passt-0^20251210.gd04c480-2.el9

Resolves: RHEL-136313 RHEL-136461 RHEL-137439 RHEL-137588

0002-selinux-Use-systemd_logind_exec_t-instead-of-systemd.patch

@@ -0,0 +1,41 @@
+From 2244df26b2cb63acb51a20485e1ca7ad0649b152 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon, 22 Dec 2025 21:48:32 -0500
+Subject: [PATCH] selinux: Use systemd_logind_exec_t instead of
+ systemd_user_runtimedir_exec_t
+
+On CentOS Stream 9, selinux-policy doesn't contain commit
+700b3622d575 ("Confine /usr/lib/systemd/systemd-user-runtime-dir"),
+so the file context of /usr/lib/systemd/systemd-user-runtime-dir is
+still systemd_logind_exec_t there.
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ contrib/selinux/pasta.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index 7e1e821..d29d6c4 100644
+--- a/contrib/selinux/pasta.te
++++ b/contrib/selinux/pasta.te
+@@ -98,7 +98,7 @@ require {
+ 	type container_runtime_t;
+ 	type container_var_run_t;
+ 	type container_t;
+-	type systemd_user_runtimedir_t;
++	type systemd_logind_exec_t;
+ }
+ 
+ type pasta_t;
+@@ -250,7 +250,7 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootles
+ type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
+ allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+ allow pasta_t ifconfig_var_run_t:file { create open write };
+-allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
++allow systemd_logind_exec_t ifconfig_var_run_t:dir rmdir;
+ 
+ # Allow pasta to bind to any port
+ bool pasta_bind_all_ports true;
+-- 
+2.47.1
+

0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch

@@ -0,0 +1,110 @@
+From b40f5cd8c8e16c6eceb1f26eb895527fda84068b Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Sat, 13 Dec 2025 14:19:13 +0100
+Subject: [PATCH] tcp: Use less-than-MSS window on no queued data, or no data
+ sent recently
+
+We limit the advertised window to guests and containers to the
+available length of the sending buffer, and if it's less than the MSS,
+since commit cf1925fb7b77 ("tcp: Don't limit window to less-than-MSS
+values, use zero instead"), we approximate that limit to zero.
+
+This way, we'll trigger a window update as soon as we realise that we
+can advertise a larger value, just like we do in all other cases where
+we advertise a zero-sized window.
+
+By doing that, we don't wait for the peer to send us data before we
+update the window. This matters because the guest or container might
+be trying to aggregate more data and won't send us anything at all if
+the advertised window is too small.
+
+However, this might be problematic in two situations:
+
+1. one, reported by Tyler, where the remote (receiving) peer
+   advertises a window that's smaller than what we usually get and
+   very close to the MSS, causing the kernel to give us a starting
+   size of the buffer that's less than the MSS we advertise to the
+   guest or container.
+
+   If this happens, we'll never advertise a non-zero window after
+   the handshake, and the container or guest will never send us any
+   data at all.
+
+   With a simple 'curl https://cloudflare.com/', we get, with default
+   TCP memory parameters, a 65535-byte window from the peer, and 46080
+   bytes of initial sending buffer from the kernel. But we advertised
+   a 65480-byte MSS, and we'll never actually receive the client
+   request.
+
+   This seems to be specific to Cloudflare for some reason, probably
+   deriving from a particular tuning of TCP parameters on their
+   servers.
+
+2. another one, hypothesised by David, where the peer might only be
+   willing to process (and acknowledge) data in batches.
+
+   We might have queued outbound data which is, at the same time, not
+   enough to fill one of these batches and be acknowledged and removed
+   from the sending queue, but enough to make our available buffer
+   smaller than the MSS, and the connection will hang.
+
+Take care of both cases by:
+
+a. not approximating the sending buffer to zero if we have no outboud
+   queued data at all, because in that case we don't expect the
+   available buffer to increase if we don't send any data, so there's
+   no point in waiting for it to grow larger than the MSS.
+
+   This fixes problem 1. above.
+
+b. also using the full sending buffer size if we haven't send data to
+   the socket for a while (reported by tcpi_last_data_sent). This part
+   was already suggested by David in:
+
+     https://archives.passt.top/passt-dev/aTZzgtcKWLb28zrf@zatzit/
+
+   and I'm now picking ten times the RTT as a somewhat arbitrary
+   threshold.
+
+   This is meant to take care of potential problem 2. above, but it
+   also happens to fix 1.
+
+Reported-by: Tyler Cloud <tcloud@redhat.com>
+Link: https://bugs.passt.top/show_bug.cgi?id=183
+Suggested-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+---
+ tcp.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/tcp.c b/tcp.c
+index 81bc114..b179e39 100644
+--- a/tcp.c
++++ b/tcp.c
+@@ -1211,8 +1211,21 @@ int tcp_update_seqack_wnd(const struct ctx *c, struct tcp_tap_conn *conn,
+ 		 * the MSS to zero, as we already have mechanisms in place to
+ 		 * force updates after the window becomes zero. This matches the
+ 		 * suggestion from RFC 813, Section 4.
++		 *
++		 * But don't do this if, either:
++		 *
++		 * - there's nothing in the outbound queue: the size of the
++		 *   sending buffer is limiting us, and it won't increase if we
++		 *   don't send data, so there's no point in waiting, or
++		 *
++		 * - we haven't sent data in a while (somewhat arbitrarily, ten
++		 *   times the RTT), as that might indicate that the receiver
++		 *   will only process data in batches that are large enough,
++		 *   but we won't send enough to fill one because we're stuck
++		 *   with pending data in the outbound queue
+ 		 */
+-		if (limit < MSS_GET(conn))
++		if (limit < MSS_GET(conn) && sendq &&
++		    tinfo->tcpi_last_data_sent < tinfo->tcpi_rtt / 1000 * 10)
+ 			limit = 0;
+ 
+ 		new_wnd_to_tap = MIN((int)tinfo->tcpi_snd_wnd, limit);
+-- 
+2.47.1
+

