import passt-0%5E20240806.gee36266-2.el9

682c81f0 · Rocky Automation · 87fc84b8 · 682c81f0 · 682c81f0 · 682c81f0
Commit 682c81f0 authored 4 months ago by Rocky Automation
--- a/.passt.checksum
+++ b/.passt.checksum
+642dfeadac92b3a81224c3ae9289642354e260a341101d546cd60666753351a0
--- a/.passt.metadata
+++ b/.passt.metadata
-63e1388a021a47f83ca46a91482182573a5c8ea41335e1bb4d7f4e1cc75b1c87 SOURCES/passt-4ddbcb9c0c555838b123c018a9ebc9b7e14a87e5.tar.xz
+ffcbfc459a689acd3086b9be20f4d8413c2c03bb94343901ece22ac19d6f559e SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
--- a/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch
+++ b/SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch
+From 6977619743bbc602a865f79562b59a80921d6063 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon, 21 Aug 2023 17:52:28 +0200
+Subject: [PATCH] selinux: Drop user_namespace create allow rules
+
+Those are incompatible with current el9 kernels. I introduced them
+upstream with commit 62059058cf24 ("selinux: Fix user namespace
+creation after breaking kernel change"), in turn as a result of
+kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook"),
+but on current el9 kernels (which lack the hook) they result in
+failures such as:
+
+  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
+  Failed to resolve AST
+  /usr/sbin/semodule:  Failed!
+  Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
+  Failed to resolve AST
+  /usr/sbin/semodule:  Failed!
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ contrib/selinux/passt.te | 1 -
+ contrib/selinux/pasta.te | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
+index facc2d1..de10f45 100644
+--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
+@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
+ allow passt_t self:process setcap;
+ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
+ allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+-allow passt_t self:user_namespace create;
+ 
+ allow passt_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(passt_t)
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index ed70c5f..3226e37 100644
+--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
+@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
+ 
+ allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
+ allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+-allow pasta_t self:user_namespace create;
+ 
+ allow pasta_t passwd_file_t:file read_file_perms;
+ sssd_search_lib(pasta_t)
+-- 
+2.39.2
+
--- a/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
+++ b/SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
+From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Wed, 14 Aug 2024 20:03:33 +1000
+Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0
+
+Using a zero port on TCP or UDP is dubious, and we can't really deal with
+forwarding such a flow within the constraints of the socket API.  Hence
+we ASSERT()ed that we had non-zero ports in flow_hash().
+
+The intention was to make sure that the protocol code sanitizes such ports
+before completing a flow entry.  Unfortunately, flow_hash() is also called
+on new packets to see if they have an existing flow, so the unsanitized
+guest packet can crash passt with the assert.
+
+Correct this by moving the assert from flow_hash() to flow_sidx_hash()
+which is only used on entries already in the table, not on unsanitized
+data.
+
+Reported-by: Matt Hamilton <matt@thmail.io>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ flow.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/flow.c b/flow.c
+index 687e9fd..93b687d 100644
+--- a/flow.c
+++ b/flow.c
+@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
+ {
+ 	struct siphash_state state = SIPHASH_INIT(c->hash_secret);
+ 
+-	/* For the hash table to work, we need complete endpoint information,
+-	 * and at least a forwarding port.
+-	 */
+-	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
+-	       side->eport != 0 && side->fport != 0);
+-
+ 	inany_siphash_feed(&state, &side->faddr);
+ 	inany_siphash_feed(&state, &side->eaddr);
+ 
+@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
+ static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx)
+ {
+ 	const struct flow_common *f = &flow_at_sidx(sidx)->f;
+-	return flow_hash(c, FLOW_PROTO(f),
+-			 f->pif[sidx.sidei], &f->side[sidx.sidei]);
+	const struct flowside *side = &f->side[sidx.sidei];
+	uint8_t pif = f->pif[sidx.sidei];
+
+	/* For the hash table to work, entries must have complete endpoint
+	 * information, and at least a forwarding port.
+	 */
+	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
+	       side->eport != 0 && side->fport != 0);
+
+	return flow_hash(c, FLOW_PROTO(f), pif, side);
+ }
+ 
+ /**
+-- 
+2.43.0
+
--- a/SPECS/passt.spec
+++ b/SPECS/passt.spec
@@ -7,40 +7,23 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>

-%global git_hash 4ddbcb9c0c555838b123c018a9ebc9b7e14a87e5
+%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd
 %global selinuxtype targeted

 Name:		passt
-Version:	0^20230222.g4ddbcb9
-Release:	4%{?dist}
+Version:	0^20240806.gee36266
+Release:	2%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
-License:	AGPLv3+ and BSD
+License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
 URL:		https://passt.top/
 Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz

-Patch1: 0001-udp-Actually-use-host-resolver-to-forward-DNS-querie.patch
-Patch2: 0002-conf-Split-add_dns-4-6-out-of-get_dns.patch
-Patch3: 0003-conf-udp-Allow-any-loopback-address-to-be-used-as-re.patch
-Patch4: 0004-tcp-tcp_splice-Get-rid-of-false-positive-CWE-394-Cov.patch
-Patch5: 0005-tcp-Avoid-false-but-convoluted-positive-Coverity-CWE.patch
-Patch6: 0006-tcp-Avoid-theoretical-resource-leak-CWE-772-Coverity.patch
-Patch7: 0007-Fix-definitions-of-SOCKET_MAX-TCP_MAX_CONNS.patch
-Patch8: 0008-doc-demo-Fix-and-suppress-ShellCheck-warnings.patch
-Patch9: 0009-contrib-selinux-Drop-duplicate-init_daemon_domain-ru.patch
-Patch10: 0010-contrib-selinux-Let-passt-write-to-stdout-and-stderr.patch
-Patch11: 0011-contrib-selinux-Allow-binding-and-connecting-to-all-.patch
-Patch12: 0012-contrib-selinux-Let-interface-users-set-paths-for-lo.patch
-Patch13: 0013-tcp-udp-util-Pass-socket-creation-errors-all-the-way.patch
-Patch14: 0014-tcp-udp-Fix-partial-success-return-codes-in-tcp-udp-.patch
-Patch15: 0015-conf-Terminate-on-EMFILE-or-ENFILE-on-sockets-for-po.patch
-Patch16: 0016-tcp-Clamp-MSS-value-when-queueing-data-to-tap-also-f.patch
-Patch17: 0017-contrib-selinux-Drop-example-from-headers-this-is-th.patch
-Patch18: 0018-contrib-selinux-Drop-unused-passt_read_data-interfac.patch
-Patch19: 0019-contrib-selinux-Split-interfaces-into-smaller-bits.patch
+Patch1:		0001-selinux-Drop-user_namespace-create-allow-rules.patch
+Patch2:		0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch

 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
-Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})

 %description
 passt implements a translation layer between a Layer-2 network interface and
@@ -71,13 +54,30 @@ This package adds SELinux enforcement to passt(1) and pasta(1).

 %build
 %set_build_flags
-%make_build VERSION="%{version}-%{release}.%{_arch}"
+# The Makefile creates symbolic links for pasta, but we need actual copies for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+# Build twice, changing the version string, to avoid duplicate Build-IDs.
+%make_build VERSION="%{version}-%{release}.%{_arch}-pasta"
+mv -f passt pasta
+%ifarch x86_64
+mv -f passt.avx2 pasta.avx2
+%make_build passt passt.avx2 VERSION="%{version}-%{release}.%{_arch}"
+%else
+%make_build passt VERSION="%{version}-%{release}.%{_arch}"
+%endif

 %install
+# Already built (not as symbolic links), see above
+touch pasta
+%ifarch x86_64
+touch pasta.avx2
+%endif
+
 %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
 %ifarch x86_64
 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
+install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
 %endif

 pushd contrib/selinux
@@ -104,7 +104,7 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %files
-%license LICENSES/{AGPL-3.0-or-later.txt,BSD-3-Clause.txt}
+%license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
 %dir %{_docdir}/%{name}
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/demo.sh
@@ -127,6 +127,40 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp

 %changelog
+* Wed Aug 14 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240806-gee36266-2
+- Resolves: RHEL-54268
+
+* Wed Aug  7 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240806.gee36266-1
+- Resolves: RHEL-53189
+
+* Fri Aug  2 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240726.g57a21d2-1
+- Resolves: RHEL-52638
+
+* Mon Jun 24 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240624.g1ee2eca-1
+- Resolves: RHEL-44837
+
+* Wed May 22 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240510.g7288448-1
+- Resolves: RHEL-37647
+
+* Fri Dec 15 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20231204.gb86afe3-1
+- Resolves: RHEL-19590
+
+* Tue Aug 22 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-4
+- Switch to copies instead of links for pasta: previous workaround unreliable
+- Resolves: RHELPLAN-155811
+
+* Tue Aug 22 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-3
+- Explicit restorecon in scriptlet as rpm(8) mix up contexts with hard links
+- Resolves: RHELPLAN-155811
+
+* Mon Aug 21 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-2
+- Drop user_namespace create allow rule, incompatible with current el9 kernel
+- Resolves: RHELPLAN-155811
+
+* Sat Aug 19 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230818.g0af928e-1
+- Rebase from Fedora 39
+- Resolves: RHELPLAN-155811
+
 * Sun Jun 11 2023 Stefano Brivio <sbrivio@redhat.com> - 0^20230222.g4ddbcb9-4
 - Drop (pointless) patches 20, 21, 22, actually apply changes to the spec file!
 - Refresh SELinux labels in scriptlets, require -selinux package (rhbz#2183089)