Accepting request 1323134 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1323134
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/passt?expand=0&rev=34

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="versionformat">%cs.%h</param>
-    <param name="revision">2025_04_15.2340bbf</param>
+    <param name="revision">2025_12_15.b40f5cd</param>
   </service>
   <service mode="manual" name="recompress">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://passt.top/passt</param>
-              <param name="changesrevision">2340bbf867e6c3c3b5ac67345b0e841ab49bbaa5</param></service></servicedata>
+              <param name="changesrevision">b40f5cd8c8e16c6eceb1f26eb895527fda84068b</param></service></servicedata>

passt-20251215.b40f5cd.tar.zst

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84d3f46687e4ca0675e833b4470ec451f1bf378147e187bc524e5f85e93fe467
+size 303899

passt.changes

@@ -1,3 +1,265 @@
+-------------------------------------------------------------------
+Tue Dec 16 07:01:12 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- spec: drop restorecon trigger now that file context rules use regex (bsc#1246291)
+  (https://archives.passt.top/passt-dev/20251016074045.562352-1-contact@danishpraka.sh/)
+- Update to version 20251215.b40f5cd:
+  * tcp: Use less-than-MSS window on no queued data, or no data sent recently
+  * conf, fwd: Move initialisation of auto port scanning out of conf()
+  * tcp: Remove extra space from TCP_INFO debug messages (trivial)
+  * pasta: Clean up waiting pasta child on failures
+  * treewide: Introduce passt_exit() helper
+  * tcp: Suppress new instance of cppcheck bug 14191
+  * pif: Correctly set scope_id for guest-side link local addresses
+  * tcp: Correct timer expiry value in trace message
+  * tcp_splice, flow: Add socket to epoll set before connect(), drop assert
+  * fedora: Fix build on Fedora 43, selinux_requires_min not available on Copr builders
+  * tcp: Skip redundant ACK on partial sendmsg() failure
+  * tcp: Send a duplicate ACK also on complete sendmsg() failure
+  * tcp: Allow exceeding the available sending buffer size in window advertisements
+  * tcp: Don't limit window to less-than-MSS values, use zero instead
+  * tcp: Acknowledge everything if it looks like bulk traffic, not interactive
+  * tcp: Don't clear ACK_TO_TAP_DUE if we're advertising a zero-sized window
+  * tcp: Adaptive interval based on RTT for socket-side acknowledgement checks
+  * tcp: Limit advertised window to available, not total sending buffer size
+  * tcp: Change usage factor of sending buffer in tcp_get_sndbuf() to 75%
+  * tcp, util: Add function for scaling to linearly interpolated factor, use it
+  * iov: Fix coding style of basic (non-IOV_TAIL) parts
+  * tcp, udp: Pad batched frames for vhost-user modes to 60 bytes (802.3 minimum)
+  * tcp, udp: Pad batched frames to 60 bytes (802.3 minimum) in non-vhost-user modes
+  * udp: Fix coding style for comment to enum udp_iov_idx
+  * tcp: Fix coding style for comment to enum tcp_iov_parts
+  * tap: Pad non-batched frames to 802.3 minimum (60 bytes) if needed
+  * test: Update Makefile to avoid failing on missing images
+  * conf: Separate local mode for each IP version, don't enable disabled IP version
+  * vu_common: Clarify prototype of vu_collect()
+  * test: Expand tmux right status bar to fit pass/fail/skipped counter and time
+  * tcp: Enable SO_KEEPALIVE if we see keep-alive segments from container / guest
+  * seccomp: Fix build and operation on 32-bit musl targets
+  * fwd: Preserve non-standard loopback address when splice forwarding
+  * tcp: Always populate oaddr field for socket initiated flows
+  * util: Rename sock_l4_dualstack() to sock_l4_dualstack_any()
+  * tcp, udp: Bind outbound listening sockets by interface instead of address
+  * tcp, udp: Remove fallback if creating dual stack socket fails
