Accepting request 1176450 from network

OBS-URL: https://build.opensuse.org/request/show/1176450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libteam?expand=0&rev=25

0001-teamd-lw-arp_ping-bitmask-VID-in-VLAN-BPF-filter.patch

@@ -0,0 +1,43 @@
+From 337125ce8d24ed66d7f4c7e6eef50458f3e7d154 Mon Sep 17 00:00:00 2001
+From: Robert Karbowski <rkarbowski2@gmail.com>
+Date: Sun, 19 May 2024 12:40:03 +0200
+Subject: [PATCH] teamd: lw: arp_ping: bitmask VID in VLAN BPF filter
+
+BPF filter arp_vlan_rpl_flt fails if in the ARP response the VLAN tag has,
+in addition to VID, also PCP (priority code point).
+This patch is masking the last 12 bits from SKF_AD_VLAN_TAG field
+to extract VID only.
+
+Signed-off-by: Robert Karbowski <robert_karbowski@hotmail.com>
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+---
+ teamd/teamd_lw_arp_ping.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/teamd/teamd_lw_arp_ping.c b/teamd/teamd_lw_arp_ping.c
+index c3d4710..5b5c044 100644
+--- a/teamd/teamd_lw_arp_ping.c
++++ b/teamd/teamd_lw_arp_ping.c
+@@ -90,10 +90,11 @@ static const struct sock_fprog arp_novlan_rpl_fprog = {
+ 
+ static struct sock_filter arp_vlan_rpl_flt[] = {
+ 	BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_PROTOCOL),
+-	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETH_P_ARP, 0, 8),
++	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETH_P_ARP, 0, 9),
+ 	BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT),
+-	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 6, 0),
++	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 7, 0),
+ 	BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_VLAN_TAG),
++	BPF_STMT(BPF_ALU + BPF_AND + BPF_K, 0xfff),
+ 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0xffff, 0, 4), /* 0xffff will be replaced by vland id */
+ 	BPF_STMT(BPF_LD + BPF_H + BPF_ABS, OFFSET_ARP_OP_CODE),
+ 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REPLY, 1, 0),
+@@ -103,7 +104,7 @@ static struct sock_filter arp_vlan_rpl_flt[] = {
+ };
+ 
+ /* this hack replaces vlanid value in filter code */
+-#define SET_FILTER_VLANID(fprog, vlanid) (fprog)->filter[5].k = vlanid
++#define SET_FILTER_VLANID(fprog, vlanid) (fprog)->filter[6].k = vlanid
+ 
+ static const struct sock_fprog arp_vlan_rpl_fprog = {
+ 	.len = ARRAY_SIZE(arp_vlan_rpl_flt),

