diff --git a/SOURCES/redhat-bugzilla-1981886-pmdasockets-backporting.patch b/SOURCES/redhat-bugzilla-1981886-pmdasockets-backporting.patch
new file mode 100644
index 0000000..bdcc5d4
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-1981886-pmdasockets-backporting.patch
@@ -0,0 +1,459 @@ +diff --git a/qa/1927 b/qa/1927 +new file mode 100755 +index 000000000..46afa9509 +--- /dev/null ++++ b/qa/1927 +@@ -0,0 +1,88 @@ ++#!/bin/sh ++# PCP QA Test No. 1927 ++# Exercise the sockets PMDA Install/Remove and string metric bug. ++# ++# Copyright (c) 2022 Red Hat. All Rights Reserved. ++# ++ ++seq=`basename $0` ++echo "QA output created by $seq" ++ ++# get standard environment, filters and checks ++. ./common.product ++. ./common.filter ++. ./common.check ++ ++[ -f $PCP_PMDAS_DIR/sockets/pmdasockets ] || _notrun "sockets pmda not installed" ++ ++_cleanup() ++{ ++ cd $here ++ $sudo rm -rf $tmp $tmp.* ++} ++ ++status=0 # success is the default! ++$sudo rm -rf $tmp $tmp.* $seq.full ++ ++_filter_sockets() ++{ ++ grep -v 'No value(s) available' ++} ++ ++pmdasockets_remove() ++{ ++ echo ++ echo "=== remove sockets agent ===" ++ $sudo ./Remove >$tmp.out 2>&1 ++ _filter_pmda_remove <$tmp.out ++} ++ ++pmdasockets_install() ++{ ++ # start from known starting points ++ cd $PCP_PMDAS_DIR/sockets ++ $sudo ./Remove >/dev/null 2>&1 ++ ++ echo ++ echo "=== sockets agent installation ===" ++ $sudo ./Install $tmp.out 2>&1 ++ cat $tmp.out >>$here/$seq.full ++ # Check sockets metrics have appeared ... X metrics and Y values ++ _filter_pmda_install <$tmp.out \ ++ | sed \ ++ -e 's/[0-9][0-9]* warnings, //' \ ++ | $PCP_AWK_PROG ' ++/Check network.persocket metrics have appeared/ { ++ if ($7 >= 50 && $7 <= 99) $7 = "X" ++ if ($10 >= 0) $10 = "Y" ++ } ++ { print }' ++} ++ ++_prepare_pmda sockets ++# note: _restore_auto_restart pmcd done in _cleanup_pmda() ++trap "_cleanup_pmda sockets; exit \$status" 0 1 2 3 15 ++ ++_stop_auto_restart pmcd ++ ++# real QA test starts here ++pmdasockets_install ++ ++# pmcd should have been started by the Install process - check ++if pminfo -v network.persocket > $tmp.info 2> $tmp.err ++then ++ : ++else ++ echo "... failed! ... here is the Install log ..." 
++ cat $tmp.out ++fi ++cat $tmp.info $tmp.err | _filter_sockets ++ ++echo "Check the values for v6only metric are 0 or 1 ..." ++pminfo -f network.persocket.v6only | egrep -v 'value [01]$' | sed -e '/^$/d' ++ ++pmdasockets_remove ++status=0 ++ ++# success, all done ++exit +diff --git a/qa/1927.out b/qa/1927.out +new file mode 100644 +index 000000000..2ae4385fd +--- /dev/null ++++ b/qa/1927.out +@@ -0,0 +1,17 @@ ++QA output created by 1927 ++ ++=== sockets agent installation === ++Updating the Performance Metrics Name Space (PMNS) ... ++Terminate PMDA if already installed ... ++[...install files, make output...] ++Updating the PMCD control file, and notifying PMCD ... ++Check network.persocket metrics have appeared ... X metrics and Y values ++Check the values for v6only metric are 0 or 1 ... ++network.persocket.v6only ++ ++=== remove sockets agent === ++Culling the Performance Metrics Name Space ... ++network.persocket ... done ++Updating the PMCD control file, and notifying PMCD ... ++[...removing files...] ++Check network.persocket metrics have gone away ... OK +diff --git a/qa/group b/qa/group +index acfc5d208..846c0c4bd 100644 +--- a/qa/group ++++ b/qa/group +@@ -1967,6 +1967,7 @@ x11 + 1901 pmlogger local + 1902 help local + 1914 atop local ++1927 pmda.sockets local + 1937 pmlogrewrite pmda.xfs local + 1955 libpcp pmda pmda.pmcd local + 1956 pmda.linux pmcd local +diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c +index d10eacf29..5a3018d8a 100644 +--- a/src/pmdas/linux_sockets/pmda.c ++++ b/src/pmdas/linux_sockets/pmda.c +@@ -1,7 +1,7 @@ + /* + * Sockets PMDA + * +- * Copyright (c) 2021 Red Hat. ++ * Copyright (c) 2021-2022 Red Hat. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -14,6 +14,7 @@ + * for more details. 
+ */ + ++#include + #include "pmapi.h" + #include "pmda.h" + +@@ -147,6 +148,31 @@ sockets_fetchCallBack(pmdaMetric *metric, unsigned int inst, pmAtomValue *atom) + return PMDA_FETCH_STATIC; + } + ++/* ++ * Restrict the allowed filter strings to only limited special ++ * characters (open and close brackets - everthing else can be ++ * done with alphanumerics) to limit any attack surface here. ++ * The ss filtering language is more complex than we ever want ++ * to be attempting to parse ourself, so we leave that side of ++ * things to the ss command itself. ++ */ ++int ++sockets_check_filter(const char *string) ++{ ++ const char *p; ++ ++ for (p = string; *p; p++) { ++ if (isspace(*p)) ++ continue; ++ if (isalnum(*p)) ++ continue; ++ if (*p == '(' || *p == ')') ++ continue; ++ return 0; /* disallow */ ++ } ++ return 1; ++} ++ + static int + sockets_store(pmResult *result, pmdaExt *pmda) + { +@@ -165,9 +191,14 @@ sockets_store(pmResult *result, pmdaExt *pmda) + case 0: /* network.persocket.filter */ + if ((sts = pmExtractValue(vsp->valfmt, &vsp->vlist[0], + PM_TYPE_STRING, &av, PM_TYPE_STRING)) >= 0) { ++ if (sockets_check_filter(av.cp)) { ++ sts = PM_ERR_BADSTORE; ++ free(av.cp); ++ break; ++ } + if (ss_filter) + free(ss_filter); +- ss_filter = av.cp; /* TODO filter syntax check */ ++ ss_filter = av.cp; + } + break; + default: +diff --git a/src/pmdas/linux_sockets/ss_parse.c b/src/pmdas/linux_sockets/ss_parse.c +index 94c5e16e9..9f3afc691 100644 +--- a/src/pmdas/linux_sockets/ss_parse.c ++++ b/src/pmdas/linux_sockets/ss_parse.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021 Red Hat. ++ * Copyright (c) 2021-2022 Red Hat. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -21,65 +21,70 @@ static ss_stats_t ss_p; + /* boolean value with no separate value, default 0 */ + #define PM_TYPE_BOOL (PM_TYPE_UNKNOWN-1) + ++/* helper macros to extract field address and size */ ++#define SSFIELD(str,type,f) {(str), (sizeof(str)-1), type, (&(f)), (sizeof(f))} ++#define SSNULLFIELD(str) {(str), (sizeof(str)-1), PM_TYPE_UNKNOWN, NULL} ++ + static struct { + char *field; + int len; + int type; + void *addr; ++ int size; + int found; + } parse_table[] = { +- { "timer:", 6, PM_TYPE_STRING, &ss_p.timer_str }, +- { "uid:", 4, PM_TYPE_U32, &ss_p.uid }, +- { "ino:", 4, PM_TYPE_64, &ss_p.inode }, +- { "sk:", 3, PM_TYPE_U64, &ss_p.sk }, +- { "cgroup:", 7, PM_TYPE_STRING, &ss_p.cgroup }, +- { "v6only:", 7, PM_TYPE_32, &ss_p.v6only }, +- { "--- ", 4, PM_TYPE_UNKNOWN, NULL }, +- { "<-> ", 4, PM_TYPE_UNKNOWN, NULL }, +- { "--> ", 4, PM_TYPE_UNKNOWN, NULL }, +- { "skmem:", 6, PM_TYPE_STRING, &ss_p.skmem_str, }, +- { "ts ", 3, PM_TYPE_BOOL, &ss_p.ts }, +- { "sack ", 5, PM_TYPE_BOOL, &ss_p.sack }, +- { "cubic ", 6, PM_TYPE_BOOL, &ss_p.cubic }, +- { "wscale:", 7, PM_TYPE_STRING, &ss_p.wscale_str }, +- { "rto:", 4, PM_TYPE_DOUBLE, &ss_p.rto }, +- { "rtt:", 4, PM_TYPE_STRING, &ss_p.round_trip_str }, +- { "ato:", 4, PM_TYPE_DOUBLE, &ss_p.ato }, +- { "backoff:", 8, PM_TYPE_32, &ss_p.backoff }, +- { "mss:", 4, PM_TYPE_U32, &ss_p.mss }, +- { "pmtu:", 5, PM_TYPE_U32, &ss_p.pmtu }, +- { "rcvmss:", 7, PM_TYPE_U32, &ss_p.rcvmss }, +- { "advmss:", 7, PM_TYPE_U32, &ss_p.advmss }, +- { "cwnd:", 5, PM_TYPE_U32, &ss_p.cwnd }, +- { "lost:", 5, PM_TYPE_32, &ss_p.lost }, +- { "ssthresh:", 9, PM_TYPE_U32, &ss_p.ssthresh }, +- { "bytes_sent:", 11, PM_TYPE_U64, &ss_p.bytes_sent }, +- { "bytes_retrans:", 14, PM_TYPE_U64, &ss_p.bytes_retrans }, +- { "bytes_acked:", 12, PM_TYPE_U64, &ss_p.bytes_acked }, +- { "bytes_received:", 15, 
PM_TYPE_U64, &ss_p.bytes_received }, +- { "segs_out:", 9, PM_TYPE_U32, &ss_p.segs_out }, +- { "segs_in:", 8, PM_TYPE_U32, &ss_p.segs_in }, +- { "data_segs_out:", 14, PM_TYPE_U32, &ss_p.data_segs_out }, +- { "data_segs_in:", 13, PM_TYPE_U32, &ss_p.data_segs_in }, +- { "send ", 5, PM_TYPE_DOUBLE, &ss_p.send }, /* no ':' */ +- { "lastsnd:", 8, PM_TYPE_U32, &ss_p.lastsnd }, +- { "lastrcv:", 8, PM_TYPE_U32, &ss_p.lastrcv }, +- { "lastack:", 8, PM_TYPE_U32, &ss_p.lastack }, +- { "pacing_rate ", 12, PM_TYPE_DOUBLE, &ss_p.pacing_rate }, /* no ':' */ +- { "delivery_rate ", 14, PM_TYPE_DOUBLE, &ss_p.delivery_rate }, /* no ':' */ +- { "delivered:", 10, PM_TYPE_U32, &ss_p.delivered }, +- { "app_limited ", 12, PM_TYPE_BOOL, &ss_p.app_limited }, +- { "reord_seen:", 11, PM_TYPE_32, &ss_p.reord_seen }, +- { "busy:", 5, PM_TYPE_U64, &ss_p.busy }, +- { "unacked:", 8, PM_TYPE_32, &ss_p.unacked }, +- { "rwnd_limited:", 13, PM_TYPE_U64, &ss_p.rwnd_limited }, +- { "retrans:", 8, PM_TYPE_STRING, &ss_p.retrans_str }, +- { "dsack_dups:", 11, PM_TYPE_U32, &ss_p.dsack_dups }, +- { "rcv_rtt:", 8, PM_TYPE_DOUBLE, &ss_p.rcv_rtt }, +- { "rcv_space:", 10, PM_TYPE_32, &ss_p.rcv_space }, +- { "rcv_ssthresh:", 13, PM_TYPE_32, &ss_p.rcv_ssthresh }, +- { "minrtt:", 7, PM_TYPE_DOUBLE, &ss_p.minrtt }, +- { "notsent:", 8, PM_TYPE_U32, &ss_p.notsent }, ++ SSFIELD("timer:", PM_TYPE_STRING, ss_p.timer_str), ++ SSFIELD("uid:", PM_TYPE_U32, ss_p.uid), ++ SSFIELD("ino:", PM_TYPE_64, ss_p.inode), ++ SSFIELD("sk:", PM_TYPE_U64, ss_p.sk), ++ SSFIELD("cgroup:", PM_TYPE_STRING, ss_p.cgroup), ++ SSFIELD("v6only:", PM_TYPE_32, ss_p.v6only), ++ SSNULLFIELD("--- "), ++ SSNULLFIELD("<-> "), ++ SSNULLFIELD("--> "), ++ SSFIELD("skmem:", PM_TYPE_STRING, ss_p.skmem_str), ++ SSFIELD("ts ", PM_TYPE_BOOL, ss_p.ts), ++ SSFIELD("sack ", PM_TYPE_BOOL, ss_p.sack), ++ SSFIELD("cubic ", PM_TYPE_BOOL, ss_p.cubic), ++ SSFIELD("wscale:", PM_TYPE_STRING, ss_p.wscale_str), ++ SSFIELD("rto:", PM_TYPE_DOUBLE, ss_p.rto), ++ SSFIELD("rtt:", 
PM_TYPE_STRING, ss_p.round_trip_str), ++ SSFIELD("ato:", PM_TYPE_DOUBLE, ss_p.ato), ++ SSFIELD("backoff:", PM_TYPE_32, ss_p.backoff), ++ SSFIELD("mss:", PM_TYPE_U32, ss_p.mss), ++ SSFIELD("pmtu:", PM_TYPE_U32, ss_p.pmtu), ++ SSFIELD("rcvmss:", PM_TYPE_U32, ss_p.rcvmss), ++ SSFIELD("advmss:", PM_TYPE_U32, ss_p.advmss), ++ SSFIELD("cwnd:", PM_TYPE_U32, ss_p.cwnd), ++ SSFIELD("lost:", PM_TYPE_32, ss_p.lost), ++ SSFIELD("ssthresh:", PM_TYPE_U32, ss_p.ssthresh), ++ SSFIELD("bytes_sent:", PM_TYPE_U64, ss_p.bytes_sent), ++ SSFIELD("bytes_retrans:", PM_TYPE_U64, ss_p.bytes_retrans), ++ SSFIELD("bytes_acked:", PM_TYPE_U64, ss_p.bytes_acked), ++ SSFIELD("bytes_received:", PM_TYPE_U64, ss_p.bytes_received), ++ SSFIELD("segs_out:", PM_TYPE_U32, ss_p.segs_out), ++ SSFIELD("segs_in:", PM_TYPE_U32, ss_p.segs_in), ++ SSFIELD("data_segs_out:", PM_TYPE_U32, ss_p.data_segs_out), ++ SSFIELD("data_segs_in:", PM_TYPE_U32, ss_p.data_segs_in), ++ SSFIELD("send ", PM_TYPE_DOUBLE, ss_p.send), /* no ':' */ ++ SSFIELD("lastsnd:", PM_TYPE_U32, ss_p.lastsnd), ++ SSFIELD("lastrcv:", PM_TYPE_U32, ss_p.lastrcv), ++ SSFIELD("lastack:", PM_TYPE_U32, ss_p.lastack), ++ SSFIELD("pacing_rate ", PM_TYPE_DOUBLE, ss_p.pacing_rate), /* no ':' */ ++ SSFIELD("delivery_rate ", PM_TYPE_DOUBLE, ss_p.delivery_rate), /* no ':' */ ++ SSFIELD("delivered:", PM_TYPE_U32, ss_p.delivered), ++ SSFIELD("app_limited ", PM_TYPE_BOOL, ss_p.app_limited), ++ SSFIELD("reord_seen:", PM_TYPE_32, ss_p.reord_seen), ++ SSFIELD("busy:", PM_TYPE_U64, ss_p.busy), ++ SSFIELD("unacked:", PM_TYPE_32, ss_p.unacked), ++ SSFIELD("rwnd_limited:", PM_TYPE_U64, ss_p.rwnd_limited), ++ SSFIELD("retrans:", PM_TYPE_STRING, ss_p.retrans_str), ++ SSFIELD("dsack_dups:", PM_TYPE_U32, ss_p.dsack_dups), ++ SSFIELD("rcv_rtt:", PM_TYPE_DOUBLE, ss_p.rcv_rtt), ++ SSFIELD("rcv_space:", PM_TYPE_32, ss_p.rcv_space), ++ SSFIELD("rcv_ssthresh:", PM_TYPE_32, ss_p.rcv_ssthresh), ++ SSFIELD("minrtt:", PM_TYPE_DOUBLE, ss_p.minrtt), ++ SSFIELD("notsent:", PM_TYPE_U32, 
ss_p.notsent), + + { NULL } + }; +@@ -225,8 +230,11 @@ ss_parse(char *line, int has_state_field, ss_stats_t *ss) + if (*p == '(') + p++; + r = (char *)parse_table[i].addr; +- for (s=p; *s && *s != ' ' && *s != '\n' && *s != ')'; s++) +- *r++ = *s; /* TODO check r len */ ++ for (s=p; *s && *s != ' ' && *s != '\n' && *s != ')'; s++) { ++ *r++ = *s; ++ if (r - (char *)parse_table[i].addr >= parse_table[i].size - 1) ++ break; ++ } + *r = '\0'; + break; + case PM_TYPE_32: +diff --git a/src/pmdas/linux_sockets/ss_stats.h b/src/pmdas/linux_sockets/ss_stats.h +index 183db5afa..009a00cd9 100644 +--- a/src/pmdas/linux_sockets/ss_stats.h ++++ b/src/pmdas/linux_sockets/ss_stats.h +@@ -1,11 +1,11 @@ + /* +- * Copyright (c) 2021 Red Hat. +- * ++ * Copyright (c) 2021-2022 Red Hat. ++ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. +- * ++ * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +@@ -26,7 +26,7 @@ typedef struct ss_stats { + __int32_t timer_retrans; + __uint32_t uid; + __uint64_t sk; +- char cgroup[64]; ++ char cgroup[128]; + __int32_t v6only; + char skmem_str[64]; + __int32_t skmem_rmem_alloc; +commit 77ba20d5e76ada83283a262dd2083b2fc284b5f8 +Author: Nathan Scott +Date: Thu May 5 09:33:46 2022 +1000 + + selinux: policy updates needed for the pmdasockets metrics + + Thanks to Jan Kurík and Miloš Malík we have the additional + selinux policy requirements - without these we see QE test + failures for this agent with pcp-ss(1) on RHEL. + + Related to Red Hat BZ #1981886. 
+ +diff --git a/qa/917.out.in b/qa/917.out.in +index 3bd1dc15e..6a4356a12 100644 +--- a/qa/917.out.in ++++ b/qa/917.out.in +@@ -154,9 +154,9 @@ Checking policies. + # -- end logging_watch_journal_dirs(pcp_domain) expansion + allow [pcp_pmcd_t] [cluster_tmpfs_t] : [file] { write }; + allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans }; +- allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read }; +- allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans }; +- allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt }; ++! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read }; ++! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans }; ++! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; + allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write }; + allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; + allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read }; +diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs +index 1a1b1428c..1462c5ccb 100644 +--- a/src/selinux/GNUlocaldefs ++++ b/src/selinux/GNUlocaldefs +@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { + endif + + ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true" +-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" +-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" ++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };" ++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect 
create getattr getopt ioctl lock read setattr setopt shutdown write };" + endif + + ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true" +commit a6222992fe5f97f94bdddd928ce9557be1918bfd +Author: Jan Kurik +Date: Fri May 6 08:04:46 2022 +1000 + + selinux: fine-tune netlink_tcpdiag_socket policy for all platforms + + Previous policy set did not apply correctly on ppc64le and aarch64 + architectures. After some tweaking the following set of permissions + was found to work on all the supported architectures and fixes the + behavior of the sockets PMDA. + + Related to Red Hat BZ #1981886. + +diff --git a/qa/917.out.in b/qa/917.out.in +index 6a4356a12..723193aa2 100644 +--- a/qa/917.out.in ++++ b/qa/917.out.in +@@ -156,7 +156,7 @@ Checking policies. + allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans }; + ! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read }; + ! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans }; +-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; ++! 
allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write }; + allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write }; + allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; + allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read }; +diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs +index 1462c5ccb..9733aead9 100644 +--- a/src/selinux/GNUlocaldefs ++++ b/src/selinux/GNUlocaldefs +@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { + endif + + ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true" +-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };" +-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };" ++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };" ++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };" + endif + + ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true" diff --git a/SOURCES/redhat-bugzilla-2059461-pmie-systemd-fixup.patch b/SOURCES/redhat-bugzilla-2059461-pmie-systemd-fixup.patch new file mode 100644 index 0000000..b3190a7 --- /dev/null +++ b/SOURCES/redhat-bugzilla-2059461-pmie-systemd-fixup.patch 
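Review bot: In the sockets_store hunk of src/pmdas/linux_sockets/pmda.c the new guard looks inverted: sockets_check_filter() returns 1 for an acceptable string and 0 (`/* disallow */`) for a rejected one, yet the store fails with PM_ERR_BADSTORE when the call returns non-zero. As written, filters made only of alphanumerics, whitespace and brackets are refused, while strings containing any other character are kept in ss_filter, which is the opposite of what the comment above the helper describes; the condition should read `if (!sockets_check_filter(av.cp)) {`. The helper also hands a plain `char` to isspace() and isalnum(), which is undefined for negative values, so `isspace((unsigned char)*p)` and `isalnum((unsigned char)*p)` would be safer. qa/1927 only exercises Install/Remove and the v6only values, so a pmstore case with one accepted and one rejected filter would have caught this. sockets_store continues outside the hunk.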
@@ -0,0 +1,11 @@
+diff -Naurp pcp-5.3.7.orig/src/pmie/GNUmakefile pcp-5.3.7/src/pmie/GNUmakefile
+--- pcp-5.3.7.orig/src/pmie/GNUmakefile 2022-02-02 11:53:05.000000000 +1100
++++ pcp-5.3.7/src/pmie/GNUmakefile 2022-05-03 11:45:12.108743480 +1000
+@@ -80,6 +80,7 @@ pmie.service : pmie.service.in
+ $(SED) <$< >$@ \
+ -e 's;@PCP_RC_DIR@;'$(PCP_RC_DIR)';' \
+ -e 's;@PCP_RUN_DIR@;'$(PCP_RUN_DIR)';' \
++ -e 's;@PCP_SYSCONFIG_DIR@;'$(PCP_SYSCONFIG_DIR)';' \
+ # END
+
+ pmie_farm.service : pmie_farm.service.in
diff --git a/SOURCES/redhat-bugzilla-2059463-pmdapostfix-harden.patch b/SOURCES/redhat-bugzilla-2059463-pmdapostfix-harden.patch
new file mode 100644
index 0000000..73236d6
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2059463-pmdapostfix-harden.patch
@@ -0,0 +1,146 @@ +commit f54eddf494e474531e5af609bcc376037a918977 +Author: Nathan Scott +Date: Tue Apr 26 14:32:59 2022 +1000 + + pmdapostfix: harden against a not-yet-running postfix + + Ensure the postfix PMDA can start and service requests even + if postfix is not yet started. + +diff --git a/src/perl/PMDA/local.c b/src/perl/PMDA/local.c +index e223bde7a..33130bc5d 100644 +--- a/src/perl/PMDA/local.c ++++ b/src/perl/PMDA/local.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2017 Red Hat. ++ * Copyright (c) 2012-2017,2022 Red Hat. + * Copyright (c) 2008-2011 Aconex. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify it +@@ -139,18 +139,15 @@ int + local_tail(char *file, scalar_t *callback, int cookie) + { + int fd = open(file, O_RDONLY | O_NDELAY); +- struct stat stats; ++ struct stat stats = {0}; + int me; + +- if (fd < 0) { +- pmNotifyErr(LOG_ERR, "open failed (%s): %s", file, osstrerror()); +- exit(1); +- } +- if (fstat(fd, &stats) < 0) { +- pmNotifyErr(LOG_ERR, "fstat failed (%s): %s", file, osstrerror()); +- exit(1); +- } +- lseek(fd, 0L, SEEK_END); ++ if (fd < 0) ++ pmNotifyErr(LOG_INFO, "open failed (%s): %s", file, osstrerror()); ++ else if (fstat(fd, &stats) < 0) ++ pmNotifyErr(LOG_INFO, "fstat failed (%s): %s", file, osstrerror()); ++ else ++ lseek(fd, 0L, SEEK_END); + me = local_file(FILE_TAIL, fd, callback, cookie); + files[me].me.tail.path = strdup(file); + files[me].me.tail.dev = stats.st_dev; +@@ -416,10 +413,11 @@ local_pmdaMain(pmdaInterface *self) + } + + for (i = 0; i < nfiles; i++) { +- fd = files[i].fd; + /* check for log rotation or host reconnection needed */ + if ((count % 10) == 0) /* but only once every 10 */ + local_connection(&files[i]); ++ if ((fd = files[i].fd) < 0) ++ continue; + if (files[i].type != FILE_TAIL && !(__pmFD_ISSET(fd, &readyfds))) + continue; + offset = 0; +@@ -431,21 +429,16 @@ multiread: + (oserror() == EAGAIN) || + (oserror() == EWOULDBLOCK))) + continue; +- if 
(files[i].type == FILE_SOCK) { +- close(files[i].fd); +- files[i].fd = -1; +- continue; +- } +- pmNotifyErr(LOG_ERR, "Data read error on %s: %s\n", +- local_filetype(files[i].type), osstrerror()); +- exit(1); ++ close(files[i].fd); ++ files[i].fd = -1; ++ continue; + } + if (bytes == 0) { + if (files[i].type == FILE_TAIL) + continue; +- pmNotifyErr(LOG_ERR, "No data to read - %s may be closed\n", +- local_filetype(files[i].type)); +- exit(1); ++ close(files[i].fd); ++ files[i].fd = -1; ++ continue; + } + /* + * good read ... data up to buffer + offset + bytes is all OK +diff --git a/src/pmdas/postfix/pmdapostfix.pl b/src/pmdas/postfix/pmdapostfix.pl +index ac46816bc..d6d3f4d3a 100644 +--- a/src/pmdas/postfix/pmdapostfix.pl ++++ b/src/pmdas/postfix/pmdapostfix.pl +@@ -1,5 +1,5 @@ + # +-# Copyright (c) 2012-2015 Red Hat. ++# Copyright (c) 2012-2015,2022 Red Hat. + # Copyright (c) 2009-2010 Josef 'Jeff' Sipek + # + # This program is free software; you can redistribute it and/or modify it +@@ -56,8 +56,6 @@ my @postfix_received_dom = ( + 1 => 'smtp', + ); + +-my $setup = defined($ENV{'PCP_PERL_PMNS'}) || defined($ENV{'PCP_PERL_DOMAIN'}); +- + sub postfix_do_refresh + { + QUEUE: +@@ -212,7 +210,7 @@ $logstats{"received"}{1} = 0; + + # Note: + # Environment variables. +-# $PMDA_POSTFIX_QSHAPE: alternative executable qshape scrpipt (for QA) ++# $PMDA_POSTFIX_QSHAPE: alternative executable qshape script (for QA) + # ... over-rides default and command line argument. + # ... 
over-rides default arguments -b 10 -t $refresh + # $PMDA_POSTFIX_REFRESH: alternative refresh rate (for QA) +@@ -228,7 +226,7 @@ if (defined($ENV{'PMDA_POSTFIX_QSHAPE'})) { + $qshape = $ENV{'PMDA_POSTFIX_QSHAPE'}; + $qshape_args = ''; + } +-if (!$setup) { $pmda->log("qshape cmd: $qshape $qshape_args "); } ++unless (pmda_install()) { $pmda->log("qshape cmd: $qshape $qshape_args "); } + + if (defined($ENV{'PMDA_POSTFIX_REFRESH'})) { $refresh = $ENV{'PMDA_POSTFIX_REFRESH'}; } + +@@ -238,12 +236,15 @@ foreach my $file ( @logfiles ) { + } + } + if (defined($ENV{'PMDA_POSTFIX_LOG'})) { $logfile = $ENV{'PMDA_POSTFIX_LOG'}; } +-unless(defined($logfile)) +-{ +- $pmda->log("Fatal: No Postfix log file found in: @logfiles"); +- die 'No Postfix log file found'; ++unless (pmda_install()) { ++ if (defined($logfile)) { ++ $pmda->log("logfile: $logfile"); ++ } else { ++ $pmda->log("Warning: assuming logfile: $logfiles[0] as no Postfix log found yet from: @logfiles"); ++ } + } +-if (!$setup) { $pmda->log("logfile: $logfile"); } ++# set a good default if none found, before continuing ++unless (defined($logfile)) { $logfile = $logfiles[0]; } + + $pmda->add_indom($postfix_queues_indom, \@postfix_queues_dom, '', ''); + $pmda->add_indom($postfix_sent_indom, \@postfix_sent_dom, '', ''); diff --git a/SOURCES/redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch b/SOURCES/redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch new file mode 100644 index 0000000..77256ef --- /dev/null +++ b/SOURCES/redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch 
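Review bot: The read-error and zero-byte branches in local_pmdaMain (src/perl/PMDA/local.c) now close the descriptor and continue without logging anything, so a PMDA that has lost a pipe or socket input cannot be told apart from an idle one. Keeping the message at a lower priority ahead of the close(), e.g. `pmNotifyErr(LOG_INFO, "Data read error on %s: %s\n", local_filetype(files[i].type), osstrerror());`, preserves the diagnostic without bringing back the exit(1). In local_tail a failed open() now passes fd -1 on to local_file(); neither local_file nor local_connection is visible in these hunks, so it is worth confirming that both tolerate -1 and that the path is reopened later. Both functions continue outside their hunks.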
@@ -0,0 +1,44 @@ +commit d874d2e486c8a64fa9945ed7aa0048cccbd46f77 +Author: Nathan Scott +Date: Wed May 4 17:11:19 2022 +1000 + + pmdaproc: fix cgroup cpu metrics refresh structures + + Jan Kurik encountered this issue when running the regression + testsuite (especially qa/359) on non-x86_64 architectures. + + Something must've changed in the toolchain recently on these + platforms since we've not seen this before, but this bug has + been in our code for some time. It works everywhere else by + good fortune, when there just happen to be NULLs after these + cgroups CPU parsing data structures. + + Resolves Red Hat BZ #2081262. + +diff --git a/src/pmdas/linux_proc/cgroups.c b/src/pmdas/linux_proc/cgroups.c +index 413a72343..26d59863a 100644 +--- a/src/pmdas/linux_proc/cgroups.c ++++ b/src/pmdas/linux_proc/cgroups.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2019 Red Hat. ++ * Copyright (c) 2012-2019,2022 Red Hat. + * Copyright (c) 2010 Aconex. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify it +@@ -863,6 +863,7 @@ read_cpu_time(const char *file, cgroup_cputime_t *ccp) + { "usage_usec", &cputime.usage }, + { "user_usec", &cputime.user }, + { "system_usec", &cputime.system }, ++ { NULL, NULL } + }; + char buffer[4096], name[64]; + unsigned long long value; +@@ -903,6 +904,7 @@ read_cpu_stats(const char *file, cgroup_cpustat_t *ccp) + { "nr_periods", &cpustat.nr_periods }, + { "nr_throttled", &cpustat.nr_throttled }, + { "throttled_time", &cpustat.throttled_time }, ++ { NULL, NULL } + }; + char buffer[4096], name[64]; + unsigned long long value; diff --git a/SPECS/pcp.spec b/SPECS/pcp.spec index e072a7d..83c905f 100644 --- a/SPECS/pcp.spec +++ b/SPECS/pcp.spec @@ -1,6 +1,6 @@ Name: pcp Version: 5.3.7 -Release: 1%{?dist} +Release: 7%{?dist} Summary: System-level performance monitoring and performance management License: GPLv2+ and LGPLv2+ and CC-BY URL: https://pcp.io 
@@ -8,6 +8,10 @@ URL: https://pcp.io %global artifactory https://performancecopilot.jfrog.io/artifactory Source0: %{artifactory}/pcp-source-release/pcp-%{version}.src.tar.gz Patch0: redhat-bugzilla-2003956-pmdabcc-update-kernel-version-check-due-to-backporting.patch +Patch1: redhat-bugzilla-1981886-pmdasockets-backporting.patch +Patch2: redhat-bugzilla-2059461-pmie-systemd-fixup.patch +Patch3: redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch +Patch4: redhat-bugzilla-2059463-pmdapostfix-harden.patch # The additional linker flags break out-of-tree PMDAs. # https://bugzilla.redhat.com/show_bug.cgi?id=2043092 @@ -2287,6 +2291,10 @@ updated policy package. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build # the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step) @@ -3344,6 +3352,17 @@ PCP_LOG_DIR=%{_logsdir} %files zeroconf -f pcp-zeroconf-files.rpm %changelog +* Mon May 09 2022 Nathan Scott - 5.3.7-7 +- Additional selinux policy rules for pmdasockets (BZ 1981886) + +* Thu May 05 2022 Nathan Scott - 5.3.7-5 +- Harden pmdapostfix(1) against missing Postfix (BZ 2059463) +- Fix cgroups failure on non-x86_64 platforms (BZ 2081262) + +* Tue May 03 2022 Nathan Scott - 5.3.7-3 +- Fix remaining issues in the pcp-ss(1) utility (BZ 1981886) +- Remove benign warning message from pmie systemd unit file. + * Tue Apr 05 2022 Nathan Scott - 5.3.7-1 - Fix several issues in the pcp-ss(1) utility (BZ 1981886) - Document pmproxy archive discovery further (BZ 2026726)