0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch

@@ -0,0 +1,90 @@
+From 75dcbc300bf09c3649823b12d30c4f24de7271d4 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 23 Dec 2025 13:39:17 +0100
+Subject: [PATCH] pasta: Warn, disable matching IP version if not supported, in
+ local mode
+
+...instead of exiting, but only if local mode is enabled, that is, if
+we couldn't find a template interface or if the user didn't specify
+one.
+
+With IPv4, we always try to set or copy an address, so check if that
+fails.
+
+With IPv6, in local mode, we rely on the link-local address that's
+automatically generated inside the target namespace, and only fail
+later, as we try to set up routes. Check if that fails, instead.
+
+Otherwise, we'll fail to start if IPv6 support is not built in or
+disabled by the kernel ("ipv6.disable=1" on the command line),
+because, in that case, we'll try to enable local mode by default, and
+then fail to set any address or route.
+
+It would probably be more elegant to check for IP version support in
+conf_ip4_local() and conf_ip6_local(), and not even try to enable
+connectivity for unsupported versions, but it looks less robust than
+trying and failing, as there might be other ways to disable a given
+IP version.
+
+Note that there's currently no way to disable IPv4 support on the
+kernel command line, that is, there's no such thing as an
+ipv4.disable boot parameter. But I guess that's due to be eventually
+implemented, one day, so let's cover that case as well, also for
+consistency.
+
+Reported-by: Iyan <iyanmv@gmail.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2424192
+Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ pasta.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/pasta.c b/pasta.c
+index c307b8a..0ddd6b0 100644
+--- a/pasta.c
++++ b/pasta.c
+@@ -348,6 +348,12 @@ void pasta_ns_conf(struct ctx *c)
+ 						 AF_INET);
+ 			}
+ 
++			if (c->ifi4 == -1 && rc == -ENOTSUP) {
++				warn("IPv4 not supported, disabling");
++				c->ifi4 = 0;
++				goto ipv4_done;
++			}
++
+ 			if (rc < 0) {
+ 				die("Couldn't set IPv4 address(es) in namespace: %s",
+ 				    strerror_(-rc));
+@@ -367,6 +373,7 @@ void pasta_ns_conf(struct ctx *c)
+ 				    strerror_(-rc));
+ 			}
+ 		}
++ipv4_done:
+ 
+ 		if (c->ifi6) {
+ 			rc = nl_addr_get_ll(nl_sock_ns, c->pasta_ifi,
+@@ -413,12 +420,19 @@ void pasta_ns_conf(struct ctx *c)
+ 						  AF_INET6);
+ 			}
+ 
++			if (c->ifi6 == -1 && rc == -ENOTSUP) {
++				warn("IPv6 not supported, disabling");
++				c->ifi6 = 0;
++				goto ipv6_done;
++			}
++
+ 			if (rc < 0) {
+ 				die("Couldn't set IPv6 route(s) in guest: %s",
+ 				    strerror_(-rc));
+ 			}
+ 		}
+ 	}
++ipv6_done:
+ 
+ 	proto_update_l2_buf(c->guest_mac);
+ }
+-- 
+2.47.1
+

