Age | Commit message (Collapse) | Author |
|
So we had this really strange problem where, sometimes but not always,
pseudo would have strange problems on startup, where the pseudo server
would end up running under pseudo. And this produced the most fascinating
thing, which was:
unsetenv("LD_PRELOAD");
assert(getenv("LD_PRELOAD") == NULL);
for (int i = 0; environ[i]; ++i) {
assert(strncmp(environ[i], "LD_PRELOAD=", 11));
}
(pseudocode untested)
This would crash on the environ search. Because getenv() was not searching
environ.
WHAT.
So it turns out, *bash overrides getenv, setenv, and so on*. Under those
names. Hiding the glibc ones. And this creates horrible problems if you
assumed that your code could call those functions and expect them to work.
So as a workaround, pseudo now uses dlsym to find getenv, etc., from
glibc, and invokes those directly if possible. Also the client now uses
unwrapped fork/exec for spawning the server, which cleans up the
behavior of that code quite a bit.
|
|
There's some changes to allow things to work even if umask is 0700;
originally this was just regarded as a broken state, but it became
necessary to fix it in order for the xattrdb code to work, only the
fix could result in files having a raw filesystem mode that lacked
execute bits it should have had.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
Dropping the alloc from file paths meant that pseudo_exec_path
could end up just returning its original argument, which was
const-qualified, meaning its return should also be const-qualified.
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
|
|
We used to rely on filesystem operations to apply the umask when
appropriate, but when we started masking out 022, that stopped working.
Start watching umask.
|
|
PSEUDO_DB_MODE restores a proposed mode's 0700 bits, but now that we're
masking 022 out, it should also restore those. Change it to restore
0722 from a proposed mode before sending to database.
|
|
Change the handling of fchmodat(AT_SYMLINK_NOFOLLOW) to reject it
if the host system does, so we preserve host system behavior.
Mask out group/other write bits when actually creating files to
reduce risks to filesystem integrity.
|
|
The PSEUDO_STATBUF change (allowing operations on files over
2GB even on 32-bit systems) introduced a subtle bug; by calling
stat64() rather than real_stat(), pseudo stopped handling
chrooted paths well. In most cases, this was fine, but in the
specific case of a rename, where the stat buffers for the various
parts were actually used, it wasn't. Of particular note, pseudo
could end up creating links which had stack garbage for their
stat buffs, because it assumed that if the rename operation
succeeded, the stat operations must have succeeded.
Of course, there is no real_stat64 in the Linux port, because
there's no need for it; most code is calling __xstat64 or some
relative thereof, and even if you did really call stat64, it'd
end up routed there anyway. So we add that so that it can be
used for calls and we don't have to encode Linux-specific
magic about __xstat into the generic header.
|
|
The _plain thing was added because of clashes between Linux
("struct stat64 for 64-bit file sizes") and Darwin ("struct stat
is already 64 bits"). But it turns out not to be enough,
because stat will *fail* if it cannot represent a file size,
so when something like unlinkat() calls a non-64-bit stat in
order to determine whether a file exists, it gets the wrong
answer if the file is over 2GB in size.
Solution: Continue using PSEUDO_STATBUF, and also provide
defines for base_stat() which can be either real_stat() or
real_stat64(), etcetera.
This eliminates any reason to need the _plain functions. It
also suggests that the other real___fxstatat() calls should
someday go away because that is an ugly, ugly, implementation
detail.
As part of testing this, fix up some bitrot which affected
Darwin (such as the continue outside of a loop, but inside
an #ifdef; that was left over from the conversion of
init_one_wrapper to a separate function).
|
|
the 0100 bit for directories. The reason is that otherwise we create
plain files which are 0700 on disk, which means they're non-zero &0111,
which breaks euidaccess(X_OK).
|
|
|
|
This is a spiffied-up rebase of a bunch of intermediate changes, presented
as a whole because it is, surprisingly, less confusing that way. The basic
idea is to separate the guts code into categories ranging from generic
stuff that can be the same everywhere and specific variants. The big scary
one is the Darwin support, which actually seems to run okay on 64-bit OS X
10.6. (No other variants were tested.) The other example given is support
for the old clone() syscall on RHEL 4, which affects some wrlinux use cases.
