Makefile.am | 16 +++++++------- kit/Kit.cpp | 52 +++++++++++++++++++++++----------------------- loolwsd-systemplate-setup | 6 ++--- wsd/LOOLWSD.cpp | 23 ++++++++++++-------- 4 files changed, 52 insertions(+), 45 deletions(-)
New commits: commit 1f5d779ef859733b75a8f93780ad88da58a4effc Author: Jan Holesovsky <[email protected]> AuthorDate: Fri Aug 3 05:29:27 2018 +0200 Commit: Jan Holesovsky <[email protected]> CommitDate: Fri Aug 3 05:29:27 2018 +0200 Fix systemplate creation when running make with -j. Change-Id: Ifcf45b01fdba9b502b1a88190d6a0d4cb316c566 diff --git a/Makefile.am b/Makefile.am index 5b1767bcd..a40bc999a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -254,7 +254,7 @@ clean-local: if test "z@SYSTEMPLATE_PATH@" != "z"; then rm -rf "@SYSTEMPLATE_PATH@"; fi if test "z@TILECACHE_PATH@" != "z"; then rm -rf "@TILECACHE_PATH@"; fi -run: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp +run: all @TILECACHE_PATH@ @JAILS_PATH@ @echo "Launching loolwsd" @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt @@ -268,7 +268,7 @@ run: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp --o:admin_console.username=admin --o:admin_console.password=admin \ --o:logging.file[@enable]=true --o:logging.level=trace -run-valgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp +run-valgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @echo "Launching loolwsd under valgrind (but not forkit/loolkit, yet)" @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt @@ -282,7 +282,7 @@ run-valgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp --o:admin_console.username=admin --o:admin_console.password=admin \ --o:logging.file[@enable]=false --o:logging.level=trace -run-gdb: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp +run-gdb: all @TILECACHE_PATH@ @JAILS_PATH@ @echo "Launching loolwsd under valgrind's callgrind" @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt @@ -297,7 +297,7 @@ run-gdb: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp --o:admin_console.username=admin --o:admin_console.password=admin \ --o:logging.file[@enable]=false --o:logging.level=error -run-callgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp +run-callgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @echo "Launching loolwsd under valgrind's callgrind" @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt @@ -312,7 +312,7 @@ run-callgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp --o:admin_console.username=admin --o:admin_console.password=admin \ --o:logging.file[@enable]=false --o:logging.level=error -run-strace: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp +run-strace: all @TILECACHE_PATH@ @JAILS_PATH@ @echo "Launching loolwsd under strace" @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt commit ac7d67f43e2b82dcc841ca2ecae91e668eb90613 Author: Jan Holesovsky <[email protected]> AuthorDate: Fri Aug 3 05:12:14 2018 +0200 Commit: Jan Holesovsky <[email protected]> CommitDate: Fri Aug 3 05:22:03 2018 +0200 Fix networking in the chroot. The needed files were not copied, and consequently the hostname resolution did not work in the chroot. Change-Id: Id3dccc4f70cd1deeddb83c8e672f240e06748e34 diff --git a/kit/Kit.cpp b/kit/Kit.cpp index a6e386243..5a2148afa 100644 --- a/kit/Kit.cpp +++ b/kit/Kit.cpp @@ -190,6 +190,27 @@ namespace } } + void linkOrCopyFile(const char *fpath, Path newPath) + { + if (linkOrCopyVerboseLogging) + LOG_INF("Linking file \"" << fpath << "\" to \"" << newPath.toString() << "\""); + if (link(fpath, newPath.toString().c_str()) == -1) + { + LOG_INF("link(\"" << fpath << "\", \"" << + newPath.toString() << "\") failed. Will