rpms
/
systemtap
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

upstream release 1.1

This commit is contained in:
drsmith2 2010-01-15 22:36:55 +00:00
parent 2fb7820ee4
commit fbc37f47a1
6 changed files with 170 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1 +1 @@
systemtap-1.0.tar.gz
systemtap-1.1.tar.gz

123
SystemTap-1.0-limit-dwarf-expression-stack-size.patch
View File

@ -1,123 +0,0 @@
diff --git a/dwflpp.cxx b/dwflpp.cxx
index 636cd38..c31548d 100644
--- a/dwflpp.cxx
+++ b/dwflpp.cxx
@@ -2272,7 +2272,15 @@ dwflpp::express_as_string (string prelude,
fprintf(memstream, "{\n");
fprintf(memstream, "%s", prelude.c_str());
- bool deref = c_emit_location (memstream, head, 1);
+
+ unsigned int stack_depth;
+ bool deref = c_emit_location (memstream, head, 1, &stack_depth);
+
+ // Ensure that DWARF keeps loc2c to a "reasonable" stack size
+ // 32 intptr_t leads to max 256 bytes on the stack
+ if (stack_depth > 32)
+ throw semantic_error("oversized DWARF stack");
+
fprintf(memstream, "%s", postlude.c_str());
fprintf(memstream, " goto out;\n");
diff --git a/loc2c-test.c b/loc2c-test.c
index 495a95f..ed7aa4b 100644
--- a/loc2c-test.c
+++ b/loc2c-test.c
@@ -329,11 +329,14 @@ handle_variable (Dwarf_Die *lscopes, int lnscopes, int out,
"{\n"
" intptr_t value;");
- bool deref = c_emit_location (stdout, head, 1);
+ unsigned int stack_depth;
+ bool deref = c_emit_location (stdout, head, 1, &stack_depth);
obstack_free (&pool, NULL);
- puts (store ? " return;" :
+ printf (" /* max expression stack depth %u */\n", stack_depth);
+
+ puts (store ? " return;" :
" printk (\" ---> %ld\\n\", (unsigned long) value);\n"
" return;");
diff --git a/loc2c.c b/loc2c.c
index 5d6b549..0716c7d 100644
--- a/loc2c.c
+++ b/loc2c.c
@@ -2071,7 +2071,8 @@ emit_loc_address (FILE *out, struct location *loc, unsigned int indent,
assign it to an address-sized value. */
static void
emit_loc_value (FILE *out, struct location *loc, unsigned int indent,
- const char *target, bool declare)
+ const char *target, bool declare,
+ bool *used_deref, unsigned int *max_stack)
{
if (declare)
emit ("%*s%s %s;\n", indent * 2, "", STACK_TYPE, target);
@@ -2091,6 +2092,9 @@ emit_loc_value (FILE *out, struct location *loc, unsigned int indent,
case loc_address:
case loc_value:
emit_loc_address (out, loc, indent, target);
+ *used_deref = *used_deref || loc->address.used_deref;
+ if (loc->address.stack_depth > *max_stack)
+ *max_stack = loc->address.stack_depth;
break;
}
@@ -2098,7 +2102,8 @@ emit_loc_value (FILE *out, struct location *loc, unsigned int indent,
}
bool
-c_emit_location (FILE *out, struct location *loc, int indent)
+c_emit_location (FILE *out, struct location *loc, int indent,
+ unsigned int *max_stack)
{
emit ("%*s{\n", indent * 2, "");
@@ -2134,9 +2139,11 @@ c_emit_location (FILE *out, struct location *loc, int indent)
}
bool deref = false;
+ *max_stack = 0;
if (loc->frame_base != NULL)
- emit_loc_value (out, loc->frame_base, indent, "frame_base", true);
+ emit_loc_value (out, loc->frame_base, indent, "frame_base", true,
+ &deref, max_stack);
for (; loc->next != NULL; loc = loc->next)
switch (loc->type)
@@ -2144,8 +2151,7 @@ c_emit_location (FILE *out, struct location *loc, int indent)
case loc_address:
case loc_value:
/* Emit the program fragment to calculate the address. */
- emit_loc_value (out, loc, indent + 1, "addr", false);
- deref = deref || loc->address.used_deref;
+ emit_loc_value (out, loc, indent + 1, "addr", false, &deref, max_stack);
break;
case loc_fragment:
@@ -2172,6 +2178,9 @@ c_emit_location (FILE *out, struct location *loc, int indent)
emit ("%s%*s}\n", loc->address.program, indent * 2, "");
+ if (loc->address.stack_depth > *max_stack)
+ *max_stack = loc->address.stack_depth;
+
return deref || loc->address.used_deref;
}
diff --git a/loc2c.h b/loc2c.h
index becf2d8..45d9382 100644
--- a/loc2c.h
+++ b/loc2c.h
@@ -112,6 +112,7 @@ struct location *c_translate_argument (struct obstack *,
Writes complete lines of C99, code forming a complete C block, to STREAM.
