Add a new attribute to the <seclabel> XML to allow resource
relabelling to be enabled with static label usage.

  <seclabel model='selinux' type='static' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c392,c662</label>
  </seclabel>

* docs/schemas/domain.rng: Add relabel attribute
* src/conf/domain_conf.c, src/conf/domain_conf.h: Parse
  the 'relabel' attribute
* src/qemu/qemu_process.c: Unconditionally clear out the
  'imagelabel' attribute
* src/security/security_apparmor.c: Skip based on 'relabel'
  attribute instead of label type
* src/security/security_selinux.c: Skip based on 'relabel'
  attribute instead of label type and fill in <imagelabel>
  attribute if relabel is enabled.

Normally the dynamic labelling mode will always use a base
label of 'svirt_t' for VMs. Introduce a <baselabel> field
in the <seclabel> XML to allow this base label to be changed

eg

   <seclabel type='dynamic' model='selinux'>
     <baselabel>system_u:object_r:virt_t:s0</baselabel>
   </seclabel>

* docs/schemas/domain.rng: Add <baselabel>
* src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing
  of base label
* src/qemu/qemu_process.c: Don't reset 'model' attribute if
  a base label is specified
* src/security/security_apparmor.c: Refuse to support base label
* src/security/security_selinux.c: Use 'baselabel' when generating
  label, if available

virStorageBackendCreateRaw: createRawFile already reported the
exact error.

Before the fix:

error: Failed to create vol vol-create.img
error: cannot create path '/var/lib/libvirt/images/vol-create.img': Unknown error 18446744073709551597

After the fix:

error: Failed to create vol vol-create.img
error: cannot fill file '/var/lib/libvirt/images/vol-create.img': No space left on device

* configure.ac docs/news.html.in libvirt.spec.in: update for the
  new release
* po/*.po*: updated and regenerated localizations

cmd is not initialized to NULL, but we try to freed it if we
meet some error.

Coverity detected that we could crash on bogus input.  Meanwhile,
strtok_r is rather heavy compared to strchr.

* src/storage/storage_backend_iscsi.c (virStorageBackendIQNFound):
  Check for parse failure, and use lighter-weight functions.

* src/vmware/vmware_driver.c (vmwareDomainReboot): Check error
  before dereferencing memory.

Detected by Coverity.  qemuDomainEventQueue requires a non-NULL
pointer; most callers silently drop the event if we encountered
and OOM situation trying to create the event.

* src/qemu/qemu_migration.c (qemuMigrationFinish): Check for OOM.

Coverity noted that most clients reacted to failure to hash; but in
a best-effort kill loop, we can ignore failure.

* src/util/cgroup.c (virCgroupKillInternal): Ignore hash failure.

Coverity noted that 4 out of 5 calls to virNetClientStreamRaiseError
checked the return value.  This case expects a particular value, so
warn if our expectations went wrong due to some bug elsewhere.

* src/rpc/virnetclient.c (virNetClientCallDispatchStream): Warn on
  unexpected scenario.

Coverity warns if the majority of callers check a function for
errors, but a few don't; but in qemu_audit and qemu_domain, the
choice to not check for failures was safe.  In qemu_command, the
failure to generate a uuid can only occur on a bad pointer.

* src/qemu/qemu_audit.c (qemuAuditCgroup): Ignore failure to get
  cgroup controller.
* src/qemu/qemu_domain.c (qemuDomainObjEnterMonitor)
  (qemuDomainObjEnterMonitorWithDriver): Ignore failure to get
  timestamp.
* src/qemu/qemu_command.c (qemuParseCommandLine): Check for error.

Detected by Coverity.  The leak is on an error path, but I'm not
sure whether that path is likely to be triggered in practice.

* src/rpc/virnetserverservice.c (virNetServerServiceAccept): Plug leak.

Spotted by Coverity.  If we don't update tmp each time through
the loop, then if the filter being removed was not the head of
the list, we accidentally lose all filters prior to the one we
wanted to remove.

* src/rpc/virnetserverclient.c (virNetServerClientRemoveFilter):
    Don't lose unrelated filters.

