rpms
/
criu
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import criu-3.12-9.el8

This commit is contained in:
CentOS Sources 2019-11-05 14:37:48 -05:00 committed by Andrew Lukoshko
parent 7203beb56c
commit c422d1845a
11 changed files with 1044 additions and 441 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.criu.metadata
View File

@ -1 +1 @@
a3598bc51ee354d7300b9862be92dc9f41e8b372 SOURCES/criu-3.10.tar.bz2
b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/criu-3.10.tar.bz2
SOURCES/criu-3.12.tar.bz2

241
SOURCES/1-2-Fix-building-with-4.18.patch
View File

@ -1,241 +0,0 @@
From patchwork Mon Jul 9 06:28:26 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [1/2] Fix building with 4.18
From: Adrian Reber <adrian@lisas.de>
X-Patchwork-Id: 8849
Message-Id: <1531117707-8173-2-git-send-email-adrian@lisas.de>
To: <criu@openvz.org>, Andrei Vagin <avagin@virtuozzo.com>
Cc: Adrian Reber <areber@redhat.com>
Date: Mon, 9 Jul 2018 06:28:26 +0000
From: Adrian Reber <areber@redhat.com>
Building CRIU against 4.18 fails with multiple re-definition errors.
This has been reported upstream
https://lore.kernel.org/lkml/20180704142116.GM17048@lisas.de/
but there has not been any answer yet. This tries to workaround those
compile errors by pulling the required aio defines directly into CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/cr-check.c | 2 +-
criu/include/aio.h | 73 ++++++++++++++++++++++++++++++++++++++++++++++-
criu/pie/restorer.c | 1 -
test/zdtm/static/aio01.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++--
4 files changed, 145 insertions(+), 5 deletions(-)
diff --git a/criu/cr-check.c b/criu/cr-check.c
index d3393c4..fc53afb 100644
--- a/criu/cr-check.c
+++ b/criu/cr-check.c
@@ -22,7 +22,6 @@
#include <sys/prctl.h>
#include <sched.h>
#include <sys/mount.h>
-#include <linux/aio_abi.h>
#include "../soccr/soccr.h"
@@ -51,6 +50,7 @@
#include "net.h"
#include "restorer.h"
#include "uffd.h"
+#include "aio.h"
static char *feature_name(int (*func)());
diff --git a/criu/include/aio.h b/criu/include/aio.h
index 9a58089..a749c47 100644
--- a/criu/include/aio.h
+++ b/criu/include/aio.h
@@ -1,7 +1,6 @@
#ifndef __CR_AIO_H__
#define __CR_AIO_H__
-#include <linux/aio_abi.h>
#include "images/mm.pb-c.h"
unsigned int aio_estimate_nr_reqs(unsigned int size);
int dump_aio_ring(MmEntry *mme, struct vma_area *vma);
@@ -12,6 +11,78 @@ unsigned long aio_rings_args_size(struct vm_area_list *);
struct task_restore_args;
int prepare_aios(struct pstree_item *t, struct task_restore_args *ta);
+/* copied from linux/fs.h */
+typedef int __bitwise __kernel_rwf_t;
+
+/* copied from linux/aio_abi.h */
+#ifndef COMPEL_SYSCALL_TYPES_H__
+/* The ifndef is needed to avoid a clang compiler error */
+typedef __kernel_ulong_t aio_context_t;
+#endif
+
+enum {
+ IOCB_CMD_PREAD = 0,
+ IOCB_CMD_PWRITE = 1,
+ IOCB_CMD_FSYNC = 2,
+ IOCB_CMD_FDSYNC = 3,
+ /* These two are experimental.
+ * IOCB_CMD_PREADX = 4,
+ * IOCB_CMD_POLL = 5,
+ */
+ IOCB_CMD_NOOP = 6,
+ IOCB_CMD_PREADV = 7,
+ IOCB_CMD_PWRITEV = 8,
+};
+/* read() from /dev/aio returns these structures. */
+struct io_event {
+ __u64 data; /* the data field from the iocb */
+ __u64 obj; /* what iocb this event came from */
+ __s64 res; /* result code for this event */
+ __s64 res2; /* secondary result */
+};
+
+/*
+ * we always use a 64bit off_t when communicating
+ * with userland. its up to libraries to do the
+ * proper padding and aio_error abstraction
+ */
+
+struct iocb {
+ /* these are internal to the kernel/libc. */
+ __u64 aio_data; /* data to be returned in event's data */
+
+#if defined(__BYTE_ORDER) ? __BYTE_ORDER == __LITTLE_ENDIAN : defined(__LITTLE_ENDIAN)
