diff --git a/.criu.metadata b/.criu.metadata
index f33f9a7..52bb375 100644
--- a/.criu.metadata
+++ b/.criu.metadata
@@ -1 +1 @@
-b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2
+548d575d89e872c153a756c274e438995eb4e823 SOURCES/criu-3.14.tar.bz2
diff --git a/.gitignore b/.gitignore
index d9f1e8d..1c6f0d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/criu-3.12.tar.bz2
+SOURCES/criu-3.14.tar.bz2
diff --git a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
deleted file mode 100644
index 3b2fbd8..0000000
--- a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Fri, 3 May 2019 06:27:51 +0000
-Subject: [PATCH] lsm: fix compiler error 'unused-result'
-
-Reading out the xattr 'security.selinux' of checkpointed sockets with
-fscanf() works (at least in theory) without checking the result of
-fscanf(). There are, however, multiple CI failures when ignoring the
-return value of fscanf().
-
-This adds ferror() to check if the stream has an actual error or if '-1'
-just mean EOF.
-
-Handle all errors of fscanf() // Andrei
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
-Signed-off-by: Andrei Vagin <avagin@gmail.com>
----
- criu/lsm.c | 22 +++++++++++++---------
- 1 file changed, 13 insertions(+), 9 deletions(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index ef6ba112b3..9c9ac7f80e 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
- return -1;
-
- if (fscanf(f, "%ms", profile_name) != 1) {
-- fclose(f);
- pr_perror("err scanfing");
-+ fclose(f);
- return -1;
- }
-
-@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
- static int selinux_get_sockcreate_label(pid_t pid, char **output)
- {
- FILE *f;
-+ int ret;
-
- f = fopen_proc(pid, "attr/sockcreate");
- if (!f)
- return -1;
-
-- fscanf(f, "%ms", output);
-- /*
-- * No need to check the result of fscanf(). If there is something
-- * in /proc/PID/attr/sockcreate it will be copied to *output. If
-- * there is nothing it will stay NULL. So whatever fscanf() does
-- * it should be correct.
-- */
--
-+ ret = fscanf(f, "%ms", output);
-+ if (ret == -1 && errno != 0) {
-+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
-+ /*
-+ * Only if the error indicator is set it is a real error.
-+ * -1 could also be EOF, which would mean that sockcreate
-+ * was just empty, which is the most common case.
-+ */
-+ fclose(f);
-+ return -1;
-+ }
- fclose(f);
- return 0;
- }
diff --git a/SOURCES/685.patch b/SOURCES/685.patch
deleted file mode 100644
index 30e1728..0000000
--- a/SOURCES/685.patch
+++ /dev/null
@@ -1,834 +0,0 @@
-From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Thu, 2 May 2019 13:41:46 +0000
-Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
-
-The file /proc/PID/attr/sockcreate is used by SELinux to label newly
-created sockets with the label available at sockcreate.
-
-If it is NULL, the default label of the process will be used.
-
-This reads out that file during checkpoint and restores the value during
-restore.
-
-This value is irrelevant for existing sockets as they might have been
-created with another context. This is only to make sure that newly
-created sockets have the correct context.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++
- criu/include/restorer.h | 2 ++
- criu/lsm.c | 32 ++++++++++++++++++++++++++++++++
- criu/pie/restorer.c | 15 ++++++++++-----
- images/creds.proto | 1 +
- 5 files changed, 81 insertions(+), 5 deletions(-)
-
-diff --git a/criu/cr-restore.c b/criu/cr-restore.c
-index 5fd22e9246..f254cbc0eb 100644
---- a/criu/cr-restore.c
-+++ b/criu/cr-restore.c
-@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
-
- if (args->lsm_profile)
- args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
-+ if (args->lsm_sockcreate)
-+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
- if (args->groups)
- args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
-
-@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
- args->mem_lsm_profile_pos = 0;
- }
-
-+ if (ce->lsm_sockcreate) {
-+ char *rendered = NULL;
-+ char *profile;
-+
-+ profile = ce->lsm_sockcreate;
-+
-+ if (validate_lsm(profile) < 0)
-+ return ERR_PTR(-EINVAL);
-+
-+ if (profile && render_lsm_profile(profile, &rendered)) {
-+ return ERR_PTR(-EINVAL);
-+ }
-+ if (rendered) {
-+ size_t lsm_sockcreate_len;
-+ char *lsm_sockcreate;
-+
-+ args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
-+ lsm_sockcreate_len = strlen(rendered);
-+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
-+ if (!lsm_sockcreate) {
-+ xfree(rendered);
-+ return ERR_PTR(-ENOMEM);
-+ }
-+
-+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
-+ args->lsm_sockcreate = lsm_sockcreate;
-+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
-+ xfree(rendered);
-+ }
-+ } else {
-+ args->lsm_sockcreate = NULL;
-+ args->mem_lsm_sockcreate_pos = 0;
-+ }
-+
- /*
- * Zap fields which we can't use.
