From 0eebeb843dfdfab0f789aa6d8f085f1bb4ef453d Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 14 May 2025 15:41:39 +0000 Subject: [PATCH] import UBI criu-3.19-9.el10 --- .criu.metadata | 1 - .gitignore | 2 +- ...45f77a34d1bc7ef146d650636afcd3cdda21.patch | 87 ++ 2549.patch | 128 +++ 2550.patch | 473 ++++++++++ 2570.patch | 452 ++++++++++ 2590.patch | 38 + ...cb90b63bce841376140a7a80107e5ec1e1a8.patch | 67 -- SOURCES/685.patch | 834 ------------------ ...0c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch | 44 - ...e3903c78ba5d243b4176e82bf4b82342cb6a.patch | 40 - .../criu-tmpfiles.conf => criu-tmpfiles.conf | 0 criu.pc.patch | 27 + SPECS/criu.spec => criu.spec | 347 ++++++-- disable.network.locking.via.rpc.patch | 12 + network.lock.nftables.patch | 11 + sources | 1 + 17 files changed, 1495 insertions(+), 1069 deletions(-) delete mode 100644 .criu.metadata create mode 100644 089345f77a34d1bc7ef146d650636afcd3cdda21.patch create mode 100644 2549.patch create mode 100644 2550.patch create mode 100644 2570.patch create mode 100644 2590.patch delete mode 100644 SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch delete mode 100644 SOURCES/685.patch delete mode 100644 SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch delete mode 100644 SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch rename SOURCES/criu-tmpfiles.conf => criu-tmpfiles.conf (100%) create mode 100644 criu.pc.patch rename SPECS/criu.spec => criu.spec (57%) create mode 100644 disable.network.locking.via.rpc.patch create mode 100644 network.lock.nftables.patch create mode 100644 sources diff --git a/.criu.metadata b/.criu.metadata deleted file mode 100644 index f33f9a7..0000000 --- a/.criu.metadata +++ /dev/null @@ -1 +0,0 @@ -b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2 diff --git a/.gitignore b/.gitignore index d9f1e8d..114f5a8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/criu-3.12.tar.bz2 +criu-3.19.tar.gz diff --git a/089345f77a34d1bc7ef146d650636afcd3cdda21.patch b/089345f77a34d1bc7ef146d650636afcd3cdda21.patch new file mode 100644 index 0000000..d8aef52 --- /dev/null +++ b/089345f77a34d1bc7ef146d650636afcd3cdda21.patch @@ -0,0 +1,87 @@ +From 089345f77a34d1bc7ef146d650636afcd3cdda21 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Wed, 10 Jul 2024 18:34:50 +0200 +Subject: [PATCH] Adjust to glibc __rseq_size semantic change + +In commit 2e456ccf0c34a056e3ccafac4a0c7effef14d918 ("Linux: Make +__rseq_size useful for feature detection (bug 31965)") glibc 2.40 +changed the meaning of __rseq_size slightly: it is now the size +of the active/feature area (20 bytes initially), and not the size +of the entire initially defined struct (32 bytes including padding). +The reason for the change is that the size including padding does not +allow detection of newly added features while previously unused +padding is consumed. + +The prep_libc_rseq_info change in criu/cr-restore.c is not necessary +on kernels which have full ptrace support for obtaining rseq +information because the code is not used. On older kernels, it is +a correctness fix because with size 20 (the new value), rseq +registeration would fail. + +The two other changes are required to make rseq unregistration work +in tests. + +Signed-off-by: Florian Weimer +--- + criu/cr-restore.c | 8 ++++++++ + test/zdtm/static/rseq00.c | 5 ++++- + test/zdtm/transition/rseq01.c | 5 ++++- + 3 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/criu/cr-restore.c b/criu/cr-restore.c +index 4db2f4ecfc..b95d4f134b 100644 +--- a/criu/cr-restore.c ++++ b/criu/cr-restore.c +@@ -2618,7 +2618,15 @@ static void prep_libc_rseq_info(struct rst_rseq_param *rseq) + if (!kdat.has_ptrace_get_rseq_conf) { + #if defined(__GLIBC__) && defined(RSEQ_SIG) + rseq->rseq_abi_pointer = encode_pointer(__criu_thread_pointer() + __rseq_offset); ++ /* ++ * Current glibc reports the feature/active size in ++ * __rseq_size, not the size passed to the kernel. ++ * This could be 20, but older kernels expect 32 for ++ * the size argument even if only 20 bytes are used. ++ */ + rseq->rseq_abi_size = __rseq_size; ++ if (rseq->rseq_abi_size < 32) ++ rseq->rseq_abi_size = 32; + rseq->signature = RSEQ_SIG; + #else + rseq->rseq_abi_pointer = 0; +diff --git a/test/zdtm/static/rseq00.c b/test/zdtm/static/rseq00.c +index 471ad6a43f..7add7801eb 100644 +--- a/test/zdtm/static/rseq00.c ++++ b/test/zdtm/static/rseq00.c +@@ -46,12 +46,15 @@ static inline void *__criu_thread_pointer(void) + static inline void unregister_glibc_rseq(void) + { + struct rseq *rseq = (struct rseq *)((char *)__criu_thread_pointer() + __rseq_offset); ++ unsigned int size = __rseq_size; + + /* hack: mark glibc rseq structure as failed to register */ + rseq->cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED; + + /* unregister rseq */ +- syscall(__NR_rseq, (void *)rseq, __rseq_size, 1, RSEQ_SIG); ++ if (__rseq_size < 32) ++ size = 32; ++ syscall(__NR_rseq, (void *)rseq, size, 1, RSEQ_SIG); + } + #else + static inline void unregister_glibc_rseq(void) +diff --git a/test/zdtm/transition/rseq01.c b/test/zdtm/transition/rseq01.c +index 0fbcc2dca0..08a7a8e1a6 100644 +--- a/test/zdtm/transition/rseq01.c ++++ b/test/zdtm/transition/rseq01.c +@@ -33,7 +33,10 @@ static inline void *thread_pointer(void) + static inline void unregister_old_rseq(void) + { + /* unregister rseq */ +- syscall(__NR_rseq, (void *)((char *)thread_pointer() + __rseq_offset), __rseq_size, 1, RSEQ_SIG); ++ unsigned int size = __rseq_size; ++ if (__rseq_size < 32) ++ size = 32; ++ syscall(__NR_rseq, (void *)((char *)thread_pointer() + __rseq_offset), size, 1, RSEQ_SIG); + } + #else + static inline void unregister_old_rseq(void) diff --git a/2549.patch b/2549.patch new file mode 100644 index 0000000..4cbf648 --- /dev/null +++ b/2549.patch @@ -0,0 +1,128 @@ +From 0a17c4160580d9bc7092ba9eb7db86952921d221 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Thu, 16 Jan 2025 07:52:42 +0000 +Subject: [PATCH 1/2] util: added cleanup_file attribute. + +Signed-off-by: Adrian Reber +--- + criu/include/util.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/criu/include/util.h b/criu/include/util.h +index ae293a68c8..4793f7f20e 100644 +--- a/criu/include/util.h ++++ b/criu/include/util.h +@@ -406,6 +406,14 @@ static inline void cleanup_freep(void *p) + free(*pp); + } + ++#define cleanup_file __attribute__((cleanup(cleanup_filep))) ++static inline void cleanup_filep(FILE **f) ++{ ++ FILE *file = *f; ++ if (file) ++ (void)fclose(file); ++} ++ + extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void *args); + + /* + +From 1ed4109958644fbe1cbadf7c72472c82a12834b0 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Tue, 17 Dec 2024 08:52:46 +0100 +Subject: [PATCH 2/2] net: redirect nftables stdout and stderr to CRIU's log + file + +When using the nftables network locking backend and restoring a process +a second time the network locking has already been deleted by the first +restore. The second restore will print out to the console text like: + +Error: Could not process rule: No such file or directory +delete table inet CRIU-202621 + +With this change CRIU's log FD is used by libnftables stdout and stderr. + +Signed-off-by: Adrian Reber +--- + criu/net.c | 43 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/criu/net.c b/criu/net.c +index eee3311087..efd52db327 100644 +--- a/criu/net.c ++++ b/criu/net.c +@@ -3066,9 +3066,43 @@ static int iptables_restore(bool ipv6, char *buf, int size) + return ret; + } + ++#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1) ++static inline FILE *redirect_nftables_output(struct nft_ctx *nft) ++{ ++ FILE *fp; ++ int fd; ++ ++ fd = dup(log_get_fd()); ++ if (fd < 0) { ++ pr_perror("dup() to redirect nftables output failed"); ++ return NULL; ++ } ++ ++ fp = fdopen(fd, "w"); ++ if (!fp) { ++ pr_perror("fdopen() to redirect nftables output failed"); ++ return NULL; ++ } ++ ++ /** ++ * Without setvbuf() the output from libnftables will be ++ * somewhere in the log file, probably at the end. ++ * With setvbuf() potential output will be at the correct ++ * position. ++ */ ++ setvbuf(fp, NULL, _IONBF, 0); ++ ++ nft_ctx_set_output(nft, fp); ++ nft_ctx_set_error(nft, fp); ++ ++ return fp; ++} ++#endif ++ + static inline int nftables_lock_network_internal(void) + { + #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1) ++ cleanup_file FILE *fp = NULL; + struct nft_ctx *nft; + int ret = 0; + char table[32]; +@@ -3081,6 +3115,10 @@ static inline int nftables_lock_network_internal(void) + if (!nft) + return -1; + ++ fp = redirect_nftables_output(nft); ++ if (!fp) ++ goto out; ++ + snprintf(buf, sizeof(buf), "create table %s", table); + if (NFT_RUN_CMD(nft, buf)) + goto err2; +@@ -3168,6 +3206,7 @@ static inline int nftables_network_unlock(void) + { + #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1) + int ret = 0; ++ cleanup_file FILE *fp = NULL; + struct nft_ctx *nft; + char table[32]; + char buf[128]; +@@ -3179,6 +3218,10 @@ static inline int nftables_network_unlock(void) + if (!nft) + return -1; + ++ fp = redirect_nftables_output(nft); ++ if (!fp) ++ return -1; ++ + snprintf(buf, sizeof(buf), "delete table %s", table); + if (NFT_RUN_CMD(nft, buf)) + ret = -1; diff --git a/2550.patch b/2550.patch new file mode 100644 index 0000000..5f67f71 --- /dev/null +++ b/2550.patch @@ -0,0 +1,473 @@ +From 9a2b7d6b3baa2b3183489ed9cebece039f9f488f Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Thu, 23 Jan 2025 09:26:15 +0000 +Subject: [PATCH 1/2] criu: use libuuid for criu_run_id generation + +criu_run_id will be used in upcoming changes to create and remove +network rules for network locking. Instead of trying to come up with +a way to create unique IDs, just use an existing library. + +libuuid should be installed on most systems as it is indirectly required +by systemd (via libmount). + +Signed-off-by: Adrian Reber +--- + .cirrus.yml | 2 +- + .github/workflows/check-commits.yml | 2 +- + compel/include/uapi/infect-util.h | 11 ++++++++++- + compel/src/lib/infect-util.c | 2 +- + compel/src/lib/infect.c | 2 +- + criu/Makefile.packages | 4 +++- + criu/fdstore.c | 2 +- + criu/files.c | 2 +- + criu/include/util.h | 4 +++- + criu/pidfd-store.c | 2 +- + criu/unittest/mock.c | 4 +++- + criu/util.c | 17 +++++++---------- + scripts/build/Dockerfile.alpine | 3 ++- + scripts/build/Dockerfile.amd-rocm | 1 + + scripts/build/Dockerfile.archlinux | 1 + + scripts/build/Dockerfile.hotspot-alpine | 1 + + scripts/build/Dockerfile.hotspot-ubuntu | 1 + + scripts/build/Dockerfile.linux32.tmpl | 1 + + scripts/build/Dockerfile.openj9-ubuntu | 1 + + .../build/Dockerfile.riscv64-stable-cross.tmpl | 1 + + scripts/build/Dockerfile.stable-cross.tmpl | 1 + + scripts/build/Dockerfile.tmpl | 1 + + scripts/build/Dockerfile.unstable-cross.tmpl | 1 + + scripts/ci/prepare-for-fedora-rawhide.sh | 1 + + scripts/ci/run-ci-tests.sh | 2 +- + scripts/ci/vagrant.sh | 2 +- + 26 files changed, 48 insertions(+), 24 deletions(-) + +diff --git a/compel/include/uapi/infect-util.h b/compel/include/uapi/infect-util.h +index ace6f6b6b1..658df9393d 100644 +--- a/compel/include/uapi/infect-util.h ++++ b/compel/include/uapi/infect-util.h +@@ -3,11 +3,20 @@ + + #include "common/compiler.h" + ++/** ++ * The length of the hash is based on what libuuid provides. ++ * According to the manpage this is: ++ * ++ * The uuid_unparse() function converts the supplied UUID uu from the binary ++ * representation into a 36-byte string (plus trailing '\0') ++ */ ++#define RUN_ID_HASH_LENGTH 37 ++ + /* + * compel_run_id is a unique value of the current run. It can be used to + * generate resource ID-s to avoid conflicts with other processes. + */ +-extern uint64_t compel_run_id; ++extern char compel_run_id[RUN_ID_HASH_LENGTH]; + + struct parasite_ctl; + extern int __must_check compel_util_send_fd(struct parasite_ctl *ctl, int fd); +diff --git a/compel/src/lib/infect-util.c b/compel/src/lib/infect-util.c +index 00a7c83f7d..dc57e28f7c 100644 +--- a/compel/src/lib/infect-util.c ++++ b/compel/src/lib/infect-util.c +@@ -7,7 +7,7 @@ + #include "infect-rpc.h" + #include "infect-util.h" + +-uint64_t compel_run_id; ++char compel_run_id[RUN_ID_HASH_LENGTH]; + + int compel_util_send_fd(struct parasite_ctl *ctl, int fd) + { +diff --git a/compel/src/lib/infect.c b/compel/src/lib/infect.c +index 1e3ffb9670..caf54e03fd 100644 +--- a/compel/src/lib/infect.c ++++ b/compel/src/lib/infect.c +@@ -427,7 +427,7 @@ static int gen_parasite_saddr(struct sockaddr_un *saddr, int key) + int sun_len; + + saddr->sun_family = AF_UNIX; +- snprintf(saddr->sun_path, UNIX_PATH_MAX, "X/crtools-pr-%d-%" PRIx64, key, compel_run_id); ++ snprintf(saddr->sun_path, UNIX_PATH_MAX, "X/crtools-pr-%d-%s", key, compel_run_id); + + sun_len = SUN_LEN(saddr); + *saddr->sun_path = '\0'; +diff --git a/criu/Makefile.packages b/criu/Makefile.packages +index 7f6113c8f1..3e2e6efd18 100644 +--- a/criu/Makefile.packages ++++ b/criu/Makefile.packages +@@ -6,6 +6,7 @@ REQ-RPM-PKG-NAMES += protobuf-devel + REQ-RPM-PKG-NAMES += protobuf-python + REQ-RPM-PKG-NAMES += libnl3-devel + REQ-RPM-PKG-NAMES += libcap-devel ++REQ-RPM-PKG-NAMES += libuuid-devel + + REQ-RPM-PKG-TEST-NAMES += libaio-devel + +@@ -16,6 +17,7 @@ REQ-DEB-PKG-NAMES += protobuf-compiler + REQ-DEB-PKG-NAMES += $(PYTHON)-protobuf + REQ-DEB-PKG-NAMES += libnl-3-dev + REQ-DEB-PKG-NAMES += libcap-dev ++REQ-DEB-PKG-NAMES += uuid-dev + + REQ-DEB-PKG-TEST-NAMES += $(PYTHON)-yaml + REQ-DEB-PKG-TEST-NAMES += libaio-dev +@@ -25,7 +27,7 @@ REQ-DEB-PKG-TEST-NAMES += libaio-dev + REQ-RPM-PKG-TEST-NAMES += $(PYTHON)-PyYAML + + +-export LIBS += -lprotobuf-c -ldl -lnl-3 -lsoccr -Lsoccr/ -lnet ++export LIBS += -lprotobuf-c -ldl -lnl-3 -lsoccr -Lsoccr/ -lnet -luuid + + check-packages-failed: + $(warning Can not find some of the required libraries) +diff --git a/criu/fdstore.c b/criu/fdstore.c +index d615ad15d0..6ac639c553 100644 +--- a/criu/fdstore.c ++++ b/criu/fdstore.c +@@ -58,7 +58,7 @@ int fdstore_init(void) + } + + addr.sun_family = AF_UNIX; +- addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-fdstore-%" PRIx64 "-%" PRIx64, st.st_ino, ++ addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-fdstore-%" PRIx64 "-%s", st.st_ino, + criu_run_id); + addrlen += sizeof(addr.sun_family); + +diff --git a/criu/files.c b/criu/files.c +index 31e705bcc5..f16ec32a23 100644 +--- a/criu/files.c ++++ b/criu/files.c +@@ -978,7 +978,7 @@ static int receive_fd(struct fdinfo_list_entry *fle); + static void transport_name_gen(struct sockaddr_un *addr, int *len, int pid) + { + addr->sun_family = AF_UNIX; +- snprintf(addr->sun_path, UNIX_PATH_MAX, "x/crtools-fd-%d-%" PRIx64, pid, criu_run_id); ++ snprintf(addr->sun_path, UNIX_PATH_MAX, "x/crtools-fd-%d-%s", pid, criu_run_id); + *len = SUN_LEN(addr); + *addr->sun_path = '\0'; + } +diff --git a/criu/include/util.h b/criu/include/util.h +index 4793f7f20e..194e94deeb 100644 +--- a/criu/include/util.h ++++ b/criu/include/util.h +@@ -21,6 +21,8 @@ + #include "log.h" + #include "common/err.h" + ++#include "compel/infect-util.h" ++ + #define PREF_SHIFT_OP(pref, op, size) ((size)op(pref##BYTES_SHIFT)) + #define KBYTES_SHIFT 10 + #define MBYTES_SHIFT 20 +@@ -420,7 +422,7 @@ extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void + * criu_run_id is a unique value of the current run. It can be used to + * generate resource ID-s to avoid conflicts with other CRIU processes. + */ +-extern uint64_t criu_run_id; ++extern char criu_run_id[RUN_ID_HASH_LENGTH]; + extern void util_init(void); + + extern char *resolve_mountpoint(char *path); +diff --git a/criu/pidfd-store.c b/criu/pidfd-store.c +index 9fdc74cb74..110f7802a2 100644 +--- a/criu/pidfd-store.c ++++ b/criu/pidfd-store.c +@@ -99,7 +99,7 @@ int init_pidfd_store_sk(pid_t pid, int sk) + goto err; + } + +- addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-pidfd-store-%d-%d-%" PRIx64, pid, sk, ++ addrlen = snprintf(addr.sun_path, sizeof(addr.sun_path), "X/criu-pidfd-store-%d-%d-%s", pid, sk, + criu_run_id); + addrlen += sizeof(addr.sun_family); + +diff --git a/criu/unittest/mock.c b/criu/unittest/mock.c +index e517720e42..b2d5072787 100644 +--- a/criu/unittest/mock.c ++++ b/criu/unittest/mock.c +@@ -5,6 +5,8 @@ + #include + #include + ++#include "compel/infect-util.h" ++ + int add_external(char *key) + { + return 0; +@@ -141,4 +143,4 @@ int check_mount_v2(void) + return 0; + } + +-uint64_t compel_run_id; ++char compel_run_id[RUN_ID_HASH_LENGTH]; +diff --git a/criu/util.c b/criu/util.c +index d2bc9a8657..58c18e20be 100644 +--- a/criu/util.c ++++ b/criu/util.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "linux/mount.h" + +@@ -2026,20 +2027,16 @@ int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void *args) + return fret; + } + +-uint64_t criu_run_id; ++char criu_run_id[RUN_ID_HASH_LENGTH]; + + void util_init(void) + { +- struct stat statbuf; ++ uuid_t uuid; + +- criu_run_id = getpid(); +- if (!stat("/proc/self/ns/pid", &statbuf)) +- criu_run_id |= (uint64_t)statbuf.st_ino << 32; +- else if (errno != ENOENT) +- pr_perror("Can't stat /proc/self/ns/pid - CRIU run id might not be unique"); +- +- compel_run_id = criu_run_id; +- pr_info("CRIU run id = %#" PRIx64 "\n", criu_run_id); ++ uuid_generate(uuid); ++ uuid_unparse(uuid, criu_run_id); ++ pr_info("CRIU run id = %s\n", criu_run_id); ++ memcpy(compel_run_id, criu_run_id, sizeof(criu_run_id)); + } + + /* +diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine +index 329d7791de..d843793ea2 100644 +--- a/scripts/build/Dockerfile.alpine ++++ b/scripts/build/Dockerfile.alpine +@@ -24,7 +24,8 @@ RUN apk update && apk add \ + sudo \ + libcap-utils \ + libdrm-dev \ +- util-linux ++ util-linux \ ++ util-linux-dev + + COPY . /criu + WORKDIR /criu +diff --git a/scripts/build/Dockerfile.amd-rocm b/scripts/build/Dockerfile.amd-rocm +index c466a73d2d..ed66ae4fec 100644 +--- a/scripts/build/Dockerfile.amd-rocm ++++ b/scripts/build/Dockerfile.amd-rocm +@@ -56,6 +56,7 @@ RUN apt-get clean -qqy && apt-get update -qqy && apt-get install -qqy --no-insta + python-protobuf \ + python3-minimal \ + python-ipaddress \ ++ uuid-dev \ + curl \ + wget \ + vim \ +diff --git a/scripts/build/Dockerfile.archlinux b/scripts/build/Dockerfile.archlinux +index 4056514891..9d11194bb0 100644 +--- a/scripts/build/Dockerfile.archlinux ++++ b/scripts/build/Dockerfile.archlinux +@@ -35,6 +35,7 @@ RUN pacman -Syu --noconfirm \ + python-junit-xml \ + python-importlib-metadata \ + libdrm \ ++ util-linux-libs \ + diffutils + + COPY . /criu +diff --git a/scripts/build/Dockerfile.hotspot-alpine b/scripts/build/Dockerfile.hotspot-alpine +index cb9332fd0c..6caf9d0b1b 100644 +--- a/scripts/build/Dockerfile.hotspot-alpine ++++ b/scripts/build/Dockerfile.hotspot-alpine +@@ -19,6 +19,7 @@ RUN apk update && apk add \ + maven \ + ip6tables \ + iptables \ ++ util-linux-dev \ + bash + + COPY . /criu +diff --git a/scripts/build/Dockerfile.hotspot-ubuntu b/scripts/build/Dockerfile.hotspot-ubuntu +index 0318f650f3..67de916acb 100644 +--- a/scripts/build/Dockerfile.hotspot-ubuntu ++++ b/scripts/build/Dockerfile.hotspot-ubuntu +@@ -22,6 +22,7 @@ RUN apt-install protobuf-c-compiler \ + pkg-config \ + iptables \ + gcc \ ++ uuid-dev \ + maven + + COPY . /criu +diff --git a/scripts/build/Dockerfile.linux32.tmpl b/scripts/build/Dockerfile.linux32.tmpl +index 13e9926424..d218e06414 100644 +--- a/scripts/build/Dockerfile.linux32.tmpl ++++ b/scripts/build/Dockerfile.linux32.tmpl +@@ -21,6 +21,7 @@ RUN apt-install \ + pkg-config \ + protobuf-c-compiler \ + protobuf-compiler \ ++ uuid-dev \ + python3-minimal + + COPY . /criu +diff --git a/scripts/ci/prepare-for-fedora-rawhide.sh b/scripts/ci/prepare-for-fedora-rawhide.sh +index 09085c403b..42252c93c9 100755 +--- a/scripts/ci/prepare-for-fedora-rawhide.sh ++++ b/scripts/ci/prepare-for-fedora-rawhide.sh +@@ -36,6 +36,7 @@ dnf install -y \ + e2fsprogs \ + rubygem-asciidoctor \ + libdrm-devel \ ++ libuuid-devel \ + kmod + + # /tmp is no longer 755 in the rawhide container image and breaks CI - fix it + +From c39bce3cf17782784d1a14cf40a4cedd059059fa Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Thu, 23 Jan 2025 17:42:45 +0000 +Subject: [PATCH 2/2] net: remember the name of the lock chain (nftables) + +Using libnftables the chain to lock the network is composed of +("CRIU-%d", real_pid). This leads to around 40 zdtm tests failing +with errors like this: + +Error: No such file or directory; did you mean table 'CRIU-62' in family