| Age | Commit message (Collapse) | Author |
|---|
|
Whoops, missed this one. Reported/submitted by
<joshua.g.lock@linux.intel.com>.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Patch was submitted by <dan.dedrick@gmail.com>, revised to make it
a subport in case someone cares about a Linux system which doesn't
have this function. (Which is probably unlikely, but I am a cautious
sort.)
Signed-off-by: Seebs <seebs@seebs.net>
|
|
This allows the pseudo /etc/group to contain extremely long lines,
e.g. when a group has a lot of members. Without this, chown and
chgrp fail for group names that occur after such long lines.
Signed-off-by: Zoltán Böszörményi <zboszor@pr.hu>
Signed-off-by: Seebs <seebs@seebs.net>
---
ports/darwin/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/linux/guts/getgrouplist.c | 54 +++++++++++++++++++++++++++-----------
ports/uids_generic/guts/getgrent.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrgid.c | 26 +++++++++++++++---
ports/uids_generic/guts/getgrnam.c | 25 +++++++++++++++---
5 files changed, 146 insertions(+), 39 deletions(-)
|
|
This is a rework which replaces a previous patch. In this version,
files created with O_TMPFILE don't get recorded in the database
at all, but if we get a link request for /proc/self/fd/N, and the
corresponding file is not in the database, we send a CREAT request
for it instead of a LINK, and that appears to work with a MUCH
reduced chance of database leakage.
Also the O_TMPFILE won't be creating bogus database entries
anymore.
Signed-off-by: Seebs <seebs@seebs.net>
linkat fix
|
|
Based on a submission from Anton Gerasimov <anton@advancedtelematic.com>
On some systems, with some kernel configs, "cp -a" apparently tries to
set an empty ACL list, with a valid header but no contents, which causes
strange and mysterious behavior later if we actually create such an entry.
So filter that out, also sanity-check a couple of other things.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
file. Before setting a file's capabilities with cap_set_file() (which uses
setxattr()) it calls cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag,
CAP_SET). cap_set_flag() uses the capset syscall to raise the process'
effective capability. In most cases if the process isn't running as root
this will fail and setcap will exit with an error. Because setxattr is
intercepted by pseudo it's unnecessary for setcap to call capset().
Override capset with a pseudo function that does nothing and always
returns 0.
Signed-off-by: George McCollister <george.mccollister at gmail.com>
Signed-off-by: Seebs <seebs@seebs.net>
|
|
x32 compilation fails because x32 defines __amd64__ and thus pseudo tries
to grab a version of memcpy that's useful for amd64, and this isn't
available. Try disabling that, see what happens.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
There was a bug in rename(), which was duplicated when renameat() was
implemented, and which got fixed two years ago for rename(), but no
one ever uses renameat() so it didn't get fixed there. Thanks
to Anton Gerasimov <anton@advancedtelematic.com> for the bug report
and patch.
Signed-off-by: Seebs <seebs@seebs.net>
|
|
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
|
|
So a recent change to ld.so behavior revealed that pseudo was not
always correctly detecting that a function hadn't been found by the
RTLD_NEXT search. This only happened for functions which genuinely
didn't exist and wouldn't get called (like mknod on Linux, which
is actually always done as an inline function that calls __xmknod),
but when the diagnostics started showing up, it broke things. Fix it
so the diagnostics would have shown up when things were originally
broken, also fix the resulting diagnostics.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Since the pseudo socket is actually created by a call to bind, the
bind call could create a file, which means it needs to record a
database entry.
|
|
So we had this really strange problem where, sometimes but not always,
pseudo would have strange problems on startup, where the pseudo server
would end up running under pseudo. And this produced the most fascinating
thing, which was:
unsetenv("LD_PRELOAD");
assert(getenv("LD_PRELOAD") == NULL);
for (int i = 0; environ[i]; ++i) {
assert(strncmp(environ[i], "LD_PRELOAD=", 11));
}
(pseudocode untested)
This would crash on the environ search. Because getenv() was not searching
environ.
WHAT.
So it turns out, *bash overrides getenv, setenv, and so on*. Under those
names. Hiding the glibc ones. And this creates horrible problems if you
assumed that your code could call those functions and expect them to work.
