rpms/criu
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI criu-3.19-9.el10

Browse Source
This commit is contained in:
eabdullin 2025-05-14 15:41:39 +00:00
parent e89dd9583f
commit 0eebeb843d
17 changed files with 1495 additions and 1069 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.criu.metadata
View File

@ -1 +0,0 @@
b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/criu-3.12.tar.bz2
criu-3.19.tar.gz

87
089345f77a34d1bc7ef146d650636afcd3cdda21.patch Normal file
View File

@ -0,0 +1,87 @@
From 089345f77a34d1bc7ef146d650636afcd3cdda21 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Jul 2024 18:34:50 +0200
Subject: [PATCH] Adjust to glibc __rseq_size semantic change
In commit 2e456ccf0c34a056e3ccafac4a0c7effef14d918 ("Linux: Make
__rseq_size useful for feature detection (bug 31965)") glibc 2.40
changed the meaning of __rseq_size slightly: it is now the size
of the active/feature area (20 bytes initially), and not the size
of the entire initially defined struct (32 bytes including padding).
The reason for the change is that the size including padding does not
allow detection of newly added features while previously unused
padding is consumed.
The prep_libc_rseq_info change in criu/cr-restore.c is not necessary
on kernels which have full ptrace support for obtaining rseq
information because the code is not used. On older kernels, it is
a correctness fix because with size 20 (the new value), rseq
registeration would fail.
The two other changes are required to make rseq unregistration work
in tests.
Signed-off-by: Florian Weimer <fweimer@redhat.com>
---
criu/cr-restore.c | 8 ++++++++
test/zdtm/static/rseq00.c | 5 ++++-
test/zdtm/transition/rseq01.c | 5 ++++-
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 4db2f4ecfc..b95d4f134b 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2618,7 +2618,15 @@ static void prep_libc_rseq_info(struct rst_rseq_param *rseq)
if (!kdat.has_ptrace_get_rseq_conf) {
#if defined(__GLIBC__) && defined(RSEQ_SIG)
rseq->rseq_abi_pointer = encode_pointer(__criu_thread_pointer() + __rseq_offset);
+ /*
+ * Current glibc reports the feature/active size in
+ * __rseq_size, not the size passed to the kernel.
+ * This could be 20, but older kernels expect 32 for
+ * the size argument even if only 20 bytes are used.
+ */
rseq->rseq_abi_size = __rseq_size;
+ if (rseq->rseq_abi_size < 32)
+ rseq->rseq_abi_size = 32;
rseq->signature = RSEQ_SIG;
#else
rseq->rseq_abi_pointer = 0;
diff --git a/test/zdtm/static/rseq00.c b/test/zdtm/static/rseq00.c
index 471ad6a43f..7add7801eb 100644
--- a/test/zdtm/static/rseq00.c
+++ b/test/zdtm/static/rseq00.c
@@ -46,12 +46,15 @@ static inline void *__criu_thread_pointer(void)
static inline void unregister_glibc_rseq(void)
{
struct rseq *rseq = (struct rseq *)((char *)__criu_thread_pointer() + __rseq_offset);
+ unsigned int size = __rseq_size;
/* hack: mark glibc rseq structure as failed to register */
rseq->cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
/* unregister rseq */
- syscall(__NR_rseq, (void *)rseq, __rseq_size, 1, RSEQ_SIG);
+ if (__rseq_size < 32)
+ size = 32;
+ syscall(__NR_rseq, (void *)rseq, size, 1, RSEQ_SIG);
}
#else
static inline void unregister_glibc_rseq(void)
diff --git a/test/zdtm/transition/rseq01.c b/test/zdtm/transition/rseq01.c
index 0fbcc2dca0..08a7a8e1a6 100644
--- a/test/zdtm/transition/rseq01.c
+++ b/test/zdtm/transition/rseq01.c
@@ -33,7 +33,10 @@ static inline void *thread_pointer(void)
static inline void unregister_old_rseq(void)
{
/* unregister rseq */
- syscall(__NR_rseq, (void *)((char *)thread_pointer() + __rseq_offset), __rseq_size, 1, RSEQ_SIG);
+ unsigned int size = __rseq_size;
+ if (__rseq_size < 32)
+ size = 32;
+ syscall(__NR_rseq, (void *)((char *)thread_pointer() + __rseq_offset), size, 1, RSEQ_SIG);
}
#else
static inline void unregister_old_rseq(void)

128
2549.patch Normal file
View File

@ -0,0 +1,128 @@
From 0a17c4160580d9bc7092ba9eb7db86952921d221 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 16 Jan 2025 07:52:42 +0000
Subject: [PATCH 1/2] util: added cleanup_file attribute.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/include/util.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/criu/include/util.h b/criu/include/util.h
index ae293a68c8..4793f7f20e 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -406,6 +406,14 @@ static inline void cleanup_freep(void *p)
free(*pp);
}
+#define cleanup_file __attribute__((cleanup(cleanup_filep)))
+static inline void cleanup_filep(FILE **f)
+{
+ FILE *file = *f;
+ if (file)
+ (void)fclose(file);
+}
+
extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void *args);
/*
From 1ed4109958644fbe1cbadf7c72472c82a12834b0 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 17 Dec 2024 08:52:46 +0100
Subject: [PATCH 2/2] net: redirect nftables stdout and stderr to CRIU's log
file
When using the nftables network locking backend and restoring a process
a second time the network locking has already been deleted by the first
restore. The second restore will print out to the console text like:
Error: Could not process rule: No such file or directory
delete table inet CRIU-202621
With this change CRIU's log FD is used by libnftables stdout and stderr.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/net.c | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/criu/net.c b/criu/net.c
index eee3311087..efd52db327 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -3066,9 +3066,43 @@ static int iptables_restore(bool ipv6, char *buf, int size)
return ret;
}
+#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
+static inline FILE *redirect_nftables_output(struct nft_ctx *nft)
+{
+ FILE *fp;
+ int fd;
+
+ fd = dup(log_get_fd());
+ if (fd < 0) {
+ pr_perror("dup() to redirect nftables output failed");
+ return NULL;
+ }
+
+ fp = fdopen(fd, "w");
+ if (!fp) {
+ pr_perror("fdopen() to redirect nftables output failed");
+ return NULL;
+ }
+
+ /**
+ * Without setvbuf() the output from libnftables will be
+ * somewhere in the log file, probably at the end.
+ * With setvbuf() potential output will be at the correct
+ * position.
+ */
+ setvbuf(fp, NULL, _IONBF, 0);
+
+ nft_ctx_set_output(nft, fp);
+ nft_ctx_set_error(nft, fp);
+
+ return fp;
+}
+#endif
+
static inline int nftables_lock_network_internal(void)
{
#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
+ cleanup_file FILE *fp = NULL;
struct nft_ctx *nft;
int ret = 0;
char table[32];
@@ -3081,6 +3115,10 @@ static inline int nftables_lock_network_internal(void)
if (!nft)
return -1;
+ fp = redirect_nftables_output(nft);
+ if (!fp)
+ goto out;
+
snprintf(buf, sizeof(buf), "create table %s", table);
if (NFT_RUN_CMD(nft, buf))
goto err2;
@@ -3168,6 +3206,7 @@ static inline int nftables_network_unlock(void)
{
#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
int ret = 0;
+ cleanup_file FILE *fp = NULL;
struct nft_ctx *nft;
char table[32];
char buf[128];
@@ -3179,6 +3218,10 @@ static inline int nftables_network_unlock(void)
if (!nft)
return -1;
+ fp = redirect_nftables_output(nft);
+ if (!fp)
+ return -1;
+
snprintf(buf, sizeof(buf), "delete table %s", table);
if (NFT_RUN_CMD(nft, buf))
ret = -1;

