Commit graph

50 commits

Author SHA1 Message Date
Stefano Brivio
42fb62516d contrib: Drop QEMU out-of-tree patches
Native support was introduced with commit 13c6be96618c, QEMU 7.2.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-09 03:44:21 +01:00
Stefano Brivio
f3cd0f9e45 contrib: Drop Podman out-of-tree patch, integration is upstream now
See https://github.com/containers/podman/pull/16141, shipped in
Podman 4.4.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-09 03:44:21 +01:00
Stefano Brivio
d361fe6e80 contrib/selinux: Let interface users set paths for log, PID, socket files
Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.

Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2023-03-09 00:36:08 +01:00
Stefano Brivio
de9b0cb5fe contrib/selinux: Allow binding and connecting to all UDP and TCP ports
Laine reports that with a simple:

      <portForward proto='tcp'>
        <range start='2022' to='22'/>
      </portForward>

in libvirt's domain XML, passt won't start as it fails to bind
arbitrary ports. That was actually the intention behind passt_port_t:
the user or system administrator should have explicitly configured
allowed ports on a given machine. But it's probably not realistic, so
just allow any port to be bound and forwarded.

Also fix up some missing operations on sockets.

Reported-by: Laine Stump <laine@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2023-03-09 00:36:08 +01:00
Stefano Brivio
41bc669866 contrib/selinux: Let passt write to stdout and stderr when it starts
Otherwise, it's unusable as stand-alone tool, or in foreground mode,
and it's also impossible to get output from --help or --version,
because for SELinux it's just a daemon.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2023-03-09 00:36:08 +01:00
Stefano Brivio
009af75e45 contrib/selinux: Drop duplicate init_daemon_domain() rule
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2023-03-09 00:36:08 +01:00
Stefano Brivio
b1b75bd73a contrib/apparmor: Split profile into abstractions, use them
One day, libvirt might actually support running passt to provide
guest connectivity. Should libvirtd (or virtqemud) start passt, it
will need to access socket and PID files in specific locations, and
passt needs to accept SIGTERM in case QEMU fails to start after passt
is already started.

To make this more convenient, split the current profile into two
abstractions, for passt and for pasta, so that external programmes
can include the bits they need (and especially not include the pasta
abstraction if they only need to start passt), plus whatever specific
adaptation is needed.

For stand-alone usage of passt and pasta, the 'passt' profile simply
includes both abstractions, plus rules to create and access PID and
capture files in default or reasonable ($HOME) locations.

Tested on Debian with libvirt 9.0.0 together with a local fix to start
passt as intended, namely libvirt commit c0efdbdb9f66 ("qemu_passt:
Avoid double daemonizing passt"). This is an example of how the
libvirtd profile (or virtqemud abstraction, or virtqemud profile) can
use this:

  # support for passt network back-end
  /usr/bin/passt Cx -> passt,
  profile passt {
    /usr/bin/passt r,

    owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
    signal (receive) set=("term") peer=/usr/sbin/libvirtd,
    signal (receive) set=("term") peer=libvirtd,

    include if exists <abstractions/passt>
  }

translated:

- when executing /usr/bin/passt, switch to the subprofile "passt"
  (not the "discrete", i.e. stand-alone profile), described below.
  Scrub the environment (e.g. LD_PRELOAD is dropped)

- in the "passt" subprofile:

  - allow reading the binary

  - allow read and write access to PID and socket files

  - make passt accept SIGTERM from /usr/sbin/libvirtd, and
    libvirtd peer names

  - include anything else that's needed by passt itself

Suggested-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-27 18:56:32 +01:00
Stefano Brivio
933aa1014b selinux/passt.te: Allow setting socket option on routing netlink socket
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
0c11355e83 selinux/passt.te: Allow /etc/resolv.conf symlinks to be followed
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
7d9150db0a selinux/passt.te: Allow setcap on the process itself
This is needed by the new functions in isolate.c, add the
corresponding rule.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
01801b131f selinux: Switch to a more reasonable model for PID and socket files
Instead of restricting PID files to /var/run/passt.pid, which is a
single file and unlikely to be used, use the user_tmp_t type which
should cover any reasonable need.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
4902447630 selinux: Define interfaces for libvirt and similar frameworks
Services running passt will commonly need to transition to its
domain, terminate it, connect and write to its socket.

The init_daemon_domain() macro now defines the default transition to
the passt_t domain, using the passt_exec_t type.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:37 +01:00
Stefano Brivio
9136f74015 selinux/passt.if: Fix typo in passt_read_data interface definition
This is an example interface, currently unused, so it went undetected:
m4 macros need a backtick at the beginning of a block instead of a
single quote.

Fixes: 1f4b7fa0d7 ("passt, pasta: Add examples of SELinux policy modules")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-21 19:12:30 +01:00
Stefano Brivio
5f74465010 Remove contrib/debian, Debian package development now happens on Salsa
The development of the Debian package is now at:
  https://salsa.debian.org/sbrivio/passt

Drop contrib/debian, it's finally obsolete.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-11-16 15:11:09 +01:00
Stefano Brivio
fb7b71b86f contrib/apparmor: Merge pasta and passt profiles, update rules
AppArmor resolves executable links before profile attachment rules
are evaluated, so, as long as pasta is installed as a link to passt,
there's no way to differentiate the two cases. Merge the two profiles
and leave a TODO note behind, explaining two possible ways forward.

