diff --git a/.gitignore b/.gitignore index 9858ca1..45484d2 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /passt-1ee2ecade3f41e2a3e51c1e580b08cba977a7c8d.tar.xz /passt-57a21d2df1467302dee71ee9d5683a8b96e6ce7f.tar.xz /passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz +/passt-238c69f9af458e41dea5ad8c988dbf65b05b5172.tar.xz diff --git a/0001-selinux-Drop-user_namespace-create-allow-rules.patch b/0001-selinux-Drop-user_namespace-create-allow-rules.patch index 4cac1f7..4149192 100644 --- a/0001-selinux-Drop-user_namespace-create-allow-rules.patch +++ b/0001-selinux-Drop-user_namespace-create-allow-rules.patch @@ -24,29 +24,28 @@ Signed-off-by: Stefano Brivio 2 files changed, 2 deletions(-) diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te -index facc2d1..de10f45 100644 +index c6cea34..131fadc 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te -@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace; +@@ -92,7 +92,6 @@ allow syslogd_t self:cap_userns sys_ptrace; allow passt_t self:process setcap; allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid}; allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; -allow passt_t self:user_namespace create; - allow passt_t passwd_file_t:file read_file_perms; - sssd_search_lib(passt_t) + auth_read_passwd(passt_t) + diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te -index ed70c5f..3226e37 100644 +index 69be081..892edae 100644 --- a/contrib/selinux/pasta.te 
+++ b/contrib/selinux/pasta.te -@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t) +@@ -110,7 +110,6 @@ init_daemon_domain(pasta_t, pasta_exec_t) allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; -allow pasta_t self:user_namespace create; - allow pasta_t passwd_file_t:file read_file_perms; - sssd_search_lib(pasta_t) + auth_read_passwd(pasta_t) + -- 2.39.2 - diff --git a/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch b/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch deleted file mode 100644 index 00692fa..0000000 --- a/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001 -From: David Gibson -Date: Wed, 14 Aug 2024 20:03:33 +1000 -Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0 - -Using a zero port on TCP or UDP is dubious, and we can't really deal with -forwarding such a flow within the constraints of the socket API. Hence -we ASSERT()ed that we had non-zero ports in flow_hash(). - -The intention was to make sure that the protocol code sanitizes such ports -before completing a flow entry. Unfortunately, flow_hash() is also called -on new packets to see if they have an existing flow, so the unsanitized -guest packet can crash passt with the assert. - -Correct this by moving the assert from flow_hash() to flow_sidx_hash() -which is only used on entries already in the table, not on unsanitized -data. - -Reported-by: Matt Hamilton -Signed-off-by: David Gibson -Signed-off-by: Stefano Brivio ---- - flow.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/flow.c b/flow.c -index 687e9fd..93b687d 100644 ---- a/flow.c -+++ b/flow.c -@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif, - { - struct siphash_state state = SIPHASH_INIT(c->hash_secret); - -- /* For the hash table to work, we need complete endpoint information, -- * and at least a forwarding port. 
-- */ -- ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && -- side->eport != 0 && side->fport != 0); -- - inany_siphash_feed(&state, &side->faddr); - inany_siphash_feed(&state, &side->eaddr); - -@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif, - static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx) - { - const struct flow_common *f = &flow_at_sidx(sidx)->f; -- return flow_hash(c, FLOW_PROTO(f), -- f->pif[sidx.sidei], &f->side[sidx.sidei]); -+ const struct flowside *side = &f->side[sidx.sidei]; -+ uint8_t pif = f->pif[sidx.sidei]; -+ -+ /* For the hash table to work, entries must have complete endpoint -+ * information, and at least a forwarding port. -+ */ -+ ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && -+ side->eport != 0 && side->fport != 0); -+ -+ return flow_hash(c, FLOW_PROTO(f), pif, side); - } - - /** --- -2.43.0 - diff --git a/passt.spec b/passt.spec index 6b9e6f5..eaedb55 100644 --- a/passt.spec +++ b/passt.spec @@ -7,12 +7,12 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd +%global git_hash 238c69f9af458e41dea5ad8c988dbf65b05b5172 %global selinuxtype targeted Name: passt -Version: 0^20240806.gee36266 -Release: 2%{?dist} +Version: 0^20241121.g238c69f +Release: 1%{?dist} Summary: User-mode networking daemons for virtual machines and namespaces License: GPL-2.0-or-later AND BSD-3-Clause Group: System Environment/Daemons @@ -20,7 +20,6 @@ URL: https://passt.top/ Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz Patch1: 0001-selinux-Drop-user_namespace-create-allow-rules.patch -Patch2: 0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) 
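Review bot: Removing `Patch2:` drops the flow_hash() port-0 assert fix without the spec recording why; the changelog entry added in the next hunk only says `Resolves: RHEL-65502`. The deleted patch's own description says the assert was reachable from an unsanitized guest packet, so the fix is presumably carried by the new upstream snapshot 238c69f, but nothing on the page confirms that. I'd state it in the changelog, e.g. a second bullet `- Drop 0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch, fix is in upstream snapshot`, so a later rebase to a snapshot that predates the fix can be caught rather than silently reintroducing the crash.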
@@ -127,6 +126,9 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 %changelog
+* Thu Nov 21 2024 Stefano Brivio - 0^20241121.g238c69f-1
+- Resolves: RHEL-65502
+
 * Wed Aug 14 2024 Stefano Brivio - 0^20240806-gee36266-2
 - Resolves: RHEL-54268
diff --git a/sources b/sources
index 8ba9cf6..bb55ad6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz) = f3d6b8155ffdd58f7bf291c78ec0607e1acbc879880fc69aaa1a29d6ba96f80fef5a0c8bca6f0ddd3916eeae823d2d3a006f4598fce9f9a3b489413561c72727
+SHA512 (passt-238c69f9af458e41dea5ad8c988dbf65b05b5172.tar.xz) = c170bdeabe6d9752f5750a11f3292ea8f96562f9d971a3fdedcddb036334fda44b8491be362bbb0892312de8da575ab4ef1842232253ad66edcadae10ac8cd49