Return value is true iff that code uses the `deref' runtime macros. */
-bool c_emit_location (FILE *stream, struct location *loc, int indent);
+bool c_emit_location (FILE *stream, struct location *loc, int indent,
+ unsigned int *max_stack);
/* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */

62
SystemTap-1.0-limit-printf-arguments.patch
View File

@ -1,62 +0,0 @@
diff --git a/buildrun.cxx b/buildrun.cxx
index 100cbc4..c86a442 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -200,6 +200,9 @@ compile_pass (systemtap_session& s)
// o << "CFLAGS += -fno-unit-at-a-time" << endl;
+ // 600 bytes should be enough for anybody
+ o << "EXTRA_CFLAGS += $(call cc-option,-Wframe-larger-than=600)" << endl;
+
// Assumes linux 2.6 kbuild
o << "EXTRA_CFLAGS += -Wno-unused -Werror" << endl;
#if CHECK_POINTER_ARITH_PR5947
diff --git a/testsuite/transko/varargs.stp b/testsuite/transko/varargs.stp
new file mode 100755
index 0000000..f38309a
--- /dev/null
+++ b/testsuite/transko/varargs.stp
@@ -0,0 +1,10 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32,
+ 33)
+}
diff --git a/testsuite/transok/varargs.stp b/testsuite/transok/varargs.stp
new file mode 100755
index 0000000..216166f
--- /dev/null
+++ b/testsuite/transok/varargs.stp
@@ -0,0 +1,9 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32)
+}
diff --git a/translate.cxx b/translate.cxx
index 04a9247..c73a5bd 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -4151,6 +4151,11 @@ c_unparser::visit_print_format (print_format* e)
{
stmt_expr block(*this);
+ // PR10750: Enforce a reasonable limit on # of varargs
+ // 32 varargs leads to max 256 bytes on the stack
+ if (e->args.size() > 32)
+ throw semantic_error("too many arguments to print", e->tok);
+
// Compute actual arguments
vector<tmpvar> tmp;

180
SystemTap-1.0-unwind-table-size-checks.patch
View File

@ -1,180 +0,0 @@
diff --git a/runtime/unwind.c b/runtime/unwind.c
index 00108a3..7607770 100644
--- a/runtime/unwind.c
+++ b/runtime/unwind.c
@@ -88,7 +88,7 @@ static sleb128_t get_sleb128(const u8 **pcur, const u8 *end)
/* given an FDE, find its CIE */
static const u32 *cie_for_fde(const u32 *fde, void *unwind_data,
- int is_ehframe)
+ uint32_t table_len, int is_ehframe)
{
const u32 *cie;
@@ -118,6 +118,11 @@ static const u32 *cie_for_fde(const u32 *fde, void *unwind_data,
else
cie = unwind_data + fde[1];
+ /* Make sure address falls in the table */
+ if (((void *)cie) < ((void*)unwind_data)
+ || ((void*)cie) > ((void*)(unwind_data + table_len)))
+ return NULL;
+
if (*cie <= sizeof(*cie) + 4 || *cie >= fde[1] - sizeof(*fde)
|| (*cie & (sizeof(*cie) - 1))
|| (cie[1] != 0xffffffff && cie[1] != 0)) {
@@ -200,7 +205,8 @@ static unsigned long read_pointer(const u8 **pLoc, const void *end, signed ptrTy
return value;
}
-static signed fde_pointer_type(const u32 *cie)
+static signed fde_pointer_type(const u32 *cie, void *unwind_data,
+ uint32_t table_len)
{
const u8 *ptr = (const u8 *)(cie + 2);
unsigned version = *ptr;
@@ -212,11 +218,16 @@ static signed fde_pointer_type(const u32 *cie)
const u8 *end = (const u8 *)(cie + 1) + *cie;
uleb128_t len;
+ /* end of cie should fall within unwind table. */
+ if (((void*)end) < ((void *)unwind_data)
+ || ((void *)end) > ((void *)(unwind_data + table_len)))
+ return -1;
+
/* check if augmentation size is first (and thus present) */
if (*ptr != 'z')
return -1;
/* check if augmentation string is nul-terminated */
- if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL)
+ if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL)
return -1;
++ptr; /* skip terminator */
get_uleb128(&ptr, end); /* skip code alignment */
@@ -267,6 +278,10 @@ static void set_rule(uleb128_t reg, enum item_location where, uleb128_t value, s
}
}
+/* Limit the number of instructions we process. Arbitrary limit.