+ __u32 aio_key; /* the kernel sets aio_key to the req # */
+ __kernel_rwf_t aio_rw_flags; /* RWF_* flags */
+#elif defined(__BYTE_ORDER) ? __BYTE_ORDER == __BIG_ENDIAN : defined(__BIG_ENDIAN)
+ __kernel_rwf_t aio_rw_flags; /* RWF_* flags */
+ __u32 aio_key; /* the kernel sets aio_key to the req # */
+#else
+#error edit for your odd byteorder.
+#endif
+
+ /* common fields */
+ __u16 aio_lio_opcode; /* see IOCB_CMD_ above */
+ __s16 aio_reqprio;
+ __u32 aio_fildes;
+
+ __u64 aio_buf;
+ __u64 aio_nbytes;
+ __s64 aio_offset;
+
+ /* extra parameters */
+ __u64 aio_reserved2; /* TODO: use this for a (struct sigevent *) */
+
+ /* flags for the "struct iocb" */
+ __u32 aio_flags;
+
+ /*
+ * if the IOCB_FLAG_RESFD flag of "aio_flags" is set, this is an
+ * eventfd to signal AIO readiness to
+ */
+ __u32 aio_resfd;
+}; /* 64 bytes */
+
struct aio_ring {
unsigned id; /* kernel internal index number */
unsigned nr; /* number of io_events */
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 9b7f6dd..f100213 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -3,7 +3,6 @@
#include <linux/securebits.h>
#include <linux/capability.h>
-#include <linux/aio_abi.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/file.h>
diff --git a/test/zdtm/static/aio01.c b/test/zdtm/static/aio01.c
index f84fd35..4ad29a7 100644
--- a/test/zdtm/static/aio01.c
+++ b/test/zdtm/static/aio01.c
@@ -1,6 +1,5 @@
-#include <linux/aio_abi.h>
+#include <linux/types.h>
#include <sys/syscall.h>
-#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
#include <stdlib.h>
@@ -13,6 +12,77 @@
const char *test_doc = "Check head and tail restore correct";
const char *test_author = "Kirill Tkhai <ktkhai@virtuozzo.com>";
+/* copied from linux/fs.h */
+typedef int __bitwise __kernel_rwf_t;
+
+/* copied from linux/aio_abi.h */
+#ifndef COMPEL_SYSCALL_TYPES_H__
+typedef __kernel_ulong_t aio_context_t;
+#endif
+
+enum {
+ IOCB_CMD_PREAD = 0,
+ IOCB_CMD_PWRITE = 1,
+ IOCB_CMD_FSYNC = 2,
+ IOCB_CMD_FDSYNC = 3,
+ /* These two are experimental.
+ * IOCB_CMD_PREADX = 4,
+ * IOCB_CMD_POLL = 5,
+ */
+ IOCB_CMD_NOOP = 6,
+ IOCB_CMD_PREADV = 7,
+ IOCB_CMD_PWRITEV = 8,
+};
+/* read() from /dev/aio returns these structures. */
+struct io_event {
+ __u64 data; /* the data field from the iocb */
+ __u64 obj; /* what iocb this event came from */
+ __s64 res; /* result code for this event */
+ __s64 res2; /* secondary result */
+};
+
+/*
+ * we always use a 64bit off_t when communicating
+ * with userland. its up to libraries to do the
+ * proper padding and aio_error abstraction
+ */
+
+struct iocb {
+ /* these are internal to the kernel/libc. */
+ __u64 aio_data; /* data to be returned in event's data */
+
+#if defined(__BYTE_ORDER) ? __BYTE_ORDER == __LITTLE_ENDIAN : defined(__LITTLE_ENDIAN)
+ __u32 aio_key; /* the kernel sets aio_key to the req # */
+ __kernel_rwf_t aio_rw_flags; /* RWF_* flags */
+#elif defined(__BYTE_ORDER) ? __BYTE_ORDER == __BIG_ENDIAN : defined(__BIG_ENDIAN)
+ __kernel_rwf_t aio_rw_flags; /* RWF_* flags */
+ __u32 aio_key; /* the kernel sets aio_key to the req # */
+#else
+#error edit for your odd byteorder.
+#endif
+
+ /* common fields */
+ __u16 aio_lio_opcode; /* see IOCB_CMD_ above */
+ __s16 aio_reqprio;
+ __u32 aio_fildes;
+
+ __u64 aio_buf;
+ __u64 aio_nbytes;
+ __s64 aio_offset;
+
+ /* extra parameters */
+ __u64 aio_reserved2; /* TODO: use this for a (struct sigevent *) */
+
+ /* flags for the "struct iocb" */
+ __u32 aio_flags;
+
+ /*
+ * if the IOCB_FLAG_RESFD flag of "aio_flags" is set, this is an
+ * eventfd to signal AIO readiness to
+ */
+ __u32 aio_resfd;
+}; /* 64 bytes */
+
struct aio_ring {
unsigned id; /* kernel internal index number */
unsigned nr; /* number of io_events */