+  * util: Fix setting of IPV6_V6ONLY socket option
+  * udp: Move udp_sock_init() special case to its caller
+  * udp: Unify some more inbound/outbound parts of udp_sock_init()
+  * tcp: Merge tcp_ns_sock_init[46]() into tcp_sock_init_one()
+  * util, flow, pif: Simplify sock_l4_sa() interface
+  * inany: Let length of sockaddr_inany be implicit from the family
+  * flow: Remove bogus @path field from flowside_sock_args
+  * conf: More useful errors for kernels without SO_BINDTODEVICE
+  * util: Extend sock_probe_mem() to sock_probe_features()
+  * util: Correct error message on SO_BINDTODEVICE failure
+  * tcp: Clamp the retry timeout
+  * tcp: Update data retransmission timeout
+  * tcp: Resend SYN for inbound connections
+  * util: Introduce read_file() and read_file_integer() function
+  * tcp: Rename "retrans" to "retries"
+  * arp/ndp: don't send messages on uninitialized tap interface
+  * test: Fix IPv6 address/prefix mismatch error
+  * spec: use %selinux_requires_min macro, drop overlapping dependencies
+  * fwd: Don't explicitly exclude reverse-direction TCP ports for UDP
+  * fwd: Exclude ports based on prior mapping state
+  * Revert "fwd: Update all port maps before applying exclusions"
+  * udp: Use IP_FREEBIND for flow sockets as well as listening sockets
+  * tcp: Properly remove sockets from epoll loop when connection is closed
+  * seccomp.sh: Quote tr character ranges to prevent glob expansion
+  * contrib/selinux: use regex instead of SELinux template
+  * tcp, udp: Don't exclude ports in {tcp,udp}_port_rebind()
+  * fwd: Update all port maps before applying exclusions
+  * fwd: Check forwarding mode in fwd_scan_ports_*() rather than caller
+  * fwd: Share port scanning logic between init and timer cases
+  * fwd: Move port exclusion handling from procfs_scan_listen() to callers
+  * fwd: Consolidate scans (not rebinds) in fwd.c
+  * tcp, udp, fwd: Run all port scanning from a single timer
+  * icmp: Remove vestiges of ICMP timer
+  * passt: Move main event loop processing into passt_worker()
+  * udp: Use epoll instance management for UDP flows
+  * icmp: Use epoll instance management for ICMP flows
+  * tcp, flow: Replace per-connection in_epoll flag with an epollid in flow_common
+  * util: Move epoll registration out of sock_l4_sa()
+  * epoll_ctl: Extract epoll operations
+  * util: Simplify epoll_del() interface to take epollfd directly
+  * icmp: let icmp use mac address from flowside structure
+  * tap: change signature of function tap_push_l2h()
+  * tcp: forward external source MAC address through tap interface
+  * udp: forward external source MAC address through tap interface
+  * flow: add MAC address of LAN local remote hosts to flow
+  * arp/ndp: send ARP announcement / unsolicited NA when neigbour entry added
+  * arp/ndp: respond with true MAC address of LAN local remote hosts
+  * fwd: Add cache table for ARP/NDP contents
+  * netlink: add subscription on changes in NDP/ARP table
+  * Add reverse Christmas tree to CONTRIBUTING.md
+  * fwd: Fix misspelling
+  * test: Fix the escaping issue in memory/passt test
+  * test: Update the threshold value for some perf tests
+  * tap: Update some function comments for accuracy
+  * passt: Rename EPOLL_EVENTS to NUM_EPOLL_EVENTS
+  * Fix the wrong command in CONTRIBUTING.md
+  * test: For missing static checkers, skip rather than failing tests
+  * test: Add some missing quoting in exeter runner
+  * test: Use ${} consistently in lib/exeter
+  * isolation: keep CAP_DAC_OVERRIDE initially
+  * tcp: Clarify logic calculating how much guest data to ack
+  * tcp: On partial send (incomplete sendmsg()), request a retransmission right away
+  * tcp: Don't consider FIN flags with mismatching sequence
+  * tcp: Completely ignore data segment in CLOSE-WAIT state, log a message
+  * tcp: Fix ACK sequence on FIN to tap