So as a workaround, pseudo now uses dlsym to find getenv, etc., from
glibc, and invokes those directly if possible. Also the client now uses
unwrapped fork/exec for spawning the server, which cleans up the
behavior of that code quite a bit.
|
|
Server process now waits for its forked child when daemonizing, allowing
us to yield meaningful exit status. Lock is now taken by the child, since
it has a way to tell the parent about the exit status. (We send SIGUSR1 to
the server to cause the wait loop to stop when the client is ready to go.)
This allows us to switch to fcntl locking, which should in theory allow us
to run with the pseudo directory NFS-mounted. Woot!
Also mark a couple of overly spammy messages as PDBGF_VERBOSE to reduce the
volume of uninteresting dup spam when looking at client behaviors.
Client now uses execve to spawn server to work around a very strange behavior
of unsetenv.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
mknod(2) automatically defaults to S_IFREG if not given an explicit
file type, so pseudo should too. Otherwise, GNU tar can (for some
reason, it mostly does this when extracting xattrs?) invoke mknod
instead of open with O_CREAT to create a file, and just provide the
permission bits, and pseudo creates a "weird file" with no type bits
in the database, which is unhelpful.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The f{re,}open{64,} functions use a default mode of 0666 & ~umask,
and defaulting to 0600 for the post-open chmod was breaking some use
cases. Problem and solution identified by Ross Burton, I just made the
local copy of the patch.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
mkdirat() was calling real_fchmodat with invalid arguments (it turns
out that AT_SYMLINK_NOFOLLOW is both irrelevant and forbidden by Linux),
and the wrapper function did not restore errno to its previous value.
This breaks localedef, because localedef is unconditionally storing
the value of errno after a mkdir *whether or not the mkdir failed*,
which is almost certainly wrong. Similar issue with mkfifoat.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
There's some changes to allow things to work even if umask is 0700;
originally this was just regarded as a broken state, but it became
necessary to fix it in order for the xattrdb code to work, only the
fix could result in files having a raw filesystem mode that lacked
execute bits it should have had.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
When I trimmed the spurious free()s for the new lower-allocation
path strategy, I forgot to look for cases where I was relying on
the allocation, such as realpath(path, NULL).
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
gcc is better about warnings and spotted variables being assigned but
not used. Clever gcc. Cleaned up the old bits.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
When xattr emulation is used to store extended attributes, dummy
entries get made in the db using whatever UID/GID were in the real
stat buffer if no entry already existed. Change these to -1, and
treat -1 uid/gid as a missing entry for stat purposes.
xattrdb was not merging existing uid/gid values. Change this by
loading existing values to merge them in when executing chown/chmod
commands.
Newly-created files could end up with a filesystem mode of 0 if
you used umask, but this breaks xattrdb.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Dropping the alloc from file paths meant that pseudo_exec_path
could end up just returning its original argument, which was
const-qualified, meaning its return should also be const-qualified.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
This is a moderately experimental feature which stores values in an
extended attribute called 'user.pseudo_data' instead of in the database.
Still missing: Database<->filesystem synchronization for this.
For at least some workloads, this can dramatically improve performance.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Instead of allocating (and then freeing) these paths all the time,
use a rotating selection of buffers of fixed but probably large enough
size (the same size that would have been the maximum anyway in
general). With the exception of fts_open, there's no likely way to
end up needing more than two or three such paths at a time. fts_open
dups the paths since it could have a large number and need them for
a while. This dramatically reduces (in principle) the amount of allocation
and especially reallocation going on.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
A partially-implemented profiler for client time, which basically just
inserts (optional) gettimeofday calls in various places and stashes data
in a flat file containing one data block per pid.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Worked for trivial cases, but spuriously closed fd 0 and had
other issues. Separated implementations out.
|
|
Some years back, there was a historical reason (lost to the mists of
time) for which we had problems if we allowed actual creation of fifos,
but so far as we know we don't expect any problems with them now,
and there's a bitbake change which would like to be able to use fifos
for logging, so let's try enabling them and see what happens.
|
|
Trying to track down problems which sometimes result in files showing
up as nameless files, producing clashes later. Looks like there were two
issues; one is we were creating links for files that we'd already
found by inode. The other is that rename was sending bogus LINK messages
in some cases. Also simplified the find_file_dev path to extract the
path as part of the initial operation, since there wasn't any case where
that wasn't being done immediately afterwards.
|
|
The assumption that a host is either x86_64 or x86_32 does not
hold well on target systems.
|
|
We don't want to pick up newer memcpy because pseudo sometimes has to
run host binaries even when built against a newer libc.
|
|
More complicated, because we actually need to make com.apple stuff work
probably.
|
|
Also for lstat, but that probably never matters because in Linux
you will never actually call lstat without working really hard at
it, because you end up calling __lxstat anyway. (Was already
doing the right thing for Darwin.)
|
|
So it turns out that if you fix a bug inside an #ifdef that hasn't
applied to anything in years, it doesn't actually fix the bug.
|
|
We used to rely on filesystem operations to apply the umask when
appropriate, but when we started masking out 022, that stopped working.
