Force at most partial RELRO for rump_server and related libraries

rump_server with -l uses lazy resolution by default and thus cannot be
used with full RELRO/BIND_NOW.

Stop passing -D_INCOMPLETE_XOPEN_C063 (obsolete define)

compile hijack.c with -D_INCOMPLETE_XOPEN_C063 so that AT_FDCWD is alwasy
defined for rumpkernels.

branches: 1.20.10;
With the removal of HAVE_REGISTER_T from rumpuser_port.h, _KERNTYPES does not
need to be defined. This allows register_t to be typedef'd to RUMP_REGISTER_T
without conflict, as highlighted in PR kern/52206.

Revert previous change so builds can resume.
_KERNTYPES needs to be defined for NetBSD builds to succeed.
_KERNTYPES must not be defined for buildrum.sh builds to succeed.

Do not define _KERNTYPES as this breaks build with buildrump.sh due to
conflicting types for register_t.
Closes PR kern/52206
Steered in the right direction by christos.

branches: 1.17.6;
Define _KERNTYPES for things that need it.

Make sure that "_FORTIFY_SOURCE" really gets undefined even if "USE_SSP"
is set to "yes" to fix build problems caused by the recent change to
this makefile.

don't need to include anything before bsd.lib.mk since we don't use any
variables

ACTIVE_CC can only be used after include of bsd.own.mk

use <rump/rumpuser_port.h>

Override ssp also in case where it doesn't come intrinsically
from the compiler.

Extend #undef _FORTIFY_SOURCE to both files to avoid compiler
warning for -O0 and fortify combination.

from Alessio Sergi via github

branches: 1.10.2;
Make librumphijack compile and work on Linux. Do not try to hijack
calls which are not supported on Linux and therefore cannot be
handled by the rump kernel side syscall emulation (not that they'd
be present in the calling binaries anyway).

These directories default to WARNS?=5

branches: 1.8.4;
Ok, for reasons I can't begin to understand, the binaries I tested
yesterday on powerpc broke overnight. Apparently adding one more
function before the call to dlsym() fixes things again. I hope
I don't have to add another one tomorrow ....

Put the dlsym-from-this-object trampoline into a separate source
module which is compiled -fno-optimize-sibling-calls instead of
trying to fool the optimizer in various ways in the trampoline.

thanks to yamt for the tip

Use NEEDED for librumpclient instead of loading it manually.

enable WARNS=4

manual page for rumphijack

branches: 1.3.2;
comment out DBG and NOGCCERROR, use proper LIBDPLIBS form

use -D_REENTRANT (should currently have no effect, but better safe
than sorry if someone adds uses of stdio macros)

Begin work on a syscall hijacking library which can be LD_PRELOADed
to convince non-rumped applications to communicate with a rump
kernel instead of the host kernel. The precision of what goes
where is not exactly surgical, but for example when wanting to
debug a web server's TCP/IP stack interaction, it might be enough.
When all you have is a hand grenade, all problems look like a ....
hmm?

There's still plenty to figure out. For example, I'm not sure what
the user interface will be like. Now it just attempts to hijack
network communication. It also needs to sync with symbol renaming
in libc, and maybe autogenerate the non-schizophrenic wrappers
where the communication is heading to exactly one destination, lest
I'll be a mummmy by the time I finish writing them all. As a fun
example of a non-non-schizophrenic one, consider poll().

Work in progress, but I managed to get two non-rumped netcats
talking to each other or fetching the index from a non-rumped
thttpd. telnet works in one direction (i can read the data from
netcat, but anything i send back is not printed). bozohttpd uses
dup2() which i haven't bothered to address yet, etcetc.

(not hooking this up the build for now)

branches: 1.1.2;
file Version.map was initially added on branch agc-symver.

dup2() must (except when there's an error) return the new fd. Not 0
unless that happens to be the new fd.