67
SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch Normal file
View File

@ -0,0 +1,67 @@
From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 3 May 2019 06:27:51 +0000
Subject: [PATCH] lsm: fix compiler error 'unused-result'
Reading out the xattr 'security.selinux' of checkpointed sockets with
fscanf() works (at least in theory) without checking the result of
fscanf(). There are, however, multiple CI failures when ignoring the
return value of fscanf().
This adds ferror() to check if the stream has an actual error or if '-1'
just mean EOF.
Handle all errors of fscanf() // Andrei
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/lsm.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index ef6ba112b3..9c9ac7f80e 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
return -1;
if (fscanf(f, "%ms", profile_name) != 1) {
- fclose(f);
pr_perror("err scanfing");
+ fclose(f);
return -1;
}
@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
static int selinux_get_sockcreate_label(pid_t pid, char **output)
{
FILE *f;
+ int ret;
f = fopen_proc(pid, "attr/sockcreate");
if (!f)
return -1;
- fscanf(f, "%ms", output);
- /*
- * No need to check the result of fscanf(). If there is something
- * in /proc/PID/attr/sockcreate it will be copied to *output. If
- * there is nothing it will stay NULL. So whatever fscanf() does
- * it should be correct.
- */
-
+ ret = fscanf(f, "%ms", output);
+ if (ret == -1 && errno != 0) {
+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
+ /*
+ * Only if the error indicator is set it is a real error.
+ * -1 could also be EOF, which would mean that sockcreate
+ * was just empty, which is the most common case.
+ */
+ fclose(f);
+ return -1;
+ }
fclose(f);
return 0;
}

83
SOURCES/27034e7c64b00a1f2467afb5ebb1d5b9b1a06ce1.patch
View File

@ -1,83 +0,0 @@
From 27034e7c64b00a1f2467afb5ebb1d5b9b1a06ce1 Mon Sep 17 00:00:00 2001
From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date: Wed, 11 Jul 2018 13:43:33 +0300
Subject: [PATCH] mount: fix regression where open_mountpoint failed on
readonly fs
If we fail to create temporary directory for doing a clean mount we can
make mount clean reusing the code which enters new mountns to umount
overmounts. As when last process exits mntns all mounts are implicitly
cleaned from children, see in kernel source - sys_exit->do_exit
->exit_task_namespaces->switch_task_namespaces->free_nsproxy
->put_mnt_ns->umount_tree->drop_collected_mounts->umount_tree:
/* Hide the mounts from mnt_mounts */
list_for_each_entry(p, &tmp_list, mnt_list) {
list_del_init(&p->mnt_child);
}
Fixes commit b6cfb1ce2948 ("mount: make open_mountpoint handle overmouts
properly")
https://github.com/checkpoint-restore/criu/issues/520
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Acked-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
criu/mount.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/criu/mount.c b/criu/mount.c
index b56164e953..9cc8f6e940 100644
--- a/criu/mount.c
+++ b/criu/mount.c
@@ -1325,10 +1325,18 @@ int ns_open_mountpoint(void *arg)
if (umount_overmounts(mi))
goto err;
- /* Save fd which we opened for parent due to CLONE_FILES flag */
- *fd = get_clean_fd(mi);
- if (*fd < 0)
+ /*
+ * Save fd which we opened for parent due to CLONE_FILES flag
+ *
+ * Mount can still have children in it, but we don't need to clean it
+ * explicitly as when last process exits mntns all mounts in it are
+ * cleaned from their children, and we are exactly the last process.
+ */
+ *fd = open(mi->mountpoint, O_DIRECTORY|O_RDONLY);
+ if (*fd < 0) {
+ pr_perror("Unable to open %s", mi->mountpoint);
goto err;
+ }
return 0;
err:
@@ -1367,18 +1375,22 @@ int open_mountpoint(struct mount_info *pm)
if (!mnt_is_overmounted(pm)) {
pr_info("\tmount has children %s\n", pm->mountpoint);
-
fd = get_clean_fd(pm);
- if (fd < 0)
- goto err;
- } else {
+ }
+
+ /*
+ * Mount is overmounted or probably we can't create a temporary
+ * direcotry for a cleaned mount
+ */
+ if (fd < 0) {
int pid, status;
struct clone_arg ca = {
.mi = pm,
.fd = &fd
};
- pr_info("\tmount is overmounted %s\n", pm->mountpoint);
+ pr_info("\tmount is overmounted or has children %s\n",
+ pm->mountpoint);
/*
* We are overmounted - not accessible in a regular way. We

