Stefano Brivio (8): Makefile: Honour passed CPPFLAGS, not just CFLAGS Makefile: Don't filter out -O2 from supplied flags for AVX2 builds Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH util, pasta: Use __clone2() instead of clone() on ia64 README: Add links to Debian package tracker contrib/apparmor: Merge pasta and passt profiles, update rules Remove contrib/debian, Debian package development now happens on Salsa Makefile | 16 ++++---- README.md | 17 ++++---- contrib/apparmor/usr.bin.passt | 73 ++++++++++++++++++++++++---------- contrib/apparmor/usr.bin.pasta | 66 ------------------------------ contrib/debian/README.Debian | 8 ---- contrib/debian/changelog | 6 --- contrib/debian/control | 22 ---------- contrib/debian/copyright | 13 ------ contrib/debian/rules | 12 ------ contrib/debian/watch | 2 - pasta.c | 9 +++++ util.h | 12 ++++++ 12 files changed, 91 insertions(+), 165 deletions(-) delete mode 100644 contrib/apparmor/usr.bin.pasta delete mode 100644 contrib/debian/README.Debian delete mode 100644 contrib/debian/changelog delete mode 100644 contrib/debian/control delete mode 100644 contrib/debian/copyright delete mode 100755 contrib/debian/rules delete mode 100644 contrib/debian/watch -- 2.35.1
CPPFLAGS allow the user to pass pre-processor flags. This is unlikely to be needed at the moment, but the Debian Hardening Walkthrough reasonably requests it to be handled in order to fully support hardened build flags: https://wiki.debian.org/HardeningWalkthrough#Handling_dpkg-buildflags_in_yo… Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 6b22408..a6e3164 100644 --- a/Makefile +++ b/Makefile @@ -60,8 +60,8 @@ HEADERS = $(PASST_HEADERS) seccomp.h # csum_unaligned(). Mark csum_unaligned() as "noipa" as a quick work-around, # while we figure out if a corresponding gcc issue has already been reported. ifeq (,$(filter-out 11 12, $(shell $(CC) -dumpversion))) -ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS))) -ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS))) +ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS) $(CPPFLAGS))) +ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS))) FLAGS += -DTCP_HASH_NOINLINE FLAGS += -DSIPHASH_20B_NOINLINE FLAGS += -DCSUM_UNALIGNED_NO_IPA @@ -121,11 +121,11 @@ seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) @ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) passt: $(PASST_SRCS) $(HEADERS) - $(CC) $(FLAGS) $(CFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS) + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS) passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops passt.avx2: $(PASST_SRCS) $(HEADERS) - $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS)) \ + $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \ $(PASST_SRCS) -o passt.avx2 $(LDFLAGS) passt.avx2: passt 
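Review bot: In the `passt` rule the order `$(FLAGS) $(CFLAGS) $(CPPFLAGS)` is what decides which `-D_FORTIFY_SOURCE` level wins, because FLAGS hard-codes `-D_FORTIFY_SOURCE=2` a few lines above the first hunk and, as far as I recall, the dpkg-buildflags hardening set also emits a `-D_FORTIFY_SOURCE=…` in CPPFLAGS; with CPPFLAGS last the distro's value (possibly `=3` in future) takes precedence, which is the outcome you want but is nowhere stated, and gcc may warn about the redefinition. A one-line comment on the rule, `# CPPFLAGS last: a distro-supplied -D_FORTIFY_SOURCE overrides our default`, would make the deviation from the conventional `$(CPPFLAGS) $(CFLAGS)` order deliberate. The two `ifneq` checks at the top look for `-flto%` and `-O2`, which are compiler options that will not appear in CPPFLAGS, so adding it there is harmless but implies a dependency that does not exist.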
@@ -134,7 +134,7 @@ pasta.avx2 pasta.1 pasta: pasta%: passt% ln -s $< $@ qrap: $(QRAP_SRCS) passt.h - $(CC) $(FLAGS) $(CFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS) + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS) valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \ getpid gettid kill clock_gettime mmap \ @@ -283,7 +283,7 @@ clang-tidy: $(SRCS) $(HEADERS) -concurrency-mt-unsafe,\ -readability-identifier-length \ -config='{CheckOptions: [{key: bugprone-suspicious-string-compare.WarnOnImplicitComparison, value: "false"}]}' \ - --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS)) + --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) SYSTEM_INCLUDES := /usr/include $(wildcard /usr/include/$(TARGET)) ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1) @@ -299,5 +299,5 @@ cppcheck: $(SRCS) $(HEADERS) $(SYSTEM_INCLUDES:%=--suppress=unmatchedSuppression:%/*) \ --inline-suppr \ --suppress=unusedStructMember \ - $(filter -D%,$(FLAGS) $(CFLAGS)) \ + $(filter -D%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \ . -- 2.35.1
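Review bot: The cppcheck rule passes only the `-D%` words of `$(FLAGS) $(CFLAGS) $(CPPFLAGS)`, so a `-U` or `-I` that a packager puts in CPPFLAGS changes what the compiler sees but not what the checker analyses, and the two silently diverge. Widening it to `$(filter -D% -U% -I%,$(FLAGS) $(CFLAGS) $(CPPFLAGS))` keeps them in step; cppcheck accepts all three forms. The clang-tidy rule only drops `-pie`, so an option clang does not understand fails the run rather than diverging, which is the safer failure mode of the two.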
On Tue, Nov 15, 2022 at 02:23:42AM +0100, Stefano Brivio wrote:CPPFLAGS allow the user to pass pre-processor flags. This is unlikely to be needed at the moment, but the Debian Hardening Walkthrough reasonably requests it to be handled in order to fully support hardened build flags: https://wiki.debian.org/HardeningWalkthrough#Handling_dpkg-buildflags_in_yo… Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Reviewed-by: David Gibson <david(a)gibson.dropbear.id.au> Possible refinement, though: if we moved our own flags which are really for the preprocessor (-D*) to CPPFLAGS, then we can probably pass just CPPFLAGS, not CFLAGS to the static checkers and avoid the ugly filter/filter-out expressions.--- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 6b22408..a6e3164 100644 --- a/Makefile +++ b/Makefile @@ -60,8 +60,8 @@ HEADERS = $(PASST_HEADERS) seccomp.h # csum_unaligned(). Mark csum_unaligned() as "noipa" as a quick work-around, # while we figure out if a corresponding gcc issue has already been reported. ifeq (,$(filter-out 11 12, $(shell $(CC) -dumpversion))) -ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS))) -ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS))) +ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS) $(CPPFLAGS))) +ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS))) FLAGS += -DTCP_HASH_NOINLINE FLAGS += -DSIPHASH_20B_NOINLINE FLAGS += -DCSUM_UNALIGNED_NO_IPA 
@@ -121,11 +121,11 @@ seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) @ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) passt: $(PASST_SRCS) $(HEADERS) - $(CC) $(FLAGS) $(CFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS) + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS) passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops passt.avx2: $(PASST_SRCS) $(HEADERS) - $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS)) \ + $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \ $(PASST_SRCS) -o passt.avx2 $(LDFLAGS) passt.avx2: passt @@ -134,7 +134,7 @@ pasta.avx2 pasta.1 pasta: pasta%: passt% ln -s $< $@ qrap: $(QRAP_SRCS) passt.h - $(CC) $(FLAGS) $(CFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS) + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS) valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \ getpid gettid kill clock_gettime mmap \ @@ -283,7 +283,7 @@ clang-tidy: $(SRCS) $(HEADERS) -concurrency-mt-unsafe,\ -readability-identifier-length \ -config='{CheckOptions: [{key: bugprone-suspicious-string-compare.WarnOnImplicitComparison, value: "false"}]}' \ - --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS)) + --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) SYSTEM_INCLUDES := /usr/include $(wildcard /usr/include/$(TARGET)) ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1) @@ -299,5 +299,5 @@ cppcheck: $(SRCS) $(HEADERS) $(SYSTEM_INCLUDES:%=--suppress=unmatchedSuppression:%/*) \ --inline-suppr \ --suppress=unusedStructMember \ - $(filter -D%,$(FLAGS) $(CFLAGS)) \ + $(filter -D%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \ .-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
Drop it from the internal FLAGS variable, but honour -O2 if passed in CFLAGS. In Debian packages, dpkg-buildflags uses it as hardening flag, and we get a QA warning if we drop it: https://qa.debian.org/bls/bytag/W-dpkg-buildflags-missing.html
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a6e3164..f0b8e1d 100644
--- a/Makefile
+++ b/Makefile
@@ -125,7 +125,7 @@ passt: $(PASST_SRCS) $(HEADERS)
 
 passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
 passt.avx2: $(PASST_SRCS) $(HEADERS)
-	$(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
+	$(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \
 		$(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
 
 passt.avx2: passt
-- 
2.35.1
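Review bot: With `$(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS)`, a `-O2` arriving in CFLAGS now lands after the `-Ofast` that the target-specific `FLAGS +=` line adds, and gcc honours the last `-O` option, so a dpkg-buildflags build produces a `passt.avx2` compiled at `-O2` rather than `-Ofast`. That is presumably the acceptable trade-off in a hardened package build, but it happens silently; a comment on the recipe such as `# A -O2 in CFLAGS intentionally wins over -Ofast (last -O option wins)` records it, and a packager who wants the vectorised binary at `-Ofast` can then see they must drop `-O2` from CFLAGS themselves.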
On Tue, Nov 15, 2022 at 02:23:43AM +0100, Stefano Brivio wrote:Drop it from the internal FLAGS variable, but honour -O2 if passed in CFLAGS. In Debian packages, dpkg-buildflags uses it as hardening flag, and we get a QA warning if we drop it: https://qa.debian.org/bls/bytag/W-dpkg-buildflags-missing.html Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Reviewed-by: David Gibson <david(a)gibson.dropbear.id.au>--- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a6e3164..f0b8e1d 100644 --- a/Makefile +++ b/Makefile @@ -125,7 +125,7 @@ passt: $(PASST_SRCS) $(HEADERS) passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops passt.avx2: $(PASST_SRCS) $(HEADERS) - $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \ + $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \ $(PASST_SRCS) -o passt.avx2 $(LDFLAGS) passt.avx2: passt-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
On mips64el, gcc -dumpmachine correctly reports mips64el as architecture prefix, but for some reason seccomp.h defines AUDIT_ARCH_MIPSEL64 and not AUDIT_ARCH_MIPS64EL. Mangle AUDIT_ARCH accordingly. Build error spotted in Debian's buildd logs from Loongson build.
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index f0b8e1d..95b49ac 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ AUDIT_ARCH := $(shell echo $(TARGET_ARCH) | tr [a-z] [A-Z] | sed 's/^ARM.*/ARM/'
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
 
 FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
 FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
-- 
2.35.1
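Review bot: The new line is the fifth `$(shell echo … | sed …)` in the chain, each forking a shell and a sed at parse time; folding the mapping into a single `sed -e 's/I[456]86/I386/' -e 's/PPC64/PPC/' -e 's/PPCLE/PPC64LE/' -e 's/MIPS64EL/MIPSEL64/'` keeps the order-dependent rewrites (PPC64→PPC must run before PPCLE→PPC64LE) visible in one place and is easier to extend the next time an AUDIT_ARCH_* suffix does not match gcc's triple prefix. In the hunk's context line, `tr [a-z] [A-Z]` is unquoted, so a single-letter file name in the build directory would be glob-expanded into tr's arguments; `tr '[a-z]' '[A-Z]'` avoids that. Since the result is only checked when `seccomp.h` is compiled, a missed mapping fails the build loudly rather than silently producing a filter for the wrong architecture, which is the right failure mode for a seccomp filter.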
On Tue, Nov 15, 2022 at 02:23:44AM +0100, Stefano Brivio wrote:On mips64el, gcc -dumpmachine correctly reports mips64el as architecture prefix, but for some reason seccomp.h defines AUDIT_ARCH_MIPSEL64 and not AUDIT_ARCH_MIPS64EL. Mangle AUDIT_ARCH accordingly. Build error spotted in Debian's buildd logs from Loongson build. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Reviewed-by: David Gibson <david(a)gibson.dropbear.id.au>--- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index f0b8e1d..95b49ac 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ AUDIT_ARCH := $(shell echo $(TARGET_ARCH) | tr [a-z] [A-Z] | sed 's/^ARM.*/ARM/' AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/') +AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/') FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
The AUDIT_ARCH defines in seccomp.h corresponding to HPPA are AUDIT_ARCH_PARISC and AUDIT_ARCH_PARISC64. Build error spotted in Debian's buildd log on phantom.physik.fu-berlin.de.
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index 95b49ac..1dc2df5 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
 AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/')
 
 FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
 FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
-- 
2.35.1
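Review bot: The AUDIT_ARCH rewrite chain now carries five special cases and no comment saying what it maps between, so each new buildd failure means rediscovering the scheme; a line above the chain such as `# Map gcc -dumpmachine's architecture prefix to the suffix of the AUDIT_ARCH_* constants used by seccomp.h; order matters (PPC64 -> PPC before PPCLE -> PPC64LE)` would fix that. It is worth noting in the same comment that `s/HPPA/PARISC/` also rewrites an `HPPA64` prefix to `PARISC64`, so the one substitution covers both of the names the commit message cites.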
On Tue, Nov 15, 2022 at 02:23:45AM +0100, Stefano Brivio wrote:The AUDIT_ARCH defines in seccomp.h corresponding to HPPA are AUDIT_ARCH_PARISC and AUDIT_ARCH_PARISC64. Build error spotted in Debian's buildd log on phantom.physik.fu-berlin.de. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Reviewed-by: David Gibson <david(a)gibson.dropbear.id.au>--- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 95b49ac..1dc2df5 100644 --- a/Makefile +++ b/Makefile @@ -26,6 +26,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/') +AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/') FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
On ia64, clone(2) is not available: the glibc wrapper is named __clone2() and it takes, additionally, the size of the stack area passed by the caller. Spotted in Debian's buildd logs.
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 pasta.c |  9 +++++++++
 util.h  | 12 ++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/pasta.c b/pasta.c
index db86317..1f3afa1 100644
--- a/pasta.c
+++ b/pasta.c
@@ -226,11 +226,20 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
 		arg.argv = sh_argv;
 	}
 
+#ifdef __ia64__
+	pasta_child_pid = __clone2(pasta_spawn_cmd,
+				   ns_fn_stack + sizeof(ns_fn_stack) / 2,
+				   sizeof(ns_fn_stack) / 2,
+				   CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
+				   CLONE_NEWUTS,
+				   (void *)&arg);
+#else
 	pasta_child_pid = clone(pasta_spawn_cmd,
 				ns_fn_stack + sizeof(ns_fn_stack) / 2,
 				CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
 				CLONE_NEWUTS,
 				(void *)&arg);
+#endif
 
 	if (pasta_child_pid == -1) {
 		perror("clone");
diff --git a/util.h b/util.h
index 2d4e1ff..3c48992 100644
--- a/util.h
+++ b/util.h
@@ -81,6 +81,17 @@
 	(((struct in_addr *)(a))->s_addr == ((struct in_addr *)b)->s_addr)
 
 #define NS_FN_STACK_SIZE	(RLIMIT_STACK_VAL * 1024 / 8)
+#ifdef __ia64__
+#define NS_CALL(fn, arg)						\
+	do {								\
+		char ns_fn_stack[NS_FN_STACK_SIZE];			\
+									\
+		__clone2((fn), ns_fn_stack + sizeof(ns_fn_stack) / 2,	\
+			 sizeof(ns_fn_stack) / 2,			\
+			 CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,\
+			 (void *)(arg));				\
+	} while (0)
+#else
 #define NS_CALL(fn, arg)						\
 	do {								\
 		char ns_fn_stack[NS_FN_STACK_SIZE];			\
@@ -89,6 +100,7 @@
 			CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,	\
 			(void *)(arg));					\
 	} while (0)
+#endif
 
 #if __BYTE_ORDER == __BIG_ENDIAN
 #define L2_BUF_ETH_IP4_INIT					\
-- 
2.35.1
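Review bot: Both `__clone2()` calls pass `ns_fn_stack + sizeof(ns_fn_stack) / 2` with a size of `sizeof(ns_fn_stack) / 2`, but as clone(2) describes it `__clone2()` takes the lowest address of the stack area plus its size, and the kernel places both the memory stack and the register backing store inside that area, so the child is handed only the upper half of the buffer and the lower half is never used. The midpoint split is there for `clone()`, which takes a single stack pointer whose growth direction varies by architecture; on ia64 `__clone2(fn, ns_fn_stack, sizeof(ns_fn_stack), …)` hands over the whole area, though worth confirming against the glibc ia64 wrapper before changing it. On the same path `perror("clone")` will name the wrong call on ia64, a small point but it is what shows up in a buildd log. pasta_start_ns() begins before and ends after this hunk.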
On Tue, Nov 15, 2022 at 02:23:46AM +0100, Stefano Brivio wrote:On ia64, clone(2) is not available: the glibc wrapper is named __clone2() and it takes, additionally, the size of the stack area passed by the caller. Spotted in Debian's buildd logs. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Urgh, I'd really prefer to make our own wrapper to reduce two ifdefs to one.--- pasta.c | 9 +++++++++ util.h | 12 ++++++++++++ 2 files changed, 21 insertions(+) diff --git a/pasta.c b/pasta.c index db86317..1f3afa1 100644 --- a/pasta.c +++ b/pasta.c @@ -226,11 +226,20 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, arg.argv = sh_argv; } +#ifdef __ia64__ + pasta_child_pid = __clone2(pasta_spawn_cmd, + ns_fn_stack + sizeof(ns_fn_stack) / 2, + sizeof(ns_fn_stack) / 2, + CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET | + CLONE_NEWUTS, + (void *)&arg); +#else pasta_child_pid = clone(pasta_spawn_cmd, ns_fn_stack + sizeof(ns_fn_stack) / 2, CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWUTS, (void *)&arg); +#endif if (pasta_child_pid == -1) { perror("clone"); diff --git a/util.h b/util.h index 2d4e1ff..3c48992 100644 --- a/util.h +++ b/util.h @@ -81,6 +81,17 @@ (((struct in_addr *)(a))->s_addr == ((struct in_addr *)b)->s_addr) #define NS_FN_STACK_SIZE (RLIMIT_STACK_VAL * 1024 / 8) +#ifdef __ia64__ +#define NS_CALL(fn, arg) \ + do { \ + char ns_fn_stack[NS_FN_STACK_SIZE]; \ + \ + __clone2((fn), ns_fn_stack + sizeof(ns_fn_stack) / 2, \ + sizeof(ns_fn_stack) / 2, \ + CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,\ + (void *)(arg)); \ + } while (0) +#else #define NS_CALL(fn, arg) \ do { \ char ns_fn_stack[NS_FN_STACK_SIZE]; \ @@ -89,6 +100,7 @@ CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, \ (void *)(arg)); \ } while (0) +#endif #if __BYTE_ORDER == __BIG_ENDIAN #define L2_BUF_ETH_IP4_INIT \-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
On Wed, 16 Nov 2022 16:17:13 +1100 David Gibson <david(a)gibson.dropbear.id.au> wrote:On Tue, Nov 15, 2022 at 02:23:46AM +0100, Stefano Brivio wrote:Hmm, right. I'd go with: __clone(int (*fn)(void *), void *stack_base, size_t stack_size, int flags, void *arg) ...where stack_base is ns_fn_stack. Better ideas (especially for the name)? -- StefanoOn ia64, clone(2) is not available: the glibc wrapper is named __clone2() and it takes, additionally, the size of the stack area passed by the caller. Spotted in Debian's buildd logs. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Urgh, I'd really prefer to make our own wrapper to reduce two ifdefs to one.
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- README.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0e2ca78..3d0a5b4 100644 --- a/README.md +++ b/README.md @@ -343,19 +343,20 @@ speeding up local connections, and usually requiring NAT. _pasta_: * ⌚ drop-in replacement for VPNKit (rootless Docker) ### Availability +* ✅ official [packages](https://tracker.debian.org/pkg/passt) for Debian * ✅ official [packages](https://src.fedoraproject.org/rpms/passt) for Fedora * ✅ unofficial [packages](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) for CentOS Stream, EPEL, Mageia -* ✅ unofficial packages from x86_64 static builds for other RPM-based - distributions and Debian +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64 + static builds for other RPM-based distributions +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64 + static builds for Debian-based distributions * ✅ testing on non-x86_64 architectures (aarch64, armv7l, i386, ppc64, ppc64le, s390x) -* ✅ example Debian [package files](/passt/tree/contrib/debian) * 🛠 official [openSUSE packages](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… -* ⌚ official packages for Debian - ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498)), Arch Linux +* ⌚ official packages for Arch Linux ### Services * ✅ built-in [ARP proxy](/passt/tree/arp.c) 
@@ -538,12 +539,13 @@ See also the [test logs](/builds/latest/test/). * alternatively, install one of the available packages: - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) + * [Debian](https://tracker.debian.org/pkg/passt) (official) * [Fedora](https://src.fedoraproject.org/rpms/passt) (official) * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… (unofficial) + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) Static binaries and packages are simply built with: @@ -587,12 +589,13 @@ See also the [test logs](/builds/latest/test/). * alternatively, install one of the available packages: - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) + * [Debian](https://tracker.debian.org/pkg/passt) (official) * [Fedora](https://src.fedoraproject.org/rpms/passt) (official) * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… (unofficial) + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) Static binaries and packages are simply built with: -- 2.35.1
On Tue, Nov 15, 2022 at 02:23:47AM +0100, Stefano Brivio wrote:Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Reviewed-by: David Gibson <david(a)gibson.dropbear.id.au>--- README.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0e2ca78..3d0a5b4 100644 --- a/README.md +++ b/README.md @@ -343,19 +343,20 @@ speeding up local connections, and usually requiring NAT. _pasta_: * ⌚ drop-in replacement for VPNKit (rootless Docker) ### Availability +* ✅ official [packages](https://tracker.debian.org/pkg/passt) for Debian * ✅ official [packages](https://src.fedoraproject.org/rpms/passt) for Fedora * ✅ unofficial [packages](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) for CentOS Stream, EPEL, Mageia -* ✅ unofficial packages from x86_64 static builds for other RPM-based - distributions and Debian +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64 + static builds for other RPM-based distributions +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64 + static builds for Debian-based distributions * ✅ testing on non-x86_64 architectures (aarch64, armv7l, i386, ppc64, ppc64le, s390x) -* ✅ example Debian [package files](/passt/tree/contrib/debian) * 🛠 official [openSUSE packages](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… -* ⌚ official packages for Debian - ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498)), Arch Linux +* ⌚ official packages for Arch Linux ### Services * ✅ built-in [ARP proxy](/passt/tree/arp.c) 
@@ -538,12 +539,13 @@ See also the [test logs](/builds/latest/test/). * alternatively, install one of the available packages: - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) + * [Debian](https://tracker.debian.org/pkg/passt) (official) * [Fedora](https://src.fedoraproject.org/rpms/passt) (official) * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… (unofficial) + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) Static binaries and packages are simply built with: 
@@ -587,12 +589,13 @@ See also the [test logs](/builds/latest/test/). * alternatively, install one of the available packages: - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) + * [Debian](https://tracker.debian.org/pkg/passt) (official) * [Fedora](https://src.fedoraproject.org/rpms/passt) (official) * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial) * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/pass… (unofficial) + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds) Static binaries and packages are simply built with:-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
AppArmor resolves executable links before profile attachment rules are evaluated, so, as long as pasta is installed as a link to passt, there's no way to differentiate the two cases. Merge the two profiles and leave a TODO note behind, explaining two possible ways forward. Update the rules so that passt and pasta are actually usable, once the profile is installed. Most required changes are related to isolation and sandboxing features. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/apparmor/usr.bin.passt | 73 ++++++++++++++++++++++++---------- contrib/apparmor/usr.bin.pasta | 66 ------------------------------ 2 files changed, 51 insertions(+), 88 deletions(-) delete mode 100644 contrib/apparmor/usr.bin.pasta diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt index a19fede..96b61ef 100644 --- a/contrib/apparmor/usr.bin.passt +++ b/contrib/apparmor/usr.bin.passt @@ -3,7 +3,10 @@ # PASST - Plug A Simple Socket Transport # for qemu/UNIX domain socket mode # -# contrib/apparmor/usr.bin.passt - AppArmor profile example/template for passt +# PASTA - Pack A Subtle Tap Abstraction +# for network namespace/tap device mode +# +# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) and pasta(1) # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio <sbrivio(a)redhat.com> 
@@ -12,31 +15,29 @@ abi <abi/3.0>, include <tunables/global> -/usr/bin/passt { - ### Alternatively: include <abstractions/base> - @{etc_ro}/ld.so.cache r, - /{usr/,}lib{,32,64}/ld-*.so r, - /{usr/,}lib{,32,64}/libc-*.so mr, - /{usr/,}lib/(a){multiarch}/ld-*.so r, - /{usr/,}lib/(a){multiarch}/libc-*.so mr, - /dev/null rw, # __daemon(), util.c - signal receive set=int peer=unconfined, - signal receive set=term peer=unconfined, - ### +profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) { + ### Common rules for passt and pasta - ### Alternatively: include <abstractions/nameservice> + include <abstractions/base> + + # Alternatively: include <abstractions/nameservice> @{etc_ro}/resolv.conf r, # get_dns(), conf.c - ### - capability sys_admin, # sandbox(), passt.c - capability setpcap, # drop_caps(), util.c + capability net_bind_service, # isolation.c, conf.c + capability setuid, + capability setgid, + capability sys_admin, + capability setpcap, + capability net_admin, + capability sys_ptrace, - mount "" -> "/", # sandbox(), passt.c + / r, # isolate_prefork(), isolation.c + mount "" -> "/", mount "" -> "/tmp/", pivot_root "/tmp/" -> "/tmp/", umount "/", - network netlink raw, # netlink.c + network netlink raw, # nl_sock_init_do(), netlink.c network inet stream, # tcp.c network inet6 stream, 
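Review bot: The capability block grows from two entries to seven but only `net_bind_service` keeps a comment, while the deleted pasta profile had a reason next to each of `sys_ptrace`, `net_admin`, `setpcap` and `sys_admin`. Since the merged profile grants the union of both programs' needs to passt as well, annotating which side needs each one would make the profile auditable, e.g. `capability setuid, # isolation.c, pasta only (user namespace setup)` — I am inferring the purpose from the `isolation.c` reference two lines up, so verify the attribution. `sys_admin` and `sys_ptrace` in particular deserve a line each stating what they unlock here (the mount/pivot_root sequence below, and presumably the `@{PROC}/[0-9]*/ns/*` reads in the next hunk), since they are the broadest of the set.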
@@ -46,14 +47,42 @@ include <tunables/global> network unix stream, # tap.c - network unix dgram, # __openlog(), util.c + network unix dgram, # __openlog(), log.c - ### Alternatively: include <abstractions/user-tmp> + # Alternatively: include <abstractions/user-tmp> owner /tmp/** w, # tap_sock_unix_init(), pcap(), - # write_pidfile() - ### + # write_pidfile(), + # logfile_init() owner @{HOME}/** w, # pcap(), write_pidfile() /usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c + + + ### Rules for pasta + ### + ### TODO: AppArmor doesn't give us the chance to attach a separate profile + ### depending on the executable symlink. That's possible with SELinux. Two + ### alternatives: implement that in AppArmor, or consider aa_change_hat(2). + ### With this, rules for passt(1) could be restricted significantly. Note that + ### the attach_disconnected flag is not needed for passt(1). + + @{PROC}/net/tcp r, # procfs_scan_listen(), util.c + @{PROC}/net/tcp6 r, + @{PROC}/net/udp r, + @{PROC}/net/udp6 r, + + @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c + + @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(), + @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns() + + /dev/net/tun rw, # tap_ns_tun(), tap.c + + owner @{PROC}/@{pid}/gid_map w, # pasta_start_ns(), conf_ugid() + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/uid_map rw, + + owner @{PROC}/sys/net/ipv4/ping_group_range w, # pasta_spawn_cmd(), pasta.c + /{usr/,}bin/** Ux, } diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta deleted file mode 100644 index 844fcf3..0000000 --- a/contrib/apparmor/usr.bin.pasta +++ /dev/null 
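Review bot: `/{usr/,}bin/** Ux,` makes whatever pasta spawns run unconfined (the upper-case form also scrubs the environment), and because the profile is now shared it equally lets a confined passt process exec any binary under /bin or /usr/bin and leave confinement that way; the deleted pasta profile used `mrix`, which kept the child under the same profile. Unconfining the user's interactive shell is probably the intended trade-off, but it should be said next to the rule rather than left to the reader, e.g. `/{usr/,}bin/** Ux, # pasta_spawn_cmd(): spawned command runs unconfined; applies to passt too until the profile is split (see TODO above)`. If a named child profile for the spawned command is ever workable, `cx`/`Cx` would avoid granting passt the exec permission at all. Separately, only `/usr/bin/passt.avx2 ix` survives and the old `pasta.avx2 ix` rule is gone, which is fine only if `arch_avx2_exec()` resolves the symlink to the passt path before exec'ing; worth confirming.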
@@ -1,66 +0,0 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later -# -# PASTA - Pack A Subtle Tap Abstraction -# for network namespace/tap device mode -# -# contrib/apparmor/usr.bin.pasta - AppArmor profile example/template for pasta -# -# Copyright (c) 2022 Red Hat GmbH -# Author: Stefano Brivio <sbrivio(a)redhat.com> - -abi <abi/3.0>, - -include <tunables/global> - -/usr/bin/pasta flags=(attach_disconnected) { - include <abstractions/base> # Interactive shell - include <abstractions/nameservice> - include <abstractions/consoles> - include <abstractions/bash> - owner /proc/**/ns/user r, - / r, - capability sys_ptrace, # bash - capability dac_read_search, - capability dac_override, - @{etc_ro}/** r, - /usr/** r, - /lib/** r, - owner @{HOME}/** rw, - owner /tmp/** rw, - - /proc/*/net/tcp r, # procfs_scan_listen(), util.c - /proc/*/net/tcp6 r, - /proc/*/net/udp r, - /proc/*/net/udp6 r, - - /dev/net/tun rw, # tap_ns_tun(), tap.c - - capability net_admin, # for network namespace only - capability setpcap, # drop_caps(), util.c - capability sys_admin, # sandbox(), passt.c - - mount "" -> "/", # sandbox(), passt.c - mount "" -> "/tmp/", - pivot_root "/tmp/" -> "/tmp/", - umount "/", - - network netlink raw, # netlink.c - - network inet stream, # tcp.c - network inet6 stream, - - network inet dgram, # udp.c - network inet6 dgram, - - network unix stream, # tap.c - - network unix dgram, # __openlog(), util.c - - owner /proc/*/gid_map w, # pasta_setup_ns() - owner /proc/*/setgroups w, - owner /proc/*/uid_map w, - owner /proc/sys/net/ipv4/ping_group_range w, - /{usr/,}bin/** mrix, # spawning shell - - /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c -} -- 2.35.1
The development of the Debian package is now at: https://salsa.debian.org/sbrivio/passt Drop contrib/debian, it's finally obsolete. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/debian/README.Debian | 8 -------- contrib/debian/changelog | 6 ------ contrib/debian/control | 22 ---------------------- contrib/debian/copyright | 13 ------------- contrib/debian/rules | 12 ------------ contrib/debian/watch | 2 -- 6 files changed, 63 deletions(-) delete mode 100644 contrib/debian/README.Debian delete mode 100644 contrib/debian/changelog delete mode 100644 contrib/debian/control delete mode 100644 contrib/debian/copyright delete mode 100755 contrib/debian/rules delete mode 100644 contrib/debian/watch diff --git a/contrib/debian/README.Debian b/contrib/debian/README.Debian deleted file mode 100644 index 43bb1b5..0000000 --- a/contrib/debian/README.Debian +++ /dev/null @@ -1,8 +0,0 @@ -passt for Debian - -Please edit this to provide information specific to -this passt Debian package. - - (Describe here) - - -- Stefano Brivio <> Mon, 28 Mar 2022 15:54:11 +0200 diff --git a/contrib/debian/changelog b/contrib/debian/changelog deleted file mode 100644 index d3ac798..0000000 --- a/contrib/debian/changelog +++ /dev/null @@ -1,6 +0,0 @@ -passt (0+gitXXXXXXXXXXXX-1) UNRELEASED; urgency=low - - * Initial release. Closes: #nnnn - <nnnn is the bug number of your ITP> - - -- Stefano Brivio <> Mon, 28 Mar 2022 15:54:11 +0200 diff --git a/contrib/debian/control b/contrib/debian/control deleted file mode 100644 index a62d3e0..0000000 --- a/contrib/debian/control +++ /dev/null 
@@ -1,22 +0,0 @@ -Source: passt -Section: net -Priority: optional -Maintainer: Stefano Brivio <sbrivio(a)redhat.com> -Build-Depends: debhelper-compat (= 12), dh-apparmor -Standards-Version: 4.5.0 -Homepage: https://passt.top/ - -Suggests: apparmor -Package: passt -Architecture: any -Multi-Arch: foreign -Depends: ${misc:Depends}, ${shlibs:Depends} -Description: user-mode networking daemons for virtual machines and namespaces - passt implements a translation layer between a Layer-2 network interface and - native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on a host. It doesn't - require any capabilities or privileges, and it can be used as a simple - replacement for Slirp. - pasta (same binary as passt, different command) offers equivalent functionality, - for network namespaces: traffic is forwarded using a tap interface inside the - namespace, without the need to create further interfaces on the host, hence not - requiring any capabilities or privileges. diff --git a/contrib/debian/copyright b/contrib/debian/copyright deleted file mode 100644 index 0f2df74..0000000 --- a/contrib/debian/copyright +++ /dev/null @@ -1,13 +0,0 @@ -Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: passt -Upstream-Contact: Stefano Brivio <sbrivio(a)redhat.com> -Upstream-Contact: passt-dev(a)passt.top -Source: https://passt.top/ - -Files: * -Copyright: 2020-2022, Red Hat GmbH, Stefano Brivio <sbrivio(a)redhat.com> -License: AGPL-3.0-or-later - -Files: checksum.c -Copyright: 2021, Red Hat GmbH, Stefano Brivio <sbrivio(a)redhat.com> -License: AGPL-3.0-or-later AND BSD-3-Clause diff --git a/contrib/debian/rules b/contrib/debian/rules deleted file mode 100755 index a926d32..0000000 --- a/contrib/debian/rules +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/usr/bin/make -f - -override_dh_auto_install: - dh_auto_install -- prefix=/usr - mkdir -p debian/passt/etc/apparmor.d/ - cp contrib/apparmor/usr.bin.passt debian/passt/etc/apparmor.d/usr.bin.passt - dh_apparmor --profile-name=usr.bin.passt -ppasst - cp contrib/apparmor/usr.bin.pasta debian/passt/etc/apparmor.d/usr.bin.pasta - dh_apparmor --profile-name=usr.bin.pasta -ppasst - -%: - dh $@ diff --git a/contrib/debian/watch b/contrib/debian/watch deleted file mode 100644 index 76575dc..0000000 --- a/contrib/debian/watch +++ /dev/null @@ -1,2 +0,0 @@ -# You must remove unused comment lines for the released package. -version=3 -- 2.35.1