- */
-diff --git a/criu/include/restorer.h b/criu/include/restorer.h
-index 2884ce9e6d..b83e9130c5 100644
---- a/criu/include/restorer.h
-+++ b/criu/include/restorer.h
-@@ -69,8 +69,10 @@ struct thread_creds_args {
- unsigned int secbits;
- char *lsm_profile;
- unsigned int *groups;
-+ char *lsm_sockcreate;
-
- unsigned long mem_lsm_profile_pos;
-+ unsigned long mem_lsm_sockcreate_pos;
- unsigned long mem_groups_pos;
-
- unsigned long mem_pos_next;
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 849ec37cde..b0ef0c396c 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
- freecon(ctx);
- return ret;
- }
-+
-+/*
-+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
-+ * to see if the PID has a special label specified for sockets.
-+ * Most of the time this will be empty and the process will use
-+ * the process context also for sockets.
-+ */
-+static int selinux_get_sockcreate_label(pid_t pid, char **output)
-+{
-+ FILE *f;
-+
-+ f = fopen_proc(pid, "attr/sockcreate");
-+ if (!f)
-+ return -1;
-+
-+ fscanf(f, "%ms", output);
-+ /*
-+ * No need to check the result of fscanf(). If there is something
-+ * in /proc/PID/attr/sockcreate it will be copied to *output. If
-+ * there is nothing it will stay NULL. So whatever fscanf() does
-+ * it should be correct.
-+ */
-+
-+ fclose(f);
-+ return 0;
-+}
- #endif
-
- void kerndat_lsm(void)
-@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
- int ret;
-
- ce->lsm_profile = NULL;
-+ ce->lsm_sockcreate = NULL;
-
- switch (kdat.lsm) {
- case LSMTYPE__NO_LSM:
-@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
- #ifdef CONFIG_HAS_SELINUX
- case LSMTYPE__SELINUX:
- ret = selinux_get_label(pid, &ce->lsm_profile);
-+ if (ret)
-+ break;
-+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
- break;
- #endif
- default:
-@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
-
- if (ce->lsm_profile)
- pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
-+ if (ce->lsm_sockcreate)
-+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
-
- return ret;
- }
-diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
-index 6e18cc2606..4f42605a09 100644
---- a/criu/pie/restorer.c
-+++ b/criu/pie/restorer.c
-@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
- sys_exit_group(1);
- }
-
--static int lsm_set_label(char *label, int procfd)
-+static int lsm_set_label(char *label, char *type, int procfd)
- {
- int ret = -1, len, lsmfd;
- char path[STD_LOG_SIMPLE_CHUNK];
-@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
- if (!label)
- return 0;
-
-- pr_info("restoring lsm profile %s\n", label);
-+ pr_info("restoring lsm profile (%s) %s\n", type, label);
-
-- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
-+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
-
- lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
- if (lsmfd < 0) {
-@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
- * SELinux and instead the process context is set before the
- * threads are created.
- */
-- if (lsm_set_label(args->lsm_profile, procfd) < 0)
-+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
- return -1;
- }
-+
-+ /* Also set the sockcreate label for all threads */
-+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
-+ return -1;
-+
- return 0;
- }
-
-@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
- if (args->lsm_type == LSMTYPE__SELINUX) {
- /* Only for SELinux */
- if (lsm_set_label(args->t->creds_args->lsm_profile,
-- args->proc_fd) < 0)
-+ "current", args->proc_fd) < 0)
- goto core_restore_end;
- }
-
-diff --git a/images/creds.proto b/images/creds.proto
-index 29fb8652eb..23b84c7e50 100644
---- a/images/creds.proto
-+++ b/images/creds.proto
-@@ -20,4 +20,5 @@ message creds_entry {
- repeated uint32 groups = 14;
-
- optional string lsm_profile = 15;
-+ optional string lsm_sockcreate = 16;
- }
-
-From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Thu, 2 May 2019 13:47:29 +0000
-Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
- restore
-
-This makes sure that sockcreate stays empty for selinux00 before and
-after checkpoint/restore.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
-index dd9096a6fc..db8420eacb 100644
---- a/test/zdtm/static/selinux00.c
-+++ b/test/zdtm/static/selinux00.c
-@@ -83,6 +83,31 @@ int checkprofile()
- return 0;
- }
-
-+int check_sockcreate()
-+{
-+ char *output = NULL;
-+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
-+ int ret = fscanf(f, "%ms", &output);
-+ fclose(f);
-+
-+ if (ret >= 1) {
-+ free(output);
-+ /* sockcreate should be empty, if fscanf found something
-+ * it is wrong.*/
-+ fail("sockcreate should be empty\n");
-+ return -1;
-+ }
-+
-+ if (output) {
-+ free(output);
-+ /* Same here, output should still be NULL. */
-+ fail("sockcreate should be empty\n");
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
- int main(int argc, char **argv)
- {
- test_init(argc, argv);
-@@ -95,12 +120,21 @@ int main(int argc, char **argv)
- return 0;
- }
-
-+ if (check_sockcreate())
-+ return -1;
-+
- if (setprofile())
- return -1;
-
-+ if (check_sockcreate())
-+ return -1;
-+
- test_daemon();
- test_waitsig();
-
-+ if (check_sockcreate())
-+ return -1;
-+
- if (checkprofile() == 0)
- pass();
-
-
-From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Mon, 29 Apr 2019 15:21:59 +0200
-Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
-
-Restoring a SELinux process also requires to correctly label sockets.
