| Age | Commit message (Collapse) | Author |
|---|
|
Newer versions of glibc have a lchmod function which we need to wrap.
Add this, and tweak fchmodat to be able to handle the "no symlink
resolution" case rather than duplicate code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Similar to mkstemp64 when oflags=0, therefore move the wrapper and call
from mkstemp64. Note that some glibc versions would have one but not the other
so ensure fall back to the real function is correct on those versions.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There is magic in the posts where specific variable names have specific
magic. For that magic to work, "path" needs to be used not "pathname" as
is currently there. Fix this, which fixes path issues on systems using
statx (Ubuntu 20.04 in particular).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In the xattr handling functions, if result is NULL, which it can be
with the path ignore code, there is a NULL pointer dereference and
segfault. Everywhere else checks result first, this appears to just
be an omission.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Currently, pseudo considers any path accessed whist its running to be
a valid entry to track in its database. The way OpenEmbedded uses pseudo,
there are paths we care about accesses to from a pseudo perspective and paths
which we simply don't care about.
This patch adds a PSEUDO_IGNORE_PATHS environment variable which is a comma
separated list of path prefixes to ignore accesses to.
To do this, we add some functions which can check a path argument or a file
descriptor argument and use these in the pseudo wrappers where path or fd
arguments are present. Where paths are being ignored, we skip straight to
the underlying real function.
Psuedo needs to keep track of the open fd mappings to files so we still need
to allow those cases into the pseudo_op function. Specficially this means
OP_CLOSE, OP_OPEN, OP_DUP and OP_CHDIR.
Apart from OP_OPEN which could call the server, the other operations are client
side only so passed through. We 'tag' the functions using these operations so
that the path ignore code isn't triggered. For OP_OPEN we exit early and skip
the server op. We also have a catch all in client_op to ensure any operatings
we didn't manage to skip early still get skipped correctly.
OP_CHROOT is a special case. Where ignored path prefixes are used as a chroot,
for the lifetime of the chroot, the path is effectively dropped from the
PSEUDO_IGNORE_PATHS list. Whilst slightly counter intuaitive, this turned out
to be the most effective way to do things due to commands like useradd and
their use of chroots.
For sqlite3 and appropriate path filtering in OE, this took the database from
45,000 entries to about 180. For dbus this was 88,000 down to 760. Given the
number of client to server trips these numbers of paths involves, the win
is seemingly worthwhile.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Linux 3.15 and newer introduced new open file description locks.
Currently pseudo prints a warning if fcntl is used with OFD locks:
unknown fcntl argument 37, assuming long argument.
However, calls to fcntl with a OFC lock set need a struct flock
pointer. Treat F_OFD_GETLK (and friends) like F_GETLK (and friends).
This issue has been observed with ostree. Comparing strace output
between two runs with/without this patch shows the same fcntl calls,
hence it seems not to matter in practice.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The file mode was accidentally overwritten with only the permission
bits, causing the server to falsely assume that the database was
corrupted (because the msg_header.mode did not contain S_IFDIR
anymore) even though it was the client doing the corruption.
In practice that had the effect of leaking the UID of the user, into
the pseudo environment.
This fixes Bug 13959 -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=13959
Signed-off-by: Johannes Beisswenger <johannes.beisswenger@cetitec.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
pseudo: ENOSYS for 'fsetxattr'.
which was being caused by dlsym() for that function returning NULL. This
appears to be due to it finding an unresolved symbol in libacl for this
symbol in libattr. It hasn't been resolved so its NULL. dlerror() returns
nothing since this is a valid symbol entry, its just not the one we want.
We can add the glibc version string for the symbol we actually want so we get
that version rather than the libattr/libacl one.
To quote libattr:
"""
These dumb wrappers are for backwards compatibility only.
Actual syscall wrappers are long gone to libc.
"""
and they are simply wrappers around the libc version so our attaching
to the libc versions should intercept any accesses via these too.
RP 2020/06/22
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
Upstream-Status: Pending [discussed with seebs on irc and appears the correct fix]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
seccomp was setup when in fact we do nothing. If we error as unsupported,
utilities like file will exit with errors so we can't just disable it.
Also, it fails to compile pseudo-native on centos 7:
| ports/linux/pseudo_wrappers.c: In function ‘prctl’:
| ports/linux/pseudo_wrappers.c:129:14: error: ‘SECCOMP_SET_MODE_FILTER’ undeclared (first use in this function)
| if (cmd == SECCOMP_SET_MODE_FILTER) {
| ^
Add macro guard for seccomp to avoid the failure.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Latest versions of attr have removed the xattr.h header,
with the rationale that libc is providing the same wrappers.
attr/attributes.h is providing the ENOATTR definition.
