path: root/ports
AgeCommit message (Collapse)AuthorFilesLines
2019-08-02use *correct* flags for open/openat, also apply them for related statHEADmasterSeebs2-12/+26
When statting a file that we may or may not be opening with O_NOFOLLOW, we should use lstat (or AT_SYMLINK_NOFOLLOW) to try to get information about the right file. Also when we want to check whether a bit is set, we should use & rather than |. I am an experienced programmer and know the difference between those.
2019-08-01handle O_NOFOLLOW in flags for open/openatSeebs1-6/+6
Did you know that, similar to AT_SYMLINK_NOFOLLOW, there's an O_NOFOLLOW available in flags for open/openat? I didn't.
2019-05-15Add SPDX-License-Identifier: LGPL-2.1-only to filesRichard Purdie220-60/+457
This adds SPDX license headers to all source files in pseudo so license identification models current best practise. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-04-10fix warnings in renameat2Seebs1-0/+5
Clean up the "unused parameter" warnings in renameat2.
2019-04-10Try to handle blocking open.Seebs1-0/+37
This is a heck of a special case: If you call open on a FIFO/pipe, and you didn't have O_NONBLOCK, and you used O_RDONLY or O_WRONLY, but not O_RDWR, the open can block forever. Unfortunately, pseudo assumes syscalls complete. We attempt to drop the lock and restore our state, then recover it later. Why? Because the .NET runtime does this for a debug hook.
2019-04-09don't renameat2 pleaseSeebs2-0/+21
So renameat2 now has a glibc wrapper in some recent glibc, which means that mv can use it, and thus bypass all our clever testing, and since we can't intercept the actual syscall (gnulib's implementation apparently doesn't hit the glibc syscall() wrapper?), this results in files being moved without pseudo knowing about them. Implementing the semantics properly is Very Hard, but possibly we can just fail politely for now. We'll be back to this later.
2018-04-13Fix symlink following errorsSeebs1-2/+2
openat() was passing its flags unaltered to pseudo_root_path(), which assumes that a flags argument other than 0 means "don't follow symlinks in last path component". This is completely wrong, and I have no idea how it survived this long unnoticed. Now, if a plain flags variable is set and not overruled by a comment like /* flags=... */, it's masked with AT_SYMLINK_NOFOLLOW, as there are other values fstatat() and friends can take, and the openat() flags are just overridden with 0. (The only meaningful case would be O_NOFOLLOW, but O_NOFOLLOW instructs us to *fail* in the open if the path is a symlink, so we don't care.) Signed-off-by: Seebs <seebs@seebs.net>
2018-03-31initialize wrappers in syscall wrapperSeebs1-9/+8
But what if syscall(2) was the *first* function with a wrapper that you called? Also reduced amount of argument-copying in syscall(2), on further study, anything with off_t arguments has less than 6 arguments by enough to keep the total argument count down. Signed-off-by: Seebs <seebs@seebs.net>
2018-03-30Recently (2015) coreutils cp -Rp changed its behavior such that chmod()Seebs1-0/+19
is followed by setxattr(); previously it was the other way around. This broke pseudo when a copied directory has one of the special bits (setuid, setgid, sticky) set; the special bit wound up getting removed. Root cause is that ACLs never included special bits in the first place, so we need to merge them back in ourselves. [YOCTO #12379] Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
2018-03-29Experimental syscall(2) wrapper.Seebs4-0/+57
This wrapper should allow us to reject renameat2 attempts by coreutils, letting us regain functionality on FC27 and related systems. This is not safe/portable/etc even by pseudo's standards, and arguably it should be a separate and optional port. [Amended commit: Don't include the dodgy renameat2 wrapper which it turns out we'd never hit anyway.] Signed-off-by: Seebs <seebs@seebs.net>
2018-02-26Handle more mk*stemp* functions.Seebs5-35/+88
The mkostemps() family are all bad but people use them so here we are. Since mkstemp(), mkstemps(), and mkostemp() can all be implemented by calling mkostemps() with additional zeroes passed in, do it that way. Signed-off-by: Seebs <seebs@seebs.net>
2018-02-15Handle O_TMPFILE more betterSeebs1-2/+2
O_TMPFILE is, on at least one system, (__O_TMPFILE | O_DIRECTORY), so (flags & O_TMPFILE) can be non-zero even when O_TMPFILE was not set. Signed-off-by: Seebs <seebs@seebs.net>
2018-01-20Fix openat flag #ifdef typopseudo-1.9.0PSEUDO_1_9_0Seebs2-2/+2