inet? +delete table inet CRIU-86 + +The reason is that as soon as a process is running in a namespace the +real PID can be anything and only the PID in the namespace is restored +correctly. Relying on the real PID does not work for the chain name. + +Using the PID of the innermost namespace would lead to the chain be +called 'CRIU-1' most of the time which is also not really unique. + +With this commit the change is now named using the already existing CRIU +run ID. To be able to correctly restore the process and delete the +locking table, the CRIU run id during checkpointing is now stored in the +inventory as dump_criu_run_id. + +Signed-off-by: Adrian Reber +--- + criu/image.c | 30 ++++++++++++++++++++++++++++++ + criu/include/util.h | 2 ++ + criu/netfilter.c | 20 +++++++++++++++++++- + images/inventory.proto | 4 ++++ + 4 files changed, 55 insertions(+), 1 deletion(-) + +diff --git a/criu/image.c b/criu/image.c +index 9589167fb1..f3747d6ff5 100644 +--- a/criu/image.c ++++ b/criu/image.c +@@ -25,6 +25,7 @@ bool img_common_magic = true; + TaskKobjIdsEntry *root_ids; + u32 root_cg_set; + Lsmtype image_lsm; ++char dump_criu_run_id[RUN_ID_HASH_LENGTH]; + + int check_img_inventory(bool restore) + { +@@ -120,6 +121,24 @@ int check_img_inventory(bool restore) + } else { + opts.network_lock_method = he->network_lock_method; + } ++ ++ /** ++ * This contains the criu_run_id during dumping of the process. ++ * For things like removing network locking (nftables) this ++ * information is needed to identify the name of the network ++ * locking table. ++ */ ++ if (he->dump_criu_run_id) { ++ strncpy(dump_criu_run_id, he->dump_criu_run_id, sizeof(dump_criu_run_id) - 1); ++ pr_info("Dump CRIU run id = %s\n", dump_criu_run_id); ++ } else { ++ /** ++ * If restoring from an old image this is a marker ++ * that no dump_criu_run_id exists. ++ */ ++ dump_criu_run_id[0] = NO_DUMP_CRIU_RUN_ID; ++ } ++ + } + + ret = 0; +@@ -367,6 +386,17 @@ int prepare_inventory(InventoryEntry *he) + he->has_network_lock_method = true; + he->network_lock_method = opts.network_lock_method; + ++ /** ++ * This contains the criu_run_id during dumping of the process. ++ * For things like removing network locking (nftables) this ++ * information is needed to identify the name of the network ++ * locking table. ++ */ ++ he->dump_criu_run_id = xstrdup(criu_run_id); ++ ++ if (!he->dump_criu_run_id) ++ return -1; ++ + return 0; + } + +diff --git a/criu/include/util.h b/criu/include/util.h +index 194e94deeb..55ad5b63cf 100644 +--- a/criu/include/util.h ++++ b/criu/include/util.h +@@ -424,6 +424,8 @@ extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void + */ + extern char criu_run_id[RUN_ID_HASH_LENGTH]; + extern void util_init(void); ++#define NO_DUMP_CRIU_RUN_ID 0x7f ++extern char dump_criu_run_id[RUN_ID_HASH_LENGTH]; + + extern char *resolve_mountpoint(char *path); + +diff --git a/criu/netfilter.c b/criu/netfilter.c +index 9e78dc4b03..e2c82764f2 100644 +--- a/criu/netfilter.c ++++ b/criu/netfilter.c +@@ -299,7 +299,25 @@ int nftables_lock_connection(struct inet_sk_desc *sk) + + int nftables_get_table(char *table, int n) + { +- if (snprintf(table, n, "inet CRIU-%d", root_item->pid->real) < 0) { ++ int ret; ++ ++ switch(dump_criu_run_id[0]) { ++ case 0: ++ /* This is not a restore.*/ ++ ret = snprintf(table, n, "inet CRIU-%s", criu_run_id); ++ break; ++ case NO_DUMP_CRIU_RUN_ID: ++ /** ++ * This is a restore from an older image with no ++ * dump_criu_run_id available. Let's use the old ID. ++ */ ++ ret = snprintf(table, n, "inet CRIU-%d", root_item->pid->real); ++ break; ++ default: ++ ret = snprintf(table, n, "inet CRIU-%s", dump_criu_run_id); ++ } ++ ++ if (ret < 0) { + pr_err("Cannot generate CRIU's nftables table name\n"); + return -1; + } +diff --git a/images/inventory.proto b/images/inventory.proto +index 7f655031bc..1e18815bb9 100644 +--- a/images/inventory.proto ++++ b/images/inventory.proto +@@ -29,4 +29,8 @@ message inventory_entry { + optional uint32 pre_dump_mode = 9; + optional bool tcp_close = 10; + optional uint32 network_lock_method = 11; ++ // Remember the criu_run_id when CRIU dumped the process. ++ // This is currently used to delete the correct nftables ++ // network locking rule. ++ optional string dump_criu_run_id = 13; + } diff --git a/2570.patch b/2570.patch new file mode 100644 index 0000000..d504860 --- /dev/null +++ b/2570.patch @@ -0,0 +1,452 @@ +From ed2468f0a3c1c3c3b40b41047ffd97ce32346a4e Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Wed, 22 Jan 2025 14:35:26 +0100 +Subject: [PATCH] vdso: switch from DT_HASH to DT_GNU_HASH (aarch64) + +Trying to run latest CRIU on CentOS Stream 10 or Ubuntu 24.04 (aarch64) +fails like this: + + # criu/criu check -v4 + [...] + (00.096460) vdso: Parsing at ffffb2e2a000 ffffb2e2c000 + (00.096539) vdso: PT_LOAD p_vaddr: 0 + (00.096567) vdso: DT_STRTAB: 1d0 + (00.096592) vdso: DT_SYMTAB: 128 + (00.096616) vdso: DT_STRSZ: 8a + (00.096640) vdso: DT_SYMENT: 18 + (00.096663) Error (criu/pie-util-vdso.c:193): vdso: Not all dynamic entries are present + (00.096688) Error (criu/vdso.c:627): vdso: Failed to fill self vdso symtable + (00.096713) Error (criu/kerndat.c:1906): kerndat_vdso_fill_symtable failed when initializing kerndat. + (00.096812) Found mmap_min_addr 0x10000 + (00.096881) files stat: fs/nr_open 1073741816 + (00.096908) Error (criu/crtools.c:267): Could not initialize kernel features detection. + +This seems to be related to the kernel (6.12.0-41.el10.aarch64). The +Ubuntu user-space is running in a container on the same kernel. + +Looking at the kernel this seems to be related to: + + commit 48f6430505c0b0498ee9020ce3cf9558b1caaaeb + Author: Fangrui Song + Date: Thu Jul 18 10:34:23 2024 -0700 + + arm64/vdso: Remove --hash-style=sysv + + glibc added support for .gnu.hash in 2006 and .hash has been obsoleted + for more than one decade in many Linux distributions. Using + --hash-style=sysv might imply unaddressed issues and confuse readers. + + Just drop the option and rely on the linker default, which is likely + "both", or "gnu" when the distribution really wants to eliminate sysv + hash overhead. + + Similar to commit 6b7e26547fad ("x86/vdso: Emit a GNU hash"). + +The commit basically does: + + -ldflags-y := -shared -soname=linux-vdso.so.1 --hash-style=sysv \ + +ldflags-y := -shared -soname=linux-vdso.so.1 \ + +Which results in only a GNU hash being added to the ELF header. This +change has been merged with 6.11. + +Looking at the referenced x86 commit: + + commit 6b7e26547fad7ace3dcb27a5babd2317fb9d1e12 + Author: Andy Lutomirski + Date: Thu Aug 6 14:45:45 2015 -0700 + + x86/vdso: Emit a GNU hash + + Some dynamic loaders may be slightly faster if a GNU hash is + available. Strangely, this seems to have no effect at all on + the vdso size. + + This is unlikely to have any measurable effect on the time it + takes to resolve vdso symbols (since there are so few of them). + In some contexts, it can be a win for a different reason: if + every DSO has a GNU hash section, then libc can avoid + calculating SysV hashes at all. Both musl and glibc appear to + have this optimization. + + It's plausible that this breaks some ancient glibc version. If + so, then, depending on what glibc versions break, we could + either require COMPAT_VDSO for them or consider reverting. + +Which is also a really simple change: + + -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \ + +VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \ + +The big difference here is that for x86 both hash sections are +generated. For aarch64 only the newer GNU hash is generated. That is why +we only see this error on kernel >= 6.11 and aarch64. + +Changing from DT_HASH to DT_GNU_HASH seems to work on aarch64. The test +suite runs without any errors. + +Unfortunately I am not aware of all implication of this change and if a +successful test suite run means that it still works. + +Looking at the kernel I see following hash styles for the VDSO: + +aarch64: not specified (only GNU hash style) +arm: --hash-style=sysv +loongarch: --hash-style=sysv +mips: --hash-style=sysv +powerpc: --hash-style=both +riscv: --hash-style=both +s390: --hash-style=both +x86: --hash-style=both + +Only aarch64 on kernels >= 6.11 is a problem right now, because all +other platforms provide the old style hashing. + +Signed-off-by: Adrian Reber +Co-developed-by: Dmitry Safonov +Co-authored-by: Dmitry Safonov +Signed-off-by: Dmitry Safonov +--- + criu/pie/util-vdso.c | 245 ++++++++++++++++++++++++++++++++++--------- + 1 file changed, 198 insertions(+), 47 deletions(-) + +diff --git a/criu/pie/util-vdso.c b/criu/pie/util-vdso.c +index f1e3239ff5..9819335d81 100644 +--- a/criu/pie/util-vdso.c ++++ b/criu/pie/util-vdso.