+ 512 should be enough for anybody... */
+#define MAX_CFI 512
+
static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, signed ptrType, struct unwind_state *state)
{
union {
@@ -276,6 +291,9 @@ static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, s
} ptr;
int result = 1;
+ if (end - start > MAX_CFI)
+ return 0;
+
dbug_unwind(1, "targetLoc=%lx state->loc=%lx\n", targetLoc, state->loc);
if (start != state->cieStart) {
state->loc = state->org;
@@ -606,10 +624,10 @@ static int unwind_frame(struct unwind_frame_info *frame,
/* found the fde, now set startLoc and endLoc */
if (fde != NULL) {
- cie = cie_for_fde(fde, table, is_ehframe);
+ cie = cie_for_fde(fde, table, table_len, is_ehframe);
if (likely(cie != NULL && cie != &bad_cie && cie != &not_fde)) {
ptr = (const u8 *)(fde + 2);
- ptrType = fde_pointer_type(cie);
+ ptrType = fde_pointer_type(cie, table, table_len);
startLoc = read_pointer(&ptr, (const u8 *)(fde + 1) + *fde, ptrType);
startLoc = adjustStartLoc(startLoc, m, s, ptrType, is_ehframe);
@@ -632,12 +650,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
for (fde = table, tableSize = table_len; cie = NULL, tableSize > sizeof(*fde)
&& tableSize - sizeof(*fde) >= *fde; tableSize -= sizeof(*fde) + *fde, fde += 1 + *fde / sizeof(*fde)) {
dbug_unwind(3, "fde=%lx tableSize=%d\n", (long)*fde, (int)tableSize);
- cie = cie_for_fde(fde, table, is_ehframe);
+ cie = cie_for_fde(fde, table, table_len, is_ehframe);
if (cie == &bad_cie) {
cie = NULL;
break;
}
- if (cie == NULL || cie == &not_fde || (ptrType = fde_pointer_type(cie)) < 0)
+ if (cie == NULL || cie == &not_fde || (ptrType = fde_pointer_type(cie, table, table_len)) < 0)
continue;
ptr = (const u8 *)(fde + 2);
@@ -666,6 +684,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
state.cieEnd = ptr; /* keep here temporarily */
ptr = (const u8 *)(cie + 2);
end = (const u8 *)(cie + 1) + *cie;
+
+ /* end should fall within unwind table. */
+ if (((void *)end) < table
+ || ((void *)end) > ((void *)(table + table_len)))
+ goto err;
+
frame->call_frame = 1;
if ((state.version = *ptr) != 1) {
dbug_unwind(1, "CIE version number is %d. 1 is supported.\n", state.version);
@@ -723,6 +747,11 @@ static int unwind_frame(struct unwind_frame_info *frame,
state.cieEnd = end;
end = (const u8 *)(fde + 1) + *fde;
+ /* end should fall within unwind table. */
+ if (((void*)end) < table
+ || ((void *)end) > ((void *)(table + table_len)))
+ goto err;
+
/* skip augmentation */
if (((const char *)(cie + 2))[1] == 'z') {
uleb128_t augSize = get_uleb128(&ptr, end);
diff --git a/runtime/unwind/unwind.h b/runtime/unwind/unwind.h
index 285a3a3..023ea60 100644
--- a/runtime/unwind/unwind.h
+++ b/runtime/unwind/unwind.h
@@ -143,8 +143,10 @@ static unsigned long read_pointer(const u8 **pLoc,
const void *end,
signed ptrType);
static const u32 bad_cie, not_fde;
-static const u32 *cie_for_fde(const u32 *fde, void *table, int is_ehframe);
-static signed fde_pointer_type(const u32 *cie);
+static const u32 *cie_for_fde(const u32 *fde, void *table,
+ uint32_t table_len, int is_ehframe);
+static signed fde_pointer_type(const u32 *cie,
+ void *table, uint32_t table_len);
#endif /* STP_USE_DWARF_UNWINDER */
diff --git a/translate.cxx b/translate.cxx
index bc5d615..9d456bc 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -29,6 +29,11 @@ extern "C" {
#include <elfutils/libdwfl.h>
}
+// Max unwind table size (debug or eh) per module. Somewhat arbitrary
+// limit (a bit more than twice the .debug_frame size of my local
+// vmlinux for 2.6.31.4-83.fc12.x86_64)
+#define MAX_UNWIND_TABLE_SIZE (3 * 1024 * 1024)
+
using namespace std;
struct var;
@@ -4785,6 +4790,9 @@ dump_unwindsyms (Dwfl_Module *m,
get_unwind_data (m, &debug_frame, &eh_frame, &debug_len, &eh_len, &eh_addr);
if (debug_frame != NULL && debug_len > 0)
{
+ if (debug_len > MAX_UNWIND_TABLE_SIZE)
+ throw semantic_error ("module debug unwind table size too big");
+
c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n";
c->output << "static uint8_t _stp_module_" << stpmod_idx
<< "_debug_frame[] = \n";
@@ -4802,6 +4810,9 @@ dump_unwindsyms (Dwfl_Module *m,
if (eh_frame != NULL && eh_len > 0)
{
+ if (eh_len > MAX_UNWIND_TABLE_SIZE)
+ throw semantic_error ("module eh unwind table size too big");
+
c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n";
c->output << "static uint8_t _stp_module_" << stpmod_idx
<< "_eh_frame[] = \n";

2
sources
View File

@ -1 +1 @@
e11c9ec18f3b269b846054e9ca33011a systemtap-1.0.tar.gz
bb760f76ecc400ed4d44a1399a06ca33 systemtap-1.1.tar.gz

241
systemtap.spec
View File

