| Age | Commit message (Collapse) | Author |
|---|
|
lstat can fail on XFS if the inode number won't fit in a 32-bit value.
Use base_lstat. Also, just in case, don't call it if it's not initialized
yet (which should never happen).
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
This is a moderately experimental feature which stores values in an
extended attribute called 'user.pseudo_data' instead of in the database.
Still missing: Database<->filesystem synchronization for this.
For at least some workloads, this can dramatically improve performance.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Instead of allocating (and then freeing) these paths all the time,
use a rotating selection of buffers of fixed but probably large enough
size (the same size that would have been the maximum anyway in
general). With the exception of fts_open, there's no likely way to
end up needing more than two or three such paths at a time. fts_open
dups the paths since it could have a large number and need them for
a while. This dramatically reduces (in principle) the amount of allocation
and especially reallocation going on.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
A partially-implemented profiler for client time, which basically just
inserts (optional) gettimeofday calls in various places and stashes data
in a flat file containing one data block per pid.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Having the same logic twice was sorta bugging me. Now the
function-like-macro is sorta bugging me, and I'll just let
it.
|
|
This is derived in significant part from contributions to oe-core
by Peter A. Bigot. I reworked the path routine a bit to use an
already duplicated string instead of allocating copies of parts of
it.
The first issue was just that there was a missing antimagic() around
some of the path operations. The second is that we wanted to have
a way to provide a fallback password file which isn't the host's,
but which can be used in the case where the target filesystem hasn't
got a password yet, for bootstrapping purposes. (So there's a minimal
password file that just has root, basically.)
Also, I noticed a design flaw, which is that if you ended up
calling pseudo_pwd_lck_open() twice in a row, the second time
through, pseudo would first check whether it had a path name
for the file (it does), and thus not allocate one, then call
the close routine (which frees it and nulls the pointer), then
open a new one... and not have a file name, so the next attempt
to close it wouldn't unlink the file. This shouldn't ever
come up in real code, but it was bugging me.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
It turns out that "a/" is equivalent to "a/.", and that in particular
it should fail when a is not a directory. Pseudo's been silently stripping
them and this breaks things. Attempt to fix that, lightly tested.
|
|
strlen(array) isn't a constant expression, even though gcc can sometimes
figure it out at compile time.
|
|
Various wrappers checked for a non-null pseudo_get_value("PSEUDO_UNLOAD") to
determine whether the environment should include the pseudo variables. None
of those checks freed the returned value when it was not null. The new
check function does.
The new check function also sees whether PSEUDO_UNLOAD was defined in the
environment that should be used in the wrapped system call. This allows
pkg_postinst scripts to strip out the LD_PRELOAD setting, for example before
invoking qemu to execute commands in an environment that does not have
libpseudo.so.
[YOCTO #4843]
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The xattr first-pass implementation was allocating a buffer to
hold the name and value for a set operation, then pseudo_client was
allocating *another* buffer to hold the path and those two values.
pseudo_client_op develops more nuanced argument handling, and also
uses a static buffer for the extended paths it sometimes needs. So
for the typical use case, only occasional operations will need to
reallocate/expand the buffer, and we'll be down to copying things
into that buffer once per operation, instead of having two alloc/free
pairs and two copies.
And of course, that wasn't two alloc/free pairs, it was one alloc/free
pair and one alloc without a free. Whoops.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Initial, incomplete, support for extended attributes. Extended
attributes are implemented fairly naively, using a second table
in the file database using the primary file table's id as a
foreign key. The ON DELETE CASCADE behavior requires sqlite 3.6.19
or later with foreign key and trigger support compiled in.
To reduce round-trips, the client does not check for existing
attributes, but rather, sends three distinct set messages;
OP_SET_XATTR, OP_CREATE_XATTR, OP_REPLACE_XATTR. A SET message
always succeeds, a CREATE fails if the attribute already
exists, and a REPLACE fails if the attribute does not already
exist.
The /* flags */ feature of makewrappers is used to correct
path names appropriately, so all functions are already working
with complete paths, and can always use functions that work
on links; if they were supposed to dereference, the path
fixup code got that.
The xattr support is enabled, for now, conditional on
whether getfattr --help succeeds.