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -48,10 +49,25 @@ static bool __ptr_struct_oob(uintptr_t ptr, size_t struct_size, uintptr_t start, + return __ptr_oob(ptr, start, size) || __ptr_struct_end_oob(ptr, struct_size, start, size); + } + ++/* Local strlen implementation */ ++static size_t __strlen(const char *str) ++{ ++ const char *ptr; ++ ++ if (!str) ++ return 0; ++ ++ ptr = str; ++ while (*ptr != '\0') ++ ptr++; ++ ++ return ptr - str; ++} ++ + /* + * Elf hash, see format specification. + */ +-static unsigned long elf_hash(const unsigned char *name) ++static unsigned long elf_sysv_hash(const unsigned char *name) + { + unsigned long h = 0, g; + +@@ -65,6 +81,15 @@ static unsigned long elf_hash(const unsigned char *name) + return h; + } + ++/* * The GNU hash format. Taken from glibc. */ ++static unsigned long elf_gnu_hash(const unsigned char *name) ++{ ++ unsigned long h = 5381; ++ for (unsigned char c = *name; c != '\0'; c = *++name) ++ h = h * 33 + c; ++ return h; ++} ++ + #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + #define BORD ELFDATA2MSB /* 0x02 */ + #else +@@ -149,11 +174,14 @@ static int parse_elf_phdr(uintptr_t mem, size_t size, Phdr_t **dynamic, Phdr_t * + * Output parameters are: + * @dyn_strtab - address of the symbol table + * @dyn_symtab - address of the string table section +- * @dyn_hash - address of the symbol hash table ++ * @dyn_hash - address of the symbol hash table ++ * @use_gnu_hash - the format of hash DT_HASH or DT_GNU_HASH + */ +-static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic, Dyn_t **dyn_strtab, Dyn_t **dyn_symtab, +- Dyn_t **dyn_hash) ++static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic, ++ Dyn_t **dyn_strtab, Dyn_t **dyn_symtab, ++ Dyn_t **dyn_hash, bool *use_gnu_hash) + { ++ Dyn_t *dyn_gnu_hash = NULL, *dyn_sysv_hash = NULL; + Dyn_t *dyn_syment = NULL; + Dyn_t *dyn_strsz = NULL; + uintptr_t addr; +@@ -184,16 +212,52 @@ static int parse_elf_dynamic(uintptr_t mem, size_t size, Phdr_t *dynamic, Dyn_t + dyn_syment = d; + pr_debug("DT_SYMENT: %lx\n", (unsigned long)d->d_un.d_val); + } else if (d->d_tag == DT_HASH) { +- *dyn_hash = d; ++ dyn_sysv_hash = d; + pr_debug("DT_HASH: %lx\n", (unsigned long)d->d_un.d_ptr); ++ } else if (d->d_tag == DT_GNU_HASH) { ++ /* ++ * This is complicated. ++ * ++ * Looking at the Linux kernel source, the following can be seen ++ * regarding which hashing style the VDSO uses on each arch: ++ * ++ * aarch64: not specified (depends on linker, can be ++ * only GNU hash style) ++ * arm: --hash-style=sysv ++ * loongarch: --hash-style=sysv ++ * mips: --hash-style=sysv ++ * powerpc: --hash-style=both ++ * riscv: --hash-style=both ++ * s390: --hash-style=both ++ * x86: --hash-style=both ++ * ++ * Some architectures are using both hash-styles, that ++ * is the easiest for CRIU. Some architectures are only ++ * using the old style (sysv), that is what CRIU supports. ++ * ++ * Starting with Linux 6.11, aarch64 unfortunately decided ++ * to switch from '--hash-style=sysv' to ''. Specifying ++ * nothing unfortunately may mean GNU hash style only and not ++ * 'both' (depending on the linker). ++ */ ++ dyn_gnu_hash = d; ++ pr_debug("DT_GNU_HASH: %lx\n", (unsigned long)d->d_un.d_ptr); + } + } + +- if (!*dyn_strtab || !*dyn_symtab || !dyn_strsz || !dyn_syment || !*dyn_hash) { ++ if (!*dyn_strtab || !*dyn_symtab || !dyn_strsz || !dyn_syment || ++ (!dyn_gnu_hash && !dyn_sysv_hash)) { + pr_err("Not all dynamic entries are present\n"); + return -EINVAL; + } + ++ /* ++ * Prefer DT_HASH over DT_GNU_HASH as it's been more tested and ++ * as a result more stable. ++ */ ++ *use_gnu_hash = !dyn_sysv_hash; ++ *dyn_hash = dyn_sysv_hash ?: dyn_gnu_hash; ++ + return 0; + + err_oob: +@@ -208,60 +272,141 @@ typedef unsigned long Hash_t; + typedef Word_t Hash_t; + #endif + +-static void parse_elf_symbols(uintptr_t mem, size_t size, Phdr_t *load, struct vdso_symtable *t, +- uintptr_t dynsymbol_names, Hash_t *hash, Dyn_t *dyn_symtab) ++static bool elf_symbol_match(uintptr_t mem, size_t size, ++ uintptr_t dynsymbol_names, Sym_t *sym, ++ const char *symbol, const size_t vdso_symbol_length) + { +- ARCH_VDSO_SYMBOLS_LIST +- +- const char *vdso_symbols[VDSO_SYMBOL_MAX] = { ARCH_VDSO_SYMBOLS }; +- const size_t vdso_symbol_length = sizeof(t->symbols[0].name) - 1; ++ uintptr_t addr = (uintptr_t)sym; ++ char *name; + +- Hash_t nbucket, nchain; +- Hash_t *bucket, *chain; ++ if (__ptr_struct_oob(addr, sizeof(Sym_t), mem, size)) ++ return false; + +- unsigned int i, j, k; +- uintptr_t addr; ++ if (ELF_ST_TYPE(sym->st_info) != STT_FUNC && ELF_ST_BIND(sym->st_info) != STB_GLOBAL) ++ return false; + +- nbucket = hash[0]; +- nchain = hash[1]; +- bucket = &hash[2]; +- chain = &hash[nbucket + 2]; ++ addr = dynsymbol_names + sym->st_name; ++ if (__ptr_struct_oob(addr, vdso_symbol_length, mem, size)) ++ return false; ++ name = (void *)addr; + +- pr_debug("nbucket %lx nchain %lx bucket %lx chain %lx\n", (long)nbucket, (long)nchain, (unsigned long)bucket, +- (unsigned long)chain); ++ return !std_strncmp(name, symbol, vdso_symbol_length); ++} + +- for (i = 0; i < VDSO_SYMBOL_MAX; i++) { +- const char *symbol = vdso_symbols[i]; +- k = elf_hash((const unsigned char *)symbol); + +- for (j = bucket[k % nbucket]; j < nchain && j != STN_UNDEF; j = chain[j]) { +- Sym_t *sym; +- char *name; ++static unsigned long elf_symbol_lookup(uintptr_t mem, size_t size, ++ const char *symbol, uint32_t symbol_hash, unsigned int sym_off, ++ uintptr_t dynsymbol_names, Dyn_t *dyn_symtab, Phdr_t *load, ++ Hash_t nbucket, Hash_t nchain, Hash_t *bucket, Hash_t *chain, ++ const size_t vdso_symbol_length, bool use_gnu_hash) ++{ ++ unsigned int j; ++ uintptr_t addr; + +- addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr; ++ j = bucket[symbol_hash % nbucket]; ++ if (j == STN_UNDEF) ++ return 0; ++ ++ addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr; ++ ++ if (use_gnu_hash) { ++ uint32_t *h = bucket + nbucket + (j - sym_off); ++ uint32_t hash_val; ++ ++ symbol_hash |= 1; ++ do { ++ Sym_t *sym = (void *)addr + sizeof(Sym_t) * j; ++ ++ hash_val = *h++; ++ if ((hash_val | 1) == symbol_hash && ++ elf_symbol_match(mem, size, dynsymbol_names, sym, ++ symbol, vdso_symbol_length)) ++ return sym->st_value; ++ j++; ++ } while (!(hash_val & 1)); ++ } else { ++ for (; j < nchain && j != STN_UNDEF; j = chain[j]) { ++ Sym_t *sym = (void *)addr + sizeof(Sym_t) * j; ++ ++ if (elf_symbol_match(mem, size, dynsymbol_names, sym, ++ symbol, vdso_symbol_length)) ++ return sym->st_value; ++ } ++ } ++ return 0; ++} + +- addr += sizeof(Sym_t) * j; +- if (__ptr_struct_oob(addr, sizeof(Sym_t), mem, size)) +- continue; +- sym = (void *)addr; ++static int parse_elf_symbols(uintptr_t mem, size_t size, Phdr_t *load, ++ struct vdso_symtable *t, uintptr_t dynsymbol_names, ++ Hash_t *hash, Dyn_t *dyn_symtab, bool use_gnu_hash) ++{ ++ ARCH_VDSO_SYMBOLS_LIST + +- if (ELF_ST_TYPE(sym->st_info) != STT_FUNC && ELF_ST_BIND(sym->st_info) != STB_GLOBAL) +- continue; ++ const char *vdso_symbols[VDSO_SYMBOL_MAX] = { ARCH_VDSO_SYMBOLS }; ++ const size_t vdso_symbol_length = sizeof(t->symbols[0].name) - 1; + +- addr = dynsymbol_names + sym->st_name; +- if (__ptr_struct_oob(addr, vdso_symbol_length, mem, size)) +- continue; +- name = (void *)addr; ++ Hash_t *bucket = NULL; ++ Hash_t *chain = NULL; ++ Hash_t nbucket = 0; ++ Hash_t nchain = 0; ++ ++ unsigned int sym_off = 0; ++ unsigned int i = 0; ++ ++ unsigned long (*elf_hash)(const unsigned char *); ++ ++ if (use_gnu_hash) { ++ uint32_t *gnu_hash = (uint32_t *)hash; ++ uint32_t bloom_sz; ++ size_t *bloom; ++ ++ nbucket = gnu_hash[0]; ++ sym_off = gnu_hash[1]; ++ bloom_sz = gnu_hash[2]; ++ bloom = (size_t *)&gnu_hash[4]; ++ bucket = (Hash_t *)(&bloom[bloom_sz]); ++ elf_hash = &elf_gnu_hash; ++ pr_debug("nbucket %lx sym_off %lx bloom_sz %lx bloom %lx bucket %lx\n", ++ (unsigned long)nbucket, (unsigned long)sym_off, ++ (unsigned long)bloom_sz, (unsigned long)bloom, ++ (unsigned long)bucket); ++ } else { ++ nbucket = hash[0]; ++ nchain = hash[1]; ++ bucket = &hash[2]; ++ chain = &hash[nbucket + 2]; ++ elf_hash = &elf_sysv_hash; ++ pr_debug("nbucket %lx nchain %lx bucket %lx chain %lx\n", ++ (unsigned long)nbucket, (unsigned long)nchain, ++ (unsigned long)bucket, (unsigned long)chain); ++ } + +- if (std_strncmp(name, symbol, vdso_symbol_length)) +- continue; + +- /* XXX: provide strncpy() implementation for PIE */ +- memcpy(t->symbols[i].name, name, vdso_symbol_length); +- t->symbols[i].offset = (unsigned long)sym->st_value - load->p_vaddr; +- break; ++ for (i = 0; i < VDSO_SYMBOL_MAX; i++) { ++ const char *symbol = vdso_symbols[i]; ++ unsigned long addr, symbol_hash; ++ const size_t symbol_length = __strlen(symbol); ++ ++ symbol_hash = elf_hash((const unsigned char *)symbol); ++ addr = elf_symbol_lookup(mem, size, symbol, symbol_hash, ++ sym_off, dynsymbol_names, dyn_symtab, load, ++ nbucket, nchain, bucket, chain, ++ vdso_symbol_length, use_gnu_hash); ++ pr_debug("symbol %s at address %lx\n", symbol, addr); ++ if (!addr) ++ continue; ++ ++ /* XXX: provide strncpy() implementation for PIE */ ++ if (symbol_length > vdso_symbol_length) { ++ pr_err("strlen(%s) %zd, only %zd bytes available\n", ++ symbol, symbol_length, vdso_symbol_length); ++ return -EINVAL; + } ++ memcpy(t->symbols[i].name, symbol, symbol_length); ++ t->symbols[i].offset = addr - load->p_vaddr; + } ++ ++ return 0; + } + + int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t) +@@ -271,6 +416,7 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t) + Dyn_t *dyn_symtab = NULL; + Dyn_t *dyn_hash = NULL; + Hash_t *hash = NULL; ++ bool use_gnu_hash; + + uintptr_t dynsymbol_names; + uintptr_t addr; +@@ -296,7 +442,8 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t) + * needed. Note that we're interested in a small set of tags. + */ + +- ret = parse_elf_dynamic(mem, size, dynamic, &dyn_strtab, &dyn_symtab, &dyn_hash); ++ ret = parse_elf_dynamic(mem, size, dynamic, &dyn_strtab, &dyn_symtab, ++ &dyn_hash, &use_gnu_hash); + if (ret < 0) + return ret; + +@@ -310,7 +457,11 @@ int vdso_fill_symtable(uintptr_t mem, size_t size, struct vdso_symtable *t) + goto err_oob; + hash = (void *)addr; + +- parse_elf_symbols(mem, size, load, t, dynsymbol_names, hash, dyn_symtab); ++ ret = parse_elf_symbols(mem, size, load, t, dynsymbol_names, hash, dyn_symtab, ++ use_gnu_hash); ++ ++ if (ret <0) ++ return ret; + + return 0; + diff --git a/2590.patch b/2590.patch new file mode 100644 index 0000000..b890e68 --- /dev/null +++ b/2590.patch @@ -0,0 +1,38 @@ +From de5dba8c47ffe4e16fae17539270d55e1a8604d1 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Fri, 7 Feb 2025 09:24:19 +0100 +Subject: [PATCH] vdso: handle s390x correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On s390x there is currently a build failure: + +criu/pie/util-vdso.c: In function ‘elf_symbol_lookup’: +criu/pie/util-vdso.c:313:31: error: initialization of ‘uint32_t *’ {aka ‘unsigned int *’} from incompatible pointer type ‘Hash_t *’ {aka ‘long unsigned int *’} [-Wincompatible-pointer-types] + 313 | uint32_t *h = bucket + nbucket + (j - sym_off); + | ^~~~~~ + +Replacing uint32_t with Hash_t which is defined behind a architecture +specific ifdef solves this error. + +Signed-off-by: Adrian Reber +--- + criu/pie/util-vdso.