473
2550.patch Normal file
View File

@ -0,0 +1,473 @@
From 9a2b7d6b3baa2b3183489ed9cebece039f9f488f Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 23 Jan 2025 09:26:15 +0000
Subject: [PATCH 1/2] criu: use libuuid for criu_run_id generation
criu_run_id will be used in upcoming changes to create and remove
network rules for network locking. Instead of trying to come up with
a way to create unique IDs, just use an existing library.
libuuid should be installed on most systems as it is indirectly required
by systemd (via libmount).
Signed-off-by: Adrian Reber <areber@redhat.com>
---
.cirrus.yml | 2 +-
.github/workflows/check-commits.yml | 2 +-
compel/include/uapi/infect-util.h | 11 ++++++++++-
compel/src/lib/infect-util.c | 2 +-
compel/src/lib/infect.c | 2 +-
criu/Makefile.packages | 4 +++-
criu/fdstore.c | 2 +-
criu/files.c | 2 +-
criu/include/util.h | 4 +++-
criu/pidfd-store.c | 2 +-
criu/unittest/mock.c | 4 +++-
criu/util.c | 17 +++++++----------
scripts/build/Dockerfile.alpine | 3 ++-
scripts/build/Dockerfile.amd-rocm | 1 +
scripts/build/Dockerfile.archlinux | 1 +
scripts/build/Dockerfile.hotspot-alpine | 1 +
scripts/build/Dockerfile.hotspot-ubuntu | 1 +
scripts/build/Dockerfile.linux32.tmpl | 1 +
scripts/build/Dockerfile.openj9-ubuntu | 1 +
.../build/Dockerfile.riscv64-stable-cross.tmpl | 1 +
scripts/build/Dockerfile.stable-cross.tmpl | 1 +
scripts/build/Dockerfile.tmpl | 1 +
scripts/build/Dockerfile.unstable-cross.tmpl | 1 +
scripts/ci/prepare-for-fedora-rawhide.sh | 1 +
scripts/ci/run-ci-tests.sh | 2 +-
scripts/ci/vagrant.sh | 2 +-
26 files changed, 48 insertions(+), 24 deletions(-)
diff --git a/compel/include/uapi/infect-util.h b/compel/include/uapi/infect-util.h
index ace6f6b6b1..658df9393d 100644
--- a/compel/include/uapi/infect-util.h
+++ b/compel/include/uapi/infect-util.h
@@ -3,11 +3,20 @@
#include "common/compiler.h"
+/**
+ * The length of the hash is based on what libuuid provides.
+ * According to the manpage this is:
+ *
+ * The uuid_unparse() function converts the supplied UUID uu from the binary
+ * representation into a 36-byte string (plus trailing '\0')
+ */
+#define RUN_ID_HASH_LENGTH 37
+
/*
* compel_run_id is a unique value of the current run. It can be used to
* generate resource ID-s to avoid conflicts with other processes.
*/
-extern uint64_t compel_run_id;
+extern char compel_run_id[RUN_ID_HASH_LENGTH];
struct parasite_ctl;
extern int __must_check compel_util_send_fd(struct parasite_ctl *ctl, int fd);
diff --git a/compel/src/lib/infect-util.c b/compel/src/lib/infect-util.c
index 00a7c83f7d..dc57e28f7c 100644
--- a/compel/src/lib/infect-util.c
+++ b/compel/src/lib/infect-util.c
@@ -7,7 +7,7 @@
#include "infect-rpc.h"
#include "infect-util.h"
-uint64_t compel_run_id;
+char compel_run_id[RUN_ID_HASH_LENGTH];
int compel_util_send_fd(struct parasite_ctl *ctl, int fd)
{
diff --git a/compel/src/lib/infect.c b/compel/src/lib/infect.c
index 1e3ffb9670..caf54e03fd 100644
--- a/compel/src/lib/infect.c
+++ b/compel/src/lib/infect.c
@@ -427,7 +427,7 @@ static int gen_parasite_saddr(struct sockaddr_un *saddr, int key)
int sun_len;
saddr->sun_family = AF_UNIX;
- snprintf(saddr->sun_path, UNIX_PATH_MAX, "X/crtools-pr-%d-%" PRIx64, key, compel_run_id);
+ snprintf(saddr->sun_path, UNIX_PATH_MAX, "X/crtools-pr-%d-%s", key, compel_run_id);
sun_len = SUN_LEN(saddr);
*saddr->sun_path = '\0';
diff --git a/criu/Makefile.packages b/criu/Makefile.packages
index 7f6113c8f1..3e2e6efd18 100644
--- a/criu/Makefile.packages
+++ b/criu/Makefile.packages
@@ -6,6 +6,7 @@ REQ-RPM-PKG-NAMES += protobuf-devel
REQ-RPM-PKG-NAMES += protobuf-python
REQ-RPM-PKG-NAMES += libnl3-devel
REQ-RPM-PKG-NAMES += libcap-devel
+REQ-RPM-PKG-NAMES += libuuid-devel
REQ-RPM-PKG-TEST-NAMES += libaio-devel
@@ -16,6 +17,7 @@ REQ-DEB-PKG-NAMES += protobuf-compiler
REQ-DEB-PKG-NAMES += $(PYTHON)-protobuf
REQ-DEB-PKG-NAMES += libnl-3-dev
REQ-DEB-PKG-NAMES += libcap-dev
+REQ-DEB-PKG-NAMES += uuid-dev
REQ-DEB-PKG-TEST-NAMES += $(PYTHON)-yaml
REQ-DEB-PKG-TEST-NAMES += libaio-dev
@@ -25,7 +27,7 @@ REQ-DEB-PKG-TEST-NAMES += libaio-dev
REQ-RPM-PKG-TEST-NAMES += $(PYTHON)-PyYAML
-export LIBS += -lprotobuf-c -ldl -lnl-3 -lsoccr -Lsoccr/ -lnet
+export LIBS += -lprotobuf-c -ldl -lnl-3 -lsoccr -Lsoccr/ -lnet -luuid
check-packages-failed:
$(warning Can not find some of the required libraries)
diff --git a/criu/fdstore.c b/criu/fdstore.c
index d615ad15d0..6ac639c553 100644
--- a/criu/fdstore.c
+++ b/criu/fdstore.c
@@ -58,7 +58,7 @@ int fdstore_init(void)
}
addr.sun_family = AF_UNIX;
- addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-fdstore-%" PRIx64 "-%" PRIx64, st.st_ino,
+ addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-fdstore-%" PRIx64 "-%s", st.st_ino,
criu_run_id);
addrlen += sizeof(addr.sun_family);
diff --git a/criu/files.c b/criu/files.c
index 31e705bcc5..f16ec32a23 100644
--- a/criu/files.c
+++ b/criu/files.c
@@ -978,7 +978,7 @@ static int receive_fd(struct fdinfo_list_entry *fle);
static void transport_name_gen(struct sockaddr_un *addr, int *len, int pid)
{
addr->sun_family = AF_UNIX;
- snprintf(addr->sun_path, UNIX_PATH_MAX, "x/crtools-fd-%d-%" PRIx64, pid, criu_run_id);
+ snprintf(addr->sun_path, UNIX_PATH_MAX, "x/crtools-fd-%d-%s", pid, criu_run_id);
*len = SUN_LEN(addr);
*addr->sun_path = '\0';
}
diff --git a/criu/include/util.h b/criu/include/util.h
index 4793f7f20e..194e94deeb 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -21,6 +21,8 @@
#include "log.h"
#include "common/err.h"
+#include "compel/infect-util.h"
+
#define PREF_SHIFT_OP(pref, op, size) ((size)op(pref##BYTES_SHIFT))
#define KBYTES_SHIFT 10
#define MBYTES_SHIFT 20
@@ -420,7 +422,7 @@ extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void
* criu_run_id is a unique value of the current run. It can be used to
* generate resource ID-s to avoid conflicts with other CRIU processes.
*/
-extern uint64_t criu_run_id;
+extern char criu_run_id[RUN_ID_HASH_LENGTH];
extern void util_init(void);
extern char *resolve_mountpoint(char *path);
diff --git a/criu/pidfd-store.c b/criu/pidfd-store.c
index 9fdc74cb74..110f7802a2 100644
--- a/criu/pidfd-store.c
+++ b/criu/pidfd-store.c
@@ -99,7 +99,7 @@ int init_pidfd_store_sk(pid_t pid, int sk)
goto err;
}
- addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-pidfd-store-%d-%d-%" PRIx64, pid, sk,
+ addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-pidfd-store-%d-%d-%s", pid, sk,
criu_run_id);
addrlen += sizeof(addr.sun_family);
diff --git a/criu/unittest/mock.c b/criu/unittest/mock.c
index e517720e42..b2d5072787 100644
--- a/criu/unittest/mock.c
+++ b/criu/unittest/mock.c
@@ -5,6 +5,8 @@
#include <stdint.h>
#include <stdlib.h>
+#include "compel/infect-util.h"
+
int add_external(char *key)
{
return 0;
@@ -141,4 +143,4 @@ int check_mount_v2(void)
return 0;
}
-uint64_t compel_run_id;
+char compel_run_id[RUN_ID_HASH_LENGTH];
diff --git a/criu/util.c b/criu/util.c
index d2bc9a8657..58c18e20be 100644
--- a/criu/util.c
+++ b/criu/util.c
@@ -28,6 +28,7 @@
#include <ftw.h>
#include <time.h>
#include <libgen.h>
+#include <uuid/uuid.h>
#include "linux/mount.h"
@@ -2026,20 +2027,16 @@ int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void *args)
return fret;
}
-uint64_t criu_run_id;
+char criu_run_id[RUN_ID_HASH_LENGTH];
void util_init(void)
{
- struct stat statbuf;
+ uuid_t uuid;
- criu_run_id = getpid();
- if (!stat("/proc/self/ns/pid", &statbuf))
