Differential D27236
Retrieve LOCALBASE with getlocalbase() Authored by se on Nov 16 2020, 11:47 AM. Tags None Referenced Files
Subscribers
Details
This is a different implementation of getlocalbase() than the one that has been reverted by Scott Long in SVN rev. r367711 Instead of a user provided buffer and calling conventions that require error checks, this version always returns a pointer to a valid string that is suitable as LOCALBASE path (but not validated). Build libutil with these patches
Diff Detail
Event Timeline
Comment Actions The user.localbase sysctl seems like a poor design, and doesn't exist at the moment. That needs to be resolved before this change is committed.
Comment Actions The advantage of the sysctl design (once you fix the not going to into the kernel for all user. sysctl) is (a) sysctl can get this value for shell scripts and (b) you can have different, per-jail values and (c) you can make it a tunable to avoid the recompile the world to change issue. the disadvantage is that we have to fix libc to not use compiled-in user.* values which effectively negates all the usual advantages of a sysctl. This could be avoided by selecting a different sysctl name space to use, though it's a poor fit to any of the others. The advantage of getconf is that it doesn't require we fix the user namespace in sysctl and there's a program that can be used to retrieve it. However, sysconf() has to get the value from $SOMEWHERE and there's no way to make the value come from a config file to make it per-jail, which gets us back to the 'recompile the world' or at least a part thereof, to change it issue. The advantage of just the env var is that it's simple and direct. However, setuid programs can't trust env values and there's no good central place to set it (though if there were, it would easily generalize into being jail friendly). This poor fit motivated the addition of sysctl in the first place.
Comment Actions The user.localbase sysctl exists in -CURRENT since SVN rev. 367179.
I have updated libc to still support the R/O user variables while supporting additional R/W variables like user.localbase in the kernel.
There is nothing to be fixed - it has been in -CURRENT for more than 2 weeks.
The env variable LOCALBASE has been supported for this purpose by a (small) number of programs. The getlocalbase() function simplifies the access to this env variable, allows to set a system-wide (possibly jail-wide) override and returns a sane default to reduce the number of checks that need to be performed by the caller.
Comment Actions Updated diff with an alternate implementation that does not include a static buffer of length MAXPATHLEN. I want to preserve the non-failing semantics of this functions, to make it safe to use without error checks in the caller. An attempt is made to prevent a memory leak in the case of a parallel execution of this function in multiple threads. I do prefer the version with the static buffer because of its simplicity. It adds 1 KB to the bss of the about 200 programs in base that are linked with libutil (but see below). I do assume (without checking) that the bss of dynamic libraries is allocated independently for each library (not pooled with the bss of the program). Version with static buffer: $ size /usr/lib/libutil.so text data bss dec hex filename 72986 3120 7952 84058 1485a /usr/lib/libutil.so Version with malloc(): $ size /usr/lib/libutil.so text data bss dec hex filename 73082 3120 6944 83146 144ca /usr/lib/libutil.so
Comment Actions Hans Petter Selasky suggested the use of a constructor, something that I had not thought about at all ... This makes us depend on a compiler that supports __attribute ((constructor)), but that has been in GCC for more than a decade and is provided in a compatible way in CLANG, too. The resulting code is quite simple and brings does not require allocation of a static buffer: $ size /usr/lib/libutil.so text data bss dec hex filename 73122 3128 6928 83178 144ea /usr/lib/libutil.so If malloc() fails, the compiled in default value is returned, which should be a safe default even on systems that have a different LOCALBASE (since non-privileged users should not be able to create files in /usr/local). Comment Actions Looks good to me. I hope it does not affect the performance of any apps, that are launched frequently. Comment Actions Yes, I had thought about this but then forgotten to mention it in the comment to that version. This is the only drawback of this approach ... But you cannot have both, an on-demand invocation and guaranteed single invocation in a threaded process. Comment Actions If you ktrace a regular application starting up you already see a lot of system calls, so I think adding one more is fine. Comment Actions MIght be we also need a destructor to free the memory, if any, to make valgrind happy. Comment Actions Except there's many efforts to reduce this. At present, this function is called by a tiny number of binaries, so I'd rather have any overhead be limited to those programs that use it. honestly, I think we're through the looking glass with this discussion... Comment Actions I could add a destructor, but this would complicate the code just to make a test tool happy ... I'd need 2 temporary pointers then, one for getenv() - not to be freed - and one for sysctl. If there is strong demand, I'll add the destructor. Comment Actions +1 We don't want to saddle every program that links libutil with a constructor like this. Instead, construct on demand. This could be relatively trivial: drop the ctor attribute, and instead: getlocalbase(void)
{
static bool inited = false;
if (!inited) {
initlocalbase();
inited = true;
}
return (foo);
}That said, I still think this design is broken and a bad idea. Comment Actions There's no benefit from optimizing this at all. None. This is called once, maybe twice in a few programs. The added complexity isn't worth the maint hassles, nor the added risk from there being an 'oops' in the code leading to some security hole. Comment Actions This affects only programs that link against libutil, some 200 of 1000 programs in base.
There is either a statically allocated 1KB buffer or 2 system calls at start-up, or we go back to the 2nd version I suggested (with malloc, but before the one with the constructor). We could easily change the implementation (given the call signature is kept) without problem for programs converted to use getlocalbase(). Comment Actions I had suggested 2 versions that did not rely on a constructor, before.
This is similar to my 2nd suggested version.
Why is it a bad idea? A version that used a caller-provided buffer has been reverted after a number of iterations to get its details right. This version is trivial to use in programs that already use getenv("LOCALBASE") to retrieve a user-supplied path, and this is a common pattern, see D27237 for the required patches and compare with the reverted once that used the prior function signature of the reverted implementation. Comment Actions Since neither the statically allocated 1024 char buffer nor the version with the constructor has made the reviewers happy, I'm going back to the 2nd proposed version, which does only perform system calls when this function is actually called and allocates a minimally sized buffer only when necessary to hold the sysctl result. Overlapping invocation in multi-threaded programs is possible and will return a correct result, but might leak the heap memory allocated in one of the threads, in the worst case (and only on systems that have a non-default user.localbase sysctl value). Calling this function from within threads is not really useful (the initialization should happen in the main thread) and not relevant for any of the programs that have been prepared to call this function. If there are no strong objections, I'm going to commit this version and its invocations as offered for review in D27237. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||