-
-During checkpointing fgetxattr() is used to retrieve the
-"security.selinux" xattr and during restore setsockcreatecon() is used
-before a socket is created.
-
-Previous commits are already restoring the sockcreate SELinux setting if
-set by the process.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/include/lsm.h | 18 +++++++++++++++
- criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++
- criu/sk-inet.c | 12 ++++++++++
- criu/sockets.c | 4 ++++
- images/fdinfo.proto | 1 +
- 5 files changed, 91 insertions(+)
-
-diff --git a/criu/include/lsm.h b/criu/include/lsm.h
-index b4fce13039..3b82712829 100644
---- a/criu/include/lsm.h
-+++ b/criu/include/lsm.h
-@@ -3,6 +3,7 @@
-
- #include "images/inventory.pb-c.h"
- #include "images/creds.pb-c.h"
-+#include "images/fdinfo.pb-c.h"
-
- #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
-
-@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
- int render_lsm_profile(char *profile, char **val);
-
- extern int lsm_check_opts(void);
-+
-+#ifdef CONFIG_HAS_SELINUX
-+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
-+int run_setsockcreatecon(FdinfoEntry *e);
-+int reset_setsockcreatecon();
-+#else
-+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
-+ return 0;
-+}
-+static inline int run_setsockcreatecon(FdinfoEntry *e) {
-+ return 0;
-+}
-+static inline int reset_setsockcreatecon() {
-+ return 0;
-+}
-+#endif
-+
- #endif /* __CR_LSM_H__ */
-diff --git a/criu/lsm.c b/criu/lsm.c
-index b0ef0c396c..ef6ba112b3 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -3,6 +3,7 @@
- #include <stdlib.h>
- #include <fcntl.h>
- #include <sys/types.h>
-+#include <sys/xattr.h>
- #include <unistd.h>
-
- #include "common/config.h"
-@@ -11,10 +12,12 @@
- #include "util.h"
- #include "cr_options.h"
- #include "lsm.h"
-+#include "fdstore.h"
-
- #include "protobuf.h"
- #include "images/inventory.pb-c.h"
- #include "images/creds.pb-c.h"
-+#include "images/fdinfo.pb-c.h"
-
- #ifdef CONFIG_HAS_SELINUX
- #include <selinux/selinux.h>
-@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
- fclose(f);
- return 0;
- }
-+
-+int reset_setsockcreatecon()
-+{
-+ return setsockcreatecon_raw(NULL);
-+}
-+
-+int run_setsockcreatecon(FdinfoEntry *e)
-+{
-+ char *ctx = NULL;
-+
-+ /* Currently this only works for SELinux. */
-+ if (kdat.lsm != LSMTYPE__SELINUX)
-+ return 0;
-+
-+ ctx = e->xattr_security_selinux;
-+ /* Writing to the FD using fsetxattr() did not work for some reason. */
-+ return setsockcreatecon_raw(ctx);
-+}
-+
-+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
-+{
-+ char *ctx = NULL;
-+ int len;
-+ int ret;
-+
-+ /* Currently this only works for SELinux. */
-+ if (kdat.lsm != LSMTYPE__SELINUX)
-+ return 0;
-+
-+ /* Get the size of the xattr. */
-+ len = fgetxattr(fd, "security.selinux", ctx, 0);
-+ if (len == -1) {
-+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+ return -1;
-+ }
-+
-+ ctx = xmalloc(len);
-+ if (!ctx) {
-+ pr_err("xmalloc to read xattr for FD %d failed\n", fd);
-+ return -1;
-+ }
-+
-+ ret = fgetxattr(fd, "security.selinux", ctx, len);
-+ if (len != ret) {
-+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+ return -1;
-+ }
-+
-+ e->xattr_security_selinux = ctx;
-+
-+ return 0;
-+}
-+
- #endif
-
- void kerndat_lsm(void)
-diff --git a/criu/sk-inet.c b/criu/sk-inet.c
-index 60ee4c3155..ca5c9bf2cd 100644
---- a/criu/sk-inet.c
-+++ b/criu/sk-inet.c
-@@ -23,6 +23,9 @@
- #include "files.h"
- #include "image.h"
- #include "log.h"
-+#include "lsm.h"
-+#include "kerndat.h"
-+#include "pstree.h"
- #include "rst-malloc.h"
- #include "sockets.h"
- #include "sk-inet.h"
-@@ -30,6 +33,8 @@
- #include "util.h"
- #include "namespaces.h"
-
-+#include "images/inventory.pb-c.h"
-+
- #undef LOG_PREFIX
- #define LOG_PREFIX "inet: "
-
-@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
- if (set_netns(ie->ns_id))
- return -1;
-
-+ if (run_setsockcreatecon(fle->fe))
-+ return -1;
-+
- sk = socket(ie->family, ie->type, ie->proto);
- if (sk < 0) {
- pr_perror("Can't create inet socket");
- return -1;
- }
-
-+ if (reset_setsockcreatecon())
-+ return -1;
-+
- if (ie->v6only) {
- if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
- goto err;
-@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
- }
-
- *new_fd = sk;
-+
- return 1;
- err:
- close(sk);
-diff --git a/criu/sockets.c b/criu/sockets.c
-index 30072ac737..7f7453ca1d 100644
---- a/criu/sockets.c
-+++ b/criu/sockets.c
-@@ -22,6 +22,7 @@
- #include "util-pie.h"
- #include "sk-packet.h"
- #include "namespaces.h"
-+#include "lsm.h"
- #include "net.h"
- #include "xmalloc.h"
- #include "fs-magic.h"
-@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
- int family;
- const struct fdtype_ops *ops;
-
-+ if (dump_xattr_security_selinux(lfd, e))
-+ return -1;
-+
- if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
- return -1;
-
-diff --git a/images/fdinfo.proto b/images/fdinfo.proto
-index ed82ceffe7..77e375aa94 100644
---- a/images/fdinfo.proto
-+++ b/images/fdinfo.proto
-@@ -47,6 +47,7 @@ message fdinfo_entry {
- required uint32 flags = 2;
- required fd_types type = 3;
- required uint32 fd = 4;
-+ optional string xattr_security_selinux = 5;
- }
-
- message file_entry {
-
-From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Tue, 30 Apr 2019 09:47:32 +0000
-Subject: [PATCH 4/4] selinux: add socket label test
-
-This adds two more SELinux test to verfy that checkpointing and
-restoring SELinux socket labels works correctly, if the process uses
-setsockcreatecon() or if the process leaves the default context for
-newly created sockets.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- test/zdtm/static/Makefile | 3 +
- test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++
- test/zdtm/static/selinux01.checkskip | 1 +
- test/zdtm/static/selinux01.desc | 1 +
- test/zdtm/static/selinux01.hook | 1 +
- test/zdtm/static/selinux02.c | 1 +
- test/zdtm/static/selinux02.checkskip | 1 +
- test/zdtm/static/selinux02.desc | 1 +
- test/zdtm/static/selinux02.hook | 1 +
- 9 files changed, 210 insertions(+)
- create mode 100644 test/zdtm/static/selinux01.c
- create mode 120000 test/zdtm/static/selinux01.checkskip
- create mode 120000 test/zdtm/static/selinux01.desc
- create mode 120000 test/zdtm/static/selinux01.hook
- create mode 120000 test/zdtm/static/selinux02.c
- create mode 120000 test/zdtm/static/selinux02.checkskip
- create mode 120000 test/zdtm/static/selinux02.desc
- create mode 120000 test/zdtm/static/selinux02.hook
-
-diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
-index 8e3f39276a..1ffaa90394 100644
---- a/test/zdtm/static/Makefile
-+++ b/test/zdtm/static/Makefile
-@@ -211,6 +211,8 @@ TST_NOFILE := \
- thp_disable \
- pid_file \
- selinux00 \
-+ selinux01 \
-+ selinux02 \
- # jobctl00 \
-
- ifneq ($(SRCARCH),arm)
-@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
- ghost_holes01: CFLAGS += -DTAIL_HOLE
- ghost_holes02: CFLAGS += -DHEAD_HOLE
- sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE
-+selinux02: CFLAGS += -DUSING_SOCKCREATE
- stopped01: CFLAGS += -DZDTM_STOPPED_KILL
- stopped02: CFLAGS += -DZDTM_STOPPED_TKILL
- stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
-diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
-new file mode 100644
-index 0000000000..9966455c47
---- /dev/null
-+++ b/test/zdtm/static/selinux01.c
-@@ -0,0 +1,200 @@
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <fcntl.h>
-+#include <sys/stat.h>
-+#include <sys/types.h>
-+#include <sys/mount.h>
-+#include <sys/socket.h>
-+#include <sys/xattr.h>
-+#include <linux/limits.h>
-+#include <signal.h>
-+#include "zdtmtst.h"
-+
-+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
-+
-+const char *test_doc = "Check that a SELinux socket context is restored";
-+const char *test_author = "Adrian Reber <areber@redhat.com>";
-+
-+/* This is all based on Tycho's apparmor code */
-+
-+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
-+
-+/*
-+ * This is used to store the state of SELinux. For this test
-+ * SELinux is switched to permissive mode and later the previous
-+ * SELinux state is restored.
