level chains for both ipv4 and ipv6 protocols. If this fails for any reason then startup of virtual networks is blocked. The default virtual network, however, only requires use of ipv4 and some servers have ipv6 disabled so it is expected that ipv6 chain creation will fail. There could equally be servers with no ipv4, only ipv6. This patch thus makes error reporting a little more fine grained so that it works more sensibly when either ipv4 or ipv6 is disabled on the server. Only the protocols that are actually used by the virtual network have errors reported. Reviewed-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `686803a1a2`)	2019-03-20 17:10:38 +00:00
Daniel P. Berrangé	b990740b12	network: improve error report when firewall chain creation fails During startup we create some top level chains in which all virtual network firewall rules will be placed. The upfront creation is done to avoid slowing down creation of individual virtual networks by checking for chain existance every time. There are some factors which can cause this upfront creation to fail and while a message will get into the libvirtd log this won't be seen by users who later try to start a virtual network. Instead they'll just get a message saying that the libvirt top level chain does not exist. This message is accurate, but unhelpful for solving the root cause. This patch thus saves any error during daemon startup and reports it when trying to create a virtual network later. Reviewed-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `9f4e35dc73`)	2019-03-20 17:10:28 +00:00
Daniel P. Berrangé	e8ec259220	storage: add support for new rbd_list2 method The rbd_list method has been deprecated in Ceph >= 14.0.0 in favour of the new rbd_list2 method which populates an array of structs. Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `3aa190f2a4`)	2019-03-20 17:10:16 +00:00
Daniel P. Berrangé	092320f10b	storage: split off code for calling rbd_list The rbd_list method has a quite unpleasant signature returning an array of strings in a single buffer instead of an array. It is being deprecated in favour of rbd_list2. To maintain clarity of code when supporting both APIs in parallel, split the rbd_list code out into a separate method. In splitting this we now honour the rbd_list failures. Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `28c8403ed0`)	2019-03-20 17:10:10 +00:00