The 'readelf'-based tests cover a few situations:
1. undefined symbols in shared libraries
2. unexpected exports in shared libraries
Bug #575958 shows that [2.] implementation is too simplistic
in assuming that presence of relocation equals to export presence.
It is incorrect for PLT stubs and local symbols.
Let's just drop these tests.
If one needs to cover [1.] it is better to use LDFLAGS=-Wl,--no-undefined.
This closes#292.
X-Reported-by: Benda Xu
X-Gentoo-Bug: https://bugs.gentoo.org/575958
X-Gentoo-Bug-URL: https://bugs.gentoo.org/575958
The -f option can be used when showing the status of services in
runlevels to allow making the output more easily parsable.
Currently, the .ini format is the only one supported.
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
rc = readlink(path, buf, sizeof(buf));
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes#270.
The contents of /proc/<pid>/cmdline are read into
a stack buffer using
bytes = read(fd, buffer, sizeof(buffer));
followed by appending a null terminator to the buffer with
buffer[bytes] = '\0';
If bytes == sizeof(buffer), then this write is out-of-bounds.
Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)
This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes#269.
The following will cause a segfault due to NULL being
passed to strcmp(3)
$ RC_SVCNAME=foo supervise-daemon
Fix the bounds check on argc in main. If argc<=1, then
it is not safe to dereference argv[1].
The statement
ll = strlen(applet);
appears twice in the same block without any
intervening assignment to the variables
'll' or 'applet'
Remove the second (duplicate) statement.
In order to run healthcheck() and the unhealthy() function, add an
exec_command call to the supervisor.
Another difference is This function also logs errors instead of
attempting to display them.
This is for #271.
Since the pid file is internal to us, start moving toward deprecating it
by not requiring the user to specify it.
In the next release, I plan on working on code to start phasing out the
use of a pid file if this is possible.
This is needed in preparation for adding support for a fifo to allow us
to communicate with the supervisor to ask it to signal the child it is
supervising.
This reverts commit 2af0cedd59.
After speaking with Luis Ressel on the Gentoo selinux team, I am reverting
this commit for the following reasons:
- Luis told me that he feels this is not the solution we need to address
the concern with checkpath; I will be working with him on another
solution.
- There are concerns about the way the path variable was handled
and the assert() call.
The path variable should be dynamically allocated using xasprintf
instead of defining a length at compile time. This would eliminate the
need for the assert() call.
- It introduces the definition of _GNU_SOURCE which makes it
easier to introduce portability concerns in the future (see #262).
The pidfile of the supervisor doesn't need to be adjustable by the
service script. It is only used so the supervisor can stop itself when
the --stop option is used.
In start-stop-daemon and rc-schedules, we were printing out a warning if
the nanosleep call was interrupted by a signal, but we did not treat
this as an error situation other than displaying the message, so there
is no need for the message.
Health checks are a way to monitor a service and make sure it stays
healthy.
If a service is not healthy, it will be automatically restarted after
running the unhealthy() function to clean up.
You can now schedule a shutdown for a certain time or a cpecific number
of minutes into the future.
When a shutdown is running, you can now cancel it with ^c from the
keyboard or by running "openrc-shutdown -c" from another shell.
Fix the comparison between respawn_count and respawn_max so that
respawn_max = 1 will allow for one respawn. Since respawn_count is
incremented before the comparison, use a 'greater than' comparison
so that respawn will be triggered when respawn_count is equal to
respawn_max.
Fixes: https://github.com/OpenRC/openrc/issues/247
Fixes: https://github.com/OpenRC/openrc/issues/248
Use errno != EACCES to fix false-positive for non-root users
with grsecurity kernels.
Fixes: 37e2944272 ("librc: Add check for crashed state")
This fixes#237
This test to find if we could see pid 1 was being used inconsistently in
rc-status and mark_service_crashed to decide whether we could test to
see if the daemon for the service was crashed, and it was not part of
the librc library.
I am removing it from the executables because of inconsistent usage. I
will add it to the library if it is needed there.
If pidfile does not exist when we are stopping the daemon, assume it is
already stopped, and report success.
hostapd is an example of a daemon which removes its pidfile when it is
exiting. If this daemon terminates prematurely, that is, without s-s-d
involvement, then openrc fails to restart it, because s-s-d "stop"
command fails when pidfile is missing.
X-Gentoo-Bug: 646274
X-Gentoo-Bug-URL: https://bugs.gentoo.org/646274
This is our own version of asprintf(). This original code was written by
Mike Frysinger, and I was able to modify it to use our memory helper
functions.
We need a version of this code because it is not available on glibc at
least without defining _GNU_SOURCE, and I would rather not do that.
This is the first step in improving string handling in OpenRC for #207.
This is related to #195.
This is an attempt to shorten the window for the first two issues
discussed by using a file descriptor which does not follow symbolic
links and using the fchmod and fchown calls instead of chown and chmod.
with.
rc_deptree_update_needed would return early as soon as it found
any file newer than the existing dependency cache. Unfortunately,
the first file found may not be the newest one there; so the
clock skew workaround in rc-misc:_rc_deptree_load would be given
a timestamp that was still too old.
This fix forces a full scan of all relevant files, so as to
ensure that we return a timestamp that will allow the clock skew
fix to operate. The runtime cost is no worse than the case where
the cache is up to date (ie. we must check every possible file).
This fixes#161.
Ignore namespaces if there are errors reading either the pid namespace
for the current process or the process we aare testing.
This fixes https://github.com/openrc/openrc/issues/180.
- Harden against dying by handling all signals that would terminate the
program and adding --reexec support
- factor the supervisor into its own function
- fix test for whether we are already running
Prior to this change, we were logging unexpected terminations of daemons
we were supervising at the info level. This change moves the logs to
warnings.
The service binary was just a synonym for rc-service, so use rc-service
instead of service. If you want a "service" binary, it should be
something that can determine which service manager you are running and
run the appropriate service manager commands.
rc-selinux.c: In function ‘selinux_setup’:
rc-selinux.c:361:9: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
curr_t = context_type_get(curr_con);
^