@ -1,15 +1,18 @@
%{!?with_sqlite: %define with_sqlite 1}
%{!?with_docs: %define with_docs 1}
%{!?with_crash: %define with_crash 0}
%{!?with_rpm: %define with_rpm 1}
%{!?with_bundled_elfutils: %define with_bundled_elfutils 0}
%{!?elfutils_version: %define elfutils_version 0.127}
%{!?pie_supported: %define pie_supported 1}
%{!?with_grapher: %define with_grapher 1}
%{!?with_sqlite: %global with_sqlite 1}
%{!?with_docs: %global with_docs 1}
%{!?with_crash: %global with_crash 0}
%{!?with_rpm: %global with_rpm 1}
%{!?with_bundled_elfutils: %global with_bundled_elfutils 0}
%{!?elfutils_version: %global elfutils_version 0.127}
%{!?pie_supported: %global pie_supported 1}
%{!?with_grapher: %global with_grapher 1}
%{!?with_boost: %global with_boost 0}
%{!?with_publican: %global with_publican 1}
%{!?publican_brand: %global publican_brand fedora}
Name: systemtap
Version: 1.0
Release: 2%{?dist}
Version: 1.1
Release: 1%{?dist}
# for version, see also configure.ac
Summary: Instrumentation System
Group: Development/System
@ -23,6 +26,10 @@ Requires: kernel >= 2.6.9-11
%if %{with_sqlite}
BuildRequires: sqlite-devel
%endif
# Needed for libstd++ < 4.0, without <tr1/memory>
%if %{with_boost}
BuildRequires: boost-devel
%endif
%if %{with_crash}
BuildRequires: crash-devel zlib-devel
%endif
@ -41,7 +48,7 @@ BuildRequires: nss-devel nss-tools pkgconfig
Source1: elfutils-%{elfutils_version}.tar.gz
Patch1: elfutils-portability.patch
BuildRequires: m4
%define setup_elfutils -a1
%global setup_elfutils -a1
%else
BuildRequires: elfutils-devel >= %{elfutils_version}
%endif
@ -55,16 +62,21 @@ BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html
# called 'xmlto-tex'. To avoid a specific F10 BuildReq, we'll do a
# file-based buildreq on '/usr/share/xmlto/format/fo/pdf'.
BuildRequires: xmlto /usr/share/xmlto/format/fo/pdf
%if %{with_publican}
BuildRequires: publican
BuildRequires: publican-%{publican_brand}
%endif
%endif
%if %{with_grapher}
BuildRequires: gtkmm24-devel >= 2.8
BuildRequires: libglademm24-devel >= 2.6.7
# If 'with_boost' isn't set, the boost-devel build requirement hasn't
# been specified yet.
%if ! %{with_boost}
BuildRequires: boost-devel
%endif
%endif
# Fix three --unprivileged DOS issues (CVE-2009-2911)
Patch10: SystemTap-1.0-limit-printf-arguments.patch
Patch11: SystemTap-1.0-limit-dwarf-expression-stack-size.patch
Patch12: SystemTap-1.0-unwind-table-size-checks.patch
%description
SystemTap is an instrumentation system for systems running Linux 2.6.
@ -118,6 +130,10 @@ URL: http://sourceware.org/systemtap/
Requires: systemtap
Requires: avahi avahi-tools nss nss-tools mktemp
Requires: zip unzip
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
%description server
This is the remote script compilation server component of systemtap.
@ -134,14 +150,18 @@ URL: http://sourceware.org/systemtap/
Support tools to allow applications to use static probes.
%package initscript
Summary: Systemtap Initscript
Summary: Systemtap Initscripts
Group: Development/System
License: GPLv2+
URL: http://sourceware.org/systemtap/
Requires: systemtap-runtime, initscripts
Requires: systemtap-runtime
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
%description initscript
Initscript for Systemtap scripts.
