Age | Commit message (Collapse) | Author |
|
|
|
Having the same logic twice was sorta bugging me. Now the
function-like-macro is sorta bugging me, and I'll just let
it.
|
|
This is derived in significant part from contributions to oe-core
by Peter A. Bigot. I reworked the path routine a bit to use an
already duplicated string instead of allocating copies of parts of
it.
The first issue was just that there was a missing antimagic() around
some of the path operations. The second is that we wanted to have
a way to provide a fallback password file which isn't the host's,
but which can be used in the case where the target filesystem hasn't
got a password yet, for bootstrapping purposes. (So there's a minimal
password file that just has root, basically.)
Also, I noticed a design flaw, which is that if you ended up
calling pseudo_pwd_lck_open() twice in a row, the second time
through, pseudo would first check whether it had a path name
for the file (it does), and thus not allocate one, then call
the close routine (which frees it and nulls the pointer), then
open a new one... and not have a file name, so the next attempt
to close it wouldn't unlink the file. This shouldn't ever
come up in real code, but it was bugging me.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
It turns out that "a/" is equivalent to "a/.", and that in particular
it should fail when a is not a directory. Pseudo's been silently stripping
them and this breaks things. Attempt to fix that, lightly tested.
|
|
|
|
Trying to track down problems which sometimes result in files showing
up as nameless files, producing clashes later. Looks like there were two
issues; one is we were creating links for files that we'd already
found by inode. The other is that rename was sending bogus LINK messages
in some cases. Also simplified the find_file_dev path to extract the
path as part of the initial operation, since there wasn't any case where
that wasn't being done immediately afterwards.
|
|
So it turns out that the sanity checks should be skipped on did_unlink,
because otherwise if an inode gets reused for a different file type,
it'll get nuked. This is pretty rare, but appears to bite us occasionally
during debug stripping.
|
|
It turns out that, in the fairly common case where the did-unlink stuff
has saved us from worse problems, pseudo produces probably-spurious
error messages about the path mismatch when the did-unlink shows up.
Change that into a debug message. Also fix a typo in a comment.
|
|
XFS apparently has 64-bit inodes. Our inode data path was
*almost* 64-bit clean. This doesn't require a database format change
because sqlite3 doesn't distinguish, but it will probably
invalidate existing files.db things on XFS. But they were broken
anyway.
|
|
|
|
|
|
The assumption that a host is either x86_64 or x86_32 does not
hold well on target systems.
|
|
We don't want to pick up newer memcpy because pseudo sometimes has to
run host binaries even when built against a newer libc.
|
|
More complicated, because we actually need to make com.apple stuff work
probably.
|
|
The sqlite flags don't need to be present if they don't have
meaningful values. I think.
|
|
strlen(array) isn't a constant expression, even though gcc can sometimes
figure it out at compile time.
|
|
Also for lstat, but that probably never matters because in Linux
you will never actually call lstat without working really hard at
it, because you end up calling __lxstat anyway. (Was already
doing the right thing for Darwin.)
|
|
So it turns out that if you fix a bug inside an #ifdef that hasn't
applied to anything in years, it doesn't actually fix the bug.
|
|
|
|
We used to rely on filesystem operations to apply the umask when
appropriate, but when we started masking out 022, that stopped working.
Start watching umask.
|
|
PSEUDO_DB_MODE restores a proposed mode's 0700 bits, but now that we're
masking 022 out, it should also restore those. Change it to restore
0722 from a proposed mode before sending to database.
|
|
Various wrappers checked for a non-null pseudo_get_value("PSEUDO_UNLOAD") to
determine whether the environment should include the pseudo variables. None
of those checks freed the returned value when it was not null. The new
check function does.
The new check function also sees whether PSEUDO_UNLOAD was defined in the
environment that should be used in the wrapped system call. This allows
pkg_postinst scripts to strip out the LD_PRELOAD setting, for example before
invoking qemu to execute commands in an environment that does not have
libpseudo.so.
[YOCTO #4843]
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Wait until the server has finished processing all of our messages
before exiting. Otherwise, it's possible for a command which sends
a no-response message and then exits to be followed by another
command which assumes the first one's done, and the second command's
messages can get processed first.
|
|
Change the handling of fchmodat(AT_SYMLINK_NOFOLLOW) to reject it
if the host system does, so we preserve host system behavior.
Mask out group/other write bits when actually creating files to
reduce risks to filesystem integrity.
|
|
underlying fchmodat() will just fail, but GNU tar calls it that way
anyway, figuring it'll just retry on failure, but we don't report
the failure. Nor do we want to, because that's expensive and slow
and will result in additional database round trips. But I don't want
to fail out right away, so for now, just strip the flag.
|
|
Turns out the checks for feature support were using plain cc,
not ${CC}, which could break tests. Also add a sanity check to the
xattr support to confirm that <attr/xattr.h> is available.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Clean-up: Allow specification of environment hints for subports
scripts, such as whether xattr support is available. Also make
configure guess at a bit width if none is specified.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The test case is based on the simple test of doing:
touch foo
getfattr -d foo
setfattr -n "user.dummy" -v "test" foo
getfattr -d foo
# file: foo
user.dummy="test"
setfattr -n "security.dummy" -v "test" foo
getfattr -n "security.dummy" foo
If pseudo is not running, the first part should work as long as extended
attributes are enabled, but the attempt to set "security...."
should result in a failure similar to:
setfattr: foo: Operation not permitted
As long as pseudo is working properly, no errors should be reported, and
the data should come back with the same values as were originally set.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
The "/* flags = AT_SYMLINK_NOFOLLOW */" comment only works if
it comes AFTER the semicolon in wrapfuncs.in. Who knew? Fix
those. Also rename the "flags" arguments for *setxattr() to
"xflags" to avoid any confusion about the flags variable.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Was using the length of the name instead of the length of the
value on insert, but not on update, so initial settings of values
were busted often.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The xattr first-pass implementation was allocating a buffer to
hold the name and value for a set operation, then pseudo_client was
allocating *another* buffer to hold the path and those two values.
pseudo_client_op develops more nuanced argument handling, and also
uses a static buffer for the extended paths it sometimes needs. So
for the typical use case, only occasional operations will need to
reallocate/expand the buffer, and we'll be down to copying things
into that buffer once per operation, instead of having two alloc/free
pairs and two copies.