better_handle_failures_to_chown.patch

@@ -0,0 +1,75 @@
+From 44ed6a1724bac01cd1c1dd25defb62237df5f379 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Fri, 21 May 2021 18:32:07 +0200
+Subject: [PATCH 1/1] teamd: better handle failures to chown(TEAMD_RUN_DIR)
+ during teamd_drop_privileges()
+
+NetworkManager is exec-ing teamd while running without CAP_CHOWN.
+
+When teamd is configured to drop privileges, then it will call chown
+while still running as root user. But the command will fail because of
+lack of CAP_CHOWN.
+
+Note that chown() succeeds if the calling process has CAP_CHOWN or if
+the file already is owned by the calling user/group (whereas, changing
+the group will still work, if the user is a member of that group).
+
+The directory might have already been prepared with the right user/group.
+Let's handle that. If the first chown() as root succeeds, we are good.
+If it fails, we will retry after changing the user id. If the directory
+already has the right/compatible user, this command will succeeds too
+and teamd can proceed.
+
+See-also: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/722
+
+Signed-off-by: Thomas Haller <thaller@redhat.com>
+---
+ teamd/teamd.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/teamd/teamd.c b/teamd/teamd.c
+index b310140570c5..3ef3d6cf09f6 100644
+--- a/teamd/teamd.c
++++ b/teamd/teamd.c
+@@ -1714,6 +1714,7 @@ static int teamd_drop_privileges()
+ 	cap_t my_caps;
+ 	struct passwd *pw = NULL;
+ 	struct group *grpent = NULL;
++	int chown_succeeded;
+ 
+ 	if ((pw = getpwnam(TEAMD_USER)) == NULL) {
+ 		fprintf(stderr, "Error reading user %s entry (%m)\n", TEAMD_USER);
+@@ -1734,11 +1735,12 @@ static int teamd_drop_privileges()
+ 		goto error;
+ 	}
+ 
+-	if (chown(TEAMD_RUN_DIR, pw->pw_uid, pw->pw_gid) < 0) {
+-		fprintf(stderr, "Unable to change ownership of %s to %s/%s (%m)\n",
+-			TEAMD_RUN_DIR, TEAMD_USER, TEAMD_GROUP);
+-		goto error;
+-	}
++	/* Try to change owner while still being root. We might not have
++	 * capabilities, so this might fail. At this point, we accept that,
++	 * because the directory might have been prepared with a suitable owner
++	 * already. But on failure, we will retry as the new user below.
++	 */
++	chown_succeeded = (chown(TEAMD_RUN_DIR, pw->pw_uid, pw->pw_gid) == 0);
+ 
+ 	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
+ 		goto error;
+@@ -1758,6 +1760,12 @@ static int teamd_drop_privileges()
+ 		goto error;
+ 	}
+ 
++	if (!chown_succeeded && chown(TEAMD_RUN_DIR, pw->pw_uid, pw->pw_gid) < 0) {
++		fprintf(stderr, "Unable to change ownership of %s to %s/%s (%m)\n",
++			TEAMD_RUN_DIR, TEAMD_USER, TEAMD_GROUP);
++		goto error;
++	}
++
+ 	if ((my_caps = cap_init()) == NULL)
+ 		goto error;
+ 	if (cap_set_flag(my_caps, CAP_EFFECTIVE, ARRAY_SIZE(cv), cv, CAP_SET) < 0)
+-- 
+2.31.1
+

harden_teamd@.service.patch

@@ -0,0 +1,22 @@
+Index: libteam-1.31/teamd/redhat/systemd/teamd@.service
+===================================================================
+--- libteam-1.31.orig/teamd/redhat/systemd/teamd@.service
++++ libteam-1.31/teamd/redhat/systemd/teamd@.service
+@@ -4,6 +4,17 @@ Before=network-pre.target
+ Wants=network-pre.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ BusName=org.libteam.teamd.%i
+ ExecStart=/usr/sbin/teamd -U -D -o -t %i -f /run/teamd/%i.conf
+ Restart=on-failure

libteam-1.29.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4a850d34abae06b5609b00fd1c69b298c4fe5e81184fd220b2328a05df027854
-size 562993

libteam-1.32.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0a0fbf75423cbb835c2fc667e861090c925f9899f162b1d1f893b75c0ad5cfe
+size 573063

