Accepting request 330520 from home:tiwai:branches:devel:tools

- Disable systemd service as a temporary workaround for possibile security issues (CVE-2015-5228, CVE-2015-5231, bsc#943105) - Update to criu 1.7: * Improved cgroups management * Support for seccomp strict mode * Support for stream unix sockets inheritance * Support uid/gid-restricted mounts in userns * Support deleted bind-mounts * Ability to specify maximum ghost file size * OverlayFS support * Support relative unix sockets' bind paths * Altivec and PSX support for PPC * Small PIE loader * Temporary proc mountpoint is mounted with nosuid, noexec and nodev * Less memory copies when preparing restorer binary * CRIT action "show" for less keystrokes on common use-case * Fsnotify log messages now use hex everywhere :) * CRIT output doesn't mix fields any more * Many fixes OBS-URL: https://build.opensuse.org/request/show/330520 OBS-URL: https://build.opensuse.org/package/show/devel:tools/criu?expand=0&rev=29
2015-09-11 14:43:47 +00:00 · 2015-09-11 14:43:47 +00:00 · cc32e84e0a
commit cc32e84e0a
parent c980894723
7 changed files with 37 additions and 112 deletions
--- a/4c5b23e5-criu.pc.diff
+++ b/4c5b23e5-criu.pc.diff
@ -1,34 +0,0 @@
-From 4c5b23e52c1dc4e3fbbc7472b92e7b1ce9d22f02 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
-Date: Thu, 30 Jul 2015 18:44:00 +0300
-Subject: [PATCH] Fix criu.pc version
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use CRTOOLSVERSION instead of GITID to write criu.pc version. With
-GITID, criu.pc had version '0' when built from tarballs.
-
-Signed-off-by: Cédric Bosdonnat <cbosdonnat@suse.com>
-Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
-Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
---
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 6ed4c90..7f5c890 100644
--- a/Makefile
-+++ b/Makefile
-@@ -339,7 +339,7 @@ install-criu: $(PROGRAM) $(CRIU-LIB) install-crit
- 	$(Q) install -m 644 scripts/sd/criu.service $(DESTDIR)$(SYSTEMDUNITDIR)
- 	$(Q) mkdir -p $(DESTDIR)$(LOGROTATEDIR)
- 	$(Q) install -m 644 scripts/logrotate.d/criu-service $(DESTDIR)$(LOGROTATEDIR)
-	$(Q) sed -e 's,@version@,$(GITID),' \
-+	$(Q) sed -e 's,@version@,$(CRTOOLSVERSION),' \
- 		-e 's,@libdir@,$(LIBDIR),' \
- 		-e 's,@includedir@,$(dir $(INCLUDEDIR)),' \
- 		lib/criu.pc.in > criu.pc
-- 
-2.1.4
-
--- a/crit-install-prefix.diff
+++ b/crit-install-prefix.diff
@ -1,15 +0,0 @@
---
- Makefile |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
--- a/Makefile
-+++ b/Makefile
-@@ -314,7 +314,7 @@ install-man:
- 
- install-crit: crit
- 	$(E) "  INSTALL crit"
-	$(Q) python scripts/crit-setup.py install --prefix=$(DESTDIR)$(PREFIX)
-+	$(Q) python scripts/crit-setup.py install --root=$(DESTDIR) --prefix=$(PREFIX)
- 
- .PHONY: install install-man install-crit
- 
--- a/criu-1.6.tar.bz2
+++ b/criu-1.6.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35ba6f5df90bfb8a25ae5e53459272bb37b8a69790e084f86d7a9ffa0df35993
-size 484513
--- a/criu-1.7.tar.bz2
+++ b/criu-1.7.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:977cf03d94415c2858581bb9894cfb90ac0c0b4b045e9bfa7c04c230aae01a21
+size 507224
--- a/criu.changes
+++ b/criu.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Sep 11 16:06:30 CEST 2015 - tiwai@suse.de
+
+- Disable systemd service as a temporary workaround for possibile
+  security issues (CVE-2015-5228, CVE-2015-5231, bsc#943105)
+- Update to criu 1.7:
+  * Improved cgroups management
+  * Support for seccomp strict mode
+  * Support for stream unix sockets inheritance
+  * Support uid/gid-restricted mounts in userns
+  * Support deleted bind-mounts
+  * Ability to specify maximum ghost file size
+  * OverlayFS support
+  * Support relative unix sockets' bind paths
+  * Altivec and PSX support for PPC
+  * Small PIE loader
+  * Temporary proc mountpoint is mounted with nosuid, noexec and nodev
+  * Less memory copies when preparing restorer binary
+  * CRIT action "show" for less keystrokes on common use-case
+  * Fsnotify log messages now use hex everywhere :)
+  * CRIT output doesn't mix fields any more
+  * Many fixes
+
 -------------------------------------------------------------------
 Fri Jul 31 07:47:22 UTC 2015 - cbosdonnat@suse.com

