rpms/criu
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import criu-3.12-9.module+el8.2.0+5029+3ac48e7d

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 16:51:55 -05:00 committed by Stepan Oksanichenko
commit d2eaf3eff6
8 changed files with 1509 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.criu.metadata Normal file
View File

@ -0,0 +1 @@
b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/criu-3.12.tar.bz2

67
SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch Normal file
View File

@ -0,0 +1,67 @@
From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 3 May 2019 06:27:51 +0000
Subject: [PATCH] lsm: fix compiler error 'unused-result'
Reading out the xattr 'security.selinux' of checkpointed sockets with
fscanf() works (at least in theory) without checking the result of
fscanf(). There are, however, multiple CI failures when ignoring the
return value of fscanf().
This adds ferror() to check if the stream has an actual error or if '-1'
just mean EOF.
Handle all errors of fscanf() // Andrei
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/lsm.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index ef6ba112b3..9c9ac7f80e 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
return -1;
if (fscanf(f, "%ms", profile_name) != 1) {
- fclose(f);
pr_perror("err scanfing");
+ fclose(f);
return -1;
}
@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
static int selinux_get_sockcreate_label(pid_t pid, char **output)
{
FILE *f;
+ int ret;
f = fopen_proc(pid, "attr/sockcreate");
if (!f)
return -1;
- fscanf(f, "%ms", output);
- /*
- * No need to check the result of fscanf(). If there is something
- * in /proc/PID/attr/sockcreate it will be copied to *output. If
- * there is nothing it will stay NULL. So whatever fscanf() does
- * it should be correct.
- */
-
+ ret = fscanf(f, "%ms", output);
+ if (ret == -1 && errno != 0) {
+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
+ /*
+ * Only if the error indicator is set it is a real error.
+ * -1 could also be EOF, which would mean that sockcreate
+ * was just empty, which is the most common case.
+ */
+ fclose(f);
+ return -1;
+ }
fclose(f);
return 0;
}

834
SOURCES/685.patch Normal file
View File

@ -0,0 +1,834 @@
From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:41:46 +0000
Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
The file /proc/PID/attr/sockcreate is used by SELinux to label newly
created sockets with the label available at sockcreate.
If it is NULL, the default label of the process will be used.
This reads out that file during checkpoint and restores the value during
restore.
This value is irrelevant for existing sockets as they might have been
created with another context. This is only to make sure that newly
created sockets have the correct context.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++
criu/include/restorer.h | 2 ++
criu/lsm.c | 32 ++++++++++++++++++++++++++++++++
criu/pie/restorer.c | 15 ++++++++++-----
images/creds.proto | 1 +
5 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 5fd22e9246..f254cbc0eb 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
if (args->lsm_profile)
args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
+ if (args->lsm_sockcreate)
+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
if (args->groups)
args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
args->mem_lsm_profile_pos = 0;
}
+ if (ce->lsm_sockcreate) {
+ char *rendered = NULL;
+ char *profile;
+
+ profile = ce->lsm_sockcreate;
+
+ if (validate_lsm(profile) < 0)
+ return ERR_PTR(-EINVAL);
+
+ if (profile && render_lsm_profile(profile, &rendered)) {
+ return ERR_PTR(-EINVAL);
+ }
+ if (rendered) {
+ size_t lsm_sockcreate_len;
+ char *lsm_sockcreate;
+
+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
+ lsm_sockcreate_len = strlen(rendered);
+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
+ if (!lsm_sockcreate) {
+ xfree(rendered);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
+ args->lsm_sockcreate = lsm_sockcreate;
+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
+ xfree(rendered);
+ }
+ } else {
+ args->lsm_sockcreate = NULL;
+ args->mem_lsm_sockcreate_pos = 0;
+ }
+
/*
* Zap fields which we can't use.
*/
diff --git a/criu/include/restorer.h b/criu/include/restorer.h
index 2884ce9e6d..b83e9130c5 100644
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -69,8 +69,10 @@ struct thread_creds_args {
unsigned int secbits;
char *lsm_profile;
unsigned int *groups;
+ char *lsm_sockcreate;
unsigned long mem_lsm_profile_pos;
+ unsigned long mem_lsm_sockcreate_pos;
unsigned long mem_groups_pos;
unsigned long mem_pos_next;
diff --git a/criu/lsm.c b/criu/lsm.c
index 849ec37cde..b0ef0c396c 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
freecon(ctx);
return ret;
}
+
+/*
+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
+ * to see if the PID has a special label specified for sockets.
