| Age | Commit message (Collapse) | Author |
|---|
|
Ugrading to coreutils 9.5 pulls in:
https://git.savannah.gnu.org/cgit/coreutils.git/commit/src/chmod.c?id=07a69fc3ba717b879218592db685a1c79869cb28
which calls fchmodat with AT_SYMLINK_NOFOLLOW.
All the docs I can find say that symlinks don't have modes and are
always readable. With the error in place, we see things like:
chmod: changing permissions of 'XXX/build-appliance-image/15.0.0/rootfs/home/builder/poky/scripts/esdk-tools/runqemu-gen-tapdevs': Function not implemented
when building build-appliance-image, which uses tools from coreutils-native.
It is only a matter of time before distros start shipping those newer tools.
I believe the correct thing to do is just return success here rather
than failure. This does fix the build failure.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
rpm 4.19 now builds with LFS64 support enabled by default,
so it calls statvfs64() to get the space available on the
filesystem it is installing packages into. Add a wrapper
for this call so the right filesystem is used.
Signed-off-by: Matt Madison <matt@madison.systems>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[YOCTO #15074]
The syncfs probe in ports/unix/subports was failing if the compiler does not
support implicit function declarations. syncfs is protected and requires
_GNU_SOURCE, so the answer here is to pull it in.
Signed-off-by: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Apparently <attr/attributes.h> was only included in order to get ENOATTR.
pseudo does not use any other functions or structs from it.
More about ENOATTR:
https://git.savannah.nongnu.org/cgit/attr.git/tree/include/attributes.h
https://github.com/rust-lang/libc/issues/1356
https://github.com/golang/go/issues/753
Signed-off-by: Tomi Belan <tomi.belan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a wrapper for the fcntl64 glibc function based on the fcntl
wrapper which is effectively the same.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
glibc 2.34 adds a closefrom() function call to close a range of file
descriptors. This one is problematic for us since pseudo can have its
own fds open in the close range.
To handle this we add a specific client side op, OP_CLOSEFROM, similar
to OP_CLOSE which closes the fds in the range which aren't pseudo fds.
This means manually closing some of the fds ourselves and then modifying
the call to closefrom for the rest. Not pretty but I'm struggling to see
a better way. It does mean msg/result is used in a new case to let the
caller know which fds to close as the range needs to change. This is
allowed after the previous static change.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
glibc 2.34 adds a close_range() function call. This one is straight forward
as it allows ENOSYS to be returned and the caller has to handle it so
lets do that.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When running the test suite on my Debian 11 box I see many occurrences
of:
unknown fcntl argument 1032, assuming long argument.
(for example from test-execl.sh.)
It appears that this is F_GETPIPE_SZ and it takes no arguments. Let's
add it and the corresponding F_SETPIPE_SZ too to avoid the warning
messages.
F_SETPIPE_SZ accepts an int argument, which strictly speaking isn't the
same as the long that the wrapper expects. However, this is also true
for F_DUPFD which seems to be working correctly on all the targets that
people care about.
We need to define the command constants if the system headers don't
provide them to ensure that a binary built on an old system works
without the new commands works correctly only a newer one that tries to
use them. If the system values differ from the expected ones then such a
binary would also be incompatible, so fail the build in that case too.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We want a pseudo which can build on a system without statx support but work on
one with statx support. By adding a copy of the struct we can do this and then
work correclty with OE's uninative again.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
GCC emits this warning for mismatched function types unless the generic
void (*) (void) signature is used ([1]) - e.g.:
warning: cast between incompatible function types from ‘int (*)(const
char *)’ to ‘int (*)(void)’ [-Wcast-function-type]
[1] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wcast-function-type
Signed-off-by: Philip Lorenz <philip@bithub.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We're seeing failures where a file is renamed under pseudo but an
access appears to be made to the old filename before the OP_RENAME has
hit the database but after the real_rename has applied in the kernel.
This is effectively the MAY_UNLINK problem for the original filename. There
were protections for the newpath but not the oldpath.
To try and avoid these aborts(), mark the original path as MAY_UNLINK however
we need to be careful not to trigger the DID_UNLINK but instead update
the deleting entry in the database as the rename completes. To do this,
we no clear the deleting flag during the database rename operation in SQL.