- criu_run_id |= (uint64_t)statbuf.st_ino << 32;
- else if (errno != ENOENT)
- pr_perror("Can't stat /proc/self/ns/pid - CRIU run id might not be unique");
-
- compel_run_id = criu_run_id;
- pr_info("CRIU run id = %#" PRIx64 "\n", criu_run_id);
+ uuid_generate(uuid);
+ uuid_unparse(uuid, criu_run_id);
+ pr_info("CRIU run id = %s\n", criu_run_id);
+ memcpy(compel_run_id, criu_run_id, sizeof(criu_run_id));
}
/*
diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine
index 329d7791de..d843793ea2 100644
--- a/scripts/build/Dockerfile.alpine
+++ b/scripts/build/Dockerfile.alpine
@@ -24,7 +24,8 @@ RUN apk update && apk add \
sudo \
libcap-utils \
libdrm-dev \
- util-linux
+ util-linux \
+ util-linux-dev
COPY . /criu
WORKDIR /criu
diff --git a/scripts/build/Dockerfile.amd-rocm b/scripts/build/Dockerfile.amd-rocm
index c466a73d2d..ed66ae4fec 100644
--- a/scripts/build/Dockerfile.amd-rocm
+++ b/scripts/build/Dockerfile.amd-rocm
@@ -56,6 +56,7 @@ RUN apt-get clean -qqy && apt-get update -qqy && apt-get install -qqy --no-insta
python-protobuf \
python3-minimal \
python-ipaddress \
+ uuid-dev \
curl \
wget \
vim \
diff --git a/scripts/build/Dockerfile.archlinux b/scripts/build/Dockerfile.archlinux
index 4056514891..9d11194bb0 100644
--- a/scripts/build/Dockerfile.archlinux
+++ b/scripts/build/Dockerfile.archlinux
@@ -35,6 +35,7 @@ RUN pacman -Syu --noconfirm \
python-junit-xml \
python-importlib-metadata \
libdrm \
+ util-linux-libs \
diffutils
COPY . /criu
diff --git a/scripts/build/Dockerfile.hotspot-alpine b/scripts/build/Dockerfile.hotspot-alpine
index cb9332fd0c..6caf9d0b1b 100644
--- a/scripts/build/Dockerfile.hotspot-alpine
+++ b/scripts/build/Dockerfile.hotspot-alpine
@@ -19,6 +19,7 @@ RUN apk update && apk add \
maven \
ip6tables \
iptables \
+ util-linux-dev \
bash
COPY . /criu
diff --git a/scripts/build/Dockerfile.hotspot-ubuntu b/scripts/build/Dockerfile.hotspot-ubuntu
index 0318f650f3..67de916acb 100644
--- a/scripts/build/Dockerfile.hotspot-ubuntu
+++ b/scripts/build/Dockerfile.hotspot-ubuntu
@@ -22,6 +22,7 @@ RUN apt-install protobuf-c-compiler \
pkg-config \
iptables \
gcc \
+ uuid-dev \
maven
COPY . /criu
diff --git a/scripts/build/Dockerfile.linux32.tmpl b/scripts/build/Dockerfile.linux32.tmpl
index 13e9926424..d218e06414 100644
--- a/scripts/build/Dockerfile.linux32.tmpl
+++ b/scripts/build/Dockerfile.linux32.tmpl
@@ -21,6 +21,7 @@ RUN apt-install \
pkg-config \
protobuf-c-compiler \
protobuf-compiler \
+ uuid-dev \
python3-minimal
COPY . /criu
diff --git a/scripts/ci/prepare-for-fedora-rawhide.sh b/scripts/ci/prepare-for-fedora-rawhide.sh
index 09085c403b..42252c93c9 100755
--- a/scripts/ci/prepare-for-fedora-rawhide.sh
+++ b/scripts/ci/prepare-for-fedora-rawhide.sh
@@ -36,6 +36,7 @@ dnf install -y \
e2fsprogs \
rubygem-asciidoctor \
libdrm-devel \
+ libuuid-devel \
kmod
# /tmp is no longer 755 in the rawhide container image and breaks CI - fix it
From c39bce3cf17782784d1a14cf40a4cedd059059fa Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 23 Jan 2025 17:42:45 +0000
Subject: [PATCH 2/2] net: remember the name of the lock chain (nftables)
Using libnftables the chain to lock the network is composed of
("CRIU-%d", real_pid). This leads to around 40 zdtm tests failing
with errors like this:
Error: No such file or directory; did you mean table 'CRIU-62' in family inet?
delete table inet CRIU-86
The reason is that as soon as a process is running in a namespace the
real PID can be anything and only the PID in the namespace is restored
correctly. Relying on the real PID does not work for the chain name.
Using the PID of the innermost namespace would lead to the chain be
called 'CRIU-1' most of the time which is also not really unique.
With this commit the change is now named using the already existing CRIU
run ID. To be able to correctly restore the process and delete the
locking table, the CRIU run id during checkpointing is now stored in the
inventory as dump_criu_run_id.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/image.c | 30 ++++++++++++++++++++++++++++++
criu/include/util.h | 2 ++
criu/netfilter.c | 20 +++++++++++++++++++-
images/inventory.proto | 4 ++++
4 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/criu/image.c b/criu/image.c
index 9589167fb1..f3747d6ff5 100644
--- a/criu/image.c
+++ b/criu/image.c
@@ -25,6 +25,7 @@ bool img_common_magic = true;
TaskKobjIdsEntry *root_ids;
u32 root_cg_set;
Lsmtype image_lsm;
+char dump_criu_run_id[RUN_ID_HASH_LENGTH];
int check_img_inventory(bool restore)
{
@@ -120,6 +121,24 @@ int check_img_inventory(bool restore)
} else {
opts.network_lock_method = he->network_lock_method;
}
+
+ /**
+ * This contains the criu_run_id during dumping of the process.
+ * For things like removing network locking (nftables) this
+ * information is needed to identify the name of the network
+ * locking table.
+ */
+ if (he->dump_criu_run_id) {
+ strncpy(dump_criu_run_id, he->dump_criu_run_id, sizeof(dump_criu_run_id) - 1);
+ pr_info("Dump CRIU run id = %s\n", dump_criu_run_id);
+ } else {
+ /**
+ * If restoring from an old image this is a marker
+ * that no dump_criu_run_id exists.
+ */
+ dump_criu_run_id[0] = NO_DUMP_CRIU_RUN_ID;
+ }
+
}
ret = 0;
@@ -367,6 +386,17 @@ int prepare_inventory(InventoryEntry *he)
he->has_network_lock_method = true;
he->network_lock_method = opts.network_lock_method;
+ /**
+ * This contains the criu_run_id during dumping of the process.
+ * For things like removing network locking (nftables) this
+ * information is needed to identify the name of the network
+ * locking table.
+ */
+ he->dump_criu_run_id = xstrdup(criu_run_id);
+
+ if (!he->dump_criu_run_id)
+ return -1;
+
return 0;
}
diff --git a/criu/include/util.h b/criu/include/util.h
index 194e94deeb..55ad5b63cf 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -424,6 +424,8 @@ extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void
*/
extern char criu_run_id[RUN_ID_HASH_LENGTH];
extern void util_init(void);
+#define NO_DUMP_CRIU_RUN_ID 0x7f
+extern char dump_criu_run_id[RUN_ID_HASH_LENGTH];
extern char *resolve_mountpoint(char *path);
diff --git a/criu/netfilter.c b/criu/netfilter.c
index 9e78dc4b03..e2c82764f2 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -299,7 +299,25 @@ int nftables_lock_connection(struct inet_sk_desc *sk)
int nftables_get_table(char *table, int n)
{
- if (snprintf(table, n, "inet CRIU-%d", root_item->pid->real) < 0) {
+ int ret;
+
+ switch(dump_criu_run_id[0]) {
+ case 0:
+ /* This is not a restore.*/
+ ret = snprintf(table, n, "inet CRIU-%s", criu_run_id);
+ break;
+ case NO_DUMP_CRIU_RUN_ID:
+ /**
+ * This is a restore from an older image with no
+ * dump_criu_run_id available. Let's use the old ID.
+ */
+ ret = snprintf(table, n, "inet CRIU-%d", root_item->pid->real);
+ break;
+ default:
+ ret = snprintf(table, n, "inet CRIU-%s", dump_criu_run_id);
+ }
+
+ if (ret < 0) {
pr_err("Cannot generate CRIU's nftables table name\n");
return -1;
}
diff --git a/images/inventory.proto b/images/inventory.proto
index 7f655031bc..1e18815bb9 100644
--- a/images/inventory.proto
+++ b/images/inventory.proto
@@ -29,4 +29,8 @@ message inventory_entry {
optional uint32 pre_dump_mode = 9;
optional bool tcp_close = 10;
optional uint32 network_lock_method = 11;
+ // Remember the criu_run_id when CRIU dumped the process.
+ // This is currently used to delete the correct nftables
+ // network locking rule.
+ optional string dump_criu_run_id = 13;
}