Initscript for Systemtap scripts
%if %{with_grapher}
%package grapher
@ -169,70 +189,71 @@ find . \( -name configure -o -name config.h.in \) -print | xargs touch
cd ..
%endif
# Fix three --unprivileged DOS issues (CVE-2009-2911)
%patch10 -p1
%patch11 -p1
%patch12 -p1
%build
%if %{with_bundled_elfutils}
# Build our own copy of elfutils.
%define elfutils_config --with-elfutils=elfutils-%{elfutils_version}
%global elfutils_config --with-elfutils=elfutils-%{elfutils_version}
# We have to prevent the standard dependency generation from identifying
# our private elfutils libraries in our provides and requires.
%define _use_internal_dependency_generator 0
%define filter_eulibs() /bin/sh -c "%{1} | sed '/libelf/d;/libdw/d;/libebl/d'"
%define __find_provides %{filter_eulibs /usr/lib/rpm/find-provides}
%define __find_requires %{filter_eulibs /usr/lib/rpm/find-requires}
%global _use_internal_dependency_generator 0
%global filter_eulibs() /bin/sh -c "%{1} | sed '/libelf/d;/libdw/d;/libebl/d'"
%global __find_provides %{filter_eulibs /usr/lib/rpm/find-provides}
%global __find_requires %{filter_eulibs /usr/lib/rpm/find-requires}
# This will be needed for running stap when not installed, for the test suite.
%define elfutils_mflags LD_LIBRARY_PATH=`pwd`/lib-elfutils
%global elfutils_mflags LD_LIBRARY_PATH=`pwd`/lib-elfutils
%endif
# Enable/disable the sqlite coverage testing support
%if %{with_sqlite}
%define sqlite_config --enable-sqlite
%global sqlite_config --enable-sqlite
%else
%define sqlite_config --disable-sqlite
%global sqlite_config --disable-sqlite
%endif
# Enable/disable the crash extension
%if %{with_crash}
%define crash_config --enable-crash
%global crash_config --enable-crash
%else
%define crash_config --disable-crash
%global crash_config --disable-crash
%endif
# Enable/disable the code to find and suggest needed rpms
%if %{with_rpm}
%define rpm_config --with-rpm
%global rpm_config --with-rpm
%else
%define rpm_config --without-rpm
%global rpm_config --without-rpm
%endif
%if %{with_docs}
%define docs_config --enable-docs
%global docs_config --enable-docs
%else
%define docs_config --disable-docs
%global docs_config --disable-docs
%endif
# Enable pie as configure defaults to disabling it
%if %{pie_supported}
%define pie_config --enable-pie
%global pie_config --enable-pie
%else
%define pie_config --disable-pie
%global pie_config --disable-pie
%endif
%if %{with_grapher}
%define grapher_config --enable-grapher
%global grapher_config --enable-grapher
%else
%define grapher_config --disable-grapher
%global grapher_config --disable-grapher
%endif
%if %{with_publican}
%global publican_config --enable-publican --with-publican-brand=%{publican_brand}
%else
%global publican_config --disable-publican
%endif
%configure %{?elfutils_config} %{sqlite_config} %{crash_config} %{docs_config} %{pie_config} %{grapher_config} %{rpm_config}
%configure %{?elfutils_config} %{sqlite_config} %{crash_config} %{docs_config} %{pie_config} %{grapher_config} %{publican_config} %{rpm_config} --disable-silent-rules
make %{?_smp_mflags}
%install
@ -265,17 +286,28 @@ cp -rp testsuite $RPM_BUILD_ROOT%{_datadir}/systemtap
mkdir docs.installed
mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/*.pdf docs.installed/
mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/tapsets docs.installed/
%if %{with_publican}
mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/SystemTap_Beginners_Guide docs.installed/
%endif
%endif
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/init.d/
install -m 755 initscript/systemtap $RPM_BUILD_ROOT%{_sysconfdir}/init.d/
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/
install -m 755 initscript/systemtap $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemtap
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemtap/conf.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemtap/script.d
install -m 644 initscript/config $RPM_BUILD_ROOT%{_sysconfdir}/systemtap
install -m 644 initscript/config.systemtap $RPM_BUILD_ROOT%{_sysconfdir}/systemtap/config
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/systemtap
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/systemtap
install -m 755 initscript/stap-server $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/stap-server
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/stap-server/conf.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 644 initscript/config.stap-server $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/stap-server
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log
touch $RPM_BUILD_ROOT%{_localstatedir}/log/stap-server.log
%clean
rm -rf ${RPM_BUILD_ROOT}
@ -284,12 +316,67 @@ getent group stapdev >/dev/null || groupadd -r stapdev
getent group stapusr >/dev/null || groupadd -r stapusr
exit 0
%pre server
getent group stap-server >/dev/null || groupadd -r stap-server
getent passwd stap-server >/dev/null || useradd -c "Systemtap Compile Server" -g stap-server -d %{_localstatedir}/lib/stap-server -m -r -s /sbin/nologin stap-server
chmod 755 %{_localstatedir}/lib/stap-server
exit 0
%post server
chmod 664 %{_localstatedir}/log/stap-server.log
chown stap-server %{_localstatedir}/log/stap-server.log
chgrp stap-server %{_localstatedir}/log/stap-server.log
# Make sure that the uprobes module can be built by the server
test -e /usr/share/systemtap/runtime/uprobes || mkdir -p /usr/share/systemtap/runtime/uprobes
chgrp stap-server /usr/share/systemtap/runtime/uprobes
chmod 775 /usr/share/systemtap/runtime/uprobes
# As stap-server, generate the certificate used for signing and for ssl.
runuser -s /bin/sh - stap-server -c %{_libexecdir}/%{name}/stap-gen-cert >/dev/null
# Authorize the certificate as a trusted ssl peer and as a trusted signer
# local host.
%{_bindir}/stap-authorize-server-cert %{_localstatedir}/lib/stap-server/.systemtap/ssl/server/stap.cert
%{_bindir}/stap-authorize-signing-cert %{_localstatedir}/lib/stap-server/.systemtap/ssl/server/stap.cert
# Activate the service
/sbin/chkconfig --add stap-server
exit 0
%preun server
# Check that this is the actual deinstallation of the package, as opposed to
# just removing the old package on upgrade.
if [ $1 = 0 ] ; then
/sbin/service stap-server stop >/dev/null 2>&1
/sbin/chkconfig --del stap-server
fi
exit 0
%postun server
# Check whether this is an upgrade of the package.
# If so, restart the service if it's running
if [ "$1" -ge "1" ] ; then
/sbin/service stap-server condrestart >/dev/null 2>&1 || :