Upstream-Status: Pending
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Modern distros (e.g. fedora30) are starting to use the new statx() syscall through
the newly exposed glibc wrapper function in software like coreutils (e.g. the ls
command). Add support to intercept this to pseudo.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream-Status: Submitted [Emailed to seebs]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When statting a file that we may or may not be opening with O_NOFOLLOW,
we should use lstat (or AT_SYMLINK_NOFOLLOW) to try to get information
about the right file.
Also when we want to check whether a bit is set, we should use & rather
than |. I am an experienced programmer and know the difference between
those.
|
|
Did you know that, similar to AT_SYMLINK_NOFOLLOW, there's
an O_NOFOLLOW available in flags for open/openat?
I didn't.
|
|
This adds SPDX license headers to all source files in pseudo so license
identification models current best practise.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Clean up the "unused parameter" warnings in renameat2.
|
|
This is a heck of a special case: If you call open on a FIFO/pipe,
and you didn't have O_NONBLOCK, and you used O_RDONLY or O_WRONLY,
but not O_RDWR, the open can block forever. Unfortunately, pseudo
assumes syscalls complete. We attempt to drop the lock and restore
our state, then recover it later.
Why? Because the .NET runtime does this for a debug hook.
|
|
So renameat2 now has a glibc wrapper in some recent glibc, which
means that mv can use it, and thus bypass all our clever testing,
and since we can't intercept the actual syscall (gnulib's implementation
apparently doesn't hit the glibc syscall() wrapper?), this results
in files being moved without pseudo knowing about them.
Implementing the semantics properly is Very Hard, but possibly we
can just fail politely for now.
We'll be back to this later.
|
|
openat() was passing its flags unaltered to pseudo_root_path(), which
assumes that a flags argument other than 0 means "don't follow symlinks
in last path component". This is completely wrong, and I have no idea
how it survived this long unnoticed.
Now, if a plain flags variable is set and not overruled by a
comment like /* flags=... */, it's masked with AT_SYMLINK_NOFOLLOW,
as there are other values fstatat() and friends can take, and the
openat() flags are just overridden with 0. (The only meaningful case
would be O_NOFOLLOW, but O_NOFOLLOW instructs us to *fail* in the
open if the path is a symlink, so we don't care.)
Signed-off-by: Seebs <seebs@seebs.net>
|
|
But what if syscall(2) was the *first* function with a wrapper
that you called?
Also reduced amount of argument-copying in syscall(2), on further
study, anything with off_t arguments has less than 6 arguments
by enough to keep the total argument count down.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
is followed by setxattr(); previously it was the other way around. This
broke pseudo when a copied directory has one of the special
bits (setuid, setgid, sticky) set; the special bit wound up getting
removed.
Root cause is that ACLs never included special bits in the first place,
so we need to merge them back in ourselves.
[YOCTO #12379]
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
|
|
This wrapper should allow us to reject renameat2 attempts by
coreutils, letting us regain functionality on FC27 and related
systems.
This is not safe/portable/etc even by pseudo's standards, and
arguably it should be a separate and optional port.
[Amended commit: Don't include the dodgy renameat2 wrapper
which it turns out we'd never hit anyway.]
Signed-off-by: Seebs <seebs@seebs.net>
|
|
O_TMPFILE is, on at least one system, (__O_TMPFILE | O_DIRECTORY),
so (flags & O_TMPFILE) can be non-zero even when O_TMPFILE was not set.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Whoops, missed this one. Reported/submitted by
<joshua.g.lock@linux.intel.com>.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Patch was submitted by <dan.dedrick@gmail.com>, revised to make it
a subport in case someone cares about a Linux system which doesn't
have this function. (Which is probably unlikely, but I am a cautious
sort.)
Signed-off-by: Seebs <seebs@seebs.net>
|
|
This allows the pseudo /etc/group to contain extremely long lines,
e.g. when a group has a lot of members. Without this, chown and
chgrp fail for group names that occur after such long lines.
Signed-off-by: Zoltán Böszörményi <zboszor@pr.hu>
Signed-off-by: Seebs <seebs@seebs.net>
---
ports/darwin/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/linux/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/uids_generic/guts/getgrent.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrgid.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrnam.c | 25 +++++++++++++++---
5 files changed, 146 insertions(+), 39 deletions(-)
|
|
This is a rework which replaces a previous patch. In this version,
files created with O_TMPFILE don't get recorded in the database
at all, but if we get a link request for /proc/self/fd/N, and the
corresponding file is not in the database, we send a CREAT request
for it instead of a LINK, and that appears to work with a MUCH
reduced chance of database leakage.
