* [PATCH 1/8] Makefile: Honour passed CPPFLAGS, not just CFLAGS
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-15 5:00 ` David Gibson
2022-11-15 1:23 ` [PATCH 2/8] Makefile: Don't filter out -O2 from supplied flags for AVX2 builds Stefano Brivio
` (6 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
CPPFLAGS allow the user to pass pre-processor flags. This is unlikely
to be needed at the moment, but the Debian Hardening Walkthrough
reasonably requests it to be handled in order to fully support
hardened build flags:
https://wiki.debian.org/HardeningWalkthrough#Handling_dpkg-buildflags_in_your_upstream_build_system
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
Makefile | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index 6b22408..a6e3164 100644
--- a/Makefile
+++ b/Makefile
@@ -60,8 +60,8 @@ HEADERS = $(PASST_HEADERS) seccomp.h
# csum_unaligned(). Mark csum_unaligned() as "noipa" as a quick work-around,
# while we figure out if a corresponding gcc issue has already been reported.
ifeq (,$(filter-out 11 12, $(shell $(CC) -dumpversion)))
-ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS)))
-ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS)))
+ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
+ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
FLAGS += -DTCP_HASH_NOINLINE
FLAGS += -DSIPHASH_20B_NOINLINE
FLAGS += -DCSUM_UNALIGNED_NO_IPA
@@ -121,11 +121,11 @@ seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
@ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
passt: $(PASST_SRCS) $(HEADERS)
- $(CC) $(FLAGS) $(CFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
+ $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
passt.avx2: $(PASST_SRCS) $(HEADERS)
- $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS)) \
+ $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
$(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
passt.avx2: passt
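Review bot: Nothing in the `passt` and `passt.avx2` recipes says that the position of `$(CPPFLAGS)` matters. It now follows `$(FLAGS)`, so any `-D` or `-U` the packager supplies takes precedence over the defaults in FLAGS, which include `-D_FORTIFY_SOURCE=2` according to the context lines of patch 3/8. That precedence is presumably what a hardened-flags build wants, but a differing value can also draw a macro-redefinition warning from the compiler. I would state it above the rule, e.g. `# CPPFLAGS comes last so that user-supplied -D/-U override the defaults in FLAGS`. The `qrap` recipe in the next hunk uses the same ordering.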
@@ -134,7 +134,7 @@ pasta.avx2 pasta.1 pasta: pasta%: passt%
ln -s $< $@
qrap: $(QRAP_SRCS) passt.h
- $(CC) $(FLAGS) $(CFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
+ $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \
getpid gettid kill clock_gettime mmap \
@@ -283,7 +283,7 @@ clang-tidy: $(SRCS) $(HEADERS)
-concurrency-mt-unsafe,\
-readability-identifier-length \
-config='{CheckOptions: [{key: bugprone-suspicious-string-compare.WarnOnImplicitComparison, value: "false"}]}' \
- --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS))
+ --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS) $(CPPFLAGS))
SYSTEM_INCLUDES := /usr/include $(wildcard /usr/include/$(TARGET))
ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1)
@@ -299,5 +299,5 @@ cppcheck: $(SRCS) $(HEADERS)
$(SYSTEM_INCLUDES:%=--suppress=unmatchedSuppression:%/*) \
--inline-suppr \
--suppress=unusedStructMember \
- $(filter -D%,$(FLAGS) $(CFLAGS)) \
+ $(filter -D%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
.
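Review bot: The `-D%` filter in the cppcheck invocation keeps only macro definitions, so a `-U…` or `-I…` arriving through the newly added `$(CPPFLAGS)` reaches the compiler but not the analyser. cppcheck may then check a different preprocessor configuration than the one that is built. If that matters, the filter could read `$(filter -D% -U% -I%,$(FLAGS) $(CFLAGS) $(CPPFLAGS))`; flags written with a separating space (`-I dir`) would still be missed. The cppcheck recipe starts above this hunk, so the other options it passes are not visible here.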
--
@@ -60,8 +60,8 @@ HEADERS = $(PASST_HEADERS) seccomp.h
# csum_unaligned(). Mark csum_unaligned() as "noipa" as a quick work-around,
# while we figure out if a corresponding gcc issue has already been reported.
ifeq (,$(filter-out 11 12, $(shell $(CC) -dumpversion)))
-ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS)))
-ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS)))
+ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
+ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
FLAGS += -DTCP_HASH_NOINLINE
FLAGS += -DSIPHASH_20B_NOINLINE
FLAGS += -DCSUM_UNALIGNED_NO_IPA
@@ -121,11 +121,11 @@ seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
@ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
passt: $(PASST_SRCS) $(HEADERS)
- $(CC) $(FLAGS) $(CFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
+ $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
passt.avx2: $(PASST_SRCS) $(HEADERS)
- $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS)) \
+ $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
$(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
passt.avx2: passt
@@ -134,7 +134,7 @@ pasta.avx2 pasta.1 pasta: pasta%: passt%
ln -s $< $@
qrap: $(QRAP_SRCS) passt.h
- $(CC) $(FLAGS) $(CFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
+ $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \
getpid gettid kill clock_gettime mmap \
@@ -283,7 +283,7 @@ clang-tidy: $(SRCS) $(HEADERS)
-concurrency-mt-unsafe,\
-readability-identifier-length \
-config='{CheckOptions: [{key: bugprone-suspicious-string-compare.WarnOnImplicitComparison, value: "false"}]}' \
- --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS))
+ --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS) $(CPPFLAGS))
SYSTEM_INCLUDES := /usr/include $(wildcard /usr/include/$(TARGET))
ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1)
@@ -299,5 +299,5 @@ cppcheck: $(SRCS) $(HEADERS)
$(SYSTEM_INCLUDES:%=--suppress=unmatchedSuppression:%/*) \
--inline-suppr \
--suppress=unusedStructMember \
- $(filter -D%,$(FLAGS) $(CFLAGS)) \
+ $(filter -D%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
.
--
2.35.1
* Re: [PATCH 1/8] Makefile: Honour passed CPPFLAGS, not just CFLAGS
2022-11-15 1:23 ` [PATCH 1/8] Makefile: Honour passed CPPFLAGS, not just CFLAGS Stefano Brivio
@ 2022-11-15 5:00 ` David Gibson
0 siblings, 0 replies; 16+ messages in thread
From: David Gibson @ 2022-11-15 5:00 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
[-- Attachment #1: Type: text/plain, Size: 3631 bytes --]
On Tue, Nov 15, 2022 at 02:23:42AM +0100, Stefano Brivio wrote:
> CPPFLAGS allow the user to pass pre-processor flags. This is unlikely
> to be needed at the moment, but the Debian Hardening Walkthrough
> reasonably requests it to be handled in order to fully support
> hardened build flags:
> https://wiki.debian.org/HardeningWalkthrough#Handling_dpkg-buildflags_in_your_upstream_build_system
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Possible refinement, though: if we moved our own flags which are
really for the preprocessor (-D*) to CPPFLAGS, then we can probably
pass just CPPFLAGS, not CFLAGS to the static checkers and avoid the
ugly filter/filter-out expressions.
> ---
> Makefile | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 6b22408..a6e3164 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -60,8 +60,8 @@ HEADERS = $(PASST_HEADERS) seccomp.h
> # csum_unaligned(). Mark csum_unaligned() as "noipa" as a quick work-around,
> # while we figure out if a corresponding gcc issue has already been reported.
> ifeq (,$(filter-out 11 12, $(shell $(CC) -dumpversion)))
> -ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS)))
> -ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS)))
> +ifneq (,$(filter -flto%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
> +ifneq (,$(filter -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)))
> FLAGS += -DTCP_HASH_NOINLINE
> FLAGS += -DSIPHASH_20B_NOINLINE
> FLAGS += -DCSUM_UNALIGNED_NO_IPA
> @@ -121,11 +121,11 @@ seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
> @ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS)
>
> passt: $(PASST_SRCS) $(HEADERS)
> - $(CC) $(FLAGS) $(CFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
> + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS)
>
> passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
> passt.avx2: $(PASST_SRCS) $(HEADERS)
> - $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS)) \
> + $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
> $(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
>
> passt.avx2: passt
> @@ -134,7 +134,7 @@ pasta.avx2 pasta.1 pasta: pasta%: passt%
> ln -s $< $@
>
> qrap: $(QRAP_SRCS) passt.h
> - $(CC) $(FLAGS) $(CFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
> + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS)
>
> valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \
> getpid gettid kill clock_gettime mmap \
> @@ -283,7 +283,7 @@ clang-tidy: $(SRCS) $(HEADERS)
> -concurrency-mt-unsafe,\
> -readability-identifier-length \
> -config='{CheckOptions: [{key: bugprone-suspicious-string-compare.WarnOnImplicitComparison, value: "false"}]}' \
> - --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS))
> + --warnings-as-errors=* $(SRCS) -- $(filter-out -pie,$(FLAGS) $(CFLAGS) $(CPPFLAGS))
>
> SYSTEM_INCLUDES := /usr/include $(wildcard /usr/include/$(TARGET))
> ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1)
> @@ -299,5 +299,5 @@ cppcheck: $(SRCS) $(HEADERS)
> $(SYSTEM_INCLUDES:%=--suppress=unmatchedSuppression:%/*) \
> --inline-suppr \
> --suppress=unusedStructMember \
> - $(filter -D%,$(FLAGS) $(CFLAGS)) \
> + $(filter -D%,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
> .
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* [PATCH 2/8] Makefile: Don't filter out -O2 from supplied flags for AVX2 builds
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
2022-11-15 1:23 ` [PATCH 1/8] Makefile: Honour passed CPPFLAGS, not just CFLAGS Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-15 5:15 ` David Gibson
2022-11-15 1:23 ` [PATCH 3/8] Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL Stefano Brivio
` (5 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
Drop it from the internal FLAGS variable, but honour -O2 if passed in
CFLAGS. In Debian packages, dpkg-buildflags uses it as a hardening
flag, and we get a QA warning if we drop it:
https://qa.debian.org/bls/bytag/W-dpkg-buildflags-missing.html
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a6e3164..f0b8e1d 100644
--- a/Makefile
+++ b/Makefile
@@ -125,7 +125,7 @@ passt: $(PASST_SRCS) $(HEADERS)
passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
passt.avx2: $(PASST_SRCS) $(HEADERS)
- $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
+ $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \
$(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
passt.avx2: passt
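Review bot: With `$(CFLAGS)` moved outside the `filter-out`, a user-supplied `-O2` now lands after the `-Ofast` that the target-specific `FLAGS +=` adds, and with GCC the last `-O` option on the command line is the one that takes effect. A Debian build that passes `-O2` therefore gets `passt.avx2` compiled at `-O2` (the `-mavx2 -ftree-vectorize -funroll-loops` options still apply). That matches the commit message but is easy to miss when reading the rule. A comment such as `# A user-supplied -O level in CFLAGS follows -Ofast and overrides it` above the recipe would record it.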
--
@@ -125,7 +125,7 @@ passt: $(PASST_SRCS) $(HEADERS)
passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
passt.avx2: $(PASST_SRCS) $(HEADERS)
- $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
+ $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \
$(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
passt.avx2: passt
--
2.35.1
* Re: [PATCH 2/8] Makefile: Don't filter out -O2 from supplied flags for AVX2 builds
2022-11-15 1:23 ` [PATCH 2/8] Makefile: Don't filter out -O2 from supplied flags for AVX2 builds Stefano Brivio
@ 2022-11-15 5:15 ` David Gibson
0 siblings, 0 replies; 16+ messages in thread
From: David Gibson @ 2022-11-15 5:15 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
[-- Attachment #1: Type: text/plain, Size: 1190 bytes --]
On Tue, Nov 15, 2022 at 02:23:43AM +0100, Stefano Brivio wrote:
> Drop it from the internal FLAGS variable, but honour -O2 if passed in
> CFLAGS. In Debian packages, dpkg-buildflags uses it as hardening
> flag, and we get a QA warning if we drop it:
> https://qa.debian.org/bls/bytag/W-dpkg-buildflags-missing.html
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> Makefile | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Makefile b/Makefile
> index a6e3164..f0b8e1d 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -125,7 +125,7 @@ passt: $(PASST_SRCS) $(HEADERS)
>
> passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
> passt.avx2: $(PASST_SRCS) $(HEADERS)
> - $(CC) $(filter-out -O2,$(FLAGS) $(CFLAGS) $(CPPFLAGS)) \
> + $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \
> $(PASST_SRCS) -o passt.avx2 $(LDFLAGS)
>
> passt.avx2: passt
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* [PATCH 3/8] Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
2022-11-15 1:23 ` [PATCH 1/8] Makefile: Honour passed CPPFLAGS, not just CFLAGS Stefano Brivio
2022-11-15 1:23 ` [PATCH 2/8] Makefile: Don't filter out -O2 from supplied flags for AVX2 builds Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-16 5:14 ` David Gibson
2022-11-15 1:23 ` [PATCH 4/8] Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH Stefano Brivio
` (4 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
On mips64el, gcc -dumpmachine correctly reports mips64el as
architecture prefix, but for some reason seccomp.h defines
AUDIT_ARCH_MIPSEL64 and not AUDIT_ARCH_MIPS64EL. Mangle AUDIT_ARCH
accordingly.
Build error spotted in Debian's buildd logs from Loongson build.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index f0b8e1d..95b49ac 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ AUDIT_ARCH := $(shell echo $(TARGET_ARCH) | tr [a-z] [A-Z] | sed 's/^ARM.*/ARM/'
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
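Review bot: The added `s/MIPS64EL/MIPSEL64/` mapping carries no comment explaining why the spelling differs from the toolchain's. AUDIT_ARCH presumably becomes the architecture constant the seccomp filter is built against (patch 4/8's subject calls it PASST_AUDIT_ARCH), so a wrong value is a build or sandbox failure rather than a cosmetic one. I would add `# Kernel headers name it AUDIT_ARCH_MIPSEL64, not MIPS64EL` above the line. It may also be worth checking an N32 toolchain, where the prefix is presumably still mips64el while the kernel's constant is AUDIT_ARCH_MIPSEL64N32; that cannot be verified from this hunk, since the derivation of TARGET_ARCH lies outside it.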
--
@@ -25,6 +25,7 @@ AUDIT_ARCH := $(shell echo $(TARGET_ARCH) | tr [a-z] [A-Z] | sed 's/^ARM.*/ARM/'
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
--
2.35.1
* Re: [PATCH 3/8] Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL
2022-11-15 1:23 ` [PATCH 3/8] Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL Stefano Brivio
@ 2022-11-16 5:14 ` David Gibson
0 siblings, 0 replies; 16+ messages in thread
From: David Gibson @ 2022-11-16 5:14 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
[-- Attachment #1: Type: text/plain, Size: 1352 bytes --]
On Tue, Nov 15, 2022 at 02:23:44AM +0100, Stefano Brivio wrote:
> On mips64el, gcc -dumpmachine correctly reports mips64el as
> architecture prefix, but for some reason seccomp.h defines
> AUDIT_ARCH_MIPSEL64 and not AUDIT_ARCH_MIPS64EL. Mangle AUDIT_ARCH
> accordingly.
>
> Build error spotted in Debian's buildd logs from Loongson build.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/Makefile b/Makefile
> index f0b8e1d..95b49ac 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -25,6 +25,7 @@ AUDIT_ARCH := $(shell echo $(TARGET_ARCH) | tr [a-z] [A-Z] | sed 's/^ARM.*/ARM/'
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
> +AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
>
> FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
> FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* [PATCH 4/8] Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
` (2 preceding siblings ...)
2022-11-15 1:23 ` [PATCH 3/8] Makefile: It's AUDIT_ARCH_MIPSEL64, not AUDIT_ARCH_MIPS64EL Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-16 5:15 ` David Gibson
2022-11-15 1:23 ` [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64 Stefano Brivio
` (3 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
The AUDIT_ARCH defines in seccomp.h corresponding to HPPA are
AUDIT_ARCH_PARISC and AUDIT_ARCH_PARISC64.
Build error spotted in Debian's buildd log on
phantom.physik.fu-berlin.de.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 95b49ac..1dc2df5 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/')
FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
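Review bot: The `s/HPPA/PARISC/` substitution covers both constants named in the commit message only because it is unanchored: a 64-bit prefix would presumably become PARISC64 through the same expression. That dependency is not written down, and a later clean-up that anchors the pattern, as the ARM line visible in the hunk header does with `^ARM.*`, would silently drop the 64-bit case. A comment such as `# Unanchored on purpose: also maps HPPA64 to PARISC64` would protect it.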
--
@@ -26,6 +26,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
+AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/')
FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
--
2.35.1
* Re: [PATCH 4/8] Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH
2022-11-15 1:23 ` [PATCH 4/8] Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH Stefano Brivio
@ 2022-11-16 5:15 ` David Gibson
0 siblings, 0 replies; 16+ messages in thread
From: David Gibson @ 2022-11-16 5:15 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
[-- Attachment #1: Type: text/plain, Size: 1249 bytes --]
On Tue, Nov 15, 2022 at 02:23:45AM +0100, Stefano Brivio wrote:
> The AUDIT_ARCH defines in seccomp.h corresponding to HPPA are
> AUDIT_ARCH_PARISC and AUDIT_ARCH_PARISC64.
>
> Build error spotted in Debian's buildd log on
> phantom.physik.fu-berlin.de.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/Makefile b/Makefile
> index 95b49ac..1dc2df5 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -26,6 +26,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/I[456]86/I386/')
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/')
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/')
> AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/')
> +AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/')
>
> FLAGS := -Wall -Wextra -pedantic -std=c99 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE
> FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
` (3 preceding siblings ...)
2022-11-15 1:23 ` [PATCH 4/8] Makefile: Change HPPA into PARISC while building PASST_AUDIT_ARCH Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-16 5:17 ` David Gibson
2022-11-15 1:23 ` [PATCH 6/8] README: Add links to Debian package tracker Stefano Brivio
` (2 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
On ia64, clone(2) is not available: the glibc wrapper is named
__clone2() and it takes, additionally, the size of the stack area
passed by the caller.
Spotted in Debian's buildd logs.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
pasta.c | 9 +++++++++
util.h | 12 ++++++++++++
2 files changed, 21 insertions(+)
diff --git a/pasta.c b/pasta.c
index db86317..1f3afa1 100644
--- a/pasta.c
+++ b/pasta.c
@@ -226,11 +226,20 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
arg.argv = sh_argv;
}
+#ifdef __ia64__
+ pasta_child_pid = __clone2(pasta_spawn_cmd,
+ ns_fn_stack + sizeof(ns_fn_stack) / 2,
+ sizeof(ns_fn_stack) / 2,
+ CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
+ CLONE_NEWUTS,
+ (void *)&arg);
+#else
pasta_child_pid = clone(pasta_spawn_cmd,
ns_fn_stack + sizeof(ns_fn_stack) / 2,
CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
CLONE_NEWUTS,
(void *)&arg);
+#endif
if (pasta_child_pid == -1) {
perror("clone");
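Review bot: The two branches hand the same pointer, `ns_fn_stack + sizeof(ns_fn_stack) / 2`, to calls that interpret it differently, and nothing in the code says so. Per the commit message `__clone2()` additionally takes the size of the stack area, and the clone(2) manual describes its stack argument as the lowest address of that area, whereas `clone()` takes the top of a downward-growing stack. The ia64 child would therefore use the upper half of the buffer and other architectures the lower half. A short comment in the `#ifdef __ia64__` branch, e.g. `/* __clone2() takes the lowest address of the stack area and its size */`, would make the bound explicit for whoever resizes `ns_fn_stack` later. `pasta_start_ns()` starts and ends outside the hunk.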
diff --git a/util.h b/util.h
index 2d4e1ff..3c48992 100644
--- a/util.h
+++ b/util.h
@@ -81,6 +81,17 @@
(((struct in_addr *)(a))->s_addr == ((struct in_addr *)b)->s_addr)
#define NS_FN_STACK_SIZE (RLIMIT_STACK_VAL * 1024 / 8)
+#ifdef __ia64__
+#define NS_CALL(fn, arg) \
+ do { \
+ char ns_fn_stack[NS_FN_STACK_SIZE]; \
+ \
+ __clone2((fn), ns_fn_stack + sizeof(ns_fn_stack) / 2, \
+ sizeof(ns_fn_stack) / 2, \
+ CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,\
+ (void *)(arg)); \
+ } while (0)
+#else
#define NS_CALL(fn, arg) \
do { \
char ns_fn_stack[NS_FN_STACK_SIZE]; \
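Review bot: The ia64 `NS_CALL()` discards the return value of `__clone2()`, as the existing `clone()` variant appears to do, so a failed call means `fn` never ran and the caller continues as if it had. If callers rely on `fn` having executed in the target namespace, that failure should be surfaced. Changing the macro's shape is a larger change than this patch, but a comment on both variants such as `/* NOTE: return value ignored; on failure fn has not run */` would at least record it. The `#else` variant of the macro continues past the end of this hunk.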
@@ -89,6 +100,7 @@
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, \
(void *)(arg)); \
} while (0)
+#endif
#if __BYTE_ORDER == __BIG_ENDIAN
#define L2_BUF_ETH_IP4_INIT \
--
@@ -81,6 +81,17 @@
(((struct in_addr *)(a))->s_addr == ((struct in_addr *)b)->s_addr)
#define NS_FN_STACK_SIZE (RLIMIT_STACK_VAL * 1024 / 8)
+#ifdef __ia64__
+#define NS_CALL(fn, arg) \
+ do { \
+ char ns_fn_stack[NS_FN_STACK_SIZE]; \
+ \
+ __clone2((fn), ns_fn_stack + sizeof(ns_fn_stack) / 2, \
+ sizeof(ns_fn_stack) / 2, \
+ CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,\
+ (void *)(arg)); \
+ } while (0)
+#else
#define NS_CALL(fn, arg) \
do { \
char ns_fn_stack[NS_FN_STACK_SIZE]; \
@@ -89,6 +100,7 @@
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, \
(void *)(arg)); \
} while (0)
+#endif
#if __BYTE_ORDER == __BIG_ENDIAN
#define L2_BUF_ETH_IP4_INIT \
--
2.35.1
* Re: [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64
2022-11-15 1:23 ` [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64 Stefano Brivio
@ 2022-11-16 5:17 ` David Gibson
2022-11-16 8:12 ` Stefano Brivio
0 siblings, 1 reply; 16+ messages in thread
From: David Gibson @ 2022-11-16 5:17 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
[-- Attachment #1: Type: text/plain, Size: 2396 bytes --]
On Tue, Nov 15, 2022 at 02:23:46AM +0100, Stefano Brivio wrote:
> On ia64, clone(2) is not available: the glibc wrapper is named
> __clone2() and it takes, additionally, the size of the stack area
> passed by the caller.
>
> Spotted in Debian's buildd logs.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Urgh, I'd really prefer to make our own wrapper to reduce two ifdefs
to one.
> ---
> pasta.c | 9 +++++++++
> util.h | 12 ++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/pasta.c b/pasta.c
> index db86317..1f3afa1 100644
> --- a/pasta.c
> +++ b/pasta.c
> @@ -226,11 +226,20 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
> arg.argv = sh_argv;
> }
>
> +#ifdef __ia64__
> + pasta_child_pid = __clone2(pasta_spawn_cmd,
> + ns_fn_stack + sizeof(ns_fn_stack) / 2,
> + sizeof(ns_fn_stack) / 2,
> + CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
> + CLONE_NEWUTS,
> + (void *)&arg);
> +#else
> pasta_child_pid = clone(pasta_spawn_cmd,
> ns_fn_stack + sizeof(ns_fn_stack) / 2,
> CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET |
> CLONE_NEWUTS,
> (void *)&arg);
> +#endif
>
> if (pasta_child_pid == -1) {
> perror("clone");
> diff --git a/util.h b/util.h
> index 2d4e1ff..3c48992 100644
> --- a/util.h
> +++ b/util.h
> @@ -81,6 +81,17 @@
> (((struct in_addr *)(a))->s_addr == ((struct in_addr *)b)->s_addr)
>
> #define NS_FN_STACK_SIZE (RLIMIT_STACK_VAL * 1024 / 8)
> +#ifdef __ia64__
> +#define NS_CALL(fn, arg) \
> + do { \
> + char ns_fn_stack[NS_FN_STACK_SIZE]; \
> + \
> + __clone2((fn), ns_fn_stack + sizeof(ns_fn_stack) / 2, \
> + sizeof(ns_fn_stack) / 2, \
> + CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,\
> + (void *)(arg)); \
> + } while (0)
> +#else
> #define NS_CALL(fn, arg) \
> do { \
> char ns_fn_stack[NS_FN_STACK_SIZE]; \
> @@ -89,6 +100,7 @@
> CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, \
> (void *)(arg)); \
> } while (0)
> +#endif
>
> #if __BYTE_ORDER == __BIG_ENDIAN
> #define L2_BUF_ETH_IP4_INIT \
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* Re: [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64
2022-11-16 5:17 ` David Gibson
@ 2022-11-16 8:12 ` Stefano Brivio
0 siblings, 0 replies; 16+ messages in thread
From: Stefano Brivio @ 2022-11-16 8:12 UTC (permalink / raw)
To: David Gibson; +Cc: passt-dev
On Wed, 16 Nov 2022 16:17:13 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:
> On Tue, Nov 15, 2022 at 02:23:46AM +0100, Stefano Brivio wrote:
> > On ia64, clone(2) is not available: the glibc wrapper is named
> > __clone2() and it takes, additionally, the size of the stack area
> > passed by the caller.
> >
> > Spotted in Debian's buildd logs.
> >
> > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
>
> Urgh, I'd really prefer to make our own wrapper to reduce two ifdefs
> to one.
Hmm, right. I'd go with:
__clone(int (*fn)(void *), void *stack_base, size_t stack_size,
int flags, void *arg)
...where stack_base is ns_fn_stack. Better ideas (especially for the
name)?
--
Stefano
* [PATCH 6/8] README: Add links to Debian package tracker
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
` (4 preceding siblings ...)
2022-11-15 1:23 ` [PATCH 5/8] util, pasta: Use __clone2() instead of clone() on ia64 Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-16 5:18 ` David Gibson
2022-11-15 1:23 ` [PATCH 7/8] contrib/apparmor: Merge pasta and passt profiles, update rules Stefano Brivio
2022-11-15 1:23 ` [PATCH 8/8] Remove contrib/debian, Debian package development now happens on Salsa Stefano Brivio
7 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
README.md | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 0e2ca78..3d0a5b4 100644
--- a/README.md
+++ b/README.md
@@ -343,19 +343,20 @@ speeding up local connections, and usually requiring NAT. _pasta_:
* ⌚ drop-in replacement for VPNKit (rootless Docker)
### Availability
+* ✅ official [packages](https://tracker.debian.org/pkg/passt) for Debian
* ✅ official [packages](https://src.fedoraproject.org/rpms/passt) for Fedora
* ✅ unofficial
[packages](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) for CentOS
Stream, EPEL, Mageia
-* ✅ unofficial packages from x86_64 static builds for other RPM-based
- distributions and Debian
+* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
+ static builds for other RPM-based distributions
+* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
+ static builds for Debian-based distributions
* ✅ testing on non-x86_64 architectures (aarch64, armv7l, i386, ppc64, ppc64le,
s390x)
-* ✅ example Debian [package files](/passt/tree/contrib/debian)
* 🛠 official
[openSUSE packages](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt)
-* ⌚ official packages for Debian
- ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498)), Arch Linux
+* ⌚ official packages for Arch Linux
### Services
* ✅ built-in [ARP proxy](/passt/tree/arp.c)
@@ -538,12 +539,13 @@ See also the [test logs](/builds/latest/test/).
* alternatively, install one of the available packages:
- * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
+ * [Debian](https://tracker.debian.org/pkg/passt) (official)
* [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
* [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
+ * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
* [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
Static binaries and packages are simply built with:
@@ -587,12 +589,13 @@ See also the [test logs](/builds/latest/test/).
* alternatively, install one of the available packages:
- * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
+ * [Debian](https://tracker.debian.org/pkg/passt) (official)
* [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
* [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
+ * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
* [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
Static binaries and packages are simply built with:
--
@@ -343,19 +343,20 @@ speeding up local connections, and usually requiring NAT. _pasta_:
* ⌚ drop-in replacement for VPNKit (rootless Docker)
### Availability
+* ✅ official [packages](https://tracker.debian.org/pkg/passt) for Debian
* ✅ official [packages](https://src.fedoraproject.org/rpms/passt) for Fedora
* ✅ unofficial
[packages](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) for CentOS
Stream, EPEL, Mageia
-* ✅ unofficial packages from x86_64 static builds for other RPM-based
- distributions and Debian
+* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
+ static builds for other RPM-based distributions
+* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
+ static builds for Debian-based distributions
* ✅ testing on non-x86_64 architectures (aarch64, armv7l, i386, ppc64, ppc64le,
s390x)
-* ✅ example Debian [package files](/passt/tree/contrib/debian)
* 🛠 official
[openSUSE packages](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt)
-* ⌚ official packages for Debian
- ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498)), Arch Linux
+* ⌚ official packages for Arch Linux
### Services
* ✅ built-in [ARP proxy](/passt/tree/arp.c)
@@ -538,12 +539,13 @@ See also the [test logs](/builds/latest/test/).
* alternatively, install one of the available packages:
- * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
+ * [Debian](https://tracker.debian.org/pkg/passt) (official)
* [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
* [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
+ * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
* [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
Static binaries and packages are simply built with:
@@ -587,12 +589,13 @@ See also the [test logs](/builds/latest/test/).
* alternatively, install one of the available packages:
- * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
+ * [Debian](https://tracker.debian.org/pkg/passt) (official)
* [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
* [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
* [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
+ * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
* [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
Static binaries and packages are simply built with:
--
2.35.1
* Re: [PATCH 6/8] README: Add links to Debian package tracker
2022-11-15 1:23 ` [PATCH 6/8] README: Add links to Debian package tracker Stefano Brivio
@ 2022-11-16 5:18 ` David Gibson
0 siblings, 0 replies; 16+ messages in thread
From: David Gibson @ 2022-11-16 5:18 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev
On Tue, Nov 15, 2022 at 02:23:47AM +0100, Stefano Brivio wrote:
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> README.md | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/README.md b/README.md
> index 0e2ca78..3d0a5b4 100644
> --- a/README.md
> +++ b/README.md
> @@ -343,19 +343,20 @@ speeding up local connections, and usually requiring NAT. _pasta_:
> * ⌚ drop-in replacement for VPNKit (rootless Docker)
>
> ### Availability
> +* ✅ official [packages](https://tracker.debian.org/pkg/passt) for Debian
> * ✅ official [packages](https://src.fedoraproject.org/rpms/passt) for Fedora
> * ✅ unofficial
> [packages](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) for CentOS
> Stream, EPEL, Mageia
> -* ✅ unofficial packages from x86_64 static builds for other RPM-based
> - distributions and Debian
> +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
> + static builds for other RPM-based distributions
> +* ✅ unofficial [packages](https://passt.top/builds/latest/x86_64/) from x86_64
> + static builds for Debian-based distributions
> * ✅ testing on non-x86_64 architectures (aarch64, armv7l, i386, ppc64, ppc64le,
> s390x)
> -* ✅ example Debian [package files](/passt/tree/contrib/debian)
> * 🛠 official
> [openSUSE packages](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt)
> -* ⌚ official packages for Debian
> - ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498)), Arch Linux
> +* ⌚ official packages for Arch Linux
>
> ### Services
> * ✅ built-in [ARP proxy](/passt/tree/arp.c)
> @@ -538,12 +539,13 @@ See also the [test logs](/builds/latest/test/).
>
> * alternatively, install one of the available packages:
>
> - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
> + * [Debian](https://tracker.debian.org/pkg/passt) (official)
> * [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
> * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
> + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
> * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
>
> Static binaries and packages are simply built with:
> @@ -587,12 +589,13 @@ See also the [test logs](/builds/latest/test/).
>
> * alternatively, install one of the available packages:
>
> - * [Debian and Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
> + * [Debian](https://tracker.debian.org/pkg/passt) (official)
> * [Fedora](https://src.fedoraproject.org/rpms/passt) (official)
> * [CentOS Stream](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [EPEL](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [Mageia](https://copr.fedorainfracloud.org/coprs/sbrivio/passt/) (unofficial)
> * [openSUSE](https://build.opensuse.org/package/show/home:dfaggioli:devel/passt) (unofficial)
> + * [Debian-based](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
> * [Other RPM-based distributions](/builds/latest/x86_64/) (unofficial, from static x86_64 builds)
>
> Static binaries and packages are simply built with:
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
* [PATCH 7/8] contrib/apparmor: Merge pasta and passt profiles, update rules
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
` (5 preceding siblings ...)
2022-11-15 1:23 ` [PATCH 6/8] README: Add links to Debian package tracker Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
2022-11-15 1:23 ` [PATCH 8/8] Remove contrib/debian, Debian package development now happens on Salsa Stefano Brivio
7 siblings, 0 replies; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
AppArmor resolves executable links before profile attachment rules
are evaluated, so, as long as pasta is installed as a link to passt,
there's no way to differentiate the two cases. Merge the two profiles
and leave a TODO note behind, explaining two possible ways forward.
Update the rules so that passt and pasta are actually usable, once
the profile is installed. Most required changes are related to
isolation and sandboxing features.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/apparmor/usr.bin.passt | 73 ++++++++++++++++++++++++----------
contrib/apparmor/usr.bin.pasta | 66 ------------------------------
2 files changed, 51 insertions(+), 88 deletions(-)
delete mode 100644 contrib/apparmor/usr.bin.pasta
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index a19fede..96b61ef 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -3,7 +3,10 @@
# PASST - Plug A Simple Socket Transport
# for qemu/UNIX domain socket mode
#
-# contrib/apparmor/usr.bin.passt - AppArmor profile example/template for passt
+# PASTA - Pack A Subtle Tap Abstraction
+# for network namespace/tap device mode
+#
+# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) and pasta(1)
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
@@ -12,31 +15,29 @@ abi <abi/3.0>,
include <tunables/global>
-/usr/bin/passt {
- ### Alternatively: include <abstractions/base>
- @{etc_ro}/ld.so.cache r,
- /{usr/,}lib{,32,64}/ld-*.so r,
- /{usr/,}lib{,32,64}/libc-*.so mr,
- /{usr/,}lib/@{multiarch}/ld-*.so r,
- /{usr/,}lib/@{multiarch}/libc-*.so mr,
- /dev/null rw, # __daemon(), util.c
- signal receive set=int peer=unconfined,
- signal receive set=term peer=unconfined,
- ###
+profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) {
+ ### Common rules for passt and pasta
- ### Alternatively: include <abstractions/nameservice>
+ include <abstractions/base>
+
+ # Alternatively: include <abstractions/nameservice>
@{etc_ro}/resolv.conf r, # get_dns(), conf.c
- ###
- capability sys_admin, # sandbox(), passt.c
- capability setpcap, # drop_caps(), util.c
+ capability net_bind_service, # isolation.c, conf.c
+ capability setuid,
+ capability setgid,
+ capability sys_admin,
+ capability setpcap,
+ capability net_admin,
+ capability sys_ptrace,
- mount "" -> "/", # sandbox(), passt.c
+ / r, # isolate_prefork(), isolation.c
+ mount "" -> "/",
mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/",
umount "/",
- network netlink raw, # netlink.c
+ network netlink raw, # nl_sock_init_do(), netlink.c
network inet stream, # tcp.c
network inet6 stream,
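Review bot: The capability lines added to the common section (`setuid`, `setgid`, `sys_admin`, `setpcap`, `net_admin`, `sys_ptrace`) carry no source annotation, and the two that had one (`# sandbox(), passt.c`, `# drop_caps(), util.c`) lose it, so someone auditing the profile cannot tell which grant serves which code path. In the removed profiles, `net_admin` was marked `# for network namespace only` and `sys_ptrace` was granted to pasta alone, which suggests both belong under the later "Rules for pasta" heading rather than in the block described as common. I would move them there and keep the notes, e.g. `capability net_admin, # pasta: network namespace only`, and add a function/file reference to each remaining capability in the same style as the `net_bind_service` line. The profile block opened in this hunk closes outside it.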
@@ -46,14 +47,42 @@ include <tunables/global>
network unix stream, # tap.c
- network unix dgram, # __openlog(), util.c
+ network unix dgram, # __openlog(), log.c
- ### Alternatively: include <abstractions/user-tmp>
+ # Alternatively: include <abstractions/user-tmp>
owner /tmp/** w, # tap_sock_unix_init(), pcap(),
- # write_pidfile()
- ###
+ # write_pidfile(),
+ # logfile_init()
owner @{HOME}/** w, # pcap(), write_pidfile()
/usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c
+
+
+ ### Rules for pasta
+ ###
+ ### TODO: AppArmor doesn't give us the chance to attach a separate profile
+ ### depending on the executable symlink. That's possible with SELinux. Two
+ ### alternatives: implement that in AppArmor, or consider aa_change_hat(2).
+ ### With this, rules for passt(1) could be restricted significantly. Note that
+ ### the attach_disconnected flag is not needed for passt(1).
+
+ @{PROC}/net/tcp r, # procfs_scan_listen(), util.c
+ @{PROC}/net/tcp6 r,
+ @{PROC}/net/udp r,
+ @{PROC}/net/udp6 r,
+
+ @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
+
+ @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
+ @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns()
+
+ /dev/net/tun rw, # tap_ns_tun(), tap.c
+
+ owner @{PROC}/@{pid}/gid_map w, # pasta_start_ns(), conf_ugid()
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/uid_map rw,
+
+ owner @{PROC}/sys/net/ipv4/ping_group_range w, # pasta_spawn_cmd(), pasta.c
+ /{usr/,}bin/** Ux,
}
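Review bot: The last rule, `/{usr/,}bin/** Ux,`, lets anything under /bin or /usr/bin run outside confinement, and because the profile is now shared it applies to passt as well as pasta; the removed pasta profile used `mrix` on the same path, which kept the child under the parent's profile. This is the widest grant in the file and the only explanation is the `pasta_spawn_cmd()` comment on the line above it. I would state the intent on the rule itself, e.g. `# Ux: spawned command runs unconfined (environment scrubbed); also reachable from passt until the profiles are split`, and name it in the TODO as the first rule to restrict. If pasta only needs to start a shell or a user-supplied command, as the old `# spawning shell` comment hints, a child profile or a narrower path might be enough, but the hunk does not show that.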
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
deleted file mode 100644
index 844fcf3..0000000
--- a/contrib/apparmor/usr.bin.pasta
+++ /dev/null
@@ -1,66 +0,0 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# PASTA - Pack A Subtle Tap Abstraction
-# for network namespace/tap device mode
-#
-# contrib/apparmor/usr.bin.pasta - AppArmor profile example/template for pasta
-#
-# Copyright (c) 2022 Red Hat GmbH
-# Author: Stefano Brivio <sbrivio@redhat.com>
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-/usr/bin/pasta flags=(attach_disconnected) {
- include <abstractions/base> # Interactive shell
- include <abstractions/nameservice>
- include <abstractions/consoles>
- include <abstractions/bash>
- owner /proc/**/ns/user r,
- / r,
- capability sys_ptrace, # bash
- capability dac_read_search,
- capability dac_override,
- @{etc_ro}/** r,
- /usr/** r,
- /lib/** r,
- owner @{HOME}/** rw,
- owner /tmp/** rw,
-
- /proc/*/net/tcp r, # procfs_scan_listen(), util.c
- /proc/*/net/tcp6 r,
- /proc/*/net/udp r,
- /proc/*/net/udp6 r,
-
- /dev/net/tun rw, # tap_ns_tun(), tap.c
-
- capability net_admin, # for network namespace only
- capability setpcap, # drop_caps(), util.c
- capability sys_admin, # sandbox(), passt.c
-
- mount "" -> "/", # sandbox(), passt.c
- mount "" -> "/tmp/",
- pivot_root "/tmp/" -> "/tmp/",
- umount "/",
-
- network netlink raw, # netlink.c
-
- network inet stream, # tcp.c
- network inet6 stream,
-
- network inet dgram, # udp.c
- network inet6 dgram,
-
- network unix stream, # tap.c
-
- network unix dgram, # __openlog(), util.c
-
- owner /proc/*/gid_map w, # pasta_setup_ns()
- owner /proc/*/setgroups w,
- owner /proc/*/uid_map w,
- owner /proc/sys/net/ipv4/ping_group_range w,
- /{usr/,}bin/** mrix, # spawning shell
-
- /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c
-}
--
2.35.1
* [PATCH 8/8] Remove contrib/debian, Debian package development now happens on Salsa
2022-11-15 1:23 [PATCH 0/8] Fixes for Debian package functionality and build Stefano Brivio
` (6 preceding siblings ...)
2022-11-15 1:23 ` [PATCH 7/8] contrib/apparmor: Merge pasta and passt profiles, update rules Stefano Brivio
@ 2022-11-15 1:23 ` Stefano Brivio
7 siblings, 0 replies; 16+ messages in thread
From: Stefano Brivio @ 2022-11-15 1:23 UTC (permalink / raw)
To: passt-dev
The development of the Debian package is now at:
https://salsa.debian.org/sbrivio/passt
Drop contrib/debian, it's finally obsolete.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/debian/README.Debian | 8 --------
contrib/debian/changelog | 6 ------
contrib/debian/control | 22 ----------------------
contrib/debian/copyright | 13 -------------
contrib/debian/rules | 12 ------------
contrib/debian/watch | 2 --
6 files changed, 63 deletions(-)
delete mode 100644 contrib/debian/README.Debian
delete mode 100644 contrib/debian/changelog
delete mode 100644 contrib/debian/control
delete mode 100644 contrib/debian/copyright
delete mode 100755 contrib/debian/rules
delete mode 100644 contrib/debian/watch
diff --git a/contrib/debian/README.Debian b/contrib/debian/README.Debian
deleted file mode 100644
index 43bb1b5..0000000
--- a/contrib/debian/README.Debian
+++ /dev/null
@@ -1,8 +0,0 @@
-passt for Debian
-
-Please edit this to provide information specific to
-this passt Debian package.
-
- (Describe here)
-
- -- Stefano Brivio <> Mon, 28 Mar 2022 15:54:11 +0200
diff --git a/contrib/debian/changelog b/contrib/debian/changelog
deleted file mode 100644
index d3ac798..0000000
--- a/contrib/debian/changelog
+++ /dev/null
@@ -1,6 +0,0 @@
-passt (0+gitXXXXXXXXXXXX-1) UNRELEASED; urgency=low
-
- * Initial release. Closes: #nnnn
- <nnnn is the bug number of your ITP>
-
- -- Stefano Brivio <> Mon, 28 Mar 2022 15:54:11 +0200
diff --git a/contrib/debian/control b/contrib/debian/control
deleted file mode 100644
index a62d3e0..0000000
--- a/contrib/debian/control
+++ /dev/null
@@ -1,22 +0,0 @@
-Source: passt
-Section: net
-Priority: optional
-Maintainer: Stefano Brivio <sbrivio@redhat.com>
-Build-Depends: debhelper-compat (= 12), dh-apparmor
-Standards-Version: 4.5.0
-Homepage: https://passt.top/
-
-Suggests: apparmor
-Package: passt
-Architecture: any
-Multi-Arch: foreign
-Depends: ${misc:Depends}, ${shlibs:Depends}
-Description: user-mode networking daemons for virtual machines and namespaces
- passt implements a translation layer between a Layer-2 network interface and
- native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on a host. It doesn't
- require any capabilities or privileges, and it can be used as a simple
- replacement for Slirp.
- pasta (same binary as passt, different command) offers equivalent functionality,
- for network namespaces: traffic is forwarded using a tap interface inside the
- namespace, without the need to create further interfaces on the host, hence not
- requiring any capabilities or privileges.
diff --git a/contrib/debian/copyright b/contrib/debian/copyright
deleted file mode 100644
index 0f2df74..0000000
--- a/contrib/debian/copyright
+++ /dev/null
@@ -1,13 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: passt
-Upstream-Contact: Stefano Brivio <sbrivio@redhat.com>
-Upstream-Contact: passt-dev@passt.top
-Source: https://passt.top/
-
-Files: *
-Copyright: 2020-2022, Red Hat GmbH, Stefano Brivio <sbrivio@redhat.com>
-License: AGPL-3.0-or-later
-
-Files: checksum.c
-Copyright: 2021, Red Hat GmbH, Stefano Brivio <sbrivio@redhat.com>
-License: AGPL-3.0-or-later AND BSD-3-Clause
diff --git a/contrib/debian/rules b/contrib/debian/rules
deleted file mode 100755
index a926d32..0000000
--- a/contrib/debian/rules
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/make -f
-
-override_dh_auto_install:
- dh_auto_install -- prefix=/usr
- mkdir -p debian/passt/etc/apparmor.d/
- cp contrib/apparmor/usr.bin.passt debian/passt/etc/apparmor.d/usr.bin.passt
- dh_apparmor --profile-name=usr.bin.passt -ppasst
- cp contrib/apparmor/usr.bin.pasta debian/passt/etc/apparmor.d/usr.bin.pasta
- dh_apparmor --profile-name=usr.bin.pasta -ppasst
-
-%:
- dh $@
diff --git a/contrib/debian/watch b/contrib/debian/watch
deleted file mode 100644
index 76575dc..0000000
--- a/contrib/debian/watch
+++ /dev/null
@@ -1,2 +0,0 @@
-# You must remove unused comment lines for the released package.
-version=3
--
2.35.1