Fixes tests/lib/librumphijack/t_sh/redirect

librumphijack: support flock

The original author is k-goda@IIJ.

branches: 1.139.2;
fix simple mis-matched function prototype and definitions.

most of these are like, eg

void foo(int[2]);

with either of these

void foo(int*) { ... }
void foo(int[]) { ... }

in some cases (such as stat or utimes* calls found in our header files),
we now match standard definition from opengroup.

found by GCC 12.

librump*: Require 10.99.7 or higher for __kevent100

Add epoll(2) from Theodore Preduta as part of GSoC 2023

branches: 1.136.2;
fix various typos in comments and log messages.

remove fake closefrom()

librumphijack: fix typo for NetBSD < 5.99.7

Ignore closefrom(3) for now; too complicated to descern between regular
and rump fds.

- implement pselect so that the ssh test has a chance to work
- 1 -> EXIT_FAILURE
- more info about fds

Add pathconf and lpathconf (fixes lib/librumphijack/nfs test which uses ls
which now uses lpathconf)

Change types of DUP2ALIAS and DUP2FDMASK bit masks to unsigned

This is for consistency with the DUP2BIT change.

Avoid unportable bit shift semantics

hijack.c:451:52, left shift of 1 by 31 places cannot be represented in type 'int

teach hijack about the new vfs syscalls

Linux doesn't have paccept().

Add an option "modctl" to capture modctl().

branches: 1.125.2;
rumphijack: don't modify a cmsg on just validating it

Pointed out by k-goda@IIJ

branches: 1.124.2;
Provide better debug messages for ioctl

since ln(1) now uses linkat(2) provide a dumb wrapper.

branches: 1.122.4;
Support paccept for nc

branches: 1.121.2;
fix test lib/librumphijack/t_sh/runscript
(handle F_DUPFD_CLOEXEC that the shell is now using)

Object to dup2() if target fd is in the range of fd's that
librumphijack reserves for rump to use.

This is not normally a problem, as most applications don't attempt
to use very high fds - but /bin/sh does.

This fix is something of a kludge - really the apparent fd resource limit
ought to be lowered as well, but this is sufficient to allow the shell
to work (when its dup2() gets rejected, it just tries again with a smaller
target fd until it eventually succeeds.) This fixes the librumphijack
shell ATF tests.

A better, more comprehensive, fix would be good...

branches: 1.119.2;
Remember that dlsym() tends to fail on PowerPC during init (or at least
tended), so call rumphijack_dlsym() instead to be safe.

allow mmap() to be called before init runs

Define the expansion of the VFORK macro, not the symbol `VFORK'.

Fixes hijacking processes that vfork and exec. Symptom was the child
would spin with read/EAGAIN <-> kevent/EBADF because the inheritance
mechanism relied on setting the holyfd to -1 on fork...which didn't
happen if we didn't hijack vfork.

ok pooka@

Wrap utimensat() only if present on host

fixes buildrump.sh on NetBSD 6.1.5

Make ATCALL() behave for absolute paths too.

Define a generic ATCALL() and use it to implement utimensat()

Also hijack futimens(2) so that t_sh test passes.

Hijack utimensat(2) so that t_vfs test passes after cp(1)/mv(1) are
changed to use the system call. Linux also has this system call, but
not tested this on linux.

Use autoconf for rump kernel posix hypercall layer.

This gets rid of homegrown hacks and puts all probes in one place.

Tested for NetBSD (build.sh + anita) and Linux (buildrump.sh)

In case of no dup2'd fd's, make sure that F_CLOSEM for the
rump kernel starts from 0.

Fixes rumphijack fdoff test (notably, this bug had nothing to do with
fdoff, and was exposed >3 years after writing the test when rump kernels
started providing fd's 0/1/2)

branches: 1.109.2;
Ignore the contents of revents when poll() returns failure.
This is one more part to the fix for PR kern/46464. Patch
from pooka.

Do not assert that the two threads do not simultanously notify each
other, because sometimes they do. Should fix PR kern/46464. OK pooka.

branches: 1.107.2;
Add Android support for rump kernel.