Start watching umask.
|
|
Various wrappers checked for a non-null pseudo_get_value("PSEUDO_UNLOAD") to
determine whether the environment should include the pseudo variables. None
of those checks freed the returned value when it was not null. The new
check function does.
The new check function also sees whether PSEUDO_UNLOAD was defined in the
environment that should be used in the wrapped system call. This allows
pkg_postinst scripts to strip out the LD_PRELOAD setting, for example before
invoking qemu to execute commands in an environment that does not have
libpseudo.so.
[YOCTO #4843]
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Change the handling of fchmodat(AT_SYMLINK_NOFOLLOW) to reject it
if the host system does, so we preserve host system behavior.
Mask out group/other write bits when actually creating files to
reduce risks to filesystem integrity.
|
|
underlying fchmodat() will just fail, but GNU tar calls it that way
anyway, figuring it'll just retry on failure, but we don't report
the failure. Nor do we want to, because that's expensive and slow
and will result in additional database round trips. But I don't want
to fail out right away, so for now, just strip the flag.
|
|
Turns out the checks for feature support were using plain cc,
not ${CC}, which could break tests. Also add a sanity check to the
xattr support to confirm that <attr/xattr.h> is available.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Clean-up: Allow specification of environment hints for subports
scripts, such as whether xattr support is available. Also make
configure guess at a bit width if none is specified.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The "/* flags = AT_SYMLINK_NOFOLLOW */" comment only works if
it comes AFTER the semicolon in wrapfuncs.in. Who knew? Fix
those. Also rename the "flags" arguments for *setxattr() to
"xflags" to avoid any confusion about the flags variable.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
The xattr first-pass implementation was allocating a buffer to
hold the name and value for a set operation, then pseudo_client was
allocating *another* buffer to hold the path and those two values.
pseudo_client_op develops more nuanced argument handling, and also
uses a static buffer for the extended paths it sometimes needs. So
for the typical use case, only occasional operations will need to
reallocate/expand the buffer, and we'll be down to copying things
into that buffer once per operation, instead of having two alloc/free
pairs and two copies.
And of course, that wasn't two alloc/free pairs, it was one alloc/free
pair and one alloc without a free. Whoops.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
In the fairly common case where someone is using
setxattr() to specify the "posix_acl_access" attribute, but in fact
the ACL list specified can be fully represented in a plain old mode,
we intercept the request and just do a chmod. Even if the request
can't be fully represented, we try to represent any aspects of it that
we can in the plain old mode.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Initial, incomplete, support for extended attributes. Extended
attributes are implemented fairly naively, using a second table
in the file database using the primary file table's id as a
foreign key. The ON DELETE CASCADE behavior requires sqlite 3.6.19
or later with foreign key and trigger support compiled in.
To reduce round-trips, the client does not check for existing
attributes, but rather, sends three distinct set messages;
OP_SET_XATTR, OP_CREATE_XATTR, OP_REPLACE_XATTR. A SET message
always succeeds, a CREATE fails if the attribute already
exists, and a REPLACE fails if the attribute does not already
exist.
The /* flags */ feature of makewrappers is used to correct
path names appropriately, so all functions are already working
with complete paths, and can always use functions that work
on links; if they were supposed to dereference, the path
fixup code got that.
The xattr support is enabled, for now, conditional on
whether getfattr --help succeeds.
Not yet implemented: Translation for system.posix_acl_access,
which is used by "cp -a" (or "cp --preserve-all") on some
systems to try to copy modes.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
|
|
|
|
This is a moderately intrusive change. The basic overall effect:
Debugging messages are now controlled, not by a numeric "level",
but by a series of flags, which are expressed as a string of
letters. Each flag has a single-letter form used for string
specifications, a name, a description, a numeric value (1 through N),
and a flag value (which is 1 << the numeric value). (This does mean
that no flag has the value 1, so we only have 31 bits available.
