passt, branch 2025_06_11.0293c6f Plug A Simple Socket Transport fedora: Hide restorecon(8) errors in post-transaction scriptlet 2025-06-11T14:24:50+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T15:06:43+00:00 0293c6f4a316baa561a9b43388906707f8cf7e81 Commit e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") added a call to restorecon for /run/user in the passt-selinux post-transaction scriptlet, and we can't give a path that's more specific than that, but it often contains FUSE mountpoints that are not accessible as root, resulting in warnings as the package is installed. Hide the errors, a failure in relabeling wouldn't be really problematic in any case. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit e01932353869 ("fedora: Separately restore context for /run/user
in %posttrans selinux") added a call to restorecon for /run/user in
the passt-selinux post-transaction scriptlet, and we can't give a path
that's more specific than that, but it often contains FUSE mountpoints
that are not accessible as root, resulting in warnings as the package
is installed.

Hide the errors, a failure in relabeling wouldn't be really
problematic in any case.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
fedora: Add container-selinux as dependency for passt-selinux 2025-06-11T14:24:47+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-10T14:51:46+00:00 98da8a94693f5c138188acd83dc352f197a64817 Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers") introduces usage of container_user_r, container_runtime_t, and container_t, which are provided by the container-selinux package. Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159 Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
Commit 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
introduces usage of container_user_r, container_runtime_t, and
container_t, which are provided by the container-selinux package.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: 7aeda16a7818 ("selinux: Transition to pasta_t in containers")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>
flow, repair: Proper error handling for missing passt-repair helper on target 2025-06-06T08:46:40+00:00 Stefano Brivio sbrivio@redhat.com 2025-06-04T16:23:13+00:00 754c6d728686c5d115bd97c628d53733776dd711 If the target doesn't have a connected passt-repair helper, repair_wait() sets a timeout and forcibly calls accept4(), but if the timeout expires, we don't report any error and proceed as if we had a connected helper. Later, in repair_flush(), sendmsg() will fail for each flow we try to migrate with EBADF, and we'll handle that gracefully, but it makes no sense to even try, and it also leads to noise in the logs. Similarly to how we handle a missing repair helper in flow_migrate_repair_all(), propagate timeout and other errors through repair_wait(), and don't attempt to migrate flows if repair_wait() failed. Fixes: c8b520c0625b ("flow, repair: Wait for a short while for passt-repair to connect") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
If the target doesn't have a connected passt-repair helper,
repair_wait() sets a timeout and forcibly calls accept4(), but if the
timeout expires, we don't report any error and proceed as if we had a
connected helper.

Later, in repair_flush(), sendmsg() will fail for each flow we try to
migrate with EBADF, and we'll handle that gracefully, but it makes no
sense to even try, and it also leads to noise in the logs.

Similarly to how we handle a missing repair helper in
flow_migrate_repair_all(), propagate timeout and other errors through
repair_wait(), and don't attempt to migrate flows if repair_wait()
failed.

Fixes: c8b520c0625b ("flow, repair: Wait for a short while for passt-repair to connect")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Depend on SELinux tools and policy version, drop circular dependency 2025-06-06T08:46:40+00:00 Vit Mojzis vmojzis@redhat.com 2025-05-30T16:37:46+00:00 a2088fef360ee262c19186470d63875b32f80917 From an original patch by Vit Mojzis: add dependencies on SELinux userspace tools and recommend the latest available version of the policy as of now. Drop circular dependency between passt and passt-selinux: passt requires passt-selinux, so passt-selinux shouldn't require passt. Link: https://src.fedoraproject.org/rpms/passt/pull-request/3 Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
From an original patch by Vit Mojzis: add dependencies on SELinux
userspace tools and recommend the latest available version of the
policy as of now.

Drop circular dependency between passt and passt-selinux: passt
requires passt-selinux, so passt-selinux shouldn't require passt.

Link: https://src.fedoraproject.org/rpms/passt/pull-request/3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Call %selinux_modules_* macros only once 2025-06-06T08:46:40+00:00 Petr Lautrbach lautrbach@redhat.com 2025-05-30T08:09:14+00:00 d21bcd9f7c70d1be09a923ad366cdf883112e431 %selinux_modules_* macros has `-i %*` so that it can be used for multiple modules at once. This will improve the performace of the package (un)installation. $ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm real 49.09 user 44.16 sys 4.37 $ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm real 17.03 user 15.06 sys 1.83 Reported-by: Richard W.M. Jones <rjones@redhat.com> Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/ Link: https://src.fedoraproject.org/rpms/passt/pull-request/2 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
%selinux_modules_* macros has `-i %*` so that it can be used for
multiple modules at once. This will improve the performace of the
package (un)installation.