834
SOURCES/685.patch Normal file
View File

@ -0,0 +1,834 @@
From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:41:46 +0000
Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
The file /proc/PID/attr/sockcreate is used by SELinux to label newly
created sockets with the label available at sockcreate.
If it is NULL, the default label of the process will be used.
This reads out that file during checkpoint and restores the value during
restore.
This value is irrelevant for existing sockets as they might have been
created with another context. This is only to make sure that newly
created sockets have the correct context.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++
criu/include/restorer.h | 2 ++
criu/lsm.c | 32 ++++++++++++++++++++++++++++++++
criu/pie/restorer.c | 15 ++++++++++-----
images/creds.proto | 1 +
5 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 5fd22e9246..f254cbc0eb 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
if (args->lsm_profile)
args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
+ if (args->lsm_sockcreate)
+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
if (args->groups)
args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
args->mem_lsm_profile_pos = 0;
}
+ if (ce->lsm_sockcreate) {
+ char *rendered = NULL;
+ char *profile;
+
+ profile = ce->lsm_sockcreate;
+
+ if (validate_lsm(profile) < 0)
+ return ERR_PTR(-EINVAL);
+
+ if (profile && render_lsm_profile(profile, &rendered)) {
+ return ERR_PTR(-EINVAL);
+ }
+ if (rendered) {
+ size_t lsm_sockcreate_len;
+ char *lsm_sockcreate;
+
+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
+ lsm_sockcreate_len = strlen(rendered);
+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
+ if (!lsm_sockcreate) {
+ xfree(rendered);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
+ args->lsm_sockcreate = lsm_sockcreate;
+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
+ xfree(rendered);
+ }
+ } else {
+ args->lsm_sockcreate = NULL;
+ args->mem_lsm_sockcreate_pos = 0;
+ }
+
/*
* Zap fields which we can't use.
*/
diff --git a/criu/include/restorer.h b/criu/include/restorer.h
index 2884ce9e6d..b83e9130c5 100644
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -69,8 +69,10 @@ struct thread_creds_args {
unsigned int secbits;
char *lsm_profile;
unsigned int *groups;
+ char *lsm_sockcreate;
unsigned long mem_lsm_profile_pos;
+ unsigned long mem_lsm_sockcreate_pos;
unsigned long mem_groups_pos;
unsigned long mem_pos_next;
diff --git a/criu/lsm.c b/criu/lsm.c
index 849ec37cde..b0ef0c396c 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
freecon(ctx);
return ret;
}
+
+/*
+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
+ * to see if the PID has a special label specified for sockets.
+ * Most of the time this will be empty and the process will use
+ * the process context also for sockets.
+ */
+static int selinux_get_sockcreate_label(pid_t pid, char **output)
+{
+ FILE *f;
+
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+
+ fscanf(f, "%ms", output);
+ /*
+ * No need to check the result of fscanf(). If there is something
+ * in /proc/PID/attr/sockcreate it will be copied to *output. If
+ * there is nothing it will stay NULL. So whatever fscanf() does
+ * it should be correct.
+ */
+
+ fclose(f);
+ return 0;
+}
#endif
void kerndat_lsm(void)
@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
int ret;
ce->lsm_profile = NULL;
+ ce->lsm_sockcreate = NULL;
switch (kdat.lsm) {
case LSMTYPE__NO_LSM:
@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
#ifdef CONFIG_HAS_SELINUX
case LSMTYPE__SELINUX:
ret = selinux_get_label(pid, &ce->lsm_profile);
+ if (ret)
+ break;
+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
break;
#endif
default:
@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
if (ce->lsm_profile)
pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
+ if (ce->lsm_sockcreate)
+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
return ret;
}
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 6e18cc2606..4f42605a09 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
sys_exit_group(1);
}
-static int lsm_set_label(char *label, int procfd)
+static int lsm_set_label(char *label, char *type, int procfd)
{
int ret = -1, len, lsmfd;
char path[STD_LOG_SIMPLE_CHUNK];
@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
if (!label)
return 0;
- pr_info("restoring lsm profile %s\n", label);
+ pr_info("restoring lsm profile (%s) %s\n", type, label);
- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
if (lsmfd < 0) {
@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
* SELinux and instead the process context is set before the
* threads are created.
*/
- if (lsm_set_label(args->lsm_profile, procfd) < 0)
+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
return -1;
}
+
+ /* Also set the sockcreate label for all threads */
+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
+ return -1;
+
return 0;
}
@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
if (args->lsm_type == LSMTYPE__SELINUX) {
/* Only for SELinux */
if (lsm_set_label(args->t->creds_args->lsm_profile,
- args->proc_fd) < 0)
+ "current", args->proc_fd) < 0)
goto core_restore_end;
}
diff --git a/images/creds.proto b/images/creds.proto
index 29fb8652eb..23b84c7e50 100644
--- a/images/creds.proto
+++ b/images/creds.proto
@@ -20,4 +20,5 @@ message creds_entry {
repeated uint32 groups = 14;
optional string lsm_profile = 15;
+ optional string lsm_sockcreate = 16;