-+ */
-+char state;
-+
-+int check_for_selinux()
-+{
-+ if (access("/sys/fs/selinux", F_OK) == 0)
-+ return 0;
-+ return 1;
-+}
-+
-+int setprofile()
-+{
-+ int fd, len;
-+
-+ fd = open("/proc/self/attr/current", O_WRONLY);
-+ if (fd < 0) {
-+ fail("Could not open /proc/self/attr/current\n");
-+ return -1;
-+ }
-+
-+ len = write(fd, CONTEXT, strlen(CONTEXT));
-+ close(fd);
-+
-+ if (len < 0) {
-+ fail("Could not write context\n");
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
-+int set_sockcreate()
-+{
-+ int fd, len;
-+
-+ fd = open("/proc/self/attr/sockcreate", O_WRONLY);
-+ if (fd < 0) {
-+ fail("Could not open /proc/self/attr/sockcreate\n");
-+ return -1;
-+ }
-+
-+ len = write(fd, CONTEXT, strlen(CONTEXT));
-+ close(fd);
-+
-+ if (len < 0) {
-+ fail("Could not write context\n");
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
-+int check_sockcreate()
-+{
-+ int fd;
-+ char context[1024];
-+ int len;
-+
-+
-+ fd = open("/proc/self/attr/sockcreate", O_RDONLY);
-+ if (fd < 0) {
-+ fail("Could not open /proc/self/attr/sockcreate\n");
-+ return -1;
-+ }
-+
-+ len = read(fd, context, strlen(CONTEXT));
-+ close(fd);
-+ if (len != strlen(CONTEXT)) {
-+ fail("SELinux context has unexpected length %d, expected %zd\n",
-+ len, strlen(CONTEXT));
-+ return -1;
-+ }
-+
-+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
-+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
-+int check_sockcreate_empty()
-+{
-+ char *output = NULL;
-+ FILE *f = fopen("/proc/self/attr/sockcreate", "r");
-+ int ret = fscanf(f, "%ms", &output);
-+ fclose(f);
-+
-+ if (ret >= 1) {
-+ free(output);
-+ /* sockcreate should be empty, if fscanf found something
-+ * it is wrong.*/
-+ fail("sockcreate should be empty\n");
-+ return -1;
-+ }
-+
-+ if (output) {
-+ free(output);
-+ /* Same here, output should still be NULL. */
-+ fail("sockcreate should be empty\n");
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ char ctx[1024];
-+ test_init(argc, argv);
-+
-+ if (check_for_selinux()) {
-+ skip("SELinux not found on this system.");
-+ test_daemon();
-+ test_waitsig();
-+ pass();
-+ return 0;
-+ }
-+
-+#ifdef USING_SOCKCREATE
-+ if (set_sockcreate())
-+ return -1;
-+#else
-+ if (check_sockcreate_empty())
-+ return -1;
-+
-+ if (setprofile())
-+ return -1;
-+
-+ if (check_sockcreate_empty())
-+ return -1;
-+#endif
-+
-+ /* Open our test socket */
-+ int sk = socket(AF_INET, SOCK_STREAM, 0);
-+ memset(ctx, 0, 1024);
-+ /* Read out the socket label */
-+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
-+ fail("Reading xattr 'security.selinux' failed.\n");
-+ return -1;
-+ }
-+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
-+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
-+ return -1;
-+ }
-+ memset(ctx, 0, 1024);
-+
-+ test_daemon();
-+ test_waitsig();
-+
-+ /* Read out the socket label again */
-+
-+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
-+ fail("Reading xattr 'security.selinux' failed.\n");
-+ return -1;
-+ }
-+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
-+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
-+ return -1;
-+ }
-+
-+#ifdef USING_SOCKCREATE
-+ if (check_sockcreate())
-+ return -1;
-+#else
-+ if (check_sockcreate_empty())
-+ return -1;
-+#endif
-+
-+ pass();
-+
-+ return 0;
-+}
-diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
-new file mode 120000
-index 0000000000..e8a172479e
---- /dev/null
-+++ b/test/zdtm/static/selinux01.checkskip
-@@ -0,0 +1 @@
-+selinux00.checkskip
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
-new file mode 120000
-index 0000000000..2d2961a764
---- /dev/null
-+++ b/test/zdtm/static/selinux01.desc
-@@ -0,0 +1 @@
-+selinux00.desc
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
-new file mode 120000
-index 0000000000..dd7ed6bb33