Also, we have to stop removing the by_ino matches where by_ino.deleting is
set, else we may lose the renamed file's attributes that way.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add wrappers for the faccessat and faccessat2 glibc functions matching
the way access.c works. faccessat2 was added in glibc 2.33.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The man page for access() does not allow for a return value of EPERM,
should be EACCES. Fix.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In glibc 2.33, they've removed the _STAT_VER and _MKNOD_VER definitions
from public headers. They have no plans to add these back so pseudo needs
to attempt its own definitions. There is some protection as if they were
wrong and there was a mismatch, we'd get an error art runtime.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The xattr functions need to use a specific version of the symbols to avoid
calling into libattr.so, which on Tumbleweed causes failures[1].
However on arm64 systems the glibc version is different. This means that
searching for llistattr(GLIBC_2.3) fails to initially match the symbol in
libc.so, and instead if libattr.so is linked then the symbol in that library
is used. This is simply a wrapper that is intended to call the symbol in
libc.so but instead calls the symbol in pseudo, so infinite loops.
Using the just-added architecture overrides, add the right versions for
arm64 systems so the correct symbols in libc.so are found.
[ YOCTO #14133 ]
[1] b94fa2fc81cde25865ee223ca437d07377229a53
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Newer versions of glibc have a lchmod function which we need to wrap.
Add this, and tweak fchmodat to be able to handle the "no symlink
resolution" case rather than duplicate code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Similar to mkstemp64 when oflags=0, therefore move the wrapper and call
from mkstemp64. Note that some glibc versions would have one but not the other
so ensure fall back to the real function is correct on those versions.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There is magic in the posts where specific variable names have specific
magic. For that magic to work, "path" needs to be used not "pathname" as
is currently there. Fix this, which fixes path issues on systems using
statx (Ubuntu 20.04 in particular).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In the xattr handling functions, if result is NULL, which it can be
with the path ignore code, there is a NULL pointer dereference and
segfault. Everywhere else checks result first, this appears to just
be an omission.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Consider what happens if a program does:
fd = fopen("A")
link("A", "B")
unlink("A")
fchown(fd)
Assuming we can't use the database, in order to handle this correctly,
we need to change the open fd to point at B when A us unlinked.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Currently, pseudo considers any path accessed whist its running to be
a valid entry to track in its database. The way OpenEmbedded uses pseudo,
there are paths we care about accesses to from a pseudo perspective and paths
which we simply don't care about.
This patch adds a PSEUDO_IGNORE_PATHS environment variable which is a comma
separated list of path prefixes to ignore accesses to.
To do this, we add some functions which can check a path argument or a file
descriptor argument and use these in the pseudo wrappers where path or fd
arguments are present. Where paths are being ignored, we skip straight to
the underlying real function.
Psuedo needs to keep track of the open fd mappings to files so we still need
to allow those cases into the pseudo_op function. Specficially this means
OP_CLOSE, OP_OPEN, OP_DUP and OP_CHDIR.
Apart from OP_OPEN which could call the server, the other operations are client
side only so passed through. We 'tag' the functions using these operations so
that the path ignore code isn't triggered. For OP_OPEN we exit early and skip
the server op. We also have a catch all in client_op to ensure any operatings
we didn't manage to skip early still get skipped correctly.
OP_CHROOT is a special case. Where ignored path prefixes are used as a chroot,
for the lifetime of the chroot, the path is effectively dropped from the
PSEUDO_IGNORE_PATHS list. Whilst slightly counter intuaitive, this turned out
to be the most effective way to do things due to commands like useradd and
their use of chroots.
For sqlite3 and appropriate path filtering in OE, this took the database from
45,000 entries to about 180. For dbus this was 88,000 down to 760. Given the
number of client to server trips these numbers of paths involves, the win
is seemingly worthwhile.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The pseudo rename guts test for an item being renamed to
itself, only after information about it has been deleted.
We move the test to before we play with the database.
Note that pseudo does not support renameat2().
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Linux 3.15 and newer introduced new open file description locks.
Currently pseudo prints a warning if fcntl is used with OFD locks:
unknown fcntl argument 37, assuming long argument.
However, calls to fcntl with a OFC lock set need a struct flock
pointer. Treat F_OFD_GETLK (and friends) like F_GETLK (and friends).
This issue has been observed with ostree. Comparing strace output
between two runs with/without this patch shows the same fcntl calls,
hence it seems not to matter in practice.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The file mode was accidentally overwritten with only the permission
bits, causing the server to falsely assume that the database was
corrupted (because the msg_header.mode did not contain S_IFDIR
anymore) even though it was the client doing the corruption.
