Re: [Rpm-maint] Getting make check to work

[Mark Wielaard]

On Wed, 2013-03-06 at 15:28 +0200, Panu Matilainen wrote:
 ./configure CPPFLAGS=`pkg-config --cflags nss` --with-external-db
 make
 make check
 [...]
 And finally, thanks for complaining about this, really. One can only 
 explain known bugs so many times before it gets so irritating as to 
 mandate a fix, which was the case here :)

Thank you! All 266 tests were successful.

Awesome,

Mark

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] FSM hooks for rpm plugin

[Reshetova, Elena]

On 03/06/2013 05:01 PM, Reshetova, Elena wrote:
 What's missing is that another call to the hook is needed in
 fsmMkdirs() for the unowned directories, and there we should perhaps pass 
 in the unowned
 aspect somehow. Having a separate argument for that seems like an
 overkill though... maybe we could pass that piece of info in the
 action argument instead. One possibility could be adding a new
 action, eg FA_CREATEUNOWNED that could be used for unowned
 directories (and files, but there aren't any currently). Or we could
 define the action as a partial bitfield: leave the existing actions
 alone but reserve the upper byte for special bits, such as
 unknown. I had some other use-case for turning it into (partial) bitfield 
 but can't remember what it was right now.

 I think bitfield would be better in this case: if one start introduce
 actions FA_CREATEUNOWNED, then why not have FA_CREATELINK and etc. I
 will add hook calling for mkdirs, but I think it is better that you do
 a change of actions in a separate commit.

Sure, and I agree bitfield seems like the better option as it'll allow 
cramming a whole lot more information in there. There's a whole lot of 
redundancy in the current actions (all the skip cases for example) and some 
of the values are totally unused as well.

As the file actions aren't really exported in the API in a way that somebody 
could actually be using them, we might be able to get away with just 
redefining the whole thing as a bitfield and add the old symbols as defines 
or'ed together from the bits. But I'll need to think about it some more, in 
any case such a total conversion is not required in order to add a handful 
of bits right now.

Ok, I think if you can add an unowned bit to it for a start, this can be a 
good beginning and then even the existing pre/post hooks can get one less 
argument, which is great.

 Continue on bit field idea, it would be great for plugins to get the
 basic info about  the file acted upon from action also: so , if we are
 adding unowned bit, should the basic bits indicating hard or sym link
 be also supplied in action? Like action could point that it is
 creation of symlink or removal of hard link. Is it too bad idea?

Hmm, but we already pass the mode (and planning to pass the whole stat
struct) around, so you can tell whether its a symlink, directory or something 
else. Hardlinks are the more special case but you can tell them apart from 
others by st_nlinks from the stat struct. Except that you dont necessarily 
know which one is real file without extra tracking... unless st_nlinks is 1 
for real files (including the first
hardlink) and more for the actual links. I'm not sure if that's the case even 
already, but should be possible to arrange at least.

I am quite sure you can't tell it from stat struct which is real file and 
which is hard link: the value for st_nlinks is stored in inode and not in 
dentry in my understanding, that's why it isn't really easy for plugin to 
detect the hard links, so indicator would be a plus...

Best Regards,
Elena.



smime.p7s
Description: S/MIME cryptographic signature
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] FSM hooks for rpm plugin

[Panu Matilainen]

On 03/07/2013 03:59 PM, Reshetova, Elena wrote:

On 03/06/2013 05:01 PM, Reshetova, Elena wrote:

What's missing is that another call to the hook is needed in
fsmMkdirs() for the unowned directories, and there we should perhaps pass
in the unowned
aspect somehow. Having a separate argument for that seems like an
overkill though... maybe we could pass that piece of info in the
action argument instead. One possibility could be adding a new
action, eg FA_CREATEUNOWNED that could be used for unowned
directories (and files, but there aren't any currently). Or we could
define the action as a partial bitfield: leave the existing actions
alone but reserve the upper byte for special bits, such as
unknown. I had some other use-case for turning it into (partial) bitfield
but can't remember what it was right now.


I think bitfield would be better in this case: if one start introduce
actions FA_CREATEUNOWNED, then why not have FA_CREATELINK and etc. I
will add hook calling for mkdirs, but I think it is better that you do
a change of actions in a separate commit.



Sure, and I agree bitfield seems like the better option as it'll allow
cramming a whole lot more information in there. There's a whole lot of
redundancy in the current actions (all the skip cases for example) and some
of the values are totally unused as well.



As the file actions aren't really exported in the API in a way that somebody
could actually be using them, we might be able to get away with just
redefining the whole thing as a bitfield and add the old symbols as defines
or'ed together from the bits. But I'll need to think about it some more, in
any case such a total conversion is not required in order to add a handful
of bits right now.


Ok, I think if you can add an unowned bit to it for a start, this can be a
good beginning and then even the existing pre/post hooks can get one less
argument, which is great.


Sure, will do.




Continue on bit field idea, it would be great for plugins to get the
basic info about  the file acted upon from action also: so , if we are
adding unowned bit, should the basic bits indicating hard or sym link
be also supplied in action? Like action could point that it is
creation of symlink or removal of hard link. Is it too bad idea?



