rpms
/
criu
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:i8c-stream-2.0
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i8c-stream-rhel8
rpms:c8-stream-rhel8
rpms:i8c-beta-stream-rhel8
rpms:c8-beta-stream-rhel8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-stream-4.0
rpms:c8-stream-4.0
rpms:i8c-stream-3.0
rpms:c8-stream-3.0
rpms:i8c-stream-2.0
rpms:c8-stream-2.0
rpms:i8c-stream-1.0
rpms:c8-stream-1.0
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
..
compare: rpms:c9
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i8c-stream-rhel8
rpms:c8-stream-rhel8
rpms:i8c-beta-stream-rhel8
rpms:c8-beta-stream-rhel8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-stream-4.0
rpms:c8-stream-4.0
rpms:i8c-stream-3.0
rpms:c8-stream-3.0
rpms:i8c-stream-2.0
rpms:c8-stream-2.0
rpms:i8c-stream-1.0
rpms:c8-stream-1.0
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8

No commits in common. 'i8c-stream-2.0' and 'c9' have entirely different histories.
i8c-stream ... c9

11 changed files with 344 additions and 1080 deletions
Show Stats

2
.criu.metadata
Unescape View File

@ -1 +1 @@
b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2
f359d9a3af080f5d3293c847af5ab10f58639d85 SOURCES/criu-3.18.tar.gz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/criu-3.12.tar.bz2
SOURCES/criu-3.18.tar.gz

57
SOURCES/0001-Fix-building-with-annobin.patch
Unescape View File

@ -0,0 +1,57 @@
From 4878775c8e0f2ea6869aff139d219f6eb0c4006c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 28 Jan 2022 15:10:31 +0000
Subject: [PATCH] Fix building with annobin
Annobin (used at least in Fedora and RHEL) injects annotation into the
compiled objects which break the parasite and restorer.
This removes the annobin flags as used in Fedora and RHEL and makes CRIU
work on Fedora and RHEL with annobin enabled.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
compel/plugins/Makefile | 2 +-
criu/pie/Makefile | 2 +-
criu/pie/Makefile.library | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/compel/plugins/Makefile b/compel/plugins/Makefile
index e5fa781ac..37630d438 100644
--- a/compel/plugins/Makefile
+++ b/compel/plugins/Makefile
@@ -1,4 +1,4 @@
-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
+CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0
CFLAGS += -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=0
diff --git a/criu/pie/Makefile b/criu/pie/Makefile
index 265dcf82b..386626334 100644
--- a/criu/pie/Makefile
+++ b/criu/pie/Makefile
@@ -4,7 +4,7 @@
target := parasite restorer
-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
+CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
CFLAGS += $(CFLAGS_PIE)
ccflags-y += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0
ccflags-y += -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=0
diff --git a/criu/pie/Makefile.library b/criu/pie/Makefile.library
index da2a2fab3..6247afe7e 100644
--- a/criu/pie/Makefile.library
+++ b/criu/pie/Makefile.library
@@ -21,7 +21,7 @@ ifeq ($(ARCH),arm)
lib-y += ./$(ARCH_DIR)/pie-cacheflush.o
endif
-CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN),$(CFLAGS))
+CFLAGS := $(filter-out -pg $(CFLAGS-GCOV) $(CFLAGS-ASAN) -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1,$(CFLAGS))
CFLAGS += $(CFLAGS_PIE)
ifeq ($(ARCH),mips)
--
2.34.1

67
SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Unescape View File

@ -1,67 +0,0 @@
From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Fri, 3 May 2019 06:27:51 +0000
Subject: [PATCH] lsm: fix compiler error 'unused-result'
Reading out the xattr 'security.selinux' of checkpointed sockets with
fscanf() works (at least in theory) without checking the result of
fscanf(). There are, however, multiple CI failures when ignoring the
return value of fscanf().
This adds ferror() to check if the stream has an actual error or if '-1'
just mean EOF.
Handle all errors of fscanf() // Andrei
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
criu/lsm.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index ef6ba112b3..9c9ac7f80e 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
return -1;
if (fscanf(f, "%ms", profile_name) != 1) {
- fclose(f);
pr_perror("err scanfing");
+ fclose(f);
return -1;
}
@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
static int selinux_get_sockcreate_label(pid_t pid, char **output)
{
FILE *f;
+ int ret;
f = fopen_proc(pid, "attr/sockcreate");
if (!f)
return -1;
- fscanf(f, "%ms", output);
- /*
- * No need to check the result of fscanf(). If there is something
- * in /proc/PID/attr/sockcreate it will be copied to *output. If
- * there is nothing it will stay NULL. So whatever fscanf() does
- * it should be correct.
- */
-
+ ret = fscanf(f, "%ms", output);
+ if (ret == -1 && errno != 0) {
+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
+ /*
+ * Only if the error indicator is set it is a real error.
+ * -1 could also be EOF, which would mean that sockcreate
+ * was just empty, which is the most common case.
+ */
+ fclose(f);
+ return -1;
+ }
fclose(f);
return 0;
}

