From 0a048bd314ab4d38c82c778e0b2fe2fcd8ec59b8 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Tue, 10 Feb 2026 18:42:13 -0500 Subject: [PATCH] passt-0^20251210.gd04c480-3.el9 Resolves: RHEL-137588 RHEL-136313 --- ...pen-permissions-on-netns-directory-o.patch | 68 +++++++++++++++++ ...-issue-in-check-for-approximating-wi.patch | 74 +++++++++++++++++++ passt.spec | 7 +- 3 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 0006-selinux-Enable-open-permissions-on-netns-directory-o.patch create mode 100644 0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch diff --git a/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch b/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch new file mode 100644 index 0000000..3072efd --- /dev/null +++ b/0006-selinux-Enable-open-permissions-on-netns-directory-o.patch 
@@ -0,0 +1,68 @@ +From 6babaa8a88eb337e4b81aeff673fcebb28015f36 Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Fri, 16 Jan 2026 16:48:46 +0100 +Subject: [PATCH 6/7] selinux: Enable open permissions on netns directory, + operations on container_var_run_t + +Tuomo reports two further SELinux denials after upgrading to a +passt-selinux version that includes the transition to pasta_t for +containers, one I could reproduce: + + denied { open } for pid=3343050 comm="pasta.avx2" path="/run/user/1000/netns" dev="tmpfs" ino=51 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 + +which I didn't take care of in the previous commit, d2c5133990a7 +("selinux: Enable read and watch permissions on netns directory as +well"), as it didn't appear in my quick test. But I can make pasta use +"open" on the network namespace entry by simply using it to make +connections. + +So, for that, add "open" to the existing rule for user_tmp_t:dir. + +Then, another one I couldn't reproduce instead: + + denied { write } for pid=3589324 comm="pasta.avx2" name="rootless-netns" dev="tmpfs" ino=36 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=dir permissive=0 + +which, I think, comes from a specific combination of versions of +container-selinux, Podman, and passt-selinux packages, which +prevents the expected type transition on container_var_run_t unless +restorecon is invoked manually, or until a reboot. + +Allowing the same permissions on container_var_run_t as we do on +ifconfig_var_run_t is harmless, so do that to prevent this further +denial. 
+ +Reported-by: Tuomo Soini +Fixes: d2c5133990a7 ("selinux: Enable read and watch permissions on netns directory as well") +Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") +Signed-off-by: Stefano Brivio +(cherry picked from commit a6d92ca82c9ea0b395aa56c568ee6b6e6d4ac81e) +--- + contrib/selinux/pasta.te | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te +index 22daa77..abeafa4 100644 +--- a/contrib/selinux/pasta.te ++++ b/contrib/selinux/pasta.te +@@ -148,7 +148,7 @@ allow pasta_t root_t:dir mounton; + manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) + files_pid_filetrans(pasta_t, pasta_pid_t, file) + +-allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write }; ++allow pasta_t user_tmp_t:dir { add_name open read remove_name search watch write }; + allow pasta_t user_tmp_t:fifo_file append; + allow pasta_t user_tmp_t:file { create open write }; + allow pasta_t user_tmp_t:sock_file { create unlink }; +@@ -248,7 +248,9 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; + type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; + type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; + type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; ++allow pasta_t container_var_run_t:dir { add_name open rmdir write }; + allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; ++allow pasta_t container_var_run_t:file { create open write }; + allow pasta_t ifconfig_var_run_t:file { create open write }; + allow systemd_logind_exec_t ifconfig_var_run_t:dir rmdir; + +-- +2.47.1 + diff --git a/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch b/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch new file mode 100644 index 0000000..b7cb942 --- /dev/null 
+++ b/0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch 
@@ -0,0 +1,74 @@ +From dbfbc33776290260b87bb29bb5572750f9709b35 Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Fri, 9 Jan 2026 13:52:00 +0100 +Subject: [PATCH 7/7] tcp: Fix rounding issue in check for approximating window + to zero + +In general, we approximate the advertised window to zero if we would +otherwise advertise less than a MSS worth, and the reasoning behind +that is explained in cf1925fb7b77 ("tcp: Don't limit window to +less-than-MSS values, use zero instead"). + +Then, in commit b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no +queued data, or no data sent recently"), I introduced some conditions +under which we won't do that, including a check on whether any data +was sent recently. + +As an arbitrary but probably reasonable threshold, we consider data to +have recently been sent if that occurred less than ten times the +round-trip time (RTT) ago. + +The time elapsed since the last data transmission is reported by the +kernel in milliseconds, in the tcpi_last_data_sent field of struct +tcp_info, and the RTT is reported in microseconds instead, in +tcpi_rtt. + +To avoid the risk of overflow in a simple way, for the purpose of this +comparison, I converted tcpi_rtt to milliseconds first, but this means +that the check will always be false (and we'll never approximate the +window to zero) if the RTT is below one millisecond. + +This, in turn, reintroduces nasty delay issues in transfers in +non-local connections which have however almost-local (low) latency. + +Given that we want to use ten times the RTT as an arbitrary "long +enough" upper bound, round the RTT up while converting it to +milliseconds. + +As an alternative, we could perform the comparison in microseconds, +but we would need a slightly more complicated implementation to +exclude overflows, and it's definitely not worth it given the nature +of this threshold. 
+ +Fixes: b40f5cd8c8e1 ("tcp: Use less-than-MSS window on no queued data, or no data sent recently") +Signed-off-by: Stefano Brivio +Reviewed-by: David Gibson +(cherry picked from commit 2be0e790804f99580b1c8a1781c49913440607f2) +--- + tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tcp.c b/tcp.c +index 23fcbc3..8f4f087 100644 +--- a/tcp.c ++++ b/tcp.c +@@ -1180,6 +1180,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn, + if ((conn->flags & LOCAL) || tcp_rtt_dst_low(conn)) { + new_wnd_to_tap = tinfo->tcpi_snd_wnd; + } else { ++ unsigned rtt_ms_ceiling = DIV_ROUND_UP(tinfo->tcpi_rtt, 1000); + uint32_t sendq; + int limit; + +@@ -1223,7 +1224,7 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn, + * with pending data in the outbound queue + */ + if (limit < MSS_GET(conn) && sendq && +- tinfo->tcpi_last_data_sent < tinfo->tcpi_rtt / 1000 * 10) ++ tinfo->tcpi_last_data_sent < rtt_ms_ceiling * 10) + limit = 0; + + new_wnd_to_tap = MIN((int)tinfo->tcpi_snd_wnd, limit); +-- +2.47.1 + diff --git a/passt.spec b/passt.spec index 62c0880..4c5fc5e 100644 --- a/passt.spec +++ b/passt.spec @@ -13,7 +13,7 @@ Name: passt Version: 0^20251210.gd04c480 -Release: 2%{?dist} +Release: 3%{?dist} Summary: User-mode networking daemons for virtual machines and namespaces License: GPL-2.0-or-later AND BSD-3-Clause Group: System Environment/Daemons 
@@ -25,6 +25,8 @@ Patch2: 0002-selinux-Use-systemd_logind_exec_t-instead-of-systemd.patch Patch3: 0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch Patch4: 0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch Patch5: 0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch +Patch6: 0006-selinux-Enable-open-permissions-on-netns-directory-o.patch +Patch7: 0007-tcp-Fix-rounding-issue-in-check-for-approximating-wi.patch BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) @@ -139,6 +141,9 @@ fi %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp %changelog +* Wed Feb 11 2026 Stefano Brivio - 0^20251210.gd04c480-3 +- Resolves: RHEL-137588 RHEL-136313 + * Wed Dec 24 2025 Stefano Brivio - 0^20251210.gd04c480-2 - Resolves: RHEL-136313 RHEL-136461 RHEL-137439 RHEL-137588
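Review bot: in the 0006 patch, the two new rules in the pasta.te hunk at @@ -248,7 +248,9 @@ grant pasta_t add_name/write/rmdir on every container_var_run_t directory and create/write on every container_var_run_t file, not only on the "rootless-netns" entry named in the logged denial, and the policy file itself carries no note that these lines exist to paper over the type transition on the line above failing for a particular container-selinux/Podman/passt-selinux combination (that rationale lives only in the commit message). Suggest a short comment immediately above `allow pasta_t container_var_run_t:dir { add_name open rmdir write };` stating that the grant mirrors the ifconfig_var_run_t rule as a workaround, so it can be reconsidered once the type_transition is known to apply reliably. The `open` added to the user_tmp_t:dir rule at @@ -148,7 +148,7 @@ matches the first denial (tclass=dir, `denied { open }`) and needs no change.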
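Review bot: in the 0007 patch, `unsigned rtt_ms_ceiling = DIV_ROUND_UP(tinfo->tcpi_rtt, 1000);` in the tcp.c hunk at @@ -1180,6 +1180,7 @@ has no comment explaining why the conversion rounds up where the replaced expression `tinfo->tcpi_rtt / 1000 * 10` truncated, so a later reader may "simplify" it back and reintroduce the sub-millisecond RTT case the commit message describes (threshold of zero, window never approximated to zero). Suggest a one-line comment on the declaration, e.g. `/* Round up: an RTT below 1 ms must still give a non-zero threshold */`. The hunk adds no include, so confirm DIV_ROUND_UP is already in scope for tcp.c. The overflow argument in the commit message still holds after this change: the value compared is at most (tcpi_rtt / 1000 + 1) * 10, only marginally larger than before.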
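Review bot: the passt.spec hunk at @@ -25,6 +25,8 @@ adds the Patch6 and Patch7 declarations but nothing in this diff shows them being applied; confirm %prep uses %autosetup or %autopatch (or add the matching %patch lines), otherwise the -3 release is built without either fix and the Resolves: tickets are closed on an unchanged binary.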
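Review bot: the %changelog entry in the hunk at @@ -139,6 +141,9 @@ lists only ticket IDs; the previous entry follows the same pattern, but a one-line description per backport (SELinux: open on netns directory and container_var_run_t rules; TCP: round RTT up when checking whether to advertise a zero window) would let anyone reading the RPM changelog understand the behavioural change, in particular the new SELinux allow rules, without access to the RHEL tracker. The date and Release in this entry are consistent with the Release bump at @@ -13,7 +13,7 @@.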