rpms/systemtap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import systemtap-4.4-9.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-02-13 06:13:44 +00:00 committed by Andrew Lukoshko
commit 44e00f1b84
9 changed files with 4956 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/systemtap-4.4.tar.gz

1
.systemtap.metadata Normal file
View File

@ -0,0 +1 @@
f126888adda90a0ec57f43f9db20fde68c8ef356 SOURCES/systemtap-4.4.tar.gz

55
SOURCES/rhbz1650594.patch Normal file
View File

@ -0,0 +1,55 @@
commit 734f5acf6c568c02254a33730c6f0fff016bdd09
Author: Martin Cermak <mcermak@redhat.com>
Date: Wed Jan 20 22:09:49 2021 +0100
systemtap-service onboot: Skip updating the bootloader
It shows up that just modifying the default initrd is good enough,
no need to call kernel-install or new-kernel-pkg. This speeds up
the systemtap-service onboot operation.
diff --git a/initscript/systemtap.in b/initscript/systemtap.in
index 713f7a680..b1621ae2f 100755
--- a/initscript/systemtap.in
+++ b/initscript/systemtap.in
@@ -46,8 +46,6 @@ STAPRUN=@bindir@/staprun
UNAME=/bin/uname
LSMOD=/sbin/lsmod
DRACUT=`which dracut`
-NEWKERNELPKG=/sbin/new-kernel-pkg
-KERNELINSTALL=/usr/bin/kernel-install
# Not actually used directly, but needed by
# stap dracut module for inclusion in initramfs
@@ -839,10 +837,6 @@ backup_initramfs() {
onboot () {
local s ret ss
- if [ ! -f "$NEWKERNELPKG" -a ! -f "$KERNELINSTALL" ]; then
- do_failure "Could not find $NEWKERNELPKG nor $KERNELINSTALL"
- return 1
- fi
if [ ! -f "$DRACUT" ]; then
do_failure "$DRACUT not found"
return 1
@@ -940,20 +934,6 @@ onboot () {
return 0
fi
clog "done"
- # We're installing the initramfs in the default location, so user
- # expects the next boot to use it. Let's also update the bootloader.
- clog " Updating bootloader ... " -n
- if [ -x "$NEWKERNELPKG" ]; then
- logex $NEWKERNELPKG --initrdfile="$INITRAMFS" \
- --update $KRELEASE
- else
- logex $KERNELINSTALL add $KRELEASE /boot/vmlinuz-$KRELEASE
- fi
- if [ $? -ne 0 ]; then
- do_failure "bootloader update exited with nonzero status"
- return 1
- fi
- might_success "initramfs created and bootloader updated"
return 0
}