Update the rules so that passt and pasta are actually usable, once
the profile is installed. Most required changes are related to
isolation and sandboxing features.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-11-16 15:11:07 +01:00
Stefano Brivio
e23024ccff conf, log, Makefile: Add versioning information
Add a --version option displaying that, and also include this
information in the log files.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-15 02:10:28 +02:00
Stefano Brivio
bd3e6f373f contrib/podman: Rebase to latest upstream
One check moved from networking_linux.go to networking_common.go.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-24 00:00:32 +02:00
Stefano Brivio
e2cae8f1c3 fedora: Escape % characters in spec file's changelog
...rpmbuild otherwise expands valid macro names in changelog entries.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-07 11:01:22 +02:00
Stefano Brivio
7ce9fd165f fedora: Add selinux-policy Requires: tag
fedora-review says:

  Note: Directories without known owners:
  /usr/share/selinux/packages/passt, /usr/share/doc/passt,
  /usr/share/selinux, /usr/share/selinux/packages

and selinux-policy owns those two last ones.

While at it, split Requires: tags also for post and preun actions
onto different lines, for consistency.

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-02 18:03:57 +02:00
Stefano Brivio
96dbaf4d96 fedora: Add %dir entries for own SELinux policy directory and documentation
fedora-review says:

  Note: No known owner of /usr/share/selinux/packages/passt,
  /usr/share/doc/passt

While at it, replace "passt" by "%{name}" in a few places for
consistency.

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-09-02 17:55:23 +02:00
Stefano Brivio
0cb795e432 podman, slirp4netns.sh: Use --netns option on pasta's command line
...instead of PATH. This seems to be the only change needed in
existing pasta integrations after patch:

  Use explicit --netns option rather than multiplexing with PID

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-30 19:43:31 +02:00
Stefano Brivio
b6742d173c contrib: Rebase Podman patch to latest upstream
Trivial conflicts in man pages only.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:43:31 +02:00
Stefano Brivio
63d1390229 fedora: Pass explicit bindir, mandir, docdir, and drop OpenSUSE override
Fedora's parameters currently match the ones from the Makefile (which
is based on GNU recommendations), but that's not necessarily
guaranteed.

This should make the OpenSUSE Tumbleweed override for docdir
unnecessary: drop it.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:17:48 +02:00
Stefano Brivio
345192ad84 fedora: Use full versioning for SELinux subpackage Requires: tag
...as recommended in:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package

Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
7e6617d227 fedora: Define git_hash in spec file and reuse it
...as it's used twice. The short version, however, appears hardcoded
only once in the output, and it comes straight from the rpkg macro
building the version string -- leave that macro as it is.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
cfc1984a96 fedora: Drop comment stating the spec file is an example file
...as this ends up in the actual spec file.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
6da2895cdf fedora: Drop SPDX identifier from spec file
...which makes it fall under MIT licensing terms. Daniel reports that
it's very unusual for spec files to contain explicit licensing terms
and might cause minor inconveniences later on, on mass changes to
spec files.

I originally added licensing information using SPDX identifiers to
make the project fully compliant with the REUSE Specification 3.0
(https://reuse.software/spec/), but there are anyway a few more files
not including explicit licensing information. It might be worth to
fix that later on, in any case.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:44 +02:00
Stefano Brivio
7aff403c1e fedora: Adopt versioning guideline for snapshots
The "Simple versioning" scheme:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning

probably doesn't apply to passt, given that upstream git tags are
not really releases. Switch to the "Snapshots" versioning scheme:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_snapshots

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-30 19:16:01 +02:00
Stefano Brivio
7b710946b1 Makefile: Use more GNU-style directory variables, explicit docdir for OpenSUSE
It turns out that, while on most distributions "docdir" would be
/usr/share/doc, it's /usr/share/doc/packages/ on OpenSUSE Tumbleweed.
Use an explicit docdir as shown in:
  https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto

and don't unnecessarily hardcode directory variables in the Makefile.
Otherwise, RPM builds for OpenSUSE will fail now that we have a README
there.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-21 22:25:51 +02:00
Stefano Brivio
662407de0f fedora: Fix man pages wildcards in spec file
If the man pages are not compressed, the current wildcards wouldn't
match them. Drop the trailing '.' from them.

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
fece3c7612 fedora: Don't hardcode CFLAGS setting, use %set_build_flags macro instead
This will also set any distribution-specific LDFLAGS. It's not needed
anymore starting from Fedora 36, but the package might be built on
other versions and distributions too (including e.g. CentOS Stream 8).

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
9652674abf fedora: Build SELinux subpackage as noarch
Otherwise, passt-selinux will be built separately for each supported
architecture.

Suggested-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
ebf9009361 fedora: Change source URL to HEAD link with explicit commit SHA
This is required as Fedora doesn't accept a temporary pointer to
a source URL.

Reported-by: Ralf Corsepius <rc040203@freenet.de>
Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
31031d20e2 fedora: Drop VCS tag from spec file
It seems to be exposed by Koji (https://pagure.io/koji/issue/2541),
but it's not actually in use, so we have to drop that. The website
the URL tag points to reports all the needed information anyway.

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
7d0b29c477 fedora: Start Release tag from 1, not 0
...as specified by the Fedora Packaging Guidelines:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simple_versioning

Reported-by: Artur Frenszek-Iwicki <fedora@svgames.pl>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
41b5ff0a14 fedora: Introduce own rpkg macro for changelog
git_dir_changelog is useful in theory, but it requires pairs of
annotated tags, which should be generated by rpkg itself to make any
sense, implying a relatively heavyweight interaction whenever I want
to push a new package version.

Also, the default content of the changelog entries include the full
list of changes, but the Fedora Packaging Guidelines specifically
mention that:

  [t]hey must never simply contain an entire copy of the source
  CHANGELOG entries.

We don't have a CHANGELOG file, but the full git history is
conceptually equivalent for this purpose, I guess.

Introduce our own passt_git_changelog() rpkg macro, building
changelog entries, using tags in the form DATE-SHA, where DATE
is an ISO 8601 date representation, and SHA is a short (7-digits)
form of the head commit at a given moment (git push).

These changelog entries mention, specifically, changes to the
packaging information itself (entries under contrib/fedora), and
simply report a link to cgit for the ranges between tags.

Reported-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
d0c3f8fa9b fedora: Install "plain" README, instead of web version, and demo script
Suggested-by: Benson Muite <benson_muite@emailplus.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-20 19:07:12 +02:00
Stefano Brivio
b516d151b1 contrib, test: Rebase Podman patch, enable three-way merge on git am in demo
Given that a three-way git merge was enough to cope with context
changes in man pages, it's probably a good idea to enable that for
'git am' in the demo too.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-08-01 12:45:05 +02:00
Stefano Brivio
3b7ba0c432 contrib: Rebase Podman patch to latest upstream
A few trivial conflicts came up. No semantic changes.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-07-21 13:49:15 +02:00
David Gibson
2320ac3349 Don't abbreviate ip(8) arguments in examples and tests
ip(8)'s ability to take abbreviated arguments (e.g. "li sh" instead of
"link show") is very handy when using it interactively, but it doesn't make
for very readable scripts and examples when shown that way.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-06-15 09:38:10 +02:00
Stefano Brivio
fb59cfc909 contrib/fedora: Use pre-processing macros in spec file
...they seem to be supported by COPR now and make things simpler.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-06-08 09:43:48 +02:00
Stefano Brivio
bb8a7b8a2a contrib/fedora: Drop dashes from version
COPR doesn't like them, and I'm trying to build packages there now.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-06-07 17:06:09 +02:00
Stefano Brivio
bdcfe4749e contrib: podman: Add bound address configuration, update port specifications
Rebase the patch for Podman on top of current upstream, and:

- add support for configuration of specific addresses for forwarded
  ports

- by default, disable port forwarding, and reflect this in the man
  page changes

- adjust processing to a new, incompatible format for port storage,
  which I couldn't actually track down to a specific commit, but
  that resulted in https://github.com/containers/podman/issues/13643
  and commit eedaaf33cdbf ("fix slirp4netns port forwarding with
  ranges")

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-05-02 21:46:13 +02:00
Stefano Brivio
bc925b1da4 contrib: Add example of Debian package files
...using dh_apparmor to ship and apply AppArmor profiles. Tried on
current Debian testing (Bookworm, 12).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-30 05:52:39 +02:00
Stefano Brivio
81c2461408 contrib: Add example spec file for Fedora
...with SELinux package, too. Tested on Fedora 35, but it should
work on pretty much any version.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-30 05:52:39 +02:00
Stefano Brivio
1f4b7fa0d7 passt, pasta: Add examples of SELinux policy modules
These should cover any reasonably common use case in distributions.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-29 15:35:38 +02:00
Stefano Brivio
e9d573b14f passt, pasta: Add examples of AppArmor policies
These should cover any reasonably common use case in distributions.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-03-29 15:35:38 +02:00
Stefano Brivio
e17731ba97 contrib: Add patch for Podman integration
The patch introduces a "pasta" networking mode for rootless
container, similar to the existing slirp4netns mode. Notable
differences are described in the commit message.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-21 13:41:13 +01:00
Stefano Brivio
20d271b226 contrib: Introduce PoC for Kata Containers with user-mode networking
passt can be used to implement user-mode networking for the Kata
Containers runtime, so that networking setup doesn't need elevated
privileges or capabilities.

This commit adds the patch for Kata Containers runtime and agent
to support passt as networking model and endpoint, and some basic
documentation.

See contrib/kata-containers/README.md for more details and setup
steps.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-28 18:51:50 +01:00
Stefano Brivio
27050b094f libvirt, qemu: Move patches to new directory, contrib
I'm about to add a new adaptation carrying out-of-tree patches
for a Kata Containers PoC -- move the existing out-of-tree patches
to their own directory to keep things easy to find in the main one.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-28 18:51:50 +01:00