passt/Makefile, branch 2022_09_24.8978f65 Plug A Simple Socket Transport Improve types and names for port forwarding configuration 2022-09-24T12:48:35+00:00 David Gibson david@gibson.dropbear.id.au 2022-09-24T09:08:16+00:00 1128fa03fe73092dc68f30d0550283f0897d1f89 enum conf_port_type is local to conf.c and is used to track the port forwarding mode during configuration. We don't keep it around in the context structure, however the 'init_detect_ports' and 'ns_detect_ports' fields in the context are based solely on this. Rather than changing encoding, just include the forwarding mode into the context structure. Move the type definition to a new port_fwd.h, which is kind of trivial at the moment but will have more stuff later. While we're there, "conf_port_type" doesn't really convey that this enum is describing how port forwarding is configured. Rename it to port_fwd_mode. The variables (now fields) of this type also have mildly confusing names since it's not immediately obvious whether 'ns' and 'init' refer to the source or destination of the packets. Use "in" (host to guest / init to ns) and "out" (guest to host / ns to init) instead. This has the added bonus that we no longer have locals 'udp_init' and 'tcp_init' which shadow global functions. In addition, add a typedef 'port_fwd_map' for a bitmap of each port number, which is used in several places. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
enum conf_port_type is local to conf.c and is used to track the port
forwarding mode during configuration.  We don't keep it around in the
context structure, however the 'init_detect_ports' and 'ns_detect_ports'
fields in the context are based solely on this.  Rather than changing
encoding, just include the forwarding mode into the context structure.
Move the type definition to a new port_fwd.h, which is kind of trivial at
the moment but will have more stuff later.

While we're there, "conf_port_type" doesn't really convey that this enum is
describing how port forwarding is configured.  Rename it to port_fwd_mode.
The variables (now fields) of this type also have mildly confusing names
since it's not immediately obvious whether 'ns' and 'init' refer to the
source or destination of the packets.  Use "in" (host to guest / init to
ns) and "out" (guest to host / ns to init) instead.

This has the added bonus that we no longer have locals 'udp_init' and
'tcp_init' which shadow global functions.

In addition, add a typedef 'port_fwd_map' for a bitmap of each port number,
which is used in several places.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Fix the name of the qemu-system-* executable 2022-09-24T07:12:35+00:00 Vasiliy Ulyanov vulyanov@suse.de 2022-09-23T09:56:30+00:00 11e285df8f6f5943e87c78d025da2c95ca158e0b Define the target machine architecture in lowercase. The name of the executable qemu-system-* is defined from the build flags and should be in lowercase: ( "qemu-system-" ARCH ), I.e. qemu-system-x86_64 instead of qemu-system-X86_64. Otherwise, the exec call will fail. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de> Signed-off-by: Dario Faggioli <dfaggioli@suse.com> 
Define the target machine architecture in lowercase.

The name of the executable qemu-system-* is defined from the build flags
and should be in lowercase:

    ( "qemu-system-" ARCH ),

I.e. qemu-system-x86_64 instead of qemu-system-X86_64. Otherwise, the
exec call will fail.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
Makefile: Include seccomp.h in HEADERS and require it for static checkers 2022-09-22T14:53:35+00:00 Stefano Brivio sbrivio@redhat.com 2022-09-14T13:49:32+00:00 6655625c30baf7100514c2f008512e72bae8f861 Targets running static checkers (cppcheck and clang-tidy) need seccomp.h, but the latter is not included in HEADERS. Add it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
Targets running static checkers (cppcheck and clang-tidy) need
seccomp.h, but the latter is not included in HEADERS. Add it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Makefile: Allow define overrides by prepending, not appending, CFLAGS 2022-09-22T14:53:09+00:00 Stefano Brivio sbrivio@redhat.com 2022-09-14T13:34:28+00:00 512f5b1aab2a09faf8d63894ebadc8a2a96c6925 If we append CFLAGS to the ones passed via command line (if any), -D options we append will override -D options passed on command line (if any). For example, OpenSUSE build flags include -D_FORTIFY_SOURCE=3, and we want to have -D_FORTIFY_SOURCE=2, if and only if not overridden. The current behaviour implies we redefine _FORTIFY_SOURCE as 2, though. Instead of appending CFLAGS, prepend them by adding all the default build flags to another variable, a simply expanded one (defined with :=), named FLAGS, and pass that *before* CFLAGS in targets, so that defines from command line can override default flags. Reported-by: Dario Faggioli <dfaggioli@suse.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Dario Faggioli <dfaggioli@suse.com> 
If we append CFLAGS to the ones passed via command line (if any),
-D options we append will override -D options passed on command line
(if any).

For example, OpenSUSE build flags include -D_FORTIFY_SOURCE=3, and we
want to have -D_FORTIFY_SOURCE=2, if and only if not overridden. The
current behaviour implies we redefine _FORTIFY_SOURCE as 2, though.