452
2570.patch Normal file
View File

@ -0,0 +1,452 @@
From ed2468f0a3c1c3c3b40b41047ffd97ce32346a4e Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Wed, 22 Jan 2025 14:35:26 +0100
Subject: [PATCH] vdso: switch from DT_HASH to DT_GNU_HASH (aarch64)
Trying to run latest CRIU on CentOS Stream 10 or Ubuntu 24.04 (aarch64)
fails like this:
# criu/criu check -v4
[...]
(00.096460) vdso: Parsing at ffffb2e2a000 ffffb2e2c000
(00.096539) vdso: PT_LOAD p_vaddr: 0
(00.096567) vdso: DT_STRTAB: 1d0
(00.096592) vdso: DT_SYMTAB: 128
(00.096616) vdso: DT_STRSZ: 8a
(00.096640) vdso: DT_SYMENT: 18
(00.096663) Error (criu/pie-util-vdso.c:193): vdso: Not all dynamic entries are present
(00.096688) Error (criu/vdso.c:627): vdso: Failed to fill self vdso symtable
(00.096713) Error (criu/kerndat.c:1906): kerndat_vdso_fill_symtable failed when initializing kerndat.
(00.096812) Found mmap_min_addr 0x10000
(00.096881) files stat: fs/nr_open 1073741816
(00.096908) Error (criu/crtools.c:267): Could not initialize kernel features detection.
This seems to be related to the kernel (6.12.0-41.el10.aarch64). The
Ubuntu user-space is running in a container on the same kernel.
Looking at the kernel this seems to be related to:
commit 48f6430505c0b0498ee9020ce3cf9558b1caaaeb
Author: Fangrui Song <i@maskray.me>
Date: Thu Jul 18 10:34:23 2024 -0700
arm64/vdso: Remove --hash-style=sysv
glibc added support for .gnu.hash in 2006 and .hash has been obsoleted
for more than one decade in many Linux distributions. Using
--hash-style=sysv might imply unaddressed issues and confuse readers.
Just drop the option and rely on the linker default, which is likely
"both", or "gnu" when the distribution really wants to eliminate sysv
hash overhead.
Similar to commit 6b7e26547fad ("x86/vdso: Emit a GNU hash").
The commit basically does:
-ldflags-y := -shared -soname=linux-vdso.so.1 --hash-style=sysv \
+ldflags-y := -shared -soname=linux-vdso.so.1 \
Which results in only a GNU hash being added to the ELF header. This
change has been merged with 6.11.
Looking at the referenced x86 commit:
commit 6b7e26547fad7ace3dcb27a5babd2317fb9d1e12
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Aug 6 14:45:45 2015 -0700
x86/vdso: Emit a GNU hash
Some dynamic loaders may be slightly faster if a GNU hash is
available. Strangely, this seems to have no effect at all on
the vdso size.
This is unlikely to have any measurable effect on the time it
takes to resolve vdso symbols (since there are so few of them).
In some contexts, it can be a win for a different reason: if
every DSO has a GNU hash section, then libc can avoid
calculating SysV hashes at all. Both musl and glibc appear to
have this optimization.
It's plausible that this breaks some ancient glibc version. If
so, then, depending on what glibc versions break, we could
either require COMPAT_VDSO for them or consider reverting.
Which is also a really simple change:
-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
+VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
The big difference here is that for x86 both hash sections are
generated. For aarch64 only the newer GNU hash is generated. That is why
we only see this error on kernel >= 6.11 and aarch64.
Changing from DT_HASH to DT_GNU_HASH seems to work on aarch64. The test
suite runs without any errors.
Unfortunately I am not aware of all implication of this change and if a
successful test suite run means that it still works.
Looking at the kernel I see following hash styles for the VDSO:
aarch64: not specified (only GNU hash style)
arm: --hash-style=sysv
loongarch: --hash-style=sysv
mips: --hash-style=sysv
powerpc: --hash-style=both
riscv: --hash-style=both
s390: --hash-style=both
x86: --hash-style=both
Only aarch64 on kernels >= 6.11 is a problem right now, because all
other platforms provide the old style hashing.
Signed-off-by: Adrian Reber <areber@redhat.com>
Co-developed-by: Dmitry Safonov <dima@arista.com>
Co-authored-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
criu/pie/util-vdso.c | 245 ++++++++++++++++++++++++++++++++++---------
1 file changed, 198 insertions(+), 47 deletions(-)
diff --git a/criu/pie/util-vdso.c b/criu/pie/util-vdso.c
index f1e3239ff5..9819335d81 100644
--- a/criu/pie/util-vdso.c
+++ b/criu/pie/util-vdso.c
@@ -5,6 +5,7 @@
#include <fcntl.h>
#include <errno.h>
#include <stdint.h>
+#include <stdbool.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -48,10 +49,25 @@ static bool __ptr_struct_oob(uintptr_t ptr, size_t struct_size, uintptr_t start,
return __ptr_oob(ptr, start, size) || __ptr_struct_end_oob(ptr, struct_size, start, size);
}
+/* Local strlen implementation */
+static size_t __strlen(const char *str)
+{
+ const char *ptr;
+
+ if (!str)
+ return 0;
+
+ ptr = str;
+ while (*ptr != '\0')
+ ptr++;
+
+ return ptr - str;
+}
+
/*
* Elf hash, see format specification.
*/
-static unsigned long elf_hash(const unsigned char *name)
+static unsigned long elf_sysv_hash(const unsigned char *name)
{
unsigned long h = 0, g;
@@ -65,6 +81,15 @@ static unsigned long elf_hash(const unsigned char *name)
return h;
}
+/* * The GNU hash format. Taken from glibc. */
+static unsigned long elf_gnu_hash(const unsigned char *name)
+{
+ unsigned long h = 5381;
+ for (unsigned char c = *name; c != '\0'; c = *++name)
+ h = h * 33 + c;
+ return h;
+}
+
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define BORD ELFDATA2MSB /* 0x02 */
#else
@@ -149,11 +174,14 @@ static int parse_elf_phdr(uintptr_t mem, size_t size, Phdr_t **dynamic, Phdr_t *
* Output parameters are:
* @dyn_strtab - address of the symbol table
* @dyn_symtab - address of the string table section
- * @dyn_hash - address of the symbol hash table
+ * @dyn_hash - address of the symbol hash table
+ * @use_gnu_hash - the format of hash DT_HASH or DT_GNU_HASH
*/
-static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic, Dyn_t **dyn_strtab, Dyn_t **dyn_symtab,
- Dyn_t **dyn_hash)
+static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic,
+ Dyn_t **dyn_strtab, Dyn_t **dyn_symtab,
+ Dyn_t **dyn_hash, bool *use_gnu_hash)
{
+ Dyn_t *dyn_gnu_hash = NULL, *dyn_sysv_hash = NULL;
Dyn_t *dyn_syment = NULL;
Dyn_t *dyn_strsz = NULL;
uintptr_t addr;
@@ -184,16 +212,52 @@ static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic, Dyn_t
dyn_syment = d;
pr_debug("DT_SYMENT: %lx\n", (unsigned long)d->d_un.d_val);
} else if (d->d_tag == DT_HASH) {
- *dyn_hash = d;
+ dyn_sysv_hash = d;
pr_debug("DT_HASH: %lx\n", (unsigned long)d->d_un.d_ptr);
+ } else if (d->d_tag == DT_GNU_HASH) {
+ /*
+ * This is complicated.
+ *
+ * Looking at the Linux kernel source, the following can be seen
+ * regarding which hashing style the VDSO uses on each arch:
+ *
+ * aarch64: not specified (depends on linker, can be
+ * only GNU hash style)
+ * arm: --hash-style=sysv
+ * loongarch: --hash-style=sysv
+ * mips: --hash-style=sysv
+ * powerpc: --hash-style=both
+ * riscv: --hash-style=both
+ * s390: --hash-style=both
+ * x86: --hash-style=both
+ *
+ * Some architectures are using both hash-styles, that
+ * is the easiest for CRIU. Some architectures are only
+ * using the old style (sysv), that is what CRIU supports.
+ *
+ * Starting with Linux 6.11, aarch64 unfortunately decided
+ * to switch from '--hash-style=sysv' to ''. Specifying
+ * nothing unfortunately may mean GNU hash style only and not
+ * 'both' (depending on the linker).
+ */
+ dyn_gnu_hash = d;
+ pr_debug("DT_GNU_HASH: %lx\n", (unsigned long)d->d_un.d_ptr);
}
}
- if (!*dyn_strtab || !*dyn_symtab || !dyn_strsz || !dyn_syment || !*dyn_hash) {
+ if (!*dyn_strtab || !*dyn_symtab || !dyn_strsz || !dyn_syment ||
+ (!dyn_gnu_hash && !dyn_sysv_hash)) {
pr_err("Not all dynamic entries are present\n");
return -EINVAL;
}
+ /*
+ * Prefer DT_HASH over DT_GNU_HASH as it's been more tested and
+ * as a result more stable.
+ */
+ *use_gnu_hash = !dyn_sysv_hash;
+ *dyn_hash = dyn_sysv_hash ?: dyn_gnu_hash;
+
return 0;
err_oob:
@@ -208,60 +272,141 @@ typedef unsigned long Hash_t;
typedef Word_t Hash_t;
#endif
-static void parse_elf_symbols(uintptr_t mem, size_t size, Phdr_t *load, struct vdso_symtable *t,
- uintptr_t dynsymbol_names, Hash_t *hash, Dyn_t *dyn_symtab)
+static bool elf_symbol_match(uintptr_t mem, size_t size,
+ uintptr_t dynsymbol_names, Sym_t *sym,
+ const char *symbol, const size_t vdso_symbol_length)
{
- ARCH_VDSO_SYMBOLS_LIST
-
- const char *vdso_symbols[VDSO_SYMBOL_MAX] = { ARCH_VDSO_SYMBOLS };
- const size_t vdso_symbol_length = sizeof(t->symbols[0].name) - 1;
+ uintptr_t addr = (uintptr_t)sym;
+ char *name;
- Hash_t nbucket, nchain;
- Hash_t *bucket, *chain;
+ if (__ptr_struct_oob(addr, sizeof(Sym_t), mem, size))
+ return false;
- unsigned int i, j, k;
- uintptr_t addr;
+ if (ELF_ST_TYPE(sym->st_info) != STT_FUNC && ELF_ST_BIND(sym->st_info) != STB_GLOBAL)
+ return false;
- nbucket = hash[0];
- nchain = hash[1];
- bucket = &hash[2];
- chain = &hash[nbucket + 2];
+ addr = dynsymbol_names + sym->st_name;
+ if (__ptr_struct_oob(addr, vdso_symbol_length, mem, size))
+ return false;
+ name = (void *)addr;
- pr_debug("nbucket %lx nchain %lx bucket %lx chain %lx\n", (long)nbucket, (long)nchain, (unsigned long)bucket,
- (unsigned long)chain);
+ return !std_strncmp(name, symbol, vdso_symbol_length);
+}
- for (i = 0; i < VDSO_SYMBOL_MAX; i++) {
- const char *symbol = vdso_symbols[i];
- k = elf_hash((const unsigned char *)symbol);
- for (j = bucket[k % nbucket]; j < nchain && j != STN_UNDEF; j = chain[j]) {
- Sym_t *sym;
- char *name;
+static unsigned long elf_symbol_lookup(uintptr_t mem, size_t size,
+ const char *symbol, uint32_t symbol_hash, unsigned int sym_off,
+ uintptr_t dynsymbol_names, Dyn_t *dyn_symtab, Phdr_t *load,
+ Hash_t nbucket, Hash_t nchain, Hash_t *bucket, Hash_t *chain,
+ const size_t vdso_symbol_length, bool use_gnu_hash)
+{
+ unsigned int j;
+ uintptr_t addr;
- addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr;
+ j = bucket[symbol_hash % nbucket];
+ if (j == STN_UNDEF)
+ return 0;
+
+ addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr;
+
+ if (use_gnu_hash) {
+ uint32_t *h = bucket + nbucket + (j - sym_off);
+ uint32_t hash_val;
+
+ symbol_hash |= 1;
+ do {
+ Sym_t *sym = (void *)addr + sizeof(Sym_t) * j;
+
+ hash_val = *h++;
+ if ((hash_val | 1) == symbol_hash &&
+ elf_symbol_match(mem, size, dynsymbol_names, sym,
+ symbol, vdso_symbol_length))
+ return sym->st_value;
+ j++;
+ } while (!(hash_val & 1));
+ } else {
+ for (; j < nchain && j != STN_UNDEF; j = chain[j]) {
+ Sym_t *sym = (void *)addr + sizeof(Sym_t) * j;
+
+ if (elf_symbol_match(mem, size, dynsymbol_names, sym,
+ symbol, vdso_symbol_length))
+ return sym->st_value;
+ }
+ }
+ return 0;
+}
- addr += sizeof(Sym_t) * j;
- if (__ptr_struct_oob(addr, sizeof(Sym_t), mem, size))
- continue;
- sym = (void *)addr;
+static int parse_elf_symbols(uintptr_t mem, size_t size, Phdr_t *load,
+ struct vdso_symtable *t, uintptr_t dynsymbol_names,
+ Hash_t *hash, Dyn_t *dyn_symtab, bool use_gnu_hash)
+{
+ ARCH_VDSO_SYMBOLS_LIST
- if (ELF_ST_TYPE(sym->st_info) != STT_FUNC && ELF_ST_BIND(sym->st_info) != STB_GLOBAL)
- continue;
+ const char *vdso_symbols[VDSO_SYMBOL_MAX] = { ARCH_VDSO_SYMBOLS };
+ const size_t vdso_symbol_length = sizeof(t->symbols[0].name) - 1;
- addr = dynsymbol_names + sym->st_name;
- if (__ptr_struct_oob(addr, vdso_symbol_length, mem, size))
- continue;
- name = (void *)addr;
+ Hash_t *bucket = NULL;
+ Hash_t *chain = NULL;
+ Hash_t nbucket = 0;
+ Hash_t nchain = 0;
+
+ unsigned int sym_off = 0;
+ unsigned int i = 0;
+
+ unsigned long (*elf_hash)(const unsigned char *);
+
+ if (use_gnu_hash) {
+ uint32_t *gnu_hash = (uint32_t *)hash;
+ uint32_t bloom_sz;
+ size_t *bloom;
+
+ nbucket = gnu_hash[0];
+ sym_off = gnu_hash[1];
+ bloom_sz = gnu_hash[2];
+ bloom = (size_t *)&gnu_hash[4];
+ bucket = (Hash_t *)(&bloom[bloom_sz]);
+ elf_hash = &elf_gnu_hash;
+ pr_debug("nbucket %lx sym_off %lx bloom_sz %lx bloom %lx bucket %lx\n",
+ (unsigned long)nbucket, (unsigned long)sym_off,
+ (unsigned long)bloom_sz, (unsigned long)bloom,
+ (unsigned long)bucket);
+ } else {
+ nbucket = hash[0];
+ nchain = hash[1];
+ bucket = &hash[2];
+ chain = &hash[nbucket + 2];
+ elf_hash = &elf_sysv_hash;
+ pr_debug("nbucket %lx nchain %lx bucket %lx chain %lx\n",
+ (unsigned long)nbucket, (unsigned long)nchain,
+ (unsigned long)bucket, (unsigned long)chain);
+ }
- if (std_strncmp(name, symbol, vdso_symbol_length))
- continue;
- /* XXX: provide strncpy() implementation for PIE */
- memcpy(t->symbols[i].name, name, vdso_symbol_length);
- t->symbols[i].offset = (unsigned long)sym->st_value - load->p_vaddr;
- break;
+ for (i = 0; i < VDSO_SYMBOL_MAX; i++) {
+ const char *symbol = vdso_symbols[i];
+ unsigned long addr, symbol_hash;
+ const size_t symbol_length = __strlen(symbol);
+
+ symbol_hash = elf_hash((const unsigned char *)symbol);
+ addr = elf_symbol_lookup(mem, size, symbol, symbol_hash,
+ sym_off, dynsymbol_names, dyn_symtab, load,
+ nbucket, nchain, bucket, chain,
+ vdso_symbol_length, use_gnu_hash);
+ pr_debug("symbol %s at address %lx\n", symbol, addr);
+ if (!addr)
+ continue;
+
+ /* XXX: provide strncpy() implementation for PIE */
+ if (symbol_length > vdso_symbol_length) {
+ pr_err("strlen(%s) %zd, only %zd bytes available\n",
+ symbol, symbol_length, vdso_symbol_length);
+ return -EINVAL;
}
+ memcpy(t->symbols[i].name, symbol, symbol_length);
+ t->symbols[i].offset = addr - load->p_vaddr;
}
+
+ return 0;
}
int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t)
@@ -271,6 +416,7 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t)
Dyn_t *dyn_symtab = NULL;
Dyn_t *dyn_hash = NULL;
Hash_t *hash = NULL;
+ bool use_gnu_hash;
uintptr_t dynsymbol_names;
uintptr_t addr;
@@ -296,7 +442,8 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t)
* needed. Note that we're interested in a small set of tags.
*/
- ret = parse_elf_dynamic(mem, size, dynamic, &dyn_strtab, &dyn_symtab, &dyn_hash);
+ ret = parse_elf_dynamic(mem, size, dynamic, &dyn_strtab, &dyn_symtab,
+ &dyn_hash, &use_gnu_hash);
if (ret < 0)
return ret;
@@ -310,7 +457,11 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t)
goto err_oob;
hash = (void *)addr;
- parse_elf_symbols(mem, size, load, t, dynsymbol_names, hash, dyn_symtab);
+ ret = parse_elf_symbols(mem, size, load, t, dynsymbol_names, hash, dyn_symtab,
+ use_gnu_hash);
+
+ if (ret <0)
+ return ret;
return 0;

