From: "Turgis, Frederic" <f-turgis@ti.com>
To: SystemTap <systemtap@sourceware.org>
Subject: "module privilege check" breaks (cross-)compilation due to libelf dependency
Date: Mon, 05 Dec 2011 13:58:00 -0000 [thread overview]
Message-ID: <28BE1A38672C8B4481BB423D0FD1F22E01BC1426@DNCE03.ent.ti.com> (raw)
Hi,
Commit "bb4470cacb3f7ce5161f9e8a1b7c37a87516a6c3 PR 13128: Implement module privilege check in staprun." has broken my cross-compilation environment to build "staprun" tool for ARM android (I do 4 first steps on host, staprun step on target), see end of mail.
Having a deeper look, there is in fact code in staprun_funcs.c that requires libelf like find_section_in_module() and get_module_required_credentials() (Elf_Scn for example) and that is not surrounded by HAVE_LIBELF_H or HAVE_ELF_GETSHDRSTRNDX
I never had libelf in my ARM filesystem, I am using --with-elfutils but configure.ac in runtime/staprun states that "We link only against the system elfutils. Connecting to a bundled elfutils build (stap/configure --with-elfutils=PATH) is too tricky to bother with"
I have then removed some code in a very hackish way to make it work (see below, basically the analysis of section STAP_PRIVILEGE_SECTION of module) but I am not sure if this is aligned with the goal of the author.
Script executes fine on target but I am "root" so this can hide some other issue
BUILD FAILURE:
CC staprun-staprun_funcs.o
staprun_funcs.c:237: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
staprun_funcs.c: In function 'get_module_required_credentials':
staprun_funcs.c:587: error: 'Elf_Scn' undeclared (first use in this function)
staprun_funcs.c:587: error: (Each undeclared identifier is reported only once
staprun_funcs.c:587: error: for each function it appears in.)
staprun_funcs.c:587: error: 'scn' undeclared (first use in this function)
staprun_funcs.c:588: error: 'Elf_Data' undeclared (first use in this function)
staprun_funcs.c:588: error: 'data' undeclared (first use in this function)
staprun_funcs.c:589: error: 'GElf_Shdr' undeclared (first use in this function)
staprun_funcs.c:589: error: expected ';' before 'shdr'
Hackish patch:
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 163a0ce..17265f3 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -233,14 +233,14 @@ find_section_in_module(const void* module_file, const __off_t st_size, const cha
}
return scn;
}
-#else /* no elf */
-static Elf_Scn *
-find_section_in_module(const void* v __attribute__((unused)),
- const __off_t o __attribute__((unused)),
- const char *c __attribute__((unused)))
-{
- return NULL;
-}
+//#else /* no elf */
+//static Elf_Scn *
+//find_section_in_module(const void* v __attribute__((unused)),
+// const __off_t o __attribute__((unused)),
+// const char *c __attribute__((unused)))
+//{
+// return NULL;
+//}
#endif
int
@@ -582,6 +582,7 @@ check_uprobes_module_path (
* Returns the required credentials if they can be determined or the default safe required
* credentials otherwise.
*/
+#if 0
static privilege_t get_module_required_credentials (const void* module_file, const __off_t st_size)
{
Elf_Scn *scn = 0;
@@ -645,7 +646,7 @@ static privilege_t get_module_required_credentials (const void* module_file, con
/* ALl is ok. Return the extrated privilege data. */
return privilege;
}
-
+#endif
/*
* Check the user's group membership.
*
@@ -668,8 +669,9 @@ check_groups (
off_t module_size
)
{
- privilege_t user_credentials, module_required_credentials;
-
+ privilege_t user_credentials;//, module_required_credentials;
+module_data = NULL;
+module_size = 0;
/* Lookup the user's privilege credentials. */
user_credentials = get_privilege_credentials ();
@@ -684,6 +686,7 @@ check_groups (
if (pr_contains (user_credentials, pr_stapsys))
return 1;
+#ifdef HAVE_LIBELF_H
/* For stapusr users, we must verify that the module was compiled for that privilege level. */
module_required_credentials = get_module_required_credentials (module_data, module_size);
if (pr_contains (user_credentials, pr_stapusr)) {
@@ -700,8 +703,8 @@ check_groups (
if (user_credentials == pr_none)
return -2;
-
return 0;
+#endif
}
/* Not fatal. The module could still be on a blessed path. */
Regards
Fred
Frederic Turgis
OMAP Platform Business Unit - OMAP System Engineering - Platform Enablement - System Multimedia
Texas Instruments France SA, 821 Avenue Jack Kilby, 06270 Villeneuve Loubet. 036 420 040 R.C.S Antibes. Capital de EUR 753.920
next reply other threads:[~2011-12-05 13:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-05 13:58 Turgis, Frederic [this message]
2011-12-05 14:09 ` Mark Wielaard
2011-12-05 16:13 ` Turgis, Frederic
2011-12-05 17:38 ` Dave Brolley
2011-12-06 8:40 ` Turgis, Frederic
2011-12-07 9:30 ` Dave Brolley
2011-12-07 11:20 ` Turgis, Frederic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28BE1A38672C8B4481BB423D0FD1F22E01BC1426@DNCE03.ent.ti.com \
--to=f-turgis@ti.com \
--cc=systemtap@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).