Instead of appending CFLAGS, prepend them by adding all the default
build flags to another variable, a simply expanded one (defined with
:=), named FLAGS, and pass that *before* CFLAGS in targets, so that
defines from command line can override default flags.

Reported-by: Dario Faggioli <dfaggioli@suse.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Dario Faggioli <dfaggioli@suse.com>
Move self-isolation code into a separate file 2022-09-13T03:31:51+00:00 David Gibson david@gibson.dropbear.id.au 2022-09-12T12:24:03+00:00 d72a1e7bb96b461eb47d921436f7fe344e7b268a passt/pasta contains a number of routines designed to isolate passt from the rest of the system for security. These are spread through util.c and passt.c. Move them together into a new isolation.c file. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
passt/pasta contains a number of routines designed to isolate passt from
the rest of the system for security.  These are spread through util.c and
passt.c.  Move them together into a new isolation.c file.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Makefile: Honour LDFLAGS for binary targets 2022-09-07T09:01:10+00:00 Stefano Brivio sbrivio@redhat.com 2022-09-06T15:44:57+00:00 b2ee37ad38fe6629b4648e18ca4dd338ac9c017d We don't set any, but we should use them if they are passed in the environment. On a Fedora Rawhide package build, annocheck (https://sourceware.org/annobin/) reports: Hardened: /usr/bin/passt: FAIL: bind-now test because not linked with -Wl,-z,now ...despite the build system exporting -Wl,-z,now in LDFLAGS. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
We don't set any, but we should use them if they are passed in the
environment. On a Fedora Rawhide package build, annocheck
(https://sourceware.org/annobin/) reports:

  Hardened: /usr/bin/passt: FAIL: bind-now test because not linked with -Wl,-z,now

...despite the build system exporting -Wl,-z,now in LDFLAGS.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Makefile: Use more GNU-style directory variables, explicit docdir for OpenSUSE 2022-08-21T20:25:51+00:00 Stefano Brivio sbrivio@redhat.com 2022-08-21T09:23:54+00:00 7b710946b152fabab0f3c838e5518576beb9020c It turns out that, while on most distributions "docdir" would be /usr/share/doc, it's /usr/share/doc/packages/ on OpenSUSE Tumbleweed. Use an explicit docdir as shown in: https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto and don't unnecessarily hardcode directory variables in the Makefile. Otherwise, RPM builds for OpenSUSE will fail now that we have a README there. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It turns out that, while on most distributions "docdir" would be
/usr/share/doc, it's /usr/share/doc/packages/ on OpenSUSE Tumbleweed.
Use an explicit docdir as shown in:
  https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto

and don't unnecessarily hardcode directory variables in the Makefile.
Otherwise, RPM builds for OpenSUSE will fail now that we have a README
there.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Makefile: Install demo.sh too, uninstall stuff under /usr/share 2022-08-20T17:07:12+00:00 Stefano Brivio sbrivio@redhat.com 2022-08-17T11:33:38+00:00 be0fe6502f4fa893e2f960d8caef1bd6faeb0062 Suggested-by: Benson Muite <benson_muite@emailplus.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Suggested-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Makefile: Ugly hack to get a "plain" Markdown version of README 2022-08-20T17:07:12+00:00 Stefano Brivio sbrivio@redhat.com 2022-08-09T22:21:09+00:00 c5f4ba1b1b27a6879855127dcd4947a081e0d249 Distribution packages reasonably expect to have a human-readable Markdown version of the README under /usr/share/doc/, but all we have right now is a heavily web-oriented version. Introduce a ugly hack to strip web-oriented parts from the current README and install it. It should probably work the other way around: a human-readable README could be used as a source for the web page. But cgit needs a file that's in the tree, not something that can be built, and https://passt.top/ is based on cgit. It should eventually be doable to work around this in cgit, instead. Reported-by: Benson Muite <benson_muite@emailplus.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Distribution packages reasonably expect to have a human-readable
Markdown version of the README under /usr/share/doc/, but all we have
right now is a heavily web-oriented version.

Introduce a ugly hack to strip web-oriented parts from the current
README and install it.

It should probably work the other way around: a human-readable README
could be used as a source for the web page. But cgit needs a file
that's in the tree, not something that can be built, and
https://passt.top/ is based on cgit. It should eventually be doable
to work around this in cgit, instead.

Reported-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
valgrind needs futex 2022-07-22T17:41:42+00:00 David Gibson david@gibson.dropbear.id.au 2022-07-15T05:21:33+00:00 05dc1c65c11c05709ebde73e74d91fd29226ba9c Some versions of valgrind (such as the version on my Fedora laptop - valgrind-3.19.0-3.fc36.x86_64) use futexes. But futex is currently not allowed in the seccomp filter, even with the extra calls added for valgrind builds. Add it, to avoid spurious valgrind failures. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
Some versions of valgrind (such as the version on my Fedora laptop -
valgrind-3.19.0-3.fc36.x86_64) use futexes.  But futex is currently not
allowed in the seccomp filter, even with the extra calls added for
valgrind builds.  Add it, to avoid spurious valgrind failures.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>