}
From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:47:29 +0000
Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
restore
This makes sure that sockcreate stays empty for selinux00 before and
after checkpoint/restore.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
index dd9096a6fc..db8420eacb 100644
--- a/test/zdtm/static/selinux00.c
+++ b/test/zdtm/static/selinux00.c
@@ -83,6 +83,31 @@ int checkprofile()
return 0;
}
+int check_sockcreate()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
test_init(argc, argv);
@@ -95,12 +120,21 @@ int main(int argc, char **argv)
return 0;
}
+ if (check_sockcreate())
+ return -1;
+
if (setprofile())
return -1;
+ if (check_sockcreate())
+ return -1;
+
test_daemon();
test_waitsig();
+ if (check_sockcreate())
+ return -1;
+
if (checkprofile() == 0)
pass();
From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Mon, 29 Apr 2019 15:21:59 +0200
Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
Restoring a SELinux process also requires to correctly label sockets.
During checkpointing fgetxattr() is used to retrieve the
"security.selinux" xattr and during restore setsockcreatecon() is used
before a socket is created.
Previous commits are already restoring the sockcreate SELinux setting if
set by the process.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/include/lsm.h | 18 +++++++++++++++
criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++
criu/sk-inet.c | 12 ++++++++++
criu/sockets.c | 4 ++++
images/fdinfo.proto | 1 +
5 files changed, 91 insertions(+)
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b4fce13039..3b82712829 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -3,6 +3,7 @@
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
int render_lsm_profile(char *profile, char **val);
extern int lsm_check_opts(void);
+
+#ifdef CONFIG_HAS_SELINUX
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
+int run_setsockcreatecon(FdinfoEntry *e);
+int reset_setsockcreatecon();
+#else
+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
+ return 0;
+}
+static inline int run_setsockcreatecon(FdinfoEntry *e) {
+ return 0;
+}
+static inline int reset_setsockcreatecon() {
+ return 0;
+}
+#endif
+
#endif /* __CR_LSM_H__ */
diff --git a/criu/lsm.c b/criu/lsm.c
index b0ef0c396c..ef6ba112b3 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -3,6 +3,7 @@
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <unistd.h>
#include "common/config.h"
@@ -11,10 +12,12 @@
#include "util.h"
#include "cr_options.h"
#include "lsm.h"
+#include "fdstore.h"
#include "protobuf.h"
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#ifdef CONFIG_HAS_SELINUX
#include <selinux/selinux.h>
@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
fclose(f);
return 0;
}
+
+int reset_setsockcreatecon()
+{
+ return setsockcreatecon_raw(NULL);
+}
+
+int run_setsockcreatecon(FdinfoEntry *e)
+{
+ char *ctx = NULL;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+ return setsockcreatecon_raw(ctx);
+}
+
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+{
+ char *ctx = NULL;
+ int len;
+ int ret;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ /* Get the size of the xattr. */
+ len = fgetxattr(fd, "security.selinux", ctx, 0);
+ if (len == -1) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ ctx = xmalloc(len);
+ if (!ctx) {
+ pr_err("xmalloc to read xattr for FD %d failed\n", fd);
+ return -1;
+ }
+
+ ret = fgetxattr(fd, "security.selinux", ctx, len);
+ if (len != ret) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ e->xattr_security_selinux = ctx;
+
+ return 0;
+}
+
#endif
void kerndat_lsm(void)
diff --git a/criu/sk-inet.c b/criu/sk-inet.c
index 60ee4c3155..ca5c9bf2cd 100644
--- a/criu/sk-inet.c
+++ b/criu/sk-inet.c
@@ -23,6 +23,9 @@
#include "files.h"
#include "image.h"
#include "log.h"
+#include "lsm.h"
+#include "kerndat.h"
+#include "pstree.h"
#include "rst-malloc.h"
#include "sockets.h"
#include "sk-inet.h"
@@ -30,6 +33,8 @@
#include "util.h"
#include "namespaces.h"
+#include "images/inventory.pb-c.h"
+
#undef LOG_PREFIX
#define LOG_PREFIX "inet: "
@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
if (set_netns(ie->ns_id))
return -1;
+ if (run_setsockcreatecon(fle->fe))
+ return -1;
+
sk = socket(ie->family, ie->type, ie->proto);
if (sk < 0) {
pr_perror("Can't create inet socket");
return -1;
}
+ if (reset_setsockcreatecon())
+ return -1;
+
if (ie->v6only) {
if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
goto err;
@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
}
*new_fd = sk;
+
return 1;
err:
close(sk);
diff --git a/criu/sockets.c b/criu/sockets.c
index 30072ac737..7f7453ca1d 100644
--- a/criu/sockets.c
+++ b/criu/sockets.c
@@ -22,6 +22,7 @@
#include "util-pie.h"
#include "sk-packet.h"
#include "namespaces.h"
+#include "lsm.h"
#include "net.h"
#include "xmalloc.h"
#include "fs-magic.h"
@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
int family;
const struct fdtype_ops *ops;
+ if (dump_xattr_security_selinux(lfd, e))
+ return -1;
+
if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
return -1;
diff --git a/images/fdinfo.proto b/images/fdinfo.proto
index ed82ceffe7..77e375aa94 100644
--- a/images/fdinfo.proto
+++ b/images/fdinfo.proto
@@ -47,6 +47,7 @@ message fdinfo_entry {
required uint32 flags = 2;
required fd_types type = 3;
required uint32 fd = 4;
+ optional string xattr_security_selinux = 5;
}
message file_entry {