Hmm, but we already pass the mode (and planning to pass the whole stat
struct) around, so you can tell whether its a symlink, directory or something
else. Hardlinks are the more special case but you can tell them apart from
others by st_nlinks from the stat struct. Except that you dont necessarily
know which one is real file without extra tracking... unless st_nlinks is 1
for real files (including the first
hardlink) and more for the actual links. I'm not sure if that's the case even
already, but should be possible to arrange at least.


I am quite sure you can't tell it from stat struct which is real file and
which is hard link: the value for st_nlinks is stored in inode and not in
dentry in my understanding, that's why it isn't really easy for plugin to
detect the hard links, so indicator would be a plus...


A file is a hard-link if (S_ISREG(st-st_mode)  st-st_nlink  1) is 
true. When erasing, we get this info from filesystem so that remains 
accurate (the last one would be seen as the real file). On 
installation the stat struct of a file is made up by rpm, so we can pass 
whatever we want in there. Currently st_nlink for hardlinks equals the 
total number of links a file will have, but we can easily change that to 
the number of *current* links so that it better matches reality. Ie the 
first one will have st_nlink == 1 so it will be seen as the real file, 
the rest will st_nlink++ each. See attached patch for a quick 
implementation of this.


- Panu -





diff --git a/lib/fsm.c b/lib/fsm.c
index f28010c..5bd5bfa 100644
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -1052,7 +1052,7 @@ static int fsmMakeLinks(FSM_t fsm, hardLink_t li)
 return ec;
 }
 
-static int fsmCommit(FSM_t fsm, int ix, int setmeta);
+static int fsmCommit(FSM_t fsm, int ix, const struct stat * st);
 
 /** \ingroup payload
  * Commit hard linked file set atomically.
@@ -1065,8 +1065,7 @@ static int fsmCommitLinks(FSM_t fsm)
 const char * nsuffix = fsm-nsuffix;
 struct stat * st = fsm-sb;
 int rc = 0;
-int setmeta = 1;
-nlink_t i;
+nlink_t i, link_count = 1;
 hardLink_t li;
 
 fsm-path = NULL;
@@ -1081,10 +1080,10 @@ static int fsmCommitLinks(FSM_t fsm)
 	if (li-filex[i]  0) continue;
 	rc = fsmMapPath(fsm, li-filex[i]);
 	if (!XFA_SKIPPING(fsm-action)) {
-	rc = fsmCommit(fsm, li-filex[i], setmeta);
-	/* only the first created link needs permissions etc to be set */
+	st-st_nlink = link_count;
+	rc = fsmCommit(fsm, li-filex[i], st);
 	if (!rc)
-		setmeta = 0;
+		link_count++;
 	}
 	fsm-path = _free(fsm-path);
 	li-filex[i] = -1;
@@ -1542,10 +1541,9 @@ static int fsmBackup(FSM_t fsm)
 return rc;
 }
 
-static int fsmCommit(FSM_t fsm, int ix, int setmeta)

Re: [Rpm-maint] FSM hooks for rpm plugin

[Panu Matilainen]

On 03/07/2013 04:27 PM, Reshetova, Elena wrote:




If we now see a proper use case: like pre-commit can be used for
content checking or even checksum calculation (I would still probably
prefer to calculate it when it is read from archive: feels a bit safer
that way, while I understand logically that if file is in tmp location
and properly protected, nothing should happen to it anyway).



Yup, if you get it directly from the source then nothing can be tampering
with it, and certainly for at least checksum calculation is going to be more
efficient if you can do it on the fly (but then rpm can do multiple checksums
already, what's missing is exporting that functionality in a sane way). OTOH
if something can tamper with the file that we're creating then it can do
nasty stuff anyway, so its perhaps a bit academic.


Yes, I agree, I guess I went too paranoid on this, which I guess happens if
you work related to security :)


Yeah, occupational hazards. Each job has their own :)




Another concrete use-case could be a plugin to put %config files into a
version control of some kind. While this too would mostly be interested in
actually created/erased files, it might actually want to know about %ghosts
and such to be able to snapshot changes made by admin that might've
occurred outside of the package. Guess this needs further thought, or
better yet, actually trying to do it, but this might be a use-case for the
current hooks as they are now, getting called for all files of a package
  whether actually touched or not.


This almost drives us to have this set of hooks:

1) pre/post where they are now
2) metadata hook (both install and remove)
3) pre fsm commit hook for checking on a file content ()

Indeed needs more thinking 



Naah, we just need more hooks! :P


Until we get so many of them that we can't manage them anymore and they are
going to live on their own ;)


Seriously though, I've started thinking of that very same set of hooks so
we're probably not too far off-target here. But now I find myself wondering
whether 2) is actually necessary afterall: if we have pre- (and perhaps post
too) commit hook, and can pass in some additional information as file action
flag bits... we could have something like FA_SETMETA bit for the entries
where its appropriate (ie non-hardlinks I guess), and if there's a
post-commit hook as well, the plugins can decide whether to set permissions
before or after rpm.