There's a few minor cleanup bits here, such as a function with inconsistent
calling conventions, but nothing really exciting.
|
|
This is fussy, because we have to actually do the path search ourselves
as best we can to handle unqualified paths. The result, though, is
more meaningful logs.
Along the way, fix some bitrot in the comments in pseudo_fix_path and
friends.
|
|
2010-12-09:
* (mhatle) Add doc/program_flow to attempt to explain startup/running
* (mhatle) guts/* minor cleanup
* (mhatle) Reorganize into a new constructor for libpseudo ONLY
pseudo main() now manually calls the util init
new / revised init for client, wrappers and utils
* (mhatle) Add central "reinit" function
* (mhatle) Add manul execv* functions
* (mhatle) rename pseudo_populate_wrappers to pseudo_check_wrappers
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
* (mhatle) Add guts/clone.c to cleanup the clone support
* (mhatle) guts/clone.c only run setupenv and reinit when NOT PSEUDO_RELOADED
* (mhatle) guts/execve.c whitespace fixe
* (mhatle) guts/fork.c similar to guts/clone.c change
* (mhatle) pseudo_client.c add reinit function
* (mhatle) pseudo_client.c revise client reset, include code from pseudo_wrappers.c
* (mhatle) pseudo_server.c move the pid writing to the parent
* (mhatle) pseudo_wrappers.c clone cleanup and populate cleanup
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
are generated from text files and templates, making it now (we hope)
impossible for the list of strings to get out of sync with the
enum.
|
|
Add PSEUDO_BINDIR, PSEUDO_LIBDIR, and PSEUDO_LOCALSTATEDIR to allow for more
easy customization of PSEUDO components at run-time. If these are not set
they will be automatically generated based on the existing PSEUDO_PREFIX path.
PSEUDO_BINDIR = PSEUDO_PREFIX /bin
PSEUDO_LIBDIR = PSEUDO_PREFIX /lib
PSEUDO_LOCALSTATEDIR = PSEUDO_PREFIX /var/pseudo
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
In fakechroot, which pseudo tries to match the functionality of,
the default behavior when creating a symlink with an absolute target
is to prepend the chroot path, so that underlying syscalls will
get the right file.
It is necessary to be able to disable this behavior to create target
filesystems in some cases. To that end, support a new environment
variable, PSEUDO_NOSYMLINKEXP, which disables that behavior.
|
|
It's not enough to rely on the usual chroot() stuff affecting the
file open, not least because these use the glibc-internal __open
which is not currently intercepted, but also because we want to
use the PSEUDO_PASSWD path when that's set but there's no chroot().
There's some extra magic in pseudo_etc_file to support these
operations, since they can legitimately create a file rather
than opening an existing one.
|
|
This is a first pass at handling password/group calls, allowing
the use of custom password/group files. In particular, when
chroot()ed to a particular directory, pseudo picks files in
that directory by default, to improve support for the typical
use case where pseudo uses chroot() only to jump into a virtual
target filesystem.
|
|
This patch adds support for checking whether a file was opened for
reading, writing, or both, as well as tracking append flags. It is
not very well tested. This is preparation for improved host
contamination checking.
|
|
None of them seem to have been genuine problems, but it's prettier now,
and some were questionable.
|
|
Add chroot() and a large number of things needed to make it work.
The list of intercepted calls is large but not exhaustive.
|
|
* Improve makewrappers handling of function pointer arguments.
* Regenerate wrappers when makewrappers is touched.
* Move path resolution from pseudo_client_op into wrapper
functions.
* Eliminate dependency on PATH_MAX.
* Related cleanup, such as tracking CWD better, and using
the tracked value for getcwd().
|
|
|