plash (1.17-1) unstable; urgency=low * Debian packaging changes: * Improve Debian build scripts for building with pbuilder under etch. * Use debhelper more. * Add branches of "debian" for building under Debian sarge and Ubuntu edgy. * Put glibc source in a separate package, so that glibc tarball is put under /usr/src. * Add Python bindings. Add Python implementation of pola-run. * glibc version: * Switch to using glibc 2.3.6 for Debian etch. * Also allow building with glibc 2.4 and 2.5. This is only partial support. The *at() functions are not properly implemented yet. * Refactored libc linking trickery. Use macros instead of special EXPORT comments to declare functions to export from libc. * Implement lchmod() in libc and fs_op. * Add partial implementation of chown()/lchown(): Succeeds when no owner/group change is requested. * Intercept getsockopt() so that uid/gids can be faked for SO_PEERCRED case. * Fix getcwd() to pass glibc's io/tst-getcwd test case. getcwd(NULL, size) when size>0 now returns an error if size is not large enough. * libpthread.so's close() function is now intercepted correctly. * pola-run: Logging: * Add --log-file option. * Changes to logging format. * Bug fix: change mk_printf() to use vasprintf() instead of vsnprintf() (fixes segfault on long filenames to exec). * pola-run: Add --server-as-parent option. * pola-run: Now looks up executable name in PATH, unless --no-search-path (a new option) is given. * pola-run, pola-shell: Add environment variables for changing the jail program from run-as-anonymous. This is used for running the test suite without installing Plash. * pola-run: Bug fix: Ensure that -t grants read-only access when "w" flag is not given * pola-run: Add -e option. * In source, use integer #define'd methods IDs instead of 4 character strings. * Change return message ID for some methods. Only use METHOD_OKAY for results containing no arguments. * fs_op: Remove now-unused FD slot argument from "exec" method. (ld-linux.so.2 takes the filename of the executable not a FD.) * Fix building Plash with gcc 4.0. Fixed use of weak symbols. Fixed some warnings. Now default to building Plash with gcc 4.0. * exec-object.c: Sets cwd instead of leaving it undefined. * shell.c: For executable objects, use debug message "sending cwd argument" instead of "cwd set successfully". * Add cow_dir object. Only usable via Python bindings so far. -- Mark Seaborn Fri, 22 Dec 2006 11:39:57 +0000 plash (1.16) unstable; urgency=low * Overhaul documentation, combining the Web site and docs into one. Now only use DocBook for the man pages. Add examples, screenshots, etc. * Added autoconf script (configure.in). This is used for locating gcc and for setting the glibc object files directory. Note that we do not use automake. * tests: new directory, containing test cases. * libc-comms.c, libc-misc.c: add PLASH_LIBC_DEBUG environment variable. * pola-shell.c: Command lists don't have to end with ';'. Command line now accepts command lists as well as individual commands. * Fix bug found by Thomas Leonard: exec-object was failing to change the namespace used by the processes it launched. * exec-object.c: Fix to check for error code from install_fds(). Since previous libc changes, dup2() can fail (refusing to clobber connection socket FD), so install_fds() could fail too. * libc-comms.c: plash_libc_reset_connection() now allows close() and dup2() to clobber connection socket FD. * powerbox.c, gtk-powerbox.c: Add support for WM_TRANSIENT_FOR hint. * gtk-powerbox.c, gtk-powerbox-noninherit.c: Fix handling of cancel case. * gtk-powerbox.c, gtk-powerbox-noninherit.c: Created new version of our GtkFileChooserDialog class that inherits from GtkDialog and suppresses the opening of a window by implementing the "map" method. New version is in gtk-powerbox.c; old version has been renamed to gtk-powerbox-noninherit.c. * filesysobj-real.c: Added code to fix symlink-related race conditions. However, it cannot be used in all cases. * real_file_socket_connect(): Added case that works by hard linking the Unix domain socket into a directory in /tmp. This only works if the socket is on the same device as /tmp. This new code has been #if'd out since it can't be used in all cases. * Wrote a test case for exploiting the race condition. * real_file_chmod(): Added case that uses open() and fchmod() instead of chmod(). Unfortunately, this will not work if read permission is not already enabled for the file. New code is therefore #if'd out. * real_file_utimes(): Now use open() and futimes() instead of utimes(). (This new code *is* enabled.) * Transforms.pm: new file. * XXMLParse.pm: Add >> quoting syntax. * pola-run.c: Set up the PLASH_FAKE_{E,}[UG]ID environment variables (as shell.c does). * pola-run.c: Executable filename is now resolved in callee's