108
SOURCES/rhbz1873492.patch Normal file
View File

@ -0,0 +1,108 @@
commit ea5f10ba55fce68d1ed614ca33afdb38816f0830
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Mon Nov 16 18:54:11 2020 -0500
PR26665: mokutil output parsing tweaks
We encountered secureboot keys in the wild that didn't live up
to the expectations of the current little state machine. Tweaked
regexps to accept Issuer: O= as well as Issuer: CN= lines. With
more verbosity, produces output on parsing process.
diff --git a/session.cxx b/session.cxx
index b5a8044..0437ca4 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info()
// PR26665: but only Systemtap MOK keys; there may be others.
getline(out, line);
+ if (verbose > 3)
+ clog << "MOK parse state: " << state << " line: " << line << endl;
+
if (state == "SHA1") { // look for a new key fingerprint
if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches))
{
@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info()
}
// else stay in SHA1 state
} else if (state == "Issuer") { // validate issuer
- if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) {
+ if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) {
if (verbose > 2)
clog << "Issuer found: " << matches[1] << endl;
- if (! regexp_match(matches[1], "Systemtap", matches))
+ if (! regexp_match(matches[1], "Systemtap", matches)) {
+ if (verbose > 2)
+ clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl;
mok_fingerprints.push_back(fingerprint);
+ }
state = "SHA1"; // start looking for another key
}
} else { // some other line in mokutil output ... there are plenty
commit 532eb9a1502026300a7f0b4bd287499101dd5803
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Tue Nov 17 16:34:59 2020 -0500
PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger
A different older kernel API needs to be probed for rhel8 era detection
of lockdown in effect. Added an (undocumented) $SYSTEMTAP_NOSIGN env
var to override automatic --use-server on lockdown, so that one can
inspect runtime/autoconf* operation locally, without stap-server.
diff --git a/buildrun.cxx b/buildrun.cxx
index 9b4066d..9c8e648 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s)
output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c",
"STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL);
output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL);
+ output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL);
// used by runtime/linux/netfilter.c
output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK");
diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c
new file mode 100644
index 0000000..90c2414
--- /dev/null
+++ b/runtime/linux/autoconf-lockdown-kernel.c
@@ -0,0 +1,5 @@
+#include <linux/kernel.h>
+
+int foo(void) {
+ return kernel_is_locked_down("something");
+}
diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
index bb4a98b..5795533 100644
--- a/runtime/transport/transport.c
+++ b/runtime/transport/transport.c
@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name)
dbug_trans(1, "choosing procfs_p=1\n");
}
#endif
+#ifdef STAPCONF_LOCKDOWN_KERNEL
+ if (!debugfs_p && kernel_is_locked_down ("debugfs")) {
+ procfs_p = 1;
+ dbug_trans(1, "choosing procfs_p=1\n");
+ }
+#endif
if (!procfs_p) {
debugfs_p = 1;
dbug_trans(1, "choosing debugfs_p=1\n");
diff --git a/session.cxx b/session.cxx
index 0437ca4..36a4053 100644
--- a/session.cxx
+++ b/session.cxx
@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed()
if (getenv("SYSTEMTAP_SIGN"))
return true;
-
+ if (getenv("SYSTEMTAP_NOSIGN"))
+ return false;
+
statm >> status;
if (status == 'Y')
return true;

63
SOURCES/rhbz1898288.patch Normal file
View File

@ -0,0 +1,63 @@
commit 34e62f15da5adf06361ac66489936d0ffa1cc430
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Tue Nov 10 22:13:53 2020 -0500
RHBZ1892179: handle exhausted stp_task_work structs
In utrace_report_syscall_entry and _exit, there is a possibility of
dereferencing a NULL pointer, in case __stp_utrace_alloc_task_work
exhausts UTRACE_TASK_WORK_POOL_SIZE live elements. While OOM is
still a possibility, this patch handles it more gracefully.
diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c
index 47355de..e2880f1 100644
--- a/runtime/stp_utrace.c
+++ b/runtime/stp_utrace.c
@@ -2337,11 +2337,11 @@ static void utrace_report_syscall_entry(void *cb_data __attribute__ ((unused)),
/* Defer the report_syscall_entry work so it doesn't happen in atomic context: */
work = __stp_utrace_alloc_task_work(utrace, NULL);
- __stp_utrace_save_regs(work, regs);
if (work == NULL) {
_stp_error("Unable to allocate space for task_work");
return;
}
+ __stp_utrace_save_regs(work, regs);
stp_init_task_work(work, &utrace_syscall_entry_work);
rc = stp_task_work_add(task, work);
// stp_task_work_add() returns -ESRCH if the task has already
@@ -2444,11 +2444,11 @@ static void utrace_report_syscall_exit(void *cb_data __attribute__ ((unused)),
/* Defer the report_syscall_exit work so it doesn't happen in atomic context: */
work = __stp_utrace_alloc_task_work(utrace, NULL);
- __stp_utrace_save_regs(work, regs);
if (work == NULL) {
_stp_error("Unable to allocate space for task_work");
return;
}
+ __stp_utrace_save_regs(work, regs);
stp_init_task_work(work, &utrace_syscall_exit_work);
rc = stp_task_work_add(task, work);
// stp_task_work_add() returns -ESRCH if the task has already
commit 83cb271b390a1b36abd4c3aa69f89c466e99e253
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Fri Nov 13 12:36:07 2020 -0500
RHBZ1892179: double default UTRACE_TASK_WORKPOOL
Some workloads were observed to exhaust the previous limit of 288.
diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c
index 46ba489..6022267 100644
--- a/runtime/stp_utrace.c
+++ b/runtime/stp_utrace.c
@@ -141,7 +141,7 @@ struct __stp_utrace_task_work { /* NB: about 216 bytes, 18 per page: */
TODO: UTRACE_TASK_WORK_POOL_SIZE can be specified on the Systemtap
command line. Experiment to find the best default value. */
#ifndef UTRACE_TASK_WORK_POOL_SIZE
-#define UTRACE_TASK_WORK_POOL_SIZE 288
+#define UTRACE_TASK_WORK_POOL_SIZE 576
#endif
static DECLARE_BITMAP(__stp_utrace_task_work_pool_bitmap, UTRACE_TASK_WORK_POOL_SIZE);
static struct __stp_utrace_task_work __stp_utrace_task_work_pool[UTRACE_TASK_WORK_POOL_SIZE];