+ * Most of the time this will be empty and the process will use
+ * the process context also for sockets.
+ */
+static int selinux_get_sockcreate_label(pid_t pid, char **output)
+{
+ FILE *f;
+
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+
+ fscanf(f, "%ms", output);
+ /*
+ * No need to check the result of fscanf(). If there is something
+ * in /proc/PID/attr/sockcreate it will be copied to *output. If
+ * there is nothing it will stay NULL. So whatever fscanf() does
+ * it should be correct.
+ */
+
+ fclose(f);
+ return 0;
+}
#endif
void kerndat_lsm(void)
@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
int ret;
ce->lsm_profile = NULL;
+ ce->lsm_sockcreate = NULL;
switch (kdat.lsm) {
case LSMTYPE__NO_LSM:
@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
#ifdef CONFIG_HAS_SELINUX
case LSMTYPE__SELINUX:
ret = selinux_get_label(pid, &ce->lsm_profile);
+ if (ret)
+ break;
+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
break;
#endif
default:
@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
if (ce->lsm_profile)
pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
+ if (ce->lsm_sockcreate)
+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
return ret;
}
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 6e18cc2606..4f42605a09 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
sys_exit_group(1);
}
-static int lsm_set_label(char *label, int procfd)
+static int lsm_set_label(char *label, char *type, int procfd)
{
int ret = -1, len, lsmfd;
char path[STD_LOG_SIMPLE_CHUNK];
@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
if (!label)
return 0;
- pr_info("restoring lsm profile %s\n", label);
+ pr_info("restoring lsm profile (%s) %s\n", type, label);
- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
if (lsmfd < 0) {
@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
* SELinux and instead the process context is set before the
* threads are created.
*/
- if (lsm_set_label(args->lsm_profile, procfd) < 0)
+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
return -1;
}
+
+ /* Also set the sockcreate label for all threads */
+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
+ return -1;
+
return 0;
}
@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
if (args->lsm_type == LSMTYPE__SELINUX) {
/* Only for SELinux */
if (lsm_set_label(args->t->creds_args->lsm_profile,
- args->proc_fd) < 0)
+ "current", args->proc_fd) < 0)
goto core_restore_end;
}
diff --git a/images/creds.proto b/images/creds.proto
index 29fb8652eb..23b84c7e50 100644
--- a/images/creds.proto
+++ b/images/creds.proto
@@ -20,4 +20,5 @@ message creds_entry {
repeated uint32 groups = 14;
optional string lsm_profile = 15;
+ optional string lsm_sockcreate = 16;
}
From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:47:29 +0000
Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
restore
This makes sure that sockcreate stays empty for selinux00 before and
after checkpoint/restore.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
index dd9096a6fc..db8420eacb 100644
--- a/test/zdtm/static/selinux00.c
+++ b/test/zdtm/static/selinux00.c
@@ -83,6 +83,31 @@ int checkprofile()
return 0;
}
+int check_sockcreate()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
test_init(argc, argv);
@@ -95,12 +120,21 @@ int main(int argc, char **argv)
return 0;
}
+ if (check_sockcreate())
+ return -1;
+
if (setprofile())
return -1;
+ if (check_sockcreate())
+ return -1;
+
test_daemon();
test_waitsig();
+ if (check_sockcreate())
+ return -1;
+
if (checkprofile() == 0)
pass();
From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Mon, 29 Apr 2019 15:21:59 +0200
Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
Restoring a SELinux process also requires to correctly label sockets.
During checkpointing fgetxattr() is used to retrieve the
"security.selinux" xattr and during restore setsockcreatecon() is used
before a socket is created.
