import CS passt-0^20250217.ga1e48a0-1.el9

.gitignore

@@ -1 +1 @@
-SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
+SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz

.passt.metadata

@@ -1 +1 @@
-421a821e193faa31035a158c913c70d7fc13bf68 SOURCES/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
+6561fdc75b29dc6566bc1fb30b88d6846ef5e23b SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz

SOURCES/0001-selinux-Drop-user_namespace-create-allow-rules.patch

@@ -24,29 +24,28 @@ Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
  2 files changed, 2 deletions(-)
 
 diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
-index facc2d1..de10f45 100644
+index c6cea34..131fadc 100644
 --- a/contrib/selinux/passt.te
 +++ b/contrib/selinux/passt.te
-@@ -93,7 +93,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
+@@ -92,7 +92,6 @@ allow syslogd_t self:cap_userns sys_ptrace;
  allow passt_t self:process setcap;
  allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
  allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
 -allow passt_t self:user_namespace create;
  
- allow passt_t passwd_file_t:file read_file_perms;
- sssd_search_lib(passt_t)
+ auth_read_passwd(passt_t)
+ 
 diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
-index ed70c5f..3226e37 100644
+index 69be081..892edae 100644
 --- a/contrib/selinux/pasta.te
 +++ b/contrib/selinux/pasta.te
-@@ -113,7 +113,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
+@@ -110,7 +110,6 @@ init_daemon_domain(pasta_t, pasta_exec_t)
  
  allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
  allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
 -allow pasta_t self:user_namespace create;
  
- allow pasta_t passwd_file_t:file read_file_perms;
- sssd_search_lib(pasta_t)
+ auth_read_passwd(pasta_t)
+ 
 -- 
 2.39.2
-

SOURCES/0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch

@@ -1,64 +0,0 @@
-From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001
-From: David Gibson <david@gibson.dropbear.id.au>
-Date: Wed, 14 Aug 2024 20:03:33 +1000
-Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0
-
-Using a zero port on TCP or UDP is dubious, and we can't really deal with
-forwarding such a flow within the constraints of the socket API.  Hence
-we ASSERT()ed that we had non-zero ports in flow_hash().
-
-The intention was to make sure that the protocol code sanitizes such ports
-before completing a flow entry.  Unfortunately, flow_hash() is also called
-on new packets to see if they have an existing flow, so the unsanitized
-guest packet can crash passt with the assert.
-
-Correct this by moving the assert from flow_hash() to flow_sidx_hash()
-which is only used on entries already in the table, not on unsanitized
-data.
-
-Reported-by: Matt Hamilton <matt@thmail.io>
-Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
----
- flow.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/flow.c b/flow.c
-index 687e9fd..93b687d 100644
---- a/flow.c
-+++ b/flow.c
-@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
- {
- 	struct siphash_state state = SIPHASH_INIT(c->hash_secret);
- 
--	/* For the hash table to work, we need complete endpoint information,
--	 * and at least a forwarding port.
--	 */
--	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
--	       side->eport != 0 && side->fport != 0);
--
- 	inany_siphash_feed(&state, &side->faddr);
- 	inany_siphash_feed(&state, &side->eaddr);
- 
-@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
- static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx)
- {
- 	const struct flow_common *f = &flow_at_sidx(sidx)->f;
--	return flow_hash(c, FLOW_PROTO(f),
--			 f->pif[sidx.sidei], &f->side[sidx.sidei]);
-+	const struct flowside *side = &f->side[sidx.sidei];
-+	uint8_t pif = f->pif[sidx.sidei];
-+
-+	/* For the hash table to work, entries must have complete endpoint
-+	 * information, and at least a forwarding port.
-+	 */
-+	ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
-+	       side->eport != 0 && side->fport != 0);
-+
-+	return flow_hash(c, FLOW_PROTO(f), pif, side);
- }
- 
- /**
--- 
-2.43.0
-

SPECS/passt.spec

@@ -7,12 +7,12 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd
+%global git_hash a1e48a02ff3550eb7875a7df6726086e9b3a1213
 %global selinuxtype targeted
 
 Name:		passt
-Version:	0^20240806.gee36266
-Release:	2%{?dist}
+Version:	0^20250217.ga1e48a0
+Release:	1%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
 License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
@@ -20,7 +20,6 @@ URL:		https://passt.top/
 Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 
 Patch1:		0001-selinux-Drop-user_namespace-create-allow-rules.patch
-Patch2:		0002-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
 
 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
 Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -47,7 +46,7 @@ Requires(preun): %{name}
 Requires(preun): policycoreutils
 
 %description selinux
-This package adds SELinux enforcement to passt(1) and pasta(1).
+This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
 
 %prep
 %autosetup -S git_am -n passt-%{git_hash}
@@ -85,6 +84,7 @@ make -f %{_datadir}/selinux/devel/Makefile
 install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if
 install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+install -p -m 644 -D passt-repair.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 popd
 
 %pre selinux
@@ -93,11 +93,13 @@ popd
 %post selinux
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
 	%selinux_modules_uninstall -s %{selinuxtype} passt
 	%selinux_modules_uninstall -s %{selinuxtype} pasta
+	%selinux_modules_uninstall -s %{selinuxtype} passt-repair
 fi
 
 %posttrans selinux
@@ -111,9 +113,11 @@ fi
 %{_bindir}/passt
 %{_bindir}/pasta
 %{_bindir}/qrap
+%{_bindir}/passt-repair
 %{_mandir}/man1/passt.1*
 %{_mandir}/man1/pasta.1*
 %{_mandir}/man1/qrap.1*
+%{_mandir}/man1/passt-repair.1*
 %ifarch x86_64
 %{_bindir}/passt.avx2
 %{_mandir}/man1/passt.avx2.1*
@@ -125,8 +129,21 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
+* Mon Feb 17 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-1
+- Resolves: RHEL-79787
+
+* Wed Jan 22 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250121.g4f2c8e7-3
+- Resolves: RHEL-75654
+
+* Tue Jan 21 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250121.g4f2c8e7-1
+- Resolves: RHEL-75654
+
+* Thu Nov 21 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20241121.g238c69f-1
+- Resolves: RHEL-65502
+
 * Wed Aug 14 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20240806-gee36266-2
 - Resolves: RHEL-54268