217
SOURCES/rhbz1902696.patch Normal file
View File

@ -0,0 +1,217 @@
commit e3d03db82853049f65f16dc40c03f3f7f617ffb5
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Sun Dec 13 21:05:23 2020 -0500
PR23512: fix staprun/stapio operation via less-than-root privileges
Commit 7615cae790c899bc8a82841c75c8ea9c6fa54df3 for PR26665 introduced
a regression in handling stapusr/stapdev/stapsys gid invocation of
staprun/stapio. This patch simplifies the relevant code in
staprun/ctl.c, init_ctl_channel(), to rely on openat/etc. to populate
and use the relay_basedir_fd as much as possible. Also, we now avoid
unnecessary use of access(), which was checking against the wrong
(real rather than effective) uid/gid.
diff --git a/staprun/ctl.c b/staprun/ctl.c
index 4be68af..da3417b 100644
--- a/staprun/ctl.c
+++ b/staprun/ctl.c
@@ -14,111 +14,70 @@
#define CTL_CHANNEL_NAME ".cmd"
+
+#ifndef HAVE_OPENAT
+#error "need openat"
+#endif
+
+
+// This function does multiple things:
+//
+// 1) if needed, open the running module's directory (the one that
+// contains .ctl), stash fd in relay_basedir_fd; this will be
+// passed to stapio children via -F$fd for privilege passing
+//
+// 2) (re)open the running module's .ctl file, stash fd in the
+// control_channel global; this will be used all over the place.
+//
+// Return 0 on success.
+//
+// See also PR14245, PR26665, RHBZ1902696 = PR23512
+//
int init_ctl_channel(const char *name, int verb)
{
- char buf[PATH_MAX] = ""; // the .ctl file name
- char buf2[PATH_MAX] = ""; // other tmp stuff
- struct statfs st;
-
(void) verb;
- if (0) goto out; /* just to defeat gcc warnings */
- /* Before trying to open the control channel, make sure it
- * isn't already open. */
- close_ctl_channel();
+ // Already got them both?
+ if (control_channel >= 0 && relay_basedir_fd >= 0)
+ return 0;
-#ifdef HAVE_OPENAT
- if (relay_basedir_fd >= 0) {
- strncpy(buf, CTL_CHANNEL_NAME, PATH_MAX - 1);
- control_channel = openat_cloexec(relay_basedir_fd,
- CTL_CHANNEL_NAME, O_RDWR, 0);
- dbug(2, "Opened %s (%d)\n", CTL_CHANNEL_NAME, control_channel);
+ // Need relay_basedir_fd .... ok try /sys/kernel/debug/systemtap/
+ if (relay_basedir_fd < 0) {
+ char buf[PATH_MAX] = "";
+ struct statfs st;
- /* NB: Extra real-id access check as below */
- if (faccessat(relay_basedir_fd, CTL_CHANNEL_NAME, R_OK|W_OK, 0) != 0){
- close(control_channel);
- return -5;
- }
- if (control_channel >= 0)
- goto out; /* It's OK to bypass the [f]access[at] check below,
- since this would only occur the *second* time
- staprun tries this gig, or within unprivileged stapio. */
+ if (sprintf_chk(buf, "/sys/kernel/debug/systemtap/%s", name))
+ return -EINVAL;
+
+ if (statfs("/sys/kernel/debug", &st) == 0 && (int)st.f_type == (int)DEBUGFS_MAGIC)
+ relay_basedir_fd = open (buf, O_DIRECTORY | O_RDONLY);
}
- /* PR14245, NB: we fall through to /sys ... /proc searching,
- in case the relay_basedir_fd option wasn't given (i.e., for
- early in staprun), or if errors out for some reason. */
-#endif
-
- // See if we have the .ctl file in debugfs
- if (sprintf_chk(buf2, "/sys/kernel/debug/systemtap/%s/%s",
- name, CTL_CHANNEL_NAME))
- return -1;
- if (statfs("/sys/kernel/debug", &st) == 0 && (int)st.f_type == (int)DEBUGFS_MAGIC &&
- (access (buf2, W_OK)==0)) {
- /* PR14245: allow subsequent operations, and if
- necessary, staprun->stapio forks, to reuse an fd for
- directory lookups (even if some parent directories have
- perms 0700. */
- strcpy(buf, buf2); // committed
+ // Still need relay_basedir_fd ... ok try /proc/systemtap/
+ if (relay_basedir_fd < 0) {
+ char buf[PATH_MAX] = "";
-#ifdef HAVE_OPENAT
- if (! sprintf_chk(buf2, "/sys/kernel/debug/systemtap/%s", name)) {