In practice that had the effect of leaking the UID of the user, into
the pseudo environment.
This fixes Bug 13959 -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=13959
Signed-off-by: Johannes Beisswenger <johannes.beisswenger@cetitec.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
pseudo: ENOSYS for 'fsetxattr'.
which was being caused by dlsym() for that function returning NULL. This
appears to be due to it finding an unresolved symbol in libacl for this
symbol in libattr. It hasn't been resolved so its NULL. dlerror() returns
nothing since this is a valid symbol entry, its just not the one we want.
We can add the glibc version string for the symbol we actually want so we get
that version rather than the libattr/libacl one.
To quote libattr:
"""
These dumb wrappers are for backwards compatibility only.
Actual syscall wrappers are long gone to libc.
"""
and they are simply wrappers around the libc version so our attaching
to the libc versions should intercept any accesses via these too.
RP 2020/06/22
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
Upstream-Status: Pending [discussed with seebs on irc and appears the correct fix]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
seccomp was setup when in fact we do nothing. If we error as unsupported,
utilities like file will exit with errors so we can't just disable it.
Also, it fails to compile pseudo-native on centos 7:
| ports/linux/pseudo_wrappers.c: In function ‘prctl’:
| ports/linux/pseudo_wrappers.c:129:14: error: ‘SECCOMP_SET_MODE_FILTER’ undeclared (first use in this function)
| if (cmd == SECCOMP_SET_MODE_FILTER) {
| ^
Add macro guard for seccomp to avoid the failure.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Latest versions of attr have removed the xattr.h header,
with the rationale that libc is providing the same wrappers.
attr/attributes.h is providing the ENOATTR definition.
Upstream-Status: Pending
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Linux system's realpath() remove trailing slashes, but pseudo's doesn't, need
make them identical.
E.g., the following code (rel.c) prints '/tmp' with system's realpath, but
pseudo's realpath prints '/tmp/':
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
int main() {
char out[PATH_MAX];
printf("%s\n", realpath("/tmp/", out));
return 0;
}
$ bitbake base-passwd -cdevshell # For pseudo env
$ gcc rel.c
$ ./a.out
/tmp/ (but should be /tmp)
This patch fixes the problem.
Upstream-Status: Submitted [https://lists.yoctoproject.org/g/poky/message/11879]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Modern distros (e.g. fedora30) are starting to use the new statx() syscall through
the newly exposed glibc wrapper function in software like coreutils (e.g. the ls
command). Add support to intercept this to pseudo.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream-Status: Submitted [Emailed to seebs]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When statting a file that we may or may not be opening with O_NOFOLLOW,
we should use lstat (or AT_SYMLINK_NOFOLLOW) to try to get information
about the right file.
Also when we want to check whether a bit is set, we should use & rather
than |. I am an experienced programmer and know the difference between
those.
|
|
Did you know that, similar to AT_SYMLINK_NOFOLLOW, there's
an O_NOFOLLOW available in flags for open/openat?
I didn't.
|
|
This adds SPDX license headers to all source files in pseudo so license
identification models current best practise.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Clean up the "unused parameter" warnings in renameat2.
|
|
This is a heck of a special case: If you call open on a FIFO/pipe,
and you didn't have O_NONBLOCK, and you used O_RDONLY or O_WRONLY,
but not O_RDWR, the open can block forever. Unfortunately, pseudo
assumes syscalls complete. We attempt to drop the lock and restore
our state, then recover it later.
Why? Because the .NET runtime does this for a debug hook.
|
|
So renameat2 now has a glibc wrapper in some recent glibc, which
means that mv can use it, and thus bypass all our clever testing,
and since we can't intercept the actual syscall (gnulib's implementation
apparently doesn't hit the glibc syscall() wrapper?), this results
in files being moved without pseudo knowing about them.
Implementing the semantics properly is Very Hard, but possibly we
can just fail politely for now.
We'll be back to this later.
|
|
openat() was passing its flags unaltered to pseudo_root_path(), which
assumes that a flags argument other than 0 means "don't follow symlinks
in last path component". This is completely wrong, and I have no idea
how it survived this long unnoticed.
Now, if a plain flags variable is set and not overruled by a
comment like /* flags=... */, it's masked with AT_SYMLINK_NOFOLLOW,
as there are other values fstatat() and friends can take, and the
openat() flags are just overridden with 0. (The only meaningful case
would be O_NOFOLLOW, but O_NOFOLLOW instructs us to *fail* in the
open if the path is a symlink, so we don't care.)