+  * test: Add linting of Python test scripts
+  * test: Don't delete exetool on make clean
+  * cppcheck: Suppress variable scope warnings in dhcpv6()
+  * cppcheck: Suppress a buggy cppcheck warning
+  * cppcheck: Suppress the suppression of a suppression
+  * clang-tidy: Suppress redundant expression warning
+  * test: Update passt.mbuto and passt.mem.mbuto
+  * netlink: Don't require address to be global, just not link local
+  * test: Fix printf error when debug is enabled
+  * test: Update README.md
+  * test: Update mbuto profile to fix the symlink of /bin
+  * test: Update lib/term for clearer output when DEBUG is enabled
+  * test: fix 'make assets' failure as root
+  * tap: Drop frames if no client connected
+  * Add --stats option to display event statistics
+  * netlink: Drop nexthop state flags from routes we duplicate
+  * Add CONTRIBUTING.md
+  * selinux: add missing file contexts for Podman
+  * selinux: add container_var_run_t type transition
+  * dhcp: Fix coding style violations in dhcp() function
+  * Improve clarity of comment
+  * Send an initial ARP and NDP request to resolve the guest IP address
+  * Fix --no-icmp description and make it imply --no-ndp
+  * Introduce constant MAC_BROADCAST
+  * Show debug message whenever we observe a new guest MAC address
+  * tcp: Store the owner connections for flags frames
+  * Reduce tcp_buf_discard size
+  * tcp: Don't send FIN segment to guest yet if we have pending unacknowledged data
+  * tcp: Fast re-transmit if half-closed, make TAP_FIN_RCVD path consistent
+  * tcp: Cast operands of sequence comparison macros to uint32_t before using them
+  * tcp: Don't try to transmit right after the peer shrank the window to zero
+  * tcp: Fix closing logic for half-closed connections
+  * tcp: Rewind sequence when guest shrinks window to zero
+  * tcp: Factor sequence rewind for retransmissions into a new function
+  * tcp: FIN flags have to be retransmitted as well
+  * test: Fix the download link for debian-11-generic-ppc64el image
+  * tcp_vu: Pass virtqueue pointer to tcp_vu_sock_recv()
+  * udp_vu: Pass virtqueue pointer to udp_vu_sock_recv()
+  * vhost-user: Fix VHOST_USER_GET_QUEUE_NUM to return number of queues
+  * Add missing explicit PSH assignment
+  * Fix typo in doc comment
+  * test: Explicit specify forwarding ports for pasta in log rotation tests
+  * test: Allow exeter & podman tests to be parallel executed with BATS
+  * test: Convert build tests to exeter
+  * test: Run static checkers as exeter tests
+  * test: Extend test scripts to allow running exeter tests.
+  * packet: Add support for multi-vector packets
+  * packet: Refactor vhost-user memory region handling
+  * packet: remove unused parameter from PACKET_POOL_DECL()
+  * packet: remove PACKET_POOL() and PACKET_POOL_P()
+  * ndp: use iov_tail rather than pool
+  * icmp: use iov_tail rather than pool
+  * dhcpv6: use iov_tail rather than pool
+  * dhcp: use iov_tail rather than pool
+  * arp: use iov_tail rather than pool
+  * packet: rename packet_data() to packet_get()
+  * tap: Convert tap6_handler() to iov_tail
+  * tap: Convert tap4_handler() to iov_tail
+  * ip: Use iov_tail in ipv6_l4hdr()
+  * dhcp: Convert to iov_tail
+  * dhcpv6: Use iov_tail in dhcpv6_opt()
+  * dhcpv6: Convert to iov_tail
+  * dhcpv6: Extract sending of NotOnLink status
+  * dhcpv6: move offset initialization out of dhcpv6_opt()
+  * tcp: Convert tcp_data_from_tap() to use iov_tail
+  * tcp: Convert tcp_tap_handler() to use iov_tail
+  * udp: Convert to iov_tail
+  * icmp: Convert to iov_tail
+  * ndp: Convert to iov_tail
+  * arp: Convert to iov_tail
+  * packet: Add packet_data()
+  * packet: Use iov_tail with packet_add()
+  * tap: Use iov_tail with tap_add_packet()
+  * iov: Update IOV_REMOVE_HEADER() and IOV_PEEK_HEADER()
+  * iov: Introduce iov_tail_clone() and iov_drop_header().