From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 30 Apr 2019 09:47:32 +0000
Subject: [PATCH 4/4] selinux: add socket label test
This adds two more SELinux test to verfy that checkpointing and
restoring SELinux socket labels works correctly, if the process uses
setsockcreatecon() or if the process leaves the default context for
newly created sockets.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/Makefile | 3 +
test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++
test/zdtm/static/selinux01.checkskip | 1 +
test/zdtm/static/selinux01.desc | 1 +
test/zdtm/static/selinux01.hook | 1 +
test/zdtm/static/selinux02.c | 1 +
test/zdtm/static/selinux02.checkskip | 1 +
test/zdtm/static/selinux02.desc | 1 +
test/zdtm/static/selinux02.hook | 1 +
9 files changed, 210 insertions(+)
create mode 100644 test/zdtm/static/selinux01.c
create mode 120000 test/zdtm/static/selinux01.checkskip
create mode 120000 test/zdtm/static/selinux01.desc
create mode 120000 test/zdtm/static/selinux01.hook
create mode 120000 test/zdtm/static/selinux02.c
create mode 120000 test/zdtm/static/selinux02.checkskip
create mode 120000 test/zdtm/static/selinux02.desc
create mode 120000 test/zdtm/static/selinux02.hook
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 8e3f39276a..1ffaa90394 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -211,6 +211,8 @@ TST_NOFILE := \
thp_disable \
pid_file \
selinux00 \
+ selinux01 \
+ selinux02 \
# jobctl00 \
ifneq ($(SRCARCH),arm)
@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
ghost_holes01: CFLAGS += -DTAIL_HOLE
ghost_holes02: CFLAGS += -DHEAD_HOLE
sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE
+selinux02: CFLAGS += -DUSING_SOCKCREATE
stopped01: CFLAGS += -DZDTM_STOPPED_KILL
stopped02: CFLAGS += -DZDTM_STOPPED_TKILL
stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
new file mode 100644
index 0000000000..9966455c47
--- /dev/null
+++ b/test/zdtm/static/selinux01.c
@@ -0,0 +1,200 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/socket.h>
+#include <sys/xattr.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
+
+const char *test_doc = "Check that a SELinux socket context is restored";
+const char *test_author = "Adrian Reber <areber@redhat.com>";
+
+/* This is all based on Tycho's apparmor code */
+
+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
+
+/*
+ * This is used to store the state of SELinux. For this test
+ * SELinux is switched to permissive mode and later the previous
+ * SELinux state is restored.
+ */
+char state;
+
+int check_for_selinux()
+{
+ if (access("/sys/fs/selinux", F_OK) == 0)
+ return 0;
+ return 1;
+}
+
+int setprofile()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/current\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int set_sockcreate()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/sockcreate", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate()
+{
+ int fd;
+ char context[1024];
+ int len;
+
+
+ fd = open("/proc/self/attr/sockcreate", O_RDONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = read(fd, context, strlen(CONTEXT));
+ close(fd);
+ if (len != strlen(CONTEXT)) {
+ fail("SELinux context has unexpected length %d, expected %zd\n",
+ len, strlen(CONTEXT));
+ return -1;
+ }
+
+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate_empty()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ char ctx[1024];
+ test_init(argc, argv);
+
+ if (check_for_selinux()) {
+ skip("SELinux not found on this system.");
+ test_daemon();
+ test_waitsig();
+ pass();
+ return 0;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (set_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+
+ if (setprofile())
+ return -1;
+
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ /* Open our test socket */
+ int sk = socket(AF_INET, SOCK_STREAM, 0);
+ memset(ctx, 0, 1024);
+ /* Read out the socket label */
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+ memset(ctx, 0, 1024);
+
+ test_daemon();
+ test_waitsig();
+
+ /* Read out the socket label again */
+
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (check_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ pass();
+
+ return 0;
+}
diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
new file mode 120000
index 0000000000..e8a172479e
--- /dev/null
+++ b/test/zdtm/static/selinux01.checkskip
@@ -0,0 +1 @@
+selinux00.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
new file mode 120000
index 0000000000..2d2961a764
--- /dev/null
+++ b/test/zdtm/static/selinux01.desc
@@ -0,0 +1 @@
+selinux00.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
new file mode 120000
index 0000000000..dd7ed6bb33
--- /dev/null
+++ b/test/zdtm/static/selinux01.hook
@@ -0,0 +1 @@
+selinux00.hook
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
new file mode 120000
index 0000000000..5702677858
--- /dev/null
+++ b/test/zdtm/static/selinux02.c
@@ -0,0 +1 @@
+selinux01.c
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
new file mode 120000
index 0000000000..2696e6e3de
--- /dev/null
+++ b/test/zdtm/static/selinux02.checkskip
@@ -0,0 +1 @@
+selinux01.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
new file mode 120000
index 0000000000..9c6802c4da
--- /dev/null
+++ b/test/zdtm/static/selinux02.desc
@@ -0,0 +1 @@
+selinux01.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
new file mode 120000
index 0000000000..e3ea0a6c80
--- /dev/null
+++ b/test/zdtm/static/selinux02.hook
@@ -0,0 +1 @@
+selinux01.hook
\ No newline at end of file