38
2590.patch Normal file
View File

@ -0,0 +1,38 @@
From de5dba8c47ffe4e16fae17539270d55e1a8604d1 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 7 Feb 2025 09:24:19 +0100
Subject: [PATCH] vdso: handle s390x correctly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On s390x there is currently a build failure:
criu/pie/util-vdso.c: In function elf_symbol_lookup:
criu/pie/util-vdso.c:313:31: error: initialization of uint32_t * {aka unsigned int *} from incompatible pointer type Hash_t * {aka long unsigned int *} [-Wincompatible-pointer-types]
313 | uint32_t *h = bucket + nbucket + (j - sym_off);
| ^~~~~~
Replacing uint32_t with Hash_t which is defined behind a architecture
specific ifdef solves this error.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/pie/util-vdso.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/criu/pie/util-vdso.c b/criu/pie/util-vdso.c
index 9819335d81..d16fd85f43 100644
--- a/criu/pie/util-vdso.c
+++ b/criu/pie/util-vdso.c
@@ -310,8 +310,8 @@ static unsigned long elf_symbol_lookup(uintptr_t mem, size_t size,
addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr;
if (use_gnu_hash) {
- uint32_t *h = bucket + nbucket + (j - sym_off);
- uint32_t hash_val;
+ Hash_t *h = bucket + nbucket + (j - sym_off);
+ Hash_t hash_val;
symbol_hash |= 1;
do {

67
SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
View File

@ -1,67 +0,0 @@
From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 3 May 2019 06:27:51 +0000
Subject: [PATCH] lsm: fix compiler error 'unused-result'
Reading out the xattr 'security.selinux' of checkpointed sockets with
fscanf() works (at least in theory) without checking the result of
fscanf(). There are, however, multiple CI failures when ignoring the
return value of fscanf().
This adds ferror() to check if the stream has an actual error or if '-1'
just mean EOF.
Handle all errors of fscanf() // Andrei
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/lsm.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index ef6ba112b3..9c9ac7f80e 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
return -1;
if (fscanf(f, "%ms", profile_name) != 1) {
- fclose(f);
pr_perror("err scanfing");
+ fclose(f);
return -1;
}
@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
static int selinux_get_sockcreate_label(pid_t pid, char **output)
{
FILE *f;
+ int ret;
f = fopen_proc(pid, "attr/sockcreate");
if (!f)
return -1;
- fscanf(f, "%ms", output);
- /*
- * No need to check the result of fscanf(). If there is something
- * in /proc/PID/attr/sockcreate it will be copied to *output. If
- * there is nothing it will stay NULL. So whatever fscanf() does
- * it should be correct.
- */
-
+ ret = fscanf(f, "%ms", output);
+ if (ret == -1 && errno != 0) {
+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
+ /*
+ * Only if the error indicator is set it is a real error.
+ * -1 could also be EOF, which would mean that sockcreate
+ * was just empty, which is the most common case.
+ */
+ fclose(f);
+ return -1;
+ }
fclose(f);
return 0;
}

834
SOURCES/685.patch
View File

@ -1,834 +0,0 @@
From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:41:46 +0000
Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
The file /proc/PID/attr/sockcreate is used by SELinux to label newly
created sockets with the label available at sockcreate.
If it is NULL, the default label of the process will be used.
This reads out that file during checkpoint and restores the value during
restore.
This value is irrelevant for existing sockets as they might have been
created with another context. This is only to make sure that newly
created sockets have the correct context.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++
criu/include/restorer.h | 2 ++
criu/lsm.c | 32 ++++++++++++++++++++++++++++++++
criu/pie/restorer.c | 15 ++++++++++-----
images/creds.proto | 1 +
5 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 5fd22e9246..f254cbc0eb 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
if (args->lsm_profile)
args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
+ if (args->lsm_sockcreate)
+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
if (args->groups)
args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
args->mem_lsm_profile_pos = 0;
}
+ if (ce->lsm_sockcreate) {
+ char *rendered = NULL;
+ char *profile;
+
+ profile = ce->lsm_sockcreate;
+
+ if (validate_lsm(profile) < 0)
+ return ERR_PTR(-EINVAL);
+
+ if (profile && render_lsm_profile(profile, &rendered)) {
+ return ERR_PTR(-EINVAL);
+ }
+ if (rendered) {
+ size_t lsm_sockcreate_len;
+ char *lsm_sockcreate;
+
+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
+ lsm_sockcreate_len = strlen(rendered);
+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
+ if (!lsm_sockcreate) {
+ xfree(rendered);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
+ args->lsm_sockcreate = lsm_sockcreate;
+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
+ xfree(rendered);
+ }
+ } else {
+ args->lsm_sockcreate = NULL;
+ args->mem_lsm_sockcreate_pos = 0;
+ }
+
/*
* Zap fields which we can't use.
*/
diff --git a/criu/include/restorer.h b/criu/include/restorer.h
index 2884ce9e6d..b83e9130c5 100644
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -69,8 +69,10 @@ struct thread_creds_args {
unsigned int secbits;
char *lsm_profile;
unsigned int *groups;
+ char *lsm_sockcreate;
unsigned long mem_lsm_profile_pos;
+ unsigned long mem_lsm_sockcreate_pos;
unsigned long mem_groups_pos;
unsigned long mem_pos_next;
diff --git a/criu/lsm.c b/criu/lsm.c
index 849ec37cde..b0ef0c396c 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
freecon(ctx);
return ret;
}
+
+/*
+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
+ * to see if the PID has a special label specified for sockets.
+ * Most of the time this will be empty and the process will use
+ * the process context also for sockets.
+ */
+static int selinux_get_sockcreate_label(pid_t pid, char **output)
+{
+ FILE *f;
+
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+
+ fscanf(f, "%ms", output);
+ /*
+ * No need to check the result of fscanf(). If there is something
+ * in /proc/PID/attr/sockcreate it will be copied to *output. If
+ * there is nothing it will stay NULL. So whatever fscanf() does
+ * it should be correct.
+ */
+
+ fclose(f);
+ return 0;
+}
#endif
void kerndat_lsm(void)
@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
int ret;
ce->lsm_profile = NULL;
+ ce->lsm_sockcreate = NULL;
switch (kdat.lsm) {
case LSMTYPE__NO_LSM:
@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
#ifdef CONFIG_HAS_SELINUX
case LSMTYPE__SELINUX:
ret = selinux_get_label(pid, &ce->lsm_profile);
+ if (ret)
+ break;
+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
break;
#endif
default:
@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
if (ce->lsm_profile)
pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
+ if (ce->lsm_sockcreate)
+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
return ret;
}
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 6e18cc2606..4f42605a09 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
sys_exit_group(1);
}
-static int lsm_set_label(char *label, int procfd)
+static int lsm_set_label(char *label, char *type, int procfd)
{
int ret = -1, len, lsmfd;
char path[STD_LOG_SIMPLE_CHUNK];
@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
if (!label)
return 0;
- pr_info("restoring lsm profile %s\n", label);
+ pr_info("restoring lsm profile (%s) %s\n", type, label);
- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
if (lsmfd < 0) {
@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
* SELinux and instead the process context is set before the
* threads are created.
*/
- if (lsm_set_label(args->lsm_profile, procfd) < 0)
+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
return -1;
}
+
+ /* Also set the sockcreate label for all threads */
+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
+ return -1;
+
return 0;
}
@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
if (args->lsm_type == LSMTYPE__SELINUX) {
/* Only for SELinux */
if (lsm_set_label(args->t->creds_args->lsm_profile,
- args->proc_fd) < 0)
+ "current", args->proc_fd) < 0)
goto core_restore_end;
}
diff --git a/images/creds.proto b/images/creds.proto
index 29fb8652eb..23b84c7e50 100644
--- a/images/creds.proto
+++ b/images/creds.proto
@@ -20,4 +20,5 @@ message creds_entry {
repeated uint32 groups = 14;
optional string lsm_profile = 15;
+ optional string lsm_sockcreate = 16;
}
From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:47:29 +0000
Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
restore
This makes sure that sockcreate stays empty for selinux00 before and
after checkpoint/restore.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
index dd9096a6fc..db8420eacb 100644
--- a/test/zdtm/static/selinux00.c
+++ b/test/zdtm/static/selinux00.c
@@ -83,6 +83,31 @@ int checkprofile()
return 0;
}
+int check_sockcreate()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
test_init(argc, argv);
@@ -95,12 +120,21 @@ int main(int argc, char **argv)
return 0;
}
+ if (check_sockcreate())
+ return -1;
+
if (setprofile())
return -1;
+ if (check_sockcreate())
+ return -1;
+
test_daemon();
test_waitsig();
+ if (check_sockcreate())
+ return -1;
+
if (checkprofile() == 0)
pass();
From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Mon, 29 Apr 2019 15:21:59 +0200
Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
Restoring a SELinux process also requires to correctly label sockets.
During checkpointing fgetxattr() is used to retrieve the
"security.selinux" xattr and during restore setsockcreatecon() is used
before a socket is created.
Previous commits are already restoring the sockcreate SELinux setting if
set by the process.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/include/lsm.h | 18 +++++++++++++++
criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++
criu/sk-inet.c | 12 ++++++++++
criu/sockets.c | 4 ++++
images/fdinfo.proto | 1 +
5 files changed, 91 insertions(+)
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b4fce13039..3b82712829 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -3,6 +3,7 @@
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
int render_lsm_profile(char *profile, char **val);
extern int lsm_check_opts(void);
+
+#ifdef CONFIG_HAS_SELINUX
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
+int run_setsockcreatecon(FdinfoEntry *e);
+int reset_setsockcreatecon();
+#else
+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
+ return 0;
+}
+static inline int run_setsockcreatecon(FdinfoEntry *e) {
+ return 0;
+}
+static inline int reset_setsockcreatecon() {
+ return 0;
+}
+#endif
+
#endif /* __CR_LSM_H__ */
diff --git a/criu/lsm.c b/criu/lsm.c
index b0ef0c396c..ef6ba112b3 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -3,6 +3,7 @@
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <unistd.h>
#include "common/config.h"
@@ -11,10 +12,12 @@
#include "util.h"
#include "cr_options.h"
#include "lsm.h"
+#include "fdstore.h"
#include "protobuf.h"
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#ifdef CONFIG_HAS_SELINUX
#include <selinux/selinux.h>
@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
fclose(f);
return 0;
}
+
+int reset_setsockcreatecon()
+{
+ return setsockcreatecon_raw(NULL);
+}
+
+int run_setsockcreatecon(FdinfoEntry *e)
+{
+ char *ctx = NULL;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+ return setsockcreatecon_raw(ctx);
+}
+
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+{
+ char *ctx = NULL;
+ int len;
+ int ret;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ /* Get the size of the xattr. */
+ len = fgetxattr(fd, "security.selinux", ctx, 0);
+ if (len == -1) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ ctx = xmalloc(len);
+ if (!ctx) {
+ pr_err("xmalloc to read xattr for FD %d failed\n", fd);
+ return -1;
+ }
+
+ ret = fgetxattr(fd, "security.selinux", ctx, len);
+ if (len != ret) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ e->xattr_security_selinux = ctx;
+
+ return 0;
+}
+
#endif
void kerndat_lsm(void)
diff --git a/criu/sk-inet.c b/criu/sk-inet.c
index 60ee4c3155..ca5c9bf2cd 100644
--- a/criu/sk-inet.c
+++ b/criu/sk-inet.c
@@ -23,6 +23,9 @@
#include "files.h"
#include "image.h"
#include "log.h"
+#include "lsm.h"
+#include "kerndat.h"
+#include "pstree.h"
#include "rst-malloc.h"
#include "sockets.h"
#include "sk-inet.h"
@@ -30,6 +33,8 @@
#include "util.h"
#include "namespaces.h"
+#include "images/inventory.pb-c.h"
+
#undef LOG_PREFIX
#define LOG_PREFIX "inet: "
@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
if (set_netns(ie->ns_id))
return -1;
+ if (run_setsockcreatecon(fle->fe))
+ return -1;
+
sk = socket(ie->family, ie->type, ie->proto);
if (sk < 0) {
pr_perror("Can't create inet socket");
return -1;
}
+ if (reset_setsockcreatecon())
+ return -1;
+
if (ie->v6only) {
if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
goto err;
@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
}
*new_fd = sk;
+
return 1;
err:
close(sk);
diff --git a/criu/sockets.c b/criu/sockets.c
index 30072ac737..7f7453ca1d 100644
--- a/criu/sockets.c
+++ b/criu/sockets.c
@@ -22,6 +22,7 @@
#include "util-pie.h"
#include "sk-packet.h"
#include "namespaces.h"
+#include "lsm.h"
#include "net.h"
#include "xmalloc.h"
#include "fs-magic.h"
@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
int family;
const struct fdtype_ops *ops;
+ if (dump_xattr_security_selinux(lfd, e))
+ return -1;
+
if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
return -1;
diff --git a/images/fdinfo.proto b/images/fdinfo.proto
index ed82ceffe7..77e375aa94 100644
--- a/images/fdinfo.proto
+++ b/images/fdinfo.proto
@@ -47,6 +47,7 @@ message fdinfo_entry {
required uint32 flags = 2;
required fd_types type = 3;
required uint32 fd = 4;
+ optional string xattr_security_selinux = 5;
}
message file_entry {
From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 30 Apr 2019 09:47:32 +0000
Subject: [PATCH 4/4] selinux: add socket label test
This adds two more SELinux test to verfy that checkpointing and
restoring SELinux socket labels works correctly, if the process uses
setsockcreatecon() or if the process leaves the default context for
newly created sockets.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/Makefile | 3 +
test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++
test/zdtm/static/selinux01.checkskip | 1 +
test/zdtm/static/selinux01.desc | 1 +
test/zdtm/static/selinux01.hook | 1 +
test/zdtm/static/selinux02.c | 1 +
test/zdtm/static/selinux02.checkskip | 1 +
test/zdtm/static/selinux02.desc | 1 +
test/zdtm/static/selinux02.hook | 1 +
9 files changed, 210 insertions(+)
create mode 100644 test/zdtm/static/selinux01.c
create mode 120000 test/zdtm/static/selinux01.checkskip
create mode 120000 test/zdtm/static/selinux01.desc
create mode 120000 test/zdtm/static/selinux01.hook
create mode 120000 test/zdtm/static/selinux02.c
create mode 120000 test/zdtm/static/selinux02.checkskip
create mode 120000 test/zdtm/static/selinux02.desc
create mode 120000 test/zdtm/static/selinux02.hook
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 8e3f39276a..1ffaa90394 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -211,6 +211,8 @@ TST_NOFILE := \
thp_disable \
pid_file \
selinux00 \
+ selinux01 \
+ selinux02 \
# jobctl00 \
ifneq ($(SRCARCH),arm)
@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
ghost_holes01: CFLAGS += -DTAIL_HOLE
ghost_holes02: CFLAGS += -DHEAD_HOLE
sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE
+selinux02: CFLAGS += -DUSING_SOCKCREATE
stopped01: CFLAGS += -DZDTM_STOPPED_KILL
stopped02: CFLAGS += -DZDTM_STOPPED_TKILL
stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
new file mode 100644
index 0000000000..9966455c47
--- /dev/null
+++ b/test/zdtm/static/selinux01.c
@@ -0,0 +1,200 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/socket.h>
+#include <sys/xattr.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
+
+const char *test_doc = "Check that a SELinux socket context is restored";
+const char *test_author = "Adrian Reber <areber@redhat.com>";
+
+/* This is all based on Tycho's apparmor code */
+
+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
+
+/*
+ * This is used to store the state of SELinux. For this test
+ * SELinux is switched to permissive mode and later the previous
+ * SELinux state is restored.
+ */
+char state;
+
+int check_for_selinux()
+{
+ if (access("/sys/fs/selinux", F_OK) == 0)
+ return 0;
+ return 1;
+}
+
+int setprofile()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/current\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int set_sockcreate()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/sockcreate", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate()
+{
+ int fd;
+ char context[1024];
+ int len;
+
+
+ fd = open("/proc/self/attr/sockcreate", O_RDONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = read(fd, context, strlen(CONTEXT));
+ close(fd);
+ if (len != strlen(CONTEXT)) {
+ fail("SELinux context has unexpected length %d, expected %zd\n",
+ len, strlen(CONTEXT));
+ return -1;
+ }
+
+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate_empty()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ char ctx[1024];
+ test_init(argc, argv);
+
+ if (check_for_selinux()) {
+ skip("SELinux not found on this system.");
+ test_daemon();
+ test_waitsig();
+ pass();
+ return 0;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (set_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+
+ if (setprofile())
+ return -1;
+
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ /* Open our test socket */
+ int sk = socket(AF_INET, SOCK_STREAM, 0);
+ memset(ctx, 0, 1024);
+ /* Read out the socket label */
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+ memset(ctx, 0, 1024);
+
+ test_daemon();
+ test_waitsig();
+
+ /* Read out the socket label again */
+
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (check_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ pass();
+
+ return 0;
+}
diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
new file mode 120000
index 0000000000..e8a172479e
--- /dev/null
+++ b/test/zdtm/static/selinux01.checkskip
@@ -0,0 +1 @@
+selinux00.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
new file mode 120000
index 0000000000..2d2961a764
--- /dev/null
+++ b/test/zdtm/static/selinux01.desc
@@ -0,0 +1 @@
+selinux00.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
new file mode 120000
index 0000000000..dd7ed6bb33
--- /dev/null
+++ b/test/zdtm/static/selinux01.hook
@@ -0,0 +1 @@
+selinux00.hook
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
new file mode 120000
index 0000000000..5702677858
--- /dev/null
+++ b/test/zdtm/static/selinux02.c
@@ -0,0 +1 @@
+selinux01.c
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
new file mode 120000
index 0000000000..2696e6e3de
--- /dev/null
+++ b/test/zdtm/static/selinux02.checkskip
@@ -0,0 +1 @@
+selinux01.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
new file mode 120000
index 0000000000..9c6802c4da
--- /dev/null
+++ b/test/zdtm/static/selinux02.desc
@@ -0,0 +1 @@
+selinux01.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
new file mode 120000
index 0000000000..e3ea0a6c80
--- /dev/null
+++ b/test/zdtm/static/selinux02.hook
@@ -0,0 +1 @@
+selinux01.hook
\ No newline at end of file