Whoops, missed this one. Reported/submitted by <joshua.g.lock@linux.intel.com>. Signed-off-by: Seebs <seebs@seebs.net>
2018-01-16Add statvfs wrapperSeebs3-0/+27
Patch was submitted by <dan.dedrick@gmail.com>, revised to make it a subport in case someone cares about a Linux system which doesn't have this function. (Which is probably unlikely, but I am a cautious sort.) Signed-off-by: Seebs <seebs@seebs.net>
2018-01-16Handle long lines in /etc/groupSeebs5-39/+146
This allows the pseudo /etc/group to contain extremely long lines, e.g. when a group has a lot of members. Without this, chown and chgrp fail for group names that occur after such long lines. Signed-off-by: Zoltán Böszörményi <zboszor@pr.hu> Signed-off-by: Seebs <seebs@seebs.net> --- ports/darwin/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++----------- ports/linux/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++----------- ports/uids_generic/guts/getgrent.c | 26 +++++++++++++++--- ports/uids_generic/guts/getgrgid.c | 26 +++++++++++++++--- ports/uids_generic/guts/getgrnam.c | 25 +++++++++++++++--- 5 files changed, 146 insertions(+), 39 deletions(-)
2018-01-16handle O_TMPFILE and linkat()Seebs2-48/+121
This is a rework which replaces a previous patch. In this version, files created with O_TMPFILE don't get recorded in the database at all, but if we get a link request for /proc/self/fd/N, and the corresponding file is not in the database, we send a CREAT request for it instead of a LINK, and that appears to work with a MUCH reduced chance of database leakage. Also the O_TMPFILE won't be creating bogus database entries anymore. Signed-off-by: Seebs <seebs@seebs.net> linkat fix
2017-02-24Don't try to record 0-length posix_acl_default xattrsSeebs1-3/+33
Based on a submission from Anton Gerasimov <anton@advancedtelematic.com> On some systems, with some kernel configs, "cp -a" apparently tries to set an empty ACL list, with a valid header but no contents, which causes strange and mysterious behavior later if we actually create such an entry. So filter that out, also sanity-check a couple of other things. Signed-off-by: Seebs <seebs@seebs.net>
2016-12-12The setcap utility supplied by libcap is used to set capabilities on aSeebs4-0/+23
file. Before setting a file's capabilities with cap_set_file() (which uses setxattr()) it calls cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET). cap_set_flag() uses the capset syscall to raise the process' effective capability. In most cases if the process isn't running as root this will fail and setcap will exit with an error. Because setxattr is intercepted by pseudo it's unnecessary for setcap to call capset(). Override capset with a pseudo function that does nothing and always returns 0. Signed-off-by: George McCollister <george.mccollister at gmail.com> Signed-off-by: Seebs <seebs@seebs.net>
2016-10-29Experimentally try to make x32 workSeebs1-1/+1
x32 compilation fails because x32 defines __amd64__ and thus pseudo tries to grab a version of memcpy that's useful for amd64, and this isn't available. Try disabling that, see what happens. Signed-off-by: Seebs <seebs@seebs.net>
2016-09-30Fix renameat (parallel to previous fix to rename)Seebs1-1/+6
There was a bug in rename(), which was duplicated when renameat() was implemented, and which got fixed two years ago for rename(), but no one ever uses renameat() so it didn't get fixed there. Thanks to Anton Gerasimov <anton@advancedtelematic.com> for the bug report and patch. Signed-off-by: Seebs <seebs@seebs.net>
2016-07-05Mark ports/unix/subports executableJoshua Lock1-0/+0
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
2016-05-18better handling of missing real_foo functionsPeter Seebach8-1/+53
So a recent change to ld.so behavior revealed that pseudo was not always correctly detecting that a function hadn't been found by the RTLD_NEXT search. This only happened for functions which genuinely didn't exist and wouldn't get called (like mknod on Linux, which is actually always done as an inline function that calls __xmknod), but when the diagnostics started showing up, it broke things. Fix it so the diagnostics would have shown up when things were originally broken, also fix the resulting diagnostics. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2016-03-10add wrapper for bindPeter Seebach2-0/+37
Since the pseudo socket is actually created by a call to bind, the bind call could create a file, which means it needs to record a database entry.