834
SOURCES/685.patch
Unescape View File

@ -1,834 +0,0 @@
From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:41:46 +0000
Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
The file /proc/PID/attr/sockcreate is used by SELinux to label newly
created sockets with the label available at sockcreate.
If it is NULL, the default label of the process will be used.
This reads out that file during checkpoint and restores the value during
restore.
This value is irrelevant for existing sockets as they might have been
created with another context. This is only to make sure that newly
created sockets have the correct context.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++
criu/include/restorer.h | 2 ++
criu/lsm.c | 32 ++++++++++++++++++++++++++++++++
criu/pie/restorer.c | 15 ++++++++++-----
images/creds.proto | 1 +
5 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 5fd22e9246..f254cbc0eb 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
if (args->lsm_profile)
args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
+ if (args->lsm_sockcreate)
+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
if (args->groups)
args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
args->mem_lsm_profile_pos = 0;
}
+ if (ce->lsm_sockcreate) {
+ char *rendered = NULL;
+ char *profile;
+
+ profile = ce->lsm_sockcreate;
+
+ if (validate_lsm(profile) < 0)
+ return ERR_PTR(-EINVAL);
+
+ if (profile && render_lsm_profile(profile, &rendered)) {
+ return ERR_PTR(-EINVAL);
+ }
+ if (rendered) {
+ size_t lsm_sockcreate_len;
+ char *lsm_sockcreate;
+
+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
+ lsm_sockcreate_len = strlen(rendered);
+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
+ if (!lsm_sockcreate) {
+ xfree(rendered);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
+ args->lsm_sockcreate = lsm_sockcreate;
+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
+ xfree(rendered);
+ }
+ } else {
+ args->lsm_sockcreate = NULL;
+ args->mem_lsm_sockcreate_pos = 0;
+ }
+
/*
* Zap fields which we can't use.
*/
diff --git a/criu/include/restorer.h b/criu/include/restorer.h
index 2884ce9e6d..b83e9130c5 100644
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -69,8 +69,10 @@ struct thread_creds_args {
unsigned int secbits;
char *lsm_profile;
unsigned int *groups;
+ char *lsm_sockcreate;
unsigned long mem_lsm_profile_pos;
+ unsigned long mem_lsm_sockcreate_pos;
unsigned long mem_groups_pos;
unsigned long mem_pos_next;
diff --git a/criu/lsm.c b/criu/lsm.c
index 849ec37cde..b0ef0c396c 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
freecon(ctx);
return ret;
}
+
+/*
+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
+ * to see if the PID has a special label specified for sockets.
+ * Most of the time this will be empty and the process will use
+ * the process context also for sockets.
+ */
+static int selinux_get_sockcreate_label(pid_t pid, char **output)
+{
+ FILE *f;
+
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+
+ fscanf(f, "%ms", output);
+ /*
+ * No need to check the result of fscanf(). If there is something
+ * in /proc/PID/attr/sockcreate it will be copied to *output. If
+ * there is nothing it will stay NULL. So whatever fscanf() does
+ * it should be correct.
+ */
+
+ fclose(f);
+ return 0;
+}
#endif
void kerndat_lsm(void)
@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
int ret;
ce->lsm_profile = NULL;
+ ce->lsm_sockcreate = NULL;
switch (kdat.lsm) {
case LSMTYPE__NO_LSM:
@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
#ifdef CONFIG_HAS_SELINUX
case LSMTYPE__SELINUX:
ret = selinux_get_label(pid, &ce->lsm_profile);
+ if (ret)
+ break;
+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
break;
#endif
default:
@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
if (ce->lsm_profile)
pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
+ if (ce->lsm_sockcreate)
+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
return ret;
}
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 6e18cc2606..4f42605a09 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
sys_exit_group(1);
}
-static int lsm_set_label(char *label, int procfd)
+static int lsm_set_label(char *label, char *type, int procfd)
{
int ret = -1, len, lsmfd;
char path[STD_LOG_SIMPLE_CHUNK];
@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
if (!label)
return 0;
- pr_info("restoring lsm profile %s\n", label);
+ pr_info("restoring lsm profile (%s) %s\n", type, label);
- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
if (lsmfd < 0) {
@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
* SELinux and instead the process context is set before the
* threads are created.
*/
- if (lsm_set_label(args->lsm_profile, procfd) < 0)
+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
return -1;
}
+
+ /* Also set the sockcreate label for all threads */
+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
+ return -1;
+
return 0;
}
@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
if (args->lsm_type == LSMTYPE__SELINUX) {
/* Only for SELinux */
if (lsm_set_label(args->t->creds_args->lsm_profile,
- args->proc_fd) < 0)
+ "current", args->proc_fd) < 0)
goto core_restore_end;
}
diff --git a/images/creds.proto b/images/creds.proto
index 29fb8652eb..23b84c7e50 100644
--- a/images/creds.proto
+++ b/images/creds.proto
@@ -20,4 +20,5 @@ message creds_entry {
repeated uint32 groups = 14;
optional string lsm_profile = 15;
+ optional string lsm_sockcreate = 16;
}
From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 May 2019 13:47:29 +0000
Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
restore
This makes sure that sockcreate stays empty for selinux00 before and
after checkpoint/restore.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
index dd9096a6fc..db8420eacb 100644