Not yet implemented: Translation for system.posix_acl_access,
which is used by "cp -a" (or "cp --preserve-all") on some
systems to try to copy modes.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
In some cases, we'd rather pseudo fail than fall back to using
/etc/passwd or /etc/group. Make the determination of what to fall
back to when neither PSEUDO_PASSWD nor a chroot directory contains
passwd/group files controllable by a configure-time flag, controlled
by --with-passwd-fallback= or --without-passwd-fallback.
|
|
This is a moderately intrusive change. The basic overall effect:
Debugging messages are now controlled, not by a numeric "level",
but by a series of flags, which are expressed as a string of
letters. Each flag has a single-letter form used for string
specifications, a name, a description, a numeric value (1 through N),
and a flag value (which is 1 << the numeric value). (This does mean
that no flag has the value 1, so we only have 31 bits available.
Tiny violins play.)
The other significant change is that the pseudo_debug calls
are now implemented with a do/while macro containing a conditional,
so that computationally-expensive arguments are never evaluated
if the corresponding debug flags weren't set. The assumption is
that in the vast majority of cases (specifically, all of them
so far) the debug flags for a given call are a compile-time constant,
so the nested conditional will never actually show up in code
when compiled with optimization; we'll just see the appropriate
conditional test.
The VERBOSE flag is magical, in that if the VERBOSE flag is
used in a message, the debug flags have to have both VERBOSE and
at least one other flag for the call to be made.
This should dramatically improve performance for a lot of cases
without as much need for PSEUDO_NDEBUG, and improve the ability of
users to get coherent debugging output that means something and is
relevant to a given case.
It's also intended to set the stage for future development work
involving improving the clarity and legibility of pseudo's diagnostic
messages in general.
Old things which used numeric values for PSEUDO_DEBUG will sort
of continue to work, though they will almost always be less verbose
than they used to. There should probably be a pass through adding
"| PDBGF_CONSISTENCY" to a lot of the messages that are specific
to some other type.
|
|
Some filesystems have buggy semantics where stat(2) will return incorrect
sizes for files for a while after some changes, sometimes, unless they've
been fsync'd. We still want to disable fsync most of the time, but enabling
it for specific programs can be useful.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
There were a couple of cases where pseudo built against GLIBC_2.7 or
newer was ending up with dependencies on symbols which required
GLIBC_2.7. With these gone, it appears that a libpseudo.so can be
used on an older host in some cases. None were particularly important
or intentional:
1. pseudo_util was conditionally calling open() with only two arguments,
which can invoke a new __open2() function in some systems. Don't care,
and the docs specifically state that the mode argument is "ignored" when
O_CREAT is absent, so it's not necessary to omit it.
2. The calls to sscanf/fscanf in pseudo_client.c were getting translated
into a special new iso_c99 sscanf/fscanf, and we don't care because we're
not using those features; #define _GNU_SOURCE suppresses the extra-compliant
behavior.
Signed-off-by: seebs <peter.seebach@windriver.com>
|
|
The logic for whether to allocate space for the "base" path
in pseudo_fix_path recognized that you don't need it when the
path you're evaluating starts with a slash.
This is great, except:
1. It's not actually true, if rootlen isn't 0.
2. The decision of whether or not to copy over the base
path didn't check for this, so it would happen anyway.
The net result is, if you had a path in excess of 256 characters as
a base (say, a chroot directory), and you tried to evaluate a path
starting with a slash (say, /etc/shadow), pseudo would allocate enough
space for the path, but not for the base path, and then copy the
base path into it anyway. The rounding up to multiples of 256 isn't
enough to save us in this case.
Solution:
1. Make the logic for the base path copy match the allocation logic.
2. Use (path[0] != '/' || rootlen) as the second part of the test,
because if there's a non-zero rootlen, we're in a chroot and MUST
preserve at least some of the path.
This could maybe be smarter (what if we only allocated space for
rootlen in that case?) except that in reality, it's very very
often the case that baselen == rootlen, and it's not as though we
want MORE complexity.
|
|
Spotted a couple of things during the last batch of fixes; fixing these
up so things are more consistent or clearer.
|
|
Change from internal PSEUDO_RELOADED to external PSEUDO_UNLOAD environment
variable. Enable external programs to have a safe and reliable way to unload
pseudo on the next exec*. PSEUDO_UNLOAD also will disable pseudo if we're in a
fork/clone situation in the same way PSEUDO_DISABLED=1 would.