44
SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch Normal file
View File

@ -0,0 +1,44 @@
From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@gmail.com>
Date: Sat, 4 May 2019 20:01:52 -0700
Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
Fixes #693
---
criu/lsm.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 9c9ac7f80e..5921138392 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
int reset_setsockcreatecon()
{
- return setsockcreatecon_raw(NULL);
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ if (setsockcreatecon_raw(NULL)) {
+ pr_perror("Unable to reset socket SELinux context");
+ return -1;
+ }
+ return 0;
}
int run_setsockcreatecon(FdinfoEntry *e)
@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
ctx = e->xattr_security_selinux;
/* Writing to the FD using fsetxattr() did not work for some reason. */
- return setsockcreatecon_raw(ctx);
+ if (setsockcreatecon_raw(ctx)) {
+ pr_perror("Unable to set the %s socket SELinux context", ctx);
+ return -1;
+ }
+ return 0;
}
int dump_xattr_security_selinux(int fd, FdinfoEntry *e)

40
SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch Normal file
View File

@ -0,0 +1,40 @@
From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Sat, 4 May 2019 15:27:32 +0200
Subject: [PATCH] lsm: fix compiler error on Fedora 30
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes following compiler error:
criu/lsm.c: In function dump_xattr_security_selinux:
criu/include/log.h:51:2: error: %s directive argument is null [-Werror=format-overflow=]
51 | print_on_level(LOG_ERROR, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
52 | "Error (%s:%d): " LOG_PREFIX fmt, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53 | __FILE__, __LINE__, ##__VA_ARGS__)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
criu/lsm.c:166:3: note: in expansion of macro pr_err
166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
| ^~~~~~
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 5921138392..420585ba4f 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
/* Get the size of the xattr. */
len = fgetxattr(fd, "security.selinux", ctx, 0);
if (len == -1) {
- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
return -1;
}

58
SOURCES/c321cc07607cfe4215fc90e426ae4491fca4c49c.patch
View File

@ -1,58 +0,0 @@
From c321cc07607cfe4215fc90e426ae4491fca4c49c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 22 Nov 2018 13:44:03 +0000
Subject: [PATCH] Fix kerndat_link_nsid() on systems with more than 10
interfaces
On a system with more than 10 network interfaces the link_nsid check
fails:
$ criu check --feature link_nsid
Warn (criu/cr-check.c:1237): NSID isn't supported
The function kerndat_link_nsid() uses:
nde.ifindex = 10;
This fails as there is already an interface with ifindex 10.
This patch moves the creation of the socket into the second network
namespace and the feature check succeeds.
Suggested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/net.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/criu/net.c b/criu/net.c
index ec66d1e6c3..c1a6e3094f 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -3148,12 +3148,6 @@ int kerndat_link_nsid()
};
int nsfd, sk, ret;
- sk = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
- if (sk < 0) {
- pr_perror("Unable to create a netlink socket");
- exit(1);
- }
-
if (unshare(CLONE_NEWNET)) {
pr_perror("Unable create a network namespace");
exit(1);
@@ -3168,6 +3162,12 @@ int kerndat_link_nsid()
exit(1);
}
+ sk = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ if (sk < 0) {
+ pr_perror("Unable to create a netlink socket");
+ exit(1);
+ }
+
nde.type = ND_TYPE__VETH;
nde.name = "veth";
nde.ifindex = 10;

33
SOURCES/f44f8ef6e4d594bd74c041e25261bf275e52621b.patch
View File

@ -1,33 +0,0 @@
From f44f8ef6e4d594bd74c041e25261bf275e52621b Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 29 Nov 2018 09:24:01 +0000
Subject: [PATCH] Do not lock network if running in the host network namespace
Related: https://github.com/checkpoint-restore/criu/issues/577
Restoring a runc container which is running in the host's network
namespace locked the network (iptables-restore) without unlocking it.
This disables network logging if running in the host's network
namespace.
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/cr-restore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 6086d65238..d8fe352a63 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2135,7 +2135,7 @@ static int restore_root_task(struct pstree_item *init)
goto out_kill;
}
- if (opts.empty_ns & CLONE_NEWNET) {
+ if (root_ns_mask & opts.empty_ns & CLONE_NEWNET) {
/*
* Local TCP connections were locked by network_lock_internal()
* on dump and normally should have been C/R-ed by respectively

