1 files changed, 115 insertions, 39 deletions

diff --git a/main.cxx b/main.cxx
index 2c1b1c68..daf64561 100644
--- a/main.cxx
+++ b/main.cxx
@@ -45,6 +45,7 @@ extern "C" {
 
 using namespace std;
 
+#define PATH_TBD string("__TBD__")
 
 void
 version ()
@@ -132,6 +133,8 @@ usage (systemtap_session& s, int exitcode)
 #ifdef HAVE_LIBSQLITE3
     << "   -q         generate information on tapset coverage" << endl
 #endif /* HAVE_LIBSQLITE3 */
+    << "   --unprivileged" << endl
+    << "              restrict usage to features available to unprivileged users" << endl
 #if 0 /* PR6864: disable temporarily; should merge with -d somehow */
     << "   --kelf     make do with symbol table from vmlinux" << endl
     << "   --kmap[=FILE]" << endl
@@ -356,6 +359,90 @@ setup_kernel_release (systemtap_session &s, const char* kstr) {
       }
 }
 
+static void
+checkOptions (systemtap_session &s)
+{
+  bool optionsConflict = false;
+
+  if(!s.bulk_mode && !s.merge)
+    {
+      cerr << "-M option is valid only for bulk (relayfs) mode." <<endl;
+      optionsConflict = true;
+    }
+
+  if(!s.output_file.empty() && s.bulk_mode && !s.merge)
+    {
+      cerr << "You can't specify -M, -b and -o options together." <<endl;
+      optionsConflict = true;
+    }
+
+  if((s.cmd != "") && (s.target_pid))
+    {
+      cerr << "You can't specify -c and -x options together." <<endl;
+      optionsConflict = true;
+    }
+
+  if (s.unprivileged)
+    {
+      if (s.guru_mode)
+	{
+	  cerr << "You can't specify -g and --unprivileged together." << endl;
+	  optionsConflict = true;
+	}
+      if (s.include_path.size () > 1)
+	{
+	  cerr << "You can't specify -I and --unprivileged together." << endl;
+	  optionsConflict = true;
+	}
+      if (s.runtime_path != string(PKGDATADIR) + "/runtime")
+	{
+	  cerr << "You can't use -R to specify an alternate runtime path when --unprivileged is specified." << endl;
+	  optionsConflict = true;
+	}
+      if (s.kernel_build_tree.substr(0, 13) != "/lib/modules/")
+	{
+	  cerr << "You can't use -r to specify a kernel release which is not installed when --unprivileged is specified." << endl;
+	  optionsConflict = true;
+	}
+      if (! s.macros.empty ())
+	{
+	  cerr << "You can't specify -D and --unprivileged together." << endl;
+	  optionsConflict = true;
+	}
+
+      if (getenv ("SYSTEMTAP_TAPSET"))
+	{
+	  cerr << "The environment variable SYSTEMTAP_TAPSET can not be defined when --unprivileged is specified." << endl;
+	  optionsConflict = true;
+	}
+      if (getenv ("SYSTEMTAP_RUNTIME"))
+	{
+	  cerr << "The environment variable SYSTEMTAP_RUNTIME can not be defined when --unprivileged is specified." << endl;
+	  optionsConflict = true;
+	}
+      if (getenv ("SYSTEMTAP_DEBUGINFO_PATH"))
+	{
+	  cerr << "The environment variable SYSTEMTAP_DEBUGINFO_PATH can not be defined when --unprivileged is specified." << endl;
+	  optionsConflict = true;
+	}
+    }
+
+  if (!s.kernel_symtab_path.empty())
+    {
+      if (s.consult_symtab)
+      {
+        cerr << "You can't specify --kelf and --kmap together." << endl;
+	optionsConflict = true;
+      }
+      s.consult_symtab = true;
+      if (s.kernel_symtab_path == PATH_TBD)
+        s.kernel_symtab_path = string("/boot/System.map-") + s.kernel_release;
+    }
+
+  if (optionsConflict)
+    usage (s, 1);
+}
+
 int
 main (int argc, char * const argv [])
 {
@@ -406,11 +493,12 @@ main (int argc, char * const argv [])
   s.ignore_dwarf = false;
   s.load_only = false;
   s.skip_badvars = false;
+  s.unprivileged = false;
 
   // Location of our signing certificate.
   // If we're root, use the database in SYSCONFDIR, otherwise
   // use the one in our $HOME directory.  */
-  if (geteuid() == 0)
+  if (getuid() == 0)
     s.cert_db_path = SYSCONFDIR "/systemtap/ssl/server";
   else
     s.cert_db_path = getenv("HOME") + string ("/.systemtap/ssl/server");
@@ -460,6 +548,14 @@ main (int argc, char * const argv [])
 	}
     }
 