- relay_basedir_fd = open (buf2, O_DIRECTORY | O_RDONLY);
- }
-#endif
- }
-
- // PR26665: try /proc/systemtap/... also
- // (STP_TRANSPORT_1 used to use this for other purposes.)
- if (sprintf_chk(buf2, "/proc/systemtap/%s/%s",
- name, CTL_CHANNEL_NAME))
- return -1;
- if (relay_basedir_fd < 0 && (access(buf2, W_OK)==0)) {
- strcpy(buf, buf2); // committed
+ if (sprintf_chk(buf, "/proc/systemtap/%s", name))
+ return -EINVAL;
-#ifdef HAVE_OPENAT
- if (! sprintf_chk(buf2, "/proc/systemtap/%s", name)) {
- relay_basedir_fd = open (buf2, O_DIRECTORY | O_RDONLY);
- }
-#endif
+ relay_basedir_fd = open (buf, O_DIRECTORY | O_RDONLY);
}
- /* At this point, we have buf, which is the full path to the .ctl file,
- and we may have a relay_basedir_fd, which is useful to pass across
- staprun->stapio fork/execs. */
-
- control_channel = open_cloexec(buf, O_RDWR, 0);
- dbug(2, "Opened %s (%d)\n", buf, control_channel);
-
- /* NB: Even if open() succeeded with effective-UID permissions, we
- * need the access() check to make sure real-UID permissions are also
- * sufficient. When we run under the setuid staprun, effective and
- * real UID may not be the same. Specifically, we want to prevent
- * a local stapusr from trying to attach to a different stapusr's module.
- *
- * The access() is done *after* open() to avoid any TOCTOU-style race
- * condition. We believe it's probably safe either way, as the file
- * we're trying to access connot be modified by a typical user, but
- * better safe than sorry.
- */
-#ifdef HAVE_OPENAT
- if (control_channel >= 0 && relay_basedir_fd >= 0) {
- if (faccessat (relay_basedir_fd, CTL_CHANNEL_NAME, R_OK|W_OK, 0) == 0)
- goto out;
- /* else fall through */
+ // Got relay_basedir_fd, need .ctl
+ if (relay_basedir_fd >= 0) {
+ // verify that the ctl file is accessible to our real uid/gid
+ if (faccessat(relay_basedir_fd, CTL_CHANNEL_NAME, R_OK|W_OK, 0) != 0)
+ return -EPERM;
+
+ control_channel = openat_cloexec(relay_basedir_fd,
+ CTL_CHANNEL_NAME, O_RDWR, 0);
}
-#endif
- if (control_channel >= 0 && access(buf, R_OK|W_OK) != 0) {
- close(control_channel);
- return -5;
- }
-out:
- if (control_channel < 0) {
+ // Fell through
+ if (relay_basedir_fd < 0 || control_channel < 0) {
err(_("Cannot attach to module %s control channel; not running?\n"),
name);
- return -3;
+ return -EINVAL;
}
return 0;
}
commit 1120422c2822be9e00d8d11cab3fb381d2ce0cce
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Sun Dec 13 21:19:15 2020 -0500
PR27067 <<< corrected bug# for previous commit
commit cd5b72a538a404011d27d86ff958355ac2c45b8d
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Sun Jan 24 14:45:54 2021 -0500
PR27067: set procfs traceNN files' uid/gid too
commit e3d03db828 neglected to include the proper calls to set the
procfs traceNN files to the correct uid/gid ownership. With those
files left as uid/gid=0/0, stapio running with a user with
stapusr/stapdev privileges couldn't fopenat() those files. Now they
can again. This problem became obvious after commit 4706ab3ca5c0,
which makes STAP_TRANS_PROCFS the default.
diff --git a/runtime/transport/procfs.c b/runtime/transport/procfs.c
index 97a6e123a..69591a235 100644
--- a/runtime/transport/procfs.c
+++ b/runtime/transport/procfs.c
@@ -336,12 +336,14 @@ __stp_procfs_relay_create_buf_file_callback(const char *filename,
if (parent != _stp_procfs_module_dir_path.dentry)
goto out;
- pde = proc_create (filename, 0600,
+ pde = proc_create (filename, 0400,
_stp_procfs_module_dir,
& relay_procfs_operations);
if (pde == NULL)
goto out;
+ proc_set_user(pde, KUIDT_INIT(_stp_uid), KGIDT_INIT(_stp_gid));
+
rc = snprintf(fullpath, sizeof(fullpath), "/proc/systemtap/%s/%s",
THIS_MODULE->name, filename);