2016-03-09make bash stop bullying mePeter Seebach1-0/+1
So we had this really strange problem where, sometimes but not always, pseudo would have strange problems on startup, where the pseudo server would end up running under pseudo. And this produced the most fascinating thing, which was: unsetenv("LD_PRELOAD"); assert(getenv("LD_PRELOAD") == NULL); for (int i = 0; environ[i]; ++i) { assert(strncmp(environ[i], "LD_PRELOAD=", 11)); } (pseudocode untested) This would crash on the environ search. Because getenv() was not searching environ. WHAT. So it turns out, *bash overrides getenv, setenv, and so on*. Under those names. Hiding the glibc ones. And this creates horrible problems if you assumed that your code could call those functions and expect them to work. So as a workaround, pseudo now uses dlsym to find getenv, etc., from glibc, and invokes those directly if possible. Also the client now uses unwrapped fork/exec for spawning the server, which cleans up the behavior of that code quite a bit.
2016-03-02Server launch rework continued, probably finishedPeter Seebach3-4/+4
Server process now waits for its forked child when daemonizing, allowing us to yield meaningful exit status. Lock is now taken by the child, since it has a way to tell the parent about the exit status. (We send SIGUSR1 to the server to cause the wait loop to stop when the client is ready to go.) This allows us to switch to fcntl locking, which should in theory allow us to run with the pseudo directory NFS-mounted. Woot! Also mark a couple of overly spammy messages as PDBGF_VERBOSE to reduce the volume of uninteresting dup spam when looking at client behaviors. Client now uses execve to spawn server to work around a very strange behavior of unsetenv. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2016-01-22Fix mknod(...) with no file type bitsPeter Seebach2-0/+12
mknod(2) automatically defaults to S_IFREG if not given an explicit file type, so pseudo should too. Otherwise, GNU tar can (for some reason, it mostly does this when extracting xattrs?) invoke mknod instead of open with O_CREAT to create a file, and just provide the permission bits, and pseudo creates a "weird file" with no type bits in the database, which is unhelpful. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-09-22f*open*: Use more-correct mode.pseudo-1.7.4PSEUDO_1_7_4Peter Seebach4-4/+4
The f{re,}open{64,} functions use a default mode of 0666 & ~umask, and defaulting to 0600 for the post-open chmod was breaking some use cases. Problem and solution identified by Ross Burton, I just made the local copy of the patch. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-09-04Don't have mkdirat set errno unintentionallyPeter Seebach2-2/+6
mkdirat() was calling real_fchmodat with invalid arguments (it turns out that AT_SYMLINK_NOFOLLOW is both irrelevant and forbidden by Linux), and the wrapper function did not restore errno to its previous value. This breaks localedef, because localedef is unconditionally storing the value of errno after a mkdir *whether or not the mkdir failed*, which is almost certainly wrong. Similar issue with mkfifoat. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-09-03Finish (I hope) working around 0700 umasks.Peter Seebach6-2/+11
There's some changes to allow things to work even if umask is 0700; originally this was just regarded as a broken state, but it became necessary to fix it in order for the xattrdb code to work, only the fix could result in files having a raw filesystem mode that lacked execute bits it should have had. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-09-01realpath: allocate memory when null pointer givenPeter Seebach1-1/+1
When I trimmed the spurious free()s for the new lower-allocation path strategy, I forgot to look for cases where I was relying on the allocation, such as realpath(path, NULL). Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-24Small cleanups in passingPeter Seebach2-40/+15
gcc is better about warnings and spotted variables being assigned but not used. Clever gcc. Cleaned up the old bits. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-24xattrdb bug fixesPeter Seebach8-0/+8
When xattr emulation is used to store extended attributes, dummy entries get made in the db using whatever UID/GID were in the real stat buffer if no entry already existed. Change these to -1, and treat -1 uid/gid as a missing entry for stat purposes. xattrdb was not merging existing uid/gid values. Change this by loading existing values to merge them in when executing chown/chmod commands. Newly-created files could end up with a filesystem mode of 0 if you used umask, but this breaks xattrdb. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-21Clean up some const stuffPeter Seebach3-3/+3
Dropping the alloc from file paths meant that pseudo_exec_path could end up just returning its original argument, which was const-qualified, meaning its return should also be const-qualified. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-21New option: Use extended attributes to store db values.Peter Seebach4-18/+11
This is a moderately experimental feature which stores values in an extended attribute called 'user.pseudo_data' instead of in the database. Still missing: Database<->filesystem synchronization for this. For at least some workloads, this can dramatically improve performance. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-20Drop the allocation in pseudo_fix_path/pseudo_root_path/etc.Peter Seebach10-15/+2
Instead of allocating (and then freeing) these paths all the time, use a rotating selection of buffers of fixed but probably large enough size (the same size that would have been the maximum anyway in general). With the exception of fts_open, there's no likely way to end up needing more than two or three such paths at a time. fts_open dups the paths since it could have a large number and need them for a while. This dramatically reduces (in principle) the amount of allocation and especially reallocation going on. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-20Initial profiling implementation.Peter Seebach4-2/+39
A partially-implemented profiler for client time, which basically just inserts (optional) gettimeofday calls in various places and stashes data in a flat file containing one data block per pid. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-07-171.6.7: fix mkfifopseudo-1.6.7PSEUDO_1_6_7Peter Seebach2-15/+67
Worked for trivial cases, but spuriously closed fd 0 and had other issues. Separated implementations out.