Reviewed by pooka@

use <rump/rumpuser_port.h>

remove unnecessary <sys/poll.h> -- musl whines when it's included

Extend #undef _FORTIFY_SOURCE to both files to avoid compiler
warning for -O0 and fortify combination.

from Alessio Sergi via github

Support Linuxen where libc ioctl has cmd as int unstead of unsigned long.

Fixes when compiling against musl libc.

from Justin Cormack via private email

sys/cdefs.h should come from rumpuser_port.h

Noticed by Justin Cormack while building against musl libc.

branches: 1.100.2;
* avoid problems if the platform calls readlink() from dlsym()
* alias __read_chk() to read() on Linux (technically, though,
it should call host __read_chk() instead of read())

When emulating poll/select better tell the events of the host kernel
apart from those received from the rump kernel. Also handle timeout.
Patch from pooka.

branches: 1.98.2;
one more patch for supporting linux-based networking clients

More fixes for Linux (or glibc, really).

Make librumphijack compile and work on Linux. Do not try to hijack
calls which are not supported on Linux and therefore cannot be
handled by the rump kernel side syscall emulation (not that they'd
be present in the calling binaries anyway).

Implement link(2) in rumphijack. Add a couple trivial test cases.

implement descriptor passing.

Update old-style definitions to ANSI, remove a couple of register
definitions along the way. Fixed gcc 4.1 build (thank you vax)

poll(), pollts() and select() all return int values, but in the hijack
emulation of them these get passed as exit values from a pthread as
a void* (c.f. pthread_join(), pthread_exit()).
Do not use the address of an int variable for these, but provide the address
of a void* and assign the value afterwards.
Fixes hijacking of pollts/select on 64bit big endian hosts.
Spotted by and fix from pooka.

branches: 1.91.2;
Change the syscall API for quotas over to the new non-proplib one.

- struct vfs_quotactl_args -> struct quotactl_args
- add sys/stdint.h to sys/quotactl.h for clean userland build
- install sys/quotactl.h in /usr/include
- update set lists for same
- add new marshalling code in libquota
- add new unmarshalling code in vfs_syscalls.c
- discard proplib interpreter code in vfs_quotactl.c
- add dispatching code for the 14 quotactl ops in vfs_quotactl.c
- mark the proplib quotactl syscall obsolete
- add a new syscall number for the new quotactl syscall
- change the name of the syscall to __quotactl()
- remove the decl of the old quotactl from quota/quotaprop.h
- add a decl of the new quotactl to sys/quotactl.h
- update the libc build
- update ktruss
- remove proplib marshalling code from libquota
- update copy of syscall table in gdb ppc sources
- hack rumphijack to accomodate new quotactl name (as I recall,
pooka wanted such a name change to simplify something, but I
don't really see what/how)

This change appears to require a kernel version bump for rumpish
reasons.

branches: 1.90.4;
Disable Fortification for pthread and rump stubs.

Backout previous, it breaks lots of tests (tests/lib/librumphijack for
example).

Move the forward declaration of _sys_readlink() outside of the #if,
so that the build succeeds even if _FORTIFY_SOURCE isn't > 0.

Fix SSP builds (Vladimir Kirillov)

fdoff is descriptive enough

Make fdoffset configurable. Also, enforce that host descriptors
are smaller than the offset.

Use rumphijack_dlsym() to figure out where __sysctl() is during
init. Otherwise powerpc dlsym() DTWT and returns NULL.
(now i have no idea why dlsym() it works from rcinit(), but i'll
opt to not care)

Hah, only took 15min to debug that crap this time around. I'm
quickly approaching zero-time with it.

Revert 1.81 and do it in a saner way with an ifdef. Later, when
the naming crisis is resolved, we can probably support rump kernel
quotas from nb5 also.

Make getfh() a pathcall instead of a fhcall. while it does pertain
to file handles, it still gets passed a path and we can DTRT based
on that.

Make this compile/work on NetBSD 5 once again.

Add quotactl(2)

Fix last entries, make it work again.