Detected by Coverity.  Some, but not all, error paths were clean;
but they were repetitive so I refactored them.

* src/util/pci.c (pciGetDevice): Plug leak.

Detected by Coverity.  Unlikely to hit unless the file contents
were corrupted.

* src/util/interface.c (ifaceRestoreMacAddress): Plug leak.

Detected by Coverity; only strikes on OOM so not serious.

* daemon/libvirtd.c (daemonPidFilePath): Plug leak.

* tests/utiltest.c (DO_TEST): Fix indentation for cppi.

Move non-esx specific tests from esxutilstest there and add a
test for virParseVersionString.

To avoid regressions, we let callers specify whether to require a
minor and micro version.  Callers that were parsing uname() output
benefit from defaulting to 0, whereas callers that were parsing
version strings from other sources should not change in behavior.

* src/util/util.c (virParseVersionString): Allow caller to choose
whether to fail if minor or micro is missing.
* src/util/util.h (virParseVersionString): Update signature.
* src/esx/esx_driver.c (esxGetVersion): Update callers.
* src/lxc/lxc_driver.c (lxcVersion): Likewise.
* src/openvz/openvz_conf.c (openvzExtractVersionInfo): Likewise.
* src/uml/uml_driver.c (umlGetVersion): Likewise.
* src/vbox/vbox_MSCOMGlue.c (vboxLookupVersionInRegistry):
Likewise.
* src/vbox/vbox_tmpl.c (vboxExtractVersion): Likewise.
* src/vmware/vmware_conf.c (vmwareExtractVersion): Likewise.
* src/xenapi/xenapi_driver.c (xenapiGetVersion): Likewise.
Reported by Matthias Bolte.

According to the automake manual, CPPFLAGS (aka INCLUDES, as spelled
in automake 1.9.6) should only include -I, -D, and -U directives; more
generic directives like -Wall belong in CFLAGS since they affect more
phases of the build process.  Therefore, we should be sticking CFLAGS
additions into a CFLAGS container, not a CPPFLAGS container.

* src/Makefile.am (libvirt_driver_vmware_la_CFLAGS): Use AM_CFLAGS.
(INCLUDES): Move CFLAGS items...
(AM_CFLAGS): ...to their proper location.
* python/Makefile.am (INCLUDES, AM_CFLAGS): Likewise.
* tests/Makefile.am (INCLUDES, AM_CFLAGS): Likewise.
(commandtest_CFLAGS, commandhelper_CFLAGS)
(virnetmessagetest_CFLAGS, virnetsockettest_CFLAGS): Use AM_CFLAGS.

This fixes the problem of not finding python in /usr/bin
which broke build on FreeBSD

linux 3.0 has no micro version number, and that is causing problems
for virParseVersionString.  The patch below should allow for:
  major
  major.minor
  major.minor.micro

If major or minor are not present they just default to zero.
We found this in Ubuntu (https://bugs.launchpad.net/bugs/802977)

Detected by Coverity.  No real harm in leaving these, but fixing
them cuts down on the noise for future analysis.

* src/rpc/virnetserver.c (virNetServerAddService): Delete unused
entry.
* src/util/sysinfo.c (virSysinfoRead): Delete dead assignment to
base.

* tests/Makefile.am: Remove jsondata.h

EXTRA_DIST files should unconditionally be part of the tarball,
rather than depending on the presence of sanlock-devel.

Meanwhile, parallel builds could fail if we don't use mkdir -p.

* src/Makefile.am (EXTRA_DIST): Always ship sanlock .aug and
template .conf files.
(%-sanlock.conf): Use MKDIR_P.

For good or for bad, I did a fresh checkout, ./autogen.sh, then
'configure', then 'make syntax-check', and was surprised that it
failed.  Running 'make' before 'make syntax-check' cleaned up the
issue, but this patch makes it work up front.

* cfg.mk (sc_po_check): Add prerequisites.

* .gitignore: Exempt jsontest binary.