namespace. This makes sense since ld-linux.so.2 will interpret the filename in the callee's namespace (since removal of "--fd" option in 1.13). No cwd is used for resolving this. -- Mark Seaborn Wed, 15 Mar 2006 20:27:40 +0000 plash (1.15) unstable; urgency=low * Add gtk-powerbox.c: an LD_PRELOADed patch to Gtk to replace the GtkFileChooserDialog interface so that it calls Plash's powerbox. * Rename "plash" executable to "pola-shell". * fs-operations.c: Add log method. Add an "end" log message when the fs_op object is dropped. * gettextization * make.sh: Add "-Wl,-z,relro" when linking ld.so. Fixes obscure problem when dlopen()ing libraries that might require an executable stack. * Intercept getsockname() so that it returns the correct pathname for Unix domain sockets. Extended the g_fds array in libc so that it can contain these pathnames. It is now an array of "struct libc_fd"s, rather than an array of "cap_t"s. libc-fds.h: New file. libc-misc.c: Introduced fds_resize(), fds_slot_clear(). Changed open(), close(), dup2(), etc. libc-connect.c: Add getsockname() and change connect() and bind(). * Reason: I discovered that gconfd2 (or possibly Orbit) was relying on getsockname() returning the pathname that it earlier passed to bind(). This meant that Gnumeric was unable to spawn a gconf process itself, and it produced loads of errors. * fs-operations.c, libc-misc.c: Fixed fstat() to return the correct information on directory FDs. Added the fsop_dir_fstat method to implement this. * build-fs-dynamic.c: Implement link() and rename() methods. This is needed for when GNOME and KDE apps hard link files inside $HOME. * filesysobj-real.c: Changes to allow rename and hard link calls of the form rename("dir/foo1", "dir/foo2") to work. * The problem: The real_dir_rename and real_dir_link methods only work in the same-directory case; their test was a pointer comparison on real_dir objects. However, resolving a directory pathname like "dir" always returns a new real_dir object. This meant that the rename() call wouldn't work when you use full pathnames. * This was causing some failures. eg. Konqueror wouldn't start: some code relied on creating "$HOME/.ICEauthority-l" as a hard link to "$HOME/.ICEauthority-c". * The partial solution: Change the same-directory check to compare inode and device number of directory, after trying a pointer comparison. -- Mark Seaborn Tue, 6 Dec 2005 21:21:55 +0000 plash (1.14) unstable; urgency=low * Add powerbox: powerbox.[ch], powerbox-req.c, powerbox.el. Changed pola-run.c to add --powerbox option etc. * cap-protocol.c: Add support for using glib, so that its event loop can be subsumed into glib's event loop, and we can use Gtk. * libc-misc.c: Now intercept the dup2() call. * I was going to handle close() and dup2() on the comm socket FD by relocating the comm socket to another FD number, but this turned out not to be a good idea (so the code is #if'd out). cap-protocol.c: Add cap_relocate_fd(). * That's because libc.so cannot relocate the FD by itself. It would need to be able to tell ld.so (but it has no way to). Really, the application should have control over which FD number is used, and I make use of that elsewhere. * So instead, dup2() and close() now just refuse the clobber the socket FD. * Replace use of ld-linux.so.2's --library-path argument with use of the LD_LIBRARY_PATH environment variable. Change run-as-anonymous to take extra arguments for setting environment variables. This is needed because run-as-anonymous runs setuid, and this causes the dynamic linker to unset LD_LIBRARY_PATH, so this needs to be restored. Changed shell.c, pola-run.c, fs-operations.c. * shell.c: Change some cases to use format strings -- the beginnings of gettext support. * pola-run.c: Now export fs_op_maker object to the application. * libc-misc.c: Change statfs(). Provide a way to fake the amount of free space by setting the PLASH_FAKE_STATFS_AVAIL environment variable. This was needed to make the Firefox installer run. -- Mark Seaborn Wed, 9 Nov 2005 21:07:41 +0000 plash (1.13) unstable; urgency=low * Big changes to build process, so that I can distribute pre-built glibc object files to make Plash easier to built from source. Changes to build with glibc 2.3.5 (instead of 2.3.3). Use libc_pic.a instead of individual object files. * Remove glibc patch for getting ld.so to accept a "--fd" option. fs-operations.c: Change exec_for_scripts() to return a filename, not an FD. shell.c: Change command_invocation_sec(); uses new function, args_to_exec_elf_program(). pola-run.c Change the fsop_exec method so that it doesn't have to return an FD. * fs-operations.c: change handling of METHOD_FSOP_EXEC. (FD case removed.) * libc-fork-exec.c: changed to handle no-FD-returned case. (I'll leave the FD case in for now.) * pola-run.c: Bug fixes. Add