Add a bunch of process-wide hijack calls. Among other things, it's
now possible to use unmodified userspace binaries (rpcbind, mountd,
nfsd) to start a rump nfs service and mount file systems from it.

pain-rustique:42:~> mount
rumpfs on / type rumpfs (local)
10.1.1.1:/export on /mnt type nfs

g/c unused global

Enforce that the path=/rump specifier specifies and actual path
prefix and doesn't accept e.g. /rumpdev (only /rump/dev).

Add ``blanket''. It acts like path, except that the prefix does
_not_ get removed if the call goes to the rump namespace.

So, now it's possible to use e.g. tcpdump (and most other utilities
which hardcore a /dev pathname) on a rump kernel:

golem> setenv RUMPHIJACK blanket=/dev/bpf
golem> tcpdump -n -i virt0
tcpdump: WARNING: SIOCGIFADDR: virt0: Device not configured
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virt0, link-type EN10MB (Ethernet), capture size 96 bytes
21:55:38.925596 IP 192.168.2.101 > 204.152.190.12: ICMP echo request, id 47811, seq 0, length 64
21:55:39.095596 IP 204.152.190.12 > 192.168.2.101: ICMP echo reply, id 47811, seq 0, length 64

(if you additionally set socket=all in RUMPHIJACK, tcpdump doesn't
whine about the "not configured" interface)

another comment

comment

make compiler sign-happy

A simple dup2-enforced affine transformation isn't enough when
dealing with dup2() from a rump kernel fd to a host kernel fd.
Consider:

s1 = socket();
s2 = socket();
dup2(s2, 0);

Instead, maintain a real mapping table (and get on my knees and
pray i don't have to touch this hair-splitting code ever again).

Apparently bourne shell scripts from a rump kernel fs work now
(sh script.sh; ./script.sh doesn't work for obvious "IT'S THE WRONG
FS NAMESPACE" reasons). No test regressions either, so I'm a
happy camper.

make error messages sensible. from uwe

whoops, didn't mean to delete futimes in previous. also from riz

support mknod. from riz

Make the rumphijack dlsym trampoline call from rumpclient a "real"
function call instead of a call through a function pointer.
Apparently powerpc ld.elf_so gets __hackish_return_address() wrong
if the call is done through a function pointer (digging deeper into
that stuff is beyond my interest).

Thanks to riz for providing access to a macppc for debugging.
Unthanks to the broken toolchain in the default installation which
wasted approximately 4 hours of time last night.

Return value audit: properly set errno and return -1.
Fixes at least cross-kernel mv(1).

+access(2)

Put the dlsym-from-this-object trampoline into a separate source
module which is compiled -fno-optimize-sibling-calls instead of
trying to fool the optimizer in various ways in the trampoline.

thanks to yamt for the tip

If minfd for F_DUPFD is >= hijackoff, assume it means a minimum
value in the rump kernel and adjust accordingly.

disallow mmap(MAP_FILE) from a rump kernel fd

Actually, we need both lseek and _lseek so that out-of-libc references
go to the right place instead of directly to __lseek. Seeking in
mplayer works now.

hijack:
1) {,f,l}chflags (used e.g. by cp(1))
2) p{read,write}{,v} (used by many)

fix tests/lib/librumphijack/t_asyncio:invafd -- dual poll on invalid fd

fix symlink pathname examination (rationale-to-joerg: so that it works)

hijack __getcwd()

and now with less crazy whitespace

support PF_OROUTE and PF_MPLS where available

hijack libc-internal name for lseek so that libc-internal callers
go to the right kernel too.

block cross-kernel rename in the other direction also

fix rename

uhm, put PF_LOCAL on the socketlist

give the signmonkey a banana

Use the env variable RUMPHIJACK to specify what facilities should
be hijacked. If it's not specified, the default is
"path=/rump,socket=all:nolocal".

So, if you're moof and want to relive your domain/os days (??),
you can do this:

pain-rustique:51:~> setenv RUMPHIJACK 'path=//'
pain-rustique:52:~> df //dev
Filesystem 1K-blocks Used Avail %Cap Mounted on
rumpfs 1 1 0 100% /
pain-rustique:53:~> df /dev
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/wd0a 1019864 280640 688232 28% /

Support mount/unmount too. So, things are now generally at a stage
where you can mount a file system with a userspace server *without*
it having to go through puffs.