And of course, that wasn't two alloc/free pairs, it was one alloc/free
pair and one alloc without a free. Whoops.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
In the fairly common case where someone is using
setxattr() to specify the "posix_acl_access" attribute, but in fact
the ACL list specified can be fully represented in a plain old mode,
we intercept the request and just do a chmod. Even if the request
can't be fully represented, we try to represent any aspects of it that
we can in the plain old mode.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Issue #1: If an operation came in for an item with no path
provided by the wrapper, the client would not construct the
combined "path" value. Fixed, and missing paths are now
consistently handled as 0-byte paths.
Issue #2: The database code was assuming the values were
strings, and ignoring a specified length.
Issue #3: The computation of the length of the stored value
was off by one, because it was including the extra terminating
null the client added in case the value was a path.
With this in place, "cp -a" on CentOS is consistently
duplicating the system.posix_acl_access fields as expected,
but unfortunately not handling their permissions too.
(Intent is to translate a system.posix_acl_access setxattr
into corresponding permissions whenever possible.)
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Initial, incomplete, support for extended attributes. Extended
attributes are implemented fairly naively, using a second table
in the file database using the primary file table's id as a
foreign key. The ON DELETE CASCADE behavior requires sqlite 3.6.19
or later with foreign key and trigger support compiled in.
To reduce round-trips, the client does not check for existing
attributes, but rather, sends three distinct set messages;
OP_SET_XATTR, OP_CREATE_XATTR, OP_REPLACE_XATTR. A SET message
always succeeds, a CREATE fails if the attribute already
exists, and a REPLACE fails if the attribute does not already
exist.
The /* flags */ feature of makewrappers is used to correct
path names appropriately, so all functions are already working
with complete paths, and can always use functions that work
on links; if they were supposed to dereference, the path
fixup code got that.
The xattr support is enabled, for now, conditional on
whether getfattr --help succeeds.
Not yet implemented: Translation for system.posix_acl_access,
which is used by "cp -a" (or "cp --preserve-all") on some
systems to try to copy modes.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
When invoked as a non-daemon, either with a command or to get a
shell, shut the server down automatically. This is currently
implemented by sending a shutdown request; I also considered
adding an environment flag for "shut down when there's no clients",
but this was simpler.
Main reason this is useful: In development, it's often the case
that I want to run a single command under pseudo, then check
the database directly with sqlite.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Ports can provide pseudo_wrappers.c or portdefs.h, and individual
functions have implementations. These dependencies aren't known until
post-configure. Make the Makefile include two sub-Makefiles which can
be updated by makewrappers.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
|
|
|
|
|
|
|
|
In some cases, we'd rather pseudo fail than fall back to using
/etc/passwd or /etc/group. Make the determination of what to fall
back to when neither PSEUDO_PASSWD nor a chroot directory contains
passwd/group files controllable by a configure-time flag, controlled
by --with-passwd-fallback= or --without-passwd-fallback.
|
|
|
|
|
|
|
|
|
|
This is a moderately intrusive change. The basic overall effect:
Debugging messages are now controlled, not by a numeric "level",
but by a series of flags, which are expressed as a string of
letters. Each flag has a single-letter form used for string
specifications, a name, a description, a numeric value (1 through N),
and a flag value (which is 1 << the numeric value). (This does mean
that no flag has the value 1, so we only have 31 bits available.
Tiny violins play.)
The other significant change is that the pseudo_debug calls
are now implemented with a do/while macro containing a conditional,
so that computationally-expensive arguments are never evaluated
if the corresponding debug flags weren't set. The assumption is
that in the vast majority of cases (specifically, all of them
so far) the debug flags for a given call are a compile-time constant,
so the nested conditional will never actually show up in code
when compiled with optimization; we'll just see the appropriate
conditional test.
The VERBOSE flag is magical, in that if the VERBOSE flag is
used in a message, the debug flags have to have both VERBOSE and
at least one other flag for the call to be made.
This should dramatically improve performance for a lot of cases
without as much need for PSEUDO_NDEBUG, and improve the ability of
users to get coherent debugging output that means something and is
relevant to a given case.
It's also intended to set the stage for future development work
involving improving the clarity and legibility of pseudo's diagnostic
messages in general.
Old things which used numeric values for PSEUDO_DEBUG will sort
of continue to work, though they will almost always be less verbose
than they used to. There should probably be a pass through adding
"| PDBGF_CONSISTENCY" to a lot of the messages that are specific
to some other type.
|
|
No idea how this survived so long, but the clone() syscall
prototype on RHEL 4.7 doesn't have the "..." for additional
arguments, so we can't pass them. Also had unused variables
that would otherwise have been being filled in from va_args
and passed. But there's no extra args to pass.
Interestingly, this contradicts the clone() man page in
RHEL 4.7. If you have problems with clone() there, that's
probably why.
|
|
|
|
|
|
Some filesystems have buggy semantics where stat(2) will return incorrect
sizes for files for a while after some changes, sometimes, unless they've
been fsync'd. We still want to disable fsync most of the time, but enabling
it for specific programs can be useful.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|