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/criu/pie/util-vdso.c b/criu/pie/util-vdso.c +index 9819335d81..d16fd85f43 100644 +--- a/criu/pie/util-vdso.c ++++ b/criu/pie/util-vdso.c +@@ -310,8 +310,8 @@ static unsigned long elf_symbol_lookup(uintptr_t mem, size_t size, + addr = mem + dyn_symtab->d_un.d_ptr - load->p_vaddr; + + if (use_gnu_hash) { +- uint32_t *h = bucket + nbucket + (j - sym_off); +- uint32_t hash_val; ++ Hash_t *h = bucket + nbucket + (j - sym_off); ++ Hash_t hash_val; + + symbol_hash |= 1; + do { diff --git a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch deleted file mode 100644 index 3b2fbd8..0000000 --- a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Fri, 3 May 2019 06:27:51 +0000 -Subject: [PATCH] lsm: fix compiler error 'unused-result' - -Reading out the xattr 'security.selinux' of checkpointed sockets with -fscanf() works (at least in theory) without checking the result of -fscanf(). There are, however, multiple CI failures when ignoring the -return value of fscanf(). - -This adds ferror() to check if the stream has an actual error or if '-1' -just mean EOF. - -Handle all errors of fscanf() // Andrei - -Signed-off-by: Adrian Reber -Signed-off-by: Andrei Vagin ---- - criu/lsm.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index ef6ba112b3..9c9ac7f80e 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name) - return -1; - - if (fscanf(f, "%ms", profile_name) != 1) { -- fclose(f); - pr_perror("err scanfing"); -+ fclose(f); - return -1; - } - -@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output) - static int selinux_get_sockcreate_label(pid_t pid, char **output) - { - FILE *f; -+ int ret; - - f = fopen_proc(pid, "attr/sockcreate"); - if (!f) - return -1; - -- fscanf(f, "%ms", output); -- /* -- * No need to check the result of fscanf(). If there is something -- * in /proc/PID/attr/sockcreate it will be copied to *output. If -- * there is nothing it will stay NULL. So whatever fscanf() does -- * it should be correct. -- */ -- -+ ret = fscanf(f, "%ms", output); -+ if (ret == -1 && errno != 0) { -+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid); -+ /* -+ * Only if the error indicator is set it is a real error. -+ * -1 could also be EOF, which would mean that sockcreate -+ * was just empty, which is the most common case. -+ */ -+ fclose(f); -+ return -1; -+ } - fclose(f); - return 0; - } diff --git a/SOURCES/685.patch b/SOURCES/685.patch deleted file mode 100644 index 30e1728..0000000 --- a/SOURCES/685.patch +++ /dev/null @@ -1,834 +0,0 @@ -From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Thu, 2 May 2019 13:41:46 +0000 -Subject: [PATCH 1/4] lsm: also dump and restore sockcreate - -The file /proc/PID/attr/sockcreate is used by SELinux to label newly -created sockets with the label available at sockcreate. - -If it is NULL, the default label of the process will be used. - -This reads out that file during checkpoint and restores the value during -restore. - -This value is irrelevant for existing sockets as they might have been -created with another context. This is only to make sure that newly -created sockets have the correct context. - -Signed-off-by: Adrian Reber ---- - criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++ - criu/include/restorer.h | 2 ++ - criu/lsm.c | 32 ++++++++++++++++++++++++++++++++ - criu/pie/restorer.c | 15 ++++++++++----- - images/creds.proto | 1 + - 5 files changed, 81 insertions(+), 5 deletions(-) - -diff --git a/criu/cr-restore.c b/criu/cr-restore.c -index 5fd22e9246..f254cbc0eb 100644 ---- a/criu/cr-restore.c -+++ b/criu/cr-restore.c -@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args, - - if (args->lsm_profile) - args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE); -+ if (args->lsm_sockcreate) -+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE); - if (args->groups) - args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE); - -@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos) - args->mem_lsm_profile_pos = 0; - } - -+ if (ce->lsm_sockcreate) { -+ char *rendered = NULL; -+ char *profile; -+ -+ profile = ce->lsm_sockcreate; -+ -+ if (validate_lsm(profile) < 0) -+ return ERR_PTR(-EINVAL); -+ -+ if (profile && render_lsm_profile(profile, &rendered)) { -+ return ERR_PTR(-EINVAL); -+ } -+ if (rendered) { -+ size_t lsm_sockcreate_len; -+ char *lsm_sockcreate; -+ -+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE); -+ lsm_sockcreate_len = strlen(rendered); -+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE); -+ if (!lsm_sockcreate) { -+ xfree(rendered); -+ return ERR_PTR(-ENOMEM); -+ } -+ -+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE); -+ args->lsm_sockcreate = lsm_sockcreate; -+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len); -+ xfree(rendered); -+ } -+ } else { -+ args->lsm_sockcreate = NULL; -+ args->mem_lsm_sockcreate_pos = 0; -+ } -+ - /* - * Zap fields which we can't use. - */ -diff --git a/criu/include/restorer.h b/criu/include/restorer.h -index 2884ce9e6d..b83e9130c5 100644 ---- a/criu/include/restorer.h -+++ b/criu/include/restorer.h -@@ -69,8 +69,10 @@ struct thread_creds_args { - unsigned int secbits; - char *lsm_profile; - unsigned int *groups; -+ char *lsm_sockcreate; - - unsigned long mem_lsm_profile_pos; -+ unsigned long mem_lsm_sockcreate_pos; - unsigned long mem_groups_pos; - - unsigned long mem_pos_next; -diff --git a/criu/lsm.c b/criu/lsm.c -index 849ec37cde..b0ef0c396c 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output) - freecon(ctx); - return ret; - } -+ -+/* -+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate -+ * to see if the PID has a special label specified for sockets. -+ * Most of the time this will be empty and the process will use -+ * the process context also for sockets. -+ */ -+static int selinux_get_sockcreate_label(pid_t pid, char **output) -+{ -+ FILE *f; -+ -+ f = fopen_proc(pid, "attr/sockcreate"); -+ if (!f) -+ return -1; -+ -+ fscanf(f, "%ms", output); -+ /* -+ * No need to check the result of fscanf(). If there is something -+ * in /proc/PID/attr/sockcreate it will be copied to *output. If -+ * there is nothing it will stay NULL. So whatever fscanf() does -+ * it should be correct. -+ */ -+ -+ fclose(f); -+ return 0; -+} - #endif - - void kerndat_lsm(void) -@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - int ret; - - ce->lsm_profile = NULL; -+ ce->lsm_sockcreate = NULL; - - switch (kdat.lsm) { - case LSMTYPE__NO_LSM: -@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - #ifdef CONFIG_HAS_SELINUX - case LSMTYPE__SELINUX: - ret = selinux_get_label(pid, &ce->lsm_profile); -+ if (ret) -+ break; -+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate); - break; - #endif - default: -@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - - if (ce->lsm_profile) - pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile); -+ if (ce->lsm_sockcreate) -+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate); - - return ret; - } -diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c -index 6e18cc2606..4f42605a09 100644 ---- a/criu/pie/restorer.c -+++ b/criu/pie/restorer.c -@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data) - sys_exit_group(1); - } - --static int lsm_set_label(char *label, int procfd) -+static int lsm_set_label(char *label, char *type, int procfd) - { - int ret = -1, len, lsmfd; - char path[STD_LOG_SIMPLE_CHUNK]; -@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd) - if (!label) - return 0; - -- pr_info("restoring lsm profile %s\n", label); -+ pr_info("restoring lsm profile (%s) %s\n", type, label); - -- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid()); -+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type); - - lsmfd = sys_openat(procfd, path, O_WRONLY, 0); - if (lsmfd < 0) { -@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd, - * SELinux and instead the process context is set before the - * threads are created. - */ -- if (lsm_set_label(args->lsm_profile, procfd) < 0) -+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0) - return -1; - } -+ -+ /* Also set the sockcreate label for all threads */ -+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0) -+ return -1; -+ - return 0; - } - -@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args) - if (args->lsm_type == LSMTYPE__SELINUX) { - /* Only for SELinux */ - if (lsm_set_label(args->t->creds_args->lsm_profile, -- args->proc_fd) < 0) -+ "current", args->proc_fd) < 0) - goto core_restore_end; - } - -diff --git a/images/creds.proto b/images/creds.proto -index 29fb8652eb..23b84c7e50 100644 ---- a/images/creds.proto -+++ b/images/creds.proto -@@ -20,4 +20,5 @@ message creds_entry { - repeated uint32 groups = 14; - - optional string lsm_profile = 15; -+ optional string lsm_sockcreate = 16; - } - -From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Thu, 2 May 2019 13:47:29 +0000 -Subject: [PATCH 2/4] test: Verify that sockcreate does not change during - restore - -This makes sure that sockcreate stays empty for selinux00 before and -after checkpoint/restore. - -Signed-off-by: Adrian Reber ---- - test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c -index dd9096a6fc..db8420eacb 100644 ---- a/test/zdtm/static/selinux00.c -+++ b/test/zdtm/static/selinux00.c -@@ -83,6 +83,31 @@ int checkprofile() - return 0; - } - -+int check_sockcreate() -+{ -+ char *output = NULL; -+ FILE *f = fopen("/proc/self/attr/sockcreate", "r"); -+ int ret = fscanf(f, "%ms", &output); -+ fclose(f); -+ -+ if (ret >= 1) { -+ free(output); -+ /* sockcreate should be empty, if fscanf found something -+ * it is wrong.