fi
exit 0
%post initscript
chkconfig --add systemtap
/sbin/chkconfig --add systemtap
exit 0
%preun initscript
chkconfig --del systemtap
# Check that this is the actual deinstallation of the package, as opposed to
# just removing the old package on upgrade.
if [ $1 = 0 ] ; then
/sbin/service systemtap stop >/dev/null 2>&1
/sbin/chkconfig --del systemtap
fi
exit 0
%postun initscript
# Check whether this is an upgrade of the package.
# If so, restart the service if it's running
if [ "$1" -ge "1" ] ; then
/sbin/service systemtap condrestart >/dev/null 2>&1 || :
fi
exit 0
%post
@ -309,14 +396,13 @@ exit 0
%if %{with_docs}
%doc docs.installed/*.pdf
%doc docs.installed/tapsets
%if %{with_publican}
%doc docs.installed/SystemTap_Beginners_Guide
%endif
%endif
%{_bindir}/stap
%{_bindir}/stap-report
%{_bindir}/stap-env
%{_bindir}/stap-gen-cert
%{_bindir}/stap-authorize-cert
%{_bindir}/stap-authorize-signing-cert
%{_mandir}/man1/*
%{_mandir}/man3/*
@ -338,8 +424,12 @@ exit 0
%defattr(-,root,root)
%attr(4111,root,root) %{_bindir}/staprun
%{_bindir}/stap-report
%{_libexecdir}/%{name}
%{_bindir}/stap-authorize-signing-cert
%{_libexecdir}/%{name}/stapio
%{_libexecdir}/%{name}/stap-env
%{_libexecdir}/%{name}/stap-authorize-cert
%{_mandir}/man8/staprun.8*
%{_mandir}/man8/stap-authorize-signing-cert.8*
%doc README AUTHORS NEWS COPYING
@ -350,28 +440,32 @@ exit 0
%files client
%defattr(-,root,root)
%{_bindir}/stap-client
%{_bindir}/stap-env
%{_bindir}/stap-find-servers
%{_bindir}/stap-authorize-cert
%{_bindir}/stap-authorize-server-cert
%{_bindir}/stap-client-connect
%{_mandir}/man8/stap-server.8*
%{_libexecdir}/%{name}/stap-find-servers
%{_libexecdir}/%{name}/stap-client-connect
%{_mandir}/man8/stap-client.8*
%{_mandir}/man8/stap-authorize-server-cert.8*
%files server
%defattr(-,root,root)
%{_bindir}/stap-server
%{_bindir}/stap-serverd
%{_bindir}/stap-env
%{_bindir}/stap-start-server
%{_bindir}/stap-find-servers
%{_bindir}/stap-find-or-start-server
%{_bindir}/stap-stop-server
%{_bindir}/stap-gen-cert
%{_bindir}/stap-authorize-cert
%{_bindir}/stap-authorize-server-cert
%{_bindir}/stap-server-connect
%{_bindir}/stap-sign-module
%{_bindir}/stap-server
%{_libexecdir}/%{name}/stap-serverd
%{_libexecdir}/%{name}/stap-start-server
%{_libexecdir}/%{name}/stap-find-servers
%{_libexecdir}/%{name}/stap-find-or-start-server
%{_libexecdir}/%{name}/stap-stop-server
%{_libexecdir}/%{name}/stap-gen-cert
%{_libexecdir}/%{name}/stap-server-connect
%{_libexecdir}/%{name}/stap-sign-module
%{_mandir}/man8/stap-server.8*
%{_mandir}/man8/stap-authorize-server-cert.8*
%{_sysconfdir}/rc.d/init.d/stap-server
%dir %{_sysconfdir}/stap-server
%dir %{_sysconfdir}/stap-server/conf.d
%config(noreplace) %{_sysconfdir}/sysconfig/stap-server
%{_localstatedir}/log/stap-server.log
%doc initscript/README.stap-server
%files sdt-devel
%defattr(-,root,root)
@ -380,25 +474,26 @@ exit 0
%files initscript
%defattr(-,root,root)
%{_sysconfdir}/init.d/systemtap
%{_sysconfdir}/rc.d/init.d/systemtap
%dir %{_sysconfdir}/systemtap
%dir %{_sysconfdir}/systemtap/conf.d
%dir %{_sysconfdir}/systemtap/script.d
%config(noreplace) %{_sysconfdir}/systemtap/config
%dir %{_localstatedir}/cache/systemtap
%dir %{_localstatedir}/run/systemtap
%doc initscript/README.initscript
%doc initscript/README.systemtap
%if %{with_grapher}
%files grapher
%defattr(-,root,root)
%{_bindir}/stapgraph
%{_datadir}/%{name}/*.glade
%endif
%changelog
* Wed Oct 21 2009 Josh Stone <jistone@redhat.com> - 1.0-2
- Fix three --unprivileged DOS issues (CVE-2009-2911)
* Mon Dec 21 2009 David Smith <dsmith@redhat.com> - 1.1-1
- Upstream release.
* Tue Sep 22 2009 Josh Stone <jistone@redhat.com> - 1.0-1
- Upstream release.