Diffstat (limited to 'runtime')
-rw-r--r-- | runtime/staprun/staprun_funcs.c | 22 | ||||
-rw-r--r-- | runtime/uprobes/Makefile | 32 |
2 files changed, 36 insertions, 18 deletions
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index b92067fb..75d56b50 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -287,7 +287,7 @@ check_stap_module_path(const char *module_path)
 /* Validate /lib/modules/KVER/systemtap. */
 if (stat(staplib_dir_path, &sb) < 0) {
 perr("Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " Error getting information on that directory",
 module_path, staplib_dir_path);
@@ -296,7 +296,7 @@ check_stap_module_path(const char *module_path)
 /* Make sure it is a directory. */
 if (! S_ISDIR(sb.st_mode)) {
 err("ERROR: Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " That path must refer to a directory.\n",
 module_path, staplib_dir_path);
@@ -305,7 +305,7 @@ check_stap_module_path(const char *module_path)
 /* Make sure it is owned by root. */
 if (sb.st_uid != 0) {
 err("ERROR: Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " That directory should be owned by root.\n",
 module_path, staplib_dir_path);
@@ -314,7 +314,7 @@ check_stap_module_path(const char *module_path)
 /* Make sure it isn't world writable. */
 if (sb.st_mode & S_IWOTH) {
 err("ERROR: Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " That directory should not be world writable.\n",
 module_path, staplib_dir_path);
@@ -325,7 +325,7 @@ check_stap_module_path(const char *module_path)
 * path. */
 if (realpath(staplib_dir_path, staplib_dir_realpath) == NULL) {
 perr("Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " Unable to canonicalize that directory",
 module_path, staplib_dir_path);
@@ -347,7 +347,7 @@ check_stap_module_path(const char *module_path)
 if (strncmp(staplib_dir_realpath, module_path, strlen(staplib_dir_realpath)) != 0) {
 err("ERROR: Unable to verify the signature for the module %s.\n"
- " Members of the \"stapusr\" group can only use untrusted modules within\n"
+ " Members of the \"stapusr\" group can only use unsigned modules within\n"
 " the \"%s\" directory.\n"
 " Module \"%s\" does not exist within that directory.\n",
 module_path, staplib_dir_path, module_path);
@@ -476,7 +476,7 @@ check_groups (
 * 1) root can do anything
 * 2) members of stapdev can do anything
 * 3) members of stapusr can load a module which has been signed by a trusted signer
- * 4) members of stapusr can load untrusted modules from /lib/modules/KVER/systemtap
+ * 4) members of stapusr can load unsigned modules from /lib/modules/KVER/systemtap
 *
 * It is only an error if all 4 levels of checking fail
 */
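Review bot: The containment test in the `@@ -347` hunk is a bare prefix comparison, `strncmp(staplib_dir_realpath, module_path, strlen(staplib_dir_realpath))`, so it only proves that the module is inside the directory if `staplib_dir_realpath` ends in `/` and `module_path` has itself been canonicalized; otherwise a sibling path that merely shares the prefix would also pass. Both steps would have to happen between the `realpath()` hunk and this one, which is outside what the diff shows, so this is a point to confirm rather than a confirmed defect. Since the reworded message now tells stapusr members that unsigned modules are accepted "within" that directory, I would state the precondition at the comparison with a comment such as `/* staplib_dir_realpath must end in '/' and module_path must be canonical, or this prefix match accepts paths outside the directory */`. The body of check_stap_module_path starts before and ends after these hunks.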
@@ -528,10 +528,6 @@ void assert_stap_module_permissions(
 "group \"stapdev\" or group \"stapusr\".\n");
 if (check_groups_rc == -2)
 err("Your system doesn't seem to have either group.\n");
-#if HAVE_NSS
- err("If you are part of the group \"stapusr\", the module must be "
- "signed by a trusted signer.\n");
-#endif
 }
 exit(-1);
@@ -582,10 +582,6 @@ void assert_uprobes_module_permissions(
 "group \"stapdev\" or group \"stapusr\".\n", module_path);
 if (check_groups_rc == -2)
 err("Your system doesn't seem to have either group.\n");
-#if HAVE_NSS
- err("If you are part of the group \"stapusr\", the module must be "
- "signed by a trusted signer.\n");
-#endif
 }
 exit(-1);
diff --git a/runtime/uprobes/Makefile b/runtime/uprobes/Makefile
index bc0fd6a9..4e1280ef 100644
--- a/runtime/uprobes/Makefile
+++ b/runtime/uprobes/Makefile
@@ -5,6 +5,14 @@ DEPENDENCIES := $(shell echo uprobes.[ch] uprobes_*.[ch])
 DEPENDENCIES += $(shell echo ../uprobes2/uprobes.[ch] ../uprobes2/uprobes_*.[ch])
 DEPENDENCIES += Makefile
+CLEAN_FILES := $(shell echo *.mod.c *.ko *.o .*.cmd *~ *.sgn)
+CLEAN_FILES += Module.markers modules.order Module.symvers
+CLEAN_DIRS := .tmp_versions
+
+# Build the module and sign it.
+# Ensure that the generated files are writeable by the group which
+# owns this build directory. This is so that the stap-server service
+# can rebuild the module, if necessary.
 default:
 $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
 if test -f ../../../../bin/stap-sign-module; then \
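Review bot: `CLEAN_FILES := $(shell echo *.mod.c *.ko *.o .*.cmd *~ *.sgn)` expands the globs once, when the Makefile is parsed, which is before `$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules` has produced anything, and the next hunk reuses that list for the chgrp/chmod pass. A pattern with no match at parse time survives as a literal and is globbed again by the recipe shell, but a pattern that already matched a leftover file is frozen to that name, so a newly generated file matching the same pattern can be skipped by the permission pass and by `clean`. Leaving the patterns for the recipe shell to expand avoids the stale list: `CLEAN_FILES := *.mod.c *.ko *.o .*.cmd *~ *.sgn`. The `default` recipe continues past the end of this hunk.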
@@ -14,12 +22,30 @@ default:
 fi \
 done \
 fi
+ group=`stat -c %G $(PWD)`; \
+ for f in $(CLEAN_FILES); do \
+ test ! -f $$f && continue; \
+ chgrp -f $$group $$f; \
+ chmod -f 664 $$f; \
+ done; \
+ for d in $(CLEAN_DIRS); do \
+ test ! -d $$d && continue; \
+ chgrp -f $$group $$d; \
+ chmod -f 775 $$d; \
+ for dd in `find $$d -type d`; do \
+ chgrp -f $$group $$dd; \
+ chmod -f 775 $$dd; \
+ done; \
+ for f in `find $$d -type f`; do \
+ chgrp -f $$group $$f; \
+ chmod -f 664 $$f; \
+ done; \
+ done
 # This target is used with "make -q" to see whether a "real" build is needed.
 uprobes.ko: $(DEPENDENCIES)
 @echo uprobes.ko is not a valid target. See Makefile.
 clean:
- rm -f *.mod.c *.ko *.o .*.cmd *~ *.sgn
- rm -f Module.markers modules.order Module.symvers
- rm -rf .tmp_versions
+ rm -f $(CLEAN_FILES)
+ rm -rf $(CLEAN_DIRS)
|
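Review bot: The chgrp/chmod pass added to `default` follows symbolic links and word-splits file names, in a build directory that the comment in the previous hunk describes as writable by a group. `test -f $$f`, `chgrp` and `chmod` all resolve a link given on the command line, so if any matching entry is a symlink the group and mode of its target are changed with whatever privilege this make runs under; who invokes it is not visible here and should be confirmed. The backtick `find` loops also split their results on whitespace. I would skip symlinks explicitly, quote every expansion and let `find -type d` / `-type f` with `-exec` do the recursion, as below. The start of the `default` recipe (the build and signing loop) lies before this hunk.

```make
default:
	# … unchanged: module build and signing loop …
	group=`stat -c %G "$(PWD)"`; \
	for f in $(CLEAN_FILES); do \
		test -f "$$f" && test ! -L "$$f" || continue; \
		chgrp -f "$$group" "$$f"; \
		chmod -f 664 "$$f"; \
	done; \
	for d in $(CLEAN_DIRS); do \
		test -d "$$d" && test ! -L "$$d" || continue; \
		find "$$d" -type d -exec chgrp -f "$$group" {} + -exec chmod -f 775 {} +; \
		find "$$d" -type f -exec chgrp -f "$$group" {} + -exec chmod -f 664 {} +; \
	done
```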