44
SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
View File

@ -1,44 +0,0 @@
From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@gmail.com>
Date: Sat, 4 May 2019 20:01:52 -0700
Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
Fixes #693
---
criu/lsm.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 9c9ac7f80e..5921138392 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
int reset_setsockcreatecon()
{
- return setsockcreatecon_raw(NULL);
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ if (setsockcreatecon_raw(NULL)) {
+ pr_perror("Unable to reset socket SELinux context");
+ return -1;
+ }
+ return 0;
}
int run_setsockcreatecon(FdinfoEntry *e)
@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
ctx = e->xattr_security_selinux;
/* Writing to the FD using fsetxattr() did not work for some reason. */
- return setsockcreatecon_raw(ctx);
+ if (setsockcreatecon_raw(ctx)) {
+ pr_perror("Unable to set the %s socket SELinux context", ctx);
+ return -1;
+ }
+ return 0;
}
int dump_xattr_security_selinux(int fd, FdinfoEntry *e)

40
SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
View File

@ -1,40 +0,0 @@
From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Sat, 4 May 2019 15:27:32 +0200
Subject: [PATCH] lsm: fix compiler error on Fedora 30
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes following compiler error:
criu/lsm.c: In function dump_xattr_security_selinux:
criu/include/log.h:51:2: error: %s directive argument is null [-Werror=format-overflow=]
51 | print_on_level(LOG_ERROR, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
52 | "Error (%s:%d): " LOG_PREFIX fmt, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53 | __FILE__, __LINE__, ##__VA_ARGS__)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
criu/lsm.c:166:3: note: in expansion of macro pr_err
166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
| ^~~~~~
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 5921138392..420585ba4f 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
/* Get the size of the xattr. */
len = fgetxattr(fd, "security.selinux", ctx, 0);
if (len == -1) {
- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
return -1;
}

0
SOURCES/criu-tmpfiles.conf → criu-tmpfiles.conf
View File

27
criu.pc.patch Normal file
View File

@ -0,0 +1,27 @@
From 341ef149ee259d9432ea4c01507eefab2ef8b83c Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov <radostin@redhat.com>
Date: Thu, 14 Oct 2021 12:58:56 +0100
Subject: [PATCH] criu.pc: Add libprotobuf-c as a dependency
CRIU has a dependency on protobuf-c-devel. We express this dependency
in pkgconfig to be auto-detected when building a package.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
---
lib/c/criu.pc.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/c/criu.pc.in b/lib/c/criu.pc.in
index 33986d10d..bcced5033 100644
--- a/lib/c/criu.pc.in
+++ b/lib/c/criu.pc.in
@@ -4,5 +4,6 @@ includedir=@includedir@
Name: CRIU
Description: RPC library for userspace checkpoint and restore
Version: @version@
+Requires.private: libprotobuf-c
Libs: -L${libdir} -lcriu
Cflags: -I${includedir}
--
2.31.1