--- a/criu.spec
+++ b/criu.spec
@ -1,7 +1,7 @@
 #
 # spec file for package criu
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,18 +16,16 @@
 #


-%define package_version 1.6
+%define with_systemd_service 0
+%define package_version 1.7
 Name:           criu
-Version:        1.6
+Version:        1.7
 Release:        0
 Summary:        Checkpoint/Restore In Userspace Tools
 License:        GPL-2.0
 Group:          System/Console
 Url:            http://criu.org/
 Source0:        http://download.openvz.org/criu/criu-%{package_version}.tar.bz2
-Patch1:         crit-install-prefix.diff
-Patch2:         lsm-prototype-fix.diff
-Patch3:         4c5b23e5-criu.pc.diff
 BuildRequires:  asciidoc
 BuildRequires:  pkg-config
 BuildRequires:  protobuf-c
@ -67,9 +65,6 @@ to develop applications with CRIU library.

 %prep
 %setup -q -n %{name}-%{package_version}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 # fix up the broken protobuf descriptor.proto (comment-in-comment)
 rm -f protobuf/google/protobuf/descriptor.proto
 sed -e's@/\*@@g' -e's@\*/@@g' /usr/include/google/protobuf/descriptor.proto > protobuf/google/protobuf/descriptor.proto
@ -92,7 +87,11 @@ mv %{buildroot}%{_sysconfdir}/logrotate.d/criu-service \
 # for compatiblity
 ln -s criu %{buildroot}%{_sbindir}/crtools
 ln -s criu.8 %{buildroot}%{_mandir}/man8/crtools.8
+%if !%with_systemd_service
+rm -f %{buildroot}%{_unitdir}/criu.*
+%endif

+%if %with_systemd_service
 %pre
 %service_add_pre criu.service criu.socket
 exit 0
@ -108,6 +107,7 @@ exit 0
 %postun
 %service_del_postun criu.service criu.socket
 exit 0
+%endif

 %post -n libcriu1 -p /sbin/ldconfig

@ -119,7 +119,9 @@ exit 0
 %{_sbindir}/*
 %{_bindir}/*
 %{_mandir}/man*/*
+%if %with_systemd_service
 %{_unitdir}/criu.*
+%endif
 %config %{_sysconfdir}/logrotate.d/*
 /usr/lib/python*/site-packages/crit-*.egg-info
 /usr/lib/python*/site-packages/pycriu
--- a/lsm-prototype-fix.diff
+++ b/lsm-prototype-fix.diff
@ -1,51 +0,0 @@
---
- include/lsm.h |    6 +++---
- lsm.c         |    4 ++--
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
--- a/include/lsm.h
-+++ b/include/lsm.h
-@@ -7,12 +7,12 @@
- /*
-  * Get the Lsmtype for the current host.
-  */
-extern Lsmtype host_lsm_type();
-+extern Lsmtype host_lsm_type(void);
- 
- /*
-  * Initilize the Lsmtype for the current host
-  */
-extern void kerndat_lsm();
-+extern void kerndat_lsm(void);
- 
- /*
-  * Read the LSM profile for the pstree item
-@@ -23,7 +23,7 @@ extern int collect_lsm_profile(pid_t, Cr
-  * Validate that the LSM profiles can be correctly applied (must happen after
-  * pstree is set up).
-  */
-extern int validate_lsm();
-+int validate_lsm(CredsEntry *ce);
- 
- /*
-  * Render the profile name in the way that the LSM wants it written to
--- a/lsm.c
-+++ b/lsm.c
-@@ -102,7 +102,7 @@ static int selinux_get_label(pid_t pid,
- }
- #endif
- 
-void kerndat_lsm()
-+void kerndat_lsm(void)
- {
- 	if (access("/sys/kernel/security/apparmor", F_OK) == 0) {
- 		get_label = apparmor_get_label;
-@@ -130,7 +130,7 @@ void kerndat_lsm()
- 	name = "none";
- }
- 
-Lsmtype host_lsm_type()
-+Lsmtype host_lsm_type(void)
- {
- 	return lsmtype;
- }