From c55b77d1a895a1c8cf6a605369e6f73ccb51c1ba Mon Sep 17 00:00:00 2001 From: James Antill Date: Mon, 20 Feb 2023 01:56:04 -0500 Subject: [PATCH] Import rpm: 401e1c09551c4ab1b4499e7c3e84b725b1475806 --- .gitignore | 1 + 0001-Fix-building-with-annobin.patch | 57 ++ ...cb90b63bce841376140a7a80107e5ec1e1a8.patch | 67 ++ 685.patch | 834 ++++++++++++++++++ ...0c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch | 44 + ...e3903c78ba5d243b4176e82bf4b82342cb6a.patch | 40 + criu-tmpfiles.conf | 1 + criu.pc.patch | 27 + criu.spec | 521 +++++++++++ gating.yaml | 6 + rpminspect.yaml | 4 + sources | 1 + tests/run-podman-checkpoint-restore.sh | 32 + tests/run-zdtm.sh | 63 ++ tests/tests.yml | 35 + 15 files changed, 1733 insertions(+) create mode 100644 .gitignore create mode 100644 0001-Fix-building-with-annobin.patch create mode 100644 1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch create mode 100644 685.patch create mode 100644 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch create mode 100644 b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch create mode 100644 criu-tmpfiles.conf create mode 100644 criu.pc.patch create mode 100644 criu.spec create mode 100644 gating.yaml create mode 100644 rpminspect.yaml create mode 100644 sources create mode 100755 tests/run-podman-checkpoint-restore.sh create mode 100755 tests/run-zdtm.sh create mode 100644 tests/tests.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d9f1e8d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/criu-3.12.tar.bz2 diff --git a/0001-Fix-building-with-annobin.patch b/0001-Fix-building-with-annobin.patch new file mode 100644 index 0000000..9083f83 --- /dev/null +++ b/0001-Fix-building-with-annobin.patch 
@@ -0,0 +1,57 @@
+From 4878775c8e0f2ea6869aff139d219f6eb0c4006c Mon Sep 17 00:00:00 2001
+From: Adrian Reber
+Date: Fri, 28 Jan 2022 15:10:31 +0000
+Subject: [PATCH] Fix building with annobin
+
+Annobin (used at least in Fedora and RHEL) injects annotation into the
+compiled objects which break the parasite and restorer.
+
+This removes the annobin flags as used in Fedora and RHEL and makes CRIU
+work on Fedora and RHEL with annobin enabled.
+
+Signed-off-by: Adrian Reber
+---
+ compel/plugins/Makefile | 2 +-
+ criu/pie/Makefile | 2 +-
+ criu/pie/Makefile.library | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/compel/plugins/Makefile b/compel/plugins/Makefile
+index e5fa781ac..37630d438 100644
+--- a/compel/plugins/Makefile
++++ b/compel/plugins/Makefile
+@@ -1,4 +1,4 @@
+-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
++CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
+ CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0
+ CFLAGS += -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=0
+
+diff --git a/criu/pie/Makefile b/criu/pie/Makefile
+index 265dcf82b..386626334 100644
+--- a/criu/pie/Makefile
++++ b/criu/pie/Makefile
+@@ -4,7 +4,7 @@
+
+ target := parasite restorer
+
+-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
++CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
+ CFLAGS += $(CFLAGS_PIE)
+ ccflags-y += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0
+ ccflags-y += -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=0
+diff --git a/criu/pie/Makefile.library b/criu/pie/Makefile.library
+index da2a2fab3..6247afe7e 100644
+--- a/criu/pie/Makefile.library
++++ b/criu/pie/Makefile.library
+@@ -21,7 +21,7 @@ ifeq ($(ARCH),arm)
+ lib-y += ./$(ARCH_DIR)/pie-cacheflush.o
+ endif
+
+-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
++CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
+ CFLAGS += $(CFLAGS_PIE)
+
+ ifeq ($(ARCH),mips)
+--
+2.34.1
+
diff --git a/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
new file mode 100644
index 0000000..3b2fbd8
--- /dev/null
+++ b/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
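Review bot: The `filter-out` added to all three Makefiles drops only the literal token `-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1`, so on a build where the distribution injects annobin from another path or via a different flag nothing is filtered and the parasite/restorer objects still receive the annotations the commit message says break them, with no error from make to show it. A GNU make pattern keeps the intent and tolerates a relocated specs file: `CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=%redhat-annobin-cc1,$(CFLAGS))`. The surrounding context lines also force `_FORTIFY_SOURCE=0` for these same objects, so this hunk widens a deliberate hardening exception; a comment above the filter such as `# parasite/restorer objects: no annobin or fortify instrumentation, it breaks the injected blobs` would keep a later cleanup from reverting it. The criu.spec in this same import also carries `%undefine _annotated_build`, which presumably makes this filter a belt-and-braces measure rather than the primary control.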
@@ -0,0 +1,67 @@
+From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
+From: Adrian Reber
+Date: Fri, 3 May 2019 06:27:51 +0000
+Subject: [PATCH] lsm: fix compiler error 'unused-result'
+
+Reading out the xattr 'security.selinux' of checkpointed sockets with
+fscanf() works (at least in theory) without checking the result of
+fscanf(). There are, however, multiple CI failures when ignoring the
+return value of fscanf().
+
+This adds ferror() to check if the stream has an actual error or if '-1'
+just mean EOF.
+
+Handle all errors of fscanf() // Andrei
+
+Signed-off-by: Adrian Reber
+Signed-off-by: Andrei Vagin
+---
+ criu/lsm.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index ef6ba112b3..9c9ac7f80e 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
+ return -1;
+
+ if (fscanf(f, "%ms", profile_name) != 1) {
+- fclose(f);
+ pr_perror("err scanfing");
++ fclose(f);
+ return -1;
+ }
+
+@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
+ static int selinux_get_sockcreate_label(pid_t pid, char **output)
+ {
+ FILE *f;
++ int ret;
+
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+
+- fscanf(f, "%ms", output);
+- /*
+- * No need to check the result of fscanf(). If there is something
+- * in /proc/PID/attr/sockcreate it will be copied to *output. If
+- * there is nothing it will stay NULL. So whatever fscanf() does
+- * it should be correct.
+- */
+-
++ ret = fscanf(f, "%ms", output);
++ if (ret == -1 && errno != 0) {
++ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
++ /*
++ * Only if the error indicator is set it is a real error.
++ * -1 could also be EOF, which would mean that sockcreate
++ * was just empty, which is the most common case.
++ */
++ fclose(f);
++ return -1;
++ }
+ fclose(f);
+ return 0;
+ }
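Review bot: The new `if (ret == -1 && errno != 0)` in `selinux_get_sockcreate_label` never clears errno before the `fscanf()`, so a stale errno left behind by any earlier failed-but-handled call turns the common "sockcreate is empty" EOF case into a spurious dump error. The commit message says it adds `ferror()`, which is the right discriminator and does not depend on errno at all: `if (ret == -1 && ferror(f)) {`. If the errno test is kept instead, put `errno = 0;` immediately before the `fscanf()` call. Keep `pr_perror()` ahead of `fclose()` as the hunk already does, since `fclose()` may overwrite errno.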
diff --git a/685.patch b/685.patch new file mode 100644 index 0000000..30e1728 --- /dev/null +++ b/685.patch 
@@ -0,0 +1,834 @@ +From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Thu, 2 May 2019 13:41:46 +0000 +Subject: [PATCH 1/4] lsm: also dump and restore sockcreate + +The file /proc/PID/attr/sockcreate is used by SELinux to label newly +created sockets with the label available at sockcreate. + +If it is NULL, the default label of the process will be used. + +This reads out that file during checkpoint and restores the value during +restore. + +This value is irrelevant for existing sockets as they might have been +created with another context. This is only to make sure that newly +created sockets have the correct context. + +Signed-off-by: Adrian Reber +--- + criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++ + criu/include/restorer.h | 2 ++ + criu/lsm.c | 32 ++++++++++++++++++++++++++++++++ + criu/pie/restorer.c | 15 ++++++++++----- + images/creds.proto | 1 + + 5 files changed, 81 insertions(+), 5 deletions(-) + +diff --git a/criu/cr-restore.c b/criu/cr-restore.c +index 5fd22e9246..f254cbc0eb 100644 +--- a/criu/cr-restore.c ++++ b/criu/cr-restore.c +@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args, + + if (args->lsm_profile) + args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE); ++ if (args->lsm_sockcreate) ++ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE); + if (args->groups) + args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE); + +@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos) + args->mem_lsm_profile_pos = 0; + } + ++ if (ce->lsm_sockcreate) { ++ char *rendered = NULL; ++ char *profile; ++ ++ profile = ce->lsm_sockcreate; ++ ++ if (validate_lsm(profile) < 0) ++ return ERR_PTR(-EINVAL); ++ ++ if (profile && render_lsm_profile(profile, &rendered)) { ++ return ERR_PTR(-EINVAL); ++ } ++ if (rendered) { ++ size_t lsm_sockcreate_len; ++ char *lsm_sockcreate; ++ ++ 
args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE); ++ lsm_sockcreate_len = strlen(rendered); ++ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE); ++ if (!lsm_sockcreate) { ++ xfree(rendered); ++ return ERR_PTR(-ENOMEM); ++ } ++ ++ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE); ++ args->lsm_sockcreate = lsm_sockcreate; ++ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len); ++ xfree(rendered); ++ } ++ } else { ++ args->lsm_sockcreate = NULL; ++ args->mem_lsm_sockcreate_pos = 0; ++ } ++ + /* + * Zap fields which we can't use. + */ +diff --git a/criu/include/restorer.h b/criu/include/restorer.h +index 2884ce9e6d..b83e9130c5 100644 +--- a/criu/include/restorer.h ++++ b/criu/include/restorer.h +@@ -69,8 +69,10 @@ struct thread_creds_args { + unsigned int secbits; + char *lsm_profile; + unsigned int *groups; ++ char *lsm_sockcreate; + + unsigned long mem_lsm_profile_pos; ++ unsigned long mem_lsm_sockcreate_pos; + unsigned long mem_groups_pos; + + unsigned long mem_pos_next; +diff --git a/criu/lsm.c b/criu/lsm.c +index 849ec37cde..b0ef0c396c 100644 +--- a/criu/lsm.c ++++ b/criu/lsm.c +@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output) + freecon(ctx); + return ret; + } ++ ++/* ++ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate ++ * to see if the PID has a special label specified for sockets. ++ * Most of the time this will be empty and the process will use ++ * the process context also for sockets. ++ */ ++static int selinux_get_sockcreate_label(pid_t pid, char **output) ++{ ++ FILE *f; ++ ++ f = fopen_proc(pid, "attr/sockcreate"); ++ if (!f) ++ return -1; ++ ++ fscanf(f, "%ms", output); ++ /* ++ * No need to check the result of fscanf(). If there is something ++ * in /proc/PID/attr/sockcreate it will be copied to *output. If ++ * there is nothing it will stay NULL. So whatever fscanf() does ++ * it should be correct. 
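Review bot: In the new `ce->lsm_sockcreate` branch of `rst_prep_creds_args`, `strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len)` copies exactly `strlen(rendered)` bytes into a `len + 1` allocation and never writes the terminator, so the string the restorer later writes to `attr/sockcreate` is NUL-terminated only if `rst_mem_alloc()` returns zeroed memory, which this hunk does not show. `memcpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len + 1);` makes the terminator explicit; if the `lsm_profile` branch above (outside the hunk) uses the same `strncpy`, it carries the same dependency. The `profile &&` in `if (profile && render_lsm_profile(profile, &rendered))` is dead, because `profile` is `ce->lsm_sockcreate`, which the enclosing `if` has already tested. `rst_prep_creds_args` begins and ends outside the hunk.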
++ */ ++ ++ fclose(f); ++ return 0; ++} + #endif + + void kerndat_lsm(void) +@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) + int ret; + + ce->lsm_profile = NULL; ++ ce->lsm_sockcreate = NULL; + + switch (kdat.lsm) { + case LSMTYPE__NO_LSM: +@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) + #ifdef CONFIG_HAS_SELINUX + case LSMTYPE__SELINUX: + ret = selinux_get_label(pid, &ce->lsm_profile); ++ if (ret) ++ break; ++ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate); + break; + #endif + default: +@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) + + if (ce->lsm_profile) + pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile); ++ if (ce->lsm_sockcreate) ++ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate); + + return ret; + } +diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c +index 6e18cc2606..4f42605a09 100644 +--- a/criu/pie/restorer.c ++++ b/criu/pie/restorer.c +@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data) + sys_exit_group(1); + } + +-static int lsm_set_label(char *label, int procfd) ++static int lsm_set_label(char *label, char *type, int procfd) + { + int ret = -1, len, lsmfd; + char path[STD_LOG_SIMPLE_CHUNK]; +@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd) + if (!label) + return 0; + +- pr_info("restoring lsm profile %s\n", label); ++ pr_info("restoring lsm profile (%s) %s\n", type, label); + +- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid()); ++ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type); + + lsmfd = sys_openat(procfd, path, O_WRONLY, 0); + if (lsmfd < 0) { +@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd, + * SELinux and instead the process context is set before the + * threads are created. 
+ */ +- if (lsm_set_label(args->lsm_profile, procfd) < 0) ++ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0) + return -1; + } ++ ++ /* Also set the sockcreate label for all threads */ ++ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0) ++ return -1; ++ + return 0; + } + +@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args) + if (args->lsm_type == LSMTYPE__SELINUX) { + /* Only for SELinux */ + if (lsm_set_label(args->t->creds_args->lsm_profile, +- args->proc_fd) < 0) ++ "current", args->proc_fd) < 0) + goto core_restore_end; + } + +diff --git a/images/creds.proto b/images/creds.proto +index 29fb8652eb..23b84c7e50 100644 +--- a/images/creds.proto ++++ b/images/creds.proto +@@ -20,4 +20,5 @@ message creds_entry { + repeated uint32 groups = 14; + + optional string lsm_profile = 15; ++ optional string lsm_sockcreate = 16; + } + +From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Thu, 2 May 2019 13:47:29 +0000 +Subject: [PATCH 2/4] test: Verify that sockcreate does not change during + restore + +This makes sure that sockcreate stays empty for selinux00 before and +after checkpoint/restore. 
+ +Signed-off-by: Adrian Reber +--- + test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c +index dd9096a6fc..db8420eacb 100644 +--- a/test/zdtm/static/selinux00.c ++++ b/test/zdtm/static/selinux00.c +@@ -83,6 +83,31 @@ int checkprofile() + return 0; + } + ++int check_sockcreate() ++{ ++ char *output = NULL; ++ FILE *f = fopen("/proc/self/attr/sockcreate", "r"); ++ int ret = fscanf(f, "%ms", &output); ++ fclose(f); ++ ++ if (ret >= 1) { ++ free(output); ++ /* sockcreate should be empty, if fscanf found something ++ * it is wrong.*/ ++ fail("sockcreate should be empty\n"); ++ return -1; ++ } ++ ++ if (output) { ++ free(output); ++ /* Same here, output should still be NULL. */ ++ fail("sockcreate should be empty\n"); ++ return -1; ++ } ++ ++ return 0; ++} ++ + int main(int argc, char **argv) + { + test_init(argc, argv); +@@ -95,12 +120,21 @@ int main(int argc, char **argv) + return 0; + } + ++ if (check_sockcreate()) ++ return -1; ++ + if (setprofile()) + return -1; + ++ if (check_sockcreate()) ++ return -1; ++ + test_daemon(); + test_waitsig(); + ++ if (check_sockcreate()) ++ return -1; ++ + if (checkprofile() == 0) + pass(); + + +From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Mon, 29 Apr 2019 15:21:59 +0200 +Subject: [PATCH 3/4] sockets: dump and restore xattr security labels + +Restoring a SELinux process also requires to correctly label sockets. + +During checkpointing fgetxattr() is used to retrieve the +"security.selinux" xattr and during restore setsockcreatecon() is used +before a socket is created. + +Previous commits are already restoring the sockcreate SELinux setting if +set by the process. 
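Review bot: `check_sockcreate()` in selinux00.c hands the `fopen()` result straight to `fscanf()`, so if /proc/self/attr/sockcreate cannot be opened (the existing `check_for_selinux()` guard only tests for /sys/fs/selinux) the test dereferences a NULL `FILE *` instead of reporting a failure; add `if (!f) { fail("Could not open /proc/self/attr/sockcreate\n"); return -1; }` before the `fscanf()`. `main()` ends outside the hunk.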
+ +Signed-off-by: Adrian Reber +--- + criu/include/lsm.h | 18 +++++++++++++++ + criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ + criu/sk-inet.c | 12 ++++++++++ + criu/sockets.c | 4 ++++ + images/fdinfo.proto | 1 + + 5 files changed, 91 insertions(+) + +diff --git a/criu/include/lsm.h b/criu/include/lsm.h +index b4fce13039..3b82712829 100644 +--- a/criu/include/lsm.h ++++ b/criu/include/lsm.h +@@ -3,6 +3,7 @@ + + #include "images/inventory.pb-c.h" + #include "images/creds.pb-c.h" ++#include "images/fdinfo.pb-c.h" + + #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor" + +@@ -34,4 +35,21 @@ int validate_lsm(char *profile); + int render_lsm_profile(char *profile, char **val); + + extern int lsm_check_opts(void); ++ ++#ifdef CONFIG_HAS_SELINUX ++int dump_xattr_security_selinux(int fd, FdinfoEntry *e); ++int run_setsockcreatecon(FdinfoEntry *e); ++int reset_setsockcreatecon(); ++#else ++static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) { ++ return 0; ++} ++static inline int run_setsockcreatecon(FdinfoEntry *e) { ++ return 0; ++} ++static inline int reset_setsockcreatecon() { ++ return 0; ++} ++#endif ++ + #endif /* __CR_LSM_H__ */ +diff --git a/criu/lsm.c b/criu/lsm.c +index b0ef0c396c..ef6ba112b3 100644 +--- a/criu/lsm.c ++++ b/criu/lsm.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + #include + + #include "common/config.h" +@@ -11,10 +12,12 @@ + #include "util.h" + #include "cr_options.h" + #include "lsm.h" ++#include "fdstore.h" + + #include "protobuf.h" + #include "images/inventory.pb-c.h" + #include "images/creds.pb-c.h" ++#include "images/fdinfo.pb-c.h" + + #ifdef CONFIG_HAS_SELINUX + #include +@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output) + fclose(f); + return 0; + } ++ ++int reset_setsockcreatecon() ++{ ++ return setsockcreatecon_raw(NULL); ++} ++ ++int run_setsockcreatecon(FdinfoEntry *e) ++{ ++ char *ctx = NULL; ++ ++ /* Currently this only works for SELinux. 
*/ ++ if (kdat.lsm != LSMTYPE__SELINUX) ++ return 0; ++ ++ ctx = e->xattr_security_selinux; ++ /* Writing to the FD using fsetxattr() did not work for some reason. */ ++ return setsockcreatecon_raw(ctx); ++} ++ ++int dump_xattr_security_selinux(int fd, FdinfoEntry *e) ++{ ++ char *ctx = NULL; ++ int len; ++ int ret; ++ ++ /* Currently this only works for SELinux. */ ++ if (kdat.lsm != LSMTYPE__SELINUX) ++ return 0; ++ ++ /* Get the size of the xattr. */ ++ len = fgetxattr(fd, "security.selinux", ctx, 0); ++ if (len == -1) { ++ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); ++ return -1; ++ } ++ ++ ctx = xmalloc(len); ++ if (!ctx) { ++ pr_err("xmalloc to read xattr for FD %d failed\n", fd); ++ return -1; ++ } ++ ++ ret = fgetxattr(fd, "security.selinux", ctx, len); ++ if (len != ret) { ++ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); ++ return -1; ++ } ++ ++ e->xattr_security_selinux = ctx; ++ ++ return 0; ++} ++ + #endif + + void kerndat_lsm(void) +diff --git a/criu/sk-inet.c b/criu/sk-inet.c +index 60ee4c3155..ca5c9bf2cd 100644 +--- a/criu/sk-inet.c ++++ b/criu/sk-inet.c +@@ -23,6 +23,9 @@ + #include "files.h" + #include "image.h" + #include "log.h" ++#include "lsm.h" ++#include "kerndat.h" ++#include "pstree.h" + #include "rst-malloc.h" + #include "sockets.h" + #include "sk-inet.h" +@@ -30,6 +33,8 @@ + #include "util.h" + #include "namespaces.h" + ++#include "images/inventory.pb-c.h" ++ + #undef LOG_PREFIX + #define LOG_PREFIX "inet: " + +@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd) + if (set_netns(ie->ns_id)) + return -1; + ++ if (run_setsockcreatecon(fle->fe)) ++ return -1; ++ + sk = socket(ie->family, ie->type, ie->proto); + if (sk < 0) { + pr_perror("Can't create inet socket"); + return -1; + } + ++ if (reset_setsockcreatecon()) ++ return -1; ++ + if (ie->v6only) { + if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1) + goto err; +@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int 
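Review bot: `dump_xattr_security_selinux` leaks `ctx` on the `len != ret` error path, returning `-1` without `xfree(ctx)`. It also stores the raw xattr bytes as a protobuf string that `run_setsockcreatecon` later hands to `setsockcreatecon_raw()`, but `fgetxattr()` does not promise a trailing NUL and whether the kernel includes one in `security.selinux` is not something this code can rely on; allocate with `ctx = xmalloc(len + 1);`, add `xfree(ctx);` before the error return, and set `ctx[len] = '\0';` after the second `fgetxattr()`. The first `pr_err` still formats the not-yet-assigned `ctx` with `%s`; the later b9e9e390 patch in this import rewrites that message.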
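Review bot: `open_inet_sk` passes `fle->fe->xattr_security_selinux` from the image straight into `setsockcreatecon_raw()` with no validation, whereas the process-level `lsm_sockcreate` label added by the same series goes through `validate_lsm()` and `render_lsm_profile()` before it is restored; a stale or hand-edited image field therefore reaches the kernel unchecked, with SELinux policy as the only thing between it and a mislabeled socket. Applying the same `validate_lsm()` check here, or a comment giving the reason the per-socket label is exempt, would make the two paths consistent. Separately, when `socket()` fails the function returns before `reset_setsockcreatecon()`, so the creation label stays set on the restoring task even if restore carries on; call `reset_setsockcreatecon()` right after `socket()` regardless of its result, keep the return value, and `goto err` once `sk` has been checked. `open_inet_sk` starts outside the hunk.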
*new_fd) + } + + *new_fd = sk; ++ + return 1; + err: + close(sk); +diff --git a/criu/sockets.c b/criu/sockets.c +index 30072ac737..7f7453ca1d 100644 +--- a/criu/sockets.c ++++ b/criu/sockets.c +@@ -22,6 +22,7 @@ + #include "util-pie.h" + #include "sk-packet.h" + #include "namespaces.h" ++#include "lsm.h" + #include "net.h" + #include "xmalloc.h" + #include "fs-magic.h" +@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e) + int family; + const struct fdtype_ops *ops; + ++ if (dump_xattr_security_selinux(lfd, e)) ++ return -1; ++ + if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family)) + return -1; + +diff --git a/images/fdinfo.proto b/images/fdinfo.proto +index ed82ceffe7..77e375aa94 100644 +--- a/images/fdinfo.proto ++++ b/images/fdinfo.proto +@@ -47,6 +47,7 @@ message fdinfo_entry { + required uint32 flags = 2; + required fd_types type = 3; + required uint32 fd = 4; ++ optional string xattr_security_selinux = 5; + } + + message file_entry { + +From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Tue, 30 Apr 2019 09:47:32 +0000 +Subject: [PATCH 4/4] selinux: add socket label test + +This adds two more SELinux test to verfy that checkpointing and +restoring SELinux socket labels works correctly, if the process uses +setsockcreatecon() or if the process leaves the default context for +newly created sockets. 
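Review bot: `dump_socket()` now calls `dump_xattr_security_selinux()` for every socket family it handles, but the only restore-side consumer in this series is `open_inet_sk()`, so unix, netlink and packet sockets get an `xattr_security_selinux` in their fdinfo that is silently dropped on restore. Moving the call after the `dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family)` lookup and gating it on `family == AF_INET || family == AF_INET6` would keep the image honest until the other `open_*_sk` paths honor the label. The hard `return -1` also aborts the whole dump for any socket whose xattr cannot be read; if some family or namespace can legitimately lack the attribute (ENODATA/ENOTSUP), that path may want to be best-effort — worth confirming against the kernel behaviour. `dump_socket` continues outside the hunk.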
+ +Signed-off-by: Adrian Reber +--- + test/zdtm/static/Makefile | 3 + + test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++ + test/zdtm/static/selinux01.checkskip | 1 + + test/zdtm/static/selinux01.desc | 1 + + test/zdtm/static/selinux01.hook | 1 + + test/zdtm/static/selinux02.c | 1 + + test/zdtm/static/selinux02.checkskip | 1 + + test/zdtm/static/selinux02.desc | 1 + + test/zdtm/static/selinux02.hook | 1 + + 9 files changed, 210 insertions(+) + create mode 100644 test/zdtm/static/selinux01.c + create mode 120000 test/zdtm/static/selinux01.checkskip + create mode 120000 test/zdtm/static/selinux01.desc + create mode 120000 test/zdtm/static/selinux01.hook + create mode 120000 test/zdtm/static/selinux02.c + create mode 120000 test/zdtm/static/selinux02.checkskip + create mode 120000 test/zdtm/static/selinux02.desc + create mode 120000 test/zdtm/static/selinux02.hook + +diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile +index 8e3f39276a..1ffaa90394 100644 +--- a/test/zdtm/static/Makefile ++++ b/test/zdtm/static/Makefile +@@ -211,6 +211,8 @@ TST_NOFILE := \ + thp_disable \ + pid_file \ + selinux00 \ ++ selinux01 \ ++ selinux02 \ + # jobctl00 \ + + ifneq ($(SRCARCH),arm) +@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04 + ghost_holes01: CFLAGS += -DTAIL_HOLE + ghost_holes02: CFLAGS += -DHEAD_HOLE + sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE ++selinux02: CFLAGS += -DUSING_SOCKCREATE + stopped01: CFLAGS += -DZDTM_STOPPED_KILL + stopped02: CFLAGS += -DZDTM_STOPPED_TKILL + stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL +diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c +new file mode 100644 +index 0000000000..9966455c47 +--- /dev/null ++++ b/test/zdtm/static/selinux01.c +@@ -0,0 +1,200 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "zdtmtst.h" ++ ++/* Enabling the right 
policy happens in selinux00.hook and selinx00.checkskip */ ++ ++const char *test_doc = "Check that a SELinux socket context is restored"; ++const char *test_author = "Adrian Reber "; ++ ++/* This is all based on Tycho's apparmor code */ ++ ++#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0" ++ ++/* ++ * This is used to store the state of SELinux. For this test ++ * SELinux is switched to permissive mode and later the previous ++ * SELinux state is restored. ++ */ ++char state; ++ ++int check_for_selinux() ++{ ++ if (access("/sys/fs/selinux", F_OK) == 0) ++ return 0; ++ return 1; ++} ++ ++int setprofile() ++{ ++ int fd, len; ++ ++ fd = open("/proc/self/attr/current", O_WRONLY); ++ if (fd < 0) { ++ fail("Could not open /proc/self/attr/current\n"); ++ return -1; ++ } ++ ++ len = write(fd, CONTEXT, strlen(CONTEXT)); ++ close(fd); ++ ++ if (len < 0) { ++ fail("Could not write context\n"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int set_sockcreate() ++{ ++ int fd, len; ++ ++ fd = open("/proc/self/attr/sockcreate", O_WRONLY); ++ if (fd < 0) { ++ fail("Could not open /proc/self/attr/sockcreate\n"); ++ return -1; ++ } ++ ++ len = write(fd, CONTEXT, strlen(CONTEXT)); ++ close(fd); ++ ++ if (len < 0) { ++ fail("Could not write context\n"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int check_sockcreate() ++{ ++ int fd; ++ char context[1024]; ++ int len; ++ ++ ++ fd = open("/proc/self/attr/sockcreate", O_RDONLY); ++ if (fd < 0) { ++ fail("Could not open /proc/self/attr/sockcreate\n"); ++ return -1; ++ } ++ ++ len = read(fd, context, strlen(CONTEXT)); ++ close(fd); ++ if (len != strlen(CONTEXT)) { ++ fail("SELinux context has unexpected length %d, expected %zd\n", ++ len, strlen(CONTEXT)); ++ return -1; ++ } ++ ++ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) { ++ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int check_sockcreate_empty() ++{ ++ char *output = NULL; ++ FILE *f = 
fopen("/proc/self/attr/sockcreate", "r"); ++ int ret = fscanf(f, "%ms", &output); ++ fclose(f); ++ ++ if (ret >= 1) { ++ free(output); ++ /* sockcreate should be empty, if fscanf found something ++ * it is wrong.*/ ++ fail("sockcreate should be empty\n"); ++ return -1; ++ } ++ ++ if (output) { ++ free(output); ++ /* Same here, output should still be NULL. */ ++ fail("sockcreate should be empty\n"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int main(int argc, char **argv) ++{ ++ char ctx[1024]; ++ test_init(argc, argv); ++ ++ if (check_for_selinux()) { ++ skip("SELinux not found on this system."); ++ test_daemon(); ++ test_waitsig(); ++ pass(); ++ return 0; ++ } ++ ++#ifdef USING_SOCKCREATE ++ if (set_sockcreate()) ++ return -1; ++#else ++ if (check_sockcreate_empty()) ++ return -1; ++ ++ if (setprofile()) ++ return -1; ++ ++ if (check_sockcreate_empty()) ++ return -1; ++#endif ++ ++ /* Open our test socket */ ++ int sk = socket(AF_INET, SOCK_STREAM, 0); ++ memset(ctx, 0, 1024); ++ /* Read out the socket label */ ++ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { ++ fail("Reading xattr 'security.selinux' failed.\n"); ++ return -1; ++ } ++ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { ++ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); ++ return -1; ++ } ++ memset(ctx, 0, 1024); ++ ++ test_daemon(); ++ test_waitsig(); ++ ++ /* Read out the socket label again */ ++ ++ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { ++ fail("Reading xattr 'security.selinux' failed.\n"); ++ return -1; ++ } ++ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { ++ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); ++ return -1; ++ } ++ ++#ifdef USING_SOCKCREATE ++ if (check_sockcreate()) ++ return -1; ++#else ++ if (check_sockcreate_empty()) ++ return -1; ++#endif ++ ++ pass(); ++ ++ return 0; ++} +diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip +new file mode 120000 +index 0000000000..e8a172479e 
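Review bot: In selinux01.c, `check_sockcreate_empty()` passes an unchecked `fopen()` result to `fscanf()` and `main()` passes an unchecked `socket()` result to `fgetxattr()`, so either failure crashes the test rather than producing a `fail()` line; add `if (!f) { fail("Could not open /proc/self/attr/sockcreate\n"); return -1; }` and `if (sk < 0) { fail("Could not create socket\n"); return -1; }`. The label comparisons use `strncmp(ctx, CONTEXT, strlen(CONTEXT))`, which accepts any context that merely starts with `CONTEXT` (one with extra MLS categories appended, for instance), so a wrong-but-longer label after restore would still pass; since `ctx` is zeroed before each `fgetxattr()`, `strcmp(ctx, CONTEXT) != 0` gives the exact check. `check_sockcreate()` has the same prefix-only behaviour through its `read(fd, context, strlen(CONTEXT))`, which stops reading at exactly the expected length.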
+--- /dev/null ++++ b/test/zdtm/static/selinux01.checkskip +@@ -0,0 +1 @@ ++selinux00.checkskip +\ No newline at end of file +diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc +new file mode 120000 +index 0000000000..2d2961a764 +--- /dev/null ++++ b/test/zdtm/static/selinux01.desc +@@ -0,0 +1 @@ ++selinux00.desc +\ No newline at end of file +diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook +new file mode 120000 +index 0000000000..dd7ed6bb33 +--- /dev/null ++++ b/test/zdtm/static/selinux01.hook +@@ -0,0 +1 @@ ++selinux00.hook +\ No newline at end of file +diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c +new file mode 120000 +index 0000000000..5702677858 +--- /dev/null ++++ b/test/zdtm/static/selinux02.c +@@ -0,0 +1 @@ ++selinux01.c +\ No newline at end of file +diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip +new file mode 120000 +index 0000000000..2696e6e3de +--- /dev/null ++++ b/test/zdtm/static/selinux02.checkskip +@@ -0,0 +1 @@ ++selinux01.checkskip +\ No newline at end of file +diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc +new file mode 120000 +index 0000000000..9c6802c4da +--- /dev/null ++++ b/test/zdtm/static/selinux02.desc +@@ -0,0 +1 @@ ++selinux01.desc +\ No newline at end of file +diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook +new file mode 120000 +index 0000000000..e3ea0a6c80 +--- /dev/null ++++ b/test/zdtm/static/selinux02.hook +@@ -0,0 +1 @@ ++selinux01.hook +\ No newline at end of file diff --git a/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch new file mode 100644 index 0000000..09446a6 --- /dev/null +++ b/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch 
@@ -0,0 +1,44 @@
+From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
+From: Andrei Vagin
+Date: Sat, 4 May 2019 20:01:52 -0700
+Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
+
+Fixes #693
+---
+ criu/lsm.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index 9c9ac7f80e..5921138392 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
+
+ int reset_setsockcreatecon()
+ {
+- return setsockcreatecon_raw(NULL);
++ /* Currently this only works for SELinux. */
++ if (kdat.lsm != LSMTYPE__SELINUX)
++ return 0;
++
++ if (setsockcreatecon_raw(NULL)) {
++ pr_perror("Unable to reset socket SELinux context");
++ return -1;
++ }
++ return 0;
+ }
+
+ int run_setsockcreatecon(FdinfoEntry *e)
+@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
+
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+- return setsockcreatecon_raw(ctx);
++ if (setsockcreatecon_raw(ctx)) {
++ pr_perror("Unable to set the %s socket SELinux context", ctx);
++ return -1;
++ }
++ return 0;
+ }
+
+ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
diff --git a/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
new file mode 100644
index 0000000..ec0cf00
--- /dev/null
+++ b/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
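Review bot: The new `pr_perror("Unable to set the %s socket SELinux context", ctx)` in `run_setsockcreatecon` can be reached with `ctx == NULL`, since `xattr_security_selinux` is an optional image field (an image written without the label simply lacks it) and nothing above guards it; passing NULL to `%s` is undefined behaviour and the same format-overflow class the b9e9e390 patch in this import fixes on the dump side. Either return early with `if (!ctx) return 0;` (the reset path already leaves the creation label cleared) or print `ctx ? ctx : "(none)"`. The `kdat.lsm != LSMTYPE__SELINUX` guard copied into `reset_setsockcreatecon` is correct, but the same three-line check and comment now live in three functions; a `static inline bool lsm_is_selinux(void)` would keep them in step.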
@@ -0,0 +1,40 @@ +From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Sat, 4 May 2019 15:27:32 +0200 +Subject: [PATCH] lsm: fix compiler error on Fedora 30 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes following compiler error: + +criu/lsm.c: In function ‘dump_xattr_security_selinux’: +criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=] + 51 | print_on_level(LOG_ERROR, \ + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 52 | "Error (%s:%d): " LOG_PREFIX fmt, \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 53 | __FILE__, __LINE__, ##__VA_ARGS__) + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’ + 166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); + | ^~~~~~ + +Signed-off-by: Adrian Reber +--- + criu/lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/criu/lsm.c b/criu/lsm.c +index 5921138392..420585ba4f 100644 +--- a/criu/lsm.c ++++ b/criu/lsm.c +@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e) + /* Get the size of the xattr. */ + len = fgetxattr(fd, "security.selinux", ctx, 0); + if (len == -1) { +- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); ++ pr_err("Reading xattr security.selinux from FD %d failed\n", fd); + return -1; + } + diff --git a/criu-tmpfiles.conf b/criu-tmpfiles.conf new file mode 100644 index 0000000..66cc5bf --- /dev/null +++ b/criu-tmpfiles.conf @@ -0,0 +1 @@ +d /run/criu 0755 root root - diff --git a/criu.pc.patch b/criu.pc.patch new file mode 100644 index 0000000..6211f2c --- /dev/null +++ b/criu.pc.patch 
@@ -0,0 +1,27 @@ +From 341ef149ee259d9432ea4c01507eefab2ef8b83c Mon Sep 17 00:00:00 2001 +From: Radostin Stoyanov +Date: Thu, 14 Oct 2021 12:58:56 +0100 +Subject: [PATCH] criu.pc: Add libprotobuf-c as a dependency + +CRIU has a dependency on protobuf-c-devel. We express this dependency +in pkgconfig to be auto-detected when building a package. + +Signed-off-by: Radostin Stoyanov +--- + lib/c/criu.pc.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/c/criu.pc.in b/lib/c/criu.pc.in +index 33986d10d..bcced5033 100644 +--- a/lib/c/criu.pc.in ++++ b/lib/c/criu.pc.in +@@ -4,5 +4,6 @@ includedir=@includedir@ + Name: CRIU + Description: RPC library for userspace checkpoint and restore + Version: @version@ ++Requires.private: libprotobuf-c + Libs: -L${libdir} -lcriu + Cflags: -I${includedir} +-- +2.31.1 + diff --git a/criu.spec b/criu.spec new file mode 100644 index 0000000..44e484e --- /dev/null +++ b/criu.spec 
@@ -0,0 +1,521 @@
+%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
+%global py_prefix python3
+%global py_binary %{py_prefix}
+%else
+%global py_prefix python
+%global py_binary python2
+%endif
+
+# With annobin enabled, CRIU does not work anymore. It seems CRIU's
+# parasite code breaks if annobin is enabled.
+%undefine _annotated_build
+
+Name: criu
+Version: 3.12
+Release: 9%{?dist}
+Provides: crtools = %{version}-%{release}
+Obsoletes: crtools <= 1.0-2
+Summary: Tool for Checkpoint/Restore in User-space
+License: GPLv2
+URL: http://criu.org/
+Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
+
+Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
+Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
+Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
+Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
+
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: perl
+# RHEL has no asciidoc; take man-page from Fedora 26
+# zcat /usr/share/man/man8/criu.8.gz > criu.8
+Source1: criu.8
+Source2: crit.1
+# The patch aio-fix.patch is needed as RHEL7
+# doesn't do "nr_events *= 2" in ioctx_alloc().
+Patch100: aio-fix.patch
+%endif
+
+Source3: criu-tmpfiles.conf
+
+BuildRequires: gcc
+BuildRequires: systemd
+BuildRequires: libnet-devel
+BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
+%if 0%{?fedora} || 0%{?rhel} > 7
+BuildRequires: asciidoc xmlto
+BuildRequires: perl-interpreter
+BuildRequires: libselinux-devel
+# Checkpointing containers with a tmpfs requires tar
+Recommends: tar
+%if 0%{?fedora}
+BuildRequires: libbsd-devel
+%endif
+%endif
+
+# user-space and kernel changes are only available for x86_64, arm,
+# ppc64le, aarch64 and s390x
+# https://bugzilla.redhat.com/show_bug.cgi?id=902875
+ExclusiveArch: x86_64 %{arm} ppc64le aarch64 s390x
+
+%description
+criu is the user-space part of Checkpoint/Restore in User-space
+(CRIU), a project to implement checkpoint/restore functionality for
+Linux in user-space.
+
+%if 0%{?fedora}
+%package devel
+Summary: Header files and libraries for %{name}
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+This package contains header files and libraries for %{name}.
+
+%package libs
+Summary: Libraries for %{name}
+Requires: %{name} = %{version}-%{release}
+
+%description libs
+This package contains the libraries for %{name}
+%endif
+
+%package -n %{py_prefix}-%{name}
+%{?python_provide:%python_provide %{py_prefix}-%{name}}
+Summary: Python bindings for %{name}
+%if 0%{?rhel} && 0%{?rhel} <= 7
+Requires: protobuf-python
+Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
+%else
+Requires: %{py_prefix}-protobuf
+Obsoletes: python2-criu < 3.10-1
+%endif
+
+%description -n %{py_prefix}-%{name}
+%{py_prefix}-%{name} contains Python bindings for %{name}.
+
+%package -n crit
+Summary: CRIU image tool
+Requires: %{py_prefix}-%{name} = %{version}-%{release}
+
+%description -n crit
+crit is a tool designed to decode CRIU binary dump files and show
+their content in human-readable form.
+
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%patch100 -p1
+%endif
+
+%build
+# %{?_smp_mflags} does not work
+# -fstack-protector breaks build
+CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
+%if 0%{?fedora} || 0%{?rhel} > 7
+make docs V=1
+%endif
+
+
+%install
+make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
+make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
+%if 0%{?fedora} || 0%{?rhel} > 7
+# only install documentation on Fedora as it requires asciidoc,
+# which is not available on RHEL7
+make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
+%else
+install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
+install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
+%endif
+
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -d -m 0755 %{buildroot}/run/%{name}/
+
+%if 0%{?rhel}
+# remove devel and libs packages
+rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
+rm $RPM_BUILD_ROOT%{_libdir}/*.so*
+rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
+rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
+%endif
+
+%files
+%{_sbindir}/%{name}
+%doc %{_mandir}/man8/criu.8*
+%if 0%{?fedora}
+%{_libexecdir}/%{name}
+%endif
+%dir /run/%{name}
+%{_tmpfilesdir}/%{name}.conf
+%doc README.md COPYING
+
+%if 0%{?fedora}
+%files devel
+%{_includedir}/criu
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files libs
+%{_libdir}/*.so.*
+%endif
+
+%files -n %{py_prefix}-%{name}
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%{python2_sitelib}/pycriu/*
+%{python2_sitelib}/*egg-info
+%else
+%{python3_sitelib}/pycriu/*
+%{python3_sitelib}/*egg-info
+%endif
+
+%files -n crit
+%{_bindir}/crit
+%doc %{_mandir}/man1/crit.1*
+
+
+%changelog
+* Mon May 13 2019 Adrian Reber - 3.12-9
+- Added additional fixup patches for the socket labelling
+
+* Sat May 04 2019 Adrian Reber - 3.12-8
+- Patch for socket labelling has changed upstream
+
+* Mon Apr 29 2019 Adrian Reber - 3.12-4
+- Applied patch to correctly restore socket()s
+
+* Sat Apr 27 2019 Adrian Reber - 3.12-3
+- Correctly exclude libs and devel for RHEL
+
+* Thu Apr 25 2019 Adrian Reber - 3.12-2
+- Updated to official 3.12
+
+* Tue Apr 23 2019 Adrian Reber - 3.12-0.1
+- Updated to 3.12 (pre-release)
+- Create libs subpackage
+- Build against SELinux (Fedora and RHEL8)
+- Build against libbsd (Fedora)
+
+* Thu Feb 14 2019 Adrian Reber - 3.11-2
+- Updated to 3.11
+- Removed upstreamed patches
+- Added patch for gcc-9
+
+* Tue Dec 11 2018 Adrian Reber - 3.10-7
+- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442)
+
+* Tue Dec 11 2018 Adrian Reber - 3.10-6
+- Make sure no iptables rules are left after restore (#1652471)
+
+* Tue Oct 30 2018 Adrian Reber - 3.10-5
+- Added Recommends: tar
+ It is necessary when checkpointing containers with a tmpfs
+
+* Mon Jul 16 2018 Adrian Reber - 3.10-4
+- Add patch to fix errors with read-only runc
+
+* Thu Jul 12 2018 Fedora Release Engineering - 3.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Adrian Reber - 3.10-2
+- Disable annobin as it seems to break CRIU
+
+* Tue Jul 10 2018 Adrian Reber - 3.10-1
+- Update to 3.10 (#1599710)
+- Switch to python3
+
+* Wed Jun 06 2018 Adrian Reber - 3.9-2
+- Simplify ExclusiveArch now that there is no more F26
+
+* Fri Jun 01 2018 Adrian Reber - 3.9-1
+- Update to 3.9
+
+* Tue Apr 03 2018 Adrian Reber - 3.8.1-1
+- Update to 3.8.1
+
+* Thu Mar 22 2018 Adrian Reber - 3.8-2
+- Bump release for COPR
+
+* Wed Mar 14 2018 Adrian Reber - 3.8-1
+- Update to 3.8
+
+* Wed Feb 07 2018 Fedora Release Engineering - 3.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko - 3.7-4
+- Switch to %%ldconfig_scriptlets
+
+* Fri Jan 12 2018 Adrian Reber - 3.7-3
+- Fix python/python2 dependencies accross all branches
+
+* Wed Jan 03 2018 Merlin Mathesius - 3.7-2
+- Cleanup spec file conditionals
+
+* Sat Dec 30 2017 Adrian Reber - 3.7-1
+- Update to 3.7
+
+* Fri Dec 15 2017 Iryna Shcherbina - 3.6-2
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Thu Oct 26 2017 Adrian Reber - 3.6-1
+- Update to 3.6
+
+* Wed Oct 18 2017 Adrian Reber - 3.5-5
+- Added patch to fix build on Fedora rawhide aarch64
+
+* Tue Oct 10 2017 Adrian Reber - 3.5-4
+- Upgrade imported manpages to 3.5
+
+* Mon Oct 09 2017 Adrian Reber - 3.5-3
+- Fix ExclusiveArch on RHEL
+
+* Mon Oct 02 2017 Adrian Reber - 3.5-2
+- Merge RHEL and Fedora spec file
+
+* Thu Sep 28 2017 Adrian Reber - 3.5-1
+- Update to 3.5 (#1496614)
+
+* Sun Aug 27 2017 Adrian Reber - 3.4-1
+- Update to 3.4 (#1483774)
+- Removed upstreamed patches
+- Added s390x (#1475719)
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 3.3-5
+- Python 2 binary package renamed to python2-criu
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Wed Aug 02 2017 Fedora Release Engineering - 3.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 20 2017 Adrian Reber - 3.3-2
+- Added patches to handle changes in glibc
+
+* Wed Jul 19 2017 Adrian Reber - 3.3-1
+- Update to 3.3
+
+* Fri Jun 30 2017 Adrian Reber - 3.2.1-2
+- Added patches to handle unified hierarchy and new glibc
+
+* Wed Jun 28 2017 Adrian Reber - 3.2.1-1
+- Update to 3.2.1-1
+
+* Tue Jun 13 2017 Orion Poplawski - 3.1-2
+- Rebuild for protobuf 3.3.1
+
+* Mon May 22 2017 Adrian Reber - 3.1-1
+- Update to 3.1
+
+* Tue Apr 25 2017 Adrian Reber - 3.0-1
+- Update to 3.0
+
+* Thu Mar 09 2017 Adrian Reber - 2.12-1
+- Update to 2.12
+
+* Fri Feb 17 2017 Adrian Reber - 2.11.1-1
+- Update to 2.11.1
+
+* Thu Feb 16 2017 Adrian Reber - 2.11-1
+- Update to 2.11
+
+* Mon Feb 13 2017 Adrian Reber - 2.10-4
+- Added patch to fix build on ppc64le
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 23 2017 Orion Poplawski - 2.10-2
+- Rebuild for protobuf 3.2.0
+
+* Mon Jan 16 2017 Adrian Reber - 2.10-1
+- Update to 2.10
+
+* Mon Dec 12 2016 Adrian Reber - 2.9-1
+- Update to 2.9
+- Added crit manpage to crit subpackage
+
+* Sat Nov 19 2016 Orion Poplawski - 2.8-2
+- Rebuild for protobuf 3.1.0
+
+* Tue Nov 15 2016 Adrian Reber - 2.8-1
+- Update to 2.8
+- Dropped 'mount_resolve_path()' patch
+
+* Wed Oct 19 2016 Adrian Reber - 2.7-2
+- Added upstream patch to fix #1381351
+ ("criu: mount_resolve_path(): criu killed by SIGSEGV")
+
+* Wed Oct 19 2016 Adrian Reber - 2.7-1
+- Update to 2.7
+
+* Tue Sep 13 2016 Adrian Reber - 2.6-1
+- Update to 2.6
+
+* Tue Aug 30 2016 Adrian Reber - 2.5-1
+- Update to 2.5
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.4-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue Jul 12 2016 Adrian Reber - 2.4-1
+- Update to 2.4
+
+* Tue Jun 14 2016 Adrian Reber - 2.3-1
+- Update to 2.3
+- Copy man-page from Fedora 24 for RHEL
+
+* Mon May 23 2016 Adrian Reber - 2.2-1
+- Update to 2.2
+
+* Tue Apr 12 2016 Adrian Reber - 2.1-2
+- Remove crtools symbolic link
+
+* Mon Apr 11 2016 Adrian Reber - 2.1-1
+- Update to 2.1
+
+* Wed Apr 06 2016 Adrian Reber - 2.0-2
+- Merge changes from Fedora
+
+* Thu Mar 10 2016 Andrey Vagin - 2.0-1
+- Update to 2.0
+
+* Wed Feb 03 2016 Fedora Release Engineering - 1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Dec 07 2015 Adrian Reber - 1.8-1
+- Update to 1.8
+
+* Mon Nov 02 2015 Adrian Reber - 1.7.2-1
+- Update to 1.7.2
+
+* Mon Sep 7 2015 Andrey Vagin - 1.7-1
+- Update to 1.7
+
+* Thu Sep 3 2015 Andrey Vagin - 1.6.1-3
+- Build only for power64le
+
+* Thu Sep 3 2015 Andrey Vagin - 1.6.1-2
+- Build for aarch64 and power64
+
+* Thu Aug 13 2015 Adrian Reber - 1.6.1-1
+- Update to 1.6.1
+- Merge changes for RHEL packaging
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Adrian Reber - 1.6-1.1
+- adapt to RHEL7
+
+* Mon Jun 01 2015 Andrew Vagin - 1.6-1
+- Update to 1.6
+
+* Thu Apr 30 2015 Andrew Vagin - 1.5.2-2
+- Require protobuf-python and python-ipaddr for python-criu
+
+* Tue Apr 28 2015 Andrew Vagin - 1.5.2
+- Update to 1.5.2
+
+* Sun Apr 19 2015 Nikita Spiridonov - 1.5.1-2
+- Create python-criu and crit subpackages
+
+* Tue Mar 31 2015 Andrew Vagin - 1.5.1
+- Update to 1.5.1
+
+* Sat Dec 06 2014 Adrian Reber - 1.4-1
+- Update to 1.4
+
+* Tue Sep 23 2014 Adrian Reber - 1.3.1-1
+- Update to 1.3.1 (#1142896)
+
+* Tue Sep 02 2014 Adrian Reber - 1.3-1
+- Update to 1.3
+- Dropped all upstreamed patches
+- included pkgconfig file in -devel
+
+* Sat Aug 16 2014 Fedora Release Engineering - 1.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 07 2014 Andrew Vagin - 1.2-4
+- Include inttypes.h for PRI helpers
+
+* Thu Aug 07 2014 Andrew Vagin - 1.2-3
+- Rebuilt for https://bugzilla.redhat.com/show_bug.cgi?id=1126751
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Feb 28 2014 Adrian Reber - 1.2-1
+- Update to 1.2
+- Dropped all upstreamed patches
+
+* Tue Feb 04 2014 Adrian Reber - 1.1-4
+- Create -devel subpackage
+
+* Wed Dec 11 2013 Andrew Vagin - 1.0-3
+- Fix the epoch of crtools
+
+* Tue Dec 10 2013 Andrew Vagin - 1.0-2
+- Rename crtools to criu #1034677
+
+* Wed Nov 27 2013 Andrew Vagin - 1.0-1
+- Update to 1.0
+
+* Thu Oct 24 2013 Andrew Vagin - 0.8-1
+- Update to 0.8
+
+* Tue Sep 10 2013 Andrew Vagin - 0.7-1
+- Update to 0.7
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 24 2013 Andrew Vagin - 0.6-3
+- Delete all kind of -fstack-protector gcc options
+
+* Wed Jul 24 2013 Andrew Vagin - 0.6-3
+- Added arm macro to ExclusiveArch
+
+* Wed Jul 03 2013 Andrew Vagin - 0.6-2
+- fix building on ARM
+- fix null pointer dereference
+
+* Tue Jul 02 2013 Adrian Reber - 0.6-1
+- updated to 0.6
+- upstream moved binaries to sbin
+- using upstream's make install
+
+* Tue May 14 2013 Adrian Reber - 0.5-1
+- updated to 0.5
+
+* Fri Feb 22 2013 Adrian Reber - 0.4-1
+- updated to 0.4
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 Adrian Reber - 0.3-3
+- added ExclusiveArch blocker bug
+
+* Fri Jan 18 2013 Adrian Reber - 0.3-2
+- improved Summary and Description
+
+* Mon Jan 14 2013 Adrian Reber - 0.3-1
+- updated to 0.3
+- fix building Documentation/
+
+* Tue Aug 21 2012 Adrian Reber - 0.2-2
+- remove macros like %%{__mkdir_p} and %%{__install}
+- add comment why it is only x86_64
+
+* Tue Aug 21 2012 Adrian Reber - 0.2-1
+- initial release
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..648918d
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+ - rhel-9
+decision_context: osci_compose_gate
+rules:
+ - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
diff --git a/rpminspect.yaml b/rpminspect.yaml
new file mode 100644
index 0000000..77c04ec
--- /dev/null
+++ b/rpminspect.yaml
@@ -0,0 +1,4 @@
+---
+annocheck:
+ jobs:
+ - hardened: --verbose --skip-pie --skip-bind-now --skip-stack-prot
diff --git a/sources b/sources
new file mode 100644
index 0000000..29b4af9
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA1 (criu-3.12.tar.bz2) = b2ceaf9705aa8239915010136a59664d31044fe3
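Review bot: The `%build` step strips every `-fstack-protector*` flag from `%{optflags}` and `%undefine _annotated_build` turns annobin off for the whole package, so the shipped `criu` binary and `libcriu` lose the distribution's stack protector and hardening annotations, although the spec's own comment attributes the annobin breakage only to the parasite code; `rpminspect.yaml` then waives exactly those checks with `--skip-stack-prot --skip-pie --skip-bind-now`, so a hardening regression in the main binary would no longer be reported. Only `Patch0`–`Patch3` are applied in `%prep`; the annobin build fix carried alongside this spec is never referenced, so if it applies to 3.12 it should be wired in with `Patch4: 0001-Fix-building-with-annobin.patch` and `%patch4 -p1`, which lets the PIE Makefiles drop the incompatible flags themselves. With that in place the `sed` over `%{optflags}` could be confined to the parasite/restorer objects and the blanket `%undefine _annotated_build` removed. `Source0` is fetched over plain `http://` and `sources` pins the tarball with SHA1 only; an `https://` URL and a SHA512 lookaside entry would give the source a stronger integrity anchor.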
diff --git a/tests/run-podman-checkpoint-restore.sh b/tests/run-podman-checkpoint-restore.sh
new file mode 100755
index 0000000..b606d9b
--- /dev/null
+++ b/tests/run-podman-checkpoint-restore.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eux
+
+ls -la
+
+if ! crun checkpoint --help; then
+ echo "crun doesn't support checkpoint/restore"
+ exit 0
+fi
+
+echo "Start container"
+podman --log-level debug run -d quay.io/adrianreber/counter
+
+echo "See which containers are running"
+podman ps
+
+echo "Connect to the container"
+curl `podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress'`:8088
+
+echo "Checkpoint container"
+podman --log-level debug container checkpoint -l
+
+podman ps -a
+echo "Restore container"
+podman --log-level debug container restore -l
+
+podman ps -a
+echo "Check if we can connect to the restored container"
+curl `podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress'`:8088
+
+ls -la
diff --git a/tests/run-zdtm.sh b/tests/run-zdtm.sh
new file mode 100755
index 0000000..350f0a9
--- /dev/null
+++ b/tests/run-zdtm.sh
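Review bot: `podman --log-level debug run -d quay.io/adrianreber/counter` pulls an unpinned image (implicit `latest` tag) from a personal registry namespace, so the gating result depends on whatever is published there at run time and a changed or compromised image silently alters what CI executes; pin it by digest, e.g. `quay.io/adrianreber/counter@sha256:<digest>` (placeholder for the digest of the image that was validated). The two `curl \`podman inspect -l | jq -r ...\`:8088` lines interpolate an unquoted backtick result, so an empty `IPAddress` turns into `curl :8088` and the script fails with an error unrelated to checkpoint/restore; capture it once as `IP=$(podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress')` and exit with a clear message when it is empty. Nothing stops or removes the container afterwards, so a failed run leaves it and its 8088 listener on the test host; a `trap 'podman rm -f -l' EXIT` after the `run` would clean up on every path.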
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+set -x
+
+uname -a
+
+# These zdtm tests are skipped because they fail only in CI system
+EXCLUDES=" \
+ -x zdtm/static/socket-tcp-reseted \
+ -x zdtm/static/socket-tcp-closed \
+ -x zdtm/static/socket-tcp-closed-last-ack \
+ -x zdtm/static/socket-tcp6-closed \
+ -x zdtm/static/socket-tcp4v6-closed \
+ -x zdtm/static/maps01 \
+ -x zdtm/static/maps04 \
+ -x zdtm/static/cgroup04 \
+ -x zdtm/static/cgroup_ifpriomap \
+ -x zdtm/static/netns_sub \
+ -x zdtm/static/netns_sub_veth \
+ -x zdtm/static/file_locks01 \
+ -x zdtm/static/cgroup02 "
+
+run_test() {
+ ./zdtm.py run --criu-bin /usr/sbin/criu ${EXCLUDES} \
+ -a --ignore-taint --keep-going
+
+ RESULT=$?
+}
+
+
+RESULT=42
+
+python -V
+
+# this socket brakes CRIU's test cases
+rm -f /var/lib/sss/pipes/nss
+
+# Move away the nft binary to avoid confusions with CRIU.
+# This is already fixed upstream.
+
+[ -e /usr/sbin/nft ] && mv /usr/sbin/nft /usr/sbin/nft.away
+
+cd source
+
+echo "Build CRIU"
+make
+
+cd test
+
+echo "Run the actual CRIU test suite"
+run_test
+
+if [ "$RESULT" -ne "0" ]; then
+ # Run tests a second time to make sure it is a real failure
+ echo "Something failed. Run the actual CRIU test suite a second time"
+ run_test
+ if [ "$RESULT" -ne "0" ]; then
+ echo "Still a test suite error. Something seems to be actually broken"
+ exit $RESULT
+ fi
+fi
+
+exit 0
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..ff1c692
--- /dev/null
+++ b/tests/tests.yml
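Review bot: `cd source`, `make` and `cd test` are unchecked and the script only sets `set -x`, so when the checkout is missing or the build fails it still calls `run_test`, which then runs `./zdtm.py` from the wrong directory and reports an unrelated error instead of the real cause; use `cd source || exit 1`, `make || exit 1` and `cd test || exit 1` (or `set -e` around the build section). The host mutations — `rm -f /var/lib/sss/pipes/nss` and moving `/usr/sbin/nft` to `/usr/sbin/nft.away` — are never undone, so a reused runner is left with a renamed system binary; a `trap '[ -e /usr/sbin/nft.away ] && mv /usr/sbin/nft.away /usr/sbin/nft' EXIT` placed next to the `mv` restores it on every exit path. The comment `# this socket brakes CRIU's test cases` should read `breaks`.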
@@ -0,0 +1,35 @@
+---
+- hosts: localhost
+ roles:
+ - role: standard-test-source
+ tags:
+ - classic
+ - role: standard-test-basic
+ tags:
+ - classic
+ required_packages:
+ - podman
+ - curl
+ - jq
+ - checkpolicy
+ - policycoreutils
+ - make
+ - gcc
+ - python3
+ - libnet-devel
+ - protobuf-devel
+ - protobuf-c-devel
+ - python3-devel
+ - libnl3-devel
+ - libcap-devel
+ - libaio-devel
+ - python3-pyyaml
+ - python3-protobuf
+ - python-unversioned-command
+ tests:
+ - zdtm:
+ dir: .
+ run: ./run-zdtm.sh
+ - podman:
+ dir: .
+ run: ./run-podman-checkpoint-restore.sh