+  // Location of our signing certificate.
+  // If we're root, use the database in SYSCONFDIR, otherwise
+  // use the one in s.data_path.  */
+  if (geteuid() == 0)
+    s.cert_db_path = SYSCONFDIR "/systemtap/ssl/server";
+  else
+    s.cert_db_path = s.data_path + "/ssl/server";
+
   const char* s_tc = getenv ("SYSTEMTAP_COVERAGE");
   if (s_tc != NULL)
     s.tapset_compile_coverage = true;
@@ -480,6 +576,7 @@ main (int argc, char * const argv [])
 #define LONG_OPT_IGNORE_DWARF 4
 #define LONG_OPT_VERBOSE_PASS 5
 #define LONG_OPT_SKIP_BADVARS 6
+#define LONG_OPT_UNPRIVILEGED 7
       // NB: also see find_hash(), usage(), switch stmt below, stap.1 man page
       static struct option long_options[] = {
         { "kelf", 0, &long_opt, LONG_OPT_KELF },
@@ -488,6 +585,7 @@ main (int argc, char * const argv [])
         { "ignore-dwarf", 0, &long_opt, LONG_OPT_IGNORE_DWARF },
 	{ "skip-badvars", 0, &long_opt, LONG_OPT_SKIP_BADVARS },
         { "vp", 1, &long_opt, LONG_OPT_VERBOSE_PASS },
+        { "unprivileged", 0, &long_opt, LONG_OPT_UNPRIVILEGED },
         { NULL, 0, NULL, 0 }
       };
       int grc = getopt_long (argc, argv, "hVMvtp:I:e:o:R:r:m:kgPc:x:D:bs:uqwl:d:L:FS:",
@@ -705,7 +803,6 @@ main (int argc, char * const argv [])
               if (optarg)
                 s.kernel_symtab_path = optarg;
               else
-#define PATH_TBD string("__TBD__")
                 s.kernel_symtab_path = PATH_TBD;
 	      break;
 	    case LONG_OPT_IGNORE_VMLINUX:
@@ -737,6 +834,9 @@ main (int argc, char * const argv [])
 	    case LONG_OPT_SKIP_BADVARS:
 	      s.skip_badvars = true;
 	      break;
+	    case LONG_OPT_UNPRIVILEGED:
+	      s.unprivileged = true;
+	      break;
             default:
               cerr << "Internal error parsing command arguments." << endl;
               usage(s, 1);
@@ -749,35 +849,8 @@ main (int argc, char * const argv [])
         }
     }
 
-  if(!s.bulk_mode && !s.merge)
-    {
-      cerr << "-M option is valid only for bulk (relayfs) mode." <<endl;
-      usage (s, 1);
-    }
-
-  if(!s.output_file.empty() && s.bulk_mode && !s.merge)
-    {
-      cerr << "You can't specify -M, -b and -o options together." <<endl;
-      usage (s, 1);
-    }
-
-  if((s.cmd != "") && (s.target_pid))
-    {
-      cerr << "You can't specify -c and -x options together." <<endl;
-      usage (s, 1);
-    }
-
-  if (!s.kernel_symtab_path.empty())
-    {
-      if (s.consult_symtab)
-      {
-        cerr << "You can't specify --kelf and --kmap together." << endl;
-	usage (s, 1);
-      }
-      s.consult_symtab = true;
-      if (s.kernel_symtab_path == PATH_TBD)
-        s.kernel_symtab_path = string("/boot/System.map-") + s.kernel_release;
-    }
+  // Check for options conflicts.
+  checkOptions (s);
 
   // Warn in case the target kernel release doesn't match the running one.
   if (s.last_pass > 4 &&
@@ -1177,14 +1250,17 @@ main (int argc, char * const argv [])
 	  // Save the signature as well.
 	  assert (! s.cert_db_path.empty());
 	  module_src_path += ".sgn";
-	  module_dest_path += ".sgn";
-
-	  if (s.verbose > 1)
-	    clog << "Copying " << module_src_path << " to "
-		 << module_dest_path << endl;
-	  if (copy_file(module_src_path.c_str(), module_dest_path.c_str()) != 0)
-	    cerr << "Copy failed (\"" << module_src_path << "\" to \""
-		 << module_dest_path << "\"): " << strerror(errno) << endl;
+	  if (file_exists (module_src_path))
+	    {
+	      module_dest_path += ".sgn";
+
+	      if (s.verbose > 1)
+		clog << "Copying " << module_src_path << " to "
+		     << module_dest_path << endl;
+	      if (copy_file(module_src_path.c_str(), module_dest_path.c_str()) != 0)
+		cerr << "Copy failed (\"" << module_src_path << "\" to \""
+		     << module_dest_path << "\"): " << strerror(errno) << endl;
+	    }
 #endif
 	}
     }