81
SPECS/criu.spec
View File

@ -1,7 +1,9 @@
%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
%global py_prefix python3
%global py_binary %{py_prefix}
%else
%global py_prefix python
%global py_binary python2
%endif
# With annobin enabled, CRIU does not work anymore. It seems CRIU's
@ -9,23 +11,19 @@
%undefine _annotated_build
Name: criu
Version: 3.10
Release: 7%{?dist}
Version: 3.12
Release: 9%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
Group: System Environment/Base
License: GPLv2
URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
# https://patchwork.criu.org/patch/8849/mbox/
Patch1: 1-2-Fix-building-with-4.18.patch
# Fixes errors with read-only runc
Patch2: https://github.com/checkpoint-restore/criu/commit/27034e7c64b00a1f2467afb5ebb1d5b9b1a06ce1.patch
# Do not lock network if running in the host network namespace
Patch3: https://github.com/checkpoint-restore/criu/commit/f44f8ef6e4d594bd74c041e25261bf275e52621b.patch
# Fix 'criu check --feature link_nsid' with more than 10 interfaces
Patch4: https://github.com/checkpoint-restore/criu/commit/c321cc07607cfe4215fc90e426ae4491fca4c49c.patch
Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: perl
@ -47,8 +45,12 @@ BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel l
%if 0%{?fedora} || 0%{?rhel} > 7
BuildRequires: asciidoc xmlto
BuildRequires: perl-interpreter
BuildRequires: libselinux-devel
# Checkpointing containers with a tmpfs requires tar
Recommends: tar
%if 0%{?fedora}
BuildRequires: libbsd-devel
%endif
%endif
# user-space and kernel changes are only available for x86_64, arm,
@ -61,20 +63,25 @@ criu is the user-space part of Checkpoint/Restore in User-space
(CRIU), a project to implement checkpoint/restore functionality for
Linux in user-space.
%if 0%{?fedora} || 0%{?rhel} > 7
%if 0%{?fedora}
%package devel
Summary: Header files and libraries for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
This package contains header files and libraries for %{name}.
%package libs
Summary: Libraries for %{name}
Requires: %{name} = %{version}-%{release}
%description libs
This package contains the libraries for %{name}
%endif
%package -n %{py_prefix}-%{name}
%{?python_provide:%python_provide %{py_prefix}-%{name}}
Summary: Python bindings for %{name}
Group: Development/Languages
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: protobuf-python
Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
@ -97,10 +104,10 @@ their content in human-readable form.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%if 0%{?rhel} && 0%{?rhel} <= 7
%patch100 -p1
@ -109,7 +116,7 @@ their content in human-readable form.
%build
# %{?_smp_mflags} does not work
# -fstack-protector breaks build
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_prefix}
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
make docs V=1
%endif
@ -117,7 +124,7 @@ make docs V=1
%install
make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_prefix}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
# only install documentation on Fedora as it requires asciidoc,
# which is not available on RHEL7
@ -131,32 +138,32 @@ mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}/run/%{name}/
%if 0%{?rhel} && 0%{?rhel} <= 7
# remove devel package
%if 0%{?rhel}
# remove devel and libs packages
rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
rm $RPM_BUILD_ROOT%{_libdir}/*.so*
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%endif
%ldconfig_scriptlets
%files
%{_sbindir}/%{name}
%doc %{_mandir}/man8/criu.8*
%if 0%{?fedora} || 0%{?rhel} > 7
%{_libdir}/*.so.*
%if 0%{?fedora}
%{_libexecdir}/%{name}
%endif
%dir /run/%{name}
%{_tmpfilesdir}/%{name}.conf
%doc README.md COPYING
%if 0%{?fedora} || 0%{?rhel} > 7
%if 0%{?fedora}
%files devel
%{_includedir}/criu
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files libs
%{_libdir}/*.so.*
%endif
%files -n %{py_prefix}-%{name}
@ -174,6 +181,32 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%changelog
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
- Added additional fixup patches for the socket labelling
* Sat May 04 2019 Adrian Reber <adrian@lisas.de> - 3.12-8
- Patch for socket labelling has changed upstream
* Mon Apr 29 2019 Adrian Reber <adrian@lisas.de> - 3.12-4
- Applied patch to correctly restore socket()s
* Sat Apr 27 2019 Adrian Reber <adrian@lisas.de> - 3.12-3
- Correctly exclude libs and devel for RHEL
* Thu Apr 25 2019 Adrian Reber <adrian@lisas.de> - 3.12-2
- Updated to official 3.12
* Tue Apr 23 2019 Adrian Reber <adrian@lisas.de> - 3.12-0.1
- Updated to 3.12 (pre-release)
- Create libs subpackage
- Build against SELinux (Fedora and RHEL8)
- Build against libbsd (Fedora)
* Thu Feb 14 2019 Adrian Reber <areber@redhat.com> - 3.11-2
- Updated to 3.11
- Removed upstreamed patches
- Added patch for gcc-9
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-7
- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442)