Rename the PSEUDO_DISABLED tests, and create a similar set for the new
PSEUDO_UNLOAD.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
debugger messages from going to the wrong place. No longer fclose(stderr)
after grabbing log file, because stderr is likely still using fd 2.
|
|
This is a spiffied-up rebase of a bunch of intermediate changes, presented
as a whole because it is, surprisingly, less confusing that way. The basic
idea is to separate the guts code into categories ranging from generic
stuff that can be the same everywhere and specific variants. The big scary
one is the Darwin support, which actually seems to run okay on 64-bit OS X
10.6. (No other variants were tested.) The other example given is support
for the old clone() syscall on RHEL 4, which affects some wrlinux use cases.
There's a few minor cleanup bits here, such as a function with inconsistent
calling conventions, but nothing really exciting.
|
|
This is fussy, because we have to actually do the path search ourselves
as best we can to handle unqualified paths. The result, though, is
more meaningful logs.
Along the way, fix some bitrot in the comments in pseudo_fix_path and
friends.
|
|
2010-12-09:
* (mhatle) Add doc/program_flow to attempt to explain startup/running
* (mhatle) guts/* minor cleanup
* (mhatle) Reorganize into a new constructor for libpseudo ONLY
pseudo main() now manually calls the util init
new / revised init for client, wrappers and utils
* (mhatle) Add central "reinit" function
* (mhatle) Add manul execv* functions
* (mhatle) rename pseudo_populate_wrappers to pseudo_check_wrappers
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
be out of sync in a very inconvenient way.
Changes include:
* Some whitespace fixes, also move the pseudo_variables definition
into pseudo_util.c since it's not used anywhere else.
* Further improvements in the fork() support:
We now recognize both positive and negative forms of PSEUDO_DISABLED,
so we can distinguish between "it was removed from the environment
by env -i" (restore the old value) and "it was intentionally turned
off" (the new value wins).
* clone(2) support. This is a little primitive, and programs might still
fail horribly due to clone's semantics, but at least it's there and
passes easy test cases.
Plus a big patch from Mark Hatle:
Cleanup fork/clone and PSEUDO_DISABLED
guts/fork.c:
* cleanup function and make it more robust
* be sure to call pseudo_setupenv prior to pseudo_client_reset
to match exec behavior
pseudo_wrappers.c:
* fix mismatched type in execl_to_v call via typecast
* Simplify fork call via single call to wrap_fork()
* be sure to save pseudo_disabled
* be sure to call pseudo_setupenv prior to pseudo_client_reset
to match exec behavior
tests:
* Add a test of whether pseudo can be disabled/enabled on a fork.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
|
|
that for a macro that does it correctly. Why not just use strcmp,
you ask? Because we aren't doing a string compare, we're looking
for a prefix.
|
|
an LD_LIBRARY_PATH that included the pseudo library directory
and some other directories, the other directories would get
wiped out. Also a couple of whitespace rationalizatoins.
|
|
For reasons that may never be known, the /usr/bin/find on
RHEL5 contains its own local copies of regcomp() and
regexec(). Thus, when pseudo makes calls to these functions,
it gets the local copies in the binary instead of the ones in
libc.
But wait! That's not all. There's also the fascinating
detail that, for reasons unknown, these local copies have
an incompatible API, such that:
regexec(pattern, list, 1, pmatch, 0);
can write to more than one element of pmatch, and since
that's a local array of one member, that means that they
can crush something on the stack, such that a couple of
function calls later you get a segfault in Nothing In
Particular.
So. We try to grab the real regcomp/regexec from libc,
using dlsym, and if we can't, we fall back on whatever the
defaults were.
Inexplicably, this code actually made pseudo crash less often
on at least one target. This is madness within madness, and
I really have no idea why on earth /usr/bin/find, on a Linux
system, would have its own local copies of regcomp/regexec,
let alone why it would have copies that had substantially
different semantics.
|
|
Fixed a couple of allocation issues, corrected an off-by-one
error in environment setup.
|
|
Fix an obvious ld_preload/ld_library_path mixup in pseudo_util.c
Signed-off-by: Richard Purdie <richard.purdie@intel.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
|
|
Add local variable cache via get_value and set_value. The local cache
is setup at constructor time (or soon after).
Rewrite the pseudo_setupenv and pseudo_dropenv routines, add a new
pseudo_setupenvp and pseudo_dropenvp as well to handle the execve
cases.