*/ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ if (output) { -+ free(output); -+ /* Same here, output should still be NULL. */ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - test_init(argc, argv); -@@ -95,12 +120,21 @@ int main(int argc, char **argv) - return 0; - } - -+ if (check_sockcreate()) -+ return -1; -+ - if (setprofile()) - return -1; - -+ if (check_sockcreate()) -+ return -1; -+ - test_daemon(); - test_waitsig(); - -+ if (check_sockcreate()) -+ return -1; -+ - if (checkprofile() == 0) - pass(); - - -From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Mon, 29 Apr 2019 15:21:59 +0200 -Subject: [PATCH 3/4] sockets: dump and restore xattr security labels - -Restoring a SELinux process also requires to correctly label sockets. - -During checkpointing fgetxattr() is used to retrieve the -"security.selinux" xattr and during restore setsockcreatecon() is used -before a socket is created. - -Previous commits are already restoring the sockcreate SELinux setting if -set by the process. - -Signed-off-by: Adrian Reber ---- - criu/include/lsm.h | 18 +++++++++++++++ - criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ - criu/sk-inet.c | 12 ++++++++++ - criu/sockets.c | 4 ++++ - images/fdinfo.proto | 1 + - 5 files changed, 91 insertions(+) - -diff --git a/criu/include/lsm.h b/criu/include/lsm.h -index b4fce13039..3b82712829 100644 ---- a/criu/include/lsm.h -+++ b/criu/include/lsm.h -@@ -3,6 +3,7 @@ - - #include "images/inventory.pb-c.h" - #include "images/creds.pb-c.h" -+#include "images/fdinfo.pb-c.h" - - #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor" - -@@ -34,4 +35,21 @@ int validate_lsm(char *profile); - int render_lsm_profile(char *profile, char **val); - - extern int lsm_check_opts(void); -+ -+#ifdef CONFIG_HAS_SELINUX -+int dump_xattr_security_selinux(int fd, FdinfoEntry *e); -+int run_setsockcreatecon(FdinfoEntry *e); -+int reset_setsockcreatecon(); -+#else -+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) { -+ return 0; -+} -+static inline int run_setsockcreatecon(FdinfoEntry *e) { -+ return 0; -+} -+static inline int reset_setsockcreatecon() { -+ return 0; -+} -+#endif -+ - #endif /* __CR_LSM_H__ */ -diff --git a/criu/lsm.c b/criu/lsm.c -index b0ef0c396c..ef6ba112b3 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -3,6 +3,7 @@ - #include - #include - #include -+#include - #include - - #include "common/config.h" -@@ -11,10 +12,12 @@ - #include "util.h" - #include "cr_options.h" - #include "lsm.h" -+#include "fdstore.h" - - #include "protobuf.h" - #include "images/inventory.pb-c.h" - #include "images/creds.pb-c.h" -+#include "images/fdinfo.pb-c.h" - - #ifdef CONFIG_HAS_SELINUX - #include -@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output) - fclose(f); - return 0; - } -+ -+int reset_setsockcreatecon() -+{ -+ return setsockcreatecon_raw(NULL); -+} -+ -+int run_setsockcreatecon(FdinfoEntry *e) -+{ -+ char *ctx = NULL; -+ -+ /* Currently this only works for SELinux. */ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ ctx = e->xattr_security_selinux; -+ /* Writing to the FD using fsetxattr() did not work for some reason. */ -+ return setsockcreatecon_raw(ctx); -+} -+ -+int dump_xattr_security_selinux(int fd, FdinfoEntry *e) -+{ -+ char *ctx = NULL; -+ int len; -+ int ret; -+ -+ /* Currently this only works for SELinux. */ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ /* Get the size of the xattr. */ -+ len = fgetxattr(fd, "security.selinux", ctx, 0); -+ if (len == -1) { -+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ return -1; -+ } -+ -+ ctx = xmalloc(len); -+ if (!ctx) { -+ pr_err("xmalloc to read xattr for FD %d failed\n", fd); -+ return -1; -+ } -+ -+ ret = fgetxattr(fd, "security.selinux", ctx, len); -+ if (len != ret) { -+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ return -1; -+ } -+ -+ e->xattr_security_selinux = ctx; -+ -+ return 0; -+} -+ - #endif - - void kerndat_lsm(void) -diff --git a/criu/sk-inet.c b/criu/sk-inet.c -index 60ee4c3155..ca5c9bf2cd 100644 ---- a/criu/sk-inet.c -+++ b/criu/sk-inet.c -@@ -23,6 +23,9 @@ - #include "files.h" - #include "image.h" - #include "log.h" -+#include "lsm.h" -+#include "kerndat.h" -+#include "pstree.h" - #include "rst-malloc.h" - #include "sockets.h" - #include "sk-inet.h" -@@ -30,6 +33,8 @@ - #include "util.h" - #include "namespaces.h" - -+#include "images/inventory.pb-c.h" -+ - #undef LOG_PREFIX - #define LOG_PREFIX "inet: " - -@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd) - if (set_netns(ie->ns_id)) - return -1; - -+ if (run_setsockcreatecon(fle->fe)) -+ return -1; -+ - sk = socket(ie->family, ie->type, ie->proto); - if (sk < 0) { - pr_perror("Can't create inet socket"); - return -1; - } - -+ if (reset_setsockcreatecon()) -+ return -1; -+ - if (ie->v6only) { - if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1) - goto err; -@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd) - } - - *new_fd = sk; -+ - return 1; - err: - close(sk); -diff --git a/criu/sockets.c b/criu/sockets.c -index 30072ac737..7f7453ca1d 100644 ---- a/criu/sockets.c -+++ b/criu/sockets.c -@@ -22,6 +22,7 @@ - #include "util-pie.h" - #include "sk-packet.h" - #include "namespaces.h" -+#include "lsm.h" - #include "net.h" - #include "xmalloc.h" - #include "fs-magic.h" -@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e) - int family; - const struct fdtype_ops *ops; - -+ if (dump_xattr_security_selinux(lfd, e)) -+ return -1; -+ - if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family)) - return -1; - -diff --git a/images/fdinfo.proto b/images/fdinfo.proto -index ed82ceffe7..77e375aa94 100644 ---- a/images/fdinfo.proto -+++ b/images/fdinfo.proto -@@ -47,6 +47,7 @@ message fdinfo_entry { - required uint32 flags = 2; - required fd_types type = 3; - required uint32 fd = 4; -+ optional string xattr_security_selinux = 5; - } - - message file_entry { - -From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Tue, 30 Apr 2019 09:47:32 +0000 -Subject: [PATCH 4/4] selinux: add socket label test - -This adds two more SELinux test to verfy that checkpointing and -restoring SELinux socket labels works correctly, if the process uses -setsockcreatecon() or if the process leaves the default context for -newly created sockets. - -Signed-off-by: Adrian Reber ---- - test/zdtm/static/Makefile | 3 + - test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++ - test/zdtm/static/selinux01.checkskip | 1 + - test/zdtm/static/selinux01.desc | 1 + - test/zdtm/static/selinux01.hook | 1 + - test/zdtm/static/selinux02.c | 1 + - test/zdtm/static/selinux02.checkskip | 1 + - test/zdtm/static/selinux02.desc | 1 + - test/zdtm/static/selinux02.hook | 1 + - 9 files changed, 210 insertions(+) - create mode 100644 test/zdtm/static/selinux01.c - create mode 120000 test/zdtm/static/selinux01.checkskip - create mode 120000 test/zdtm/static/selinux01.desc - create mode 120000 test/zdtm/static/selinux01.hook - create mode 120000 test/zdtm/static/selinux02.c - create mode 120000 test/zdtm/static/selinux02.checkskip - create mode 120000 test/zdtm/static/selinux02.desc - create mode 120000 test/zdtm/static/selinux02.hook - -diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile -index 8e3f39276a..1ffaa90394 100644 ---- a/test/zdtm/static/Makefile -+++ b/test/zdtm/static/Makefile -@@ -211,6 +211,8 @@ TST_NOFILE := \ - thp_disable \ - pid_file \ - selinux00 \ -+ selinux01 \ -+ selinux02 \ - # jobctl00 \ - - ifneq ($(SRCARCH),arm) -@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04 - ghost_holes01: CFLAGS += -DTAIL_HOLE - ghost_holes02: CFLAGS += -DHEAD_HOLE - sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE -+selinux02: CFLAGS += -DUSING_SOCKCREATE - stopped01: CFLAGS += -DZDTM_STOPPED_KILL - stopped02: CFLAGS += -DZDTM_STOPPED_TKILL - stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL -diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c -new file mode 100644 -index 0000000000..9966455c47 ---- /dev/null -+++ b/test/zdtm/static/selinux01.c -@@ -0,0 +1,200 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "zdtmtst.h" -+ -+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */ -+ -+const char *test_doc = "Check that a SELinux socket context is restored"; -+const char *test_author = "Adrian Reber "; -+ -+/* This is all based on Tycho's apparmor code */ -+ -+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0" -+ -+/* -+ * This is used to store the state of SELinux. For this test -+ * SELinux is switched to permissive mode and later the previous -+ * SELinux state is restored. -+ */ -+char state; -+ -+int check_for_selinux() -+{ -+ if (access("/sys/fs/selinux", F_OK) == 0) -+ return 0; -+ return 1; -+} -+ -+int setprofile() -+{ -+ int fd, len; -+ -+ fd = open("/proc/self/attr/current", O_WRONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/current\n"); -+ return -1; -+ } -+ -+ len = write(fd, CONTEXT, strlen(CONTEXT)); -+ close(fd); -+ -+ if (len < 0) { -+ fail("Could not write context\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int set_sockcreate() -+{ -+ int fd, len; -+ -+ fd = open("/proc/self/attr/sockcreate", O_WRONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/sockcreate\n"); -+ return -1; -+ } -+ -+ len = write(fd, CONTEXT, strlen(CONTEXT)); -+ close(fd); -+ -+ if (len < 0) { -+ fail("Could not write context\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int check_sockcreate() -+{ -+ int fd; -+ char context[1024]; -+ int len; -+ -+ -+ fd = open("/proc/self/attr/sockcreate", O_RDONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/sockcreate\n"); -+ return -1; -+ } -+ -+ len = read(fd, context, strlen(CONTEXT)); -+ close(fd); -+ if (len != strlen(CONTEXT)) { -+ fail("SELinux context has unexpected length %d, expected %zd\n", -+ len, strlen(CONTEXT)); -+ return -1; -+ } -+ -+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int check_sockcreate_empty() -+{ -+ char *output = NULL; -+ FILE *f = fopen("/proc/self/attr/sockcreate", "r"); -+ int ret = fscanf(f, "%ms", &output); -+ fclose(f); -+ -+ if (ret >= 1) { -+ free(output); -+ /* sockcreate should be empty, if fscanf found something -+ * it is wrong.*/ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ if (output) { -+ free(output); -+ /* Same here, output should still be NULL. */ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int main(int argc, char **argv) -+{ -+ char ctx[1024]; -+ test_init(argc, argv); -+ -+ if (check_for_selinux()) { -+ skip("SELinux not found on this system."); -+ test_daemon(); -+ test_waitsig(); -+ pass(); -+ return 0; -+ } -+ -+#ifdef USING_SOCKCREATE -+ if (set_sockcreate()) -+ return -1; -+#else -+ if (check_sockcreate_empty()) -+ return -1; -+ -+ if (setprofile()) -+ return -1; -+ -+ if (check_sockcreate_empty()) -+ return -1; -+#endif -+ -+ /* Open our test socket */ -+ int sk = socket(AF_INET, SOCK_STREAM, 0); -+ memset(ctx, 0, 1024); -+ /* Read out the socket label */ -+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { -+ fail("Reading xattr 'security.selinux' failed.\n"); -+ return -1; -+ } -+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); -+ return -1; -+ } -+ memset(ctx, 0, 1024); -+ -+ test_daemon(); -+ test_waitsig(); -+ -+ /* Read out the socket label again */ -+ -+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { -+ fail("Reading xattr 'security.selinux' failed.