Previous commits are already restoring the sockcreate SELinux setting if
set by the process.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/include/lsm.h | 18 +++++++++++++++
criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++
criu/sk-inet.c | 12 ++++++++++
criu/sockets.c | 4 ++++
images/fdinfo.proto | 1 +
5 files changed, 91 insertions(+)
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b4fce13039..3b82712829 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -3,6 +3,7 @@
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
int render_lsm_profile(char *profile, char **val);
extern int lsm_check_opts(void);
+
+#ifdef CONFIG_HAS_SELINUX
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
+int run_setsockcreatecon(FdinfoEntry *e);
+int reset_setsockcreatecon();
+#else
+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
+ return 0;
+}
+static inline int run_setsockcreatecon(FdinfoEntry *e) {
+ return 0;
+}
+static inline int reset_setsockcreatecon() {
+ return 0;
+}
+#endif
+
#endif /* __CR_LSM_H__ */
diff --git a/criu/lsm.c b/criu/lsm.c
index b0ef0c396c..ef6ba112b3 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -3,6 +3,7 @@
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <unistd.h>
#include "common/config.h"
@@ -11,10 +12,12 @@
#include "util.h"
#include "cr_options.h"
#include "lsm.h"
+#include "fdstore.h"
#include "protobuf.h"
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#ifdef CONFIG_HAS_SELINUX
#include <selinux/selinux.h>
@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
fclose(f);
return 0;
}
+
+int reset_setsockcreatecon()
+{
+ return setsockcreatecon_raw(NULL);
+}
+
+int run_setsockcreatecon(FdinfoEntry *e)
+{
+ char *ctx = NULL;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+ return setsockcreatecon_raw(ctx);
+}
+
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+{
+ char *ctx = NULL;
+ int len;
+ int ret;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ /* Get the size of the xattr. */
+ len = fgetxattr(fd, "security.selinux", ctx, 0);
+ if (len == -1) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ ctx = xmalloc(len);
+ if (!ctx) {
+ pr_err("xmalloc to read xattr for FD %d failed\n", fd);
+ return -1;
+ }
+
+ ret = fgetxattr(fd, "security.selinux", ctx, len);
+ if (len != ret) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ e->xattr_security_selinux = ctx;
+
+ return 0;
+}
+
#endif
void kerndat_lsm(void)
diff --git a/criu/sk-inet.c b/criu/sk-inet.c
index 60ee4c3155..ca5c9bf2cd 100644
--- a/criu/sk-inet.c
+++ b/criu/sk-inet.c
@@ -23,6 +23,9 @@
#include "files.h"
#include "image.h"
#include "log.h"
+#include "lsm.h"
+#include "kerndat.h"
+#include "pstree.h"
#include "rst-malloc.h"
#include "sockets.h"
#include "sk-inet.h"
@@ -30,6 +33,8 @@
#include "util.h"
#include "namespaces.h"
+#include "images/inventory.pb-c.h"
+
#undef LOG_PREFIX
#define LOG_PREFIX "inet: "
@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
if (set_netns(ie->ns_id))
return -1;
+ if (run_setsockcreatecon(fle->fe))
+ return -1;
+
sk = socket(ie->family, ie->type, ie->proto);
if (sk < 0) {
pr_perror("Can't create inet socket");
return -1;
}
+ if (reset_setsockcreatecon())
+ return -1;
+
if (ie->v6only) {
if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
goto err;
@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
}
*new_fd = sk;
+
return 1;
err:
close(sk);
diff --git a/criu/sockets.c b/criu/sockets.c
index 30072ac737..7f7453ca1d 100644
--- a/criu/sockets.c
+++ b/criu/sockets.c
@@ -22,6 +22,7 @@
#include "util-pie.h"
#include "sk-packet.h"
#include "namespaces.h"
+#include "lsm.h"
#include "net.h"
#include "xmalloc.h"
#include "fs-magic.h"
@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
int family;
const struct fdtype_ops *ops;
+ if (dump_xattr_security_selinux(lfd, e))
+ return -1;
+
if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
return -1;
diff --git a/images/fdinfo.proto b/images/fdinfo.proto
index ed82ceffe7..77e375aa94 100644
--- a/images/fdinfo.proto
+++ b/images/fdinfo.proto
@@ -47,6 +47,7 @@ message fdinfo_entry {
required uint32 flags = 2;
required fd_types type = 3;
required uint32 fd = 4;
+ optional string xattr_security_selinux = 5;
}
message file_entry {
From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 30 Apr 2019 09:47:32 +0000
Subject: [PATCH 4/4] selinux: add socket label test
This adds two more SELinux test to verfy that checkpointing and
restoring SELinux socket labels works correctly, if the process uses
setsockcreatecon() or if the process leaves the default context for
newly created sockets.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/Makefile | 3 +
test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++
test/zdtm/static/selinux01.checkskip | 1 +
test/zdtm/static/selinux01.desc | 1 +
test/zdtm/static/selinux01.hook | 1 +
test/zdtm/static/selinux02.c | 1 +
test/zdtm/static/selinux02.checkskip | 1 +
test/zdtm/static/selinux02.desc | 1 +
test/zdtm/static/selinux02.hook | 1 +
9 files changed, 210 insertions(+)
create mode 100644 test/zdtm/static/selinux01.c
create mode 120000 test/zdtm/static/selinux01.checkskip
create mode 120000 test/zdtm/static/selinux01.desc
create mode 120000 test/zdtm/static/selinux01.hook
create mode 120000 test/zdtm/static/selinux02.c
create mode 120000 test/zdtm/static/selinux02.checkskip
create mode 120000 test/zdtm/static/selinux02.desc
create mode 120000 test/zdtm/static/selinux02.hook
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 8e3f39276a..1ffaa90394 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -211,6 +211,8 @@ TST_NOFILE := \
thp_disable \
pid_file \
selinux00 \
+ selinux01 \
+ selinux02 \
# jobctl00 \
ifneq ($(SRCARCH),arm)
@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
ghost_holes01: CFLAGS += -DTAIL_HOLE
ghost_holes02: CFLAGS += -DHEAD_HOLE
sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE
+selinux02: CFLAGS += -DUSING_SOCKCREATE
stopped01: CFLAGS += -DZDTM_STOPPED_KILL
stopped02: CFLAGS += -DZDTM_STOPPED_TKILL
stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
new file mode 100644
index 0000000000..9966455c47
--- /dev/null
+++ b/test/zdtm/static/selinux01.c
@@ -0,0 +1,200 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/socket.h>
+#include <sys/xattr.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
+
+const char *test_doc = "Check that a SELinux socket context is restored";
+const char *test_author = "Adrian Reber <areber@redhat.com>";
+
+/* This is all based on Tycho's apparmor code */
+
+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
+
+/*
+ * This is used to store the state of SELinux. For this test
+ * SELinux is switched to permissive mode and later the previous
+ * SELinux state is restored.
+ */
+char state;
+
+int check_for_selinux()
+{
+ if (access("/sys/fs/selinux", F_OK) == 0)
+ return 0;
+ return 1;
+}
+
+int setprofile()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/current\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int set_sockcreate()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/sockcreate", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate()
+{
+ int fd;
+ char context[1024];
+ int len;
+
+
+ fd = open("/proc/self/attr/sockcreate", O_RDONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = read(fd, context, strlen(CONTEXT));
+ close(fd);
+ if (len != strlen(CONTEXT)) {
+ fail("SELinux context has unexpected length %d, expected %zd\n",
+ len, strlen(CONTEXT));
+ return -1;
+ }
+
+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate_empty()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ char ctx[1024];
+ test_init(argc, argv);
+
+ if (check_for_selinux()) {
+ skip("SELinux not found on this system.");
+ test_daemon();
+ test_waitsig();
+ pass();
+ return 0;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (set_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+
+ if (setprofile())
+ return -1;
+
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ /* Open our test socket */
+ int sk = socket(AF_INET, SOCK_STREAM, 0);
+ memset(ctx, 0, 1024);
+ /* Read out the socket label */
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+ memset(ctx, 0, 1024);
+
+ test_daemon();
+ test_waitsig();
+
+ /* Read out the socket label again */
+
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (check_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ pass();
+
+ return 0;
+}
diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
new file mode 120000
index 0000000000..e8a172479e
--- /dev/null
+++ b/test/zdtm/static/selinux01.checkskip
@@ -0,0 +1 @@
+selinux00.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
new file mode 120000
index 0000000000..2d2961a764
--- /dev/null
+++ b/test/zdtm/static/selinux01.desc
@@ -0,0 +1 @@
+selinux00.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
new file mode 120000
index 0000000000..dd7ed6bb33
--- /dev/null
+++ b/test/zdtm/static/selinux01.hook
@@ -0,0 +1 @@
+selinux00.hook
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
new file mode 120000
index 0000000000..5702677858
--- /dev/null
+++ b/test/zdtm/static/selinux02.c
@@ -0,0 +1 @@
+selinux01.c
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
new file mode 120000
index 0000000000..2696e6e3de
--- /dev/null
+++ b/test/zdtm/static/selinux02.checkskip
@@ -0,0 +1 @@
+selinux01.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
new file mode 120000
index 0000000000..9c6802c4da
--- /dev/null
+++ b/test/zdtm/static/selinux02.desc
@@ -0,0 +1 @@
+selinux01.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
new file mode 120000
index 0000000000..e3ea0a6c80
--- /dev/null
+++ b/test/zdtm/static/selinux02.hook
@@ -0,0 +1 @@
+selinux01.hook
\ No newline at end of file

44
SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch Normal file
View File

@ -0,0 +1,44 @@
From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@gmail.com>
Date: Sat, 4 May 2019 20:01:52 -0700
Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
Fixes #693
---
criu/lsm.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 9c9ac7f80e..5921138392 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
int reset_setsockcreatecon()
{
- return setsockcreatecon_raw(NULL);
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ if (setsockcreatecon_raw(NULL)) {
+ pr_perror("Unable to reset socket SELinux context");
+ return -1;
+ }
+ return 0;
}
int run_setsockcreatecon(FdinfoEntry *e)
@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
ctx = e->xattr_security_selinux;
/* Writing to the FD using fsetxattr() did not work for some reason. */
- return setsockcreatecon_raw(ctx);
+ if (setsockcreatecon_raw(ctx)) {
+ pr_perror("Unable to set the %s socket SELinux context", ctx);
+ return -1;
+ }
+ return 0;
}
int dump_xattr_security_selinux(int fd, FdinfoEntry *e)

40
SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch Normal file
View File

@ -0,0 +1,40 @@
From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Sat, 4 May 2019 15:27:32 +0200
Subject: [PATCH] lsm: fix compiler error on Fedora 30
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes following compiler error:
criu/lsm.c: In function dump_xattr_security_selinux:
criu/include/log.h:51:2: error: %s directive argument is null [-Werror=format-overflow=]
51 | print_on_level(LOG_ERROR, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
52 | "Error (%s:%d): " LOG_PREFIX fmt, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53 | __FILE__, __LINE__, ##__VA_ARGS__)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
criu/lsm.c:166:3: note: in expansion of macro pr_err
166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
| ^~~~~~
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 5921138392..420585ba4f 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
/* Get the size of the xattr. */
len = fgetxattr(fd, "security.selinux", ctx, 0);
if (len == -1) {
- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
return -1;
}

1
SOURCES/criu-tmpfiles.conf Normal file
View File

@ -0,0 +1 @@
d /run/criu 0755 root root -

521
SPECS/criu.spec Normal file
View File

@ -0,0 +1,521 @@
%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
%global py_prefix python3
%global py_binary %{py_prefix}
%else
%global py_prefix python
%global py_binary python2
%endif
# With annobin enabled, CRIU does not work anymore. It seems CRIU's
# parasite code breaks if annobin is enabled.
%undefine _annotated_build
Name: criu
Version: 3.12
Release: 9%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
License: GPLv2
URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: perl
# RHEL has no asciidoc; take man-page from Fedora 26
# zcat /usr/share/man/man8/criu.8.gz > criu.8
Source1: criu.8
Source2: crit.1
# The patch aio-fix.patch is needed as RHEL7
# doesn't do "nr_events *= 2" in ioctx_alloc().
Patch100: aio-fix.patch
%endif
Source3: criu-tmpfiles.conf
BuildRequires: gcc
BuildRequires: systemd
BuildRequires: libnet-devel
BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
%if 0%{?fedora} || 0%{?rhel} > 7
BuildRequires: asciidoc xmlto
BuildRequires: perl-interpreter
BuildRequires: libselinux-devel
# Checkpointing containers with a tmpfs requires tar
Recommends: tar
%if 0%{?fedora}
BuildRequires: libbsd-devel
%endif
%endif
# user-space and kernel changes are only available for x86_64, arm,
# ppc64le, aarch64 and s390x
# https://bugzilla.redhat.com/show_bug.cgi?id=902875
ExclusiveArch: x86_64 %{arm} ppc64le aarch64 s390x
%description
criu is the user-space part of Checkpoint/Restore in User-space
(CRIU), a project to implement checkpoint/restore functionality for
Linux in user-space.
%if 0%{?fedora}
%package devel
Summary: Header files and libraries for %{name}
Requires: %{name} = %{version}-%{release}
%description devel
This package contains header files and libraries for %{name}.
%package libs
Summary: Libraries for %{name}
Requires: %{name} = %{version}-%{release}
%description libs
This package contains the libraries for %{name}
%endif
%package -n %{py_prefix}-%{name}
%{?python_provide:%python_provide %{py_prefix}-%{name}}
Summary: Python bindings for %{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: protobuf-python
Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
%else
Requires: %{py_prefix}-protobuf
Obsoletes: python2-criu < 3.10-1
%endif
%description -n %{py_prefix}-%{name}
%{py_prefix}-%{name} contains Python bindings for %{name}.
%package -n crit
Summary: CRIU image tool
Requires: %{py_prefix}-%{name} = %{version}-%{release}
%description -n crit
crit is a tool designed to decode CRIU binary dump files and show
their content in human-readable form.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?rhel} && 0%{?rhel} <= 7
%patch100 -p1
%endif
%build
# %{?_smp_mflags} does not work
# -fstack-protector breaks build
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
make docs V=1
%endif
%install
make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
# only install documentation on Fedora as it requires asciidoc,
# which is not available on RHEL7
make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
%else
install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
%endif
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}/run/%{name}/
%if 0%{?rhel}
# remove devel and libs packages
rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
rm $RPM_BUILD_ROOT%{_libdir}/*.so*
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%endif
%files
%{_sbindir}/%{name}
%doc %{_mandir}/man8/criu.8*
%if 0%{?fedora}
%{_libexecdir}/%{name}
%endif
%dir /run/%{name}
%{_tmpfilesdir}/%{name}.conf
%doc README.md COPYING
%if 0%{?fedora}
%files devel
%{_includedir}/criu
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files libs
%{_libdir}/*.so.*
%endif
%files -n %{py_prefix}-%{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
%{python2_sitelib}/pycriu/*
%{python2_sitelib}/*egg-info
%else
%{python3_sitelib}/pycriu/*
%{python3_sitelib}/*egg-info
%endif
%files -n crit
%{_bindir}/crit
%doc %{_mandir}/man1/crit.1*
%changelog
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
- Added additional fixup patches for the socket labelling
* Sat May 04 2019 Adrian Reber <adrian@lisas.de> - 3.12-8
- Patch for socket labelling has changed upstream
* Mon Apr 29 2019 Adrian Reber <adrian@lisas.de> - 3.12-4
- Applied patch to correctly restore socket()s
* Sat Apr 27 2019 Adrian Reber <adrian@lisas.de> - 3.12-3
- Correctly exclude libs and devel for RHEL
* Thu Apr 25 2019 Adrian Reber <adrian@lisas.de> - 3.12-2
- Updated to official 3.12
* Tue Apr 23 2019 Adrian Reber <adrian@lisas.de> - 3.12-0.1
- Updated to 3.12 (pre-release)
- Create libs subpackage
- Build against SELinux (Fedora and RHEL8)
- Build against libbsd (Fedora)
* Thu Feb 14 2019 Adrian Reber <areber@redhat.com> - 3.11-2
- Updated to 3.11
- Removed upstreamed patches
- Added patch for gcc-9
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-7
- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442)
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-6
- Make sure no iptables rules are left after restore (#1652471)
* Tue Oct 30 2018 Adrian Reber <adrian@lisas.de> - 3.10-5
- Added Recommends: tar
It is necessary when checkpointing containers with a tmpfs
* Mon Jul 16 2018 Adrian Reber <adrian@lisas.de> - 3.10-4
- Add patch to fix errors with read-only runc
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-2
- Disable annobin as it seems to break CRIU
* Tue Jul 10 2018 Adrian Reber <adrian@lisas.de> - 3.10-1
- Update to 3.10 (#1599710)
- Switch to python3
* Wed Jun 06 2018 Adrian Reber <adrian@lisas.de> - 3.9-2
- Simplify ExclusiveArch now that there is no more F26
* Fri Jun 01 2018 Adrian Reber <adrian@lisas.de> - 3.9-1
- Update to 3.9
* Tue Apr 03 2018 Adrian Reber <adrian@lisas.de> - 3.8.1-1
- Update to 3.8.1
* Thu Mar 22 2018 Adrian Reber <adrian@lisas.de> - 3.8-2
- Bump release for COPR
* Wed Mar 14 2018 Adrian Reber <adrian@lisas.de> - 3.8-1
- Update to 3.8
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.7-4
- Switch to %%ldconfig_scriptlets
* Fri Jan 12 2018 Adrian Reber <adrian@lisas.de> - 3.7-3
- Fix python/python2 dependencies accross all branches
* Wed Jan 03 2018 Merlin Mathesius <mmathesi@redhat.com> - 3.7-2
- Cleanup spec file conditionals
* Sat Dec 30 2017 Adrian Reber <adrian@lisas.de> - 3.7-1
- Update to 3.7
* Fri Dec 15 2017 Iryna Shcherbina <ishcherb@redhat.com> - 3.6-2
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Thu Oct 26 2017 Adrian Reber <adrian@lisas.de> - 3.6-1
- Update to 3.6
* Wed Oct 18 2017 Adrian Reber <adrian@lisas.de> - 3.5-5
- Added patch to fix build on Fedora rawhide aarch64
* Tue Oct 10 2017 Adrian Reber <areber@redhat.com> - 3.5-4
- Upgrade imported manpages to 3.5
* Mon Oct 09 2017 Adrian Reber <areber@redhat.com> - 3.5-3
- Fix ExclusiveArch on RHEL
* Mon Oct 02 2017 Adrian Reber <adrian@lisas.de> - 3.5-2
- Merge RHEL and Fedora spec file
* Thu Sep 28 2017 Adrian Reber <adrian@lisas.de> - 3.5-1
- Update to 3.5 (#1496614)
* Sun Aug 27 2017 Adrian Reber <adrian@lisas.de> - 3.4-1
- Update to 3.4 (#1483774)
- Removed upstreamed patches
- Added s390x (#1475719)
* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.3-5
- Python 2 binary package renamed to python2-criu
See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jul 20 2017 Adrian Reber <adrian@lisas.de> - 3.3-2
- Added patches to handle changes in glibc
* Wed Jul 19 2017 Adrian Reber <adrian@lisas.de> - 3.3-1
- Update to 3.3
* Fri Jun 30 2017 Adrian Reber <adrian@lisas.de> - 3.2.1-2
- Added patches to handle unified hierarchy and new glibc
* Wed Jun 28 2017 Adrian Reber <adrian@lisas.de> - 3.2.1-1
- Update to 3.2.1-1
* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 3.1-2
- Rebuild for protobuf 3.3.1
* Mon May 22 2017 Adrian Reber <adrian@lisas.de> - 3.1-1
- Update to 3.1
* Tue Apr 25 2017 Adrian Reber <adrian@lisas.de> - 3.0-1
- Update to 3.0
* Thu Mar 09 2017 Adrian Reber <adrian@lisas.de> - 2.12-1
- Update to 2.12
* Fri Feb 17 2017 Adrian Reber <adrian@lisas.de> - 2.11.1-1
- Update to 2.11.1
* Thu Feb 16 2017 Adrian Reber <adrian@lisas.de> - 2.11-1
- Update to 2.11
* Mon Feb 13 2017 Adrian Reber <adrian@lisas.de> - 2.10-4
- Added patch to fix build on ppc64le
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Jan 23 2017 Orion Poplawski <orion@cora.nwra.com> - 2.10-2
- Rebuild for protobuf 3.2.0
* Mon Jan 16 2017 Adrian Reber <adrian@lisas.de> - 2.10-1
- Update to 2.10
* Mon Dec 12 2016 Adrian Reber <adrian@lisas.de> - 2.9-1
- Update to 2.9
- Added crit manpage to crit subpackage
* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 2.8-2
- Rebuild for protobuf 3.1.0
* Tue Nov 15 2016 Adrian Reber <adrian@lisas.de> - 2.8-1
- Update to 2.8
- Dropped 'mount_resolve_path()' patch
* Wed Oct 19 2016 Adrian Reber <adrian@lisas.de> - 2.7-2
- Added upstream patch to fix #1381351
("criu: mount_resolve_path(): criu killed by SIGSEGV")
* Wed Oct 19 2016 Adrian Reber <adrian@lisas.de> - 2.7-1
- Update to 2.7
* Tue Sep 13 2016 Adrian Reber <adrian@lisas.de> - 2.6-1
- Update to 2.6
* Tue Aug 30 2016 Adrian Reber <adrian@lisas.de> - 2.5-1
- Update to 2.5
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Tue Jul 12 2016 Adrian Reber <adrian@lisas.de> - 2.4-1
- Update to 2.4
* Tue Jun 14 2016 Adrian Reber <areber@redhat.com> - 2.3-1
- Update to 2.3
- Copy man-page from Fedora 24 for RHEL
* Mon May 23 2016 Adrian Reber <adrian@lisas.de> - 2.2-1
- Update to 2.2
* Tue Apr 12 2016 Adrian Reber <adrian@lisas.de> - 2.1-2
- Remove crtools symbolic link
* Mon Apr 11 2016 Adrian Reber <adrian@lisas.de> - 2.1-1
- Update to 2.1
* Wed Apr 06 2016 Adrian Reber <areber@redhat.com> - 2.0-2
- Merge changes from Fedora