+  * arp: Don't mix incoming and outgoing buffers
+  * build: Fix errors of TCP_REPAIR_* undeclared
+  * treewide: Flush pcap and log files, if used, before exiting
+  * selinux: pasta accesses /etc/resolv.conf
+  * treewide: By default, don't quit source after migration, keep sockets open
+  * test: Deal with /bin, /sbin unification in Fedora
+  * style: Add parentheses to function names in comments
+  * style: Fix 'Return' comment style
+
+-------------------------------------------------------------------
+Tue Dec  9 07:45:46 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Escape macro in comment (boo#1254579)
+
+-------------------------------------------------------------------
+Wed Jul  9 04:41:56 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Fixes to spec (ref: bsc#1245074):
+  * Install binaries for pasta, and not symlinks
+  * Remove circular dependency between passt and passt-selinux
+  * Install missing passt-repair.pp SELinux policy module
+  * Install modules at the correct location .../selinux/packages/%{selinuxtype}/
+  * Require container-selinux for container related policies
+  * Single line macro to load SELinux policies for better performance
+
+-------------------------------------------------------------------
+Mon Jun 16 13:44:00 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250611.0293c6f:
+  * fedora: Hide restorecon(8) errors in post-transaction scriptlet
+  * fedora: Add container-selinux as dependency for passt-selinux
+  * flow, repair: Proper error handling for missing passt-repair helper on target
+  * fedora: Depend on SELinux tools and policy version, drop circular dependency
+  * fedora: Call %selinux_modules_* macros only once
+  * conf: flush stdout before early exit
+  * passt-repair: Fix missing newlines in error messages
+  * Correct various function comment headers
+  * tap: Avoid bogus missingReturn cppcheck warning in tap_l2_max_len()
+  * fedora: Separately restore context for /run/user in %posttrans selinux
+  * selinux: Transition to pasta_t in containers
+  * iov: Standardize function comment headers
+  * virtio: Correct and align comment headers
+  * vhost_user: Correct and align function comment headers
+  * codespell: Correct typos in comments and error message
+  * test: Display count of skipped tests in status and summary
+  * flow: Fix clang error (clang-analyzer-security.PointerSub)
+  * ndp: Fix Clang analyzer warning (clang-analyzer-security.PointerSub)
+  * virtio: Fix Clang warning (bugprone-sizeof-expression, cert-arr39-c)
+  * dhcpv6: fix GCC error (unterminated-string-initialization)
+
+-------------------------------------------------------------------
+Tue May 13 15:02:15 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250512.8ec1341:
+  * flow: close socket fd on error
+  * flow: fix wrong macro name in comments
+
+-------------------------------------------------------------------
+Fri May 09 12:44:10 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250507.eea8a76:
+  * flow: fix podman issue #26073
+
+-------------------------------------------------------------------
+Mon May 05 08:25:44 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250503.587980c:
+  * udp: Actually discard datagrams we can't forward
+  * fwd: fix doc typo
+  * selinux: Add getattr to class udp_socket
+  * flow: fix podman issue #25959
+  * util: Fix typo, ASSSERTION -> ASSERTION
+  * passt-repair: Hide bogus gcc warning from -Og
+  * conf: allow --fd 0
+  * udp: Translate offender addresses for ICMP messages
+  * udp: Rework offender address handling in udp_sock_recverr()
+  * treewide: Improve robustness against sockaddrs of unexpected family
+  * fwd: Split out helpers for port-independent NAT
+
 -------------------------------------------------------------------
 Wed Apr 16 06:17:16 UTC 2025 - dcermak@suse.com
 