Say, you first start a server with ffs capability and map a host
ffs image into it:

rump_server -lrumpvfs -lrumpfs_ffs \
-d key=/ffsimg,hostpath=ffs2.img,size=e unix:///tmp/ffsserv

Then, configure your shell to talk to the rump server:

setenv RUMP_SERVER unix:///tmp/ffsserv
setenv LD_PRELOAD /usr/lib/librumphijack.so

Create a mountpoint and mount the file system:

pain-rustique:60:~> sh
$ cd /rump
$ ls
dev
$ ls -l
total 1
drwxr-xr-x 2 root wheel 512 Feb 17 18:00 dev
$ mkdir mnt
$ mount_ffs /ffsimg /rump/mnt
mount_ffs: Warning: realpath /ffsimg: No such file or directory
$ df -h mnt
Filesystem Size Used Avail %Cap Mounted on
/ffsimg 496M 380M 91M 80% /mnt
$ du -sckh *
192K dev
380M mnt
381M total
$ umount -R mnt
$ df -h mnt
Filesystem Size Used Avail %Cap Mounted on
rumpfs 1.0K 1.0K 0B 100% /
$

(note, you need -R to umount due to various degrees of unsuccesful
magic it attempts to perform without it)

In case dup2(n, n+FDOFF) is done, the caller thinks there are two
distinct file descriptors, but the rump kernel thinks they are both
the same. Now, if either one is closed by the application, "both"
will be closed in the rump kernel. To fix this, maintain an
alias-mask. It's not a perfect solution, though (consider e.g.
F_SETFL). Maybe we should actually dup the fd and maintain a
mapping table?

Also, prevent the host from opening file descriptors onto the places
in the fd namespace that have been dupped.

These together fix "cat < /rump/foo" in a hijacked /bin/sh.
(the first one makes sure stdin is open in cat and the second one
makes sure it doesn't try to cat something from /usr/share/locale
instead of stdin)

fix signature. from pgoyette

Hijack pathname-based system calls. Now all paths starting with
/rump are hijacked to go to the rump server. So you can e.g. start
a hijacked shell and cd to /rump:

$ cd /rump
$ pwd
/rump
$ ls -l dev/null
crwxr-xr-x 1 root wheel 2, 2 Feb 17 12:35 dev/null
$ ls -l /dev/null
crw-rw-rw- 1 root wheel 2, 2 Dec 22 2009 /dev/null
$ chmod 0 /dev/null
chmod: /dev/null: Operation not permitted
$ chmod 0 dev/null
$ ls -l /rump/dev/null
c--------- 1 root wheel 2, 2 Feb 17 12:35 /rump/dev/null

(of course the rump server must have vfs loaded for that to work)

* set default server connection retry to 0 (no reconnection attempts).
while for some cases attempting retry after server restart works
brilliantly (e.g. firefox), in other cases it's quite disasterous
(sshd doesn't like its file descriptors going missing and does not
attempt to reopen them, leading to a quite catastophic loop of
EBADF once the server does come back)
* rename RUMPHIJACK_RETRY to the slightly more sensible
RUMPHIJACK_RETRYCONNECT

Support vfork. Add rumpclient wrapper for daemon(3).

