diff --git a/.criu.metadata b/.criu.metadata
index f33f9a7..52bb375 100644
--- a/.criu.metadata
+++ b/.criu.metadata
@@ -1 +1 @@
-b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2
+548d575d89e872c153a756c274e438995eb4e823 SOURCES/criu-3.14.tar.bz2
diff --git a/.gitignore b/.gitignore
index d9f1e8d..1c6f0d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/criu-3.12.tar.bz2
+SOURCES/criu-3.14.tar.bz2
diff --git a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
deleted file mode 100644
index 3b2fbd8..0000000
--- a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Fri, 3 May 2019 06:27:51 +0000 -Subject: [PATCH] lsm: fix compiler error 'unused-result' - -Reading out the xattr 'security.selinux' of checkpointed sockets with -fscanf() works (at least in theory) without checking the result of -fscanf(). There are, however, multiple CI failures when ignoring the -return value of fscanf(). - -This adds ferror() to check if the stream has an actual error or if '-1' -just mean EOF. - -Handle all errors of fscanf() // Andrei - -Signed-off-by: Adrian Reber -Signed-off-by: Andrei Vagin ---- - criu/lsm.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index ef6ba112b3..9c9ac7f80e 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name) - return -1; - - if (fscanf(f, "%ms", profile_name) != 1) { -- fclose(f); - pr_perror("err scanfing"); -+ fclose(f); - return -1; - } - -@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output) - static int selinux_get_sockcreate_label(pid_t pid, char **output) - { - FILE *f; -+ int ret; - - f = fopen_proc(pid, "attr/sockcreate"); - if (!f) - return -1; - -- fscanf(f, "%ms", output); -- /* -- * No need to check the result of fscanf(). If there is something -- * in /proc/PID/attr/sockcreate it will be copied to *output. If -- * there is nothing it will stay NULL. So whatever fscanf() does -- * it should be correct. -- */ -- -+ ret = fscanf(f, "%ms", output); -+ if (ret == -1 && errno != 0) { -+ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid); -+ /* -+ * Only if the error indicator is set it is a real error. -+ * -1 could also be EOF, which would mean that sockcreate -+ * was just empty, which is the most common case. -+ */ -+ fclose(f); -+ return -1; -+ } - fclose(f); - return 0; - } 
diff --git a/SOURCES/685.patch b/SOURCES/685.patch
deleted file mode 100644
index 30e1728..0000000
--- a/SOURCES/685.patch
+++ /dev/null
@@ -1,834 +0,0 @@ -From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Thu, 2 May 2019 13:41:46 +0000 -Subject: [PATCH 1/4] lsm: also dump and restore sockcreate - -The file /proc/PID/attr/sockcreate is used by SELinux to label newly -created sockets with the label available at sockcreate. - -If it is NULL, the default label of the process will be used. - -This reads out that file during checkpoint and restores the value during -restore. - -This value is irrelevant for existing sockets as they might have been -created with another context. This is only to make sure that newly -created sockets have the correct context. - -Signed-off-by: Adrian Reber ---- - criu/cr-restore.c | 36 ++++++++++++++++++++++++++++++++++++ - criu/include/restorer.h | 2 ++ - criu/lsm.c | 32 ++++++++++++++++++++++++++++++++ - criu/pie/restorer.c | 15 ++++++++++----- - images/creds.proto | 1 + - 5 files changed, 81 insertions(+), 5 deletions(-) - -diff --git a/criu/cr-restore.c b/criu/cr-restore.c -index 5fd22e9246..f254cbc0eb 100644 ---- a/criu/cr-restore.c -+++ b/criu/cr-restore.c -@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args, - - if (args->lsm_profile) - args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE); -+ if (args->lsm_sockcreate) -+ args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE); - if (args->groups) - args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE); - -@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos) - args->mem_lsm_profile_pos = 0; - } - -+ if (ce->lsm_sockcreate) { -+ char *rendered = NULL; -+ char *profile; -+ -+ profile = ce->lsm_sockcreate; -+ -+ if (validate_lsm(profile) < 0) -+ return ERR_PTR(-EINVAL); -+ -+ if (profile && render_lsm_profile(profile, &rendered)) { -+ return ERR_PTR(-EINVAL); -+ } -+ if (rendered) { -+ size_t lsm_sockcreate_len; -+ char *lsm_sockcreate; -+ -+ 
args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE); -+ lsm_sockcreate_len = strlen(rendered); -+ lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE); -+ if (!lsm_sockcreate) { -+ xfree(rendered); -+ return ERR_PTR(-ENOMEM); -+ } -+ -+ args = rst_mem_remap_ptr(this_pos, RM_PRIVATE); -+ args->lsm_sockcreate = lsm_sockcreate; -+ strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len); -+ xfree(rendered); -+ } -+ } else { -+ args->lsm_sockcreate = NULL; -+ args->mem_lsm_sockcreate_pos = 0; -+ } -+ - /* - * Zap fields which we can't use. - */ -diff --git a/criu/include/restorer.h b/criu/include/restorer.h -index 2884ce9e6d..b83e9130c5 100644 ---- a/criu/include/restorer.h -+++ b/criu/include/restorer.h -@@ -69,8 +69,10 @@ struct thread_creds_args { - unsigned int secbits; - char *lsm_profile; - unsigned int *groups; -+ char *lsm_sockcreate; - - unsigned long mem_lsm_profile_pos; -+ unsigned long mem_lsm_sockcreate_pos; - unsigned long mem_groups_pos; - - unsigned long mem_pos_next; -diff --git a/criu/lsm.c b/criu/lsm.c -index 849ec37cde..b0ef0c396c 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output) - freecon(ctx); - return ret; - } -+ -+/* -+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate -+ * to see if the PID has a special label specified for sockets. -+ * Most of the time this will be empty and the process will use -+ * the process context also for sockets. -+ */ -+static int selinux_get_sockcreate_label(pid_t pid, char **output) -+{ -+ FILE *f; -+ -+ f = fopen_proc(pid, "attr/sockcreate"); -+ if (!f) -+ return -1; -+ -+ fscanf(f, "%ms", output); -+ /* -+ * No need to check the result of fscanf(). If there is something -+ * in /proc/PID/attr/sockcreate it will be copied to *output. If -+ * there is nothing it will stay NULL. So whatever fscanf() does -+ * it should be correct. 
-+ */ -+ -+ fclose(f); -+ return 0; -+} - #endif - - void kerndat_lsm(void) -@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - int ret; - - ce->lsm_profile = NULL; -+ ce->lsm_sockcreate = NULL; - - switch (kdat.lsm) { - case LSMTYPE__NO_LSM: -@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - #ifdef CONFIG_HAS_SELINUX - case LSMTYPE__SELINUX: - ret = selinux_get_label(pid, &ce->lsm_profile); -+ if (ret) -+ break; -+ ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate); - break; - #endif - default: -@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce) - - if (ce->lsm_profile) - pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile); -+ if (ce->lsm_sockcreate) -+ pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate); - - return ret; - } -diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c -index 6e18cc2606..4f42605a09 100644 ---- a/criu/pie/restorer.c -+++ b/criu/pie/restorer.c -@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data) - sys_exit_group(1); - } - --static int lsm_set_label(char *label, int procfd) -+static int lsm_set_label(char *label, char *type, int procfd) - { - int ret = -1, len, lsmfd; - char path[STD_LOG_SIMPLE_CHUNK]; -@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd) - if (!label) - return 0; - -- pr_info("restoring lsm profile %s\n", label); -+ pr_info("restoring lsm profile (%s) %s\n", type, label); - -- std_sprintf(path, "self/task/%ld/attr/current", sys_gettid()); -+ std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type); - - lsmfd = sys_openat(procfd, path, O_WRONLY, 0); - if (lsmfd < 0) { -@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd, - * SELinux and instead the process context is set before the - * threads are created. 
- */ -- if (lsm_set_label(args->lsm_profile, procfd) < 0) -+ if (lsm_set_label(args->lsm_profile, "current", procfd) < 0) - return -1; - } -+ -+ /* Also set the sockcreate label for all threads */ -+ if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0) -+ return -1; -+ - return 0; - } - -@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args) - if (args->lsm_type == LSMTYPE__SELINUX) { - /* Only for SELinux */ - if (lsm_set_label(args->t->creds_args->lsm_profile, -- args->proc_fd) < 0) -+ "current", args->proc_fd) < 0) - goto core_restore_end; - } - -diff --git a/images/creds.proto b/images/creds.proto -index 29fb8652eb..23b84c7e50 100644 ---- a/images/creds.proto -+++ b/images/creds.proto -@@ -20,4 +20,5 @@ message creds_entry { - repeated uint32 groups = 14; - - optional string lsm_profile = 15; -+ optional string lsm_sockcreate = 16; - } - -From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Thu, 2 May 2019 13:47:29 +0000 -Subject: [PATCH 2/4] test: Verify that sockcreate does not change during - restore - -This makes sure that sockcreate stays empty for selinux00 before and -after checkpoint/restore. 
- -Signed-off-by: Adrian Reber ---- - test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c -index dd9096a6fc..db8420eacb 100644 ---- a/test/zdtm/static/selinux00.c -+++ b/test/zdtm/static/selinux00.c -@@ -83,6 +83,31 @@ int checkprofile() - return 0; - } - -+int check_sockcreate() -+{ -+ char *output = NULL; -+ FILE *f = fopen("/proc/self/attr/sockcreate", "r"); -+ int ret = fscanf(f, "%ms", &output); -+ fclose(f); -+ -+ if (ret >= 1) { -+ free(output); -+ /* sockcreate should be empty, if fscanf found something -+ * it is wrong.*/ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ if (output) { -+ free(output); -+ /* Same here, output should still be NULL. */ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - test_init(argc, argv); -@@ -95,12 +120,21 @@ int main(int argc, char **argv) - return 0; - } - -+ if (check_sockcreate()) -+ return -1; -+ - if (setprofile()) - return -1; - -+ if (check_sockcreate()) -+ return -1; -+ - test_daemon(); - test_waitsig(); - -+ if (check_sockcreate()) -+ return -1; -+ - if (checkprofile() == 0) - pass(); - - -From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Mon, 29 Apr 2019 15:21:59 +0200 -Subject: [PATCH 3/4] sockets: dump and restore xattr security labels - -Restoring a SELinux process also requires to correctly label sockets. - -During checkpointing fgetxattr() is used to retrieve the -"security.selinux" xattr and during restore setsockcreatecon() is used -before a socket is created. - -Previous commits are already restoring the sockcreate SELinux setting if -set by the process. 
- -Signed-off-by: Adrian Reber ---- - criu/include/lsm.h | 18 +++++++++++++++ - criu/lsm.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ - criu/sk-inet.c | 12 ++++++++++ - criu/sockets.c | 4 ++++ - images/fdinfo.proto | 1 + - 5 files changed, 91 insertions(+) - -diff --git a/criu/include/lsm.h b/criu/include/lsm.h -index b4fce13039..3b82712829 100644 ---- a/criu/include/lsm.h -+++ b/criu/include/lsm.h -@@ -3,6 +3,7 @@ - - #include "images/inventory.pb-c.h" - #include "images/creds.pb-c.h" -+#include "images/fdinfo.pb-c.h" - - #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor" - -@@ -34,4 +35,21 @@ int validate_lsm(char *profile); - int render_lsm_profile(char *profile, char **val); - - extern int lsm_check_opts(void); -+ -+#ifdef CONFIG_HAS_SELINUX -+int dump_xattr_security_selinux(int fd, FdinfoEntry *e); -+int run_setsockcreatecon(FdinfoEntry *e); -+int reset_setsockcreatecon(); -+#else -+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) { -+ return 0; -+} -+static inline int run_setsockcreatecon(FdinfoEntry *e) { -+ return 0; -+} -+static inline int reset_setsockcreatecon() { -+ return 0; -+} -+#endif -+ - #endif /* __CR_LSM_H__ */ -diff --git a/criu/lsm.c b/criu/lsm.c -index b0ef0c396c..ef6ba112b3 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -3,6 +3,7 @@ - #include - #include - #include -+#include - #include - - #include "common/config.h" -@@ -11,10 +12,12 @@ - #include "util.h" - #include "cr_options.h" - #include "lsm.h" -+#include "fdstore.h" - - #include "protobuf.h" - #include "images/inventory.pb-c.h" - #include "images/creds.pb-c.h" -+#include "images/fdinfo.pb-c.h" - - #ifdef CONFIG_HAS_SELINUX - #include -@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output) - fclose(f); - return 0; - } -+ -+int reset_setsockcreatecon() -+{ -+ return setsockcreatecon_raw(NULL); -+} -+ -+int run_setsockcreatecon(FdinfoEntry *e) -+{ -+ char *ctx = NULL; -+ -+ /* Currently this only works for SELinux. 
*/ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ ctx = e->xattr_security_selinux; -+ /* Writing to the FD using fsetxattr() did not work for some reason. */ -+ return setsockcreatecon_raw(ctx); -+} -+ -+int dump_xattr_security_selinux(int fd, FdinfoEntry *e) -+{ -+ char *ctx = NULL; -+ int len; -+ int ret; -+ -+ /* Currently this only works for SELinux. */ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ /* Get the size of the xattr. */ -+ len = fgetxattr(fd, "security.selinux", ctx, 0); -+ if (len == -1) { -+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ return -1; -+ } -+ -+ ctx = xmalloc(len); -+ if (!ctx) { -+ pr_err("xmalloc to read xattr for FD %d failed\n", fd); -+ return -1; -+ } -+ -+ ret = fgetxattr(fd, "security.selinux", ctx, len); -+ if (len != ret) { -+ pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ return -1; -+ } -+ -+ e->xattr_security_selinux = ctx; -+ -+ return 0; -+} -+ - #endif - - void kerndat_lsm(void) -diff --git a/criu/sk-inet.c b/criu/sk-inet.c -index 60ee4c3155..ca5c9bf2cd 100644 ---- a/criu/sk-inet.c -+++ b/criu/sk-inet.c -@@ -23,6 +23,9 @@ - #include "files.h" - #include "image.h" - #include "log.h" -+#include "lsm.h" -+#include "kerndat.h" -+#include "pstree.h" - #include "rst-malloc.h" - #include "sockets.h" - #include "sk-inet.h" -@@ -30,6 +33,8 @@ - #include "util.h" - #include "namespaces.h" - -+#include "images/inventory.pb-c.h" -+ - #undef LOG_PREFIX - #define LOG_PREFIX "inet: " - -@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd) - if (set_netns(ie->ns_id)) - return -1; - -+ if (run_setsockcreatecon(fle->fe)) -+ return -1; -+ - sk = socket(ie->family, ie->type, ie->proto); - if (sk < 0) { - pr_perror("Can't create inet socket"); - return -1; - } - -+ if (reset_setsockcreatecon()) -+ return -1; -+ - if (ie->v6only) { - if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1) - goto err; -@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int 
*new_fd) - } - - *new_fd = sk; -+ - return 1; - err: - close(sk); -diff --git a/criu/sockets.c b/criu/sockets.c -index 30072ac737..7f7453ca1d 100644 ---- a/criu/sockets.c -+++ b/criu/sockets.c -@@ -22,6 +22,7 @@ - #include "util-pie.h" - #include "sk-packet.h" - #include "namespaces.h" -+#include "lsm.h" - #include "net.h" - #include "xmalloc.h" - #include "fs-magic.h" -@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e) - int family; - const struct fdtype_ops *ops; - -+ if (dump_xattr_security_selinux(lfd, e)) -+ return -1; -+ - if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family)) - return -1; - -diff --git a/images/fdinfo.proto b/images/fdinfo.proto -index ed82ceffe7..77e375aa94 100644 ---- a/images/fdinfo.proto -+++ b/images/fdinfo.proto -@@ -47,6 +47,7 @@ message fdinfo_entry { - required uint32 flags = 2; - required fd_types type = 3; - required uint32 fd = 4; -+ optional string xattr_security_selinux = 5; - } - - message file_entry { - -From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Tue, 30 Apr 2019 09:47:32 +0000 -Subject: [PATCH 4/4] selinux: add socket label test - -This adds two more SELinux test to verfy that checkpointing and -restoring SELinux socket labels works correctly, if the process uses -setsockcreatecon() or if the process leaves the default context for -newly created sockets. 
- -Signed-off-by: Adrian Reber ---- - test/zdtm/static/Makefile | 3 + - test/zdtm/static/selinux01.c | 200 +++++++++++++++++++++++++++ - test/zdtm/static/selinux01.checkskip | 1 + - test/zdtm/static/selinux01.desc | 1 + - test/zdtm/static/selinux01.hook | 1 + - test/zdtm/static/selinux02.c | 1 + - test/zdtm/static/selinux02.checkskip | 1 + - test/zdtm/static/selinux02.desc | 1 + - test/zdtm/static/selinux02.hook | 1 + - 9 files changed, 210 insertions(+) - create mode 100644 test/zdtm/static/selinux01.c - create mode 120000 test/zdtm/static/selinux01.checkskip - create mode 120000 test/zdtm/static/selinux01.desc - create mode 120000 test/zdtm/static/selinux01.hook - create mode 120000 test/zdtm/static/selinux02.c - create mode 120000 test/zdtm/static/selinux02.checkskip - create mode 120000 test/zdtm/static/selinux02.desc - create mode 120000 test/zdtm/static/selinux02.hook - -diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile -index 8e3f39276a..1ffaa90394 100644 ---- a/test/zdtm/static/Makefile -+++ b/test/zdtm/static/Makefile -@@ -211,6 +211,8 @@ TST_NOFILE := \ - thp_disable \ - pid_file \ - selinux00 \ -+ selinux01 \ -+ selinux02 \ - # jobctl00 \ - - ifneq ($(SRCARCH),arm) -@@ -513,6 +515,7 @@ unlink_fstat041: CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04 - ghost_holes01: CFLAGS += -DTAIL_HOLE - ghost_holes02: CFLAGS += -DHEAD_HOLE - sk-freebind-false: CFLAGS += -DZDTM_FREEBIND_FALSE -+selinux02: CFLAGS += -DUSING_SOCKCREATE - stopped01: CFLAGS += -DZDTM_STOPPED_KILL - stopped02: CFLAGS += -DZDTM_STOPPED_TKILL - stopped12: CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL -diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c -new file mode 100644 -index 0000000000..9966455c47 ---- /dev/null -+++ b/test/zdtm/static/selinux01.c -@@ -0,0 +1,200 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "zdtmtst.h" -+ -+/* Enabling the right 
policy happens in selinux00.hook and selinx00.checkskip */ -+ -+const char *test_doc = "Check that a SELinux socket context is restored"; -+const char *test_author = "Adrian Reber "; -+ -+/* This is all based on Tycho's apparmor code */ -+ -+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0" -+ -+/* -+ * This is used to store the state of SELinux. For this test -+ * SELinux is switched to permissive mode and later the previous -+ * SELinux state is restored. -+ */ -+char state; -+ -+int check_for_selinux() -+{ -+ if (access("/sys/fs/selinux", F_OK) == 0) -+ return 0; -+ return 1; -+} -+ -+int setprofile() -+{ -+ int fd, len; -+ -+ fd = open("/proc/self/attr/current", O_WRONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/current\n"); -+ return -1; -+ } -+ -+ len = write(fd, CONTEXT, strlen(CONTEXT)); -+ close(fd); -+ -+ if (len < 0) { -+ fail("Could not write context\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int set_sockcreate() -+{ -+ int fd, len; -+ -+ fd = open("/proc/self/attr/sockcreate", O_WRONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/sockcreate\n"); -+ return -1; -+ } -+ -+ len = write(fd, CONTEXT, strlen(CONTEXT)); -+ close(fd); -+ -+ if (len < 0) { -+ fail("Could not write context\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int check_sockcreate() -+{ -+ int fd; -+ char context[1024]; -+ int len; -+ -+ -+ fd = open("/proc/self/attr/sockcreate", O_RDONLY); -+ if (fd < 0) { -+ fail("Could not open /proc/self/attr/sockcreate\n"); -+ return -1; -+ } -+ -+ len = read(fd, context, strlen(CONTEXT)); -+ close(fd); -+ if (len != strlen(CONTEXT)) { -+ fail("SELinux context has unexpected length %d, expected %zd\n", -+ len, strlen(CONTEXT)); -+ return -1; -+ } -+ -+ if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", context, CONTEXT); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int check_sockcreate_empty() -+{ -+ char *output = NULL; -+ FILE *f = 
fopen("/proc/self/attr/sockcreate", "r"); -+ int ret = fscanf(f, "%ms", &output); -+ fclose(f); -+ -+ if (ret >= 1) { -+ free(output); -+ /* sockcreate should be empty, if fscanf found something -+ * it is wrong.*/ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ if (output) { -+ free(output); -+ /* Same here, output should still be NULL. */ -+ fail("sockcreate should be empty\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int main(int argc, char **argv) -+{ -+ char ctx[1024]; -+ test_init(argc, argv); -+ -+ if (check_for_selinux()) { -+ skip("SELinux not found on this system."); -+ test_daemon(); -+ test_waitsig(); -+ pass(); -+ return 0; -+ } -+ -+#ifdef USING_SOCKCREATE -+ if (set_sockcreate()) -+ return -1; -+#else -+ if (check_sockcreate_empty()) -+ return -1; -+ -+ if (setprofile()) -+ return -1; -+ -+ if (check_sockcreate_empty()) -+ return -1; -+#endif -+ -+ /* Open our test socket */ -+ int sk = socket(AF_INET, SOCK_STREAM, 0); -+ memset(ctx, 0, 1024); -+ /* Read out the socket label */ -+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { -+ fail("Reading xattr 'security.selinux' failed.\n"); -+ return -1; -+ } -+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); -+ return -1; -+ } -+ memset(ctx, 0, 1024); -+ -+ test_daemon(); -+ test_waitsig(); -+ -+ /* Read out the socket label again */ -+ -+ if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) { -+ fail("Reading xattr 'security.selinux' failed.\n"); -+ return -1; -+ } -+ if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) { -+ fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT); -+ return -1; -+ } -+ -+#ifdef USING_SOCKCREATE -+ if (check_sockcreate()) -+ return -1; -+#else -+ if (check_sockcreate_empty()) -+ return -1; -+#endif -+ -+ pass(); -+ -+ return 0; -+} -diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip -new file mode 120000 -index 0000000000..e8a172479e 
---- /dev/null -+++ b/test/zdtm/static/selinux01.checkskip -@@ -0,0 +1 @@ -+selinux00.checkskip -\ No newline at end of file -diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc -new file mode 120000 -index 0000000000..2d2961a764 ---- /dev/null -+++ b/test/zdtm/static/selinux01.desc -@@ -0,0 +1 @@ -+selinux00.desc -\ No newline at end of file -diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook -new file mode 120000 -index 0000000000..dd7ed6bb33 ---- /dev/null -+++ b/test/zdtm/static/selinux01.hook -@@ -0,0 +1 @@ -+selinux00.hook -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c -new file mode 120000 -index 0000000000..5702677858 ---- /dev/null -+++ b/test/zdtm/static/selinux02.c -@@ -0,0 +1 @@ -+selinux01.c -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip -new file mode 120000 -index 0000000000..2696e6e3de ---- /dev/null -+++ b/test/zdtm/static/selinux02.checkskip -@@ -0,0 +1 @@ -+selinux01.checkskip -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc -new file mode 120000 -index 0000000000..9c6802c4da ---- /dev/null -+++ b/test/zdtm/static/selinux02.desc -@@ -0,0 +1 @@ -+selinux01.desc -\ No newline at end of file -diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook -new file mode 120000 -index 0000000000..e3ea0a6c80 ---- /dev/null -+++ b/test/zdtm/static/selinux02.hook -@@ -0,0 +1 @@ -+selinux01.hook -\ No newline at end of file diff --git a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch deleted file mode 100644 index 09446a6..0000000 --- a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001 -From: Andrei Vagin -Date: Sat, 4 May 2019 20:01:52 -0700 -Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled - -Fixes #693 ---- - criu/lsm.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index 9c9ac7f80e..5921138392 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output) - - int reset_setsockcreatecon() - { -- return setsockcreatecon_raw(NULL); -+ /* Currently this only works for SELinux. */ -+ if (kdat.lsm != LSMTYPE__SELINUX) -+ return 0; -+ -+ if (setsockcreatecon_raw(NULL)) { -+ pr_perror("Unable to reset socket SELinux context"); -+ return -1; -+ } -+ return 0; - } - - int run_setsockcreatecon(FdinfoEntry *e) -@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e) - - ctx = e->xattr_security_selinux; - /* Writing to the FD using fsetxattr() did not work for some reason. */ -- return setsockcreatecon_raw(ctx); -+ if (setsockcreatecon_raw(ctx)) { -+ pr_perror("Unable to set the %s socket SELinux context", ctx); -+ return -1; -+ } -+ return 0; - } - - int dump_xattr_security_selinux(int fd, FdinfoEntry *e) diff --git a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch deleted file mode 100644 index ec0cf00..0000000 --- a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001 -From: Adrian Reber -Date: Sat, 4 May 2019 15:27:32 +0200 -Subject: [PATCH] lsm: fix compiler error on Fedora 30 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes following compiler error: - -criu/lsm.c: In function ‘dump_xattr_security_selinux’: -criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=] - 51 | print_on_level(LOG_ERROR, \ - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 52 | "Error (%s:%d): " LOG_PREFIX fmt, \ - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 53 | __FILE__, __LINE__, ##__VA_ARGS__) - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’ - 166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); - | ^~~~~~ - -Signed-off-by: Adrian Reber ---- - criu/lsm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/criu/lsm.c b/criu/lsm.c -index 5921138392..420585ba4f 100644 ---- a/criu/lsm.c -+++ b/criu/lsm.c -@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e) - /* Get the size of the xattr. */ - len = fgetxattr(fd, "security.selinux", ctx, 0); - if (len == -1) { -- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd); -+ pr_err("Reading xattr security.selinux from FD %d failed\n", fd); - return -1; - } - diff --git a/SOURCES/criu-1838991.patch b/SOURCES/criu-1838991.patch new file mode 100644 index 0000000..f8c2a03 --- /dev/null +++ b/SOURCES/criu-1838991.patch 
@@ -0,0 +1,121 @@ +From ce733f4be5791911c009c57e803f3a08d3270a0c Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Wed, 20 May 2020 11:57:22 +0000 +Subject: [PATCH 1/3] coverity: fix RESOURCE_LEAK criu/timens.c: 67 + + 7. criu-3.14/criu/timens.c:67: leaked_storage: Variable "img" going out of scope leaks the storage it points to. + 65| if (id == 0 && empty_image(img)) { + 66| pr_warn("Clocks values have not been dumped\n"); + 67|-> return 0; + 68| } + +Signed-off-by: Adrian Reber +--- + criu/timens.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/criu/timens.c b/criu/timens.c +index 2a7e952845..f81808abf8 100644 +--- criu-3.14/criu/timens.c ++++ criu-3.14/criu/timens.c +@@ -64,6 +64,7 @@ int prepare_timens(int id) + + if (id == 0 && empty_image(img)) { + pr_warn("Clocks values have not been dumped\n"); ++ close_image(img); + return 0; + } + + +From e7e4e46cfebd69efe8681395380528826df0d529 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Wed, 20 May 2020 12:19:36 +0000 +Subject: [PATCH 2/3] coverity: fix FORWARD_NULL in criu/proc_parse.c: 1481 + +8. criu-3.14/criu/proc_parse.c:1511: var_deref_model: Passing null pointer "f" to "fclose", which dereferences it. 
+ 1509| exit_code = 0; + 1510| out: + 1511|-> fclose(f); + 1512| return exit_code; + 1513| } + +Signed-off-by: Adrian Reber +--- + criu/proc_parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/criu/proc_parse.c b/criu/proc_parse.c +index 4a22700aa3..d1ccd9281b 100644 +--- criu-3.14/criu/proc_parse.c ++++ criu-3.14/criu/proc_parse.c +@@ -1480,7 +1480,7 @@ int parse_timens_offsets(struct timespec *boff, struct timespec *moff) + f = fopen_proc(PROC_SELF, "timens_offsets"); + if (!f) { + pr_perror("Unable to open /proc/self/timens_offsets"); +- goto out; ++ return exit_code; + } + while (fgets(buf, BUF_SIZE, f)) { + int64_t sec, nsec; + +From 6b44ddf4587ecbda65c15d462a94708ac2f6f602 Mon Sep 17 00:00:00 2001 +From: Adrian Reber +Date: Wed, 20 May 2020 12:38:55 +0000 +Subject: [PATCH 3/3] clang: Branch condition evaluates to a garbage value + +criu-3.14/criu/namespaces.c:692:7: warning: Branch condition evaluates to a garbage value + +criu-3.14/criu/namespaces.c:690:3: note: 'supported' declared without an initial value + protobuf_c_boolean supported; + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:691:8: note: Calling 'get_ns_id' + id = get_ns_id(pid, &time_for_children_ns_desc, &supported); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:479:9: note: Calling '__get_ns_id' + return __get_ns_id(pid, nd, supported, NULL); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:454:6: note: Assuming 'proc_dir' is < 0 + if (proc_dir < 0) + ^~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:454:2: note: Taking true branch + if (proc_dir < 0) + ^ +criu-3.14/criu/namespaces.c:455:3: note: Returning without writing to '*supported' + return 0; + ^ +criu-3.14/criu/namespaces.c:479:9: note: Returning from '__get_ns_id' + return __get_ns_id(pid, nd, supported, NULL); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:479:2: note: Returning without writing to '*supported' + return 
__get_ns_id(pid, nd, supported, NULL); + ^ +criu-3.14/criu/namespaces.c:691:8: note: Returning from 'get_ns_id' + id = get_ns_id(pid, &time_for_children_ns_desc, &supported); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +criu-3.14/criu/namespaces.c:692:7: note: Branch condition evaluates to a garbage value + if (!supported || !id) { + ^~~~~~~~~~ +690| protobuf_c_boolean supported; +691| id = get_ns_id(pid, &time_for_children_ns_desc, &supported); +692|-> if (!supported || !id) { +693| pr_err("Can't make timens id\n"); +694| + +Signed-off-by: Adrian Reber +--- + criu/namespaces.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/criu/namespaces.c b/criu/namespaces.c +index 89d97c7bce..04f242505d 100644 +--- criu-3.14/criu/namespaces.c ++++ criu-3.14/criu/namespaces.c +@@ -687,7 +687,7 @@ int dump_task_ns_ids(struct pstree_item *item) + } + if (ids->has_time_ns_id) { + unsigned int id; +- protobuf_c_boolean supported; ++ protobuf_c_boolean supported = false; + id = get_ns_id(pid, &time_for_children_ns_desc, &supported); + if (!supported || !id) { + pr_err("Can't make timens id\n"); diff --git a/SPECS/criu.spec b/SPECS/criu.spec index 44e484e..75ba0d9 100644 --- a/SPECS/criu.spec +++ b/SPECS/criu.spec 
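Review bot: In patch 3/3 of the added criu-1838991.patch, initialising `supported` to `false` in dump_task_ns_ids() fixes only this one call site; the clang trace quoted in that patch's own commit message shows the cause is `__get_ns_id()` returning 0 at namespaces.c:455 without writing `*supported`. Any other caller of get_ns_id() that passes an uninitialised flag would presumably still branch on an indeterminate value, so those callers should be checked, or the out-parameter set on the early-return path, e.g. `if (proc_dir < 0) { *supported = false; return 0; }` (with a NULL guard if callers may pass NULL, which is not visible here). Both dump_task_ns_ids() and __get_ns_id() extend beyond what the patch context shows.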
@@ -1,57 +1,32 @@ -%if 0%{?fedora} >= 27 || 0%{?rhel} > 7 %global py_prefix python3 %global py_binary %{py_prefix} -%else -%global py_prefix python -%global py_binary python2 -%endif # With annobin enabled, CRIU does not work anymore. It seems CRIU's # parasite code breaks if annobin is enabled. %undefine _annotated_build Name: criu -Version: 3.12 -Release: 9%{?dist} +Version: 3.14 +Release: 2%{?dist} Provides: crtools = %{version}-%{release} Obsoletes: crtools <= 1.0-2 Summary: Tool for Checkpoint/Restore in User-space License: GPLv2 URL: http://criu.org/ Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2 - -Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch -Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch -Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch -Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch - -%if 0%{?rhel} && 0%{?rhel} <= 7 -BuildRequires: perl -# RHEL has no asciidoc; take man-page from Fedora 26 -# zcat /usr/share/man/man8/criu.8.gz > criu.8 -Source1: criu.8 -Source2: crit.1 -# The patch aio-fix.patch is needed as RHEL7 -# doesn't do "nr_events *= 2" in ioctx_alloc(). 
-Patch100: aio-fix.patch -%endif - -Source3: criu-tmpfiles.conf - +Source1: criu-tmpfiles.conf +# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1838991 +# patch: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/1075.patch +Patch0: criu-1838991.patch BuildRequires: gcc BuildRequires: systemd BuildRequires: libnet-devel BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel -%if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: asciidoc xmlto BuildRequires: perl-interpreter BuildRequires: libselinux-devel # Checkpointing containers with a tmpfs requires tar Recommends: tar -%if 0%{?fedora} -BuildRequires: libbsd-devel -%endif -%endif # user-space and kernel changes are only available for x86_64, arm, # ppc64le, aarch64 and s390x @@ -63,32 +38,11 @@ criu is the user-space part of Checkpoint/Restore in User-space (CRIU), a project to implement checkpoint/restore functionality for Linux in user-space. -%if 0%{?fedora} -%package devel -Summary: Header files and libraries for %{name} -Requires: %{name} = %{version}-%{release} - -%description devel -This package contains header files and libraries for %{name}. - -%package libs -Summary: Libraries for %{name} -Requires: %{name} = %{version}-%{release} - -%description libs -This package contains the libraries for %{name} -%endif - %package -n %{py_prefix}-%{name} %{?python_provide:%python_provide %{py_prefix}-%{name}} Summary: Python bindings for %{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: protobuf-python -Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr -%else Requires: %{py_prefix}-protobuf Obsoletes: python2-criu < 3.10-1 -%endif %description -n %{py_prefix}-%{name} %{py_prefix}-%{name} contains Python bindings for %{name}. 
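Review bot: The comment above `Patch0: criu-1838991.patch` in the first criu.spec hunk gives only a pull-request patch URL as the origin, and that does not pin what was imported, since the URL serves whatever the PR branch holds at fetch time. The vendored file also looks locally edited (its `---`/`+++` lines read `criu-3.14/criu/...` while the `diff --git` lines keep `a/` and `b/`), so it cannot be compared byte-for-byte with upstream anyway. Listing the upstream commit ids from the patch's `From <sha>` lines would make the backport auditable, e.g. `# upstream commits: <commit-id-1> <commit-id-2> 6b44ddf4587ecbda65c15d462a94708ac2f6f602`, where the first two are placeholders to be filled from the patch file.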
@@ -101,86 +55,59 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release} crit is a tool designed to decode CRIU binary dump files and show their content in human-readable form. - %prep -%setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 - -%if 0%{?rhel} && 0%{?rhel} <= 7 -%patch100 -p1 -%endif +%autosetup -p1 %build # %{?_smp_mflags} does not work # -fstack-protector breaks build CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary} -%if 0%{?fedora} || 0%{?rhel} > 7 make docs V=1 -%endif - %install make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary} -%if 0%{?fedora} || 0%{?rhel} > 7 -# only install documentation on Fedora as it requires asciidoc, -# which is not available on RHEL7 make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} -%else -install -p -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8 -install -p -m 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1 -%endif - mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -d -m 0755 %{buildroot}/run/%{name}/ -%if 0%{?rhel} # remove devel and libs packages rm -rf $RPM_BUILD_ROOT%{_includedir}/criu rm $RPM_BUILD_ROOT%{_libdir}/*.so* +rm $RPM_BUILD_ROOT%{_libdir}/*.a +rm $RPM_BUILD_ROOT%{_mandir}/man1/compel.1* rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} -%endif %files %{_sbindir}/%{name} -%doc %{_mandir}/man8/criu.8* -%if 0%{?fedora} -%{_libexecdir}/%{name} -%endif +%{_mandir}/man8/criu.8* %dir /run/%{name} %{_tmpfilesdir}/%{name}.conf %doc README.md COPYING -%if 0%{?fedora} -%files devel -%{_includedir}/criu -%{_libdir}/*.so -%{_libdir}/pkgconfig/*.pc - -%files libs -%{_libdir}/*.so.* 
-%endif - %files -n %{py_prefix}-%{name} -%if 0%{?rhel} && 0%{?rhel} <= 7 -%{python2_sitelib}/pycriu/* -%{python2_sitelib}/*egg-info -%else %{python3_sitelib}/pycriu/* %{python3_sitelib}/*egg-info -%endif %files -n crit %{_bindir}/crit %doc %{_mandir}/man1/crit.1* - %changelog +* Mon May 25 2020 Jindrich Novy - 3.14-2 +- fix "Need to fix bugs found by coverity." +- Resolves: #1838991 + +* Thu Apr 30 2020 Jindrich Novy - 3.14-1 +- update to https://github.com/checkpoint-restore/criu/releases/tag/v3.14 +- Related: RHELPLAN-39206 + +* Sat Apr 18 2020 Jindrich Novy - 3.13-1 +- update to 3.13 +- Related: RHELPLAN-39206 + * Mon May 13 2019 Adrian Reber - 3.12-9 - Added additional fixup patches for the socket labelling