Commit graph

40 commits

Author SHA1 Message Date
Stefano Brivio
01801b131f selinux: Switch to a more reasonable model for PID and socket files
Instead of restricting PID files to /var/run/passt.pid, which is a
single file and unlikely to be used, use the user_tmp_t type which
should cover any reasonable need.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
4902447630 selinux: Define interfaces for libvirt and similar frameworks
Services running passt will commonly need to transition to its
domain, terminate it, connect and write to its socket.

The init_daemon_domain() macro now defines the default transition to
the passt_t domain, using the passt_exec_t type.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
9136f74015 selinux/passt.if: Fix typo in passt_read_data interface definition
This is an example interface, currently unused, so it went undetected:
m4 macros need a backtick at the beginning of a block instead of a
single quote.

Fixes: 1f4b7fa0d7 ("passt, pasta: Add examples of SELinux policy modules")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:30 +01:00
Stefano Brivio
5f74465010 Remove contrib/debian, Debian package development now happens on Salsa
The development of the Debian package is now at:
  https://salsa.debian.org/sbrivio/passt

Drop contrib/debian, it's finally obsolete.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-11-16 15:11:09 +01:00
Stefano Brivio
fb7b71b86f contrib/apparmor: Merge pasta and passt profiles, update rules
AppArmor resolves executable links before profile attachment rules
are evaluated, so, as long as pasta is installed as a link to passt,
there's no way to differentiate the two cases. Merge the two profiles
and leave a TODO note behind, explaining two possible ways forward.

Update the rules so that passt and pasta are actually usable, once
the profile is installed. Most required changes are related to
isolation and sandboxing features.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-11-16 15:11:07 +01:00
Stefano Brivio
e23024ccff conf, log, Makefile: Add versioning information
Add a --version option displaying that, and also include this
information in the log files.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-15 02:10:28 +02:00
Stefano Brivio
bd3e6f373f contrib/podman: Rebase to latest upstream
One check moved from networking_linux.go to networking_common.go.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-24 00:00:32 +02:00
Stefano Brivio
e2cae8f1c3 fedora: Escape % characters in spec file's changelog
...rpmbuild otherwise expands valid macro names in changelog entries.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-07 11:01:22 +02:00
Stefano Brivio
7ce9fd165f fedora: Add selinux-policy Requires: tag
fedora-review says:

  Note: Directories without known owners:
  /usr/share/selinux/packages/passt, /usr/share/doc/passt,
  /usr/share/selinux, /usr/share/selinux/packages

and selinux-policy owns the last two of those.

While at it, split Requires: tags also for post and preun actions
onto different lines, for consistency.

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-02 18:03:57 +02:00
Stefano Brivio
96dbaf4d96 fedora: Add %dir entries for own SELinux policy directory and documentation
fedora-review says:

  Note: No known owner of /usr/share/selinux/packages/passt,
  /usr/share/doc/passt

While at it, replace "passt" by "%{name}" in a few places for
consistency.

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-02 17:55:23 +02:00
Stefano Brivio
0cb795e432 podman, slirp4netns.sh: Use --netns option on pasta's command line
...instead of PATH. This seems to be the only change needed in
existing pasta integrations after patch:

  Use explicit --netns option rather than multiplexing with PID

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-30 19:43:31 +02:00
Stefano Brivio
b6742d173c contrib: Rebase Podman patch to latest upstream
Trivial conflicts in man pages only.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:43:31 +02:00
Stefano Brivio
63d1390229 fedora: Pass explicit bindir, mandir, docdir, and drop OpenSUSE override
Fedora's parameters currently match the ones from the Makefile (which
is based on GNU recommendations), but that's not necessarily
guaranteed.

This should make the OpenSUSE Tumbleweed override for docdir
unnecessary: drop it.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:17:48 +02:00
Stefano Brivio
345192ad84 fedora: Use full versioning for SELinux subpackage Requires: tag
...as recommended in:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
7e6617d227 fedora: Define git_hash in spec file and reuse it
...as it's used twice. The short version, however, appears hardcoded
only once in the output, and it comes straight from the rpkg macro
building the version string -- leave that macro as it is.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
cfc1984a96 fedora: Drop comment stating the spec file is an example file
...as this ends up in the actual spec file.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
6da2895cdf fedora: Drop SPDX identifier from spec file
...which makes it fall under MIT licensing terms. Daniel reports that
it's very unusual for spec files to contain explicit licensing terms
and might cause minor inconveniences later on, on mass changes to
spec files.

I originally added licensing information using SPDX identifiers to
make the project fully compliant with the REUSE Specification 3.0
(https://reuse.software/spec/), but there are anyway a few more files
that don't include explicit licensing information. It might be worth
fixing that later on, in any case.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
7aff403c1e fedora: Adopt versioning guideline for snapshots
The "Simple versioning" scheme:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning

probably doesn't apply to passt, given that upstream git tags are
not really releases. Switch to the "Snapshots" versioning scheme:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_snapshots

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:01 +02:00
Stefano Brivio
7b710946b1 Makefile: Use more GNU-style directory variables, explicit docdir for OpenSUSE
It turns out that, while on most distributions "docdir" would be
/usr/share/doc, it's /usr/share/doc/packages/ on OpenSUSE Tumbleweed.
Use an explicit docdir as shown in:
  https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto

and don't unnecessarily hardcode directory variables in the Makefile.
Otherwise, RPM builds for OpenSUSE will fail now that we have a README
there.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-21 22:25:51 +02:00
Stefano Brivio
662407de0f fedora: Fix man pages wildcards in spec file
If the man pages are not compressed, the current wildcards won't
match them. Drop the trailing '.' from them.