Push the fiddly tasks for exec and fork from rumphijack to rumpclient.
This makes it possible easily execute those operations also from
non-hijacked rump clients (plus fixes one memory leak in an error
branch).

dup() is now implemented using fcntl()

Properly implement fcntl commands: F_DUPFD, F_CLOSEM, F_MAXFD

A bunch of changes which essentially make sshd work with a hijacked
rump tcp/ip stack:

* sshd likes to fork and then re-exec itself
==> trap execve() and augment the env with the current parameters
essential to a rump kernel (kernel communication fd, information
about dup2'd file descriptors)

* sshd likes to play lots of games with pipes, socketpairs and dup{,2}()
==> make sure we do not close essential rump client descriptors:
dup() them to a safe place, except for F_CLOSEM where we
simply leave them alone. also, partially solved by the above,
make sure the process's set of rump kernel descriptors persists
over exec()

* sshd likes to chdir() before exec
==> for unix-style rump_sp(7) sockets save the full path on the
initial exec and use it afterwards. thread the path through
the environment in execve()

Fix select() if no fds are set.

patch from Alexander Nasonov, PR lib/44552

play the important typecast game

ssh mostly ignores the return value of select(), so if the timeout
expired it would assume that all input set descriptors had activity.

In case we get rv == 0 from the poll backend, zero out the fd sets
to signal that in fact no descriptors have activity.

Before this commit ssh was "jittery" when run through a rump tcp/ip
stack (interactive sessions kept blocking on stdin and you had to
"peddle" the connection). Now it works smoothly ... or at least
smoothly enough so that this commit could be done through a rump
tcp/ip stack:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root ssh 125 0 tcp localhost.65517 cvs.netbsd.org.22

Fix pasto, use GETSYSCALLS() where possible

Make sure we can do host kevent since the -current (and recent nb5)
libc resolver uses it. Error out in case of rump fd kevent (TODO).
Fixes one more problem pointed out by Alexander Nasonov.

Also, implement dup().
(TODO: implement it along the fcntl path too)

add std dprint to fdcall

Force gcc to generate a stack frame for the call to dlsym(RTLD_NEXT).
Without this hack at least amd64 -O2 just used jmp and The Wrong
Thing happened.

duh, _sys_read, not read. STAY FIXED, DAMNIT!

Unbreak the ssp lossage from the default -current build by removing
it. I still don't have any idea what the ssp stuff is supposed to
do and how it's supposed to even begin to work. If someone wants
to change this now, run tests/lib/librumphijack before commit so
that I can avoid another multihour debugging session!

call the non-compat pollts() from inside the library

make it possible to specify client connection retry model in
RUMPHIJACK_RETRY

be kinder about kqueue()
(but paradoxically omit the surprise)

uncommit part of previous which wasn't supposed to change

Wrap daemon() since it forks. Otherwise we lose the rumpclient kq
descriptor and have multiple processes using the commfd.

Fix some snafus to allow rumphijack to work on -current.

reported by Alexander Nasonov

Use NEEDED for librumpclient instead of loading it manually.

Set server reconnection timeout to infinite. There probably need
to be some toggle eventually, but for now I'm optimizing the default
for my firefox use ;)

make SSP friendly

fix compilation on -current

the usual fun for WARNS=4

signed,
unsigned

dramatic whitespace fix

Rewrite to declare most dual-kernel calls with macros. This helps
with adding new calls and makes all existing fd-accepting hijacked
calls dual-kernel. It would be better to autogenerate the code
from syscalls.master, but this is easier for now.

branches: 1.16.2;
Do the standard dance for sendto/recvfrom since nspluginwrapper
wants to use them. XXX: need to fold the dance sequence into a
common routine.

fix lp64 snafu (hopefully)

from pgoyette

* attempt to match libc non-compat names (XXX: needs work)
* make shutdown() a dual-stack call
* flip the default to use host for PF_UNIX, since that's generally
the desired case (because of X)

pollts:
Since fds[] does not go to both kernels, set revents to 0 when
splitting the vector. Now any stale revents passed by the caller
do not get counted as results for the kernel which did not "win"
the poll.

This fixes a situation where a firefox transfer would occasionally
stall. Now firefox works full speed with a rump networking stack.

Don't count sparse elements in the poll vector for host fds.

Fix conversion: there are 1000*1000 nanoseconds in a millisecond, not 1000.

Fix dup2 mask so that dup2'ing a rump kernel fd to 1 does not cause
stderr to be treated as a rump kernel fd as well. Makes e.g.
bozohttpd work better with stderr logging.