--- a/test/zdtm/static/selinux00.c
+++ b/test/zdtm/static/selinux00.c
@@ -83,6 +83,31 @@ int checkprofile()
return 0;
}
+int check_sockcreate()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
test_init(argc, argv);
@@ -95,12 +120,21 @@ int main(int argc, char **argv)
return 0;
}
+ if (check_sockcreate())
+ return -1;
+
if (setprofile())
return -1;
+ if (check_sockcreate())
+ return -1;
+
test_daemon();
test_waitsig();
+ if (check_sockcreate())
+ return -1;
+
if (checkprofile() == 0)
pass();
From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Mon, 29 Apr 2019 15:21:59 +0200
Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
Restoring a SELinux process also requires to correctly label sockets.
During checkpointing fgetxattr() is used to retrieve the
"security.selinux" xattr and during restore setsockcreatecon() is used
before a socket is created.
Previous commits are already restoring the sockcreate SELinux setting if
set by the process.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/include/lsm.h | 18 +++++++++++++++
criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++
criu/sk-inet.c | 12 ++++++++++
criu/sockets.c | 4 ++++
images/fdinfo.proto | 1 +
5 files changed, 91 insertions(+)
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b4fce13039..3b82712829 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -3,6 +3,7 @@
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
int render_lsm_profile(char *profile, char **val);
extern int lsm_check_opts(void);
+
+#ifdef CONFIG_HAS_SELINUX
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
+int run_setsockcreatecon(FdinfoEntry *e);
+int reset_setsockcreatecon();
+#else
+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
+ return 0;
+}
+static inline int run_setsockcreatecon(FdinfoEntry *e) {
+ return 0;
+}
+static inline int reset_setsockcreatecon() {
+ return 0;
+}
+#endif
+
#endif /* __CR_LSM_H__ */
diff --git a/criu/lsm.c b/criu/lsm.c
index b0ef0c396c..ef6ba112b3 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -3,6 +3,7 @@
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <unistd.h>
#include "common/config.h"
@@ -11,10 +12,12 @@
#include "util.h"
#include "cr_options.h"
#include "lsm.h"
+#include "fdstore.h"
#include "protobuf.h"
#include "images/inventory.pb-c.h"
#include "images/creds.pb-c.h"
+#include "images/fdinfo.pb-c.h"
#ifdef CONFIG_HAS_SELINUX
#include <selinux/selinux.h>
@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
fclose(f);
return 0;
}
+
+int reset_setsockcreatecon()
+{
+ return setsockcreatecon_raw(NULL);
+}
+
+int run_setsockcreatecon(FdinfoEntry *e)
+{
+ char *ctx = NULL;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+ return setsockcreatecon_raw(ctx);
+}
+
+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+{
+ char *ctx = NULL;
+ int len;
+ int ret;
+
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ /* Get the size of the xattr. */
+ len = fgetxattr(fd, "security.selinux", ctx, 0);
+ if (len == -1) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ ctx = xmalloc(len);
+ if (!ctx) {
+ pr_err("xmalloc to read xattr for FD %d failed\n", fd);
+ return -1;
+ }
+
+ ret = fgetxattr(fd, "security.selinux", ctx, len);
+ if (len != ret) {
+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ return -1;
+ }
+
+ e->xattr_security_selinux = ctx;
+
+ return 0;
+}
+
#endif
void kerndat_lsm(void)
diff --git a/criu/sk-inet.c b/criu/sk-inet.c
index 60ee4c3155..ca5c9bf2cd 100644
--- a/criu/sk-inet.c
+++ b/criu/sk-inet.c
@@ -23,6 +23,9 @@
#include "files.h"
#include "image.h"
#include "log.h"
+#include "lsm.h"
+#include "kerndat.h"
+#include "pstree.h"
#include "rst-malloc.h"
#include "sockets.h"
#include "sk-inet.h"
@@ -30,6 +33,8 @@
#include "util.h"
#include "namespaces.h"
+#include "images/inventory.pb-c.h"
+
#undef LOG_PREFIX
#define LOG_PREFIX "inet: "
@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
if (set_netns(ie->ns_id))
return -1;
+ if (run_setsockcreatecon(fle->fe))
+ return -1;
+
sk = socket(ie->family, ie->type, ie->proto);
if (sk < 0) {
pr_perror("Can't create inet socket");
return -1;
}
+ if (reset_setsockcreatecon())
+ return -1;
+
if (ie->v6only) {
if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
goto err;
@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
}
*new_fd = sk;
+
return 1;
err:
close(sk);
diff --git a/criu/sockets.c b/criu/sockets.c
index 30072ac737..7f7453ca1d 100644
--- a/criu/sockets.c
+++ b/criu/sockets.c
@@ -22,6 +22,7 @@
#include "util-pie.h"
#include "sk-packet.h"
#include "namespaces.h"
+#include "lsm.h"
#include "net.h"
#include "xmalloc.h"
#include "fs-magic.h"
@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
int family;
const struct fdtype_ops *ops;
+ if (dump_xattr_security_selinux(lfd, e))
+ return -1;
+
if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
return -1;
diff --git a/images/fdinfo.proto b/images/fdinfo.proto
index ed82ceffe7..77e375aa94 100644
--- a/images/fdinfo.proto
+++ b/images/fdinfo.proto
@@ -47,6 +47,7 @@ message fdinfo_entry {
required uint32 flags = 2;
required fd_types type = 3;
required uint32 fd = 4;
+ optional string xattr_security_selinux = 5;
}
message file_entry {
From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 30 Apr 2019 09:47:32 +0000
Subject: [PATCH 4/4] selinux: add socket label test
This adds two more SELinux test to verfy that checkpointing and
restoring SELinux socket labels works correctly, if the process uses
setsockcreatecon() or if the process leaves the default context for
newly created sockets.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
test/zdtm/static/Makefile | 3 +
test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++
test/zdtm/static/selinux01.checkskip | 1 +
test/zdtm/static/selinux01.desc | 1 +
test/zdtm/static/selinux01.hook | 1 +