the "--log" option. -- Mark Seaborn Thu, 6 Oct 2005 22:00:00 +0100 plash (1.12) unstable; urgency=low * Added pola-run.c. * libc.map, libc-fork-exec.c: Add plash_libc_kernel_execve. Remove the version PLASH_GLIBC: this causes problems now that I want to have weak links to plash_libc_* symbols. In this case, the linker still puts the symbol PLASH_GLIBC into the executable, which is no good. * Install a statically-linked copy of run-as-anonymous inside the chroot jail. This uses a different path for "plash-uid-locks" and doesn't call chroot(). This is compiled using dietlibc (with a glibc fallback). * make.sh: Corrected the build of libc.so and ld.so to link Plash's libc-getuid.os with the real gete[ug]id.os. Before, they were mapping geteuid() to new_geteuid(), causing an infinite loop when PLASH_FAKE_EUID wasn't defined, exhausting the stack. Discovered this when writing plash-exec, which was not setting PLASH_FAKE_EUID. * run-as-anonymous.c and gc-uid-locks.c: Fixed race conditions. They now use flock() on a lock file. In addition, gc-uid-locks re-checks the process list that it gets by listing the contents of /proc (a non-atomic operation) to ensure that it is consistent. There is still a small possibility that it could get an inconsistent list, which could cause it to miss a process. * The following libraries are now included. I discovered this problem when upgrading Debian to glibc 2.3.5: its libm.so was getting used by programs under Plash, but it's not compatible with Plash's 2.3.3 glibc. math/libm.so hesiod/libnss_hesiod.so resolv/libanl.so locale/libBrokenLocale.so linuxthreads_db/libthread_db.so malloc/libmemusage.so debug/libSegFault.so debug/libpcprofile.so -- Mark Seaborn Mon, 19 Sep 2005 21:32:37 +0100 plash (1.11) unstable; urgency=low * Add run-emacs.c and plash-gnuserv.el: major new feature. * Converted man pages and other documentation to DocBook format. Created new surface syntax for XML. * shell.c: Fixed bugs in non-interactive mode (which is used when plash is invoked with the "-c" option) so that it works. * Add socket-connect.c * Add socket-publish.c. Changed cap-protocol.[ch] to add a new interface for listening on connections, which allows you to call select() in your own code so that you can wait for events on other file descriptors. * fs-operations.c: Disable the warning about open()ing directories. Now that fchdir() works it's less relevant. It generates too many warnings with XEmacs and it gets annoying. * build-fs.c: Changed the `create' argument of fs_resolve_populate() into a `flags' argument. * You can now control whether to attach the destination as a read-write-create slot, as a read-write object, or as read-only. The second choice was not available before: this is useful for devices (eg. /dev/null) and sockets (eg. /tmp/.X11-unix/X0) when you want to grant write or connect access, but not unlink/create access. * Following symlinks: When attaching a read-write-create slot, if the slot contains a symlink it will be followed. Note, however, that symlinks are dangerous and so there is now a flag for choosing whether to follow symlinks. (However, the shell doesn't give you a choice yet -- it follows symlinks.) * build-fs-dynamic.c: Changed dir_list method to include dt_ino (inode) and dt_type fields. XEmacs won't display directory listings for filename completion without these. * shell.c: Added checks for errors to calls to fs_resolve_populate(). * shell.c: When invoking an executable object, it will now set the cwd argument appropriately (previously, it was always unset). -- Mark Seaborn Sat, 13 Aug 2005 19:43:19 +0100 plash (1.10) unstable; urgency=low * Implemented fchdir(): * Convert `struct dir_stack' to be a `struct filesys_obj'; ie. added a dummy vtable. Add the function dir_stack_make(). * For the case when open() returns a dummy FD, changed it so that the fs_op object (in the server) opens /dev/null, rather than the libc client requesting /dev/null. This removes the need for the client's file namespace to contain /dev/null, and it removes the risk of an infinite loop if /dev/null should be mapped to a directory. * libc-misc.c: Added fchdir(). Added a file descriptor table which maps file descriptor slot numbers to objects. For directory FDs, these objects will be dir_stacks. Added close(), not previously intercepted by Plash, which will now remove an entry from the table as well as closing the real kernel FD. * fs-operations.c: Added fchdir() case. * libc-misc.c: Moved duplicated error handling code into one function. -- Mark Seaborn Tue, 19 Jul 2005 22:46:31 +0100 plash (1.9) unstable; urgency=low * Use /var/lib/plash-chroot-jail rather than /usr/lib/plash-chroot-jail. It contains plash-uid-locks which needs to be writable. For FHS compliance, this needs to go into /var. * fs-operations.c: Convert