---- /dev/null
-+++ b/test/zdtm/static/selinux01.hook
-@@ -0,0 +1 @@
-+selinux00.hook
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
-new file mode 120000
-index 0000000000..5702677858
---- /dev/null
-+++ b/test/zdtm/static/selinux02.c
-@@ -0,0 +1 @@
-+selinux01.c
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
-new file mode 120000
-index 0000000000..2696e6e3de
---- /dev/null
-+++ b/test/zdtm/static/selinux02.checkskip
-@@ -0,0 +1 @@
-+selinux01.checkskip
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
-new file mode 120000
-index 0000000000..9c6802c4da
---- /dev/null
-+++ b/test/zdtm/static/selinux02.desc
-@@ -0,0 +1 @@
-+selinux01.desc
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
-new file mode 120000
-index 0000000000..e3ea0a6c80
---- /dev/null
-+++ b/test/zdtm/static/selinux02.hook
-@@ -0,0 +1 @@
-+selinux01.hook
-\ No newline at end of file
diff --git a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
deleted file mode 100644
index 09446a6..0000000
--- a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
-From: Andrei Vagin <avagin@gmail.com>
-Date: Sat, 4 May 2019 20:01:52 -0700
-Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
-
-Fixes #693
----
- criu/lsm.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 9c9ac7f80e..5921138392 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
-
- int reset_setsockcreatecon()
- {
-- return setsockcreatecon_raw(NULL);
-+ /* Currently this only works for SELinux. */
-+ if (kdat.lsm != LSMTYPE__SELINUX)
-+ return 0;
-+
-+ if (setsockcreatecon_raw(NULL)) {
-+ pr_perror("Unable to reset socket SELinux context");
-+ return -1;
-+ }
-+ return 0;
- }
-
- int run_setsockcreatecon(FdinfoEntry *e)
-@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
-
- ctx = e->xattr_security_selinux;
- /* Writing to the FD using fsetxattr() did not work for some reason. */
-- return setsockcreatecon_raw(ctx);
-+ if (setsockcreatecon_raw(ctx)) {
-+ pr_perror("Unable to set the %s socket SELinux context", ctx);
-+ return -1;
-+ }
-+ return 0;
- }
-
- int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
diff --git a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
deleted file mode 100644
index ec0cf00..0000000
--- a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Sat, 4 May 2019 15:27:32 +0200
-Subject: [PATCH] lsm: fix compiler error on Fedora 30
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes following compiler error:
-
-criu/lsm.c: In function ‘dump_xattr_security_selinux’:
-criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
- 51 | print_on_level(LOG_ERROR, \
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- 52 | "Error (%s:%d): " LOG_PREFIX fmt, \
- | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- 53 | __FILE__, __LINE__, ##__VA_ARGS__)
- | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’
- 166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
- | ^~~~~~
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/lsm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 5921138392..420585ba4f 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
- /* Get the size of the xattr. */
- len = fgetxattr(fd, "security.selinux", ctx, 0);
- if (len == -1) {
-- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
- return -1;
- }
-
diff --git a/SOURCES/criu-1838991.patch b/SOURCES/criu-1838991.patch
new file mode 100644
index 0000000..f8c2a03
--- /dev/null
+++ b/SOURCES/criu-1838991.patch
@@ -0,0 +1,121 @@
+From ce733f4be5791911c009c57e803f3a08d3270a0c Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 11:57:22 +0000
+Subject: [PATCH 1/3] coverity: fix RESOURCE_LEAK criu/timens.c: 67
+
+ 7. criu-3.14/criu/timens.c:67: leaked_storage: Variable "img" going out of scope leaks the storage it points to.