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
fece3c7612 fedora: Don't hardcode CFLAGS setting, use %set_build_flags macro instead
This will also set any distribution-specific LDFLAGS. It's not needed
anymore starting from Fedora 36, but the package might be built on
other versions and distributions too (including e.g. CentOS Stream 8).

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
9652674abf fedora: Build SELinux subpackage as noarch
Otherwise, passt-selinux will be built separately for each supported
architecture.

Suggested-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
ebf9009361 fedora: Change source URL to HEAD link with explicit commit SHA
This is required as Fedora doesn't accept a temporary pointer to
a source URL.

Reported-by: Ralf Corsepius <rc040203@freenet.de>
Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
31031d20e2 fedora: Drop VCS tag from spec file
It seems to be exposed by Koji (https://pagure.io/koji/issue/2541),
but it's not actually in use, so we have to drop that. The website
the URL tag points to reports all the needed information anyway.

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
7d0b29c477 fedora: Start Release tag from 1, not 0
...as specified by the Fedora Packaging Guidelines:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
41b5ff0a14 fedora: Introduce own rpkg macro for changelog
git_dir_changelog is useful in theory, but it requires pairs of
annotated tags, which should be generated by rpkg itself to make any
sense, implying a relatively heavyweight interaction whenever I want
to push a new package version.

Also, the default content of the changelog entries includes the full
list of changes, but the Fedora Packaging Guidelines specifically
mention that:

  [t]hey must never simply contain an entire copy of the source
  CHANGELOG entries.

We don't have a CHANGELOG file, but the full git history is
conceptually equivalent for this purpose, I guess.

Introduce our own passt_git_changelog() rpkg macro, building
changelog entries, using tags in the form DATE-SHA, where DATE
is an ISO 8601 date representation, and SHA is a short (7-digit)
form of the head commit at a given moment (git push).

These changelog entries mention, specifically, changes to the
packaging information itself (entries under contrib/fedora), and
simply report a link to cgit for the ranges between tags.

Reported-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
d0c3f8fa9b fedora: Install "plain" README, instead of web version, and demo script
Suggested-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
b516d151b1 contrib, test: Rebase Podman patch, enable three-way merge on git am in demo
Given that a three-way git merge was enough to cope with context
changes in man pages, it's probably a good idea to enable that for
'git am' in the demo too.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-01 12:45:05 +02:00
Stefano Brivio
3b7ba0c432 contrib: Rebase Podman patch to latest upstream
A few trivial conflicts came up. No semantic changes.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-07-21 13:49:15 +02:00
David Gibson
2320ac3349 Don't abbreviate ip(8) arguments in examples and tests
ip(8)'s ability to take abbreviated arguments (e.g. "li sh" instead of
"link show") is very handy when using it interactively, but it doesn't make
for very readable scripts and examples when shown that way.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-06-15 09:38:10 +02:00
Stefano Brivio
fb59cfc909 contrib/fedora: Use pre-processing macros in spec file
...they seem to be supported by COPR now and make things simpler.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-06-08 09:43:48 +02:00
Stefano Brivio
bb8a7b8a2a contrib/fedora: Drop dashes from version
COPR doesn't like them, and I'm trying to build packages there now.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-06-07 17:06:09 +02:00
Stefano Brivio
bdcfe4749e contrib: podman: Add bound address configuration, update port specifications
Rebase the patch for Podman on top of current upstream, and:

- add support for configuration of specific addresses for forwarded
  ports

- by default, disable port forwarding, and reflect this in the man
  page changes

- adjust processing to a new, incompatible format for port storage,
  which I couldn't actually track down to a specific commit, but
  that resulted in https://github.com/containers/podman/issues/13643
  and commit eedaaf33cdbf ("fix slirp4netns port forwarding with
  ranges")

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-05-02 21:46:13 +02:00
Stefano Brivio
bc925b1da4 contrib: Add example of Debian package files
...using dh_apparmor to ship and apply AppArmor profiles. Tried on
current Debian testing (Bookworm, 12).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-30 05:52:39 +02:00
Stefano Brivio
81c2461408 contrib: Add example spec file for Fedora
...with SELinux package, too. Tested on Fedora 35, but it should
work on pretty much any version.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-30 05:52:39 +02:00
Stefano Brivio
1f4b7fa0d7 passt, pasta: Add examples of SELinux policy modules
These should cover any reasonably common use case in distributions.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-29 15:35:38 +02:00
Stefano Brivio
e9d573b14f passt, pasta: Add examples of AppArmor policies
These should cover any reasonably common use case in distributions.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-29 15:35:38 +02:00
Stefano Brivio
e17731ba97 contrib: Add patch for Podman integration
The patch introduces a "pasta" networking mode for rootless
containers, similar to the existing slirp4netns mode. Notable
differences are described in the commit message.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-21 13:41:13 +01:00
Stefano Brivio
20d271b226 contrib: Introduce PoC for Kata Containers with user-mode networking
passt can be used to implement user-mode networking for the Kata
Containers runtime, so that networking setup doesn't need elevated
privileges or capabilities.

This commit adds the patch for Kata Containers runtime and agent
to support passt as networking model and endpoint, and some basic
documentation.

See contrib/kata-containers/README.md for more details and setup
steps.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-28 18:51:50 +01:00
Stefano Brivio
27050b094f libvirt, qemu: Move patches to new directory, contrib
I'm about to add a new adaptation carrying out-of-tree patches
for a Kata Containers PoC -- move the existing out-of-tree patches
to their own directory to keep things easy to find in the main one.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-28 18:51:50 +01:00