$ sudo time -p rpm --reinstall passt-selinux-0\^20250512.g8ec1341-1.fc42.noarch.rpm
real 49.09
user 44.16
sys 4.37

$ sudo time -p rpm --reinstall results_passt/0\^20250512.g8ec1341/2.fc43/passt-selinux-0\^20250512.g8ec1341-2.fc43.noarch.rpm
real 17.03
user 15.06
sys 1.83

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYIZRIDTNKF5DJ5XULHDWDAFQSYOAOZC/
Link: https://src.fedoraproject.org/rpms/passt/pull-request/2
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf: flush stdout before early exit 2025-06-06T08:46:40+00:00 Jon Maloy jmaloy@redhat.com 2025-05-29T17:08:58+00:00 081df67d1fb28bf7a98f98c6c3417ec1d45ce6d7 Before doing an early exit any contents of stdout is normally flushed. This doesn't happen when the output goes into a pipe and we return with _exit(). We now add an explicit flush in such cases. Reported-by: John Radley <jradxl2@gmail.com> Fixes: d0006fa784a7 ("treewide: use _exit() over exit()") Signed-off-by: Jon Maloy <jmaloy@redhat.com> Reviewed-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: cast fflush() calls to void to dodge clang-tidy warning] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Before doing an early exit any contents of stdout is normally flushed.
This doesn't happen when the output goes into a pipe and we return with
_exit(). We now add an explicit flush in such cases.

Reported-by: John Radley <jradxl2@gmail.com>
Fixes: d0006fa784a7 ("treewide: use _exit() over exit()")
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Reviewed-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: cast fflush() calls to void to dodge clang-tidy warning]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
passt-repair: Fix missing newlines in error messages 2025-06-06T08:46:29+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-23T13:10:06+00:00 bcb559600545498ae7598617ef82d2810937132c Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Correct various function comment headers 2025-06-04T10:32:04+00:00 Laurent Vivier lvivier@redhat.com 2025-05-19T08:52:56+00:00 2c883498b58a3dab702b3376a2ca828e61d3283d This commit refines function comment headers for improved accuracy and consistency. Key changes include: - Corrected parameter/return descriptions (e.g., `logtime`, `__daemon`). - Added missing and removed incorrect parameter documentation (e.g., `tcp_vu_sock_recv`, `ndp`). - Standardized comments to the `/** ... */` style for functions like `udp_flow_close` and `ns_enter`. - Ensured function names in comments consistently use `()`. - Addressed minor typos and updated comments for renamed functions. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This commit refines function comment headers for improved accuracy
and consistency. Key changes include:

- Corrected parameter/return descriptions (e.g., `logtime`, `__daemon`).
- Added missing and removed incorrect parameter documentation (e.g.,
  `tcp_vu_sock_recv`, `ndp`).
- Standardized comments to the `/** ... */` style for functions
  like `udp_flow_close` and `ns_enter`.
- Ensured function names in comments consistently use `()`.
- Addressed minor typos and updated comments for renamed functions.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tap: Avoid bogus missingReturn cppcheck warning in tap_l2_max_len() 2025-06-04T10:32:04+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-15T16:05:01+00:00 515b5ee53aac7b04254b5072ab624def58dac0d8 Cppcheck 2.14.2 on Alpine Linux (musl) says that: tap.c:111:19: error: Found an exit path from function with non-void return type that has missing return statement [missingReturn] switch (c->mode) { ^ This exit path is not reachable because we ASSERT(0) after the switch, but for some reason cppcheck doesn't see this with musl headers. Hide the warning with a redundant return statement. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Cppcheck 2.14.2 on Alpine Linux (musl) says that:

tap.c:111:19: error: Found an exit path from function with non-void return type that has missing return statement [missingReturn]
 switch (c->mode) {
                  ^

This exit path is not reachable because we ASSERT(0) after the switch,
but for some reason cppcheck doesn't see this with musl headers. Hide
the warning with a redundant return statement.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fedora: Separately restore context for /run/user in %posttrans selinux 2025-06-04T10:24:13+00:00 Stefano Brivio sbrivio@redhat.com 2025-05-22T21:04:15+00:00 e019323538699967c155c29411545223dadfc0f5 The previous change introduces specific file contexts for /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns, but %selinux_relabel_post can't handle that, see comments for more details. Add a separate restorecon(8) call for /run/user as post-transaction scriptlet for the SELinux subpackage. Reported-by: Max Chernoff <git@maxchernoff.ca> Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Max Chernoff <git@maxchernoff.ca> 
The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.

Add a separate restorecon(8) call for /run/user as post-transaction
scriptlet for the SELinux subpackage.

Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>