Age | Commit message (Collapse) | Author |
|
In fakechroot, which pseudo tries to match the functionality of,
the default behavior when creating a symlink with an absolute target
is to prepend the chroot path, so that underlying syscalls will
get the right file.
It is necessary to be able to disable this behavior to create target
filesystems in some cases. To that end, support a new environment
variable, PSEUDO_NOSYMLINKEXP, which disables that behavior.
|
|
fgetxattr, since it doesn't use a path name.
|
|
execve() needs to use -1 for both fd and dirfd; the 0 dirfd was
causing various spurious warnings, as well as misidentifying
"exec" as "execat" in client logs.
|
|
The PSEUDO_DEBUG_FILE feature is enhanced, and is now also used by the
pseudo server.
|
|
Address a couple of compiler warnings, add a couple of signals to the
list of caught signals, etcetera.
|
|
pdb_history was overloaded as a delete function. Separated this
out into a query-builder and a pair of functions to use it, which
makes it cleaner.
|
|
|
|
|
|
Stop vacuuming the logs database under normal usage -- it's expensive
and slow, and not useful.
Make link(2) "correctly" (following Linux, rather than POSIX) link
to a symlink rather than to the file the symlink links to.
|
|
You can't use setenv() to modify the environment that will
be passed to a child process through execve()...
Also, fix the setupenv() to use PSEUDO_SUFFIX if defined.
Use execve() to spawn child processes, so we can use setupenv()
and dropenv().
|
|
This includes allowing %s (program name) and %d (pid).
|
|
|
|
We don't canonicalize OP_EXEC names (because they don't
want to be adapted for the chroot environment -- maybe we
should be doing that anyway, but right now we're not), so
mismatches with them are meaningless. So are mismatches
with the inode 0 reported for something that we never tried
to stat.
|
|
When you rename across devices, inode can change. Until now,
pseudo had no tools for handling a change in inode, but this
is clearly a legitimate case.
|
|
remake(1) can try to close a file from a signal handler. Since
any entrance to a pseudo-emulated function requires the mutex,
this can result in a deadlock. Solution: Suspend SIGCHLD (and
a couple of other signals likely to result in filesystem
operations) for the duration of the lock.
|
|
If multiple clients are active at once, the following could occur:
* Client #1 unlinks file A
* Client #2 creates file B, which reuses A's inode
* Client #2 sends request to server
* Client #1 sends request to server
* Processing client #2's request creates a mismatch warning for
file A/B.
* Processing client #1's request creates a mismatch warning too.
Note that this can happen even if Client #2 sends its request later,
as there's no intrinsic guarantee of the order in which requests
are processed; any SINGLE client is presumably executing operations
in order, but multiple clients aren't.
Fixing this in rmdir, unlink, and rename.
|
|
|
|
The *at() functions take a flags argument which, if set, says not
to follow symlinks. By default, this is passed to pseudo_root_path.
But the open() functions take a flags argument which is unrelated,
and should not be used by default.
|
|
It is possible for the database to get out of sync with the
filesystem. Detecting this after the fact can be hard. Provide a
hook for requesting a check.
Also merge in some LD_LIBRARY_PATH fixes.
|
|
|
|
Send program name (program_invocation_name from glibc) along with the
tag.
Along the way, restructure the fds/pids/tags arrays to be an array
of client structures in pseudo_server, and add the message type
to the set of things logged -- logging that a message was a ping is
more useful than appending the text "ping" to it. Add support
for type and program to pseudolog.
Add deletion to pseudolog.
Handle usage message formatting when there's an odd number of known
specifiers for pseudolog.
Conflicts:
ChangeLog.txt
pseudo_server.c
|
|
* Add lckpwdf/ulckpwdf to guts/README
* Remove arguments from function pointer arguments.
While in theory the compar function pointer has always taken
"const struct dirent **", some systems (many) have declared
it instead as taking "const void *". For now, just omit
the types; a pointer to function taking unknown arguments
is a compatible type, and we never call the functions, we
just pass them to something else.
* Handle readlinkat() on systems without *at functions
* Fix pseudo_etc_file (spotted by "fortify")
When O_CREAT can be a flag, 0600 mode is needed. While we're
at it, remove a bogus dummy open.
* Fix mkdtemp()
Was returning the address of the internal buffer rather than the
user-provided buffer. Also fixed a typo in an error message.
* Don't call fgetgrent_r() with a null FILE *.
* A couple of other typo-type fixes.
|
|
|
|
It's not enough to rely on the usual chroot() stuff affecting the
file open, not least because these use the glibc-internal __open
which is not currently intercepted, but also because we want to
use the PSEUDO_PASSWD path when that's set but there's no chroot().
There's some extra magic in pseudo_etc_file to support these
operations, since they can legitimately create a file rather
than opening an existing one.
|
|
Moved readlink fixup into a general-purpose function for
removing chroot prefixes.
|
|
Migrate the stable part of the wrapper code (not machine-generated)
out of makewrappers, to make it easier to maintain.
|
|
Corporate policy is that each module should have a copyright notice.
|
|
Document some limitations of getgroups()/setgroups().
|
|
Spotted some glibc extensions to file modes, altered fopen logic.
Fix handling for the case where the underlying pseudo_pwd_fd or
pseudo_grp_fd are closed.
|
|
This is a first pass at handling password/group calls, allowing
the use of custom password/group files. In particular, when
chroot()ed to a particular directory, pseudo picks files in
that directory by default, to improve support for the typical
use case where pseudo uses chroot() only to jump into a virtual
target filesystem.
|
|
|
|
unlink and symlink are over 5 characters, so change default format
to %-7o for operation.
|
|
This allows us to track execution, although the tracking for it
requires some additional thought -- the basic assumption is that we
don't want to canonicalize names into the chroot() directory, but
since all the filename canonicalization assumes that we want this,
that will take some sneaking. It's a little useful as is, though,
so I'm running with it.
|
|
This patch adds support for checking whether a file was opened for
reading, writing, or both, as well as tracking append flags. It is
not very well tested. This is preparation for improved host
contamination checking.
|
|
None of them seem to have been genuine problems, but it's prettier now,
and some were questionable.
|
|
Not that it changes anything, but by convention we like to
use NULL, not 0, to express a null pointer.
|
|
|
|
Add chroot() and a large number of things needed to make it work.
The list of intercepted calls is large but not exhaustive.
|
|
* Improve makewrappers handling of function pointer arguments.
* Regenerate wrappers when makewrappers is touched.
* Move path resolution from pseudo_client_op into wrapper
functions.
* Eliminate dependency on PATH_MAX.
* Related cleanup, such as tracking CWD better, and using
the tracked value for getcwd().
|
|
|
|
Add the -h (help) option to pseudo, and document -h for both
pseudo and pseudolog.
|
|
For reasons not clear to me, early iterations of pseudo_client.c
used errno %d instead of calling strerror(). Since I already
called strerror() elsewhere in the file, calling it a few more
times isn't a problem.
|
|
spotting these.) Check for failed calls to pseudo_prefix_path in
a couple of places, handle failed open of pid file, and make
pseudo_prefix_path robust in the case of a zero-length PSEUDO_PREFIX.
Also, don't try to overwrite the contents of an environment
variable anymore. (The amazing part? None of these have ever
caused a failure.)
|
|
|