2831
SOURCES/rhbz1906662.patch Normal file
View File

File diff suppressed because it is too large Load Diff

44
SOURCES/rhbz1908904.patch Normal file
View File

@ -0,0 +1,44 @@
commit e3287bddcdc51705bb206479daa82e97fb28071f
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Wed Dec 9 22:29:43 2020 -0500
PR27044: fix lock loop for conditional probes
Emit a nested block carefully so that the "goto out;" from a failed
stp_lock_probe() call in that spot near the epilogue of a
probe-handler goes downward, not upward.
diff --git a/translate.cxx b/translate.cxx
index f0195486c..d7fe1e3b2 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -2969,21 +2969,21 @@ c_unparser::emit_probe (derived_probe* v)
{
// PR26296
// emit all read/write locks for global variables ... if somehow still not done by now
+ // emit a local out: label, for error catching in these condition exprs
+ o->newline() << "{";
+ o->newline(1) << "__label__ out, deref_fault;";
if (v->needs_global_locks ())
emit_lock ();
for (set<derived_probe*>::const_iterator
- it = v->probes_with_affected_conditions.begin();
- it != v->probes_with_affected_conditions.end(); ++it)
+ it = v->probes_with_affected_conditions.begin();
+ it != v->probes_with_affected_conditions.end(); ++it)
{
- // emit a local out: label, for error catching in these condition exprs
- o->newline() << "{";
- o->newline(1) << "__label__ out, deref_fault;";
emit_probe_condition_update(*it);
- o->newline(-1) << "deref_fault: __attribute__((unused));";
- o->newline() << "out: __attribute__((unused));";
- o->newline() << "}";
}
+ o->newline(-1) << "deref_fault: __attribute__((unused));";
+ o->newline() << "out: __attribute__((unused));";
+ o->newline() << "}";
}
// PR26296

1636
SPECS/systemtap.spec Normal file
View File

File diff suppressed because it is too large Load Diff