\n"); -+ return -1; -+ } -+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); -+ return -1; -+ } -+ -+#ifdef USING_SOCKCREATE -+ if (check_sockcreate()) -+ return -1; -+#else -+ if (check_sockcreate_empty()) -+ return -1; -+#endif -+ -+ pass(); -+ -+ return 0; -+} -diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip -new file mode 120000 -index 0000000000..e8a172479e ---- /dev/null -+++ b/test/zdtm/static/selinux01.checkskip -@@ -0,0 +1 @@ -+selinux00.checkskip -\ No newline at end of file -diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc -new file mode 120000 -index 0000000000..2d2961a764 ---- /dev/null -+++ b/test/zdtm/static/selinux01.desc -@@ -0,0 +1 @@ -+selinux00.desc -\ No newline at end of file -diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook -new file mode 120000 -index 0000000000..dd7ed6bb33 ---- /dev/null -+++ b/test/zdtm/static/selinux01.hook -@@ -0,0 +1 @@ -+selinux00.hook -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c -new file mode 120000 -index 0000000000..5702677858 ---- /dev/null -+++ b/test/zdtm/static/selinux02.c -@@ -0,0 +1 @@ -+selinux01.c -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip -new file mode 120000 -index 0000000000..2696e6e3de ---- /dev/null -+++ b/test/zdtm/static/selinux02.checkskip -@@ -0,0 +1 @@ -+selinux01.checkskip -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc -new file mode 120000 -index 0000000000..9c6802c4da ---- /dev/null -+++ b/test/zdtm/static/selinux02.desc -@@ -0,0 +1 @@ -+selinux01.desc -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook -new file mode 120000 -index 0000000000..e3ea0a6c80 ---- /dev/null -+++ b/test/zdtm/static/selinux02.hook -@@ -0,0 +1 @@ -+selinux01.hook -\ No newline at end of file diff --git a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch deleted file mode 100644 index 09446a6..0000000 --- a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001 -From: Andrei Vagin -Date: Sat, 4 May 2019 20:01:52 -0700 -Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled - -Fixes #693 ---- - criu/lsm.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index 9c9ac7f80e..5921138392 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output) - - int reset_setsockcreatecon() - { -- return setsockcreatecon_raw(NULL); -+ /* Currently this only works for SELinux. */ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ if (setsockcreatecon_raw(NULL)) { -+ pr_perror("Unable to reset socket SELinux context"); -+ return -1; -+ } -+ return 0; - } - - int run_setsockcreatecon(FdinfoEntry *e) -@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e) - - ctx = e->xattr_security_selinux; - /* Writing to the FD using fsetxattr() did not work for some reason. */ -- return setsockcreatecon_raw(ctx); -+ if (setsockcreatecon_raw(ctx)) { -+ pr_perror("Unable to set the %s socket SELinux context", ctx); -+ return -1; -+ } -+ return 0; - } - - int dump_xattr_security_selinux(int fd, FdinfoEntry *e) diff --git a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch deleted file mode 100644 index ec0cf00..0000000 --- a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch +++ /dev/null @@ -1,40 +0,0 @@ -From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Sat, 4 May 2019 15:27:32 +0200 -Subject: [PATCH] lsm: fix compiler error on Fedora 30 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes following compiler error: - -criu/lsm.c: In function ‘dump_xattr_security_selinux’: -criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=] - 51 | print_on_level(LOG_ERROR, \ - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 52 | "Error (%s:%d): " LOG_PREFIX fmt, \ - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 53 | __FILE__, __LINE__, ##__VA_ARGS__) - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’ - 166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); - | ^~~~~~ - -Signed-off-by: Adrian Reber ---- - criu/lsm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index 5921138392..420585ba4f 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e) - /* Get the size of the xattr. */ - len = fgetxattr(fd, "security.selinux", ctx, 0); - if (len == -1) { -- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd); - return -1; - } - diff --git a/SOURCES/criu-tmpfiles.conf b/criu-tmpfiles.conf similarity index 100% rename from SOURCES/criu-tmpfiles.conf rename to criu-tmpfiles.conf diff --git a/criu.pc.patch b/criu.pc.patch new file mode 100644 index 0000000..6211f2c --- /dev/null +++ b/criu.pc.patch @@ -0,0 +1,27 @@ +From 341ef149ee259d9432ea4c01507eefab2ef8b83c Mon Sep 17 00:00:00 2001 +From: Radostin Stoyanov +Date: Thu, 14 Oct 2021 12:58:56 +0100 +Subject: [PATCH] criu.pc: Add libprotobuf-c as a dependency + +CRIU has a dependency on protobuf-c-devel. We express this dependency +in pkgconfig to be auto-detected when building a package. + +Signed-off-by: Radostin Stoyanov +--- + lib/c/criu.pc.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/c/criu.pc.in b/lib/c/criu.pc.in +index 33986d10d..bcced5033 100644 +--- a/lib/c/criu.pc.in ++++ b/lib/c/criu.pc.in +@@ -4,5 +4,6 @@ includedir=@includedir@ + Name: CRIU + Description: RPC library for userspace checkpoint and restore + Version: @version@ ++Requires.private: libprotobuf-c + Libs: -L${libdir} -lcriu + Cflags: -I${includedir} +-- +2.31.1 + diff --git a/SPECS/criu.spec b/criu.spec similarity index 57% rename from SPECS/criu.spec rename to criu.spec index 44e484e..d066bc9 100644 --- a/SPECS/criu.spec +++ b/criu.spec @@ -1,57 +1,68 @@ -%if 0%{?fedora} >= 27 || 0%{?rhel} > 7 %global py_prefix python3 %global py_binary %{py_prefix} -%else -%global py_prefix python -%global py_binary python2 -%endif # With annobin enabled, CRIU does not work anymore. It seems CRIU's # parasite code breaks if annobin is enabled. %undefine _annotated_build +# Disable automatic call to the set_build_flags macro +# at the beginning of the build, check, and install. +# This change was introduced in Fedora 36. +%undefine _auto_set_build_flags + Name: criu -Version: 3.12 +Version: 3.19 Release: 9%{?dist} -Provides: crtools = %{version}-%{release} -Obsoletes: crtools <= 1.0-2 Summary: Tool for Checkpoint/Restore in User-space -License: GPLv2 +License: GPL-2.0-only AND LGPL-2.1-only AND MIT URL: http://criu.org/ -Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2 +Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz +# This switches the default network locking backend from +# iptables to nftables +Patch0: network.lock.nftables.patch +# Update restartable sequences to latest upstream code +Patch1: https://github.com/checkpoint-restore/criu/commit/089345f77a34d1bc7ef146d650636afcd3cdda21.patch +# Unfortunately crun added code to always force +# iptables backed network locking. This disables +# setting the network locking to iptables via RPC. +Patch2: disable.network.locking.via.rpc.patch +# net: redirect nftables stdout and stderr to CRIU's log file #2549 +Patch3: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2549.patch +# net: remember the name of the lock chain (nftables) #2550 +# based on https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2550.patch +Patch4: 2550.patch +# vdso: switch from DT_HASH to DT_GNU_HASH (aarch64) #2570 +Patch5: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/2570.patch +# vdso: handle s390x correctly #2590 +Patch6: https://github.com/checkpoint-restore/criu/pull/2590.patch -Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch -Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch -Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch -Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch +# Add protobuf-c as a dependency. +# We use this patch because the protobuf-c package name +# in RPM and DEB is different. +Patch99: criu.pc.patch -%if 0%{?rhel} && 0%{?rhel} <= 7 -BuildRequires: perl -# RHEL has no asciidoc; take man-page from Fedora 26 -# zcat /usr/share/man/man8/criu.8.gz > criu.8 -Source1: criu.8 -Source2: crit.1 -# The patch aio-fix.patch is needed as RHEL7 -# doesn't do "nr_events *= 2" in ioctx_alloc(). -Patch100: aio-fix.patch -%endif - -Source3: criu-tmpfiles.conf +Source5: criu-tmpfiles.conf BuildRequires: gcc BuildRequires: systemd BuildRequires: libnet-devel BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel -%if 0%{?fedora} || 0%{?rhel} > 7 -BuildRequires: asciidoc xmlto +BuildRequires: %{py_prefix}-pip +BuildRequires: %{py_prefix}-setuptools +BuildRequires: %{py_prefix}-wheel +BuildRequires: %{py_prefix}-protobuf +BuildRequires: asciidoctor BuildRequires: perl-interpreter BuildRequires: libselinux-devel +BuildRequires: gnutls-devel +BuildRequires: nftables-devel +BuildRequires: libuuid-devel # Checkpointing containers with a tmpfs requires tar Recommends: tar %if 0%{?fedora} BuildRequires: libbsd-devel %endif -%endif +BuildRequires: make # user-space and kernel changes are only available for x86_64, arm, # ppc64le, aarch64 and s390x @@ -63,10 +74,10 @@ criu is the user-space part of Checkpoint/Restore in User-space (CRIU), a project to implement checkpoint/restore functionality for Linux in user-space. -%if 0%{?fedora} %package devel Summary: Header files and libraries for %{name} Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} %description devel This package contains header files and libraries for %{name}. @@ -77,18 +88,11 @@ Requires: %{name} = %{version}-%{release} %description libs This package contains the libraries for %{name} -%endif %package -n %{py_prefix}-%{name} %{?python_provide:%python_provide %{py_prefix}-%{name}} Summary: Python bindings for %{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: protobuf-python -Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr -%else Requires: %{py_prefix}-protobuf -Obsoletes: python2-criu < 3.10-1 -%endif %description -n %{py_prefix}-%{name} %{py_prefix}-%{name} contains Python bindings for %{name}. @@ -101,62 +105,61 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release} crit is a tool designed to decode CRIU binary dump files and show their content in human-readable form. +%package -n criu-ns +Summary: Tool to run CRIU in different namespaces +Requires: %{name} = %{version}-%{release} + +%description -n criu-ns +The purpose of the criu-ns wrapper script is to enable restoring a process +tree that might require a specific PID that is already used on the system. +This script can help to workaround the so called "PID mismatch" problem. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 - -%if 0%{?rhel} && 0%{?rhel} <= 7 -%patch100 -p1 -%endif +%patch -P 0 -p1 +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 +%patch -P 6 -p1 +%patch -P 99 -p1 %build +# This package calls LD directly without specifying the LTO plugins. Until +# that is fixed, disable LTO. +%define _lto_cflags %{nil} + # %{?_smp_mflags} does not work # -fstack-protector breaks build CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary} -%if 0%{?fedora} || 0%{?rhel} > 7 make docs V=1 -%endif %install +sed -e "s,--upgrade --ignore-installed,--no-index --no-deps -v --no-build-isolation,g" -i lib/Makefile -i crit/Makefile make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary} -%if 0%{?fedora} || 0%{?rhel} > 7 -# only install documentation on Fedora as it requires asciidoc, -# which is not available on RHEL7 +make install-crit DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary} make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} -%else -install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8 -install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1 -%endif +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/compel.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/criu-amdgpu-plugin.1 mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -d -m 0755 %{buildroot}/run/%{name}/ -%if 0%{?rhel} -# remove devel and libs packages -rm -rf $RPM_BUILD_ROOT%{_includedir}/criu -rm $RPM_BUILD_ROOT%{_libdir}/*.so* -rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig -rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} -%endif +# remove static lib +rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a %files %{_sbindir}/%{name} %doc %{_mandir}/man8/criu.8* -%if 0%{?fedora} %{_libexecdir}/%{name} -%endif %dir /run/%{name} %{_tmpfilesdir}/%{name}.conf %doc README.md COPYING -%if 0%{?fedora} %files devel %{_includedir}/criu %{_libdir}/*.so @@ -164,24 +167,205 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} %files libs %{_libdir}/*.so.* -%endif %files -n %{py_prefix}-%{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -%{python2_sitelib}/pycriu/* -%{python2_sitelib}/*egg-info -%else -%{python3_sitelib}/pycriu/* -%{python3_sitelib}/*egg-info -%endif +%{python3_sitelib}/pycriu* %files -n crit %{_bindir}/crit +%{python3_sitelib}/crit-%{version}.dist-info/ +%{python3_sitelib}/crit %doc %{_mandir}/man1/crit.1* +%files -n criu-ns +%{_sbindir}/criu-ns +%doc %{_mandir}/man1/criu-ns.1* %changelog -* Mon May 13 2019 Adrian Reber - 3.12-9 +* Fri Feb 07 2025 Adrian Reber - 3.19-9 +- Fix VDSO compile error on s390x + +* Tue Feb 04 2025 Adrian Reber - 3.19-8 +- Adapt patches to patches merged upstream +- Fix running on aarch64 + +* Tue Dec 10 2024 Adrian Reber - 3.19-7 +- Switch network locking backend default to nftables + +* Tue Oct 29 2024 Troy Dawson - 3.19-6 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Mon Jun 24 2024 Troy Dawson - 3.19-5 +- Bump release for June 2024 mass rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 3.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 3.19-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Nov 28 2023 Adrian Reber - 3.19-2 +- Fix test setup + +* Tue Nov 28 2023 Adrian Reber - 3.19-1 +- Update to 3.19 + +* Wed Jul 19 2023 Fedora Release Engineering - 3.18-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jul 06 2023 Adrian Reber - 3.18-3 +- migrated to SPDX license +- remove RHEL 7 conditionals + +* Tue Jun 13 2023 Python Maint - 3.18-2 +- Rebuilt for Python 3.12 + +* Tue Apr 25 2023 Adrian Reber - 3.18-1 +- Update to 3.18 +- Apply patch from upstream to support newer CPUs + +* Thu Jan 19 2023 Fedora Release Engineering - 3.17.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 2 2022 Florian Weimer - 3.17.1-4 +- Fix FTBFS with glibc 2.36 + +* Wed Jul 20 2022 Fedora Release Engineering - 3.17.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Jul 08 2022 Adrian Reber - 3.17.1-2 +- Rebuilt to pick up glibc rseq() changes + +* Mon Jun 27 2022 Radostin Stoyanov - 3.17.1-1 +- Update to release version 3.17.1 + +* Mon Jun 20 2022 Adrian Reber - 3.17-4 +- Apply upstream patch to fix mount v2 errors + +* Mon Jun 13 2022 Python Maint - 3.17-3 +- Rebuilt for Python 3.11 + +* Thu May 19 2022 Radostin Stoyanov - 3.17-2 +- Use mntns-compat-mode as a temporary fix for runc + +* Fri May 6 2022 Radostin Stoyanov - 3.17-1 +- Update to release version 3.17 +- Do not install compel and amdgpu_plugin man pages + +* Tue Apr 5 2022 Radostin Stoyanov - 3.16.1-12 +- Update rseq patches + +* Tue Apr 5 2022 Radostin Stoyanov - 3.16.1-11 +- Update rseq patches + +* Tue Apr 5 2022 Radostin Stoyanov - 3.16.1-10 +- Update fixup patch + +* Tue Apr 5 2022 Radostin Stoyanov - 3.16.1-9 +- Update rseq support patches + +* Fri Feb 18 2022 Radostin Stoyanov - 3.16.1-8 +- rebuilt + +* Tue Feb 8 2022 Radostin Stoyanov - 3.16.1-7 +- Drop global -ffreestanding + +* Mon Jan 31 2022 Radostin Stoyanov - 3.16.1-6 +- Fix typo in changelog +- Replace `asciidoc` and `xmlto` with `asciidoctor` +- Enable initial rseq support + +* Thu Jan 20 2022 Fedora Release Engineering - 3.16.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 06 2021 Adrian Reber - 3.16.1-4 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 3.16.1-3 +- Rebuilt for protobuf 3.18.1 + +* Tue Oct 19 2021 Radostin Stoyanov - 3.16.1-2 +- Update protobuf-c to libprotobuf-c requirement + +* Thu Oct 14 2021 Radostin Stoyanov - 3.16.1-1 +- Update to 3.16.1 +- Add protobuf-c as required dependency (#2013775) + +* Tue Oct 05 2021 Adrian Reber - 3.16-3 +- Fix build on RHEL 8 + +* Thu Sep 23 2021 Adrian Reber - 3.16-2 +- Include criu-ns sub package +- Use new github Source0 location + +* Wed Sep 22 2021 Adrian Reber - 3.16-1 +- Update to 3.16 + +* Wed Jul 21 2021 Fedora Release Engineering - 3.15-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 3.15-5 +- Rebuilt for Python 3.10 + +* Fri Apr 09 2021 Adrian Reber - 3.15-4 +- Test for testing + +* Tue Jan 26 2021 Fedora Release Engineering - 3.15-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 13 2021 Adrian Reber - 3.15-2 +- Rebuilt for protobuf 3.14 + +* Wed Nov 04 2020 Adrian Reber - 3.15-1 +- Update to 3.15 + +* Wed Sep 23 2020 Adrian Reber - 3.14-8 +- Rebuilt for protobuf 3.13 + +* Mon Jul 27 2020 Fedora Release Engineering - 3.14-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Jeff Law - 3.14-6 +- Disable LTO + +* Sun Jun 14 2020 Adrian Reber - 3.14-5 +- Rebuilt for protobuf 3.12 + +* Tue May 26 2020 Miro Hrončok - 3.14-4 +- Rebuilt for Python 3.9 + +* Thu Apr 30 2020 Adrian Reber - 3.14-3 +- BuildRequire nftables-devel for working CI + +* Thu Apr 30 2020 Adrian Reber - 3.14-2 +- Rebuild for CI fixes + +* Wed Apr 29 2020 Adrian Reber - 3.14-1 +- Update to 3.14 (#1829399) + +* Sun Mar 29 2020 Andrei Vagin - 3.13-7 +- Added patch for gcc-10 + +* Tue Jan 28 2020 Fedora Release Engineering - 3.13-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Sep 16 2019 Adrian Reber - 3.13-5 +- Update to 3.13 (#1751146) +- Drop upstreamed patches +- Drop static library +- Add compel man-page + +* Mon Aug 19 2019 Miro Hrončok - 3.12-14 +- Rebuilt for Python 3.8 + +* Wed Jul 24 2019 Fedora Release Engineering - 3.12-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue May 14 2019 Adrian Reber - 3.12-11 +- Test different decision_context in gating.yaml + +* Mon May 13 2019 Adrian Reber - 3.12-10 - Added additional fixup patches for the socket labelling * Sat May 04 2019 Adrian Reber - 3.12-8 @@ -202,16 +386,15 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} - Build against SELinux (Fedora and RHEL8) - Build against libbsd (Fedora) -* Thu Feb 14 2019 Adrian Reber - 3.11-2 -- Updated to 3.11 -- Removed upstreamed patches +* Thu Jan 31 2019 Fedora Release Engineering - 3.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jan 19 2019 Adrian Reber - 3.11-2 - Added patch for gcc-9 -* Tue Dec 11 2018 Adrian Reber - 3.10-7 -- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442) - -* Tue Dec 11 2018 Adrian Reber - 3.10-6 -- Make sure no iptables rules are left after restore (#1652471) +* Tue Nov 06 2018 Adrian Reber - 3.11-1 +- Updated to 3.11 +- Removed upstreamed patches * Tue Oct 30 2018 Adrian Reber - 3.10-5 - Added Recommends: tar diff --git a/disable.network.locking.via.rpc.patch b/disable.network.locking.via.rpc.patch new file mode 100644 index 0000000..1a25b1d --- /dev/null +++ b/disable.network.locking.via.rpc.patch @@ -0,0 +1,12 @@ +diff -ur ../criu-3.19/criu/cr-service.c criu-3.19/criu/cr-service.c +--- ../criu-3.19/criu/cr-service.c 2023-11-28 01:47:16.000000000 +0100 ++++ criu-3.19/criu/cr-service.c 2024-12-17 19:53:43.865616992 +0100 +@@ -570,7 +570,7 @@ + if (req->has_network_lock) { + switch (req->network_lock) { + case CRIU_NETWORK_LOCK_METHOD__IPTABLES: +- opts.network_lock_method = NETWORK_LOCK_IPTABLES; ++ opts.network_lock_method = NETWORK_LOCK_NFTABLES; + break; + case CRIU_NETWORK_LOCK_METHOD__NFTABLES: + opts.network_lock_method = NETWORK_LOCK_NFTABLES; diff --git a/network.lock.nftables.patch b/network.lock.nftables.patch new file mode 100644 index 0000000..c74ca04 --- /dev/null +++ b/network.lock.nftables.patch @@ -0,0 +1,11 @@ +--- a/criu/include/cr_options.h.orig 2024-12-10 16:57:20.061293476 +0100 ++++ b/criu/include/cr_options.h 2024-12-10 16:57:34.789131372 +0100 +@@ -70,7 +70,7 @@ + NETWORK_LOCK_SKIP, + }; + +-#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES ++#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_NFTABLES + + /* + * Ghost file size we allow to carry by default. diff --git a/sources b/sources new file mode 100644 index 0000000..bb80cdd --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (criu-3.19.tar.gz) = d243818cdac51580c952a80e9164786a67ce5e294c0faa6dc700f5e8da8e36495f0b64f5c27b345ede7d6697ed7a69fa4e9a85cef451f32e3ffeb78564884571