test/zdtm/static/selinux02.c | 1 +
test/zdtm/static/selinux02.checkskip | 1 +
test/zdtm/static/selinux02.desc | 1 +
test/zdtm/static/selinux02.hook | 1 +
9 files changed, 210 insertions(+)
create mode 100644 test/zdtm/static/selinux01.c
create mode 120000 test/zdtm/static/selinux01.checkskip
create mode 120000 test/zdtm/static/selinux01.desc
create mode 120000 test/zdtm/static/selinux01.hook
create mode 120000 test/zdtm/static/selinux02.c
create mode 120000 test/zdtm/static/selinux02.checkskip
create mode 120000 test/zdtm/static/selinux02.desc
create mode 120000 test/zdtm/static/selinux02.hook
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 8e3f39276a..1ffaa90394 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -211,6 +211,8 @@ TST_NOFILE := \
thp_disable \
pid_file \
selinux00 \
+ selinux01 \
+ selinux02 \
# jobctl00 \
ifneq ($(SRCARCH),arm)
@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
ghost_holes01: CFLAGS += -DTAIL_HOLE
ghost_holes02: CFLAGS += -DHEAD_HOLE
sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE
+selinux02: CFLAGS += -DUSING_SOCKCREATE
stopped01: CFLAGS += -DZDTM_STOPPED_KILL
stopped02: CFLAGS += -DZDTM_STOPPED_TKILL
stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
new file mode 100644
index 0000000000..9966455c47
--- /dev/null
+++ b/test/zdtm/static/selinux01.c
@@ -0,0 +1,200 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/socket.h>
+#include <sys/xattr.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
+
+const char *test_doc = "Check that a SELinux socket context is restored";
+const char *test_author = "Adrian Reber <areber@redhat.com>";
+
+/* This is all based on Tycho's apparmor code */
+
+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
+
+/*
+ * This is used to store the state of SELinux. For this test
+ * SELinux is switched to permissive mode and later the previous
+ * SELinux state is restored.
+ */
+char state;
+
+int check_for_selinux()
+{
+ if (access("/sys/fs/selinux", F_OK) == 0)
+ return 0;
+ return 1;
+}
+
+int setprofile()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/current\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int set_sockcreate()
+{
+ int fd, len;
+
+ fd = open("/proc/self/attr/sockcreate", O_WRONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = write(fd, CONTEXT, strlen(CONTEXT));
+ close(fd);
+
+ if (len < 0) {
+ fail("Could not write context\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate()
+{
+ int fd;
+ char context[1024];
+ int len;
+
+
+ fd = open("/proc/self/attr/sockcreate", O_RDONLY);
+ if (fd < 0) {
+ fail("Could not open /proc/self/attr/sockcreate\n");
+ return -1;
+ }
+
+ len = read(fd, context, strlen(CONTEXT));
+ close(fd);
+ if (len != strlen(CONTEXT)) {
+ fail("SELinux context has unexpected length %d, expected %zd\n",
+ len, strlen(CONTEXT));
+ return -1;
+ }
+
+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
+ return -1;
+ }
+
+ return 0;
+}
+
+int check_sockcreate_empty()
+{
+ char *output = NULL;
+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
+ int ret = fscanf(f, "%ms", &output);
+ fclose(f);
+
+ if (ret >= 1) {
+ free(output);
+ /* sockcreate should be empty, if fscanf found something
+ * it is wrong.*/
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ if (output) {
+ free(output);
+ /* Same here, output should still be NULL. */
+ fail("sockcreate should be empty\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ char ctx[1024];
+ test_init(argc, argv);
+
+ if (check_for_selinux()) {
+ skip("SELinux not found on this system.");
+ test_daemon();
+ test_waitsig();
+ pass();
+ return 0;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (set_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+
+ if (setprofile())
+ return -1;
+
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ /* Open our test socket */
+ int sk = socket(AF_INET, SOCK_STREAM, 0);
+ memset(ctx, 0, 1024);
+ /* Read out the socket label */
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+ memset(ctx, 0, 1024);
+
+ test_daemon();
+ test_waitsig();
+
+ /* Read out the socket label again */
+
+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
+ fail("Reading xattr 'security.selinux' failed.\n");
+ return -1;
+ }
+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
+ return -1;
+ }
+
+#ifdef USING_SOCKCREATE
+ if (check_sockcreate())
+ return -1;
+#else
+ if (check_sockcreate_empty())
+ return -1;
+#endif
+
+ pass();
+
+ return 0;
+}
diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
new file mode 120000
index 0000000000..e8a172479e
--- /dev/null
+++ b/test/zdtm/static/selinux01.checkskip
@@ -0,0 +1 @@
+selinux00.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
new file mode 120000
index 0000000000..2d2961a764
--- /dev/null
+++ b/test/zdtm/static/selinux01.desc
@@ -0,0 +1 @@
+selinux00.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
new file mode 120000
index 0000000000..dd7ed6bb33
--- /dev/null
+++ b/test/zdtm/static/selinux01.hook
@@ -0,0 +1 @@
+selinux00.hook
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
new file mode 120000
index 0000000000..5702677858
--- /dev/null
+++ b/test/zdtm/static/selinux02.c
@@ -0,0 +1 @@
+selinux01.c
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
new file mode 120000
index 0000000000..2696e6e3de
--- /dev/null
+++ b/test/zdtm/static/selinux02.checkskip
@@ -0,0 +1 @@
+selinux01.checkskip
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
new file mode 120000
index 0000000000..9c6802c4da
--- /dev/null
+++ b/test/zdtm/static/selinux02.desc
@@ -0,0 +1 @@
+selinux01.desc
\ No newline at end of file
diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
new file mode 120000
index 0000000000..e3ea0a6c80
--- /dev/null
+++ b/test/zdtm/static/selinux02.hook
@@ -0,0 +1 @@
+selinux01.hook
\ No newline at end of file