libteam.changes

@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Thu May 23 11:22:27 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>
+
+- teamd: lw: arp_ping: bitmask VID in VLAN BPF filter [bsc#1224798]
+  * Add 0001-teamd-lw-arp_ping-bitmask-VID-in-VLAN-BPF-filter.patch
+
+-------------------------------------------------------------------
+Tue Sep 26 14:47:59 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- update to 1.32:
+  * teamd: Add option to change evaluation logic of multiple
+    link-watchers
+  * teamd: lacp: don't move the port state from disabled when admin
+    state
+  * teamd: lacp: set port to disabled state during removal
+  * libteam: clear changed bits in case of TEAM_IFINFO_CHANGE
+  * teamd: stop iterating callbacks when a loop restart is
+    requested
+  * teamd: do no remove the ports on shutdown with -N
+  * binding/python: ifindex 0 is invalid so do not process it
+  * libteamdctl: validate the bus name before using it
+  * teamd: lacp: increase "min_ports" upper limit to 1024
+  * teamd: increase the waitting time for daemon killing
+  * Do regard current state when considering port enablement
+- Remove 0001-teamd-Add-option-to-change-evaluation-logic-of-multi.patch
+
+-------------------------------------------------------------------
+Mon Jun 26 13:28:06 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Add option to change evaluation logic of multiple link-watchers (jsc@PED2209)
+  Add 0001-teamd-Add-option-to-change-evaluation-logic-of-multi.patch
+
+-------------------------------------------------------------------
+Fri Nov  5 17:14:17 UTC 2021 - Otto Hollmann <otto.hollmann@suse.com>
+
+- teamd: better handle failures to chown(TEAMD_RUN_DIR) during
+  teamd_drop_privileges() (bsc#1185424) 
+   [+ better_handle_failures_to_chown.patch]
+
+-------------------------------------------------------------------
+Fri Oct 15 07:32:26 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_teamd@.service.patch
+
+-------------------------------------------------------------------
+Tue Aug 25 15:45:19 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 1.31:
+  * teamd: fix build error in expansion of macro teamd_log_dbgx  
+  * teamd/lacp: fix segfault due to NULL pointer dereference
+  * teamd: fix possible race in master ifname callback
+  * Fix ifinfo_link_with_port race condition with newlink 
+  * Skip setting the same hwaddr to a lag port if not needed
+  * teamd/lacp: silence ignore none LACP frames
+
 -------------------------------------------------------------------
 Mon Aug 26 09:02:37 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

libteam.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libteam
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,16 +12,18 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 %bcond_without python2
+# _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_libexecdir}/tmpfiles.d }
 Name:           libteam
-Version:        1.29
+Version:        1.32
 Release:        0
 Summary:        Utilities for controlling 802.1AX team network device
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          System/Kernel
 URL:            http://libteam.org/
 
@@ -31,6 +33,10 @@ Patch1:         check_if_psr_ops_were_initialized.patch
 Patch2:         start_teamd_from_usr_sbin.patch
 Patch3:         ignore_ebusy_for_team_hwaddr_set.patch
 Patch4:         0001-allow-send_interface-dbus.patch
+Patch5:         harden_teamd@.service.patch
+Patch6:         better_handle_failures_to_chown.patch
+# PATCH-FIX-UPSTREAM bsc#1224798 teamd: lw: arp_ping: bitmask VID in VLAN BPF filter
+Patch7:         0001-teamd-lw-arp_ping-bitmask-VID-in-VLAN-BPF-filter.patch
 BuildRequires:  doxygen
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
@@ -144,6 +150,14 @@ python ./setup.py install --root="$b" --prefix="%_prefix"
 popd
 %endif
 
+# Install /usr/lib/tmpfiles.d/libteam.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}
+cat > %{buildroot}%{_tmpfilesdir}/libteam.conf <<EOF
+# See tmpfiles.d(5) for details
+# Type(d=directory) Path Mode UID GID Age(until delete when cleaning)
+d %teamd_daemon_directory 0755 %teamd_user %teamd_group -
+EOF
+
 rm -f "$b/%_libdir"/*.la
 %if 0%{?_unitdir:1}
 mkdir -p "$b/%_unitdir"
@@ -167,6 +181,8 @@ test -L %teamd_daemon_directory  || rm -rf %teamd_daemon_directory && :
 %endif
 
 %post tools
+# Use %%tmpfiles_create when 13.2 is oldest in support scope
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/libteam.conf || :
 # reload dbus to apply new teamd's policy
 systemctl reload dbus.service 2>/dev/null || :
 %if 0%{?_unitdir:1}
@@ -216,6 +232,7 @@ fi
 %if 0%{?_unitdir:1}
 %_unitdir
 %endif
+%{_tmpfilesdir}/libteam.conf
 
 %if %{with python2}
 %files -n python-libteam