passt.spec

@@ -45,7 +45,7 @@
 
 %global selinuxtype targeted
 Name:           passt
-Version:        20250415.2340bbf
+Version:        20251215.b40f5cd
 Release:        0
 Summary:        User-mode networking daemons for virtual machines and namespaces
 License:        GPL-2.0-or-later AND BSD-3-Clause
@@ -57,9 +57,6 @@ BuildRequires:  zstd
 BuildRequires:  gcc, make
 %if %{with selinux}
 Requires:       (%{name}-selinux = %{version}-%{release} if selinux-policy-targeted)
-BuildRequires:  checkpolicy
-BuildRequires:  selinux-policy-devel
-BuildRequires:  selinux-policy-targeted
 %endif
 %if %{with apparmor}
 BuildRequires:  apparmor-abstractions, apparmor-rpm-macros, libapparmor-devel
@@ -90,15 +87,18 @@ This package contains Apparmor profiles for passt and pasta.
 %endif
 
 %if %{with selinux}
-%package    selinux
-BuildArch:  noarch
-Summary:    SELinux support for passt and pasta
-Requires:   %{name} = %{version}-%{release}
-Requires:   selinux-policy
-Requires(post): %{name}
-Requires(post): policycoreutils
-Requires(preun): %{name}
-Requires(preun): policycoreutils
+%package            selinux
+BuildArch:          noarch
+Summary:            SELinux support for passt and pasta
+Requires:           %{name} = %{version}-%{release}
+Requires:           selinux-policy
+Requires:           container-selinux
+Requires(post):     policycoreutils
+Requires(post):     container-selinux
+Requires(preun):    policycoreutils
+BuildRequires:      checkpolicy
+BuildRequires:      selinux-policy-devel
+Recommends:         selinux-policy-%{selinuxtype}
 
 %description selinux
 This package adds SELinux enforcement to passt(1) and pasta(1).
@@ -109,7 +109,18 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
 
 %build
 %set_build_flags
-%make_build VERSION=%{version}-%{release}
+# The Makefile creates symbolic links for pasta, but we need actual copies for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+# Build twice, changing the version string, to avoid duplicate Build-IDs.
+# Ran into something similar for apparmor - https://github.com/containers/buildah/issues/5440.
+%make_build VERSION=%{version}-%{release}-pasta
+%ifarch x86_64
+mv -f passt.avx2 pasta.avx2
+%make_build passt passt.avx2 VERSION="%{version}-%{release}"
+%else
+%make_build passt VERSION="%{version}-%{release}"
+%endif
+
 
 %install
 %make_install prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
@@ -136,9 +147,10 @@ ln -f passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
 %if %{with selinux}
 pushd contrib/selinux
 make -f %{_datadir}/selinux/devel/Makefile
-install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/passt.pp
+install -p -m 644 -D passt.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
+install -p -m 644 -D passt-repair.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
+install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 install -p -m 644 -D passt.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/passt.if
-install -p -m 644 -D pasta.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/pasta.pp
 popd
 %endif
 
@@ -153,13 +165,11 @@ popd
 %selinux_relabel_pre -s %{selinuxtype}
 
 %post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/passt.pp
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/pasta.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
-        %selinux_modules_uninstall -s %{selinuxtype} passt
-        %selinux_modules_uninstall -s %{selinuxtype} pasta
+        %selinux_modules_uninstall -s %{selinuxtype} passt pasta passt-repair
 fi
 
 %posttrans selinux
@@ -188,9 +198,10 @@ fi
 
 %if %{with selinux}
 %files selinux
-%dir %{_datadir}/selinux/packages/%{name}
-%{_datadir}/selinux/packages/%{name}/passt.pp
-%{_datadir}/selinux/packages/%{name}/pasta.pp
+%dir %{_datadir}/selinux/packages/%{selinuxtype}
+%{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 %dir %{_datadir}/selinux/devel/include/distributed
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %endif