38 files changed, 1294 insertions, 396 deletions
diff --git a/Makefile.am b/Makefile.am index 9681381d..c58323f0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -7,7 +7,7 @@ AUTOMAKE_OPTIONS = no-dist foreign pkglibexecdir = ${libexecdir}/${PACKAGE} oldincludedir = ${includedir}/sys -AM_CPPFLAGS = -DBINDIR='"$(bindir)"' -DPKGDATADIR='"${pkgdatadir}"' -DPKGLIBDIR='"$(pkglibexecdir)"' +AM_CPPFLAGS = -DBINDIR='"$(bindir)"' -DSYSCONFDIR='"$(sysconfdir)"' -DPKGDATADIR='"${pkgdatadir}"' -DPKGLIBDIR='"$(pkglibexecdir)"' AM_CFLAGS = -D_GNU_SOURCE -fexceptions -Wall -Werror -Wunused -Wformat=2 -W AM_CXXFLAGS = -Wall -Werror @@ -16,14 +16,14 @@ man_MANS = stap.1 stapprobes.5 stapfuncs.5 stapvars.5 stapex.5 staprun.8 man/st # see also configure.ac bin_PROGRAMS = stap staprun -bin_SCRIPTS = stap-report +bin_SCRIPTS = stap-report stap-env stap-gen-cert stap-authorize-cert stap-authorize-signing-cert oldinclude_HEADERS = includes/sys/sdt.h if BUILD_SERVER man_MANS += stap-server.8 bin_PROGRAMS += stap-client-connect stap-server-connect bin_SCRIPTS += stap-client stap-serverd stap-server stap-find-servers \ stap-start-server stap-find-or-start-server stap-stop-server \ - stap-gen-server-cert stap-add-server-cert + stap-authorize-server-cert endif bin_SCRIPTS += dtrace stap_SOURCES = main.cxx \ @@ -78,7 +78,11 @@ stap_CXXFLAGS = $(AM_CXXFLAGS) @PIECXXFLAGS@ stap_CPPFLAGS = $(AM_CPPFLAGS) stap_LDFLAGS = $(AM_LDFLAGS) @PIELDFLAGS@ -if BUILD_SERVER +if HAVE_NSS +stap_SOURCES += modsign.cxx nsscommon.c +stap_CPPFLAGS += $(nss_CFLAGS) $(nspr_CFLAGS) +stap_LDADD += -lnss3 + stap_client_connect_LDFLAGS = $(AM_LDFLAGS) stap_server_connect_LDFLAGS = $(AM_LDFLAGS) endif 
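Review bot: In the `if HAVE_NSS` block of Makefile.am, `stap_client_connect_LDFLAGS` and `stap_server_connect_LDFLAGS` are now set under HAVE_NSS, although the hunk above adds those two programs to `bin_PROGRAMS` only under BUILD_SERVER. This is harmless for the build but misleading to read, so I would keep the two assignments in their own `if BUILD_SERVER` / `endif` pair. The added `stap_LDADD += -lnss3` names a single library while the compile flags come from `$(nss_CFLAGS) $(nspr_CFLAGS)`. If modsign.cxx (not shown here) calls NSPR or another NSS library directly, the link depends on indirect dependencies, so a libs variable substituted by configure would be more robust.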
@@ -128,6 +132,12 @@ staprun_CFLAGS = @PROCFLAGS@ $(AM_CFLAGS) @PIECFLAGS@ -DSINGLE_THREADED -fno-str staprun_LDFLAGS = $(AM_LDFLAGS) @PIELDFLAGS@ staprun_LDADD = @PROCFLAGS@ +if HAVE_NSS +staprun_SOURCES += runtime/staprun/modverify.c nsscommon.c +staprun_CFLAGS += $(nss_CFLAGS) $(nspr_CFLAGS) +staprun_LDADD += -lnss3 +endif + stapio_SOURCES = runtime/staprun/stapio.c \ runtime/staprun/mainloop.c runtime/staprun/common.c \ runtime/staprun/ctl.c \ diff --git a/Makefile.in b/Makefile.in index 12a5e6ea..c228d957 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
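Review bot: The staprun `if HAVE_NSS` block links `-lnss3` and adds `runtime/staprun/modverify.c` and `nsscommon.c` to a binary that is normally installed with elevated privileges (I believe staprun is setuid in this project; please confirm), and nothing next to these lines records that. A short comment would help later maintainers weigh changes here, for example `# staprun verifies module signatures with NSS (modverify.c); NSS must only be given trusted, root-owned database paths`. As in the stap block, only `-lnss3` is named on the link line, so any direct use of NSPR or other NSS libraries in modverify.c (not shown) depends on indirect linking.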
@@ -39,17 +39,23 @@ bin_PROGRAMS = stap$(EXEEXT) staprun$(EXEEXT) $(am__EXEEXT_1) @BUILD_SERVER_TRUE@am__append_2 = stap-client-connect stap-server-connect @BUILD_SERVER_TRUE@am__append_3 = stap-client stap-serverd stap-server stap-find-servers \ @BUILD_SERVER_TRUE@ stap-start-server stap-find-or-start-server stap-stop-server \ -@BUILD_SERVER_TRUE@ stap-gen-server-cert stap-add-server-cert +@BUILD_SERVER_TRUE@ stap-authorize-server-cert -@BUILD_ELFUTILS_TRUE@am__append_4 = -Iinclude-elfutils -@BUILD_ELFUTILS_TRUE@am__append_5 = -Llib-elfutils -Wl,-rpath-link,lib-elfutils \ +@HAVE_NSS_TRUE@am__append_4 = modsign.cxx nsscommon.c +@HAVE_NSS_TRUE@am__append_5 = $(nss_CFLAGS) $(nspr_CFLAGS) +@HAVE_NSS_TRUE@am__append_6 = -lnss3 +@BUILD_ELFUTILS_TRUE@am__append_7 = -Iinclude-elfutils +@BUILD_ELFUTILS_TRUE@am__append_8 = -Llib-elfutils -Wl,-rpath-link,lib-elfutils \ @BUILD_ELFUTILS_TRUE@ -Wl,--enable-new-dtags,-rpath,$(pkglibdir) -@BUILD_ELFUTILS_TRUE@am__append_6 = stamp-elfutils -@BUILD_ELFUTILS_TRUE@am__append_7 = stamp-elfutils -@BUILD_ELFUTILS_TRUE@am__append_8 = lib-elfutils/libdw.so -@BUILD_ELFUTILS_TRUE@am__append_9 = install-elfutils -@BUILD_SERVER_TRUE@am__append_10 = install-scripts +@BUILD_ELFUTILS_TRUE@am__append_9 = stamp-elfutils +@BUILD_ELFUTILS_TRUE@am__append_10 = stamp-elfutils +@BUILD_ELFUTILS_TRUE@am__append_11 = lib-elfutils/libdw.so +@BUILD_ELFUTILS_TRUE@am__append_12 = install-elfutils +@BUILD_SERVER_TRUE@am__append_13 = install-scripts +@HAVE_NSS_TRUE@am__append_14 = runtime/staprun/modverify.c nsscommon.c +@HAVE_NSS_TRUE@am__append_15 = $(nss_CFLAGS) $(nspr_CFLAGS) +@HAVE_NSS_TRUE@am__append_16 = -lnss3 pkglibexec_PROGRAMS = stapio$(EXEEXT) noinst_PROGRAMS = loc2c-test$(EXEEXT) subdir = . 
@@ -102,16 +108,19 @@ am_loc2c_test_OBJECTS = loc2c_test-loc2c-test.$(OBJEXT) \ loc2c_test-loc2c.$(OBJEXT) loc2c_test_OBJECTS = $(am_loc2c_test_OBJECTS) am__DEPENDENCIES_1 = -loc2c_test_DEPENDENCIES = $(am__DEPENDENCIES_1) +am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) +loc2c_test_DEPENDENCIES = $(am__DEPENDENCIES_2) loc2c_test_LINK = $(CCLD) $(loc2c_test_CFLAGS) $(CFLAGS) \ $(loc2c_test_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_NSS_TRUE@am__objects_1 = stap-modsign.$(OBJEXT) \ +@HAVE_NSS_TRUE@ stap-nsscommon.$(OBJEXT) am_stap_OBJECTS = stap-main.$(OBJEXT) stap-parse.$(OBJEXT) \ stap-staptree.$(OBJEXT) stap-elaborate.$(OBJEXT) \ stap-translate.$(OBJEXT) stap-tapsets.$(OBJEXT) \ stap-buildrun.$(OBJEXT) stap-loc2c.$(OBJEXT) \ stap-hash.$(OBJEXT) stap-mdfour.$(OBJEXT) stap-cache.$(OBJEXT) \ stap-util.$(OBJEXT) stap-coveragedb.$(OBJEXT) \ - stap-dwarf_wrappers.$(OBJEXT) + stap-dwarf_wrappers.$(OBJEXT) $(am__objects_1) stap_OBJECTS = $(am_stap_OBJECTS) stap_LINK = $(CXXLD) $(stap_CXXFLAGS) $(CXXFLAGS) $(stap_LDFLAGS) \ $(LDFLAGS) -o $@ @@ -132,11 +141,13 @@ stapio_OBJECTS = $(am_stapio_OBJECTS) stapio_DEPENDENCIES = stapio_LINK = $(CCLD) $(stapio_CFLAGS) $(CFLAGS) $(stapio_LDFLAGS) \ $(LDFLAGS) -o $@ +@HAVE_NSS_TRUE@am__objects_2 = staprun-modverify.$(OBJEXT) \ +@HAVE_NSS_TRUE@ staprun-nsscommon.$(OBJEXT) am_staprun_OBJECTS = staprun-staprun.$(OBJEXT) \ staprun-staprun_funcs.$(OBJEXT) staprun-ctl.$(OBJEXT) \ - staprun-common.$(OBJEXT) + staprun-common.$(OBJEXT) $(am__objects_2) staprun_OBJECTS = $(am_staprun_OBJECTS) -staprun_DEPENDENCIES = +staprun_DEPENDENCIES = $(am__DEPENDENCIES_1) staprun_LINK = $(CCLD) $(staprun_CFLAGS) $(CFLAGS) $(staprun_LDFLAGS) \ $(LDFLAGS) -o $@ binSCRIPT_INSTALL = $(INSTALL_SCRIPT) 
@@ -295,7 +306,7 @@ top_srcdir = @top_srcdir@ # we don't maintain a ChangeLog, which makes us non-GNU -> foreign AUTOMAKE_OPTIONS = no-dist foreign pkglibexecdir = ${libexecdir}/${PACKAGE} -AM_CPPFLAGS = -DBINDIR='"$(bindir)"' -DPKGDATADIR='"${pkgdatadir}"' -DPKGLIBDIR='"$(pkglibexecdir)"' +AM_CPPFLAGS = -DBINDIR='"$(bindir)"' -DSYSCONFDIR='"$(sysconfdir)"' -DPKGDATADIR='"${pkgdatadir}"' -DPKGLIBDIR='"$(pkglibexecdir)"' AM_CFLAGS = -D_GNU_SOURCE -fexceptions -Wall -Werror -Wunused -Wformat=2 -W AM_CXXFLAGS = -Wall -Werror man_MANS = stap.1 stapprobes.5 stapfuncs.5 stapvars.5 stapex.5 \ @@ -305,14 +316,14 @@ man_MANS = stap.1 stapprobes.5 stapfuncs.5 stapvars.5 stapex.5 \ man/stapprobes.rpc.5 man/stapprobes.scsi.5 \ man/stapprobes.signal.5 man/stapprobes.socket.5 \ man/stapprobes.tcp.5 man/stapprobes.udp.5 $(am__append_1) -bin_SCRIPTS = stap-report $(am__append_3) dtrace +bin_SCRIPTS = stap-report stap-env stap-gen-cert stap-authorize-cert \ + stap-authorize-signing-cert $(am__append_3) dtrace oldinclude_HEADERS = includes/sys/sdt.h -stap_SOURCES = main.cxx \ - parse.cxx staptree.cxx elaborate.cxx translate.cxx \ - tapsets.cxx buildrun.cxx loc2c.c hash.cxx mdfour.c \ - cache.cxx util.cxx coveragedb.cxx dwarf_wrappers.cxx - -stap_LDADD = @stap_LIBS@ @sqlite3_LIBS@ +stap_SOURCES = main.cxx parse.cxx staptree.cxx elaborate.cxx \ + translate.cxx tapsets.cxx buildrun.cxx loc2c.c hash.cxx \ + mdfour.c cache.cxx util.cxx coveragedb.cxx dwarf_wrappers.cxx \ + $(am__append_4) +stap_LDADD = @stap_LIBS@ @sqlite3_LIBS@ $(am__append_6) # Arrange for git_version.h to be regenerated at every "make". # Code fragment is based upon RadeonHD.am. 
@@ -322,24 +333,25 @@ stap_LDADD = @stap_LIBS@ @sqlite3_LIBS@ # of foo-bar.c if it is newer than the foo-bar.o file. Using noinst_foo_SOURCES # instead of foo_SOURCES prevents shipping git_version.h in dist tarballs, # which may cause false GIT_FOO readings. -BUILT_SOURCES = git_version.stamp $(am__append_6) -CLEANFILES = git_version.h $(am__append_7) $(pkglibexec_PROGRAMS) -stap_DEPENDENCIES = $(am__append_8) +BUILT_SOURCES = git_version.stamp $(am__append_9) +CLEANFILES = git_version.h $(am__append_10) $(pkglibexec_PROGRAMS) +stap_DEPENDENCIES = $(am__append_11) GIT_VERSION_CMD = $(SHELL) $(top_srcdir)/git_version.sh stap_CFLAGS = $(AM_CFLAGS) @PIECFLAGS@ stap_CXXFLAGS = $(AM_CXXFLAGS) @PIECXXFLAGS@ -stap_CPPFLAGS = $(AM_CPPFLAGS) $(am__append_4) -stap_LDFLAGS = $(AM_LDFLAGS) @PIELDFLAGS@ $(am__append_5) -@BUILD_SERVER_TRUE@stap_client_connect_LDFLAGS = $(AM_LDFLAGS) -@BUILD_SERVER_TRUE@stap_server_connect_LDFLAGS = $(AM_LDFLAGS) -PHONIES = $(am__append_9) $(am__append_10) dist-gzip -staprun_SOURCES = runtime/staprun/staprun.c runtime/staprun/staprun_funcs.c\ - runtime/staprun/ctl.c runtime/staprun/common.c - +stap_CPPFLAGS = $(AM_CPPFLAGS) $(am__append_5) $(am__append_7) +stap_LDFLAGS = $(AM_LDFLAGS) @PIELDFLAGS@ $(am__append_8) +@HAVE_NSS_TRUE@stap_client_connect_LDFLAGS = $(AM_LDFLAGS) +@HAVE_NSS_TRUE@stap_server_connect_LDFLAGS = $(AM_LDFLAGS) +PHONIES = $(am__append_12) $(am__append_13) dist-gzip +staprun_SOURCES = runtime/staprun/staprun.c \ + runtime/staprun/staprun_funcs.c runtime/staprun/ctl.c \ + runtime/staprun/common.c $(am__append_14) staprun_CPPFLAGS = $(AM_CPPFLAGS) -staprun_CFLAGS = @PROCFLAGS@ $(AM_CFLAGS) @PIECFLAGS@ -DSINGLE_THREADED -fno-strict-aliasing +staprun_CFLAGS = @PROCFLAGS@ $(AM_CFLAGS) @PIECFLAGS@ \ + -DSINGLE_THREADED -fno-strict-aliasing $(am__append_15) staprun_LDFLAGS = $(AM_LDFLAGS) @PIELDFLAGS@ -staprun_LDADD = @PROCFLAGS@ +staprun_LDADD = @PROCFLAGS@ $(am__append_16) stapio_SOURCES = runtime/staprun/stapio.c \ 
runtime/staprun/mainloop.c runtime/staprun/common.c \ runtime/staprun/ctl.c \ @@ -577,6 +589,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-loc2c.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-main.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-mdfour.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-modsign.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-nsscommon.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-parse.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-staptree.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stap-tapsets.Po@am__quote@ @@ -592,6 +606,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stapio-stapio.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-common.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-ctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-modverify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-nsscommon.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-staprun.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/staprun-staprun_funcs.Po@am__quote@ 
@@ -665,6 +681,20 @@ stap-mdfour.obj: mdfour.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CFLAGS) $(CFLAGS) -c -o stap-mdfour.obj `if test -f 'mdfour.c'; then $(CYGPATH_W) 'mdfour.c'; else $(CYGPATH_W) '$(srcdir)/mdfour.c'; fi` +stap-nsscommon.o: nsscommon.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CFLAGS) $(CFLAGS) -MT stap-nsscommon.o -MD -MP -MF $(DEPDIR)/stap-nsscommon.Tpo -c -o stap-nsscommon.o `test -f 'nsscommon.c' || echo '$(srcdir)/'`nsscommon.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/stap-nsscommon.Tpo $(DEPDIR)/stap-nsscommon.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='nsscommon.c' object='stap-nsscommon.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CFLAGS) $(CFLAGS) -c -o stap-nsscommon.o `test -f 'nsscommon.c' || echo '$(srcdir)/'`nsscommon.c + +stap-nsscommon.obj: nsscommon.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CFLAGS) $(CFLAGS) -MT stap-nsscommon.obj -MD -MP -MF $(DEPDIR)/stap-nsscommon.Tpo -c -o stap-nsscommon.obj `if test -f 'nsscommon.c'; then $(CYGPATH_W) 'nsscommon.c'; else $(CYGPATH_W) '$(srcdir)/nsscommon.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/stap-nsscommon.Tpo $(DEPDIR)/stap-nsscommon.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='nsscommon.c' object='stap-nsscommon.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CFLAGS) $(CFLAGS) -c -o stap-nsscommon.obj `if test -f 'nsscommon.c'; then 
$(CYGPATH_W) 'nsscommon.c'; else $(CYGPATH_W) '$(srcdir)/nsscommon.c'; fi` + stap_client_connect-stap-client-connect.o: stap-client-connect.c @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(stap_client_connect_CFLAGS) $(CFLAGS) -MT stap_client_connect-stap-client-connect.o -MD -MP -MF $(DEPDIR)/stap_client_connect-stap-client-connect.Tpo -c -o stap_client_connect-stap-client-connect.o `test -f 'stap-client-connect.c' || echo '$(srcdir)/'`stap-client-connect.c @am__fastdepCC_TRUE@ mv -f $(DEPDIR)/stap_client_connect-stap-client-connect.Tpo $(DEPDIR)/stap_client_connect-stap-client-connect.Po 
@@ -833,6 +863,34 @@ staprun-common.obj: runtime/staprun/common.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -c -o staprun-common.obj `if test -f 'runtime/staprun/common.c'; then $(CYGPATH_W) 'runtime/staprun/common.c'; else $(CYGPATH_W) '$(srcdir)/runtime/staprun/common.c'; fi` +staprun-modverify.o: runtime/staprun/modverify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -MT staprun-modverify.o -MD -MP -MF $(DEPDIR)/staprun-modverify.Tpo -c -o staprun-modverify.o `test -f 'runtime/staprun/modverify.c' || echo '$(srcdir)/'`runtime/staprun/modverify.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/staprun-modverify.Tpo $(DEPDIR)/staprun-modverify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='runtime/staprun/modverify.c' object='staprun-modverify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -c -o staprun-modverify.o `test -f 'runtime/staprun/modverify.c' || echo '$(srcdir)/'`runtime/staprun/modverify.c + +staprun-modverify.obj: runtime/staprun/modverify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -MT staprun-modverify.obj -MD -MP -MF $(DEPDIR)/staprun-modverify.Tpo -c -o staprun-modverify.obj `if test -f 'runtime/staprun/modverify.c'; then $(CYGPATH_W) 'runtime/staprun/modverify.c'; else $(CYGPATH_W) '$(srcdir)/runtime/staprun/modverify.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/staprun-modverify.Tpo $(DEPDIR)/staprun-modverify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='runtime/staprun/modverify.c' 
object='staprun-modverify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -c -o staprun-modverify.obj `if test -f 'runtime/staprun/modverify.c'; then $(CYGPATH_W) 'runtime/staprun/modverify.c'; else $(CYGPATH_W) '$(srcdir)/runtime/staprun/modverify.c'; fi` + +staprun-nsscommon.o: nsscommon.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -MT staprun-nsscommon.o -MD -MP -MF $(DEPDIR)/staprun-nsscommon.Tpo -c -o staprun-nsscommon.o `test -f 'nsscommon.c' || echo '$(srcdir)/'`nsscommon.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/staprun-nsscommon.Tpo $(DEPDIR)/staprun-nsscommon.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='nsscommon.c' object='staprun-nsscommon.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -c -o staprun-nsscommon.o `test -f 'nsscommon.c' || echo '$(srcdir)/'`nsscommon.c + +staprun-nsscommon.obj: nsscommon.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -MT staprun-nsscommon.obj -MD -MP -MF $(DEPDIR)/staprun-nsscommon.Tpo -c -o staprun-nsscommon.obj `if test -f 'nsscommon.c'; then $(CYGPATH_W) 'nsscommon.c'; else $(CYGPATH_W) '$(srcdir)/nsscommon.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/staprun-nsscommon.Tpo $(DEPDIR)/staprun-nsscommon.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='nsscommon.c' object='staprun-nsscommon.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(staprun_CPPFLAGS) $(CPPFLAGS) $(staprun_CFLAGS) $(CFLAGS) -c -o staprun-nsscommon.obj `if test -f 'nsscommon.c'; then $(CYGPATH_W) 'nsscommon.c'; else $(CYGPATH_W) '$(srcdir)/nsscommon.c'; fi` + .cxx.o: @am__fastdepCXX_TRUE@ $(CXXCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCXX_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po 
@@ -1014,6 +1072,20 @@ stap-dwarf_wrappers.obj: dwarf_wrappers.cxx @AMDEP_TRUE@@am__fastdepCXX_FALSE@ source='dwarf_wrappers.cxx' object='stap-dwarf_wrappers.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCXX_FALSE@ $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CXXFLAGS) $(CXXFLAGS) -c -o stap-dwarf_wrappers.obj `if test -f 'dwarf_wrappers.cxx'; then $(CYGPATH_W) 'dwarf_wrappers.cxx'; else $(CYGPATH_W) '$(srcdir)/dwarf_wrappers.cxx'; fi` + +stap-modsign.o: modsign.cxx +@am__fastdepCXX_TRUE@ $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CXXFLAGS) $(CXXFLAGS) -MT stap-modsign.o -MD -MP -MF $(DEPDIR)/stap-modsign.Tpo -c -o stap-modsign.o `test -f 'modsign.cxx' || echo '$(srcdir)/'`modsign.cxx +@am__fastdepCXX_TRUE@ mv -f $(DEPDIR)/stap-modsign.Tpo $(DEPDIR)/stap-modsign.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ source='modsign.cxx' object='stap-modsign.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CXXFLAGS) $(CXXFLAGS) -c -o stap-modsign.o `test -f 'modsign.cxx' || echo '$(srcdir)/'`modsign.cxx + +stap-modsign.obj: modsign.cxx +@am__fastdepCXX_TRUE@ $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CXXFLAGS) $(CXXFLAGS) -MT stap-modsign.obj -MD -MP -MF $(DEPDIR)/stap-modsign.Tpo -c -o stap-modsign.obj `if test -f 'modsign.cxx'; then $(CYGPATH_W) 'modsign.cxx'; else $(CYGPATH_W) '$(srcdir)/modsign.cxx'; fi` +@am__fastdepCXX_TRUE@ mv -f $(DEPDIR)/stap-modsign.Tpo $(DEPDIR)/stap-modsign.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ source='modsign.cxx' object='stap-modsign.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCXX_FALSE@ $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stap_CPPFLAGS) $(CPPFLAGS) $(stap_CXXFLAGS) $(CXXFLAGS) -c -o stap-modsign.obj `if test -f 'modsign.cxx'; then $(CYGPATH_W) 'modsign.cxx'; else $(CYGPATH_W) '$(srcdir)/modsign.cxx'; fi` install-man1: $(man1_MANS) $(man_MANS) @$(NORMAL_INSTALL) test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)" @@ -1242,8 +1314,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS @@ -1268,8 +1340,8 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) config.in $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -1279,12 +1351,13 @@ ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) config.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique 
@@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.10.1 -*- Autoconf -*- +# generated automatically by aclocal 1.10 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -11,15 +11,12 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -m4_if(AC_AUTOCONF_VERSION, [2.61],, -[m4_warning([this file was generated for autoconf 2.61. -You have another version of autoconf. It may work, but is not guaranteed to. -If you have problems, you may need to regenerate the build system entirely. -To do so, use the procedure documented by the package, typically `autoreconf'.])]) +m4_if(m4_PACKAGE_VERSION, [2.61],, +[m4_fatal([this file was generated for autoconf 2.61. +You have another version of autoconf. If you want to use that, +you should regenerate the build system entirely.], [63])]) -# Copyright (C) 2002, 2003, 2005, 2006, 2007 Free Software Foundation, Inc. +# Copyright (C) 2002, 2003, 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -34,7 +31,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.10' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.10.1], [], +m4_if([$1], [1.10], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) 
@@ -50,10 +47,8 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AC_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.10.1])dnl -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)]) +[AM_AUTOMAKE_VERSION([1.10])dnl +_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- @@ -348,7 +343,7 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. - if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then dirpart=`AS_DIRNAME("$mf")` else continue @@ -396,13 +391,13 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # Do all the work for Automake. -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 13 +# serial 12 # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. 
@@ -507,17 +502,16 @@ AC_PROVIDE_IFELSE([AC_PROG_OBJC], # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. -_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $_am_arg | $_am_arg:* ) + $1 | $1:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) +echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. # @@ -878,7 +872,7 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])]) # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- -# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. +# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) diff --git a/buildrun.cxx b/buildrun.cxx index 6a266bd2..48d4ea50 100644 --- a/buildrun.cxx +++ b/buildrun.cxx @@ -10,6 +10,9 @@ #include "buildrun.h" #include "session.h" #include "util.h" +#if HAVE_NSS +#include "modsign.h" +#endif #include <cstdlib> #include <fstream> @@ -209,6 +212,14 @@ compile_pass (systemtap_session& s) rc = run_make_cmd(s, make_cmd); +#if HAVE_NSS + // If a certificate database was specified, then try to sign the module. + // Failure to do so is not a fatal error. If the signature is actually needed, + // staprun will complain at that time. + if (!s.cert_db_path.empty()) + sign_module (s); +#endif + return rc; } @@ -1,12 +1,12 @@ // systemtap cache manager -// Copyright (C) 2006-2008 Red Hat Inc. +// Copyright (C) 2006-2009 Red Hat Inc. // // This file is part of systemtap, and is free software. You can // redistribute it and/or modify it under the terms of the GNU General // Public License (GPL); either version 2, or (at your option) any // later version. - +#include "config.h" #include "session.h" #include "cache.h" #include "util.h" 
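Review bot: In `compile_pass` (buildrun.cxx), `sign_module (s)` is called even when `run_make_cmd` returned non-zero, so a failed build can attempt to sign a missing or stale module file; guard it with the build result, `if (rc == 0 && !s.cert_db_path.empty())`. Whatever `sign_module` reports is not looked at here, which matches the comment that failure is non-fatal, but a one-line diagnostic under `s.verbose` would help users understand a later staprun refusal. The first buildrun.cxx hunk tests `#if HAVE_NSS` after including only project headers; if none of them pulls in config.h (the lines above 10 are outside the hunk), the macro is undefined and signing is silently compiled out, so an explicit `#include "config.h"`, as this commit adds to cache.cxx, would be safer. `compile_pass` starts outside the hunk.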
@@ -68,6 +68,41 @@ add_to_cache(systemtap_session& s) return; } +#if HAVE_NSS + // This is the name of the cached module signatire. + string module_signature_dest_path = s.hash_path; + module_signature_dest_path += ".sgn"; + + if (!s.cert_db_path.empty()) + { + // Copy the module signature, if it was signed. + string module_signature_src_path = module_src_path; + module_signature_src_path += ".sgn"; + + if (s.verbose > 1) + clog << "Copying " << module_signature_src_path << " to " << module_signature_dest_path << endl; + if (copy_file(module_signature_src_path.c_str(), module_signature_dest_path.c_str()) != 0) + { + cerr << "Copy failed (\"" << module_signature_src_path << "\" to \"" + << module_signature_dest_path << "\"): " << strerror(errno) << endl; + // NB: this is not so severe as to prevent reuse of the .ko + // already copied. + // + // s.use_cache = false; + } + } + else + { + // If this module was not signed, then delete any existing signature from the cache. + // This is not a fatal error. Even if the existing signature happens to match a + // new module later, it still means that the module is identical to one generated by a + // trusted server. + if (remove_file_or_dir (module_signature_dest_path.c_str()) != 0) + cerr << "Failed to remove \"" << module_signature_dest_path << "\" from the cache: " + << strerror(errno) << endl; + } +#endif /* HAVE_NSS */ + string c_dest_path = s.hash_path; if (c_dest_path.rfind(".ko") == (c_dest_path.size() - 3)) c_dest_path.resize(c_dest_path.size() - 3); @@ -27,6 +27,9 @@ /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the nss libraries. */ +#undef HAVE_NSS + /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H @@ -726,6 +726,8 @@ nss_CFLAGS nspr_CFLAGS BUILD_SERVER_TRUE BUILD_SERVER_FALSE +HAVE_NSS_TRUE +HAVE_NSS_FALSE BUILD_ELFUTILS_TRUE BUILD_ELFUTILS_FALSE elfutils_abs_srcdir 
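Review bot: In the `add_to_cache` hunk of cache.cxx, the signed branch copies `module_src_path + ".sgn"` unconditionally, but compile_pass treats a signing failure as non-fatal, so when signing produced no file this prints a "Copy failed" error and leaves any older `.sgn` at `s.hash_path` in place next to the newly cached `.ko`. Removing the cached signature when the copy fails keeps module and signature in step: call `remove_file_or_dir (module_signature_dest_path.c_str());` in that failure branch. In the unsigned branch, if `remove_file_or_dir` reports a missing file as an error (its definition is not shown), every unsigned build logs "Failed to remove"; checking `errno != ENOENT` before printing avoids that. The comment typo `signatire` should read `signature`. The function body starts and ends outside the hunk.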
@@ -6911,6 +6913,12 @@ echo "$as_me: error: cannot find all libraries for stap-server" >&2;} { echo "$as_me:$LINENO: WARNING: will not build stap-server, cannot find all libraries" >&5 echo "$as_me: WARNING: will not build stap-server, cannot find all libraries" >&2;} fi +else + +cat >>confdefs.h <<\_ACEOF +#define HAVE_NSS 1 +_ACEOF + fi if test "x${have_nss_includes}${have_nss_libs}" == "xyesyes" -a "$enable_server" != "no"; then BUILD_SERVER_TRUE= @@ -6920,6 +6928,14 @@ else BUILD_SERVER_FALSE= fi + if test "x${have_nss_includes}${have_nss_libs}" == "xyesyes"; then + HAVE_NSS_TRUE= + HAVE_NSS_FALSE='#' +else + HAVE_NSS_TRUE='#' + HAVE_NSS_FALSE= +fi + build_elfutils=no @@ -8024,6 +8040,13 @@ echo "$as_me: error: conditional \"BUILD_SERVER\" was never defined. Usually this means the macro was only invoked conditionally." >&2;} { (exit 1); exit 1; }; } fi +if test -z "${HAVE_NSS_TRUE}" && test -z "${HAVE_NSS_FALSE}"; then + { { echo "$as_me:$LINENO: error: conditional \"HAVE_NSS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +echo "$as_me: error: conditional \"HAVE_NSS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi if test -z "${BUILD_ELFUTILS_TRUE}" && test -z "${BUILD_ELFUTILS_FALSE}"; then { { echo "$as_me:$LINENO: error: conditional \"BUILD_ELFUTILS\" was never defined. Usually this means the macro was only invoked conditionally." >&5 @@ -8739,6 +8762,8 @@ nss_CFLAGS!$nss_CFLAGS$ac_delim nspr_CFLAGS!$nspr_CFLAGS$ac_delim BUILD_SERVER_TRUE!$BUILD_SERVER_TRUE$ac_delim BUILD_SERVER_FALSE!$BUILD_SERVER_FALSE$ac_delim +HAVE_NSS_TRUE!$HAVE_NSS_TRUE$ac_delim +HAVE_NSS_FALSE!$HAVE_NSS_FALSE$ac_delim BUILD_ELFUTILS_TRUE!$BUILD_ELFUTILS_TRUE$ac_delim BUILD_ELFUTILS_FALSE!$BUILD_ELFUTILS_FALSE$ac_delim elfutils_abs_srcdir!$elfutils_abs_srcdir$ac_delim 
@@ -8751,7 +8776,7 @@ LIBOBJS!$LIBOBJS$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 25; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 27; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 @@ -9152,22 +9177,21 @@ echo "$as_me: $ac_file is unchanged" >&6;} fi rm -f "$tmp/out12" # Compute $ac_file's index in $config_headers. -_am_arg=$ac_file _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $_am_arg | $_am_arg:* ) + $ac_file | $ac_file:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || -$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$_am_arg" : 'X\(//\)[^/]' \| \ - X"$_am_arg" : 'X\(//\)$' \| \ - X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || -echo X"$_am_arg" | +echo "timestamp for $ac_file" >`$as_dirname -- $ac_file || +$as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X$ac_file : 'X\(//\)[^/]' \| \ + X$ac_file : 'X\(//\)$' \| \ + X$ac_file : 'X\(/\)' \| . 2>/dev/null || +echo X$ac_file | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q @@ -9204,7 +9228,7 @@ echo "$as_me: executing $ac_file commands" >&6;} # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. - if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then dirpart=`$as_dirname -- "$mf" || $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$mf" : 'X\(//\)[^/]' \| \ diff --git a/configure.ac b/configure.ac index f74d8d99..ec5a5085 100644 --- a/configure.ac +++ b/configure.ac 
@@ -249,8 +249,11 @@ if test "x${have_nss_includes}${have_nss_libs}" != "xyesyes"; then if test "$enable_server" == "check"; then AC_MSG_WARN([will not build stap-server, cannot find all libraries]) fi +else + AC_DEFINE([HAVE_NSS], [1], [Define to 1 if you have the nss libraries.]) fi AM_CONDITIONAL([BUILD_SERVER], [test "x${have_nss_includes}${have_nss_libs}" == "xyesyes" -a "$enable_server" != "no"]) +AM_CONDITIONAL([HAVE_NSS], [test "x${have_nss_includes}${have_nss_libs}" == "xyesyes"]) dnl Handle elfutils. If '--with-elfutils=DIR' wasn't specified, used dnl the system's elfutils. diff --git a/doc/Makefile.in b/doc/Makefile.in index e23a6699..e04852f4 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -279,8 +279,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS 
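Review bot: The new `AM_CONDITIONAL([HAVE_NSS], ...)` line compares with `==`, which is not a POSIX `test` operator. On a /bin/sh whose `test` rejects it, the automake conditional comes out false while the `AC_DEFINE` in the `else` branch above (guarded by the portable `!=`) still sets HAVE_NSS in config.h, so code under `#if HAVE_NSS` would be compiled without the modsign/modverify objects to link against. I would write `AM_CONDITIONAL([HAVE_NSS], [test "x${have_nss_includes}${have_nss_libs}" = "xyesyes"])`. The existing BUILD_SERVER line has the same form.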
@@ -305,8 +305,8 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -316,12 +316,13 @@ ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique diff --git a/doc/SystemTap_Tapset_Reference/Makefile.in b/doc/SystemTap_Tapset_Reference/Makefile.in index 2f8a5294..22b27a3e 100644 --- a/doc/SystemTap_Tapset_Reference/Makefile.in +++ b/doc/SystemTap_Tapset_Reference/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -46,7 +46,7 @@ PROGRAMS = $(noinst_PROGRAMS) docproc_SOURCES = docproc.c docproc_OBJECTS = docproc.$(OBJEXT) docproc_LDADD = $(LDADD) -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -241,8 +241,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS @@ -254,8 +254,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -265,12 +265,13 @@ ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique 
@@ -368,6 +368,7 @@ main (int argc, char * const argv []) s.output_file = ""; // -o FILE s.keep_tmpdir = false; s.cmd = ""; + s.cert_db_path = ""; s.target_pid = 0; s.merge=true; s.perfmon=0; @@ -438,6 +439,7 @@ main (int argc, char * const argv []) #define LONG_OPT_IGNORE_DWARF 4 #define LONG_OPT_VERBOSE_PASS 5 #define LONG_OPT_SKIP_BADVARS 6 +#define LONG_OPT_SIGN_MODULE 7 // NB: also see find_hash(), usage(), switch stmt below, stap.1 man page static struct option long_options[] = { { "kelf", 0, &long_opt, LONG_OPT_KELF }, @@ -446,6 +448,7 @@ main (int argc, char * const argv []) { "ignore-dwarf", 0, &long_opt, LONG_OPT_IGNORE_DWARF }, { "skip-badvars", 0, &long_opt, LONG_OPT_SKIP_BADVARS }, { "vp", 1, &long_opt, LONG_OPT_VERBOSE_PASS }, + { "sign-module", 2, &long_opt, LONG_OPT_SIGN_MODULE }, { NULL, 0, NULL, 0 } }; int grc = getopt_long (argc, argv, "hVMvtp:I:e:o:R:r:m:kgPc:x:D:bs:uqwl:d:L:FS:", 
@@ -713,6 +716,42 @@ main (int argc, char * const argv []) case LONG_OPT_SKIP_BADVARS: s.skip_badvars = true; break; + case LONG_OPT_SIGN_MODULE: + if (!s.cert_db_path.empty()) + { + cerr << "You can't specify multiple --sign-module options." << endl; + usage(s, 1); + } +#if HAVE_NSS + if (optarg) + { + s.cert_db_path = optarg; + string::size_type len = s.cert_db_path.length(); + + // Make sure the name is not empty (i.e. --sign-module= ) + if (len == 0) + { + cerr << "Certificate database directory name can not be empty." << endl; + usage (s, 1); + } + + // Chop off any trailing '/'. + if (len > 1 && s.cert_db_path.substr(len - 1, 1) == "/") + s.cert_db_path.erase(len - 1); + } + else + { + /* If we're root, use the database in SYSCONFDIR, otherwise + use the one in our $HOME directory. */ + if (getuid() == 0) + s.cert_db_path = SYSCONFDIR "/systemtap/ssl/server"; + else + s.cert_db_path = getenv("HOME") + string ("/.systemtap/ssl/server"); + } +#else + cerr << "WARNING: Module signing is disabled. The required nss libraries are not available." << endl; +#endif + break; default: cerr << "Internal error parsing command arguments." << endl; usage(s, 1); @@ -1129,6 +1168,22 @@ main (int argc, char * const argv []) if (copy_file(module_src_path.c_str(), module_dest_path.c_str()) != 0) cerr << "Copy failed (\"" << module_src_path << "\" to \"" << module_dest_path << "\"): " << strerror(errno) << endl; + +#if HAVE_NSS + // Save the signature as well, if the module was signed. + if (!s.cert_db_path.empty()) + { + module_src_path += ".sgn"; + module_dest_path += ".sgn"; + + if (s.verbose > 1) + clog << "Copying " << module_src_path << " to " + << module_dest_path << endl; + if (copy_file(module_src_path.c_str(), module_dest_path.c_str()) != 0) + cerr << "Copy failed (\"" << module_src_path << "\" to \"" + << module_dest_path << "\"): " << strerror(errno) << endl; + } +#endif } } diff --git a/modsign.cxx b/modsign.cxx new file mode 100644 index 00000000..2154cdbb 
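Review bot: In the `else` branch for a bare `--sign-module`, `getenv("HOME") + string ("/.systemtap/ssl/server")` dereferences a null pointer when HOME is unset, because `getenv` returns NULL in that case. Check the result before using it, e.g. `const char *home = getenv("HOME");` followed by `if (! home) { cerr << "Unable to determine the home directory; use --sign-module=DIR." << endl; usage (s, 1); }`. This path selects the certificate database that holds the signing key, so a clear failure is preferable to a crash. main's body continues outside the hunk.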
--- /dev/null +++ b/modsign.cxx 
@@ -0,0 +1,261 @@ +/* + This program signs the given file using the named certificate and private + key in the given certificate database and places the signature in the named + output file. + + Copyright (C) 2009 Red Hat Inc. + + This file is part of systemtap, and is free software. You can + redistribute it and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either version 2 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +*/ + +#include "session.h" +#include <iostream> +#include <string> + +extern "C" { +#include "nsscommon.h" + +#include <nspr.h> +#include <nss.h> +#include <pk11pub.h> +#include <cryptohi.h> + +#include <stdio.h> +} + +using namespace std; + +/* Function: char * password_callback() + * + * Purpose: This function is our custom password handler that is called by + * NSS when retrieving private certs and keys from the database. Returns a + * pointer to a string that with a password for the database. Password pointer + * should point to dynamically allocated memory that will be freed later. + */ +static char * +password_callback (PK11SlotInfo *info, PRBool retry, void *arg) +{ + char *passwd = NULL; + + if (! retry && arg) + passwd = PORT_Strdup((char *)arg); + + return passwd; +} + +/* Obtain the certificate and key database password from the given file. 
*/ +static char * +get_password (const string &fileName) +{ + PRFileDesc *local_file_fd; + PRFileInfo fileInfo; + PRInt32 numBytesRead; + PRStatus prStatus; + PRInt32 i; + char *password; + + prStatus = PR_GetFileInfo (fileName.c_str(), &fileInfo); + if (prStatus != PR_SUCCESS || fileInfo.type != PR_FILE_FILE || fileInfo.size < 0) + { + cerr << "Could not obtain information on password file " << fileName << "." << endl; + nssError (); + return NULL; + } + + local_file_fd = PR_Open (fileName.c_str(), PR_RDONLY, 0); + if (local_file_fd == NULL) + { + cerr << "Could not open password file " << fileName << "." << endl; + nssError (); + return NULL; + } + + password = (char*)PORT_Alloc (fileInfo.size + 1); + if (! password) + { + cerr << "Unable to allocate " << (fileInfo.size + 1) << " bytes." << endl; + nssError (); + return NULL; + } + + numBytesRead = PR_Read (local_file_fd, password, fileInfo.size); + if (numBytesRead <= 0) + { + cerr << "Error reading password file " << fileName << "." << endl; + nssError (); + return 0; + } + + PR_Close (local_file_fd); + + /* Keep only the first line of data. */ + for (i = 0; i < numBytesRead; ++i) + { + if (password[i] == '\n' || password[i] == '\r' || password[i] == '\0') + break; + } + password[i] = '\0'; + + return password; +} + +static void +sign_it (const string &inputName, const string &outputName, SECKEYPrivateKey *privKey) +{ + unsigned char buffer[4096]; + PRFileDesc *local_file_fd; + PRUint32 numBytes; + SECStatus secStatus; + SGNContext *sgn; + SECItem signedData; + + /* Set up the signing context. */ + sgn = SGN_NewContext (SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, privKey); + if (! sgn) + { + cerr << "Could not create signing context." << endl; + nssError (); + return; + } + secStatus = SGN_Begin (sgn); + if (secStatus != SECSuccess) + { + cerr << "Could not initialize signing context." << endl; + nssError (); + return; + } + + /* Now read the data and add it to the signature. 
*/ + local_file_fd = PR_Open (inputName.c_str(), PR_RDONLY, 0); + if (local_file_fd == NULL) + { + cerr << "Could not open module file " << inputName << "." << endl; + nssError (); + return; + } + + for (;;) + { + numBytes = PR_Read (local_file_fd, buffer, sizeof (buffer)); + if (numBytes == 0) + break; /* EOF */ + + if (numBytes < 0) + { + cerr << "Error reading module file " << inputName << "." << endl; + nssError (); + return; + } + + /* Add the data to the signature. */ + secStatus = SGN_Update (sgn, buffer, numBytes); + if (secStatus != SECSuccess) + { + cerr << "Error while signing module file " << inputName << "." << endl; + nssError (); + return; + } + } + + PR_Close (local_file_fd); + + /* Complete the signature. */ + secStatus = SGN_End (sgn, & signedData); + if (secStatus != SECSuccess) + { + cerr << "Could not complete signature of module file " << inputName << "." << endl; + nssError (); + return; + } + + SGN_DestroyContext (sgn, PR_TRUE); + + /* Now write the signed data to the output file. */ + local_file_fd = PR_Open (outputName.c_str(), PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, + PR_IRUSR | PR_IWUSR | PR_IRGRP | PR_IWGRP | PR_IROTH); + if (local_file_fd == NULL) + { + cerr << "Could not open signature file " << outputName << "." << endl; + nssError (); + return; + } + + numBytes = PR_Write (local_file_fd, signedData.data, signedData.len); + if (numBytes < 0 || numBytes != signedData.len) + { + cerr << "Error writing to signature file " << outputName << "." << endl; + nssError (); + return; + } + + PR_Close (local_file_fd); +} + +void +sign_module (systemtap_session& s) +{ + const char *nickName = "stap-server"; + char *password; + CERTCertificate *cert; + SECKEYPrivateKey *privKey; + SECStatus secStatus; + + password = get_password (s.cert_db_path + "/pw"); + if (! password) + { + cerr << "Unable to obtain certificate database password." << endl; + return; + } + + /* Call the NSPR initialization routines. 
*/ + PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + /* Set the cert database password callback. */ + PK11_SetPasswordFunc (password_callback); + + /* Initialize NSS. */ + secStatus = NSS_Init (s.cert_db_path.c_str()); + if (secStatus != SECSuccess) + { + cerr << "Unable to initialize nss library." << endl; + nssError (); + return; + } + + /* Get own certificate and private key. */ + cert = PK11_FindCertFromNickname (nickName, password); + if (cert == NULL) + { + cerr << "Unable to find certificate with nickname " << nickName + << " in " << s.cert_db_path << "." << endl; + nssError (); + return; + } + + privKey = PK11_FindKeyByAnyCert (cert, password); + if (privKey == NULL) + { + cerr << "Unable to obtain private key from the certificate with nickname " << nickName + << " in " << s.cert_db_path << "." << endl; + nssError (); + return; + } + + /* Sign the file. */ + sign_it (s.tmpdir + "/" + s.module_name + ".ko", s.tmpdir + "/" + s.module_name + ".ko.sgn", privKey); + + /* Shutdown NSS and exit NSPR gracefully. */ + nssCleanup (); +} diff --git a/modsign.h b/modsign.h new file mode 100644 index 00000000..12b32765 --- /dev/null +++ b/modsign.h @@ -0,0 +1 @@ +void sign_module (systemtap_session& s); diff --git a/nsscommon.c b/nsscommon.c new file mode 100644 index 00000000..1837969f --- /dev/null +++ b/nsscommon.c 
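Review bot: In `sign_it`, `numBytes` is declared `PRUint32`, so both `numBytes < 0` tests are always false and a failed `PR_Read` (which returns -1) is handed to `SGN_Update` as a length of 4294967295 over the 4096-byte `buffer`. Declare it signed, `PRInt32 numBytes;`, and compare the `PR_Write` result as `numBytes < 0 || (PRUint32) numBytes != signedData.len`. The error returns in `get_password`, `sign_it` and `sign_module` also leave the open `PRFileDesc`, the `SGNContext`, the certificate, the private key and the password buffer unreleased and skip `nssCleanup ()`; the password in particular should be cleared and freed once the key has been found. Separately, `SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION` ties new signatures to SHA-1; a SHA-256 OID would be the safer default if the supported NSS versions allow it.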
@@ -0,0 +1,80 @@ +/* + Common functions used by the NSS-aware code in systemtap. + + Copyright (C) 2009 Red Hat Inc. + + This file is part of systemtap, and is free software. You can + redistribute it and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either version 2 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +*/ + +#include <stdio.h> + +#include <nss.h> +#include <nspr.h> +#include <prerror.h> +#include <secerr.h> +#include <sslerr.h> + +void +nssError (void) +{ + PRErrorCode errorNumber; + PRInt32 errorTextLength; + PRInt32 rc; + char *errorText; + + /* See if PR_GetErrorText can tell us what the error is. */ + errorNumber = PR_GetError (); + if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR) + { + errorTextLength = PR_GetErrorTextLength (); + if (errorTextLength != 0) { + errorText = PORT_Alloc (errorTextLength); + rc = PR_GetErrorText (errorText); + if (rc != 0) + fprintf (stderr, "%s\n", errorText); + PR_Free (errorText); + if (rc != 0) + return; + } + } + + /* Otherwise handle common errors ourselves. 
*/ + switch (errorNumber) + { + case SEC_ERROR_CA_CERT_INVALID: + fputs ("The issuer's certificate is invalid.\n", stderr); + break; + case SEC_ERROR_BAD_DATABASE: + fputs ("The specified certificate database does not exist or is not valid.\n", stderr); + break; + case SSL_ERROR_BAD_CERT_DOMAIN: + fputs ("The requested domain name does not match the server's certificate.\n", stderr); + break; + case PR_CONNECT_RESET_ERROR: + fputs ("Connection reset by peer.\n", stderr); + break; + default: + fputs ("Unknown NSS error.\n", stderr); + break; + } +} + +void +nssCleanup (void) +{ + /* Shutdown NSS and exit NSPR gracefully. */ + NSS_Shutdown (); + PR_Cleanup (); +} diff --git a/nsscommon.h b/nsscommon.h new file mode 100644 index 00000000..7f4097e1 --- /dev/null +++ b/nsscommon.h @@ -0,0 +1,2 @@ +void nssError (void); +void nssCleanup (void); diff --git a/runtime/staprun/mainloop.c b/runtime/staprun/mainloop.c index c80bbba4..205fdf37 100644 --- a/runtime/staprun/mainloop.c +++ b/runtime/staprun/mainloop.c @@ -7,7 +7,7 @@ * Public License (GPL); either version 2, or (at your option) any * later version. * - * Copyright (C) 2005-2008 Red Hat Inc. + * Copyright (C) 2005-2009 Red Hat Inc. */ #include "staprun.h" @@ -395,10 +395,10 @@ void cleanup_and_exit(int detach) #define BUG9788_WORKAROUND #ifndef BUG9788_WORKAROUND dbug(2, "removing %s\n", modname); - if (execlp(staprun, basename (staprun), "-d", modname, NULL) < 0) { + if (execlp(staprun, basename (staprun), "-d", modpath, NULL) < 0) { if (errno == ENOEXEC) { char *cmd; - if (asprintf(&cmd, "%s -d '%s'", staprun, modname) > 0) + if (asprintf(&cmd, "%s -d '%s'", staprun, modpath) > 0) execl("/bin/sh", "sh", "-c", cmd, NULL); free(cmd); } 
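Review bot: In `nssError`, the result of `PORT_Alloc (errorTextLength)` is passed to `PR_GetErrorText` without a NULL check, and the buffer is then released with `PR_Free` rather than `PORT_Free`. The buffer also looks one byte short: as far as I know `PR_GetErrorText` copies the text together with its terminating NUL, which is worth confirming against the NSPR reference. I would write `errorText = PORT_Alloc (errorTextLength + 1);`, initialise `rc` to 0 and guard the copy with `if (errorText != NULL)`, and free with `PORT_Free (errorText);`. This function runs on every failure path of the signing and verification code, so it should not be able to fault itself.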
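Review bot: The ENOEXEC fallback builds a shell command with `asprintf(&cmd, "%s -d '%s'", staprun, modpath)`, and after this change the quoted value is a full path rather than a module name, so a single quote in it ends the quoting and the remainder is parsed by `sh -c`. Whether `modpath` is restricted elsewhere is not visible here, so I would avoid the shell parse entirely and pass the arguments as argv: `execl("/bin/sh", "sh", staprun, "-d", modpath, NULL);`. The same two lines appear in the hunk at -427 (the child-process branch), which needs the same change. cleanup_and_exit's body continues outside both hunks.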
@@ -427,10 +427,10 @@ void cleanup_and_exit(int detach) if (pid == 0) { /* child process */ /* Run the command. */ - if (execlp(staprun, basename (staprun), "-d", modname, NULL) < 0) { + if (execlp(staprun, basename (staprun), "-d", modpath, NULL) < 0) { if (errno == ENOEXEC) { char *cmd; - if (asprintf(&cmd, "%s -d '%s'", staprun, modname) > 0) + if (asprintf(&cmd, "%s -d '%s'", staprun, modpath) > 0) execl("/bin/sh", "sh", "-c", cmd, NULL); free(cmd); } diff --git a/runtime/staprun/modverify.c b/runtime/staprun/modverify.c new file mode 100644 index 00000000..b897d266 --- /dev/null +++ b/runtime/staprun/modverify.c 
@@ -0,0 +1,216 @@ +/* + This program verifies the given file using the given signature, the named + certificate and public key in the given certificate database. + + Copyright (C) 2009 Red Hat Inc. + + This file is part of systemtap, and is free software. You can + redistribute it and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either version 2 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +*/ + +#include <stdio.h> + +#include <nspr.h> +#include <nss.h> +#include <pk11pub.h> +#include <cryptohi.h> +#include <cert.h> +#include <certt.h> + +#include "nsscommon.h" + +static int +verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pubKey) +{ + unsigned char buffer[4096]; + PRFileInfo info; + PRStatus prStatus; + PRInt32 numBytes; + PRFileDesc *local_file_fd; + VFYContext *vfy; + SECItem signature; + SECStatus secStatus; + + /* Get the size of the signature file. */ + prStatus = PR_GetFileInfo (signatureName, &info); + if (prStatus != PR_SUCCESS || info.type != PR_FILE_FILE || info.size < 0) + { + fprintf (stderr, "Unable to obtain information on the signature file %s.\n", signatureName); + nssError (); + return -1; + } + + /* Open the signature file. */ + local_file_fd = PR_Open (signatureName, PR_RDONLY, 0); + if (local_file_fd == NULL) + { + fprintf (stderr, "Could not open the signature file %s\n.", signatureName); + nssError (); + return -1; + } + + /* Allocate space to read the signature file. 
*/ + signature.data = PORT_Alloc (info.size); + if (! signature.data) + { + fprintf (stderr, "Unable to allocate memory for the signature in %s.\n", signatureName); + nssError (); + return -1; + } + + /* Read the signature. */ + numBytes = PR_Read (local_file_fd, signature.data, info.size); + if (numBytes == 0) /* EOF */ + { + fprintf (stderr, "EOF reading signature file %s.\n", signatureName); + return -1; + } + if (numBytes < 0) + { + fprintf (stderr, "Error reading signature file %s.\n", signatureName); + nssError (); + return -1; + } + if (numBytes != info.size) + { + fprintf (stderr, "Incomplete data while reading signature file %s.\n", signatureName); + return -1; + } + signature.len = info.size; + + /* Done with the signature file. */ + PR_Close (local_file_fd); + + /* Create a verification context. */ + vfy = VFY_CreateContextDirect (pubKey, & signature, SEC_OID_PKCS1_RSA_ENCRYPTION, + SEC_OID_UNKNOWN, NULL, NULL); + if (! vfy) + { + fprintf (stderr, "Unable to create verification context while verifying %s using the signature in %s.\n", + inputName, signatureName); + nssError (); + return -1; + } + + /* Begin the verification process. */ + secStatus = VFY_Begin(vfy); + if (secStatus != SECSuccess) + { + fprintf (stderr, "Unable to initialize verification context while verifying %s using the signature in %s.\n", + inputName, signatureName); + nssError (); + return -1; + } + + /* Now read the data and add it to the signature. */ + local_file_fd = PR_Open (inputName, PR_RDONLY, 0); + if (local_file_fd == NULL) + { + fprintf (stderr, "Could not open module file %s.\n", inputName); + nssError (); + return -1; + } + + for (;;) + { + numBytes = PR_Read (local_file_fd, buffer, sizeof (buffer)); + if (numBytes == 0) + break; /* EOF */ + + if (numBytes < 0) + { + fprintf (stderr, "Error reading module file %s.\n", inputName); + nssError (); + return -1; + } + + /* Add the data to the signature. 
*/ + secStatus = VFY_Update (vfy, buffer, numBytes); + if (secStatus != SECSuccess) + { + fprintf (stderr, "Error while verifying module file %s.\n", inputName); + nssError (); + return -1; + } + } + + PR_Close(local_file_fd); + + /* Complete the verification. */ + secStatus = VFY_End (vfy); + if (secStatus != SECSuccess) + return 0; + + return 1; +} + +int verify_module (const char *module_name, const char *signature_name) +{ + const char *dbdir = SYSCONFDIR "/systemtap/staprun"; + SECKEYPublicKey *pubKey; + SECStatus secStatus; + CERTCertList *certList; + CERTCertListNode *certListNode; + CERTCertificate *cert; + int rc = 0; + + /* Call the NSPR initialization routines. */ + PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + /* Initialize NSS. */ + secStatus = NSS_Init (dbdir); + if (secStatus != SECSuccess) + { + fprintf (stderr, "Unable to initialize nss library using the database in %s.\n", + dbdir); + nssError (); + return -1; + } + + certList = PK11_ListCerts (PK11CertListAll, NULL); + if (certList == NULL) + { + fprintf (stderr, "Unable to find certificates in the certificate database in %s.\n", + dbdir); + nssError (); + return -1; + } + + /* We need to look at each certificate in the database. */ + for (certListNode = CERT_LIST_HEAD (certList); + ! CERT_LIST_END (certListNode, certList); + certListNode = CERT_LIST_NEXT (certListNode)) + { + cert = certListNode->cert; + + pubKey = CERT_ExtractPublicKey (cert); + if (pubKey == NULL) + { + fprintf (stderr, "Unable to extract public key from the certificate with nickname %s from the certificate database in %s.\n", + cert->nickname, dbdir); + nssError (); + return -1; + } + + /* Verify the file. */ + rc = verify_it (module_name, signature_name, pubKey); + if (rc == 1) + break; /* Verified! */ + } + + /* Shutdown NSS and exit NSPR gracefully. */ + nssCleanup (); + + return rc; +} diff --git a/runtime/staprun/modverify.h b/runtime/staprun/modverify.h new file mode 100644 index 00000000..ad212e2b 
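Review bot: `verify_module` accepts the module as soon as the signature checks against the public key of any certificate returned by `PK11_ListCerts (PK11CertListAll, NULL)`; nothing looks at the certificate's trust flags, validity period or intended usage. Because a successful result lets an unprivileged user load a kernel module, I would skip certificates that do not pass a check first, for example `if (CERT_VerifyCertNow (CERT_GetDefaultCertDB (), cert, PR_TRUE, certUsageObjectSigner, NULL) != SECSuccess) continue;` (the exact usage value depends on how the signing certificates are issued). `verify_it` also passes `SEC_OID_UNKNOWN` as the hash to `VFY_CreateContextDirect`, so the digest algorithm is whatever the signature file names; pinning it to the algorithm the signer uses would be tighter. The error returns in both functions skip `PR_Close`, `VFY_DestroyContext`, `SECKEY_DestroyPublicKey`, `CERT_DestroyCertList` and `nssCleanup ()`, and `vfy` is not destroyed on the success path either.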
--- /dev/null +++ b/runtime/staprun/modverify.h @@ -0,0 +1 @@ +int verify_module (const char *module_name, const char *signature_name); diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c index 5e7fa102..48d82d01 100644 --- a/runtime/staprun/staprun_funcs.c +++ b/runtime/staprun/staprun_funcs.c @@ -7,10 +7,15 @@ * Public License (GPL); either version 2, or (at your option) any * later version. * - * Copyright (C) 2007-2008 Red Hat Inc. + * Copyright (C) 2007-2009 Red Hat Inc. */ +#include "config.h" #include "staprun.h" +#if HAVE_NSS +#include "modverify.h" +#endif + #include <sys/mount.h> #include <sys/utsname.h> #include <grp.h> @@ -199,6 +204,44 @@ int mountfs(void) return 0; } +#if HAVE_NSS +/* + * Modules which have been signed using a certificate and private key + * corresponding to a certificate and public key in the database in + * the '$sysconfdir/systemtap/staprun' directory may be loaded by + * anyone. + * + * Returns: -1 on errors, 0 on failure, 1 on success. + */ +static int +check_signature(void) +{ + char module_realpath[PATH_MAX]; + char signature_realpath[PATH_MAX]; + int rc; + + dbug(2, "checking signature for %s\n", modpath); + + /* Use realpath() to canonicalize the module path. */ + if (realpath(modpath, module_realpath) == NULL) { + perr("Unable to canonicalize signature path \"%s\"", modpath); + return -1; + } + + /* Now add the .sgn suffix to get the signature file name. */ + if (strlen (module_realpath) > PATH_MAX - 4) { + err("Path \"%s\" is too long.", modpath); + return -1; + } + sprintf (signature_realpath, "%s.sgn", module_realpath); + + dbug(2, "verify_module (%s, %s)\n", module_realpath, signature_realpath); + rc = verify_module (module_realpath, signature_realpath); + dbug(2, "verify_module returns %d\n", rc); + + return rc; +} +#endif /* HAVE_NSS */ /* * Members of the 'stapusr' group can only use "blessed" modules - 
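Review bot: In `check_signature`, the length guard `strlen (module_realpath) > PATH_MAX - 4` lets a path of exactly PATH_MAX - 4 characters through, and `sprintf (signature_realpath, "%s.sgn", module_realpath)` then writes PATH_MAX + 1 bytes into a PATH_MAX-byte array. Account for the terminator, e.g. `if (strlen (module_realpath) + sizeof (".sgn") > sizeof (signature_realpath))`, and use `snprintf` for the copy. The `perr` text for a failed `realpath` says "signature path" although it is the module path being canonicalized. One thing to confirm outside this hunk: the file is verified here by name and is presumably opened again by name when it is loaded, so a file the caller can rewrite in between would not be covered by the check; verifying and loading from the same open descriptor or buffer closes that gap.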
@@ -293,22 +336,23 @@ check_path(void) } /* - * Check the user's permissions. Is he allowed to run staprun (or is - * he limited to "blessed" modules)? + * Check the user's group membership. Is he allowed to run staprun (or is * - * Returns: -1 on errors, 0 on failure, 1 on success. + * o members of stapdev can do anything + * o members of stapusr can load modules from /lib/modules/KVER/systemtap + * + * Returns: -2 if neither group exists + * -1 for other errors + * 0 on failure + * 1 on success */ -int check_permissions(void) +static int +check_groups (void) { gid_t gid, gidlist[NGROUPS_MAX]; gid_t stapdev_gid, stapusr_gid; int i, ngids; struct group *stgr; - int path_check = 0; - - /* If we're root, we can do anything. */ - if (getuid() == 0) - return 1; /* Lookup the gid for group "stapdev" */ errno = 0; 
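Review bot: The rewritten header comment for `check_groups` is left with a broken sentence: `Is he allowed to run staprun (or is` runs straight into the bullet list. Since the return contract now has four values, I would restate it cleanly, starting with `Check the user's group membership.` and keeping the two bullets and the -2 / -1 / 0 / 1 table. It should also say that for stapusr members the result is whatever `check_path()` returns. The body of check_groups continues in the next hunk.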
@@ -332,55 +376,42 @@ int check_permissions(void) else stapusr_gid = stgr->gr_gid; - /* If neither group was found, just return an error. */ - if (stapdev_gid == (gid_t)-1 && stapusr_gid == (gid_t)-1) { - err("ERROR: You are trying to run stap as a normal user.\n" - "You should either be root, or be part of either " - "group \"stapdev\" or group \"stapusr\".\n" - "Your system doesn't seem to have either group.\n" - "For more information, please consult the \"SAFETY AND SECURITY\" section of the \"stap(1)\" manpage\n"); - return -1; - } + /* If neither group was found, then return -2. */ + if (stapdev_gid == (gid_t)-1 && stapusr_gid == (gid_t)-1) + return -2; /* According to the getgroups() man page, getgroups() may not * return the effective gid, so try to match it first. */ gid = getegid(); if (gid == stapdev_gid) return 1; - else if (gid == stapusr_gid) - path_check = 1; - /* Get the list of the user's groups. */ - ngids = getgroups(NGROUPS_MAX, gidlist); - if (ngids < 0) { - perr("Unable to retrieve group list"); - return -1; - } + if (gid != stapusr_gid) { + /* Get the list of the user's groups. */ + ngids = getgroups(NGROUPS_MAX, gidlist); + if (ngids < 0) { + perr("Unable to retrieve group list"); + return -1; + } - for (i = 0; i < ngids; i++) { - /* If the user is a member of 'stapdev', then we're - * done, since he can use staprun without any - * restrictions. */ - if (gidlist[i] == stapdev_gid) - return 1; - - /* If the user is a member of 'stapusr', then we'll - * need to check the module path. However, we'll keep - * checking groups since it is possible the user is a - * member of both groups and we haven't seen the - * 'stapdev' group yet. */ - if (gidlist[i] == stapusr_gid) - path_check = 1; - } + for (i = 0; i < ngids; i++) { + /* If the user is a member of 'stapdev', then we're + * done, since he can use staprun without any + * restrictions. 
*/ + if (gidlist[i] == stapdev_gid) + return 1; + + /* If the user is a member of 'stapusr', then we'll + * need to check the module path. However, we'll keep + * checking groups since it is possible the user is a + * member of both groups and we haven't seen the + * 'stapdev' group yet. */ + if (gidlist[i] == stapusr_gid) + gid = stapusr_gid; + } - /* If path_check is 0, then the user isn't a member of either - * group. Error out. */ - if (path_check == 0) { - err("ERROR: You are trying to run stap as a normal user.\n" - "You must be a member of either group \"stapdev\" or group \"stapusr\".\n" - "Please contact your system administrator to get yourself membership to either of those groups.\n" - "For more information, please consult the \"SAFETY AND SECURITY\" section of the \"stap(1)\" manpage.\n"); - return 0; + if (gid != stapusr_gid) + return 0; } /* At this point the user is only a member of the 'stapusr' 
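Review bot: With the new `if (gid != stapusr_gid) { ... }` wrapper, a caller whose effective gid is stapusr never has the supplementary group list scanned, so a user who is also in stapdev is now limited to the `check_path()` result. The removed code set `path_check` and kept scanning for exactly this case, and the retained comment ("it is possible the user is a member of both groups") still describes that intent. I would scan unconditionally and keep a separate flag, e.g. `int in_stapusr = (gid == stapusr_gid);`, set it in the loop, and return 0 only when `! in_stapusr` after the loop. The change fails towards the more restrictive result, but it is a behaviour change that should be made deliberately.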
@@ -389,3 +420,57 @@ int check_permissions(void) * is in that directory. */ return check_path(); } + +/* + * Check the user's permissions. Is he allowed to run staprun (or is + * he limited to "blessed" modules)? + * + * There are several levels of possible permission: + * + * 1) root can do anything + * 2) members of stapdev can do anything + * 3) members of stapusr can load modules from /lib/modules/KVER/systemtap + * 4) anyone can load a module which has been signed by a trusted signer + * + * It is only an error if all 4 levels of checking fail + * + * Returns: -1 on errors, 0 on failure, 1 on success. + */ +int check_permissions(void) +{ + int check_groups_rc; + int check_signature_rc = 0; + + /* If we're root, we can do anything. */ + if (getuid() == 0) + return 1; + + /* Check permissions for group membership. */ + check_groups_rc = check_groups (); + if (check_groups_rc == 1) + return 1; + +#if HAVE_NSS + /* The user is an ordinary user. If the module has been signed with + * a "blessed" certificate and private key, then we will load it for + * anyone. */ + check_signature_rc = check_signature (); + if (check_signature_rc == 1) + return 1; +#endif + + err("ERROR: You are trying to run stap as a normal user.\n" + "You should either be root, or be part of either " + "group \"stapdev\" or group \"stapusr\".\n"); + if (check_groups_rc == -2) { + err("Your system doesn't seem to have either group.\n"); + check_groups_rc = -1; + } +#if HAVE_NSS + err("Alternatively, your module must be signed by a trusted signer.\n" + "For more information, please consult the \"SAFETY AND SECURITY\" section of the \"stap(1)\" manpage\n"); +#endif + + /* Combine the return codes. They are either 0 or -1. */ + return check_groups_rc | check_signature_rc; +} @@ -87,6 +87,7 @@ struct systemtap_session std::string architecture; std::string runtime_path; std::string data_path; + std::string cert_db_path; std::string module_name; std::string stapconf_name; std::string output_file; 
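Review bot: The final `return check_groups_rc | check_signature_rc;` is only correct while both values are exactly 0 or -1 at that point, and nothing in the hunk enforces this for `check_signature()` or for the `check_path()` result that the group check can hand back; neither body is shown here. Because this value decides whether an unprivileged user may load a kernel module, an explicit mapping is safer: `if (check_groups_rc < 0 || check_signature_rc < 0) return -1;` followed by `return 0;`. Separately, the `"For more information, please consult the \"SAFETY AND SECURITY\" section ..."` string now sits inside the second `#if HAVE_NSS`, so builds without NSS lose the manpage pointer that the old message always printed; moving that string outside the conditional restores it.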
diff --git a/stap-add-server-cert b/stap-authorize-cert index a94c5955..21af2ce0 100755 --- a/stap-add-server-cert +++ b/stap-authorize-cert @@ -1,6 +1,6 @@ #!/bin/bash -# Add an existing server certificate to the +# Add an existing server certificate to a # database of trusted servers for the client. # # Copyright (C) 2008, 2009 Red Hat Inc. @@ -10,37 +10,40 @@ # Public License (GPL); either version 2, or (at your option) any # later version. +certfile=$1 +certdb=$2 + # Obtain the filename of the certificate -if test "X$1" = "X"; then +if test "X$certfile" = "X"; then echo "Certificate file must be specified" >&2 exit 1 fi -if ! test -f $1; then - echo "Cannot find certificate file $1" >&2 +if ! test -f $certfile; then + echo "Cannot find certificate file $certfile" >&2 exit 1 fi # Obtain the certificate database directory name. -if test "X$2" = "X"; then +if test "X$certdb" = "X"; then echo "Certificate database directory must be specified" >&2 exit 1 fi -if ! test -d $2; then - if ! mkdir -p -m 755 $2; then - echo "Unable to find or create the client certificate database directory: $2" >&2 +if ! test -d $certdb; then + if ! mkdir -p -m 755 $certdb; then + echo "Unable to find or create the client certificate database directory: $certdb" >&2 exit 1 fi fi # Add the certificate -if ! certutil -A -n stap-server -d $2 -i $1 -t "P,P,P" > /dev/null; then - echo "Unable to add $1 to the client certificate database $2" >&2 +if ! certutil -A -n stap-server -d $certdb -i $certfile -t "P,P,P" > /dev/null; then + echo "Unable to add $certfile to the client certificate database $certdb" >&2 exit 1 fi # Ensure that the database is readable by others -if ! chmod +r $2/*.db; then - echo "Warning: unable to make the client certificate database $2 readable by others" >&2 +if ! chmod +r $certdb/*.db; then + echo "Warning: unable to make the client certificate database $certdb readable by others" >&2 fi exit 0 
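Review bot: `$certfile` and `$certdb` are expanded unquoted in every command of the second hunk (`test -f $certfile`, `mkdir -p -m 755 $certdb`, `certutil ... -d $certdb -i $certfile`, `chmod +r $certdb/*.db`), so a path containing whitespace or glob characters is split or expanded before the command sees it. This script edits a trust database and is presumably run as root for the system-wide ones, so the arguments should be quoted, for example `if ! test -f "$certfile"; then` and `certutil -A -n stap-server -d "$certdb" -i "$certfile" -t "P,P,P"`. The script is now the shared back end for both the SSL-server and the module-signing databases, yet it always assigns the trust string `"P,P,P"`; consider letting each wrapper pass only the trust that its database needs.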
diff --git a/stap-authorize-server-cert b/stap-authorize-server-cert
new file mode 100755
index 00000000..058e7ebb
--- /dev/null
+++ b/stap-authorize-server-cert
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Add an existing server certificate to the
+# database of trusted SSL servers for the client.
+#
+# Copyright (C) 2009 Red Hat Inc.
+#
+# This file is part of systemtap, and is free software. You can
+# redistribute it and/or modify it under the terms of the GNU General
+# Public License (GPL); either version 2, or (at your option) any
+# later version.
+
+# Initialize the environment
+. stap-env
+
+certfile=$1
+certdb=$2
+
+# Obtain the filename of the certificate
+if test "X$certfile" = "X"; then
+ echo "Certificate file must be specified" >&2
+ exit 1
+fi
+
+# Obtain the certificate database directory name.
+if test "X$certdb" = "X"; then
+ certdb=$stap_ssl_db/client
+fi
+
+stap-authorize-cert $certfile $certdb
diff --git a/stap-authorize-signing-cert b/stap-authorize-signing-cert
new file mode 100755
index 00000000..dfcf1a94
--- /dev/null
+++ b/stap-authorize-signing-cert
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Add an existing server certificate to the
+# database of trusted SSL servers for the client.
+#
+# Copyright (C) 2009 Red Hat Inc.
+#
+# This file is part of systemtap, and is free software. You can
+# redistribute it and/or modify it under the terms of the GNU General
+# Public License (GPL); either version 2, or (at your option) any
+# later version.
+
+# Initialize the environment
+. stap-env
+
+certfile=$1
+certdb=$2
+
+# Obtain the filename of the certificate
+if test "X$certfile" = "X"; then
+ echo "Certificate file must be specified" >&2
+ exit 1
+fi
+
+# Obtain the certificate database directory name.
+if test "X$certdb" = "X"; then
+ certdb=$stap_signing_db
+fi
+
+stap-authorize-cert $certfile $certdb
diff --git a/stap-client b/stap-client
index 70271b9a..c8664852 100755
--- a/stap-client
+++ b/stap-client
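Review bot: In stap-authorize-server-cert, `. stap-env` names the file without a path, so bash locates it through `PATH` (and, outside POSIX mode, falls back to the current directory), and whichever file is found first is executed inside this script. The same line is added in stap-authorize-signing-cert, stap-client, stap-find-or-start-server, stap-find-servers, stap-gen-cert, stap-server, stap-serverd and stap-start-server, several of which manage trust databases or may run as root. Unless the install step rewrites these lines, sourcing by absolute path would remove the dependency on the caller's environment, e.g. `. "<install bindir>/stap-env"` with the placeholder directory substituted at install time. The closing `stap-authorize-cert $certfile $certdb` has the same lookup issue and leaves both arguments unquoted; `${stap_exec_prefix}stap-authorize-cert "$certfile" "$certdb"` would match how the other scripts call their helpers.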
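Review bot: The header comment of stap-authorize-signing-cert was copied from the server-cert script and still says the certificate is added to the "database of trusted SSL servers for the client", while the code defaults `certdb` to `$stap_signing_db`. That difference matters to an administrator, because a certificate placed in this database appears to authorize a module signer rather than a compile server. I would reword the two comment lines to `# Add an existing certificate to the database of trusted` and `# module signers (default: $stap_signing_db).`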
@@ -21,23 +21,12 @@ trap 'terminate' SIGTERM trap 'interrupt' SIGINT trap 'ignore_signal' SIGHUP SIGPIPE +# Initialize the environment +. stap-env + #----------------------------------------------------------------------------- # Helper functions. #----------------------------------------------------------------------------- -# function: configuration -function configuration { - # INSTALL-HOOK These settings work for running the client from the source tree - # INSTALL-HOOK using the dejagnu test harness and will be overridden at install - # INSTALL-HOOK time. - exec_prefix= - sysconfdir=`pwd`/net - - # General configuration - tmpdir_prefix_client=stap.client - tmpdir_prefix_server=stap.server - avahi_service_tag=_stap._tcp -} - # function: initialization function initialization { our_host_name=`expr "$HOSTNAME" : "\\\([a-zA-Z0-9-]*\\\).*"` @@ -46,24 +35,21 @@ function initialization { rc=0 wd=`pwd` umask 0 - staprun_running=0 # Default location for server certificates if we're not root # Must be owned by us. local uid uname if test $EUID != 0; then - if test -e $HOME/.systemtap/ssl/client; then - if check_db $HOME/.systemtap/ssl/client $EUID $USER; then - local_ssl_dbs=$HOME/.systemtap/ssl/client + if test -e $stap_user_ssl_db/client; then + if check_db $stap_user_ssl_db/client $EUID $USER; then + local_ssl_dbs=$stap_user_ssl_db/client fi fi fi # Additional location for all users. Must be owned by root. - if test "X$sysconfdir" != "X"; then - if test -e $sysconfdir/systemtap/ssl/client; then - if check_db $sysconfdir/systemtap/ssl/client 0 root; then - public_ssl_dbs=$sysconfdir/systemtap/ssl/client - fi + if test -e $stap_root_ssl_db/client; then + if check_db $stap_root_ssl_db/client 0 root; then + public_ssl_dbs=$stap_root_ssl_db/client fi fi 
@@ -79,7 +65,7 @@ function initialization { # Create a temporary directory to package things in # Do this before parsing the command line so that there is a place # to put -I and -R directories. - tmpdir_client=`mktemp -dt $tmpdir_prefix_client.XXXXXX` || \ + tmpdir_client=`mktemp -dt $stap_tmpdir_prefix_client.XXXXXX` || \ fatal "Cannot create temporary directory " $tmpdir_client tmpdir_env=`dirname $tmpdir_client` } @@ -469,7 +455,7 @@ function package_request { # Unpack the zip file received from the server and make the contents available # for printing the results and/or running 'staprun'. function unpack_response { - tmpdir_server=`mktemp -dt $tmpdir_prefix_client.server.XXXXXX` || \ + tmpdir_server=`mktemp -dt $stap_tmpdir_prefix_client.server.XXXXXX` || \ fatal "Cannot create temporary file " $tmpdir_server # Unpack the server output directory @@ -477,15 +463,15 @@ function unpack_response { fatal "Cannot unpack server response, $zip_server" # Check the contents of the expanded directory. It should contain a - # single directory whose name matches stap.server.?????? + # single directory whose name matches $stap_tmpdir_prefix_server.?????? local num_files=`ls $tmpdir_server | wc -l` test $num_files = 1 || \ fatal "Wrong number of files in server's temp directory" - test -d $tmpdir_server/stap.server.?????? || \ + test -d $tmpdir_server/$stap_tmpdir_prefix_server.?????? || \ fatal "`ls $tmpdir_server` does not match the expected name or is not a directory" # Move the contents of the directory down one level. - mv $tmpdir_server/stap.server.??????/* $tmpdir_server - rm -fr $tmpdir_server/stap.server.?????? + mv $tmpdir_server/$stap_tmpdir_prefix_server.??????/* $tmpdir_server + rm -fr $tmpdir_server/$stap_tmpdir_prefix_server.?????? # Check the contents of the directory. It should contain: # 1) a file called stdout 
@@ -533,7 +519,7 @@ function find_and_connect_to_server { local num_servers=0 # Make a place to receive the response file. - zip_server=`mktemp -t $tmpdir_prefix_client.server.zip.XXXXXX` || \ + zip_server=`mktemp -t $stap_tmpdir_prefix_client.server.zip.XXXXXX` || \ fatal "Cannot create temporary file " $zip_server # Make a place to record connection errors @@ -596,22 +582,22 @@ function find_and_connect_to_server { fi fi - if test `${exec_prefix}stap-find-servers $find_all | grep $address | wc -l` = "0"; then + if test `${stap_exec_prefix}stap-find-servers $find_all | grep $address | wc -l` = "0"; then warning "No server is available on $server" 2>> $tmpdir_client/connect continue fi - ssl_db=`${exec_prefix}stap-find-servers $find_all | grep $address | choose_server` + ssl_db=`${stap_exec_prefix}stap-find-servers $find_all | grep $address | choose_server` test "X$ssl_db" != "X" && return done else # No servers specified. Find available servers and choose one of them. # Remember which ssl certificate database was used to authenticate the chosen # server. - ssl_db=`${exec_prefix}stap-find-servers $find_all | choose_server` + ssl_db=`${stap_exec_prefix}stap-find-servers $find_all | choose_server` test "X$ssl_db" != "X" && return - num_servers=`${exec_prefix}stap-find-servers $find_all | wc -l` + num_servers=`${stap_exec_prefix}stap-find-servers $find_all | wc -l` fi if test $num_servers = 0; then 
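Review bot: Both new `${stap_exec_prefix}stap-find-servers $find_all | grep $address` pipelines in the second hunk treat the address as an unquoted, unanchored regular expression, so each dot matches any character and a constructed address such as `10.0.0.1` also selects the line for `10.0.0.10`. The server chosen can therefore differ from the one the user named, leaving certificate verification as the only barrier. `grep -F -- "$address"` removes the regex interpretation; matching the whole address field would additionally need the output format of stap-find-servers, which is not visible here. find_and_connect_to_server starts and ends outside this hunk.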
@@ -681,8 +667,8 @@ function send_receive { do # Send the request and receive the response using stap-client-connect echo "Attempting connection with $server:$port using certificate database in '$db'" >> $tmpdir_client/connect - ${exec_prefix}stap-client-connect -i $zip_client -o $zip_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & - wait '%${exec_prefix}stap-client-connect' + ${stap_exec_prefix}stap-client-connect -i $zip_client -o $zip_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & + wait '%${stap_exec_prefix}stap-client-connect' test $? = 0 && echo $db && return sleep 1 done @@ -692,8 +678,8 @@ function send_receive { do # Send the request and receive the response using stap-client-connect echo "Attempting connection with $server:$port using certificate database in '$db'" >> $tmpdir_client/connect - ${exec_prefix}stap-client-connect -i $zip_client -o $zip_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & - wait '%${exec_prefix}stap-client-connect' + ${stap_exec_prefix}stap-client-connect -i $zip_client -o $zip_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & + wait '%${stap_exec_prefix}stap-client-connect' test $? = 0 && echo $db && return sleep 1 done @@ -779,18 +765,13 @@ function maybe_call_staprun { fi # Run it in the background and wait for it. This - # way any signals send to us can be caught. + # way any signals sent to us can be caught. if test $v_level -ge 2; then echo "running `which staprun` $staprun_opts $tmpdir_stap/`ls $tmpdir_stap | grep '.ko$'`" >&2 fi eval `staprun_PATH` "$staprun_opts" \ $tmpdir_stap/`ls $tmpdir_stap | grep '.ko$'` - staprun_running=1 - wait '%?staprun' > /dev/null 2>&1 rc=$? - staprun_running=0 - # 127 from wait means that the job was already finished. - test $rc=127 && rc=0 # Wait until the job actually disappears so that its output is complete. while jobs '%?staprun' >/dev/null 2>&1 
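Review bot: In the maybe_call_staprun hunk the module path is built with `ls $tmpdir_stap | grep '.ko$'` and then passed through `eval`, so the file name is parsed a second time by the shell, and the unescaped dot lets any name ending in one character plus `ko` match. Whether `$tmpdir_stap` is filled from the server response cannot be confirmed from this hunk, but if it is, that name is not under the client's control. Anchoring the pattern as `grep '\.ko$'` and checking the result against the expected module-name characters before the `eval` would contain this. The comment above still says staprun is run "in the background" and waited for, which no longer matches the code now that the `wait '%?staprun'` line is removed.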
@@ -814,8 +795,8 @@ function staprun_PATH { fi # Otherwise, if there is an exec_prefix, then use it. - if test "X$exec_prefix" != "X"; then - echo ${exec_prefix}staprun + if test "X$stap_exec_prefix" != "X"; then + echo ${stap_exec_prefix}staprun return fi @@ -1020,7 +1001,7 @@ function terminate { kill -s SIGTERM '%?staprun' 2>/dev/null # Kill any stap-client-connect job - kill -s SIGTERM '%${exec_prefix}stap-client-connect' 2>/dev/null + kill -s SIGTERM '%${stap_exec_prefix}stap-client-connect' 2>/dev/null exit 1 } @@ -1029,15 +1010,9 @@ function terminate { # # Pass an interrupt (ctrl-C) to staprun function interrupt { - # Pass the signal on to any running staprun job - if test $staprun_running = 1; then - kill -s SIGINT '%?staprun' 2>/dev/null - return - fi - # Kill any stap-client-connect job # SIGINT won't do it. - kill -s SIGTERM '%${exec_prefix}stap-client-connect' 2>/dev/null + kill -s SIGTERM '%${stap_exec_prefix}stap-client-connect' 2>/dev/null # If staprun was not running, then exit. cleanup @@ -1054,7 +1029,6 @@ function ignore_signal { #----------------------------------------------------------------------------- # Beginning of main line execution. #----------------------------------------------------------------------------- -configuration initialization parse_options "$@" create_request diff --git a/stap-env b/stap-env new file mode 100755 index 00000000..5cd4d119 --- /dev/null +++ b/stap-env 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Generate a certificate for the systemtap server and add it to the
+# database of trusted servers for the client.
+#
+# Copyright (C) 2009 Red Hat Inc.
+#
+# This file is part of systemtap, and is free software. You can
+# redistribute it and/or modify it under the terms of the GNU General
+# Public License (GPL); either version 2, or (at your option) any
+# later version.
+
+# Common environment setup for stap scripts
+
+# INSTALL-HOOK These settings work for running the server from the source tree
+# INSTALL-HOOK using the dejagnu test harness and will be overridden at install
+# INSTALL-HOOK time.
+stap_exec_prefix=
+stap_sysconfdir=`pwd`/net
+
+# General configuration
+stap_tmpdir_prefix_client=stap.client
+stap_tmpdir_prefix_server=stap.server
+stap_avahi_service_tag=_stap._tcp
+
+# NSS certificate databases
+stap_root_ssl_db=$stap_sysconfdir/systemtap/ssl
+stap_user_ssl_db=$HOME/.systemtap/ssl
+
+if test $EUID = 0; then
+ stap_ssl_db=$stap_root_ssl_db
+else
+ stap_ssl_db=$stap_user_ssl_db
+fi
+
+stap_signing_db=$stap_sysconfdir/systemtap/staprun
diff --git a/stap-find-or-start-server b/stap-find-or-start-server
index 97e7caca..28fcfa8c 100755
--- a/stap-find-or-start-server
+++ b/stap-find-or-start-server
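Review bot: The header comment of the new stap-env still reads "Generate a certificate for the systemtap server and add it to the database of trusted servers for the client", which describes a different script; the line `# Common environment setup for stap scripts`, already present further down, should be the header. More importantly, ``stap_sysconfdir=`pwd`/net`` makes `stap_root_ssl_db` and `stap_signing_db` relative to the caller's working directory whenever the INSTALL-HOOK substitution has not been applied, so the trust databases would be looked up wherever the script happened to be started. The substitution itself is not part of this hunk; if an unsubstituted copy can end up installed, it would be safer for the script to refuse to run as root with the source-tree defaults.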
@@ -10,20 +10,18 @@ # later version. # This script attempts to find a systemtap server. If one is found, it -# echoes 0 and exits with 0. +# echoes 0. # # Otherwise, it attempts to start a server. If succesful, it echoes the -# process id and exits with 0. +# process id. # -# Otherwise, it echoes -1 and exits with 1 +# Otherwise, it echoes -1 -# INSTALL-HOOK These settings work for running the client from the source tree -# INSTALL-HOOK using the dejagnu test harness and will be overridden at install -# INSTALL-HOOK time. -exec_prefix= +# Initialize the environment +. stap-env # Is there a server available? -${exec_prefix}stap-find-servers >/dev/null 2>&1 && echo 0 && exit 0 +${stap_exec_prefix}stap-find-servers >/dev/null 2>&1 && echo 0 && exit 0 # No server available, try to start one. pid=`${exec_prefix}stap-start-server "$@"` @@ -34,4 +32,4 @@ fi # Could not find or start a server echo "-1" -exit 1 +exit 0 diff --git a/stap-find-servers b/stap-find-servers index fde7d9ef..e0838708 100755 --- a/stap-find-servers +++ b/stap-find-servers @@ -12,15 +12,12 @@ # This script uses avahi to find systemtap compile servers on the local # network. Information about each server found is printed to stdout. +# Initialize the environment +. stap-env + #----------------------------------------------------------------------------- # Helper functions. #----------------------------------------------------------------------------- -# function: configuration -function configuration { - avahi_service_tag=_stap._tcp - timeout=10 # seconds -} - # function: initialization function initialization { rc=1 # not found yet @@ -29,6 +26,7 @@ function initialization { else find_all=0 fi + timeout=10 # seconds } # function: find_servers 
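Review bot: In stap-find-or-start-server the unchanged line ``pid=`${exec_prefix}stap-start-server "$@"` `` still expands `exec_prefix`, which the first hunk stops defining in favour of `stap_exec_prefix` from stap-env. The prefix is therefore always empty at that call and stap-start-server is resolved through `PATH` instead of the install prefix; the line should read ``pid=`${stap_exec_prefix}stap-start-server "$@"` ``. The second hunk also changes the failure path to `exit 0`, so callers can detect failure only by parsing the echoed `-1`; a short comment at that line saying so would help.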
@@ -37,12 +35,12 @@ function initialization { function find_servers { # Create a temp file for the list of servers. We do this instead # of using a pipe so that we can kill avahi-browse if it - # takes more than a minute. + # takes too long. tmpfile=`mktemp -t stap-serversXXXXXX` || \ fatal "Cannot create temporary file " $tmpfile # Find servers - avahi-browse $avahi_service_tag --terminate -r 2>/dev/null > $tmpfile & + avahi-browse $stap_avahi_service_tag --terminate -r 2>/dev/null > $tmpfile & for ((attempt=0; $attempt < $timeout; ++attempt)) do @@ -97,7 +95,7 @@ function match_server { ;; address ) # Sometimes (seems random), avahi-resolve-host-name resolves a local server to its - # hardware address rather its ip address. Keep trying until we get + # hardware address rather than its ip address. Keep trying until we get # an ip address. server_ip=`expr "$service_data" : '\[\([^]]*\)\]'` local attempt @@ -125,7 +123,7 @@ function match_server { esac done - # It is a stap server, but is it compatible? + # It's an stap server, but is it compatible? if test $find_all = 0 -a "$server_sysinfo" != "`client_sysinfo`"; then continue fi @@ -159,7 +157,6 @@ function fatal { #----------------------------------------------------------------------------- # Beginning of main line execution. #----------------------------------------------------------------------------- -configuration initialization "$@" find_servers diff --git a/stap-gen-server-cert b/stap-gen-cert index 9b4a776b..bf87b572 100755 --- a/stap-gen-server-cert +++ b/stap-gen-cert @@ -10,6 +10,9 @@ # Public License (GPL); either version 2, or (at your option) any # later version. +# Initialize the environment +. stap-env + # Obtain a password from stdin and echo it. function user_enter_password { 
@@ -35,14 +38,13 @@ function user_enter_password } # Obtain the certificate database directory name. -if test "X$1" = "X"; then - echo "Certificate database directory must be specified" >&2 - exit 1 +serverdb=$1 +if test "X$serverdb" = "X"; then + serverdb=$stap_ssl_db/server fi -rm -fr $1 +rm -fr $serverdb # Create the server's certificate database directory. -serverdb=$1/server if ! mkdir -p -m 755 $serverdb; then echo "Unable to create the server certificate database directory: $serverdb" >&2 exit 1 @@ -67,11 +69,11 @@ if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then fi # We need some random noise for generating keys -dd bs=123 count=1 < /dev/urandom > $1/noise 2> /dev/null +dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null # Generate a request for the server's certificate. -certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $1/stap-server.req -z $1/noise 2> /dev/null -rm -fr $1/noise +certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap-server.req -z $serverdb/noise 2> /dev/null +rm -fr $serverdb/noise # Create the certificate file first so that it always has the proper access permissions. if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then 
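Review bot: `rm -fr $serverdb` now runs on either the caller's first argument or the default `$stap_ssl_db/server`, unquoted and with no check that the value is non-empty and names the expected database directory. A path containing whitespace is split into several deletion targets, and an empty `$stap_ssl_db` would turn the default into `/server`. I would guard and quote it, e.g. `test -n "$serverdb" || exit 1` followed by `rm -fr -- "$serverdb"`, and quote the `mkdir -p -m 755 $serverdb` that follows in the same way.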
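Review bot: In the second hunk the key-generation noise is written to `$serverdb/noise`, inside a directory this script creates with mode 755, and the file's own mode is left to the caller's umask. While the file exists, other local users may be able to read the data passed to `certutil -R ... -z $serverdb/noise`; how much that weakens the key depends on how certutil mixes the noise with its own generator, which is not visible here. Setting `umask 077` before the `dd`, or creating the file with `mktemp`, keeps it private, and `$serverdb/stap-server.req` could be handled the same way.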
@@ -80,14 +82,14 @@ if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); fi # Now generate the actual certificate. -certutil -C -i $1/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF +certutil -C -i $serverdb/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 3 7 8 y EOF -rm -fr $1/stap-server.req +rm -fr $serverdb/stap-server.req # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw diff --git a/stap-server b/stap-server index ec827a09..d26eaff9 100755 --- a/stap-server +++ b/stap-server @@ -16,22 +16,12 @@ # Catch ctrl-c and other termination signals trap 'terminate' SIGTERM SIGINT +# Initialize the environment +. stap-env + #----------------------------------------------------------------------------- # Helper functions. #----------------------------------------------------------------------------- -# function: configuration -function configuration { - # INSTALL-HOOK These settings work for running the client from the source tree - # INSTALL-HOOK using the dejagnu test harness and will be overridden at install - # INSTALL-HOOK time. - exec_prefix= - sysconfdir=`pwd`/net - - # Configuration - tmpdir_prefix_client=stap.client - tmpdir_prefix_server=stap.server -} - # function: initialization function initialization { # Initialization 
@@ -92,18 +82,18 @@ function unpack_request { fatal "Cannot unpack zip archive $zip_client" # Identify the client's request tree. The zip file should have expanded - # into a single directory named to match $tmpdir_prefix_client.?????? + # into a single directory named to match $stap_tmpdir_prefix_client.?????? # which should now be the only item in the current directory. test "`ls | wc -l`" = 3 || \ fatal "Wrong number of files after expansion of client's zip file" - tmpdir_client=`ls | grep $tmpdir_prefix_client.......\$` + tmpdir_client=`ls | grep $stap_tmpdir_prefix_client.......\$` test "X$tmpdir_client" != "X" || \ fatal "Client zip file did not expand as expected" # Move the client's temp directory to a local temp location - local local_tmpdir_client=`mktemp -dt $tmpdir_prefix_server.client.XXXXXX` || \ + local local_tmpdir_client=`mktemp -dt $stap_tmpdir_prefix_server.client.XXXXXX` || \ fatal "Cannot create temporary client request directory " $local_tmpdir_client mv $tmpdir_client/* $local_tmpdir_client rm -fr $tmpdir_client @@ -340,7 +330,7 @@ function call_stap { server_p_phase=$p_phase fi - eval ${exec_prefix}stap "$cmdline" -k -p $server_p_phase \ + eval ${stap_exec_prefix}stap "$cmdline" --sign-module -k -p $server_p_phase \ >> $tmpdir_server/stdout \ 2>> $tmpdir_server/stderr @@ -433,7 +423,6 @@ function terminate { #----------------------------------------------------------------------------- # Beginning of main line execution. #----------------------------------------------------------------------------- -configuration initialization "$@" unpack_request check_request diff --git a/stap-server-connect.c b/stap-server-connect.c index 8263a3d5..31fbefca 100644 --- a/stap-server-connect.c +++ b/stap-server-connect.c 
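Review bot: In the call_stap hunk, `--sign-module` is added to the `eval ${stap_exec_prefix}stap "$cmdline"` line unconditionally, so the server signs every module it builds, whatever script and options the client sent. Together with the new check_permissions() rule in staprun ("anyone can load a module which has been signed by a trusted signer"), a host that trusts this server's certificate would let unprivileged users load any module the server was asked to compile. I would expect signing to depend on a server-side policy, such as who the client is or which options are allowed in `$cmdline`, or at least a comment here and in the man page stating that authorizing a signer grants this. call_stap starts and ends outside the hunk, so any filtering of `$cmdline` done earlier is not visible here.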
@@ -94,7 +94,7 @@ readDataFromSocket(PRFileDesc *sslSocket) return SECFailure; } - /* Read the number fo bytes to be received. */ + /* Read the number of bytes to be received. */ numBytesRead = PR_Read(sslSocket, & info.size, sizeof (info.size)); if (numBytesRead == 0) /* EOF */ { diff --git a/stap-server.8.in b/stap-server.8.in index 1976b6ea..2df70f97 100644 --- a/stap-server.8.in +++ b/stap-server.8.in @@ -18,7 +18,7 @@ stap-server \- systemtap server and related utilities .B stap\-stop\-server .I PID .br -.B stap\-add\-server\-cert \fICERTFILE\fR \fIDIRNAME\fR +.B stap\-authorize\-server\-cert \fICERTFILE\fR [ \fIDIRNAME\fR ] .br .B stap\-client [ @@ -66,13 +66,13 @@ using .IR stap\-find\-servers . If a compatible server is found, .I stap\-find\-or\-start\-server -echoes \[aq]0\[aq] to stdout and the exit code is 0. Otherwise +echoes \[aq]0\[aq] to stdout. Otherwise .I stap\-find\-or\-start\-server attempts to start a server on the local network using .IR stap\-start\-server . -If successful, the process id of the new server is echoed to stdout and the -exit code is 0. If no server can be found or started, \[aq]-1\[aq] is echoed -to stdout and the exit code is 1. +If successful, the process id of the new server is echoed to stdout. +If no server can be found or started, \[aq]-1\[aq] is echoed +to stdout. The exit code is 0 in all cases. .PP The @@ -86,7 +86,7 @@ does not verify that the server actually shuts down. .PP The -.I stap\-add\-server\-cert +.I stap\-authorize\-server\-cert program adds the given server certificate to the given client\-side certificate database, making that server a trusted server for clients using that database. @@ -168,7 +168,7 @@ program requires a process id argument which identifies the server to be stopped .PP The -.I stap\-add\-server\-cert +.I stap\-authorize\-cert program accepts two arguments: .TP 
@@ -179,8 +179,12 @@ server\[aq]s certificate database. .TP .B DIRNAME -This is the name of the directory containing the client\-side certificate database to which -the certificate is to be added. +This optional argument is the name of the directory containing the client\-side +certificate database to which the certificate is to be added. If not specified, the +default, for non\-root users,is +.I $HOME/.systemtap/ssl/server\fP. +For root users (EUID=0), the default is +.I $sysconfdir/systemtap/ssl/server\fP. .PP The @@ -249,7 +253,7 @@ will be considered to be trusted for that invocation of the client. .IP \(bu 4 A user may add the certificate of a new trusted server to his own local client\-side certificate database using -\[aq]\fBstap-add-server-cert \fICERTFILE\fR \fIDIRNAME\fR\[aq] +\[aq]\fBstap\-authorize\-server\-cert \fICERTFILE\fR\[aq] (see above), where \fICERTFILE\fP is the server\[aq]s certificate file (\fIstap\-server.cert\fP) from the servers certificate database directory and \fIDIRNAME\fP is the @@ -312,11 +316,11 @@ simple example .PP To permanently trust a given server for your own use .PP -.B \& $ stap\-add\-server\-cert \fICERTFILE\fP $HOME/.systemtap/ssl/client +.B \& $ stap\-authorize\-cert \fICERTFILE\fP .PP As root, to permanently trust a given server for all users on your host .PP -.B \& $ stap\-add\-server\-cert \fICERTFILE\fP $sysconfdir/systemtap/ssl/client +.B \& $ stap\-authorize\-cert \fICERTFILE\fP .PP If a process id was echoed by .I stap\-start\-server diff --git a/stap-serverd b/stap-serverd index 6467ec55..9b1dfd43 100755 --- a/stap-serverd +++ b/stap-serverd 
@@ -16,20 +16,14 @@ # Catch ctrl-c and other termination signals trap 'terminate' SIGTERM SIGINT +# Initialize the environment +. stap-env + #----------------------------------------------------------------------------- # Helper functions. #----------------------------------------------------------------------------- # function: initialization PORT function initialization { - # INSTALL-HOOK These settings work for running the server from the source tree - # INSTALL-HOOK using the dejagnu test harness and will be overridden at install - # INSTALL-HOOK time. - exec_prefix= - sysconfdir=`pwd`/net - - # Default settings. - avahi_type=_stap._tcp - # What port will we listen on? port=$1 test "X$port" = "X" && port=65000 @@ -45,17 +39,13 @@ function initialization { if test "X$ssl_db" = "X"; then # If no certificate/key database has been specified, then find/create # a local one. - if test $EUID = 0; then - ssl_db=$sysconfdir/systemtap/ssl/server - else - ssl_db=$HOME/.systemtap/ssl/server - fi + ssl_db=$stap_ssl_db/server if ! test -f $ssl_db/stap-server.cert; then - ${exec_prefix}stap-gen-server-cert `dirname $ssl_db` || exit 1 + ${stap_exec_prefix}stap-gen-cert $ssl_db || exit 1 # Now add the server's certificate to the client's database, # making it a trusted peer. Do this only if the client has been installed. - if test -f `which ${exec_prefix}stap-add-server-cert` -a -x `which ${exec_prefix}stap-add-server-cert`; then - ${exec_prefix}stap-add-server-cert $ssl_db/stap-server.cert `dirname $ssl_db`/client + if test -f `which ${stap_exec_prefix}stap-add-server-cert` -a -x `which ${stap_exec_prefix}stap-add-server-cert`; then + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/stap-server.cert fi fi fi 
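Review bot: In the second hunk the guard still tests for the old script through two `which ${stap_exec_prefix}stap-add-server-cert` calls, while the body now calls `${stap_exec_prefix}stap-authorize-server-cert $ssl_db/stap-server.cert`. This commit renames stap-add-server-cert and drops it from the installed scripts, so on a fresh install the test fails and the new server certificate is never added to the client database. Both `which` calls in the `if test -f ... -a -x ...` line should name `stap-authorize-server-cert`. initialization continues outside the hunk.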
@@ -78,7 +68,7 @@ function advertise_presence { # Call avahi-publish-service to advertise our presence. avahi-publish-service "Systemtap Compile Server on `uname -n`" \ - $avahi_type $port "$txt" > /dev/null 2>&1 & + $stap_avahi_service_tag $port "$txt" > /dev/null 2>&1 & echo "Systemtap Compile Server on `uname -n` listening on port $port" } @@ -89,8 +79,8 @@ function advertise_presence { function listen { # The stap-server-connect program will listen forever # accepting requests. - ${exec_prefix}stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw 2>&1 & - wait '%${exec_prefix}stap-server-connect' >/dev/null 2>&1 + ${stap_exec_prefix}stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw 2>&1 & + wait '%${stap_exec_prefix}stap-server-connect' >/dev/null 2>&1 } # function: check_db DBNAME @@ -328,8 +318,8 @@ function terminate { wait '%avahi-publish-service' >/dev/null 2>&1 # Kill any running 'stap-server-connect' job. - kill -s SIGTERM '%${exec_prefix}stap-server-connect' 2> /dev/null - wait '%${exec_prefix}stap-server-connect' >/dev/null 2>&1 + kill -s SIGTERM '%${stap_exec_prefix}stap-server-connect' 2> /dev/null + wait '%${stap_exec_prefix}stap-server-connect' >/dev/null 2>&1 exit } diff --git a/stap-start-server b/stap-start-server index d718ed30..bc441545 100755 --- a/stap-start-server +++ b/stap-start-server @@ -12,14 +12,11 @@ # This script attempts to start a systemtap server and echoes the # process id, if successful. -# INSTALL-HOOK These settings work for running the client from the source tree -# INSTALL-HOOK using the dejagnu test harness and will be overridden at install -# INSTALL-HOOK time. -exec_prefix= -sysconfdir=`pwd`/net +# Initialize the environment +. stap-env # start the server -${exec_prefix}stap-serverd "$@" </dev/null >/dev/null 2>&1 & +${stap_exec_prefix}stap-serverd "$@" </dev/null >/dev/null 2>&1 & server_pid=$! # Make sure the server is started 
@@ -30,6 +27,7 @@ do sleep 1 continue fi + # Is avahi advertizing the server? if ! (ps -fa | grep avahi-publish-service | grep $server_pid) > /dev/null 2>&1; then sleep 1 diff --git a/systemtap.spec b/systemtap.spec index 540a9d93..95aba116 100644 --- a/systemtap.spec +++ b/systemtap.spec @@ -250,6 +250,10 @@ exit 0 %{_bindir}/stap %{_bindir}/stap-report +%{_bindir}/stap-env +%{_bindir}/stap-gen-cert +%{_bindir}/stap-authorize-cert +%{_bindir}/stap-authorize-signing-cert %{_mandir}/man1/* %{_mandir}/man5/* @@ -284,8 +288,7 @@ exit 0 %defattr(-,root,root) %{_bindir}/stap-client %{_bindir}/stap-find-servers -%{_bindir}/stap-find-or-start-server -%{_bindir}/stap-add-server-cert +%{_bindir}/stap-authorize-server-cert %{_bindir}/stap-client-connect %{_mandir}/man8/stap-server.8* @@ -294,8 +297,10 @@ exit 0 %{_bindir}/stap-server %{_bindir}/stap-serverd %{_bindir}/stap-start-server +%{_bindir}/stap-find-servers +%{_bindir}/stap-find-or-start-server %{_bindir}/stap-stop-server -%{_bindir}/stap-gen-server-cert +%{_bindir}/stap-authorize-server-cert %{_bindir}/stap-server-connect %{_mandir}/man8/stap-server.8* diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 9547479b..c0f0b19c 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -31,14 +31,16 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : -subdir = testsuite -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am +subdir = . +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/configure $(am__configure_deps) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ + configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = SOURCES = DEJATOOL = $(PACKAGE) @@ -48,39 +50,22 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CXX = @CXX@ -CXXCPP = @CXXCPP@ -CXXDEPMODE = @CXXDEPMODE@ -CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ -DATE = @DATE@ DEFS = @DEFS@ -DEPDIR = @DEPDIR@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ -LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ -OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -88,25 +73,15 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIECFLAGS = @PIECFLAGS@ -PIECXXFLAGS = @PIECXXFLAGS@ -PIELDFLAGS = @PIELDFLAGS@ -PROCFLAGS = @PROCFLAGS@ -RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ -U = @U@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CXX = @ac_ct_CXX@ -am__include = @am__include@ am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ @@ -114,15 +89,10 @@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ +dejazilla = @dejazilla@ docdir = @docdir@ dvidir = @dvidir@ -elfutils_abs_srcdir = @elfutils_abs_srcdir@ exec_prefix = @exec_prefix@ -have_dvips = @have_dvips@ -have_latex = @have_latex@ -have_latex2html = @have_latex2html@ -have_ps2pdf = @have_ps2pdf@ -have_xmlto = @have_xmlto@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ @@ -134,8 +104,6 @@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ -nspr_CFLAGS = @nspr_CFLAGS@ -nss_CFLAGS = @nss_CFLAGS@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -143,14 +111,9 @@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ -sqlite3_LIBS = @sqlite3_LIBS@ srcdir = @srcdir@ -stap_LIBS = @stap_LIBS@ -staplog_CPPFLAGS = @staplog_CPPFLAGS@ -subdirs = @subdirs@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = dejagnu no-dist 
@@ -171,35 +134,39 @@ RUNTEST = "env SYSTEMTAP_RUNTIME=$(SYSTEMTAP_RUNTIME) SYSTEMTAP_TAPSET=$(SYSTEMT all: all-am .SUFFIXES: +am--refresh: + @: $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \ + cd $(srcdir) && $(AUTOMAKE) --foreign \ && exit 0; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu testsuite/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu testsuite/Makefile + $(AUTOMAKE) --foreign Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + echo ' $(SHELL) ./config.status'; \ + $(SHELL) ./config.status;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + $(SHELL) ./config.status --recheck $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + cd $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) tags: TAGS TAGS: 
@@ -270,6 +237,7 @@ clean: clean-am clean-am: clean-generic clean-local mostlyclean-am distclean: distclean-am + -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -f Makefile distclean-am: clean-am distclean-DEJAGNU distclean-generic @@ -302,6 +270,8 @@ install-ps: install-ps-am installcheck-am: maintainer-clean: maintainer-clean-am + -rm -f $(am__CONFIG_DISTCLEAN_FILES) + -rm -rf $(top_srcdir)/autom4te.cache -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -321,16 +291,17 @@ uninstall-am: .MAKE: install-am install-strip -.PHONY: all all-am all-local check check-DEJAGNU check-am check-local \ - clean clean-generic clean-local distclean distclean-DEJAGNU \ - distclean-generic dvi dvi-am html html-am info info-am install \ - install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic pdf pdf-am ps ps-am uninstall uninstall-am +.PHONY: all all-am all-local am--refresh check check-DEJAGNU check-am \ + check-local clean clean-generic clean-local distclean \ + distclean-DEJAGNU distclean-generic dvi dvi-am html html-am \ + info info-am install install-am install-data install-data-am \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic pdf pdf-am ps ps-am uninstall \ + uninstall-am all-local: diff --git a/testsuite/aclocal.m4 b/testsuite/aclocal.m4 index c9daa488..5aee677e 100644 --- a/testsuite/aclocal.m4 +++ b/testsuite/aclocal.m4 
@@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.10.1 -*- Autoconf -*- +# generated automatically by aclocal 1.10 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -11,15 +11,12 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -m4_if(AC_AUTOCONF_VERSION, [2.61],, -[m4_warning([this file was generated for autoconf 2.61. -You have another version of autoconf. It may work, but is not guaranteed to. -If you have problems, you may need to regenerate the build system entirely. -To do so, use the procedure documented by the package, typically `autoreconf'.])]) +m4_if(m4_PACKAGE_VERSION, [2.61],, +[m4_fatal([this file was generated for autoconf 2.61. +You have another version of autoconf. If you want to use that, +you should regenerate the build system entirely.], [63])]) -# Copyright (C) 2002, 2003, 2005, 2006, 2007 Free Software Foundation, Inc. +# Copyright (C) 2002, 2003, 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -34,7 +31,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.10' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.10.1], [], +m4_if([$1], [1.10], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) 
@@ -50,10 +47,8 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AC_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.10.1])dnl -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)]) +[AM_AUTOMAKE_VERSION([1.10])dnl +_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- @@ -146,13 +141,13 @@ fi])]) # Do all the work for Automake. -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 13 +# serial 12 # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. @@ -257,17 +252,16 @@ AC_PROVIDE_IFELSE([AC_PROG_OBJC], # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. -_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $_am_arg | $_am_arg:* ) + $1 | $1:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) +echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. # 
@@ -516,7 +510,7 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])]) # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- -# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. +# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) @@ -1,5 +1,5 @@ // Copyright (C) Andrew Tridgell 2002 (original file) -// Copyright (C) 2006 Red Hat Inc. (systemtap changes) +// Copyright (C) 2006, 2009 Red Hat Inc. (systemtap changes) // // This program is free software; you can redistribute it and/or // modify it under the terms of the GNU General Public License as @@ -133,6 +133,25 @@ create_dir(const char *dir) return 0; } +// Remove a file or directory +int +remove_file_or_dir (const char *name) +{ + int rc; + struct stat st; + + if ((rc = stat(name, &st)) != 0) + { + if (errno == ENOENT) + return 0; + return 1; + } + + if (remove (name) != 0) + return 1; + cerr << "remove returned 0" << endl; + return 0; +} void tokenize(const string& str, vector<string>& tokens, @@ -8,6 +8,7 @@ const char *get_home_directory(void); int copy_file(const char *src, const char *dest); int create_dir(const char *dir); +int remove_file_or_dir(const char *dir); void tokenize(const std::string& str, std::vector<std::string>& tokens, const std::string& delimiters); std::string find_executable(const std::string& name); |
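Review bot: The added `remove_file_or_dir` (the `@@ -133,6 +133,25 @@` hunk) still carries a debug print, `cerr << "remove returned 0" << endl;`, on its success path, so every successful removal writes to stderr. The `stat()` pre-check also follows symlinks while `remove()` acts on the link itself, so a dangling symlink is reported as already gone and left in place, and the check-then-remove pair can race with another process changing the path; `st` is not used for anything else. Dropping both and letting `remove()` decide covers these cases: `if (remove (name) != 0 && errno != ENOENT) return 1;` followed by `return 0;`. The comment above the function could also say that a non-empty directory is not removed, since `remove()` fails on one.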