Added additional fixup patches for the socket labelling
This commit is contained in:
parent
7c8402231e
commit
ed2d9e8c3f
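--- a/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
+++ b/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
@@ -0,0 +1,67 @@
+From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Fri, 3 May 2019 06:27:51 +0000
+Subject: [PATCH] lsm: fix compiler error 'unused-result'
+
+Reading out the xattr 'security.selinux' of checkpointed sockets with
+fscanf() works (at least in theory) without checking the result of
+fscanf(). There are, however, multiple CI failures when ignoring the
+return value of fscanf().
+
+This adds ferror() to check if the stream has an actual error or if '-1'
+just mean EOF.
+
+Handle all errors of fscanf() // Andrei
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+---
+criu/lsm.c | 22 +++++++++++++---------
+1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index ef6ba112b3..9c9ac7f80e 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
+return -1;
+
+if (fscanf(f, "%ms", profile_name) != 1) {
+- fclose(f);
+pr_perror("err scanfing");
++ fclose(f);
+return -1;
+}
+
+@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
+static int selinux_get_sockcreate_label(pid_t pid, char **output)
+{
+FILE *f;
++ int ret;
+
+f = fopen_proc(pid, "attr/sockcreate");
+if (!f)
+return -1;
+
+- fscanf(f, "%ms", output);
+- /*
+- * No need to check the result of fscanf(). If there is something
+- * in /proc/PID/attr/sockcreate it will be copied to *output. If
+- * there is nothing it will stay NULL. So whatever fscanf() does
+- * it should be correct.
+- */
+-
++ ret = fscanf(f, "%ms", output);
++ if (ret == -1 && errno != 0) {
++ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
++ /*
++ * Only if the error indicator is set it is a real error.
++ * -1 could also be EOF, which would mean that sockcreate
++ * was just empty, which is the most common case.
++ */
++ fclose(f);
++ return -1;
++ }
+fclose(f);
+return 0;
+}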
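Review bot: The new check in selinux_get_sockcreate_label tests `errno != 0` after fscanf() returned -1, but nothing in the hunk clears errno before the call, so a stale value left by an earlier call (fopen_proc or anything before it) could turn the common empty-sockcreate EOF case into a hard failure, while the commit message and the comment inside the block both describe an ferror() check, which is what actually reports the stream's error indicator. Change the condition to `if (ret == -1 && ferror(f)) {`, or add `errno = 0;` immediately before the fscanf() call. On a plain EOF `*output` is left untouched, so the function still depends on the caller having set it to NULL, as the removed comment said; that dependency should survive in the new comment block. The apparmor hunk only moves fclose() after pr_perror() so the errno text is still correct when logged, which is fine.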
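--- a/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
+++ b/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
@@ -0,0 +1,44 @@
+From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Sat, 4 May 2019 20:01:52 -0700
+Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
+
+Fixes #693
+---
+criu/lsm.c | 16 ++++++++++++++--
+1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index 9c9ac7f80e..5921138392 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
+
+int reset_setsockcreatecon()
+{
+- return setsockcreatecon_raw(NULL);
++ /* Currently this only works for SELinux. */
++ if (kdat.lsm != LSMTYPE__SELINUX)
++ return 0;
++
++ if (setsockcreatecon_raw(NULL)) {
++ pr_perror("Unable to reset socket SELinux context");
++ return -1;
++ }
++ return 0;
+}
+
+int run_setsockcreatecon(FdinfoEntry *e)
+@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
+
+ctx = e->xattr_security_selinux;
+/* Writing to the FD using fsetxattr() did not work for some reason. */
+- return setsockcreatecon_raw(ctx);
++ if (setsockcreatecon_raw(ctx)) {
++ pr_perror("Unable to set the %s socket SELinux context", ctx);
++ return -1;
++ }
++ return 0;
+}
+
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)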
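Review bot: run_setsockcreatecon does not get the `kdat.lsm != LSMTYPE__SELINUX` early return that the same patch adds to reset_setsockcreatecon, so unless its head (which starts before the second hunk) already bails out for entries without an SELinux xattr, setsockcreatecon_raw(ctx) will now fail the restore through the new pr_perror path on hosts where SELinux is disabled, which is the situation #693 describes. If no such guard exists there, mirror the reset function with `if (kdat.lsm != LSMTYPE__SELINUX) return 0;` before the call. The new message also feeds `ctx` to a `%s` directive; the head presumably guarantees it is non-NULL, but that is the same class of problem the Fedora 30 patch corrects in dump_xattr_security_selinux, so it is worth confirming.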
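--- a/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
+++ b/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
@@ -0,0 +1,40 @@
+From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Sat, 4 May 2019 15:27:32 +0200
+Subject: [PATCH] lsm: fix compiler error on Fedora 30
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes following compiler error:
+
+criu/lsm.c: In function ‘dump_xattr_security_selinux’:
+criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
+51 | print_on_level(LOG_ERROR, \
+| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+52 | "Error (%s:%d): " LOG_PREFIX fmt, \
+| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+53 | __FILE__, __LINE__, ##__VA_ARGS__)
+| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’
+166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+| ^~~~~~
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+criu/lsm.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index 5921138392..420585ba4f 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+/* Get the size of the xattr. */
+len = fgetxattr(fd, "security.selinux", ctx, 0);
+if (len == -1) {
+- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
++ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
+return -1;
+}
+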
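Review bot: The rewritten pr_err in dump_xattr_security_selinux still does not report why fgetxattr() failed: a -1 return sets errno (ENODATA when the socket simply has no security.selinux attribute, ENOTSUP where xattrs are unsupported), and pr_err does not print it, so the log cannot distinguish an unlabelled socket from a genuine read error. Use the errno-aware helper this file already uses for the other failure paths, `pr_perror("Reading xattr security.selinux from FD %d failed", fd);` (no trailing newline, matching the existing pr_perror calls). Whether ENODATA should fail the dump at all depends on how the function is guarded before the hunk, which starts outside it; if there is no kdat.lsm check ahead of this call, treating ENODATA as "no label, nothing to dump" is the more robust behaviour.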
11
criu.spec
@ -12,7 +12,7 @@
Name: criu
Version: 3.12
Release: 8%{?dist}
Release: 9%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
@ -21,6 +21,9 @@ URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: perl
@ -102,6 +105,9 @@ their content in human-readable form.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?rhel} && 0%{?rhel} <= 7
%patch100 -p1
@ -175,6 +181,9 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%changelog
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
- Added additional fixup patches for the socket labelling
* Sat May 04 2019 Adrian Reber <adrian@lisas.de> - 3.12-8
- Patch for socket labelling has changed upstream