* Thu Mar 10 2016 Andrey Vagin <avagin@openvz.org> - 2.0-1
- Update to 2.0
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Dec 07 2015 Adrian Reber <adrian@lisas.de> - 1.8-1
- Update to 1.8
* Mon Nov 02 2015 Adrian Reber <adrian@lisas.de> - 1.7.2-1
- Update to 1.7.2
* Mon Sep 7 2015 Andrey Vagin <avagin@openvz.org> - 1.7-1
- Update to 1.7
* Thu Sep 3 2015 Andrey Vagin <avagin@openvz.org> - 1.6.1-3
- Build only for power64le
* Thu Sep 3 2015 Andrey Vagin <avagin@openvz.org> - 1.6.1-2
- Build for aarch64 and power64
* Thu Aug 13 2015 Adrian Reber <adrian@lisas.de> - 1.6.1-1
- Update to 1.6.1
- Merge changes for RHEL packaging
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 09 2015 Adrian Reber <areber@redhat.com> - 1.6-1.1
- adapt to RHEL7
* Mon Jun 01 2015 Andrew Vagin <avagin@openvz.org> - 1.6-1
- Update to 1.6
* Thu Apr 30 2015 Andrew Vagin <avagin@openvz.org> - 1.5.2-2
- Require protobuf-python and python-ipaddr for python-criu
* Tue Apr 28 2015 Andrew Vagin <avagin@openvz.org> - 1.5.2
- Update to 1.5.2
* Sun Apr 19 2015 Nikita Spiridonov <nspiridonov@odin.com> - 1.5.1-2
- Create python-criu and crit subpackages
* Tue Mar 31 2015 Andrew Vagin <avagin@openvz.org> - 1.5.1
- Update to 1.5.1
* Sat Dec 06 2014 Adrian Reber <adrian@lisas.de> - 1.4-1
- Update to 1.4
* Tue Sep 23 2014 Adrian Reber <adrian@lisas.de> - 1.3.1-1
- Update to 1.3.1 (#1142896)
* Tue Sep 02 2014 Adrian Reber <adrian@lisas.de> - 1.3-1
- Update to 1.3
- Dropped all upstreamed patches
- included pkgconfig file in -devel
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Aug 07 2014 Andrew Vagin <avagin@openvz.org> - 1.2-4
- Include inttypes.h for PRI helpers
* Thu Aug 07 2014 Andrew Vagin <avagin@openvz.org> - 1.2-3
- Rebuilt for https://bugzilla.redhat.com/show_bug.cgi?id=1126751
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Feb 28 2014 Adrian Reber <adrian@lisas.de> - 1.2-1
- Update to 1.2
- Dropped all upstreamed patches
* Tue Feb 04 2014 Adrian Reber <adrian@lisas.de> - 1.1-4
- Create -devel subpackage
* Wed Dec 11 2013 Andrew Vagin <avagin@openvz.org> - 1.0-3
- Fix the epoch of crtools
* Tue Dec 10 2013 Andrew Vagin <avagin@openvz.org> - 1.0-2
- Rename crtools to criu #1034677
* Wed Nov 27 2013 Andrew Vagin <avagin@openvz.org> - 1.0-1
- Update to 1.0
* Thu Oct 24 2013 Andrew Vagin <avagin@openvz.org> - 0.8-1
- Update to 0.8
* Tue Sep 10 2013 Andrew Vagin <avagin@openvz.org> - 0.7-1
- Update to 0.7
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 24 2013 Andrew Vagin <avagin@openvz.org> - 0.6-3
- Delete all kind of -fstack-protector gcc options
* Wed Jul 24 2013 Andrew Vagin <avagin@openvz.org> - 0.6-3
- Added arm macro to ExclusiveArch
* Wed Jul 03 2013 Andrew Vagin <avagin@openvz.org> - 0.6-2
- fix building on ARM
- fix null pointer dereference
* Tue Jul 02 2013 Adrian Reber <adrian@lisas.de> - 0.6-1
- updated to 0.6
- upstream moved binaries to sbin
- using upstream's make install
* Tue May 14 2013 Adrian Reber <adrian@lisas.de> - 0.5-1
- updated to 0.5
* Fri Feb 22 2013 Adrian Reber <adrian@lisas.de> - 0.4-1
- updated to 0.4
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Tue Jan 22 2013 Adrian Reber <adrian@lisas.de> - 0.3-3
- added ExclusiveArch blocker bug
* Fri Jan 18 2013 Adrian Reber <adrian@lisas.de> - 0.3-2
- improved Summary and Description
* Mon Jan 14 2013 Adrian Reber <adrian@lisas.de> - 0.3-1
- updated to 0.3
- fix building Documentation/
* Tue Aug 21 2012 Adrian Reber <adrian@lisas.de> - 0.2-2
- remove macros like %%{__mkdir_p} and %%{__install}
- add comment why it is only x86_64
* Tue Aug 21 2012 Adrian Reber <adrian@lisas.de> - 0.2-1
- initial release