copy."); + try + { + File(fpath).copyTo(newPath.toString()); + } + catch (const std::exception& exc) + { + LOG_ERR("Copying of '" << fpath << "' to " << newPath.toString() << + " failed: " << exc.what() << ". Exiting."); + std::_Exit(Application::EXIT_SOFTWARE); + } + } + } + int linkOrCopyFunction(const char *fpath, const struct stat* /*sb*/, int typeflag, @@ -221,25 +242,7 @@ namespace File(newPath.parent()).createDirectories(); if (shouldLinkFile(relativeOldPath)) - { - if (linkOrCopyVerboseLogging) - LOG_INF("Linking file \"" << fpath << "\" to \"" << newPath.toString() << "\""); - if (link(fpath, newPath.toString().c_str()) == -1) - { - LOG_INF("link(\"" << fpath << "\", \"" << - newPath.toString() << "\") failed. Will copy."); - try - { - File(fpath).copyTo(newPath.toString()); - } - catch (const std::exception& exc) - { - LOG_ERR("Copying of '" << fpath << "' to " << newPath.toString() << - " failed: " << exc.what() << ". Exiting."); - std::_Exit(Application::EXIT_SOFTWARE); - } - } - } + linkOrCopyFile(fpath, newPath); break; case FTW_D: { @@ -2208,16 +2211,15 @@ void lokit_main(const std::string& childRoot, bLoopMounted ? LinkOrCopyType::NoUsr : LinkOrCopyType::All); linkOrCopy(loTemplate, jailLOInstallation, LinkOrCopyType::LO); - // We need this because sometimes the hostname is not resolved - const std::initializer_list<const char*> networkFiles = {"/etc/host.conf", "/etc/hosts", "/etc/nsswitch.conf", "/etc/resolv.conf"}; - for (const auto& filename : networkFiles) + // Copy some needed files - makes the networking work in the + // chroot + const std::initializer_list<const char*> files = {"/etc/passwd", "/etc/group", "/etc/host.conf", "/etc/hosts", "/etc/nsswitch.conf", "/etc/resolv.conf"}; + for (const auto& filename : files) { const Poco::Path etcPath = Path(jailPath, filename); const std::string etcPathString = etcPath.toString(); if (File(filename).exists() && !File(etcPathString).exists() ) - { - linkOrCopy( filename, etcPath, LinkOrCopyType::All ); - } + linkOrCopyFile(filename, etcPath); } LOG_DBG("Initialized jail files."); diff --git a/loolwsd-systemplate-setup b/loolwsd-systemplate-setup index 3eed41ae6..986a83aee 100755 --- a/loolwsd-systemplate-setup +++ b/loolwsd-systemplate-setup @@ -21,10 +21,9 @@ cd / || exit 1 # into the template tree of system files for the chroot jails. # First essential files and shared objects -find etc/passwd etc/group etc/hosts \ - etc/resolv.conf \ - etc/ld.so.* \ +find etc/ld.so.* \ lib/ld-* lib64/ld-* \ + lib64/libnss_* \ var/cache/fontconfig \ etc/fonts \ etc/localtime \ @@ -38,6 +37,7 @@ find etc/passwd etc/group etc/hosts \ find etc/fonts \ lib/ld-* lib64/ld-* \ + lib64/libnss_* \ -type l 2>/dev/null # Go through the LO shared objects and check what system libraries commit 521afe2e982378f821f01a81c265bc6b0ce4600a Author: Jan Holesovsky <[email protected]> AuthorDate: Fri Aug 3 04:57:04 2018 +0200 Commit: Jan Holesovsky <[email protected]> CommitDate: Fri Aug 3 05:21:25 2018 +0200 Add possibility to strace loolforkit if necessary for debugging. Needs a rebuild with STRACE_LOOLFORKIT defined, and setting the appropriate capabilities for the strace binary. Change-Id: I43d45fbafa3868f6ae42f740a773ad9ed7add668 diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index 1ddc041c1..fc1f83013 100644 --- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp @@ -1354,6 +1354,16 @@ bool LOOLWSD::createForKit() std::unique_lock<std::mutex> newChildrenLock(NewChildrenMutex); std::vector<std::string> args; +#ifdef STRACE_LOOLFORKIT + // if you want to use this, you need to setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/strace + args.push_back("-o"); + args.push_back("strace.log"); + args.push_back("-f"); + args.push_back("-tt"); + args.push_back("-s"); + args.push_back("256"); + args.push_back(Path(Application::instance().commandPath()).parent().toString() + "loolforkit"); +#endif args.push_back("--losubpath=" + std::string(LO_JAIL_SUBPATH)); args.push_back("--systemplate=" + SysTemplate); args.push_back("--lotemplate=" + LoTemplate); @@ -1381,8 +1391,11 @@ bool LOOLWSD::createForKit() if (NoSeccomp) args.push_back("--noseccomp"); +#ifdef STRACE_LOOLFORKIT + std::string forKitPath = "strace"; +#else std::string forKitPath = Path(Application::instance().commandPath()).parent().toString() + "loolforkit"; - +#endif // Always reap first, in case we haven't done so yet. if (ForKitProcId != -1) commit 6ab7acc6d6b28f2e33858fd9ff64f578a821384b Author: Jan Holesovsky <[email protected]> AuthorDate: Wed Aug 1 19:20:05 2018 +0200 Commit: Jan Holesovsky <[email protected]> CommitDate: Fri Aug 3 05:20:56 2018 +0200 wsd: Kill --nocaps, and use --o:security.capabilities="false" instead. The --nocaps apparently stopped working when the security.capabilities was introduced. Change-Id: Ieee173e97b62eb4e254667bd105826486e6bdbcb diff --git a/Makefile.am b/Makefile.am index d12a8f24f..5b1767bcd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -287,7 +287,7 @@ run-gdb: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt gdb --tui --args \ - ./loolwsd --nocaps \ + ./loolwsd --o:security.capabilities="false" \ --o:sys_template_path="@SYSTEMPLATE_PATH@" --o:lo_template_path="@LO_PATH@" \ --o:child_root_path="@JAILS_PATH@" --o:storage.filesystem[@allow]=true \ --o:tile_cache_path="@TILECACHE_PATH@" \ @@ -302,7 +302,7 @@ run-callgrind: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt valgrind --tool=callgrind --simulate-cache=yes --dump-instr=yes --num-callers=50 --error-limit=no --trace-children=yes \ - ./loolwsd --nocaps \ + ./loolwsd --o:security.capabilities="false" \ --o:sys_template_path="@SYSTEMPLATE_PATH@" --o:lo_template_path="@LO_PATH@" \ --o:child_root_path="@JAILS_PATH@" --o:storage.filesystem[@allow]=true \ --o:tile_cache_path="@TILECACHE_PATH@" \ @@ -317,7 +317,7 @@ run-strace: all @TILECACHE_PATH@ @JAILS_PATH@ @SYSTEMPLATE_PATH@/system_stamp @fc-cache "@LO_PATH@"/share/fonts/truetype @cp $(abs_top_srcdir)/test/data/hello.odt $(abs_top_srcdir)/test/data/hello-world.odt strace -o strace.log -f -tt -s 256 \ - ./loolwsd --nocaps \ + ./loolwsd --o:security.capabilities="false" \ --o:sys_template_path="@SYSTEMPLATE_PATH@" --o:lo_template_path="@LO_PATH@" \ --o:child_root_path="@JAILS_PATH@" --o:storage.filesystem[@allow]=true \ --o:tile_cache_path="@TILECACHE_PATH@" \ diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index 3b47fac4e..1ddc041c1 100644 --- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp @@ -1113,10 +1113,6 @@ void LOOLWSD::defineOptions(OptionSet& optionSet) .required(false) .repeatable(false) .argument("seconds")); - - optionSet.addOption(Option("nocaps", "", "Use a non-privileged forkit, with increase in security problems.") - .required(false) - .repeatable(false)); #endif #ifdef FUZZER @@ -1162,10 +1158,6 @@ void LOOLWSD::handleOption(const std::string& optionName, UnitTestLibrary = value; else if (optionName == "careerspan") careerSpanMs = std::stoi(value) * 1000; // Convert second to ms -#ifndef KIT_IN_PROCESS - else if (optionName == "nocaps") - NoCapsForKit = true; -#endif static const char* clientPort = std::getenv("LOOL_TEST_CLIENT_PORT"); if (clientPort) _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