+ 65| if (id == 0 && empty_image(img)) {
+ 66| pr_warn("Clocks values have not been dumped\n");
+ 67|-> return 0;
+ 68| }
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/timens.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/criu/timens.c b/criu/timens.c
+index 2a7e952845..f81808abf8 100644
+--- criu-3.14/criu/timens.c
++++ criu-3.14/criu/timens.c
+@@ -64,6 +64,7 @@ int prepare_timens(int id)
+
+ if (id == 0 && empty_image(img)) {
+ pr_warn("Clocks values have not been dumped\n");
++ close_image(img);
+ return 0;
+ }
+
+
+From e7e4e46cfebd69efe8681395380528826df0d529 Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 12:19:36 +0000
+Subject: [PATCH 2/3] coverity: fix FORWARD_NULL in criu/proc_parse.c: 1481
+
+8. criu-3.14/criu/proc_parse.c:1511: var_deref_model: Passing null pointer "f" to "fclose", which dereferences it.
+ 1509| exit_code = 0;
+ 1510| out:
+ 1511|-> fclose(f);
+ 1512| return exit_code;
+ 1513| }
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/proc_parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/proc_parse.c b/criu/proc_parse.c
+index 4a22700aa3..d1ccd9281b 100644
+--- criu-3.14/criu/proc_parse.c
++++ criu-3.14/criu/proc_parse.c
+@@ -1480,7 +1480,7 @@ int parse_timens_offsets(struct timespec *boff, struct timespec *moff)
+ f = fopen_proc(PROC_SELF, "timens_offsets");
+ if (!f) {
+ pr_perror("Unable to open /proc/self/timens_offsets");
+- goto out;
++ return exit_code;
+ }
+ while (fgets(buf, BUF_SIZE, f)) {
+ int64_t sec, nsec;
+
+From 6b44ddf4587ecbda65c15d462a94708ac2f6f602 Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 12:38:55 +0000
+Subject: [PATCH 3/3] clang: Branch condition evaluates to a garbage value
+
+criu-3.14/criu/namespaces.c:692:7: warning: Branch condition evaluates to a garbage value
+
+criu-3.14/criu/namespaces.c:690:3: note: 'supported' declared without an initial value
+ protobuf_c_boolean supported;
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:691:8: note: Calling 'get_ns_id'
+ id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:479:9: note: Calling '__get_ns_id'
+ return __get_ns_id(pid, nd, supported, NULL);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:454:6: note: Assuming 'proc_dir' is < 0
+ if (proc_dir < 0)
+ ^~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:454:2: note: Taking true branch
+ if (proc_dir < 0)
+ ^
+criu-3.14/criu/namespaces.c:455:3: note: Returning without writing to '*supported'
+ return 0;
+ ^
+criu-3.14/criu/namespaces.c:479:9: note: Returning from '__get_ns_id'
+ return __get_ns_id(pid, nd, supported, NULL);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:479:2: note: Returning without writing to '*supported'
+ return __get_ns_id(pid, nd, supported, NULL);
+ ^
+criu-3.14/criu/namespaces.c:691:8: note: Returning from 'get_ns_id'
+ id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:692:7: note: Branch condition evaluates to a garbage value
+ if (!supported || !id) {
+ ^~~~~~~~~~
+690| protobuf_c_boolean supported;
+691| id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+692|-> if (!supported || !id) {
+693| pr_err("Can't make timens id\n");
+694|
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/namespaces.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/namespaces.c b/criu/namespaces.c
+index 89d97c7bce..04f242505d 100644
+--- criu-3.14/criu/namespaces.c
++++ criu-3.14/criu/namespaces.c
+@@ -687,7 +687,7 @@ int dump_task_ns_ids(struct pstree_item *item)
+ }
+ if (ids->has_time_ns_id) {
+ unsigned int id;
+- protobuf_c_boolean supported;
++ protobuf_c_boolean supported = false;
+ id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+ if (!supported || !id) {
+ pr_err("Can't make timens id\n");
diff --git a/SPECS/criu.spec b/SPECS/criu.spec
index 44e484e..75ba0d9 100644
--- a/SPECS/criu.spec
+++ b/SPECS/criu.spec
@@ -1,57 +1,32 @@
-%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
%global py_prefix python3
%global py_binary %{py_prefix}
-%else
-%global py_prefix python
-%global py_binary python2
-%endif
# With annobin enabled, CRIU does not work anymore. It seems CRIU's
# parasite code breaks if annobin is enabled.
%undefine _annotated_build
Name: criu
-Version: 3.12
-Release: 9%{?dist}
+Version: 3.14
+Release: 2%{?dist}
Provides: crtools = %{version}-%{release}
Obsoletes: crtools <= 1.0-2
Summary: Tool for Checkpoint/Restore in User-space
License: GPLv2
URL: http://criu.org/
Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
-
-Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
-Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
-Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
-Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
-
-%if 0%{?rhel} && 0%{?rhel} <= 7
-BuildRequires: perl
-# RHEL has no asciidoc; take man-page from Fedora 26
-# zcat /usr/share/man/man8/criu.8.gz > criu.8
-Source1: criu.8
-Source2: crit.1
-# The patch aio-fix.patch is needed as RHEL7
-# doesn't do "nr_events *= 2" in ioctx_alloc().