347
SPECS/criu.spec → criu.spec
View File

@ -1,57 +1,68 @@
%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
%global py_prefix python3
%global py_binary %{py_prefix}
%else
%global py_prefix python
%global py_binary python2
%endif
# With annobin enabled, CRIU does not work anymore. It seems CRIU's
# parasite code breaks if annobin is enabled.
%undefine _annotated_build
# Disable automatic call to the set_build_flags macro
# at the beginning of the build, check, and install.
# This change was introduced in Fedora 36.
%undefine _auto_set_build_flags
Name: criu
Version: 3.12
Version: 3.19
Release: 9%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
License: GPLv2
License: GPL-2.0-only AND LGPL-2.1-only AND MIT
URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz
# This switches the default network locking backend from
# iptables to nftables
Patch0: network.lock.nftables.patch
# Update restartable sequences to latest upstream code
Patch1: https://github.com/checkpoint-restore/criu/commit/089345f77a34d1bc7ef146d650636afcd3cdda21.patch
# Unfortunately crun added code to always force
# iptables backed network locking. This disables
# setting the network locking to iptables via RPC.
Patch2: disable.network.locking.via.rpc.patch
# net: redirect nftables stdout and stderr to CRIU's log file #2549
Patch3: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2549.patch
# net: remember the name of the lock chain (nftables) #2550
# based on https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2550.patch
Patch4: 2550.patch
# vdso: switch from DT_HASH to DT_GNU_HASH (aarch64) #2570
Patch5: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2570.patch
# vdso: handle s390x correctly #2590
Patch6: https://github.com/checkpoint-restore/criu/pull/2590.patch
Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
# Add protobuf-c as a dependency.
# We use this patch because the protobuf-c package name
# in RPM and DEB is different.
Patch99: criu.pc.patch
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: perl
# RHEL has no asciidoc; take man-page from Fedora 26
# zcat /usr/share/man/man8/criu.8.gz > criu.8
Source1: criu.8
Source2: crit.1
# The patch aio-fix.patch is needed as RHEL7
# doesn't do "nr_events *= 2" in ioctx_alloc().
Patch100: aio-fix.patch
%endif
Source3: criu-tmpfiles.conf
Source5: criu-tmpfiles.conf
BuildRequires: gcc
BuildRequires: systemd
BuildRequires: libnet-devel
BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
%if 0%{?fedora} || 0%{?rhel} > 7
BuildRequires: asciidoc xmlto
BuildRequires: %{py_prefix}-pip
BuildRequires: %{py_prefix}-setuptools
BuildRequires: %{py_prefix}-wheel
BuildRequires: %{py_prefix}-protobuf
BuildRequires: asciidoctor
BuildRequires: perl-interpreter
BuildRequires: libselinux-devel
BuildRequires: gnutls-devel
BuildRequires: nftables-devel
BuildRequires: libuuid-devel
# Checkpointing containers with a tmpfs requires tar
Recommends: tar
%if 0%{?fedora}
BuildRequires: libbsd-devel
%endif
%endif
BuildRequires: make
# user-space and kernel changes are only available for x86_64, arm,
# ppc64le, aarch64 and s390x
@ -63,10 +74,10 @@ criu is the user-space part of Checkpoint/Restore in User-space
(CRIU), a project to implement checkpoint/restore functionality for
Linux in user-space.
%if 0%{?fedora}
%package devel
Summary: Header files and libraries for %{name}
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
%description devel
This package contains header files and libraries for %{name}.
@ -77,18 +88,11 @@ Requires: %{name} = %{version}-%{release}
%description libs
This package contains the libraries for %{name}
%endif
%package -n %{py_prefix}-%{name}
%{?python_provide:%python_provide %{py_prefix}-%{name}}
Summary: Python bindings for %{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: protobuf-python
Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
%else
Requires: %{py_prefix}-protobuf
Obsoletes: python2-criu < 3.10-1
%endif
%description -n %{py_prefix}-%{name}
%{py_prefix}-%{name} contains Python bindings for %{name}.
@ -101,62 +105,61 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release}
crit is a tool designed to decode CRIU binary dump files and show
their content in human-readable form.
%package -n criu-ns
Summary: Tool to run CRIU in different namespaces
Requires: %{name} = %{version}-%{release}
%description -n criu-ns
The purpose of the criu-ns wrapper script is to enable restoring a process
tree that might require a specific PID that is already used on the system.
This script can help to workaround the so called "PID mismatch" problem.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?rhel} && 0%{?rhel} <= 7
%patch100 -p1
%endif
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
%patch -P 6 -p1
%patch -P 99 -p1
%build
# This package calls LD directly without specifying the LTO plugins. Until
# that is fixed, disable LTO.
%define _lto_cflags %{nil}
# %{?_smp_mflags} does not work
# -fstack-protector breaks build
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
make docs V=1
%endif
%install
sed -e "s,--upgrade --ignore-installed,--no-index --no-deps -v --no-build-isolation,g" -i lib/Makefile -i crit/Makefile
make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
# only install documentation on Fedora as it requires asciidoc,
# which is not available on RHEL7
make install-crit DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
%else
install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
%endif
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/compel.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/criu-amdgpu-plugin.1
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}/run/%{name}/
%if 0%{?rhel}
# remove devel and libs packages
rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
rm $RPM_BUILD_ROOT%{_libdir}/*.so*
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%endif
# remove static lib
rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a
%files
%{_sbindir}/%{name}
%doc %{_mandir}/man8/criu.8*
%if 0%{?fedora}
%{_libexecdir}/%{name}
%endif
%dir /run/%{name}
%{_tmpfilesdir}/%{name}.conf
%doc README.md COPYING
%if 0%{?fedora}
%files devel
%{_includedir}/criu
%{_libdir}/*.so
@ -164,24 +167,205 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%files libs
%{_libdir}/*.so.*
%endif
%files -n %{py_prefix}-%{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
%{python2_sitelib}/pycriu/*
%{python2_sitelib}/*egg-info
%else
%{python3_sitelib}/pycriu/*
%{python3_sitelib}/*egg-info
%endif
%{python3_sitelib}/pycriu*
%files -n crit
%{_bindir}/crit
%{python3_sitelib}/crit-%{version}.dist-info/
%{python3_sitelib}/crit
%doc %{_mandir}/man1/crit.1*
%files -n criu-ns
%{_sbindir}/criu-ns
%doc %{_mandir}/man1/criu-ns.1*
%changelog
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
* Fri Feb 07 2025 Adrian Reber <areber@redhat.com> - 3.19-9
- Fix VDSO compile error on s390x
* Tue Feb 04 2025 Adrian Reber <areber@redhat.com> - 3.19-8
- Adapt patches to patches merged upstream
- Fix running on aarch64
* Tue Dec 10 2024 Adrian Reber <areber@redhat.com> - 3.19-7
- Switch network locking backend default to nftables
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.19-6
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.19-5
- Bump release for June 2024 mass rebuild
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Nov 28 2023 Adrian Reber <adrian@lisas.de> - 3.19-2
- Fix test setup
* Tue Nov 28 2023 Adrian Reber <adrian@lisas.de> - 3.19-1
- Update to 3.19
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.18-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jul 06 2023 Adrian Reber <adrian@lisas.de> - 3.18-3
- migrated to SPDX license
- remove RHEL 7 conditionals
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.18-2
- Rebuilt for Python 3.12
* Tue Apr 25 2023 Adrian Reber <adrian@lisas.de> - 3.18-1
- Update to 3.18
- Apply patch from upstream to support newer CPUs
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.17.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 2 2022 Florian Weimer <fweimer@redhat.com> - 3.17.1-4
- Fix FTBFS with glibc 2.36
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.17.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 08 2022 Adrian Reber <adrian@lisas.de> - 3.17.1-2
- Rebuilt to pick up glibc rseq() changes
* Mon Jun 27 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.17.1-1
- Update to release version 3.17.1
* Mon Jun 20 2022 Adrian Reber <adrian@lisas.de> - 3.17-4
- Apply upstream patch to fix mount v2 errors
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.17-3
- Rebuilt for Python 3.11
* Thu May 19 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.17-2
- Use mntns-compat-mode as a temporary fix for runc
* Fri May 6 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.17-1
- Update to release version 3.17
- Do not install compel and amdgpu_plugin man pages
* Tue Apr 5 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.16.1-12
- Update rseq patches
* Tue Apr 5 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.16.1-11
- Update rseq patches
* Tue Apr 5 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.16.1-10
- Update fixup patch
* Tue Apr 5 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.16.1-9
- Update rseq support patches
* Fri Feb 18 2022 Radostin Stoyanov <rstoyanov@fedoraproject.org> - 3.16.1-8
- rebuilt
* Tue Feb 8 2022 Radostin Stoyanov <radostin@redhat.com> - 3.16.1-7
- Drop global -ffreestanding
* Mon Jan 31 2022 Radostin Stoyanov <radostin@redhat.com> - 3.16.1-6
- Fix typo in changelog
- Replace `asciidoc` and `xmlto` with `asciidoctor`
- Enable initial rseq support
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 3.16.1-4
- Rebuilt for protobuf 3.19.0
* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 3.16.1-3
- Rebuilt for protobuf 3.18.1
* Tue Oct 19 2021 Radostin Stoyanov <radostin@redhat.com> - 3.16.1-2
- Update protobuf-c to libprotobuf-c requirement
* Thu Oct 14 2021 Radostin Stoyanov <radostin@redhat.com> - 3.16.1-1
- Update to 3.16.1
- Add protobuf-c as required dependency (#2013775)
* Tue Oct 05 2021 Adrian Reber <adrian@lisas.de> - 3.16-3
- Fix build on RHEL 8
* Thu Sep 23 2021 Adrian Reber <adrian@lisas.de> - 3.16-2
- Include criu-ns sub package
- Use new github Source0 location
* Wed Sep 22 2021 Adrian Reber <adrian@lisas.de> - 3.16-1
- Update to 3.16
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 3.15-5
- Rebuilt for Python 3.10
* Fri Apr 09 2021 Adrian Reber <adrian@lisas.de> - 3.15-4
- Test for testing
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2021 Adrian Reber <adrian@lisas.de> - 3.15-2
- Rebuilt for protobuf 3.14
* Wed Nov 04 2020 Adrian Reber <adrian@lisas.de> - 3.15-1
- Update to 3.15
* Wed Sep 23 2020 Adrian Reber <adrian@lisas.de> - 3.14-8
- Rebuilt for protobuf 3.13
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Jeff Law <law@redhat.com> - 3.14-6
- Disable LTO
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 3.14-5
- Rebuilt for protobuf 3.12
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.14-4
- Rebuilt for Python 3.9
* Thu Apr 30 2020 Adrian Reber <adrian@lisas.de> - 3.14-3
- BuildRequire nftables-devel for working CI
* Thu Apr 30 2020 Adrian Reber <adrian@lisas.de> - 3.14-2
- Rebuild for CI fixes
* Wed Apr 29 2020 Adrian Reber <adrian@lisas.de> - 3.14-1
- Update to 3.14 (#1829399)
* Sun Mar 29 2020 Andrei Vagin <avagin@gmail.com> - 3.13-7
- Added patch for gcc-10
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.13-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 16 2019 Adrian Reber <adrian@lisas.de> - 3.13-5
- Update to 3.13 (#1751146)
- Drop upstreamed patches
- Drop static library
- Add compel man-page
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.12-14
- Rebuilt for Python 3.8
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.12-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 14 2019 Adrian Reber <adrian@lisas.de> - 3.12-11
- Test different decision_context in gating.yaml
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-10
- Added additional fixup patches for the socket labelling
* Sat May 04 2019 Adrian Reber <adrian@lisas.de> - 3.12-8
@ -202,16 +386,15 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
- Build against SELinux (Fedora and RHEL8)
- Build against libbsd (Fedora)
* Thu Feb 14 2019 Adrian Reber <areber@redhat.com> - 3.11-2
- Updated to 3.11
- Removed upstreamed patches
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sat Jan 19 2019 Adrian Reber <adrian@lisas.de> - 3.11-2
- Added patch for gcc-9
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-7
- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442)
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-6
- Make sure no iptables rules are left after restore (#1652471)
* Tue Nov 06 2018 Adrian Reber <adrian@lisas.de> - 3.11-1
- Updated to 3.11
- Removed upstreamed patches
* Tue Oct 30 2018 Adrian Reber <adrian@lisas.de> - 3.10-5
- Added Recommends: tar

12
disable.network.locking.via.rpc.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ur ../criu-3.19/criu/cr-service.c criu-3.19/criu/cr-service.c
--- ../criu-3.19/criu/cr-service.c 2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/cr-service.c 2024-12-17 19:53:43.865616992 +0100
@@ -570,7 +570,7 @@
if (req->has_network_lock) {
switch (req->network_lock) {
case CRIU_NETWORK_LOCK_METHOD__IPTABLES:
- opts.network_lock_method = NETWORK_LOCK_IPTABLES;
+ opts.network_lock_method = NETWORK_LOCK_NFTABLES;
break;
case CRIU_NETWORK_LOCK_METHOD__NFTABLES:
opts.network_lock_method = NETWORK_LOCK_NFTABLES;

11
network.lock.nftables.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/criu/include/cr_options.h.orig 2024-12-10 16:57:20.061293476 +0100
+++ b/criu/include/cr_options.h 2024-12-10 16:57:34.789131372 +0100
@@ -70,7 +70,7 @@
NETWORK_LOCK_SKIP,
};
-#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
+#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_NFTABLES
/*
* Ghost file size we allow to carry by default.

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (criu-3.19.tar.gz) = d243818cdac51580c952a80e9164786a67ce5e294c0faa6dc700f5e8da8e36495f0b64f5c27b345ede7d6697ed7a69fa4e9a85cef451f32e3ffeb78564884571