44
SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Unescape View File

@ -1,44 +0,0 @@
From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@gmail.com>
Date: Sat, 4 May 2019 20:01:52 -0700
Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
Fixes #693
---
criu/lsm.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 9c9ac7f80e..5921138392 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
int reset_setsockcreatecon()
{
- return setsockcreatecon_raw(NULL);
+ /* Currently this only works for SELinux. */
+ if (kdat.lsm != LSMTYPE__SELINUX)
+ return 0;
+
+ if (setsockcreatecon_raw(NULL)) {
+ pr_perror("Unable to reset socket SELinux context");
+ return -1;
+ }
+ return 0;
}
int run_setsockcreatecon(FdinfoEntry *e)
@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
ctx = e->xattr_security_selinux;
/* Writing to the FD using fsetxattr() did not work for some reason. */
- return setsockcreatecon_raw(ctx);
+ if (setsockcreatecon_raw(ctx)) {
+ pr_perror("Unable to set the %s socket SELinux context", ctx);
+ return -1;
+ }
+ return 0;
}
int dump_xattr_security_selinux(int fd, FdinfoEntry *e)

40
SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
Unescape View File

@ -1,40 +0,0 @@
From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Sat, 4 May 2019 15:27:32 +0200
Subject: [PATCH] lsm: fix compiler error on Fedora 30
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes following compiler error:
criu/lsm.c: In function dump_xattr_security_selinux:
criu/include/log.h:51:2: error: %s directive argument is null [-Werror=format-overflow=]
51 | print_on_level(LOG_ERROR, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
52 | "Error (%s:%d): " LOG_PREFIX fmt, \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53 | __FILE__, __LINE__, ##__VA_ARGS__)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
criu/lsm.c:166:3: note: in expansion of macro pr_err
166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
| ^~~~~~
Signed-off-by: Adrian Reber <areber@redhat.com>
---
criu/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/lsm.c b/criu/lsm.c
index 5921138392..420585ba4f 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
/* Get the size of the xattr. */
len = fgetxattr(fd, "security.selinux", ctx, 0);
if (len == -1) {
- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
return -1;
}

27
SOURCES/criu.pc.patch
Unescape View File

@ -0,0 +1,27 @@
From 341ef149ee259d9432ea4c01507eefab2ef8b83c Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov <radostin@redhat.com>
Date: Thu, 14 Oct 2021 12:58:56 +0100
Subject: [PATCH] criu.pc: Add libprotobuf-c as a dependency
CRIU has a dependency on protobuf-c-devel. We express this dependency
in pkgconfig to be auto-detected when building a package.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
---
lib/c/criu.pc.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/c/criu.pc.in b/lib/c/criu.pc.in
index 33986d10d..bcced5033 100644
--- a/lib/c/criu.pc.in
+++ b/lib/c/criu.pc.in
@@ -4,5 +4,6 @@ includedir=@includedir@
Name: CRIU
Description: RPC library for userspace checkpoint and restore
Version: @version@
+Requires.private: libprotobuf-c
Libs: -L${libdir} -lcriu
Cflags: -I${includedir}
--
2.31.1

74
SOURCES/d739260c57576c636759afb312340fa3827312f6.patch
Unescape View File

@ -0,0 +1,74 @@
From d739260c57576c636759afb312340fa3827312f6 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Mon, 24 Apr 2023 09:28:19 +0200
Subject: [PATCH] compel: support XSAVE on newer Intel CPUs
Newer Intel CPUs (Sapphire Rapids) have a much larger xsave area than
before. Looking at older CPUs I see 2440 bytes.
# cpuid -1 -l 0xd -s 0
...
bytes required by XSAVE/XRSTOR area = 0x00000988 (2440)
On newer CPUs (Sapphire Rapids) it grows to 11008 bytes.
# cpuid -1 -l 0xd -s 0
...
bytes required by XSAVE/XRSTOR area = 0x00002b00 (11008)
This increase the xsave area from one page to four pages.
Without this patch the fpu03 test fails, with this patch it works again.
Signed-off-by: Adrian Reber <areber@redhat.com>
---
.../arch/x86/src/lib/include/uapi/asm/fpu.h | 28 +++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/compel/arch/x86/src/lib/include/uapi/asm/fpu.h b/compel/arch/x86/src/lib/include/uapi/asm/fpu.h
index bd3b0cbd5c..8c83dd9ae4 100644
--- a/compel/arch/x86/src/lib/include/uapi/asm/fpu.h
+++ b/compel/arch/x86/src/lib/include/uapi/asm/fpu.h
@@ -21,7 +21,28 @@
#define XSTATE_YMM 0x4
#define FXSAVE_SIZE 512
-#define XSAVE_SIZE 4096
+/*
+ * This used to be 4096 (one page). There is a comment below concerning
+ * this size:
+ * "One page should be enough for the whole xsave state ;-)"
+ * Which is kind of funny as it is no longer enough ;-)
+ *
+ * Older CPUs:
+ * # cpuid -1 -l 0xd -s 0
+ * ...
+ * bytes required by XSAVE/XRSTOR area = 0x00000988 (2440)
+ *
+ * Newer CPUs (Sapphire Rapids):
+ * # cpuid -1 -l 0xd -s 0
+ * ...
+ * bytes required by XSAVE/XRSTOR area = 0x00002b00 (11008)
+ *
+ * So one page is no longer enough... But:
+ *
+ * Four pages should be enough for the whole xsave state ;-)
+ */
+
+#define XSAVE_SIZE 4*4096
#define XSAVE_HDR_SIZE 64
#define XSAVE_HDR_OFFSET FXSAVE_SIZE
@@ -235,8 +256,11 @@ struct pkru_state {
*
*
* One page should be enough for the whole xsave state ;-)
+ *
+ * Of course it was not ;-) Now using four pages...
+ *
*/
-#define EXTENDED_STATE_AREA_SIZE (4096 - sizeof(struct i387_fxsave_struct) - sizeof(struct xsave_hdr_struct))
+#define EXTENDED_STATE_AREA_SIZE (XSAVE_SIZE - sizeof(struct i387_fxsave_struct) - sizeof(struct xsave_hdr_struct))
/*
* cpu requires it to be 64 byte aligned

30
SOURCES/pycriu-setup-py
Unescape View File

@ -0,0 +1,30 @@
import os
from setuptools import setup, find_packages
print(find_packages('.'))
def get_version():
version = '0.0.1'
env = os.environ
if 'CRIU_VERSION_MAJOR' in env and 'CRIU_VERSION_MINOR' in env:
version = '{}.{}'.format(
env['CRIU_VERSION_MAJOR'],
env['CRIU_VERSION_MINOR']
)
if 'CRIU_VERSION_SUBLEVEL' in env and env['CRIU_VERSION_SUBLEVEL']:
version += '.' + env['CRIU_VERSION_SUBLEVEL']
return version
setup(
name='pycriu',
version=get_version(),
description='CRiu Image Tool',
author='CRIU team',
author_email='criu@openvz.org',
license='GPLv2',
url='https://github.com/checkpoint-restore/criu',
packages=['pycriu','pycriu.images'],
package_dir = {'pycriu': '.', 'pycriu.images':'images'}
)