2015-07-16Allow fifosPeter Seebach1-5/+13
Some years back, there was a historical reason (lost to the mists of time) for which we had problems if we allowed actual creation of fifos, but so far as we know we don't expect any problems with them now, and there's a bitbake change which would like to be able to use fifos for logging, so let's try enabling them and see what happens.
2014-10-03Possibly fix strange corruptionsPeter Seebach1-1/+5
Trying to track down problems which sometimes result in files showing up as nameless files, producing clashes later. Looks like there were two issues; one is we were creating links for files that we'd already found by inode. The other is that rename was sending bogus LINK messages in some cases. Also simplified the find_file_dev path to extract the path as part of the initial operation, since there wasn't any case where that wasn't being done immediately afterwards.
2014-07-17linux/portdefs.h: fix non-x86 buildPeter Seebach1-1/+1
The assumption that a host is either x86_64 or x86_32 does not hold well on target systems.
2014-07-11symbol version tweakspseudo-1.6.0PSEUDO_1_6_0Peter Seebach1-0/+14
We don't want to pick up newer memcpy because pseudo sometimes has to run host binaries even when built against a newer libc.
2014-07-10make xattr work on DarwinSeebs11-40/+356
More complicated, because we actually need to make com.apple stuff work probably.
2014-06-13Don't follow symlinks for lutimes()Peter Seebach2-3/+3
Also for lstat, but that probably never matters because in Linux you will never actually call lstat without working really hard at it, because you end up calling __lxstat anyway. (Was already doing the right thing for Darwin.)
2014-05-27Typo fixPeter Seebach1-2/+2
So it turns out that if you fix a bug inside an #ifdef that hasn't applied to anything in years, it doesn't actually fix the bug.
2014-05-27Honor umaskPeter Seebach7-0/+30
We used to rely on filesystem operations to apply the umask when appropriate, but when we started masking out 022, that stopped working. Start watching umask.
2014-05-16pseudo_has_unload: add functionPeter Seebach8-8/+8
Various wrappers checked for a non-null pseudo_get_value("PSEUDO_UNLOAD") to determine whether the environment should include the pseudo variables. None of those checks freed the returned value when it was not null. The new check function does. The new check function also sees whether PSEUDO_UNLOAD was defined in the environment that should be used in the wrapped system call. This allows pkg_postinst scripts to strip out the LD_PRELOAD setting, for example before invoking qemu to execute commands in an environment that does not have libpseudo.so. [YOCTO #4843] Signed-off-by: Peter A. Bigot <pab@pabigot.com> Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2014-05-16Permissions handling tweaks (fchmodat, mask out write bits)Peter Seebach1-5/+20
Change the handling of fchmodat(AT_SYMLINK_NOFOLLOW) to reject it if the host system does, so we preserve host system behavior. Mask out group/other write bits when actually creating files to reduce risks to filesystem integrity.
2014-05-15fchmodat: don't pass AT_SYMLINK_NOFOLLOWseebs/xattrPeter Seebach1-1/+6
underlying fchmodat() will just fail, but GNU tar calls it that way anyway, figuring it'll just retry on failure, but we don't report the failure. Nor do we want to, because that's expensive and slow and will result in additional database round trips. But I don't want to fail out right away, so for now, just strip the flag.
2014-04-24subports: Use right compilerPeter Seebach1-3/+13
Turns out the checks for feature support were using plain cc, not ${CC}, which could break tests. Also add a sanity check to the xattr support to confirm that <attr/xattr.h> is available. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2014-04-24Make configure handle xattr guessing (or specifying)Peter Seebach1-1/+2
Clean-up: Allow specification of environment hints for subports scripts, such as whether xattr support is available. Also make configure guess at a bit width if none is specified. Signed-off-by: Peter Seebach <peter.seebach@windriver.com>