-Patch100: aio-fix.patch
-%endif
-
-Source3: criu-tmpfiles.conf
-
+Source1: criu-tmpfiles.conf
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1838991
+# patch: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/1075.patch
+Patch0: criu-1838991.patch
BuildRequires: gcc
BuildRequires: systemd
BuildRequires: libnet-devel
BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
-%if 0%{?fedora} || 0%{?rhel} > 7
BuildRequires: asciidoc xmlto
BuildRequires: perl-interpreter
BuildRequires: libselinux-devel
# Checkpointing containers with a tmpfs requires tar
Recommends: tar
-%if 0%{?fedora}
-BuildRequires: libbsd-devel
-%endif
-%endif
# user-space and kernel changes are only available for x86_64, arm,
# ppc64le, aarch64 and s390x
@@ -63,32 +38,11 @@ criu is the user-space part of Checkpoint/Restore in User-space
(CRIU), a project to implement checkpoint/restore functionality for
Linux in user-space.
-%if 0%{?fedora}
-%package devel
-Summary: Header files and libraries for %{name}
-Requires: %{name} = %{version}-%{release}
-
-%description devel
-This package contains header files and libraries for %{name}.
-
-%package libs
-Summary: Libraries for %{name}
-Requires: %{name} = %{version}-%{release}
-
-%description libs
-This package contains the libraries for %{name}
-%endif
-
%package -n %{py_prefix}-%{name}
%{?python_provide:%python_provide %{py_prefix}-%{name}}
Summary: Python bindings for %{name}
-%if 0%{?rhel} && 0%{?rhel} <= 7
-Requires: protobuf-python
-Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
-%else
Requires: %{py_prefix}-protobuf
Obsoletes: python2-criu < 3.10-1
-%endif
%description -n %{py_prefix}-%{name}
%{py_prefix}-%{name} contains Python bindings for %{name}.
@@ -101,86 +55,59 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release}
crit is a tool designed to decode CRIU binary dump files and show
their content in human-readable form.
-
%prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%patch100 -p1
-%endif
+%autosetup -p1
%build
# %{?_smp_mflags} does not work
# -fstack-protector breaks build
CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
-%if 0%{?fedora} || 0%{?rhel} > 7
make docs V=1
-%endif
-
%install
make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
-%if 0%{?fedora} || 0%{?rhel} > 7
-# only install documentation on Fedora as it requires asciidoc,
-# which is not available on RHEL7
make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
-%else
-install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
-install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
-%endif
-
mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d -m 0755 %{buildroot}/run/%{name}/
-%if 0%{?rhel}
# remove devel and libs packages
rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
rm $RPM_BUILD_ROOT%{_libdir}/*.so*
+rm $RPM_BUILD_ROOT%{_libdir}/*.a
+rm $RPM_BUILD_ROOT%{_mandir}/man1/compel.1*
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
-%endif
%files
%{_sbindir}/%{name}
-%doc %{_mandir}/man8/criu.8*
-%if 0%{?fedora}
-%{_libexecdir}/%{name}
-%endif
+%{_mandir}/man8/criu.8*
%dir /run/%{name}
%{_tmpfilesdir}/%{name}.conf
%doc README.md COPYING
-%if 0%{?fedora}
-%files devel
-%{_includedir}/criu
-%{_libdir}/*.so
-%{_libdir}/pkgconfig/*.pc
-
-%files libs
-%{_libdir}/*.so.*
-%endif
-
%files -n %{py_prefix}-%{name}
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%{python2_sitelib}/pycriu/*
-%{python2_sitelib}/*egg-info
-%else
%{python3_sitelib}/pycriu/*
%{python3_sitelib}/*egg-info
-%endif
%files -n crit
%{_bindir}/crit
%doc %{_mandir}/man1/crit.1*
-
%changelog
+* Mon May 25 2020 Jindrich Novy <jnovy@redhat.com> - 3.14-2
+- fix "Need to fix bugs found by coverity."
+- Resolves: #1838991
+
+* Thu Apr 30 2020 Jindrich Novy <jnovy@redhat.com> - 3.14-1
+- update to https://github.com/checkpoint-restore/criu/releases/tag/v3.14
+- Related: RHELPLAN-39206
+
+* Sat Apr 18 2020 Jindrich Novy <jnovy@redhat.com> - 3.13-1
+- update to 3.13
+- Related: RHELPLAN-39206
+
* Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
- Added additional fixup patches for the socket labelling