247
SPECS/criu.spec
Unescape View File

@ -1,57 +1,40 @@
%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
%global py_prefix python3
%global py_binary %{py_prefix}
%else
%global py_prefix python
%global py_binary python2
%endif
# With annobin enabled, CRIU does not work anymore. It seems CRIU's
# parasite code breaks if annobin is enabled.
%undefine _annotated_build
# This package calls LD directly without specifying the LTO plugins. Until
# that is fixed, disable LTO.
%global _lto_cflags %%{nil}
Name: criu
Version: 3.12
Release: 9%{?dist}
Version: 3.18
Release: 1%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
License: GPLv2
URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: perl
# RHEL has no asciidoc; take man-page from Fedora 26
# zcat /usr/share/man/man8/criu.8.gz > criu.8
Source1: criu.8
Source2: crit.1
# The patch aio-fix.patch is needed as RHEL7
# doesn't do "nr_events *= 2" in ioctx_alloc().
Patch100: aio-fix.patch
%endif
Source3: criu-tmpfiles.conf
Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz
Source1: criu-tmpfiles.conf
Source2: pycriu-setup-py
BuildRequires: gcc
BuildRequires: systemd
BuildRequires: libnet-devel
BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
%if 0%{?fedora} || 0%{?rhel} > 7
BuildRequires: asciidoc xmlto
BuildRequires: %{py_prefix}-pip
BuildRequires: %{py_prefix}-setuptools
BuildRequires: %{py_prefix}-wheel
BuildRequires: perl-interpreter
BuildRequires: libselinux-devel
BuildRequires: gnutls-devel
BuildRequires: make
# Checkpointing containers with a tmpfs requires tar
Recommends: tar
%if 0%{?fedora}
BuildRequires: libbsd-devel
%endif
%endif
Patch0: 0001-Fix-building-with-annobin.patch
Patch1: criu.pc.patch
# Fix to work on CPUs with larger XSAVE area (Sapphire Rapids)
Patch2: https://github.com/checkpoint-restore/criu/commit/d739260c57576c636759afb312340fa3827312f6.patch
# user-space and kernel changes are only available for x86_64, arm,
# ppc64le, aarch64 and s390x
@ -63,10 +46,10 @@ criu is the user-space part of Checkpoint/Restore in User-space
(CRIU), a project to implement checkpoint/restore functionality for
Linux in user-space.
%if 0%{?fedora}
%package devel
Summary: Header files and libraries for %{name}
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
%description devel
This package contains header files and libraries for %{name}.
@ -77,18 +60,12 @@ Requires: %{name} = %{version}-%{release}
%description libs
This package contains the libraries for %{name}
%endif
%package -n %{py_prefix}-%{name}
%{?python_provide:%python_provide %{py_prefix}-%{name}}
Summary: Python bindings for %{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: protobuf-python
Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
%else
Requires: %{py_prefix}-protobuf
Obsoletes: python2-criu < 3.10-1
%endif
%description -n %{py_prefix}-%{name}
%{py_prefix}-%{name} contains Python bindings for %{name}.
@ -101,62 +78,48 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release}
crit is a tool designed to decode CRIU binary dump files and show
their content in human-readable form.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?rhel} && 0%{?rhel} <= 7
%patch100 -p1
%endif
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%build
# %{?_smp_mflags} does not work
# -fstack-protector breaks build
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
make docs V=1
%endif
%install
cp %{SOURCE2} lib/py/setup.py
sed -e "s,--upgrade --force-reinstall,--disable-pip-version-check --progress-bar off --verbose,g;
s,\./crit,./crit lib/py,g;" -i lib/Makefile
rm -f crit/pyproject.toml
make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
%if 0%{?fedora} || 0%{?rhel} > 7
# only install documentation on Fedora as it requires asciidoc,
# which is not available on RHEL7
make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
%else
install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
%endif
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}/run/%{name}/
%if 0%{?rhel}
# remove devel and libs packages
rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
rm $RPM_BUILD_ROOT%{_libdir}/*.so*
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
# remove static libs
rm $RPM_BUILD_ROOT%{_libdir}/*.a
rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%endif
# remove compel man-page
rm $RPM_BUILD_ROOT%{_mandir}/man1/compel.1*
# remove amdgpu plugin man-page
rm $RPM_BUILD_ROOT%{_mandir}/man1/amdgpu_plugin.1*
# remove criu-ns
rm $RPM_BUILD_ROOT%{_sbindir}/criu-ns
rm $RPM_BUILD_ROOT%{_mandir}/man1/criu-ns.1*
%files
%{_sbindir}/%{name}
%doc %{_mandir}/man8/criu.8*
%if 0%{?fedora}
%{_libexecdir}/%{name}
%endif
%{_mandir}/man8/criu.8*
%dir /run/%{name}
%{_tmpfilesdir}/%{name}.conf
%doc README.md COPYING
%if 0%{?fedora}
%files devel
%{_includedir}/criu
%{_libdir}/*.so
@ -164,27 +127,126 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
