Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package crun for openSUSE:Factory checked in at 2023-12-05 17:00:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crun (Old) and /work/SRC/openSUSE:Factory/.crun.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crun" Tue Dec 5 17:00:54 2023 rev:19 rq:1130688 version:1.12 Changes: -------- --- /work/SRC/openSUSE:Factory/crun/crun.changes 2023-11-16 20:27:12.437373331 +0100 +++ /work/SRC/openSUSE:Factory/.crun.new.25432/crun.changes 2023-12-05 17:01:01.560303659 +0100 @@ -1,0 +2,22 @@ +Fri Dec 1 13:41:35 UTC 2023 - Dan Äermák <[email protected]> + +- New upstream release 1.12: + + * add new WebAssembly handler: spin. + * systemd: fallback to system bus if session bus is not available. + * configure the cpu rt and cpuset controllers before joining them to + avoid running temporarily the workload on the wrong cpus. + * preconfigure the cpuset with required resources instead of using the + parent's set. This prevents needless churn in the kernel as it + tracks which CPUs have load balancing disabled. + * try attr/<lsm>/* before the attr/* files. Writes to the attr/* + files may fail if apparmor is not the first "major" LSM in the list + of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). + +- New upstream release 1.11.2: + + * fix a regression caused by 1.11.1 where the process crashes if there + are no CPU limits configured on cgroup v1. (bsc#1217590) + * fix error code check for the ptsname_r function. + +------------------------------------------------------------------- Old: ---- crun-1.11.1.tar.xz crun-1.11.1.tar.xz.asc New: ---- crun-1.12.tar.xz crun-1.12.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crun.spec ++++++ --- /var/tmp/diff_new_pack.fAR1ZF/_old 2023-12-05 17:01:02.324331822 +0100 +++ /var/tmp/diff_new_pack.fAR1ZF/_new 2023-12-05 17:01:02.324331822 +0100 
@@ -23,7 +23,7 @@ %endif Name: crun -Version: 1.11.1 +Version: 1.12 Release: 0 Summary: OCI runtime written in C License: GPL-2.0-or-later ++++++ crun-1.11.1.tar.xz -> crun-1.12.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/.tarball-git-version.h new/crun-1.12/.tarball-git-version.h --- old/crun-1.11.1/.tarball-git-version.h 2023-10-30 21:07:55.000000000 +0100 +++ new/crun-1.12/.tarball-git-version.h 2023-11-23 17:38:27.000000000 +0100 @@ -1,4 +1,4 @@ /* autogenerated. */ #ifndef GIT_VERSION -# define GIT_VERSION "1084f9527c143699b593b44c23555fb3cc4ff2f3" +# define GIT_VERSION "ce429cb2e277d001c2179df1ac66a470f00802ae" #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/.tarball-version new/crun-1.12/.tarball-version --- old/crun-1.11.1/.tarball-version 2023-10-30 21:07:55.000000000 +0100 +++ new/crun-1.12/.tarball-version 2023-11-23 17:38:27.000000000 +0100 @@ -1 +1 @@ -1.11.1 +1.12 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/Makefile.am new/crun-1.12/Makefile.am --- old/crun-1.11.1/Makefile.am 2023-10-19 11:15:59.000000000 +0200 +++ new/crun-1.12/Makefile.am 2023-11-23 17:37:16.000000000 +0100 @@ -51,6 +51,7 @@ src/libcrun/handlers/handler-utils.c \ src/libcrun/handlers/krun.c \ src/libcrun/handlers/mono.c \ + src/libcrun/handlers/spin.c \ src/libcrun/handlers/wasmedge.c \ src/libcrun/handlers/wasmer.c \ src/libcrun/handlers/wasmtime.c \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/Makefile.in new/crun-1.12/Makefile.in --- old/crun-1.11.1/Makefile.in 2023-10-30 21:07:26.000000000 +0100 +++ new/crun-1.12/Makefile.in 2023-11-23 17:37:51.000000000 +0100 
@@ -179,6 +179,7 @@ src/libcrun/handlers/libcrun_testing_a-handler-utils.$(OBJEXT) \ src/libcrun/handlers/libcrun_testing_a-krun.$(OBJEXT) \ src/libcrun/handlers/libcrun_testing_a-mono.$(OBJEXT) \ + src/libcrun/handlers/libcrun_testing_a-spin.$(OBJEXT) \ src/libcrun/handlers/libcrun_testing_a-wasmedge.$(OBJEXT) \ src/libcrun/handlers/libcrun_testing_a-wasmer.$(OBJEXT) \ src/libcrun/handlers/libcrun_testing_a-wasmtime.$(OBJEXT) \ @@ -213,6 +214,7 @@ src/libcrun/handlers/libcrun_la-handler-utils.lo \ src/libcrun/handlers/libcrun_la-krun.lo \ src/libcrun/handlers/libcrun_la-mono.lo \ + src/libcrun/handlers/libcrun_la-spin.lo \ src/libcrun/handlers/libcrun_la-wasmedge.lo \ src/libcrun/handlers/libcrun_la-wasmer.lo \ src/libcrun/handlers/libcrun_la-wasmtime.lo \ @@ -399,12 +401,14 @@ src/libcrun/handlers/$(DEPDIR)/libcrun_la-handler-utils.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_la-krun.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_la-mono.Plo \ + src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmer.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmtime.Plo \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-handler-utils.Po \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-krun.Po \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-mono.Po \ + src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Po \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmer.Po \ src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmtime.Po \ @@ -905,6 +909,7 @@ src/libcrun/handlers/handler-utils.c \ src/libcrun/handlers/krun.c \ src/libcrun/handlers/mono.c \ + src/libcrun/handlers/spin.c \ src/libcrun/handlers/wasmedge.c \ src/libcrun/handlers/wasmer.c \ src/libcrun/handlers/wasmtime.c \ 
@@ -1319,6 +1324,9 @@ src/libcrun/handlers/libcrun_testing_a-mono.$(OBJEXT): \ src/libcrun/handlers/$(am__dirstamp) \ src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) +src/libcrun/handlers/libcrun_testing_a-spin.$(OBJEXT): \ + src/libcrun/handlers/$(am__dirstamp) \ + src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) src/libcrun/handlers/libcrun_testing_a-wasmedge.$(OBJEXT): \ src/libcrun/handlers/$(am__dirstamp) \ src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) @@ -1403,6 +1411,9 @@ src/libcrun/handlers/libcrun_la-mono.lo: \ src/libcrun/handlers/$(am__dirstamp) \ src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) +src/libcrun/handlers/libcrun_la-spin.lo: \ + src/libcrun/handlers/$(am__dirstamp) \ + src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) src/libcrun/handlers/libcrun_la-wasmedge.lo: \ src/libcrun/handlers/$(am__dirstamp) \ src/libcrun/handlers/$(DEPDIR)/$(am__dirstamp) 
@@ -1627,12 +1638,14 @@ @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-handler-utils.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-krun.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-mono.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmer.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmtime.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-handler-utils.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-krun.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-mono.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmer.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmtime.Po@am__quote@ # am--include-marker 
@@ -1910,6 +1923,20 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -c -o src/libcrun/handlers/libcrun_testing_a-mono.obj `if test -f 'src/libcrun/handlers/mono.c'; then $(CYGPATH_W) 'src/libcrun/handlers/mono.c'; else $(CYGPATH_W) '$(srcdir)/src/libcrun/handlers/mono.c'; fi` +src/libcrun/handlers/libcrun_testing_a-spin.o: src/libcrun/handlers/spin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -MT src/libcrun/handlers/libcrun_testing_a-spin.o -MD -MP -MF src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Tpo -c -o src/libcrun/handlers/libcrun_testing_a-spin.o `test -f 'src/libcrun/handlers/spin.c' || echo '$(srcdir)/'`src/libcrun/handlers/spin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Tpo src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/libcrun/handlers/spin.c' object='src/libcrun/handlers/libcrun_testing_a-spin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -c -o src/libcrun/handlers/libcrun_testing_a-spin.o `test -f 'src/libcrun/handlers/spin.c' || echo '$(srcdir)/'`src/libcrun/handlers/spin.c + +src/libcrun/handlers/libcrun_testing_a-spin.obj: src/libcrun/handlers/spin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -MT src/libcrun/handlers/libcrun_testing_a-spin.obj -MD -MP -MF 
src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Tpo -c -o src/libcrun/handlers/libcrun_testing_a-spin.obj `if test -f 'src/libcrun/handlers/spin.c'; then $(CYGPATH_W) 'src/libcrun/handlers/spin.c'; else $(CYGPATH_W) '$(srcdir)/src/libcrun/handlers/spin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Tpo src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/libcrun/handlers/spin.c' object='src/libcrun/handlers/libcrun_testing_a-spin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -c -o src/libcrun/handlers/libcrun_testing_a-spin.obj `if test -f 'src/libcrun/handlers/spin.c'; then $(CYGPATH_W) 'src/libcrun/handlers/spin.c'; else $(CYGPATH_W) '$(srcdir)/src/libcrun/handlers/spin.c'; fi` + src/libcrun/handlers/libcrun_testing_a-wasmedge.o: src/libcrun/handlers/wasmedge.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_testing_a_CFLAGS) $(CFLAGS) -MT src/libcrun/handlers/libcrun_testing_a-wasmedge.o -MD -MP -MF src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Tpo -c -o src/libcrun/handlers/libcrun_testing_a-wasmedge.o `test -f 'src/libcrun/handlers/wasmedge.c' || echo '$(srcdir)/'`src/libcrun/handlers/wasmedge.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Tpo src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Po 
@@ -2211,6 +2238,13 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_la_CFLAGS) $(CFLAGS) -c -o src/libcrun/handlers/libcrun_la-mono.lo `test -f 'src/libcrun/handlers/mono.c' || echo '$(srcdir)/'`src/libcrun/handlers/mono.c +src/libcrun/handlers/libcrun_la-spin.lo: src/libcrun/handlers/spin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_la_CFLAGS) $(CFLAGS) -MT src/libcrun/handlers/libcrun_la-spin.lo -MD -MP -MF src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Tpo -c -o src/libcrun/handlers/libcrun_la-spin.lo `test -f 'src/libcrun/handlers/spin.c' || echo '$(srcdir)/'`src/libcrun/handlers/spin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Tpo src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/libcrun/handlers/spin.c' object='src/libcrun/handlers/libcrun_la-spin.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_la_CFLAGS) $(CFLAGS) -c -o src/libcrun/handlers/libcrun_la-spin.lo `test -f 'src/libcrun/handlers/spin.c' || echo '$(srcdir)/'`src/libcrun/handlers/spin.c + src/libcrun/handlers/libcrun_la-wasmedge.lo: src/libcrun/handlers/wasmedge.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcrun_la_CFLAGS) $(CFLAGS) -MT src/libcrun/handlers/libcrun_la-wasmedge.lo -MD -MP -MF src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Tpo -c -o src/libcrun/handlers/libcrun_la-wasmedge.lo `test -f 'src/libcrun/handlers/wasmedge.c' || echo '$(srcdir)/'`src/libcrun/handlers/wasmedge.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Tpo src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Plo @@ -3302,12 +3336,14 @@ -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-handler-utils.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-krun.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-mono.Plo + -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmer.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmtime.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-handler-utils.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-krun.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-mono.Po + -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmer.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmtime.Po 
@@ -3435,12 +3471,14 @@ -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-handler-utils.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-krun.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-mono.Plo + -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-spin.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmedge.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmer.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_la-wasmtime.Plo -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-handler-utils.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-krun.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-mono.Po + -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-spin.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmedge.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmer.Po -rm -f src/libcrun/handlers/$(DEPDIR)/libcrun_testing_a-wasmtime.Po diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/NEWS new/crun-1.12/NEWS --- old/crun-1.11.1/NEWS 2023-10-30 21:06:54.000000000 +0100 +++ new/crun-1.12/NEWS 2023-11-23 17:37:16.000000000 +0100 
@@ -1,3 +1,22 @@ +* crun-1.12 + +- add new WebAssembly handler: spin. +- systemd: fallback to system bus if session bus is not available. +- configure the cpu rt and cpuset controllers before joining them to + avoid running temporarily the workload on the wrong cpus. +- preconfigure the cpuset with required resources instead of using the + parent's set. This prevents needless churn in the kernel as it + tracks which CPUs have load balancing disabled. +- try attr/<lsm>/* before the attr/* files. Writes to the attr/* + files may fail if apparmor is not the first "major" LSM in the list + of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). + +* crun-1.11.2 + +- fix a regression caused by 1.11.1 where the process crashes if there + are no CPU limits configured on cgroup v1. +- fix error code check for the ptsname_r function. + * crun-1.11.1 - force a remount operation with bind mounts from the host to correctly diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/README.md new/crun-1.12/README.md --- old/crun-1.11.1/README.md 2023-03-21 15:02:56.000000000 +0100 +++ new/crun-1.12/README.md 2023-11-23 17:37:16.000000000 +0100 @@ -144,7 +144,7 @@ It is possible to build a statically linked binary of crun by using the officially provided -[nix](https://nixos.org/nixos/packages.html?attr=crun&channel=nixpkgs-unstable&query=crun) +[nix](https://nixos.org/nixos/packages.html?attr=crun&channel=unstable&query=crun) package and the derivation of it [within this repository](nix/). The builds are completely reproducible and will create a x86\_64/amd64 stripped ELF binary for [glibc](https://www.gnu.org/software/libc). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/config.h.in new/crun-1.12/config.h.in --- old/crun-1.11.1/config.h.in 2023-10-30 21:07:25.000000000 +0100 +++ new/crun-1.12/config.h.in 2023-11-23 17:37:49.000000000 +0100 
@@ -108,6 +108,9 @@ /* Define to 1 if you have the <seccomp.h> header file. */ #undef HAVE_SECCOMP_H +/* Define if spin is available */ +#undef HAVE_SPIN + /* Define to 1 if you have the `statx' function. */ #undef HAVE_STATX diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/configure new/crun-1.12/configure --- old/crun-1.11.1/configure 2023-10-30 21:07:24.000000000 +0100 +++ new/crun-1.12/configure 2023-11-23 17:37:49.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for crun 1.11.1. +# Generated by GNU Autoconf 2.69 for crun 1.12. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='crun' PACKAGE_TARNAME='crun' -PACKAGE_VERSION='1.11.1' -PACKAGE_STRING='crun 1.11.1' +PACKAGE_VERSION='1.12' +PACKAGE_STRING='crun 1.12' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -845,6 +845,7 @@ with_wasmtime with_wasmedge with_libkrun +with_spin enable_seccomp enable_systemd enable_bpf @@ -1430,7 +1431,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures crun 1.11.1 to adapt to many kinds of systems. +\`configure' configures crun 1.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1501,7 +1502,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of crun 1.11.1:";; + short | recursive ) echo "Configuration of crun 1.12:";; esac cat <<\_ACEOF @@ -1555,6 +1556,7 @@ --with-wasmtime build with wasmtime support --with-wasmedge build with WasmEdge support --with-libkrun build with libkrun support + --with-spin build with spin support --with-python-bindings build the Python bindings --with-lua-bindings build the Lua bindings 
@@ -1660,7 +1662,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -crun configure 1.11.1 +crun configure 1.12 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2266,7 +2268,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by crun $as_me 1.11.1, which was +It was created by crun $as_me 1.12, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -12118,7 +12120,7 @@ # Define the identity of the package. PACKAGE='crun' - VERSION='1.11.1' + VERSION='1.12' cat >>confdefs.h <<_ACEOF @@ -14372,6 +14374,18 @@ +# Check whether --with-spin was given. +if test "${with_spin+set}" = set; then : + withval=$with_spin; +fi + +if test "x$with_spin" = "xyes"; then : + +$as_echo "#define HAVE_SPIN 1" >>confdefs.h + +fi + + # Check whether --enable-seccomp was given. if test "${enable_seccomp+set}" = set; then : enableval=$enable_seccomp; @@ -16705,7 +16719,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by crun $as_me 1.11.1, which was +This file was extended by crun $as_me 1.12, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16771,7 +16785,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -crun config.status 1.11.1 +crun config.status 1.12 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/configure.ac new/crun-1.12/configure.ac --- old/crun-1.11.1/configure.ac 2023-09-27 22:33:35.000000000 +0200 +++ new/crun-1.12/configure.ac 2023-11-23 17:37:16.000000000 +0100 
@@ -132,6 +132,10 @@
 AM_CONDITIONAL([ENABLE_KRUN], [test "x$with_libkrun" = xyes])
+dnl include support for spin (EXPERIMENTAL)
+AC_ARG_WITH([spin], AS_HELP_STRING([--with-spin], [build with spin support]))
+AS_IF([test "x$with_spin" = "xyes"], AC_DEFINE([HAVE_SPIN], 1, [Define if spin is available]))
+
 dnl libseccomp
 AC_ARG_ENABLE([seccomp],
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/cgroup-internal.h new/crun-1.12/src/libcrun/cgroup-internal.h
--- old/crun-1.11.1/src/libcrun/cgroup-internal.h 2023-10-26 16:46:50.000000000 +0200
+++ new/crun-1.12/src/libcrun/cgroup-internal.h 2023-11-23 17:37:16.000000000 +0100
@@ -81,6 +81,7 @@
 }
 int initialize_cpuset_subsystem (const char *path, libcrun_error_t *err);
+int initialize_cpuset_subsystem_resources (const char *path, runtime_spec_schema_config_linux_resources *resources, libcrun_error_t *err);
 int write_cpuset_resources (int dirfd_cpuset, int cgroup2, runtime_spec_schema_config_linux_resources_cpu *cpu, libcrun_error_t *err);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/cgroup-resources.c new/crun-1.12/src/libcrun/cgroup-resources.c
--- old/crun-1.11.1/src/libcrun/cgroup-resources.c 2023-10-26 16:46:50.000000000 +0200
+++ new/crun-1.12/src/libcrun/cgroup-resources.c 2023-11-07 13:17:29.000000000 +0100
@@ -1037,6 +1037,9 @@
 {
 int ret;
+ if (cpu == NULL)
+ return 0;
+
 if (cpu->cpus)
 {
 ret = write_file_and_check_controllers_at (cgroup2, dirfd_cpuset, "cpuset.cpus", "cpus",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/cgroup-setup.c new/crun-1.12/src/libcrun/cgroup-setup.c
--- old/crun-1.11.1/src/libcrun/cgroup-setup.c 2023-10-26 16:46:50.000000000 +0200
+++ new/crun-1.12/src/libcrun/cgroup-setup.c 2023-11-23 17:37:16.000000000 +0100
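Review bot: The `dnl` comment marks spin support as EXPERIMENTAL but the user-visible help text does not, so `./configure --help` gives no hint of that status; suggest `AS_HELP_STRING([--with-spin], [build with spin support (experimental)])`. The option only defines HAVE_SPIN and checks nothing else, while the handler itself is compiled only under `HAVE_DLOPEN && HAVE_SPIN` (see the custom-handler.c hunk further down), so `--with-spin` on a build without dlopen silently produces no handler; a configure-time warning for that combination, or a sentence in the help string, would save users a confusing debugging session.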
@@ -40,7 +40,7 @@
 #include <libgen.h>
 static int
-initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *mems, libcrun_error_t *err)
+initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *mems, runtime_spec_schema_config_linux_resources *resources, libcrun_error_t *err)
 {
 cleanup_close int dirfd = -1;
 cleanup_close int mems_fd = -1;
@@ -95,7 +95,7 @@
 return 0;
 path[parent_path_len] = '\0';
- ret = initialize_cpuset_subsystem_rec (path, parent_path_len, cpus, mems, err);
+ ret = initialize_cpuset_subsystem_rec (path, parent_path_len, cpus, mems, resources, err);
 path[parent_path_len] = '/';
 if (UNLIKELY (ret < 0))
 {
@@ -104,6 +104,15 @@
 }
 }
+ /* If we know the resources, use them, instead of initializing with the full set, only to revert it later. */
+ if (resources && resources->cpu)
+ {
+ if (resources->cpu->cpus)
+ cpus = xstrdup (resources->cpu->cpus);
+ if (resources->cpu->mems)
+ mems = xstrdup (resources->cpu->mems);
+ }
+
 if (cpus_fd >= 0)
 {
 b_len = TEMP_FAILURE_RETRY (write (cpus_fd, cpus, strlen (cpus)));
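Review bot: `cpus = xstrdup (resources->cpu->cpus)` (and the `mems` twin) in the third hunk replaces the pointer to the caller's stack buffer with a heap copy that nothing in the hunk frees; unless it is released later in the body, outside the hunk, this leaks one allocation per cgroup level walked. Since `cpus` is only handed to `write (cpus_fd, cpus, strlen (cpus))` below, the copy looks unnecessary and `cpus = resources->cpu->cpus;` would do, or keep a `cleanup_free char *cpus_copy = NULL;` alongside so the `cleanup_close` style of the function is preserved. Note also that the override runs in every recursive frame after the parent call returns, so an ancestor cgroup whose cpuset was empty appears to receive the container's restricted set rather than its own parent's; if that is intended for every level of the hierarchy, the comment should say so, since restricting a shared ancestor would affect siblings created later. `initialize_cpuset_subsystem_rec` starts and ends outside these hunks.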
@@ -129,7 +138,18 @@
 char mems_buf[257];
 cpus_buf[0] = mems_buf[0] = '\0';
- return initialize_cpuset_subsystem_rec (tmp_path, strlen (tmp_path), cpus_buf, mems_buf, err);
+ return initialize_cpuset_subsystem_rec (tmp_path, strlen (tmp_path), cpus_buf, mems_buf, NULL, err);
+}
+
+int
+initialize_cpuset_subsystem_resources (const char *path, runtime_spec_schema_config_linux_resources *resources, libcrun_error_t *err)
+{
+ cleanup_free char *tmp_path = xstrdup (path);
+ char cpus_buf[257];
+ char mems_buf[257];
+
+ cpus_buf[0] = mems_buf[0] = '\0';
+ return initialize_cpuset_subsystem_rec (tmp_path, strlen (tmp_path), cpus_buf, mems_buf, resources, err);
 }
 static int
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/cgroup-systemd.c new/crun-1.12/src/libcrun/cgroup-systemd.c
--- old/crun-1.11.1/src/libcrun/cgroup-systemd.c 2023-10-26 16:46:50.000000000 +0200
+++ new/crun-1.12/src/libcrun/cgroup-systemd.c 2023-11-23 17:37:16.000000000 +0100
@@ -160,6 +160,10 @@
 if (UNLIKELY (ret < 0))
 return ret;
+ ret = crun_ensure_directory (cgroup_path, 0755, true, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
 dirfd = open (cgroup_path, O_DIRECTORY | O_CLOEXEC);
 if (UNLIKELY (dirfd < 0))
 return crun_make_error (err, errno, "open `%s`", cgroup_path);
@@ -244,7 +248,11 @@
 if (UNLIKELY (ret < 0))
 return ret;
- ret = initialize_cpuset_subsystem (cgroup_path, err);
+ ret = crun_ensure_directory (cgroup_path, 0755, true, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+ ret = initialize_cpuset_subsystem_resources (cgroup_path, resources, err);
 if (UNLIKELY (ret < 0))
 return ret;
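Review bot: `initialize_cpuset_subsystem_resources` repeats the body of `initialize_cpuset_subsystem` line for line apart from the extra argument, including the two `[257]` buffers; the older function could simply become `return initialize_cpuset_subsystem_resources (path, NULL, err);` so the two cannot drift apart. In the two cgroup-systemd.c hunks on this line, `crun_ensure_directory (cgroup_path, 0755, true, err)` is now called right before both the `open` and the cpuset initialisation with no explanation; a one-line comment saying why the directory may not exist yet at that point (presumably the systemd scope has not been created, but that is an inference) would help the next reader, and the public header should state that `resources` may be NULL since the old wrapper passes exactly that.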
@@ -320,6 +328,14 @@
 if (geteuid ())
 return 0;
+ ret = setup_rt_runtime (resources, path, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+ ret = setup_cpuset_for_systemd_v1 (resources, path, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
 for (from = strtok_r (content, "\n", &saveptr); from; from = strtok_r (NULL, "\n", &saveptr))
 {
 char *subpath, *subsystem;
@@ -351,14 +367,6 @@
 }
 }
- ret = setup_rt_runtime (resources, path, err);
- if (UNLIKELY (ret < 0))
- return ret;
-
- ret = setup_cpuset_for_systemd_v1 (resources, path, err);
- if (UNLIKELY (ret < 0))
- return ret;
-
 break;
 case CGROUP_MODE_UNIFIED:
@@ -746,7 +754,7 @@
 open_sd_bus_connection (sd_bus **bus, libcrun_error_t *err)
 {
 int rootless;
- int sd_err;
+ int sd_err = 0;
 rootless = is_rootless (err);
 if (UNLIKELY (rootless < 0))
@@ -754,7 +762,7 @@
 if (rootless)
 sd_err = sd_bus_default_user (bus);
- else
+ if (! rootless || sd_err < 0)
 sd_err = sd_bus_default_system (bus);
 if (sd_err < 0)
 return crun_make_error (err, -sd_err, "cannot open sd-bus");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/cloned_binary.c new/crun-1.12/src/libcrun/cloned_binary.c
--- old/crun-1.11.1/src/libcrun/cloned_binary.c 2023-03-21 15:02:56.000000000 +0100
+++ new/crun-1.12/src/libcrun/cloned_binary.c 2023-11-07 13:17:29.000000000 +0100
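Review bot: In `open_sd_bus_connection` (last hunk), when a rootless run cannot reach the user bus the code now silently retries the system bus, and if that also fails the error carries the system-bus errno, so the original cause (no session bus) is lost; keep the first failure, e.g. `int user_err = sd_err;` before the fallback, and mention it in the message when both fail. The silent fallback also means a rootless runtime can end up talking to the system manager, where the scope request is likely to be refused for lack of permission and will surface as an unrelated later error; a debug or warning line at the fallback point would make the switch visible in logs. With the new condition both `sd_bus_default_user` and `sd_bus_default_system` may be called on the same `bus` out-pointer, so it is worth confirming against the sd-bus documentation that the first call leaves `*bus` untouched on failure, and a comment recording that assumption.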
@@ -119,7 +119,7 @@
 * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
 * this, because you cannot write to a sealed memfd no matter what (so
 * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
- * memfd to /usr/bin/crun to allow re-use).
+ * memfd to /usr/bin/crun to allow reuse).
 */
 ret = fcntl(fd, F_GET_SEALS);
 if (ret >= 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/container.c new/crun-1.12/src/libcrun/container.c
--- old/crun-1.11.1/src/libcrun/container.c 2023-10-19 11:15:59.000000000 +0200
+++ new/crun-1.12/src/libcrun/container.c 2023-11-23 17:37:16.000000000 +0100
@@ -3925,8 +3925,10 @@
 // Populate namespaces
 populate_array_field (&((*info)->linux.namespaces), namespaces, num_namspaces);
+#ifdef HAVE_CAP
 // Populate capabilities
 populate_capabilities (*info, &capabilities, &num_capabilities);
+#endif
 // Hardcode the values for cgroup
 (*info)->linux.cgroup.v1 = true;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/container.h new/crun-1.12/src/libcrun/container.h
--- old/crun-1.11.1/src/libcrun/container.h 2023-10-19 11:15:59.000000000 +0200
+++ new/crun-1.12/src/libcrun/container.h 2023-11-23 17:37:16.000000000 +0100
@@ -300,10 +300,12 @@
 cleanup_struct_features_free (struct features_info_s **info)
 {
 size_t i;
- struct features_info_s *ptr = *info;
+ struct features_info_s *ptr;
 if (info == NULL || *info == NULL)
 return;
+ ptr = *info;
+
 // Free oci_version_min if it is not NULL
 if (ptr->oci_version_min != NULL)
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/custom-handler.c new/crun-1.12/src/libcrun/custom-handler.c
--- old/crun-1.11.1/src/libcrun/custom-handler.c 2023-09-26 16:45:32.000000000 +0200
+++ new/crun-1.12/src/libcrun/custom-handler.c 2023-11-23 17:37:16.000000000 +0100
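Review bot: Wrapping only the `populate_capabilities` call in `#ifdef HAVE_CAP` (container.c hunk) leaves `capabilities` and `num_capabilities` declared but unused on builds without libcap, assuming their declarations, which sit outside this hunk earlier in the enclosing function, are not guarded the same way; that trips `-Wunused-variable`, so guard the declarations with the same `#ifdef` or mark them unused. It is also worth a one-line comment next to the `#endif` that on such builds the features output simply reports no capabilities rather than failing, so consumers of the features JSON do not read an empty list as "the runtime grants none". The container.h change (reading `*info` only after the NULL check) is correct and needs no further comment.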
@@ -48,6 +48,9 @@
 #if HAVE_DLOPEN && HAVE_MONO
 extern struct custom_handler_s handler_mono;
 #endif
+#if HAVE_DLOPEN && HAVE_SPIN
+extern struct custom_handler_s handler_spin;
+#endif
 static struct custom_handler_s *static_handlers[] = {
 #if HAVE_DLOPEN && HAVE_LIBKRUN
@@ -65,6 +68,9 @@
 #if HAVE_DLOPEN && HAVE_MONO
 &handler_mono,
 #endif
+#if HAVE_DLOPEN && HAVE_SPIN
+ &handler_spin,
+#endif
 NULL,
 };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/handlers/spin.c new/crun-1.12/src/libcrun/handlers/spin.c
--- old/crun-1.11.1/src/libcrun/handlers/spin.c 1970-01-01 01:00:00.000000000 +0100
+++ new/crun-1.12/src/libcrun/handlers/spin.c 2023-11-23 17:37:16.000000000 +0100
@@ -0,0 +1,121 @@
+/*
+ * crun - OCI runtime written in C
+ *
+ * Copyright (C) 2023 Sven Pfennig <[email protected]>
+ * crun is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
+ * (at your option) any later version.
+ *
+ * crun is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with crun. If not, see <http://www.gnu.org/licenses/>.
+ */
+#define _GNU_SOURCE
+
+#include <config.h>
+#include "../custom-handler.h"
+#include "../linux.h"
+#include <sys/stat.h>
+
+#ifdef HAVE_DLOPEN
+# include <dlfcn.h>
+#endif
+
+#ifdef HAVE_SPIN
+
+#endif
+
+#if HAVE_DLOPEN && HAVE_SPIN
+static int
+spin_exec (void *cookie arg_unused, libcrun_container_t *container arg_unused,
+           const char *pathname arg_unused, char *const argv[] arg_unused)
+{
+  // wasmtime fails to determine default config path if $HOME is not set
+  char *newenviron[] = { "HOME=/root", NULL };
+  char *newargv[] = { "/bin/spin", "up", "--listen", "0.0.0.0:80", NULL };
+
+  // spin up needs a /tmp folder
+  int dir_result = mkdir ("/tmp", 0777);
+  if (dir_result != 0 && errno != EEXIST)
+    {
+      error (EXIT_FAILURE, errno, "failed to execute mkdir `/tmp`");
+    }
+
+  execve (newargv[0], newargv, newenviron);
+  perror ("execve");
+  exit (EXIT_FAILURE);
+}
+
+static int
+spin_load (void **cookie, libcrun_error_t *err)
+{
+  struct stat st = { 0 };
+  if (stat ("/usr/local/bin/spin", &st) == -1)
+    {
+      return crun_make_error (err, 0, "Could not find statically linked spin cli at `/usr/local/bin/spin` on host file system");
+    }
+  return 0;
+}
+
+static int
+spin_configure_container (void *cookie arg_unused, enum handler_configure_phase phase,
+                          libcrun_context_t *context arg_unused, libcrun_container_t *container,
+                          const char *rootfs arg_unused, libcrun_error_t *err)
+{
+  int ret;
+  if (phase != HANDLER_CONFIGURE_MOUNTS)
+    return 0;
+
+  char *options[] = {
+    "ro",
+    "rprivate",
+    "nosuid",
+    "nodev",
+    "rbind"
+  };
+
+  ret = libcrun_container_do_bind_mount (container, "/usr/local/bin/spin", "/bin/spin", options, 5, err);
+  if (ret != 0)
+    return ret;
+
+  /* release any error if set since we are going to be returning from here */
+  crun_error_release (err);
+
+  return 0;
+}
+
+static int
+spin_unload (void *cookie, libcrun_error_t *err)
+{
+  return 0;
+}
+
+static int
+spin_can_handle_container (libcrun_container_t *container, libcrun_error_t *err arg_unused)
+{
+  const char *entrypoint_executable;
+
+  if (container->container_def->process == NULL || container->container_def->process->args == NULL)
+    return 0;
+
+  entrypoint_executable = container->container_def->process->args[0];
+  return strcmp (entrypoint_executable, "/") ? 0 : 1;
+}
+
+struct custom_handler_s handler_spin = {
+  .name = "spin",
+  .alias = NULL,
+  .feature_string = "WASM:spin",
+  .load = spin_load,
+  .unload = spin_unload,
+  .run_func = spin_exec,
+  .can_handle_container = spin_can_handle_container,
+  .configure_container = spin_configure_container,
+};
+
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/linux.c new/crun-1.12/src/libcrun/linux.c
--- old/crun-1.11.1/src/libcrun/linux.c	2023-10-30 21:06:54.000000000 +0100
+++ new/crun-1.12/src/libcrun/linux.c	2023-11-07 13:17:29.000000000 +0100
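Review bot: `mkdir ("/tmp", 0777)` in spin_exec creates the container's /tmp without the sticky bit, so any UID inside the container can unlink or rename another user's temp files, and the process umask also clips the requested mode; the conventional form is `mkdir ("/tmp", S_ISVTX | 0777)` (i.e. `01777`), with a follow-up `chmod` only when the directory was actually created rather than on an image-provided one. The same function discards the `pathname`/`argv` it is handed and hard-codes `"--listen", "0.0.0.0:80"`, so the workload listens on all interfaces regardless of what the OCI spec asked for; that deserves at least a comment above `newargv`, e.g. `// NOTE: process.args from the OCI spec are ignored; spin always binds 0.0.0.0:80`. The bind mount in spin_configure_container is `ro,nosuid,nodev`, which is the right restriction for a host binary projected into the rootfs.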
@@ -3086,7 +3086,7 @@
   return 0;
 }
-#define CAP_TO_MASK_0(x) (1L << ((x) &31))
+#define CAP_TO_MASK_0(x) (1L << ((x) & 31))
 #define CAP_TO_MASK_1(x) CAP_TO_MASK_0 (x - 32)
 struct all_caps_s
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/terminal.c new/crun-1.12/src/libcrun/terminal.c
--- old/crun-1.11.1/src/libcrun/terminal.c	2023-09-26 16:45:32.000000000 +0200
+++ new/crun-1.12/src/libcrun/terminal.c	2023-11-07 13:17:29.000000000 +0100
@@ -46,7 +46,7 @@
     return crun_make_error (err, errno, "open `/dev/ptmx`");
   ret = ptsname_r (fd, buf, sizeof (buf));
-  if (UNLIKELY (ret < 0))
+  if (UNLIKELY (ret != 0))
     return crun_make_error (err, errno, "ptsname");
   ret = unlockpt (fd);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.11.1/src/libcrun/utils.c new/crun-1.12/src/libcrun/utils.c
--- old/crun-1.11.1/src/libcrun/utils.c	2023-10-19 11:15:59.000000000 +0200
+++ new/crun-1.12/src/libcrun/utils.c	2023-11-23 17:37:16.000000000 +0100
@@ -40,7 +40,6 @@
 #include <sys/vfs.h>
 #include <linux/magic.h>
 #include <limits.h>
-#include <stdarg.h>
 #include <sys/mman.h>
 #ifdef HAVE_LINUX_OPENAT2_H
 # include <linux/openat2.h>
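Review bot: The corrected `ret != 0` test in the terminal.c hunk still reports `errno` in the error, but `ptsname_r` returns the error number itself and not every libc also stores it in `errno` (a buffer-too-small `ERANGE` from some implementations is returned without touching `errno`), so the message can carry a stale code; the returned value is the portable source, `return crun_make_error (err, ret, "ptsname");`. The enclosing function starts and ends outside the hunk.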
@@ -821,27 +820,53 @@
 }
 static int
-write_file_and_check_fs_type (const char *file, const char *data, size_t len, unsigned int type, const char *type_name,
-                              libcrun_error_t *err)
+set_security_attr (const char *lsm, const char *fname, const char *data, libcrun_error_t *err)
 {
   int ret;
   struct statfs sfs;
+
+  cleanup_close int attr_dirfd = -1;
+  cleanup_close int lsm_dirfd = -1;
   cleanup_close int fd = -1;
-  fd = open (file, O_WRONLY | O_CLOEXEC);
+  attr_dirfd = open ("/proc/thread-self/attr", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+  if (UNLIKELY (attr_dirfd < 0))
+    return crun_make_error (err, errno, "open `/proc/thread-self/attr`");
+
+  // Check for newer scoped interface in /proc/thread-self/attr/<lsm>
+  if (lsm != NULL)
+    {
+      lsm_dirfd = openat (attr_dirfd, lsm, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+
+      if (UNLIKELY (lsm_dirfd < 0 && errno != ENOENT))
+        return crun_make_error (err, errno, "open `/proc/thread-self/attr/%s`", lsm);
+    }
+
+  // Use scoped interface if available, fall back to unscoped
+  if (lsm_dirfd >= 0)
+    fd = openat (lsm_dirfd, fname, O_WRONLY | O_CLOEXEC);
+  else
+    fd = openat (attr_dirfd, fname, O_WRONLY | O_CLOEXEC);
+
   if (UNLIKELY (fd < 0))
-    return crun_make_error (err, errno, "open file `%s`", file);
+    return crun_make_error (err, errno, "open `/proc/thread-self/attr/%s%s%s`",
+                            lsm_dirfd >= 0 ? lsm : "", lsm_dirfd >= 0 ? "/" : "", fname);
+  // Check that the file system type is indeed procfs
   ret = fstatfs (fd, &sfs);
   if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "statfs `%s`", file);
+    return crun_make_error (err, errno, "statfs `/proc/thread-self/attr/%s%s%s`",
+                            lsm_dirfd >= 0 ? lsm : "", lsm_dirfd >= 0 ? "/" : "", fname);
-  if (sfs.f_type != type)
-    return crun_make_error (err, 0, "the file `%s` is not on file system type `%s`", file, type_name);
+  if (sfs.f_type != PROC_SUPER_MAGIC)
+    return crun_make_error (err, 0, "the file `/proc/thread-self/attr/%s%s%s` is not on a `procfs` file system",
+                            lsm_dirfd >= 0 ? lsm : "", lsm_dirfd >= 0 ? "/" : "", fname);
-  ret = TEMP_FAILURE_RETRY (write (fd, data, len));
+  // Write out data
+  ret = TEMP_FAILURE_RETRY (write (fd, data, strlen (data)));
   if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "write file `%s`", file);
+    return crun_make_error (err, errno, "write file `/proc/thread-self/attr/%s%s%s`",
+                            lsm_dirfd >= 0 ? lsm : "", lsm_dirfd >= 0 ? "/" : "", fname);
   return 0;
 }
@@ -856,14 +881,7 @@
     return ret;
   if (ret)
-    {
-      const char *fname = now ? "/proc/thread-self/attr/current" : "/proc/thread-self/attr/exec";
-      ret = write_file_and_check_fs_type (fname, label,
-                                          strlen (label), PROC_SUPER_MAGIC,
-                                          "procfs", err);
-      if (UNLIKELY (ret < 0))
-        return ret;
-    }
+    return set_security_attr (NULL, now ? "current" : "exec", label, err);
   return 0;
 }
@@ -883,17 +901,14 @@
   ret = libcrun_is_apparmor_enabled (err);
   if (UNLIKELY (ret < 0))
     return ret;
+
   if (ret)
     {
-      const char *fname = now ? "/proc/thread-self/attr/current" : "/proc/thread-self/attr/exec";
       cleanup_free char *buf = NULL;
       xasprintf (&buf, "%s %s", now ? "changeprofile" : "exec", profile);
-      ret = write_file_and_check_fs_type (fname, buf, strlen (buf), PROC_SUPER_MAGIC, "procfs",
-                                          err);
-      if (UNLIKELY (ret < 0))
-        return ret;
+      return set_security_attr ("apparmor", now ? "current" : "exec", buf, err);
     }
   return 0;
 }
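Review bot: The write check at the end of set_security_attr only rejects `ret < 0`, so a short write of a security label would be reported as success even though the label was not applied; since this is a label, not bulk data, a reviewer would want `if (UNLIKELY (ret < 0 || (size_t) ret != strlen (data)))` on that line, even if procfs attr writes are expected to be all-or-nothing. The pair `lsm_dirfd >= 0 ? lsm : "", lsm_dirfd >= 0 ? "/" : ""` is also repeated in all four error paths; computing `const char *scope = lsm_dirfd >= 0 ? lsm : "";` and `const char *sep = lsm_dirfd >= 0 ? "/" : "";` once after the openat fallback and passing `scope, sep, fname` keeps the messages identical and the function easier to read.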
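Review bot: The call in this hunk passes `NULL` as the lsm, so this label still goes only to the unscoped `attr/current`/`attr/exec` files, while the AppArmor caller in the following hunk uses the scoped `attr/apparmor/` directory with a fallback; that leaves this path exposed to exactly the LSM-ordering failure the changelog describes. If this is the SELinux path (its enclosing function starts outside the hunk, so I am inferring from `label`), the line should read `return set_security_attr ("selinux", now ? "current" : "exec", label, err);`, which uses `attr/selinux/*` where the kernel provides it and falls back to the unscoped files otherwise.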