main dispatch function to use a switch statement rather than a long series of tests. List method IDs in make-marshal.pl and use macros to refer to them. * chroot.c, exec-object.c: simplify by making them use get_process_caps() (which was introduced for plash-opts) * build-fs.c: New code: having constructed the node filesystem structure, there is a new way of turning it into a usable directory structure. The old way was to copy it to create fabricated directories. Now there is a new kind of fabricated directory which references the original node structure. This has two useful properties over the old way: * New stuff can be added into the directory tree dynamically. * There are "combined" fabricated directories, which are like a union with a real directory. Hence you can attach objects below other attached directories. This provides functionality similar to mount points in Linux or Plan 9. (The difference is that Linux mount points are implemented in terms of the identity of directories -- their inode numbers -- whereas combined fab dirs follow the structure. And mount points only work with directories and can only replace existing directories. Combined fab dirs can provide their own structure.) Split code out into build-fs-static.c (old) and build-fs-dynamic.c (new). Merge attach_ro_obj and attach_rw_slot fields of node. Fix potential leak when symlink_dest is overwritten (similar fix for the attach_slot field). * libc-getuid.c: Add no-ops: set{,e,re,res}{u,g}id, which always return a success result. This is necessary to run programs like `mkisofs' and `make' which do pointless UID operations. * comms.c: Fixed bug in comm_resize that could lead to buffer overruns. * shell.c: Add default installation endowment to namespace first, so that it can be overridden. -- Mark Seaborn Sat, 09 Jul 2005 19:37:09 -0400 plash (1.8) unstable; urgency=low * Add man pages (using Perl's POD format). * Swapped the precedences of "+" and "=>" arglist operators. "=>" now binds more tightly than "+". * Changed packaging and build system so that glibc can be built fully automatically. * fs-operations.c, libc-misc.c: open() now has limited functionality for opening directories. It will return a dummy FD (actually for /dev/null). This means you can call close() on it; this is sufficient to run XEmacs. * Added the "Gobj" method to fs-operations.c. Changed resolve_obj() in resolve-filename.c so that it treats objects as files as a fallback, even if they don't return OBJT_FILE. This enables us to attach things like the options object into the filesystem tree, so that we can pass them as arguments with the shell's "/x=EXPR" syntax. * Moved shell.c's Gtk code into shell-options.c, which is for a separate executable. Added an object to the shell for getting and setting options; it is bound to the variable "options". * The shell will now give a warning about running setuid/gid executables, just as the server does (the code is now shared). Also, if opening an executable fails because its read permission was not set, it gives a warning (to explain this difference from Unix). * Added a warning message, printed by the server, when a process tries to use open() on a directory. XEmacs does this. -- Mark Seaborn Sun, 15 May 2005 14:44:56 -0400 plash (1.7) unstable; urgency=low * Added `Pgid' parameter to exec object invocation. * Changed cap_run_server() so that it exits when there are no exports, not when the connection list is empty. If imports remain, gives a warning. * Added vtable_name to filesys_obj vtable for debugging purposes. * Added environment to the shell state and implemented variable expressions and finished `def' bindings. * Added `mkfs' expression. * Added d_conn to shell.c and change the code to use it. This is a more general way of starting a server, but the generalisation turned out not to be necessary. * shell.c runs gc-uid-locks on startup. * shell.c now creates a single server process on startup. * Add reconnectable-obj.[ch] * Merged filesys_slot objects into filesys_obj. The purpose of this was to allow slots to be passed between processes in order to construct filesystems on another server, but this turned out not to be immediately necessary. * Add methods: make_conn * Add log-proxy.