%files libs
%{_libdir}/*.so.*
%endif
%files -n %{py_prefix}-%{name}
%if 0%{?rhel} && 0%{?rhel} <= 7
%{python2_sitelib}/pycriu/*
%{python2_sitelib}/*egg-info
%else
%{python3_sitelib}/pycriu/*
%{python3_sitelib}/*egg-info
%endif
%{python3_sitelib}/pycriu-%{version}.dist-info
%files -n crit
%{_bindir}/crit
%{python3_sitelib}/crit-%{version}.dist-info
%doc %{_mandir}/man1/crit.1*
%changelog
* Sun Dec 10 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.12-9
- Rebuilt for MSVSphere 8.8
* Tue Apr 25 2034 Adrian Reber <adrian@lisas.de> - 3.18-1
- Update to 3.18
- Apply patch from upstream to support newer CPUs
* Fri Mar 31 2023 Jindrich Novy <jnovy@redhat.com> - 3.17.1-1
- update to https://github.com/checkpoint-restore/criu/releases/tag/v3.17.1
- Related: #2176063
* Mon Jul 11 2022 Radostin Stoyanov <radostin@redhat.com> - 3.17-4
- Rebuilt to pick up glibc rseq() changes
* Mon Jul 04 2022 Radostin Stoyanov <radostin@redhat.com> - 3.17-3
- Add libprotobuf-c dependency requirement
* Mon May 09 2022 Adrian Reber <areber@redhat.com> - 3.17-2
- Update to 3.17
- Drop upstreamed patch
- Remove compel man-page
* Mon Jan 31 2022 Adrian Reber <areber@redhat.com> - 3.15-13
- Apply patch to build with annobin enabled
- Apply patch to fix unsafe IPv6 handling
* Mon Sep 6 2021 Radostin Stoyanov <radostin@redhat.com> - 3.15-12
- Increase release number from 11 to 12
- Disable podman test when crun doesn't support checkpoint/restore
* Tue Aug 31 2021 Adrian Reber <areber@redhat.com> - 3.15-11
- Remove unnecessary Requires: criu-libs
- Remove wrong BR nftables-devel
- Bump release for rebuild
* Mon Aug 16 2021 Jindrich Novy <jnovy@redhat.com> - 3.15-10
- disable LTO on RHEL9 again
- Related: #1970747
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.15-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Aug 06 2021 Jindrich Novy <jnovy@redhat.com> - 3.15-8
- add Requires: criu-libs = %%{version}-%%{release} in criu-devel
- Related: #1970747
* Wed Aug 04 2021 Jindrich Novy <jnovy@redhat.com> - 3.15-7
- remove pre-RHEL9 hacks
* Wed May 05 2021 Adrian Reber <areber@redhat.com> - 3.15-6
- Enable criu-devel and criu-libs for RHEL 9
- Remove nftables-devel dependency for now
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.15-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 09:45:16 CET 2021 Adrian Reber <adrian@lisas.de> - 3.15-2
- Rebuilt for protobuf 3.14
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
* Wed Nov 04 2020 Adrian Reber <adrian@lisas.de> - 3.15-1
- Update to 3.15
* Wed Sep 23 2020 Adrian Reber <adrian@lisas.de> - 3.14-8
- Rebuilt for protobuf 3.13
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Jeff Law <law@redhat.com> - 3.14-6
- Disable LTO
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 3.14-5
- Rebuilt for protobuf 3.12
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.14-4
- Rebuilt for Python 3.9
* Thu Apr 30 2020 Adrian Reber <adrian@lisas.de> - 3.14-3
- BuildRequire nftables-devel for working CI
* Thu Apr 30 2020 Adrian Reber <adrian@lisas.de> - 3.14-2
- Rebuild for CI fixes
* Wed Apr 29 2020 Adrian Reber <adrian@lisas.de> - 3.14-1
- Update to 3.14 (#1829399)
* Sun Mar 29 2020 Andrei Vagin <avagin@gmail.com> - 3.13-7
- Added patch for gcc-10
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.13-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 16 2019 Adrian Reber <adrian@lisas.de> - 3.13-5
- Update to 3.13 (#1751146)
- Drop upstreamed patches
- Drop static library
- Add compel man-page
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.12-14
- Rebuilt for Python 3.8
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.12-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 14 2019 Adrian Reber <adrian@lisas.de> - 3.12-11
- Test different decision_context in gating.yaml
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-10
- Added additional fixup patches for the socket labelling
* Sat May 04 2019 Adrian Reber <adrian@lisas.de> - 3.12-8
@ -205,16 +267,15 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
- Build against SELinux (Fedora and RHEL8)
- Build against libbsd (Fedora)
* Thu Feb 14 2019 Adrian Reber <areber@redhat.com> - 3.11-2
- Updated to 3.11
- Removed upstreamed patches
- Added patch for gcc-9
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-7
- Fix 'criu check --feature link_nsid' with more than 10 interfaces (#1652442)
* Sat Jan 19 2019 Adrian Reber <adrian@lisas.de> - 3.11-2
- Added patch for gcc-9
* Tue Dec 11 2018 Adrian Reber <adrian@lisas.de> - 3.10-6
- Make sure no iptables rules are left after restore (#1652471)
* Tue Nov 06 2018 Adrian Reber <adrian@lisas.de> - 3.11-1
- Updated to 3.11
- Removed upstreamed patches
* Tue Oct 30 2018 Adrian Reber <adrian@lisas.de> - 3.10-5
- Added Recommends: tar

Write Preview
Loading…
Cancel
Save