This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



"module privilege check" breaks (cross-)compilation due to libelf dependency


Hi,

Commit "bb4470cacb3f7ce5161f9e8a1b7c37a87516a6c3 PR 13128: Implement module privilege check in staprun." has broken my cross-compilation environment for building the "staprun" tool for ARM Android (I do the first 4 steps on the host and the staprun step on the target); see end of mail.
Having a deeper look, there is in fact code in staprun_funcs.c that requires libelf, like find_section_in_module() and get_module_required_credentials() (Elf_Scn for example), and that is not surrounded by HAVE_LIBELF_H or HAVE_ELF_GETSHDRSTRNDX.

I never had libelf in my ARM filesystem. I am using --with-elfutils, but configure.ac in runtime/staprun states that "We link only against the system elfutils.  Connecting to a bundled elfutils build (stap/configure --with-elfutils=PATH) is too tricky to bother with".

I then removed some code in a very hackish way to make it work (see below; basically the analysis of section STAP_PRIVILEGE_SECTION of the module), but I am not sure if this is aligned with the goal of the author.
The script executes fine on the target, but I am "root", so this can hide some other issue.



BUILD FAILURE:
  CC     staprun-staprun_funcs.o
staprun_funcs.c:237: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
staprun_funcs.c: In function 'get_module_required_credentials':
staprun_funcs.c:587: error: 'Elf_Scn' undeclared (first use in this function)
staprun_funcs.c:587: error: (Each undeclared identifier is reported only once
staprun_funcs.c:587: error: for each function it appears in.)
staprun_funcs.c:587: error: 'scn' undeclared (first use in this function)
staprun_funcs.c:588: error: 'Elf_Data' undeclared (first use in this function)
staprun_funcs.c:588: error: 'data' undeclared (first use in this function)
staprun_funcs.c:589: error: 'GElf_Shdr' undeclared (first use in this function)
staprun_funcs.c:589: error: expected ';' before 'shdr'

Hackish patch:
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 163a0ce..17265f3 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -233,14 +233,14 @@ find_section_in_module(const void* module_file, const __off_t st_size, const cha
        }
        return scn;
 }
-#else /* no elf */
-static Elf_Scn *
-find_section_in_module(const void* v __attribute__((unused)),
-                       const __off_t o __attribute__((unused)),
-                       const char *c __attribute__((unused)))
-{
-       return NULL;
-}
+//#else /* no elf */
+//static Elf_Scn *
+//find_section_in_module(const void* v __attribute__((unused)),
+//                       const __off_t o __attribute__((unused)),
+//                       const char *c __attribute__((unused)))
+//{
+//     return NULL;
+//}
 #endif

 int
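
Review bot: the no-elf stub in the #else branch should be deleted or repaired, not left behind as //-commented dead code. The build log reports staprun_funcs.c:237, which is this stub's "static Elf_Scn *" return type, so the stub can never compile without the libelf headers. Either drop the lines outright or give the stub a return type that exists without libelf (for example void *), so that a no-libelf build still has a definition of find_section_in_module().
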
@@ -582,6 +582,7 @@ check_uprobes_module_path (
  * Returns the required credentials if they can be determined or the default safe required
  * credentials otherwise.
  */
+#if 0
 static privilege_t get_module_required_credentials (const void* module_file, const __off_t st_size)
 {
   Elf_Scn *scn = 0;
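
Review bot: the #if 0 above get_module_required_credentials() disables the function for every build, including hosts that do have libelf. Guard it with the same HAVE_LIBELF_H condition used later in check_groups(), and provide a no-libelf variant that returns what the comment above calls "the default safe required credentials", so callers keep a fail-closed answer instead of losing the function.
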
@@ -645,7 +646,7 @@ static privilege_t get_module_required_credentials (const void* module_file, con
   /* ALl is ok. Return the extrated privilege data. */
   return privilege;
 }
-
+#endif
 /*
  * Check the user's group membership.
  *
@@ -668,8 +669,9 @@ check_groups (
   off_t module_size
 )
 {
-  privilege_t user_credentials, module_required_credentials;
-
+  privilege_t user_credentials;//, module_required_credentials;
+module_data = NULL;
+module_size = 0;
   /* Lookup the user's privilege credentials. */
   user_credentials = get_privilege_credentials ();

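
Review bot: the declaration of module_required_credentials is commented out unconditionally, yet the next hunk still assigns it inside #ifdef HAVE_LIBELF_H, so a build with libelf no longer compiles. The added "module_data = NULL;" and "module_size = 0;" lines also overwrite the arguments before the guarded call get_module_required_credentials (module_data, module_size) reads them. If the aim is only to silence unused-parameter warnings, cast them to void or mark them unused inside an #ifndef HAVE_LIBELF_H block, and indent the lines to match the function body.
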
@@ -684,6 +686,7 @@ check_groups (
     if (pr_contains (user_credentials, pr_stapsys))
       return 1;

+#ifdef HAVE_LIBELF_H
     /* For stapusr users, we must verify that the module was compiled for that privilege level. */
     module_required_credentials = get_module_required_credentials (module_data, module_size);
     if (pr_contains (user_credentials, pr_stapusr)) {
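
Review bot: with HAVE_LIBELF_H undefined, the step described by the comment "For stapusr users, we must verify that the module was compiled for that privilege level" is compiled out, so a no-libelf staprun performs no privilege-level comparison for stapusr users at all. The mail says the test ran as root, so this path was not exercised. The no-libelf build should treat the module as requiring the default safe credentials (and so reject it for stapusr where those are not met) instead of skipping the comparison.
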
@@ -700,8 +703,8 @@ check_groups (

     if (user_credentials == pr_none)
       return -2;
-
     return 0;
+#endif
   }

   /* Not fatal. The module could still be on a blessed path. */
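
Review bot: placing #endif after "return 0;" pulls the "user_credentials == pr_none" test and its "return -2" into the HAVE_LIBELF_H region, although neither depends on libelf. In a no-libelf build a caller that does not hit the pr_stapsys return then falls through to the code under "Not fatal. The module could still be on a blessed path." instead of getting -2 or 0. Close the guard directly after the stapusr block so that both returns stay unconditional, and keep the blank line before "return 0;".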


Regards
Fred

Frederic Turgis
OMAP Platform Business Unit - OMAP System Engineering - Platform Enablement - System Multimedia


Texas Instruments France SA, 821 Avenue Jack Kilby, 06270 Villeneuve Loubet. 036 420 040 R.C.S Antibes. Capital de EUR 753.920