[ch] * Add make-vtables.pl * Add make-marshall.pl * filesys_obj_free() now changes the vtable to one whose functions do assert(0) before freeing the object, to catch uses of freed objects. -- Mark Seaborn Sun, 01 May 2005 16:45:28 -0400 plash (1.6) unstable; urgency=low * Added the "pathname=expr" syntax to the shell. Added "F pathname" expression syntax for resolving pathnames. Binding a pathname uses an addition to build-fs.c, attach_at_pathname(). * shell.c: factored a lot of code into separate functions. Added "def x = EXPR" binding command, and added a "capcmd" expression. Extended `server_desc' so that the server can import capabilities from one connection, and export the imported capabilities on another connection. This is used for the return continuation that cap_cmd passes from the shell to the client (via the forked server). * Added marshalling for the `type' and `stat' methods. * Added gcc-object.c/exec-object.c. * Added filesysobj-union.c: provides recursive union directories. * Change the directory `list' method to return number of entries. Change `list' in filesysobj-real.c to use cbuf to return data (much more space efficient). * Fixed fork() so that libc's connection info is properly reinitialised. * Add object version of `exec': modified fs-operations.c and libc-fork-exec.c. * Add serialise.[ch]. The exec call has been partially changed to use these. * Change cap_invoke and cap_call so that they take (and return) values in `struct cap_args', rather than taking loads of arguments. Added cap-utils.c. * fs-operations.c: add warning to exec call about setuid bit not being honoured. -- Mark Seaborn Tue, 18 Jan 2005 13:45:18 +0000 plash (1.5) unstable; urgency=low * Updated protocols.txt to cover object-capability protocol, conn_maker and fs_op_maker. * Created `chroot' program as a test and example. * Introduced conn_maker and fs_ops_maker objects. Change the shell to start processes with references to these. Rename COMM_FD to PLASH_COMM_FD and introduce PLASH_CAPS; libc now reads these to find the indexes of its capabilities, rather than just using index 0. Introduce `copy' method to fs_ops. Change fork() to use this instead of fs_op's fork method. * build-fs.c: now uses read-only proxies. Changed the resolver so that `.' and `/' can be attached as writable. * Added filesysobj-readonly.c: provides read-only proxies for filesystem objects. One proxy type is sufficient to handle files, directories and symlinks. * cap-protocol.c: Fix uses of stale connection references. remote_obj_invoke() now correctly frees its arguments for broken connections, so calls to broken connections will return an error. -- Mark Seaborn Fri, 7 Jan 2005 15:32:16 +0000 plash (1.4) unstable; urgency=low * Implemented an object-capability protocol for use over sockets. This is another layer that I have put between the existing filesystem requests and the comms.c layer. It allows references to objects to be transferred. It's symmetric: the core protocol does not distinguish between the client and the server. The ability to transfer references is not used yet, but in the future it will provide a way for applications to construct filesystem structures on the server. A C API will be provided to do this. -- Mark Seaborn Mon, 3 Jan 2005 22:42:21 +0000 plash (1.3) unstable; urgency=low * Implemented FD redirection in the shell. * Implemented rename() and link() for the same-directory case. (The cross-directory case is trickier, 1. because it's hard to do under Unix without race conditions in the presence of symlinks, and 2. it's complicated by directory proxy objects.) * Improved one-line logging in the server. Every call to the server now produces a log line (though some are not fully filled out). * Implemented bind(). * Implemented symlink() and utime()/utimes(). * Changed getuid() and getgid() so that they can take the uid/gid from the environment variables PLASH_FAKE_UID/GID. Some programs cannot cope when they have a uid that does not have an entry in /etc/passwd. * Added run-as-anonymous. * Implemented globbing in the shell. Pathnames now have structure in the grammar; their components are separated by the parser. When a pathname doesn't contain any wildcards, it is converted back into a string. It is canonicalised in the process; duplicate '/'s are collapsed. * Fixed FD leak: the fabricated directory structure is now freed. -- Mark Seaborn Wed, 29 Dec 2004 17:10:41 +0000 plash (1.2) unstable; urgency=low * Added support for `#!' scripts (to both the shell and the server). * Add the ability to run programs conventionally with the `!!' prefix. * Add pipes. * Fix bug in server that caused it to ignore processes when there are multiple processes. * Added options window that can be used to turn debugging output on. Can be opened using the "opts" command. * Build libpthread.so so that it doesn't contain filesystem syscalls. The relevant functions are now forwarded to libc.so. * Remove glibc's io/open64.os from the link. This includes a syscall, but didn't in an earlier glibc. This is a rather embarrassing bug because it shows I didn't do much testing -- even cat uses open64(). -- Mark Seaborn Fri, 17 Dec 2004 04:15:08 +0000 plash (1.1) unstable; urgency=low * Added job control. -- Mark Seaborn Fri, 10 Dec 2004 04:15:08 +0000 plash (1.0) unstable; urgency=low * Initial release. -- Mark Seaborn Thu, 2 Dec 2004 04:15:08 +0000