* daemon/libvirtd.c, daemon/remote.c: Add #if HAVE_SASL and
  suitable function stubs to allow build without SASL

Based on Coverity's finding on the previous patch, I audited
gnulib's pipe2 code and found that we had the potential for
a subtle double-close bug, unless gnulib guarantees that the
contents of the fd array are unchanged on pipe2() failure.

* .gnulib: Update to latest, for pipe2 fix.

Detected by Coverity.  Both are instances of bad things happening
if pipe2 fails; the virNetClientNew failure could free garbage,
and virNetSocketNewConnectCommand could close random fds.

Note: POSIX doesn't guarantee the contents of fd[0] and fd[1]
after pipe failure: http://austingroupbugs.net/view.php?id=467
We may need to introduce a virPipe2 wrapper that guarantees
that on pipe failure, the fds are explicitly set to -1, rather
than our current state of assuming the fds are unchanged from
their value prior to the failed pipe call.

* src/rpc/virnetclient.c (virNetClientNew): Initialize variable.
* src/rpc/virnetsocket.c (virNetSocketNewConnectCommand):
Likewise.

Detected by Coverity; neither vshCmddefHelp nor vshCmdOptParse
was initializing opts_required.

* tools/virsh.c (vshCmddefOptParse): Always initialize bitmaps.

Detected by Coverity.  info.nrVirtCpu is unsigned short, but if
cpumaplen is int, then the product of the two in vshMalloc risks
unintended sign extension.  cmdVcpuinfo had already solved this
by using size_t cpumaplen.

* tools/virsh.c (cmdVcpuPin): Use correct type.

The virDomainMigratePrepareTunnel3 impl in the remote driver
was using the procedure number for the virDomainMigratePrepareTunnel
method. This doesn't work out so well, because it makes the server
ignore & drop all stream packets

* src/remote/remote_driver.c: Fix procedure for PrepareTunnel3

We ignore any stream data packets which come in for streams which
are not registered, since these packets are async and do not have
a reply. If we get a stream control packet though we must send back
an actual error, otherwise a (broken) client may hang forever
making it hard to diagnose the client bug.

* src/rpc/virnetserverprogram.c: Send back error for unexpected
  stream control messages

If a message packet for a invalid stream is received it is just
free'd. This is not good because it doesn't let the client RPC
request counter decrement. If a stream is shutdown with pending
packets the message also isn't released properly because of an
incorrect header type

* daemon/stream.c: Fix message header type
* src/rpc/virnetserverprogram.c: Send dummy reply instead of
  free'ing ignored stream message

virNetSocketFree uses kill(SIGTERM) so we must include
signal.h for the definitions

* src/rpc/virnetsocket.c: Include signal.h

While investigating some memory leaks it was unclear whether the
JSON code correctly free'd all memory during parsing. Add a test
case which can be run under valgrind to clearly demonstrate that
the parser is leak free.

* tests/Makefile.am: Add 'jsontest'
* tests/jsontest.c: A few simple JSON parsing tests

The qemudDomainSaveFlag method will call EndJob on the 'vm'
object it is passed in. This can result in the 'vm' object
being free'd if the last reference is removed. Thus no caller
of 'qemudDomainSaveFlag' must *ever* reference 'vm' again
upon return.

Unfortunately qemudDomainSave and qemuDomainManagedSave
both call 'virDomainObjUnlock', which can result in a
crash. This is non-deterministic since it involves a race
with the monitor I/O thread.

Fix this by making qemudDomainSaveFlag responsible for
calling virDomainObjUnlock instead.

* src/qemu/qemu_driver.c: Fix potential use after free
  when saving guests

The 'char control[CMSG_SPACE(sizeof(int))];' was not being
wiped, so could potentially contain uninitialized bytes.
While this was harmless in this case, it caused complaints
from valgrind

* src/qemu/qemu_monitor.c: memset 'control' variable
  in qemuMonitorIOWriteWithFD

The event handler functions do not free the virJSONValuePtr
object. Every event received from a VM thus caused a memory
leak

* src/qemu/qemu_monitor_json.c: Fix leak of event object