We can now successfully use /usr/bin/env -i env and get pseudo values
back!
|
|
We can potentially under allocate memory due.
|
|
If the environment has been cleared (in an execve for instance),
we need to seed the environment with the PSEUDO_PREFIX,
PSEUDO_BINDIR, PSEUDO_LIBDIR, and PSEUDO_LOCALSTATEDIR values.
|
|
Add PSEUDO_BINDIR, PSEUDO_LIBDIR, and PSEUDO_LOCALSTATEDIR to allow for more
easy customization of PSEUDO components at run-time. If these are not set
they will be automatically generated based on the existing PSEUDO_PREFIX path.
PSEUDO_BINDIR = PSEUDO_PREFIX /bin
PSEUDO_LIBDIR = PSEUDO_PREFIX /lib
PSEUDO_LOCALSTATEDIR = PSEUDO_PREFIX /var/pseudo
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
|
|
libpseudo-foo.so.
|
|
The PSEUDO_SUFFIX thing is an installation quirk to allow our
build system to tag libpseudo.so with a checksum of the host libc.
However, we reuse a prebuilt pseudo server with the new pseudo
libraries; this means that encoding the suffix in the environment
hackery is a Bad Idea.
Update version number to 0.3, since this seems to wrap up a
hunk of development effort.
|
|
The PSEUDO_DEBUG_FILE feature is enhanced, and is now also used by the
pseudo server.
|
|
Address a couple of compiler warnings, add a couple of signals to the
list of caught signals, etcetera.
|
|
You can't use setenv() to modify the environment that will
be passed to a child process through execve()...
Also, fix the setupenv() to use PSEUDO_SUFFIX if defined.
Use execve() to spawn child processes, so we can use setupenv()
and dropenv().
|
|
* Add lckpwdf/ulckpwdf to guts/README
* Remove arguments from function pointer arguments.
While in theory the compar function pointer has always taken
"const struct dirent **", some systems (many) have declared
it instead as taking "const void *". For now, just omit
the types; a pointer to function taking unknown arguments
is a compatible type, and we never call the functions, we
just pass them to something else.
* Handle readlinkat() on systems without *at functions
* Fix pseudo_etc_file (spotted by "fortify")
When O_CREAT can be a flag, 0600 mode is needed. While we're
at it, remove a bogus dummy open.
* Fix mkdtemp()
Was returning the address of the internal buffer rather than the
user-provided buffer. Also fixed a typo in an error message.
* Don't call fgetgrent_r() with a null FILE *.
* A couple of other typo-type fixes.
|
|
It's not enough to rely on the usual chroot() stuff affecting the
file open, not least because these use the glibc-internal __open
which is not currently intercepted, but also because we want to
use the PSEUDO_PASSWD path when that's set but there's no chroot().
There's some extra magic in pseudo_etc_file to support these
operations, since they can legitimately create a file rather
than opening an existing one.
|
|
Moved readlink fixup into a general-purpose function for
removing chroot prefixes.
|
|
Spotted some glibc extensions to file modes, altered fopen logic.
Fix handling for the case where the underlying pseudo_pwd_fd or
pseudo_grp_fd are closed.
|
|
This is a first pass at handling password/group calls, allowing
the use of custom password/group files. In particular, when
chroot()ed to a particular directory, pseudo picks files in
that directory by default, to improve support for the typical
use case where pseudo uses chroot() only to jump into a virtual
target filesystem.
|
|
This allows us to track execution, although the tracking for it
requires some additional thought -- the basic assumption is that we
don't want to canonicalize names into the chroot() directory, but
since all the filename canonicalization assumes that we want this,
that will take some sneaking. It's a little useful as is, though,
so I'm running with it.
|
|
This patch adds support for checking whether a file was opened for
reading, writing, or both, as well as tracking append flags. It is
not very well tested. This is preparation for improved host
contamination checking.
|
|
None of them seem to have been genuine problems, but it's prettier now,
and some were questionable.
|
|
Add chroot() and a large number of things needed to make it work.
The list of intercepted calls is large but not exhaustive.
|
|
* Improve makewrappers handling of function pointer arguments.
* Regenerate wrappers when makewrappers is touched.
* Move path resolution from pseudo_client_op into wrapper
functions.
* Eliminate dependency on PATH_MAX.
* Related cleanup, such as tracking CWD better, and using
the tracked value for getcwd().
|
Peter Seebach
Mark Hatle
seebs
Peter Seebach