Tiny violins play.)
The other significant change is that the pseudo_debug calls
are now implemented with a do/while macro containing a conditional,
so that computationally-expensive arguments are never evaluated
if the corresponding debug flags weren't set. The assumption is
that in the vast majority of cases (specifically, all of them
so far) the debug flags for a given call are a compile-time constant,
so the nested conditional will never actually show up in code
when compiled with optimization; we'll just see the appropriate
conditional test.
The VERBOSE flag is magical, in that if the VERBOSE flag is
used in a message, the debug flags have to have both VERBOSE and
at least one other flag for the call to be made.
This should dramatically improve performance for a lot of cases
without as much need for PSEUDO_NDEBUG, and improve the ability of
users to get coherent debugging output that means something and is
relevant to a given case.
It's also intended to set the stage for future development work
involving improving the clarity and legibility of pseudo's diagnostic
messages in general.
Old things which used numeric values for PSEUDO_DEBUG will sort
of continue to work, though they will almost always be less verbose
than they used to. There should probably be a pass through adding
"| PDBGF_CONSISTENCY" to a lot of the messages that are specific
to some other type.
|
|
No idea how this survived so long, but the clone() syscall
prototype on RHEL 4.7 doesn't have the "..." for additional
arguments, so we can't pass them. Also had unused variables
that would otherwise have been being filled in from va_args
and passed. But there's no extra args to pass.
Interestingly, this contradicts the clone() man page in
RHEL 4.7. If you have problems with clone() there, that's
probably why.
|
|
Darwin's off_t is a 64-bit type, so there's no off64_t. Also,
there's an uninitialized variable usage in unlinkat which LLVM
catches.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Most pseudo operations don't actually USE the server's response. So
why wait for a response?
This patch introduces a new message type, PSEUDO_MSG_FASTOP. It
also tags pseudo operation types with whether or not they need to
give a response. This requires updates to maketables to allow non-string
types for additional columns, and the addition of some quotes to the
SQL query enums/query_type.in table.
A few routines are altered to change their behavior and whether or not
they perform a stat operation. The only operations that do wait are
OP_FSTAT and OP_STAT, OP_MKNOD, and OP_MAY_UNLINK. Rationale:
You can't query the server for replacement information and not wait for
it. Makes no sense.
There's extra checking in mknod, because we really do want to fail out
if we couldn't do that -- that implies that we haven't created a thing
that will look like a node.
The result from OP_MAY_UNLINK is checked because it's used to determine
whether we need to send a DID_UNLINK or CANCEL_UNLINK. It might be cheaper
to send two messages without waiting than to send one, wait, and maybe
send another, but I don't want to send invalid messages.
This is highly experimental.
|
|
The openembedded build, at least with RPM or SMART, is heavily affected
by the cost of calling fsync or fdatasync on package databases all the
time. Gosh, wouldn't it be nice if we could suppress that without making
dozens of highly intrusive and risky changes into RPM, various database
packages, and so on?
Yes, yes it would. If only there were a program which could intercept
system calls and change their behavior!
Enter --enable-force-async. There are now wrappers for fsync, fdatasync,
and a few related functions. If --enable-force-async is set, these wrappers
instantly return 0, even if PSEUDO_DISABLED is set. And with any luck,
bitbake will now perform a bit better.
Credit for this insight goes to Richard Purdie. I've reimplemented
this to add the configure option, and make the fsync suppression work
even when PSEUDO_DISABLED is set.
|
|
wrap_linkat() was trying to avoid "redundantly" expanding paths before
calling real_linkat(). Which is fine when you're not using an absolute
path in a chroot environment, but if you are, it ends up calling the
real syscall with the absolute path and no chroot prefix.
General observation: All the *at() implementations are expanding paths
into absolute paths, then dutifully calling real_*at() functions with
them anyway. This is silly. Added a note to Futures.txt to fix it some
day. In the mean time, linkat() is fixed correctly; it always expands
paths, does so exactly once, and then uses the underlying link()
call because it doesn't need special processing of directory fds
anymore. Also fixed errno stashing to reduce the risk that link()
will change errno in a circumstance where it doesn't actually fail.
|
Seebs
Joshua Lock
Peter Seebach