Signed-off-by: Seebs <seebs@seebs.net>
|
|
But what if syscall(2) was the *first* function with a wrapper
that you called?
Also reduced amount of argument-copying in syscall(2), on further
study, anything with off_t arguments has less than 6 arguments
by enough to keep the total argument count down.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
is followed by setxattr(); previously it was the other way around. This
broke pseudo when a copied directory has one of the special
bits (setuid, setgid, sticky) set; the special bit wound up getting
removed.
Root cause is that ACLs never included special bits in the first place,
so we need to merge them back in ourselves.
[YOCTO #12379]
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
|
|
This wrapper should allow us to reject renameat2 attempts by
coreutils, letting us regain functionality on FC27 and related
systems.
This is not safe/portable/etc even by pseudo's standards, and
arguably it should be a separate and optional port.
[Amended commit: Don't include the dodgy renameat2 wrapper
which it turns out we'd never hit anyway.]
Signed-off-by: Seebs <seebs@seebs.net>
|
|
The mkostemps() family are all bad but people use them so here we
are. Since mkstemp(), mkstemps(), and mkostemp() can all be
implemented by calling mkostemps() with additional zeroes passed
in, do it that way.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
O_TMPFILE is, on at least one system, (__O_TMPFILE | O_DIRECTORY),
so (flags & O_TMPFILE) can be non-zero even when O_TMPFILE was not set.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Whoops, missed this one. Reported/submitted by
<joshua.g.lock@linux.intel.com>.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Patch was submitted by <dan.dedrick@gmail.com>, revised to make it
a subport in case someone cares about a Linux system which doesn't
have this function. (Which is probably unlikely, but I am a cautious
sort.)
Signed-off-by: Seebs <seebs@seebs.net>
|
|
This allows the pseudo /etc/group to contain extremely long lines,
e.g. when a group has a lot of members. Without this, chown and
chgrp fail for group names that occur after such long lines.
Signed-off-by: Zoltán Böszörményi <zboszor@pr.hu>
Signed-off-by: Seebs <seebs@seebs.net>
---
ports/darwin/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/linux/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/uids_generic/guts/getgrent.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrgid.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrnam.c | 25 +++++++++++++++---
5 files changed, 146 insertions(+), 39 deletions(-)
|
|
This is a rework which replaces a previous patch. In this version,
files created with O_TMPFILE don't get recorded in the database
at all, but if we get a link request for /proc/self/fd/N, and the
corresponding file is not in the database, we send a CREAT request
for it instead of a LINK, and that appears to work with a MUCH
reduced chance of database leakage.
Also the O_TMPFILE won't be creating bogus database entries
anymore.
Signed-off-by: Seebs <seebs@seebs.net>
linkat fix
|
|
Based on a submission from Anton Gerasimov <anton@advancedtelematic.com>
On some systems, with some kernel configs, "cp -a" apparently tries to
set an empty ACL list, with a valid header but no contents, which causes
strange and mysterious behavior later if we actually create such an entry.
So filter that out, also sanity-check a couple of other things.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
file. Before setting a file's capabilities with cap_set_file() (which uses
setxattr()) it calls cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag,
CAP_SET). cap_set_flag() uses the capset syscall to raise the process'
effective capability. In most cases if the process isn't running as root
this will fail and setcap will exit with an error. Because setxattr is
intercepted by pseudo it's unnecessary for setcap to call capset().
Override capset with a pseudo function that does nothing and always
returns 0.
Signed-off-by: George McCollister <george.mccollister at gmail.com>
Signed-off-by: Seebs <seebs@seebs.net>
|
|
x32 compilation fails because x32 defines __amd64__ and thus pseudo tries
to grab a version of memcpy that's useful for amd64, and this isn't
available. Try disabling that, see what happens.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
There was a bug in rename(), which was duplicated when renameat() was
implemented, and which got fixed two years ago for rename(), but no
one ever uses renameat() so it didn't get fixed there. Thanks
to Anton Gerasimov <anton@advancedtelematic.com> for the bug report
and patch.
Signed-off-by: Seebs <seebs@seebs.net>
|
Richard Purdie
Matt Madison
Eilís 'pidge' Ní Fhlannagáin
Tomi Belan
Mike Crowe
Philip Lorenz
Ross Burton
Joe Slater
Stefan Agner
Johannes Beisswenger
Alexander Kanavin
Robert Yang
Seebs