0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch

@@ -0,0 +1,58 @@
+From d2c5133990a7758bfa567fc73216393498949e9b Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 23 Dec 2025 01:59:34 +0100
+Subject: [PATCH] selinux: Enable read and watch permissions on netns directory
+ as well
+
+With commit 7aeda16a7818 ("selinux: Transition to pasta_t in
+containers"), we need to make sure that pasta can access the target
+namespace directory passed by Podman, and, in a general case, we have
+all the permissions we need.
+
+But if we now start a container without the Podman changes referenced
+by commit fd1bcc30af07 ("selinux: add container_var_run_t type
+transition"), or with them, but with the container being created
+before those and without a reboot in between, we'll additionally need
+'read' and 'watch' permissions on user_tmp_t directory as well, as
+user_tmp_t is still the (inconsistent) context of the namespace entry.
+
+Otherwise, on a container start/restart, we'll get SELinux denials:
+
+  type=AVC msg=audit(1766451401.296:184): avc:  denied  { read } for  pid=2159 comm="pasta.avx2" name="netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:obje
+ct_r:user_tmp_t:s0 tclass=dir permissive=1
+  type=AVC msg=audit(1766451401.298:185): avc:  denied  { watch } for  pid=2159 comm="pasta.avx2" path="/run/user/1001/netns" dev="tmpfs" ino=60 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
+
+This can be reproduced quite simply:
+
+  $ podman create -q --name hello hello
+  6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770
+
+  [upgrade passt's SELinux policy to a version including 7aeda16a7818]
+
+  $ podman start hello
+  Error: unable to start container "6c4eaf15a03edf799673a97d84d0331f3a3f34a11015b58c69318101a3232770": pasta failed with exit code 1:
+  netns dir open: Permission denied, exiting
+
+Reported-by: Tuomo Soini <tis@foobar.fi>
+Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+---
+ contrib/selinux/pasta.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
+index 95fe42a..3eb58f6 100644
+--- a/contrib/selinux/pasta.te
++++ b/contrib/selinux/pasta.te
+@@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
+ manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
+ files_pid_filetrans(pasta_t, pasta_pid_t, file)
+ 
+-allow pasta_t user_tmp_t:dir { add_name remove_name search write };
++allow pasta_t user_tmp_t:dir { add_name read remove_name search watch write };
+ allow pasta_t user_tmp_t:fifo_file append;
+ allow pasta_t user_tmp_t:file { create open write };
+ allow pasta_t user_tmp_t:sock_file { create unlink };
+-- 
+2.47.1
+

passt.spec

@@ -9,10 +9,11 @@
 
 %global git_hash d04c48032bcf724550d0b8f652fd00efcd2dfad0
 %global selinuxtype targeted
+%global selinux_policy_version 41.41
 
 Name:		passt
 Version:	0^20251210.gd04c480
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
 License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
@@ -20,6 +21,10 @@ URL:		https://passt.top/
 Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 
 Patch1:		0001-selinux-Drop-user_namespace-create-allow-rules.patch
+Patch2:		0002-selinux-Use-systemd_logind_exec_t-instead-of-systemd.patch
+Patch3:		0003-tcp-Use-less-than-MSS-window-on-no-queued-data-or-no.patch
+Patch4:		0004-pasta-Warn-disable-matching-IP-version-if-not-suppor.patch
+Patch5:		0005-selinux-Enable-read-and-watch-permissions-on-netns-d.patch
 
 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
 Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -35,15 +40,21 @@ for network namespaces: traffic is forwarded using a tap interface inside the
 namespace, without the need to create further interfaces on the host, hence not
 requiring any capabilities or privileges.
 
-%package    selinux
-BuildArch:  noarch
-Summary:    SELinux support for passt and pasta
-Requires:   %{name} = %{version}-%{release}
-Requires:   selinux-policy
-Requires(post): %{name}
-Requires(post): policycoreutils
-Requires(preun): %{name}
-Requires(preun): policycoreutils
+%package		    selinux
+BuildArch:		    noarch
+Summary:		    SELinux support for passt and pasta
+%if 0%{?fedora} > 43
+BuildRequires:      selinux-policy-devel
+%selinux_requires_min
+%else
+BuildRequires:      pkgconfig(systemd)
+Requires(post):     libselinux-utils
+Requires(post):     policycoreutils
+%endif
+Requires:		    container-selinux
+Requires:		    selinux-policy-%{selinuxtype}
+Requires(post):		container-selinux
+Requires(post):		selinux-policy-%{selinuxtype}
 
 %description selinux
 This package adds SELinux enforcement to passt(1), pasta(1), passt-repair(1).
@@ -91,15 +102,11 @@ popd
 %selinux_relabel_pre -s %{selinuxtype}
 
 %post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
-	%selinux_modules_uninstall -s %{selinuxtype} passt
-	%selinux_modules_uninstall -s %{selinuxtype} pasta
-	%selinux_modules_uninstall -s %{selinuxtype} passt-repair
+	%selinux_modules_uninstall -s %{selinuxtype} passt pasta passt-repair
 fi
 
 %posttrans selinux
@@ -132,6 +139,9 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
+* Wed Dec 24 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20251210.gd04c480-2
+- Resolves: RHEL-136313 RHEL-136461 RHEL-137439 RHEL-137588
+
 * Wed Dec 10 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20251210.gd04c480-1
 - Resolves: RHEL-134942 RHEL-134943