  If instead of hook 2) we have a post fsm commit hook that with proper
parameter, I think it can be serving the same purpose. The only thing is that
setting permissions before rpm does it isn't really possible in this case,
because before fsmcommit() file isn't in final location yet. But again, I
guess rpm would always trust its own plugins by a nature of a system setup, so
we can assume that plugins won't try to change permissions that would break
rpm query or they would break their own system in that case.


Yup, rpm pretty much has to trust its plugins. OTOH... this made me 
think of another related issue: it would actually be better to set the 
permissions etc before moving the file to its final location. Currently 
we first move the file and then start setting permissions, which means 
executables and all will for a short period of time have totally 
incorrect permissions, labels and all. So if you happen to execute that 
binary during that period, who knows what will happen: it could fail to 
execute at all, execute with wrong capabilities / labels etc.


Setting the permissions before moving would fix that and also avoid 
replacing a previous file at all in case we fail to in one of the 
metadata steps. For the stock metadata the actual path makes no 
difference, but for security labels you'd want the final path though (to 
avoid having to figure out and strip the temp extension from the file), 
so it'd require passing two paths to the pre-commit hook: current and final.


- Panu -


___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] FSM hooks for rpm plugin

[Panu Matilainen]

On 03/07/2013 07:55 PM, Panu Matilainen wrote:

On 03/07/2013 04:27 PM, Reshetova, Elena wrote:

  If instead of hook 2) we have a post fsm commit hook that with proper
parameter, I think it can be serving the same purpose. The only thing
is that
setting permissions before rpm does it isn't really possible in this
case,
because before fsmcommit() file isn't in final location yet. But again, I
guess rpm would always trust its own plugins by a nature of a system
setup, so
we can assume that plugins won't try to change permissions that would
break
rpm query or they would break their own system in that case.


Yup, rpm pretty much has to trust its plugins. OTOH... this made me
think of another related issue: it would actually be better to set the
permissions etc before moving the file to its final location. Currently
we first move the file and then start setting permissions, which means
executables and all will for a short period of time have totally
incorrect permissions, labels and all. So if you happen to execute that
binary during that period, who knows what will happen: it could fail to
execute at all, execute with wrong capabilities / labels etc.

Setting the permissions before moving would fix that and also avoid
replacing a previous file at all in case we fail to in one of the
metadata steps. For the stock metadata the actual path makes no
difference, but for security labels you'd want the final path though (to
avoid having to figure out and strip the temp extension from the file),
so it'd require passing two paths to the pre-commit hook: current and
final.


...or we could open an fd to the temporary file and pass that along with 
the final pathname. At least all the standard metadata + file 
capabilities + selinux labels are settable via file descriptor as well 
as by path so for those the fd approach wouldn't be a problem.


- Panu -

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] FSM hooks for rpm plugin

[Panu Matilainen]

On 03/07/2013 08:05 PM, Panu Matilainen wrote:

On 03/07/2013 07:55 PM, Panu Matilainen wrote:

On 03/07/2013 04:27 PM, Reshetova, Elena wrote:

  If instead of hook 2) we have a post fsm commit hook that with proper
parameter, I think it can be serving the same purpose. The only thing
is that
setting permissions before rpm does it isn't really possible in this
case,
because before fsmcommit() file isn't in final location yet. But
again, I
guess rpm would always trust its own plugins by a nature of a system
setup, so
we can assume that plugins won't try to change permissions that would
break
rpm query or they would break their own system in that case.


Yup, rpm pretty much has to trust its plugins. OTOH... this made me
think of another related issue: it would actually be better to set the
permissions etc before moving the file to its final location. Currently
we first move the file and then start setting permissions, which means
executables and all will for a short period of time have totally
incorrect permissions, labels and all. So if you happen to execute that
binary during that period, who knows what will happen: it could fail to
execute at all, execute with wrong capabilities / labels etc.

Setting the permissions before moving would fix that and also avoid
replacing a previous file at all in case we fail to in one of the
metadata steps. For the stock metadata the actual path makes no
difference, but for security labels you'd want the final path though (to
avoid having to figure out and strip the temp extension from the file),
so it'd require passing two paths to the pre-commit hook: current and
final.


...or we could open an fd to the temporary file and pass that along with
the final pathname. At least all the standard metadata + file
capabilities + selinux labels are settable via file descriptor as well
as by path so for those the fd approach wouldn't be a problem.


...except that doesn't work for symlinks. So scratch that idea.

We need to construct both paths in commit anyway so there's no added 
cost or trouble, just needs changing fsmCommit() a little bit.
If the number of arguments starts growing too long, one option could be 
stuffing them into a struct whose pointer we hand to the hooks.
Actually, taking that a little bit further, we could hand an opaque 
file info handle to the hooks and force the hooks to go through an API 
to get the data, which would allow changing implementation details and 
adding more data without affecting compatibility.


And yes I'm getting ahead of the schedule here, just thinking out loud :)

- Panu -

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint