parent
23d00c2c94
commit
70fe5c372d
@ -1 +1 @@
|
||||
SOURCES/pcp-5.3.7.src.tar.gz
|
||||
SOURCES/pcp-6.0.1.src.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
a0a05bf501b016cb859fb211ae60ce18be2bbd99 SOURCES/pcp-5.3.7.src.tar.gz
|
||||
4f405e26a6c651b2f094134e0648cd5fd201d310 SOURCES/pcp-6.0.1.src.tar.gz
|
||||
|
@ -1,459 +0,0 @@
|
||||
diff --git a/qa/1927 b/qa/1927
|
||||
new file mode 100755
|
||||
index 000000000..46afa9509
|
||||
--- /dev/null
|
||||
+++ b/qa/1927
|
||||
@@ -0,0 +1,88 @@
|
||||
+#!/bin/sh
|
||||
+# PCP QA Test No. 1927
|
||||
+# Exercise the sockets PMDA Install/Remove and string metric bug.
|
||||
+#
|
||||
+# Copyright (c) 2022 Red Hat. All Rights Reserved.
|
||||
+#
|
||||
+
|
||||
+seq=`basename $0`
|
||||
+echo "QA output created by $seq"
|
||||
+
|
||||
+# get standard environment, filters and checks
|
||||
+. ./common.product
|
||||
+. ./common.filter
|
||||
+. ./common.check
|
||||
+
|
||||
+[ -f $PCP_PMDAS_DIR/sockets/pmdasockets ] || _notrun "sockets pmda not installed"
|
||||
+
|
||||
+_cleanup()
|
||||
+{
|
||||
+ cd $here
|
||||
+ $sudo rm -rf $tmp $tmp.*
|
||||
+}
|
||||
+
|
||||
+status=0 # success is the default!
|
||||
+$sudo rm -rf $tmp $tmp.* $seq.full
|
||||
+
|
||||
+_filter_sockets()
|
||||
+{
|
||||
+ grep -v 'No value(s) available'
|
||||
+}
|
||||
+
|
||||
+pmdasockets_remove()
|
||||
+{
|
||||
+ echo
|
||||
+ echo "=== remove sockets agent ==="
|
||||
+ $sudo ./Remove >$tmp.out 2>&1
|
||||
+ _filter_pmda_remove <$tmp.out
|
||||
+}
|
||||
+
|
||||
+pmdasockets_install()
|
||||
+{
|
||||
+ # start from known starting points
|
||||
+ cd $PCP_PMDAS_DIR/sockets
|
||||
+ $sudo ./Remove >/dev/null 2>&1
|
||||
+
|
||||
+ echo
|
||||
+ echo "=== sockets agent installation ==="
|
||||
+ $sudo ./Install </dev/null >$tmp.out 2>&1
|
||||
+ cat $tmp.out >>$here/$seq.full
|
||||
+ # Check sockets metrics have appeared ... X metrics and Y values
|
||||
+ _filter_pmda_install <$tmp.out \
|
||||
+ | sed \
|
||||
+ -e 's/[0-9][0-9]* warnings, //' \
|
||||
+ | $PCP_AWK_PROG '
|
||||
+/Check network.persocket metrics have appeared/ {
|
||||
+ if ($7 >= 50 && $7 <= 99) $7 = "X"
|
||||
+ if ($10 >= 0) $10 = "Y"
|
||||
+ }
|
||||
+ { print }'
|
||||
+}
|
||||
+
|
||||
+_prepare_pmda sockets
|
||||
+# note: _restore_auto_restart pmcd done in _cleanup_pmda()
|
||||
+trap "_cleanup_pmda sockets; exit \$status" 0 1 2 3 15
|
||||
+
|
||||
+_stop_auto_restart pmcd
|
||||
+
|
||||
+# real QA test starts here
|
||||
+pmdasockets_install
|
||||
+
|
||||
+# pmcd should have been started by the Install process - check
|
||||
+if pminfo -v network.persocket > $tmp.info 2> $tmp.err
|
||||
+then
|
||||
+ :
|
||||
+else
|
||||
+ echo "... failed! ... here is the Install log ..."
|
||||
+ cat $tmp.out
|
||||
+fi
|
||||
+cat $tmp.info $tmp.err | _filter_sockets
|
||||
+
|
||||
+echo "Check the values for v6only metric are 0 or 1 ..."
|
||||
+pminfo -f network.persocket.v6only | egrep -v 'value [01]$' | sed -e '/^$/d'
|
||||
+
|
||||
+pmdasockets_remove
|
||||
+status=0
|
||||
+
|
||||
+# success, all done
|
||||
+exit
|
||||
diff --git a/qa/1927.out b/qa/1927.out
|
||||
new file mode 100644
|
||||
index 000000000..2ae4385fd
|
||||
--- /dev/null
|
||||
+++ b/qa/1927.out
|
||||
@@ -0,0 +1,17 @@
|
||||
+QA output created by 1927
|
||||
+
|
||||
+=== sockets agent installation ===
|
||||
+Updating the Performance Metrics Name Space (PMNS) ...
|
||||
+Terminate PMDA if already installed ...
|
||||
+[...install files, make output...]
|
||||
+Updating the PMCD control file, and notifying PMCD ...
|
||||
+Check network.persocket metrics have appeared ... X metrics and Y values
|
||||
+Check the values for v6only metric are 0 or 1 ...
|
||||
+network.persocket.v6only
|
||||
+
|
||||
+=== remove sockets agent ===
|
||||
+Culling the Performance Metrics Name Space ...
|
||||
+network.persocket ... done
|
||||
+Updating the PMCD control file, and notifying PMCD ...
|
||||
+[...removing files...]
|
||||
+Check network.persocket metrics have gone away ... OK
|
||||
diff --git a/qa/group b/qa/group
|
||||
index acfc5d208..846c0c4bd 100644
|
||||
--- a/qa/group
|
||||
+++ b/qa/group
|
||||
@@ -1967,6 +1967,7 @@ x11
|
||||
1901 pmlogger local
|
||||
1902 help local
|
||||
1914 atop local
|
||||
+1927 pmda.sockets local
|
||||
1937 pmlogrewrite pmda.xfs local
|
||||
1955 libpcp pmda pmda.pmcd local
|
||||
1956 pmda.linux pmcd local
|
||||
diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
|
||||
index d10eacf29..5a3018d8a 100644
|
||||
--- a/src/pmdas/linux_sockets/pmda.c
|
||||
+++ b/src/pmdas/linux_sockets/pmda.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Sockets PMDA
|
||||
*
|
||||
- * Copyright (c) 2021 Red Hat.
|
||||
+ * Copyright (c) 2021-2022 Red Hat.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@@ -14,6 +14,7 @@
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
+#include <ctype.h>
|
||||
#include "pmapi.h"
|
||||
#include "pmda.h"
|
||||
|
||||
@@ -147,6 +148,31 @@ sockets_fetchCallBack(pmdaMetric *metric, unsigned int inst, pmAtomValue *atom)
|
||||
return PMDA_FETCH_STATIC;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Restrict the allowed filter strings to only limited special
|
||||
+ * characters (open and close brackets - everthing else can be
|
||||
+ * done with alphanumerics) to limit any attack surface here.
|
||||
+ * The ss filtering language is more complex than we ever want
|
||||
+ * to be attempting to parse ourself, so we leave that side of
|
||||
+ * things to the ss command itself.
|
||||
+ */
|
||||
+int
|
||||
+sockets_check_filter(const char *string)
|
||||
+{
|
||||
+ const char *p;
|
||||
+
|
||||
+ for (p = string; *p; p++) {
|
||||
+ if (isspace(*p))
|
||||
+ continue;
|
||||
+ if (isalnum(*p))
|
||||
+ continue;
|
||||
+ if (*p == '(' || *p == ')')
|
||||
+ continue;
|
||||
+ return 0; /* disallow */
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
sockets_store(pmResult *result, pmdaExt *pmda)
|
||||
{
|
||||
@@ -165,9 +191,14 @@ sockets_store(pmResult *result, pmdaExt *pmda)
|
||||
case 0: /* network.persocket.filter */
|
||||
if ((sts = pmExtractValue(vsp->valfmt, &vsp->vlist[0],
|
||||
PM_TYPE_STRING, &av, PM_TYPE_STRING)) >= 0) {
|
||||
+ if (sockets_check_filter(av.cp)) {
|
||||
+ sts = PM_ERR_BADSTORE;
|
||||
+ free(av.cp);
|
||||
+ break;
|
||||
+ }
|
||||
if (ss_filter)
|
||||
free(ss_filter);
|
||||
- ss_filter = av.cp; /* TODO filter syntax check */
|
||||
+ ss_filter = av.cp;
|
||||
}
|
||||
break;
|
||||
default:
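Review bot: The new guard in sockets_store looks inverted: sockets_check_filter returns 1 when every character is allowed and 0 ("disallow") otherwise, yet `if (sockets_check_filter(av.cp))` sets PM_ERR_BADSTORE on the non-zero result. As written, a filter made only of alphanumerics, whitespace and brackets is rejected, while a string containing any other character is stored in ss_filter, which is the opposite of what the comment above the helper describes. The condition should read `if (!sockets_check_filter(av.cp)) {`. In the helper itself, `isspace(*p)` and `isalnum(*p)` receive a plain char; casting to `(unsigned char)*p` avoids undefined behaviour for bytes above 0x7f. sockets_store starts and ends outside this hunk, and this patch file appears to be dropped in favour of the 6.0.1 tarball, so the same lines are worth checking there.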
|
||||
diff --git a/src/pmdas/linux_sockets/ss_parse.c b/src/pmdas/linux_sockets/ss_parse.c
|
||||
index 94c5e16e9..9f3afc691 100644
|
||||
--- a/src/pmdas/linux_sockets/ss_parse.c
|
||||
+++ b/src/pmdas/linux_sockets/ss_parse.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2021 Red Hat.
|
||||
+ * Copyright (c) 2021-2022 Red Hat.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@@ -21,65 +21,70 @@ static ss_stats_t ss_p;
|
||||
/* boolean value with no separate value, default 0 */
|
||||
#define PM_TYPE_BOOL (PM_TYPE_UNKNOWN-1)
|
||||
|
||||
+/* helper macros to extract field address and size */
|
||||
+#define SSFIELD(str,type,f) {(str), (sizeof(str)-1), type, (&(f)), (sizeof(f))}
|
||||
+#define SSNULLFIELD(str) {(str), (sizeof(str)-1), PM_TYPE_UNKNOWN, NULL}
|
||||
+
|
||||
static struct {
|
||||
char *field;
|
||||
int len;
|
||||
int type;
|
||||
void *addr;
|
||||
+ int size;
|
||||
int found;
|
||||
} parse_table[] = {
|
||||
- { "timer:", 6, PM_TYPE_STRING, &ss_p.timer_str },
|
||||
- { "uid:", 4, PM_TYPE_U32, &ss_p.uid },
|
||||
- { "ino:", 4, PM_TYPE_64, &ss_p.inode },
|
||||
- { "sk:", 3, PM_TYPE_U64, &ss_p.sk },
|
||||
- { "cgroup:", 7, PM_TYPE_STRING, &ss_p.cgroup },
|
||||
- { "v6only:", 7, PM_TYPE_32, &ss_p.v6only },
|
||||
- { "--- ", 4, PM_TYPE_UNKNOWN, NULL },
|
||||
- { "<-> ", 4, PM_TYPE_UNKNOWN, NULL },
|
||||
- { "--> ", 4, PM_TYPE_UNKNOWN, NULL },
|
||||
- { "skmem:", 6, PM_TYPE_STRING, &ss_p.skmem_str, },
|
||||
- { "ts ", 3, PM_TYPE_BOOL, &ss_p.ts },
|
||||
- { "sack ", 5, PM_TYPE_BOOL, &ss_p.sack },
|
||||
- { "cubic ", 6, PM_TYPE_BOOL, &ss_p.cubic },
|
||||
- { "wscale:", 7, PM_TYPE_STRING, &ss_p.wscale_str },
|
||||
- { "rto:", 4, PM_TYPE_DOUBLE, &ss_p.rto },
|
||||
- { "rtt:", 4, PM_TYPE_STRING, &ss_p.round_trip_str },
|
||||
- { "ato:", 4, PM_TYPE_DOUBLE, &ss_p.ato },
|
||||
- { "backoff:", 8, PM_TYPE_32, &ss_p.backoff },
|
||||
- { "mss:", 4, PM_TYPE_U32, &ss_p.mss },
|
||||
- { "pmtu:", 5, PM_TYPE_U32, &ss_p.pmtu },
|
||||
- { "rcvmss:", 7, PM_TYPE_U32, &ss_p.rcvmss },
|
||||
- { "advmss:", 7, PM_TYPE_U32, &ss_p.advmss },
|
||||
- { "cwnd:", 5, PM_TYPE_U32, &ss_p.cwnd },
|
||||
- { "lost:", 5, PM_TYPE_32, &ss_p.lost },
|
||||
- { "ssthresh:", 9, PM_TYPE_U32, &ss_p.ssthresh },
|
||||
- { "bytes_sent:", 11, PM_TYPE_U64, &ss_p.bytes_sent },
|
||||
- { "bytes_retrans:", 14, PM_TYPE_U64, &ss_p.bytes_retrans },
|
||||
- { "bytes_acked:", 12, PM_TYPE_U64, &ss_p.bytes_acked },
|
||||
- { "bytes_received:", 15, PM_TYPE_U64, &ss_p.bytes_received },
|
||||
- { "segs_out:", 9, PM_TYPE_U32, &ss_p.segs_out },
|
||||
- { "segs_in:", 8, PM_TYPE_U32, &ss_p.segs_in },
|
||||
- { "data_segs_out:", 14, PM_TYPE_U32, &ss_p.data_segs_out },
|
||||
- { "data_segs_in:", 13, PM_TYPE_U32, &ss_p.data_segs_in },
|
||||
- { "send ", 5, PM_TYPE_DOUBLE, &ss_p.send }, /* no ':' */
|
||||
- { "lastsnd:", 8, PM_TYPE_U32, &ss_p.lastsnd },
|
||||
- { "lastrcv:", 8, PM_TYPE_U32, &ss_p.lastrcv },
|
||||
- { "lastack:", 8, PM_TYPE_U32, &ss_p.lastack },
|
||||
- { "pacing_rate ", 12, PM_TYPE_DOUBLE, &ss_p.pacing_rate }, /* no ':' */
|
||||
- { "delivery_rate ", 14, PM_TYPE_DOUBLE, &ss_p.delivery_rate }, /* no ':' */
|
||||
- { "delivered:", 10, PM_TYPE_U32, &ss_p.delivered },
|
||||
- { "app_limited ", 12, PM_TYPE_BOOL, &ss_p.app_limited },
|
||||
- { "reord_seen:", 11, PM_TYPE_32, &ss_p.reord_seen },
|
||||
- { "busy:", 5, PM_TYPE_U64, &ss_p.busy },
|
||||
- { "unacked:", 8, PM_TYPE_32, &ss_p.unacked },
|
||||
- { "rwnd_limited:", 13, PM_TYPE_U64, &ss_p.rwnd_limited },
|
||||
- { "retrans:", 8, PM_TYPE_STRING, &ss_p.retrans_str },
|
||||
- { "dsack_dups:", 11, PM_TYPE_U32, &ss_p.dsack_dups },
|
||||
- { "rcv_rtt:", 8, PM_TYPE_DOUBLE, &ss_p.rcv_rtt },
|
||||
- { "rcv_space:", 10, PM_TYPE_32, &ss_p.rcv_space },
|
||||
- { "rcv_ssthresh:", 13, PM_TYPE_32, &ss_p.rcv_ssthresh },
|
||||
- { "minrtt:", 7, PM_TYPE_DOUBLE, &ss_p.minrtt },
|
||||
- { "notsent:", 8, PM_TYPE_U32, &ss_p.notsent },
|
||||
+ SSFIELD("timer:", PM_TYPE_STRING, ss_p.timer_str),
|
||||
+ SSFIELD("uid:", PM_TYPE_U32, ss_p.uid),
|
||||
+ SSFIELD("ino:", PM_TYPE_64, ss_p.inode),
|
||||
+ SSFIELD("sk:", PM_TYPE_U64, ss_p.sk),
|
||||
+ SSFIELD("cgroup:", PM_TYPE_STRING, ss_p.cgroup),
|
||||
+ SSFIELD("v6only:", PM_TYPE_32, ss_p.v6only),
|
||||
+ SSNULLFIELD("--- "),
|
||||
+ SSNULLFIELD("<-> "),
|
||||
+ SSNULLFIELD("--> "),
|
||||
+ SSFIELD("skmem:", PM_TYPE_STRING, ss_p.skmem_str),
|
||||
+ SSFIELD("ts ", PM_TYPE_BOOL, ss_p.ts),
|
||||
+ SSFIELD("sack ", PM_TYPE_BOOL, ss_p.sack),
|
||||
+ SSFIELD("cubic ", PM_TYPE_BOOL, ss_p.cubic),
|
||||
+ SSFIELD("wscale:", PM_TYPE_STRING, ss_p.wscale_str),
|
||||
+ SSFIELD("rto:", PM_TYPE_DOUBLE, ss_p.rto),
|
||||
+ SSFIELD("rtt:", PM_TYPE_STRING, ss_p.round_trip_str),
|
||||
+ SSFIELD("ato:", PM_TYPE_DOUBLE, ss_p.ato),
|
||||
+ SSFIELD("backoff:", PM_TYPE_32, ss_p.backoff),
|
||||
+ SSFIELD("mss:", PM_TYPE_U32, ss_p.mss),
|
||||
+ SSFIELD("pmtu:", PM_TYPE_U32, ss_p.pmtu),
|
||||
+ SSFIELD("rcvmss:", PM_TYPE_U32, ss_p.rcvmss),
|
||||
+ SSFIELD("advmss:", PM_TYPE_U32, ss_p.advmss),
|
||||
+ SSFIELD("cwnd:", PM_TYPE_U32, ss_p.cwnd),
|
||||
+ SSFIELD("lost:", PM_TYPE_32, ss_p.lost),
|
||||
+ SSFIELD("ssthresh:", PM_TYPE_U32, ss_p.ssthresh),
|
||||
+ SSFIELD("bytes_sent:", PM_TYPE_U64, ss_p.bytes_sent),
|
||||
+ SSFIELD("bytes_retrans:", PM_TYPE_U64, ss_p.bytes_retrans),
|
||||
+ SSFIELD("bytes_acked:", PM_TYPE_U64, ss_p.bytes_acked),
|
||||
+ SSFIELD("bytes_received:", PM_TYPE_U64, ss_p.bytes_received),
|
||||
+ SSFIELD("segs_out:", PM_TYPE_U32, ss_p.segs_out),
|
||||
+ SSFIELD("segs_in:", PM_TYPE_U32, ss_p.segs_in),
|
||||
+ SSFIELD("data_segs_out:", PM_TYPE_U32, ss_p.data_segs_out),
|
||||
+ SSFIELD("data_segs_in:", PM_TYPE_U32, ss_p.data_segs_in),
|
||||
+ SSFIELD("send ", PM_TYPE_DOUBLE, ss_p.send), /* no ':' */
|
||||
+ SSFIELD("lastsnd:", PM_TYPE_U32, ss_p.lastsnd),
|
||||
+ SSFIELD("lastrcv:", PM_TYPE_U32, ss_p.lastrcv),
|
||||
+ SSFIELD("lastack:", PM_TYPE_U32, ss_p.lastack),
|
||||
+ SSFIELD("pacing_rate ", PM_TYPE_DOUBLE, ss_p.pacing_rate), /* no ':' */
|
||||
+ SSFIELD("delivery_rate ", PM_TYPE_DOUBLE, ss_p.delivery_rate), /* no ':' */
|
||||
+ SSFIELD("delivered:", PM_TYPE_U32, ss_p.delivered),
|
||||
+ SSFIELD("app_limited ", PM_TYPE_BOOL, ss_p.app_limited),
|
||||
+ SSFIELD("reord_seen:", PM_TYPE_32, ss_p.reord_seen),
|
||||
+ SSFIELD("busy:", PM_TYPE_U64, ss_p.busy),
|
||||
+ SSFIELD("unacked:", PM_TYPE_32, ss_p.unacked),
|
||||
+ SSFIELD("rwnd_limited:", PM_TYPE_U64, ss_p.rwnd_limited),
|
||||
+ SSFIELD("retrans:", PM_TYPE_STRING, ss_p.retrans_str),
|
||||
+ SSFIELD("dsack_dups:", PM_TYPE_U32, ss_p.dsack_dups),
|
||||
+ SSFIELD("rcv_rtt:", PM_TYPE_DOUBLE, ss_p.rcv_rtt),
|
||||
+ SSFIELD("rcv_space:", PM_TYPE_32, ss_p.rcv_space),
|
||||
+ SSFIELD("rcv_ssthresh:", PM_TYPE_32, ss_p.rcv_ssthresh),
|
||||
+ SSFIELD("minrtt:", PM_TYPE_DOUBLE, ss_p.minrtt),
|
||||
+ SSFIELD("notsent:", PM_TYPE_U32, ss_p.notsent),
|
||||
|
||||
{ NULL }
|
||||
};
|
||||
@@ -225,8 +230,11 @@ ss_parse(char *line, int has_state_field, ss_stats_t *ss)
|
||||
if (*p == '(')
|
||||
p++;
|
||||
r = (char *)parse_table[i].addr;
|
||||
- for (s=p; *s && *s != ' ' && *s != '\n' && *s != ')'; s++)
|
||||
- *r++ = *s; /* TODO check r len */
|
||||
+ for (s=p; *s && *s != ' ' && *s != '\n' && *s != ')'; s++) {
|
||||
+ *r++ = *s;
|
||||
+ if (r - (char *)parse_table[i].addr >= parse_table[i].size - 1)
|
||||
+ break;
|
||||
+ }
|
||||
*r = '\0';
|
||||
break;
|
||||
case PM_TYPE_32:
|
||||
diff --git a/src/pmdas/linux_sockets/ss_stats.h b/src/pmdas/linux_sockets/ss_stats.h
|
||||
index 183db5afa..009a00cd9 100644
|
||||
--- a/src/pmdas/linux_sockets/ss_stats.h
|
||||
+++ b/src/pmdas/linux_sockets/ss_stats.h
|
||||
@@ -1,11 +1,11 @@
|
||||
/*
|
||||
- * Copyright (c) 2021 Red Hat.
|
||||
- *
|
||||
+ * Copyright (c) 2021-2022 Red Hat.
|
||||
+ *
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
- *
|
||||
+ *
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
@@ -26,7 +26,7 @@ typedef struct ss_stats {
|
||||
__int32_t timer_retrans;
|
||||
__uint32_t uid;
|
||||
__uint64_t sk;
|
||||
- char cgroup[64];
|
||||
+ char cgroup[128];
|
||||
__int32_t v6only;
|
||||
char skmem_str[64];
|
||||
__int32_t skmem_rmem_alloc;
|
||||
commit 77ba20d5e76ada83283a262dd2083b2fc284b5f8
|
||||
Author: Nathan Scott <nathans@redhat.com>
|
||||
Date: Thu May 5 09:33:46 2022 +1000
|
||||
|
||||
selinux: policy updates needed for the pmdasockets metrics
|
||||
|
||||
Thanks to Jan Kurík and Miloš Malík we have the additional
|
||||
selinux policy requirements - without these we see QE test
|
||||
failures for this agent with pcp-ss(1) on RHEL.
|
||||
|
||||
Related to Red Hat BZ #1981886.
|
||||
|
||||
diff --git a/qa/917.out.in b/qa/917.out.in
|
||||
index 3bd1dc15e..6a4356a12 100644
|
||||
--- a/qa/917.out.in
|
||||
+++ b/qa/917.out.in
|
||||
@@ -154,9 +154,9 @@ Checking policies.
|
||||
# -- end logging_watch_journal_dirs(pcp_domain) expansion
|
||||
allow [pcp_pmcd_t] [cluster_tmpfs_t] : [file] { write };
|
||||
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
|
||||
- allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
||||
- allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
||||
- allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
|
||||
+! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
||||
+! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
||||
+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
|
||||
allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
|
||||
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
||||
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
|
||||
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
|
||||
index 1a1b1428c..1462c5ccb 100644
|
||||
--- a/src/selinux/GNUlocaldefs
|
||||
+++ b/src/selinux/GNUlocaldefs
|
||||
@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
|
||||
commit a6222992fe5f97f94bdddd928ce9557be1918bfd
|
||||
Author: Jan Kurik <jkurik@redhat.com>
|
||||
Date: Fri May 6 08:04:46 2022 +1000
|
||||
|
||||
selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
|
||||
|
||||
Previous policy set did not apply correctly on ppc64le and aarch64
|
||||
architectures. After some tweaking the following set of permissions
|
||||
was found to work on all the supported architectures and fixes the
|
||||
behavior of the sockets PMDA.
|
||||
|
||||
Related to Red Hat BZ #1981886.
|
||||
|
||||
diff --git a/qa/917.out.in b/qa/917.out.in
|
||||
index 6a4356a12..723193aa2 100644
|
||||
--- a/qa/917.out.in
|
||||
+++ b/qa/917.out.in
|
||||
@@ -156,7 +156,7 @@ Checking policies.
|
||||
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
|
||||
! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
||||
! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
||||
-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
|
||||
+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };
|
||||
allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
|
||||
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
||||
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
|
||||
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
|
||||
index 1462c5ccb..9733aead9 100644
|
||||
--- a/src/selinux/GNUlocaldefs
|
||||
+++ b/src/selinux/GNUlocaldefs
|
||||
@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };"
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
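Review bot: PCP_NETLINK_TCPDIAG_SOCKET_RULE now grants pcp_pmcd_t `nlmsg_write` together with `append`, `connect`, `ioctl`, `lock`, `setattr` and `shutdown`, and nothing in the hunk records which of these the sockets PMDA needs. The commit message says the set was reached by tweaking until it worked on all supported architectures, so some entries may be broader than required; `nlmsg_write` in particular is, as far as I know, the class for state-changing diag requests rather than the read-only queries a metrics agent issues, which is worth confirming against the observed AVC denials. I would add a comment above the two assignments such as `# netlink_tcpdiag_socket: permissions taken from AVC denials seen with pcp-ss(1); see BZ #1981886`, and drop any permission that no denial justifies.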
|
@ -1,11 +0,0 @@
|
||||
diff -Naurp pcp-5.3.7.orig/src/pmie/GNUmakefile pcp-5.3.7/src/pmie/GNUmakefile
|
||||
--- pcp-5.3.7.orig/src/pmie/GNUmakefile 2022-02-02 11:53:05.000000000 +1100
|
||||
+++ pcp-5.3.7/src/pmie/GNUmakefile 2022-05-03 11:45:12.108743480 +1000
|
||||
@@ -80,6 +80,7 @@ pmie.service : pmie.service.in
|
||||
$(SED) <$< >$@ \
|
||||
-e 's;@PCP_RC_DIR@;'$(PCP_RC_DIR)';' \
|
||||
-e 's;@PCP_RUN_DIR@;'$(PCP_RUN_DIR)';' \
|
||||
+ -e 's;@PCP_SYSCONFIG_DIR@;'$(PCP_SYSCONFIG_DIR)';' \
|
||||
# END
|
||||
|
||||
pmie_farm.service : pmie_farm.service.in
|
@ -1,146 +0,0 @@
|
||||
commit f54eddf494e474531e5af609bcc376037a918977
|
||||
Author: Nathan Scott <nathans@redhat.com>
|
||||
Date: Tue Apr 26 14:32:59 2022 +1000
|
||||
|
||||
pmdapostfix: harden against a not-yet-running postfix
|
||||
|
||||
Ensure the postfix PMDA can start and service requests even
|
||||
if postfix is not yet started.
|
||||
|
||||
diff --git a/src/perl/PMDA/local.c b/src/perl/PMDA/local.c
|
||||
index e223bde7a..33130bc5d 100644
|
||||
--- a/src/perl/PMDA/local.c
|
||||
+++ b/src/perl/PMDA/local.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012-2017 Red Hat.
|
||||
+ * Copyright (c) 2012-2017,2022 Red Hat.
|
||||
* Copyright (c) 2008-2011 Aconex. All Rights Reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
@@ -139,18 +139,15 @@ int
|
||||
local_tail(char *file, scalar_t *callback, int cookie)
|
||||
{
|
||||
int fd = open(file, O_RDONLY | O_NDELAY);
|
||||
- struct stat stats;
|
||||
+ struct stat stats = {0};
|
||||
int me;
|
||||
|
||||
- if (fd < 0) {
|
||||
- pmNotifyErr(LOG_ERR, "open failed (%s): %s", file, osstrerror());
|
||||
- exit(1);
|
||||
- }
|
||||
- if (fstat(fd, &stats) < 0) {
|
||||
- pmNotifyErr(LOG_ERR, "fstat failed (%s): %s", file, osstrerror());
|
||||
- exit(1);
|
||||
- }
|
||||
- lseek(fd, 0L, SEEK_END);
|
||||
+ if (fd < 0)
|
||||
+ pmNotifyErr(LOG_INFO, "open failed (%s): %s", file, osstrerror());
|
||||
+ else if (fstat(fd, &stats) < 0)
|
||||
+ pmNotifyErr(LOG_INFO, "fstat failed (%s): %s", file, osstrerror());
|
||||
+ else
|
||||
+ lseek(fd, 0L, SEEK_END);
|
||||
me = local_file(FILE_TAIL, fd, callback, cookie);
|
||||
files[me].me.tail.path = strdup(file);
|
||||
files[me].me.tail.dev = stats.st_dev;
|
||||
@@ -416,10 +413,11 @@ local_pmdaMain(pmdaInterface *self)
|
||||
}
|
||||
|
||||
for (i = 0; i < nfiles; i++) {
|
||||
- fd = files[i].fd;
|
||||
/* check for log rotation or host reconnection needed */
|
||||
if ((count % 10) == 0) /* but only once every 10 */
|
||||
local_connection(&files[i]);
|
||||
+ if ((fd = files[i].fd) < 0)
|
||||
+ continue;
|
||||
if (files[i].type != FILE_TAIL && !(__pmFD_ISSET(fd, &readyfds)))
|
||||
continue;
|
||||
offset = 0;
|
||||
@@ -431,21 +429,16 @@ multiread:
|
||||
(oserror() == EAGAIN) ||
|
||||
(oserror() == EWOULDBLOCK)))
|
||||
continue;
|
||||
- if (files[i].type == FILE_SOCK) {
|
||||
- close(files[i].fd);
|
||||
- files[i].fd = -1;
|
||||
- continue;
|
||||
- }
|
||||
- pmNotifyErr(LOG_ERR, "Data read error on %s: %s\n",
|
||||
- local_filetype(files[i].type), osstrerror());
|
||||
- exit(1);
|
||||
+ close(files[i].fd);
|
||||
+ files[i].fd = -1;
|
||||
+ continue;
|
||||
}
|
||||
if (bytes == 0) {
|
||||
if (files[i].type == FILE_TAIL)
|
||||
continue;
|
||||
- pmNotifyErr(LOG_ERR, "No data to read - %s may be closed\n",
|
||||
- local_filetype(files[i].type));
|
||||
- exit(1);
|
||||
+ close(files[i].fd);
|
||||
+ files[i].fd = -1;
|
||||
+ continue;
|
||||
}
|
||||
/*
|
||||
* good read ... data up to buffer + offset + bytes is all OK
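Review bot: Read failures in local_pmdaMain are now handled silently: the error branch and the `bytes == 0` branch both only `close(files[i].fd)` and set `files[i].fd = -1`, and the two `pmNotifyErr(LOG_ERR, ...)` calls that named the failing file type are removed rather than downgraded. An operator then has no log line showing that a tailed file or socket stopped feeding metrics. Keeping one message before the close, for example `pmNotifyErr(LOG_INFO, "Data read error on %s: %s\n", local_filetype(files[i].type), osstrerror());`, preserves the no-exit behaviour while leaving a trace. Recovery of the closed descriptor presumably depends on the local_connection call made every tenth pass in the previous hunk, which a comment should state; the loop body continues outside this hunk.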
|
||||
diff --git a/src/pmdas/postfix/pmdapostfix.pl b/src/pmdas/postfix/pmdapostfix.pl
|
||||
index ac46816bc..d6d3f4d3a 100644
|
||||
--- a/src/pmdas/postfix/pmdapostfix.pl
|
||||
+++ b/src/pmdas/postfix/pmdapostfix.pl
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
-# Copyright (c) 2012-2015 Red Hat.
|
||||
+# Copyright (c) 2012-2015,2022 Red Hat.
|
||||
# Copyright (c) 2009-2010 Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
@@ -56,8 +56,6 @@ my @postfix_received_dom = (
|
||||
1 => 'smtp',
|
||||
);
|
||||
|
||||
-my $setup = defined($ENV{'PCP_PERL_PMNS'}) || defined($ENV{'PCP_PERL_DOMAIN'});
|
||||
-
|
||||
sub postfix_do_refresh
|
||||
{
|
||||
QUEUE:
|
||||
@@ -212,7 +210,7 @@ $logstats{"received"}{1} = 0;
|
||||
|
||||
# Note:
|
||||
# Environment variables.
|
||||
-# $PMDA_POSTFIX_QSHAPE: alternative executable qshape scrpipt (for QA)
|
||||
+# $PMDA_POSTFIX_QSHAPE: alternative executable qshape script (for QA)
|
||||
# ... over-rides default and command line argument.
|
||||
# ... over-rides default arguments -b 10 -t $refresh
|
||||
# $PMDA_POSTFIX_REFRESH: alternative refresh rate (for QA)
|
||||
@@ -228,7 +226,7 @@ if (defined($ENV{'PMDA_POSTFIX_QSHAPE'})) {
|
||||
$qshape = $ENV{'PMDA_POSTFIX_QSHAPE'};
|
||||
$qshape_args = '';
|
||||
}
|
||||
-if (!$setup) { $pmda->log("qshape cmd: $qshape $qshape_args <qname>"); }
|
||||
+unless (pmda_install()) { $pmda->log("qshape cmd: $qshape $qshape_args <qname>"); }
|
||||
|
||||
if (defined($ENV{'PMDA_POSTFIX_REFRESH'})) { $refresh = $ENV{'PMDA_POSTFIX_REFRESH'}; }
|
||||
|
||||
@@ -238,12 +236,15 @@ foreach my $file ( @logfiles ) {
|
||||
}
|
||||
}
|
||||
if (defined($ENV{'PMDA_POSTFIX_LOG'})) { $logfile = $ENV{'PMDA_POSTFIX_LOG'}; }
|
||||
-unless(defined($logfile))
|
||||
-{
|
||||
- $pmda->log("Fatal: No Postfix log file found in: @logfiles");
|
||||
- die 'No Postfix log file found';
|
||||
+unless (pmda_install()) {
|
||||
+ if (defined($logfile)) {
|
||||
+ $pmda->log("logfile: $logfile");
|
||||
+ } else {
|
||||
+ $pmda->log("Warning: assuming logfile: $logfiles[0] as no Postfix log found yet from: @logfiles");
|
||||
+ }
|
||||
}
|
||||
-if (!$setup) { $pmda->log("logfile: $logfile"); }
|
||||
+# set a good default if none found, before continuing
|
||||
+unless (defined($logfile)) { $logfile = $logfiles[0]; }
|
||||
|
||||
$pmda->add_indom($postfix_queues_indom, \@postfix_queues_dom, '', '');
|
||||
$pmda->add_indom($postfix_sent_indom, \@postfix_sent_dom, '', '');
|
@ -1,44 +0,0 @@
|
||||
commit d874d2e486c8a64fa9945ed7aa0048cccbd46f77
|
||||
Author: Nathan Scott <nathans@redhat.com>
|
||||
Date: Wed May 4 17:11:19 2022 +1000
|
||||
|
||||
pmdaproc: fix cgroup cpu metrics refresh structures
|
||||
|
||||
Jan Kurik encountered this issue when running the regression
|
||||
testsuite (especially qa/359) on non-x86_64 architectures.
|
||||
|
||||
Something must've changed in the toolchain recently on these
|
||||
platforms since we've not seen this before, but this bug has
|
||||
been in our code for some time. It works everywhere else by
|
||||
good fortune, when there just happen to be NULLs after these
|
||||
cgroups CPU parsing data structures.
|
||||
|
||||
Resolves Red Hat BZ #2081262.
|
||||
|
||||
diff --git a/src/pmdas/linux_proc/cgroups.c b/src/pmdas/linux_proc/cgroups.c
|
||||
index 413a72343..26d59863a 100644
|
||||
--- a/src/pmdas/linux_proc/cgroups.c
|
||||
+++ b/src/pmdas/linux_proc/cgroups.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012-2019 Red Hat.
|
||||
+ * Copyright (c) 2012-2019,2022 Red Hat.
|
||||
* Copyright (c) 2010 Aconex. All Rights Reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
@@ -863,6 +863,7 @@ read_cpu_time(const char *file, cgroup_cputime_t *ccp)
|
||||
{ "usage_usec", &cputime.usage },
|
||||
{ "user_usec", &cputime.user },
|
||||
{ "system_usec", &cputime.system },
|
||||
+ { NULL, NULL }
|
||||
};
|
||||
char buffer[4096], name[64];
|
||||
unsigned long long value;
|
||||
@@ -903,6 +904,7 @@ read_cpu_stats(const char *file, cgroup_cpustat_t *ccp)
|
||||
{ "nr_periods", &cpustat.nr_periods },
|
||||
{ "nr_throttled", &cpustat.nr_throttled },
|
||||
{ "throttled_time", &cpustat.throttled_time },
|
||||
+ { NULL, NULL }
|
||||
};
|
||||
char buffer[4096], name[64];
|
||||
unsigned long long value;
|
@ -0,0 +1,88 @@
|
||||
diff --git a/vendor/github.com/iovisor/bcc/libbpf-tools/arm64/vmlinux_510.h b/vendor/github.com/iovisor/bcc/libbpf-tools/arm64/vmlinux_510.h
|
||||
index f84b1347bf..3c032f5230 100644
|
||||
--- a/vendor/github.com/iovisor/bcc/libbpf-tools/arm64/vmlinux_510.h
|
||||
+++ b/vendor/github.com/iovisor/bcc/libbpf-tools/arm64/vmlinux_510.h
|
||||
@@ -1678,6 +1678,7 @@ struct perf_event {
|
||||
int pending_wakeup;
|
||||
int pending_kill;
|
||||
int pending_disable;
|
||||
+ long unsigned int pending_addr;
|
||||
struct irq_work pending;
|
||||
atomic_t event_limit;
|
||||
struct perf_addr_filters_head addr_filters;
|
||||
@@ -1693,6 +1694,7 @@ struct perf_event {
|
||||
void *overflow_handler_context;
|
||||
perf_overflow_handler_t orig_overflow_handler;
|
||||
struct bpf_prog *prog;
|
||||
+ u64 bpf_cookie;
|
||||
struct trace_event_call *tp_event;
|
||||
struct event_filter *filter;
|
||||
struct ftrace_ops ftrace_ops;
|
||||
@@ -26070,7 +26072,10 @@ enum bpf_link_type {
|
||||
BPF_LINK_TYPE_ITER = 4,
|
||||
BPF_LINK_TYPE_NETNS = 5,
|
||||
BPF_LINK_TYPE_XDP = 6,
|
||||
- MAX_BPF_LINK_TYPE = 7,
|
||||
+ BPF_LINK_TYPE_PERF_EVENT = 7,
|
||||
+ BPF_LINK_TYPE_KPROBE_MULTI = 8,
|
||||
+ BPF_LINK_TYPE_STRUCT_OPS = 9,
|
||||
+ MAX_BPF_LINK_TYPE = 10,
|
||||
};
|
||||
|
||||
struct bpf_link_info {
|
||||
@@ -30363,6 +30368,11 @@ struct bpf_raw_tp_link {
|
||||
struct bpf_raw_event_map *btp;
|
||||
};
|
||||
|
||||
+struct bpf_perf_link {
|
||||
+ struct bpf_link link;
|
||||
+ struct file *perf_file;
|
||||
+};
|
||||
+
|
||||
struct btf_member {
|
||||
__u32 name_off;
|
||||
__u32 type;
|
||||
diff --git a/vendor/github.com/iovisor/bcc/libbpf-tools/powerpc/vmlinux_510.h b/vendor/github.com/iovisor/bcc/libbpf-tools/powerpc/vmlinux_510.h
|
||||
index 3b1b0127d1..052db391d4 100644
|
||||
--- a/vendor/github.com/iovisor/bcc/libbpf-tools/powerpc/vmlinux_510.h
|
||||
+++ b/vendor/github.com/iovisor/bcc/libbpf-tools/powerpc/vmlinux_510.h
|
||||
@@ -4345,6 +4345,7 @@ struct perf_event {
|
||||
int pending_wakeup;
|
||||
int pending_kill;
|
||||
int pending_disable;
|
||||
+ long unsigned int pending_addr;
|
||||
struct irq_work pending;
|
||||
atomic_t event_limit;
|
||||
struct perf_addr_filters_head addr_filters;
|
||||
@@ -4360,6 +4361,7 @@ struct perf_event {
|
||||
void *overflow_handler_context;
|
||||
perf_overflow_handler_t orig_overflow_handler;
|
||||
struct bpf_prog *prog;
|
||||
+ u64 bpf_cookie;
|
||||
struct trace_event_call *tp_event;
|
||||
struct event_filter *filter;
|
||||
struct ftrace_ops ftrace_ops;
|
||||
@@ -36449,7 +36451,10 @@ enum bpf_link_type {
|
||||
BPF_LINK_TYPE_ITER = 4,
|
||||
BPF_LINK_TYPE_NETNS = 5,
|
||||
BPF_LINK_TYPE_XDP = 6,
|
||||
- MAX_BPF_LINK_TYPE = 7,
|
||||
+ BPF_LINK_TYPE_PERF_EVENT = 7,
|
||||
+ BPF_LINK_TYPE_KPROBE_MULTI = 8,
|
||||
+ BPF_LINK_TYPE_STRUCT_OPS = 9,
|
||||
+ MAX_BPF_LINK_TYPE = 10,
|
||||
};
|
||||
|
||||
struct bpf_link_info {
|
||||
@@ -40756,6 +40761,11 @@ struct bpf_raw_tp_link {
|
||||
struct bpf_raw_event_map *btp;
|
||||
};
|
||||
|
||||
+struct bpf_perf_link {
|
||||
+ struct bpf_link link;
|
||||
+ struct file *perf_file;
|
||||
+};
|
||||
+
|
||||
struct btf_member {
|
||||
__u32 name_off;
|
||||
__u32 type;
|
@ -0,0 +1,19 @@
|
||||
commit 23bfdcbac0b0fb7bd33f092c6f2ad56889480335
|
||||
Author: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||
Date: Thu Oct 27 14:22:37 2022 +0200
|
||||
|
||||
build: use vendored vmlinux.h when compiling bpftool
|
||||
|
||||
diff --git a/vendor/GNUmakefile b/vendor/GNUmakefile
|
||||
index a0c29d4b45..57151e4671 100644
|
||||
--- a/vendor/GNUmakefile
|
||||
+++ b/vendor/GNUmakefile
|
||||
@@ -3,7 +3,7 @@ include $(TOPDIR)/src/include/builddefs
|
||||
|
||||
default_pcp default:
|
||||
ifeq "$(PMDA_BPF)" "true"
|
||||
- $(MAKE) -C github.com/libbpf/bpftool/src
|
||||
+ $(MAKE) -C github.com/libbpf/bpftool/src VMLINUX_H=$(PMDABPF_VMLINUXH)
|
||||
endif
|
||||
|
||||
install_pcp install:
|