Also the O_TMPFILE won't be creating bogus database entries
anymore.
Signed-off-by: Seebs <seebs@seebs.net>
linkat fix
|
|
Based on a submission from Anton Gerasimov <anton@advancedtelematic.com>
On some systems, with some kernel configs, "cp -a" apparently tries to
set an empty ACL list, with a valid header but no contents, which causes
strange and mysterious behavior later if we actually create such an entry.
So filter that out, also sanity-check a couple of other things.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
file. Before setting a file's capabilities with cap_set_file() (which uses
setxattr()) it calls cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag,
CAP_SET). cap_set_flag() uses the capset syscall to raise the process'
effective capability. In most cases if the process isn't running as root
this will fail and setcap will exit with an error. Because setxattr is
intercepted by pseudo it's unnecessary for setcap to call capset().
Override capset with a pseudo function that does nothing and always
returns 0.
Signed-off-by: George McCollister <george.mccollister at gmail.com>
Signed-off-by: Seebs <seebs@seebs.net>
|
|
x32 compilation fails because x32 defines __amd64__ and thus pseudo tries
to grab a version of memcpy that's useful for amd64, and this isn't
available. Try disabling that, see what happens.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
So a recent change to ld.so behavior revealed that pseudo was not
always correctly detecting that a function hadn't been found by the
RTLD_NEXT search. This only happened for functions which genuinely
didn't exist and wouldn't get called (like mknod on Linux, which
is actually always done as an inline function that calls __xmknod),
but when the diagnostics started showing up, it broke things. Fix it
so the diagnostics would have shown up when things were originally
broken, also fix the resulting diagnostics.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
mknod(2) automatically defaults to S_IFREG if not given an explicit
file type, so pseudo should too. Otherwise, GNU tar can (for some
reason, it mostly does this when extracting xattrs?) invoke mknod
instead of open with O_CREAT to create a file, and just provide the
permission bits, and pseudo creates a "weird file" with no type bits
in the database, which is unhelpful.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The f{re,}open{64,} functions use a default mode of 0666 & ~umask,
and defaulting to 0600 for the post-open chmod was breaking some use
cases. Problem and solution identified by Ross Burton, I just made the
local copy of the patch.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
There's some changes to allow things to work even if umask is 0700;
originally this was just regarded as a broken state, but it became
necessary to fix it in order for the xattrdb code to work, only the
fix could result in files having a raw filesystem mode that lacked
execute bits it should have had.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
When xattr emulation is used to store extended attributes, dummy
entries get made in the db using whatever UID/GID were in the real
stat buffer if no entry already existed. Change these to -1, and
treat -1 uid/gid as a missing entry for stat purposes.
xattrdb was not merging existing uid/gid values. Change this by
loading existing values to merge them in when executing chown/chmod
commands.
Newly-created files could end up with a filesystem mode of 0 if
you used umask, but this breaks xattrdb.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Instead of allocating (and then freeing) these paths all the time,
use a rotating selection of buffers of fixed but probably large enough
size (the same size that would have been the maximum anyway in
general). With the exception of fts_open, there's no likely way to
end up needing more than two or three such paths at a time. fts_open
dups the paths since it could have a large number and need them for
a while. This dramatically reduces (in principle) the amount of allocation
and especially reallocation going on.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
A partially-implemented profiler for client time, which basically just
inserts (optional) gettimeofday calls in various places and stashes data
in a flat file containing one data block per pid.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The assumption that a host is either x86_64 or x86_32 does not
hold well on target systems.
|
|
We don't want to pick up newer memcpy because pseudo sometimes has to
run host binaries even when built against a newer libc.
|
|
More complicated, because we actually need to make com.apple stuff work
probably.
|
|
Also for lstat, but that probably never matters because in Linux
you will never actually call lstat without working really hard at
it, because you end up calling __lxstat anyway. (Was already
doing the right thing for Darwin.)
|
|
We used to rely on filesystem operations to apply the umask when
appropriate, but when we started masking out 022, that stopped working.
Start watching umask.
|
|
Various wrappers checked for a non-null pseudo_get_value("PSEUDO_UNLOAD") to
determine whether the environment should include the pseudo variables. None
of those checks freed the returned value when it was not null. The new
check function does.
The new check function also sees whether PSEUDO_UNLOAD was defined in the
environment that should be used in the wrapped system call. This allows
pkg_postinst scripts to strip out the LD_PRELOAD setting, for example before
invoking qemu to execute commands in an environment that does not have
libpseudo.so.
[YOCTO #4843]
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Turns out the checks for feature support were using plain cc,
not ${CC}, which could break tests. Also add a sanity check to the
xattr support to confirm that <attr/xattr.h> is available.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Clean-up: Allow specification of environment hints for subports
scripts, such as whether xattr support is available. Also make
configure guess at a bit width if none is specified.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The "/* flags = AT_SYMLINK_NOFOLLOW */" comment only works if
it comes AFTER the semicolon in wrapfuncs.in. Who knew? Fix
those. Also rename the "flags" arguments for *setxattr() to
"xflags" to avoid any confusion about the flags variable.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The xattr first-pass implementation was allocating a buffer to
hold the name and value for a set operation, then pseudo_client was
allocating *another* buffer to hold the path and those two values.
pseudo_client_op develops more nuanced argument handling, and also
uses a static buffer for the extended paths it sometimes needs. So
for the typical use case, only occasional operations will need to
reallocate/expand the buffer, and we'll be down to copying things
into that buffer once per operation, instead of having two alloc/free
pairs and two copies.
And of course, that wasn't two alloc/free pairs, it was one alloc/free
pair and one alloc without a free. Whoops.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
In the fairly common case where someone is using
setxattr() to specify the "posix_acl_access" attribute, but in fact
the ACL list specified can be fully represented in a plain old mode,
we intercept the request and just do a chmod. Even if the request
can't be fully represented, we try to represent any aspects of it that
we can in the plain old mode.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Initial, incomplete, support for extended attributes. Extended
attributes are implemented fairly naively, using a second table
in the file database using the primary file table's id as a
foreign key. The ON DELETE CASCADE behavior requires sqlite 3.6.19
or later with foreign key and trigger support compiled in.
To reduce round-trips, the client does not check for existing
attributes, but rather, sends three distinct set messages;
OP_SET_XATTR, OP_CREATE_XATTR, OP_REPLACE_XATTR. A SET message
always succeeds, a CREATE fails if the attribute already
exists, and a REPLACE fails if the attribute does not already
exist.
The /* flags */ feature of makewrappers is used to correct
path names appropriately, so all functions are already working
with complete paths, and can always use functions that work
on links; if they were supposed to dereference, the path
fixup code got that.
The xattr support is enabled, for now, conditional on
whether getfattr --help succeeds.
Not yet implemented: Translation for system.posix_acl_access,
which is used by "cp -a" (or "cp --preserve-all") on some
systems to try to copy modes.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
This is a moderately intrusive change. The basic overall effect:
Debugging messages are now controlled, not by a numeric "level",
but by a series of flags, which are expressed as a string of
letters. Each flag has a single-letter form used for string
specifications, a name, a description, a numeric value (1 through N),
and a flag value (which is 1 << the numeric value). (This does mean
that no flag has the value 1, so we only have 31 bits available.
Tiny violins play.)
The other significant change is that the pseudo_debug calls
are now implemented with a do/while macro containing a conditional,
so that computationally-expensive arguments are never evaluated
if the corresponding debug flags weren't set. The assumption is
that in the vast majority of cases (specifically, all of them
so far) the debug flags for a given call are a compile-time constant,
so the nested conditional will never actually show up in code
when compiled with optimization; we'll just see the appropriate
conditional test.
The VERBOSE flag is magical, in that if the VERBOSE flag is
used in a message, the debug flags have to have both VERBOSE and
at least one other flag for the call to be made.
This should dramatically improve performance for a lot of cases
without as much need for PSEUDO_NDEBUG, and improve the ability of
users to get coherent debugging output that means something and is
relevant to a given case.
It's also intended to set the stage for future development work
involving improving the clarity and legibility of pseudo's diagnostic
messages in general.
Old things which used numeric values for PSEUDO_DEBUG will sort
of continue to work, though they will almost always be less verbose
than they used to. There should probably be a pass through adding
"| PDBGF_CONSISTENCY" to a lot of the messages that are specific
to some other type.
|
|
No idea how this survived so long, but the clone() syscall
prototype on RHEL 4.7 doesn't have the "..." for additional
arguments, so we can't pass them. Also had unused variables
that would otherwise have been being filled in from va_args
and passed. But there's no extra args to pass.
Interestingly, this contradicts the clone() man page in
RHEL 4.7. If you have problems with clone() there, that's
probably why.
|
Richard Purdie
Stefan Agner
Johannes Beisswenger
Alexander Kanavin
Seebs
Peter Seebach