Also, add aborty stubs for kqueue.
(implementing kqueue is even trickier than implementing select/poll
since we need to keep state for two kqueue fd's)

Use host_close() instead of close() where we know it to be the
right interface.

Adapt to rump syscall changes. The correct rump compat syscall is
now automatically picked based on the ABI of the target the library
is compiled for.

(the host libc symbolname to override still needs a little attention
based on the system version)

Networked X11 clients have the annoying property that they need to
contact the X server. Since most of the useful cases these days
are local, add a toggle which forwards PF_LOCAL sockets to the host
and all other protocol families to the rump kernel.

This makes an unmodified firefox work with a rump TCP/IP stack.
I'm sure someone will find applications for being able to run
multiple web browser profiles on one OS with each browser having
a different IP address in the same subnet ...

Don't depend on malloc(0) returning non-NULL.

dprintf to stderr. stop doing it if stderr_fileno gets dup2()'d

Support dual kernel select() by emulating it with pollts(). It
would have been much easier if up to and including 5.0 we wouldn't
silently cap the nfds argument to poll(!!!).

Makes things like socket(1) work out-of-the-box, and pretty much
every other decidedly prehistoric select() user.
(netcat is a slight exception since it sets FD_SETSIZE, a.k.a.
interface-of-the-year, to 16)

support pollts and rewrite poll in terms of pollts

Support fork() and dup2().

This is sufficient to make an unmodified httpd(8) be able to serve
pages via a rump networking stack.

Begin work on a syscall hijacking library which can be LD_PRELOADed
to convince non-rumped applications to communicate with a rump
kernel instead of the host kernel. The precision of what goes
where is not exactly surgical, but for example when wanting to
debug a web server's TCP/IP stack interaction, it might be enough.
When all you have is a hand grenade, all problems look like a ....
hmm?

There's still plenty to figure out. For example, I'm not sure what
the user interface will be like. Now it just attempts to hijack
network communication. It also needs to sync with symbol renaming
in libc, and maybe autogenerate the non-schizophrenic wrappers
where the communication is heading to exactly one destination, lest
I'll be a mummmy by the time I finish writing them all. As a fun
example of a non-non-schizophrenic one, consider poll().

Work in progress, but I managed to get two non-rumped netcats
talking to each other or fetching the index from a non-rumped
thttpd. telnet works in one direction (i can read the data from
netcat, but anything i send back is not printed). bozohttpd uses
dup2() which i haven't bothered to address yet, etcetc.

(not hooking this up the build for now)

branches: 1.1.2;
duh, remember to cvs add hijack.h too...

from pgoyette

use <rump/rumpuser_port.h>

sys/cdefs.h should come from rumpuser_port.h

Noticed by Justin Cormack while building against musl libc.

branches: 1.3.2; 1.3.4;
Make librumphijack compile and work on Linux. Do not try to hijack
calls which are not supported on Linux and therefore cannot be
handled by the rump kernel side syscall emulation (not that they'd
be present in the calling binaries anyway).

branches: 1.2.2; 1.2.6;
Ok, for reasons I can't begin to understand, the binaries I tested
yesterday on powerpc broke overnight. Apparently adding one more
function before the call to dlsym() fixes things again. I hope
I don't have to add another one tomorrow ....

Put the dlsym-from-this-object trampoline into a separate source
module which is compiled -fno-optimize-sibling-calls instead of
trying to fool the optimizer in various ways in the trampoline.

thanks to yamt for the tip

Add an option "modctl" to capture modctl().

branches: 1.12.42; 1.12.44;
document fdoff

Add serial commas.

document vfs and sysctl knobs to RUMPHIJACK

Remove trailing whitespace.

clarify blanket operation a bit more

maybe typo

Add ``blanket''. It acts like path, except that the prefix does
_not_ get removed if the call goes to the rump namespace.

So, now it's possible to use e.g. tcpdump (and most other utilities
which hardcore a /dev pathname) on a rump kernel:

golem> setenv RUMPHIJACK blanket=/dev/bpf
golem> tcpdump -n -i virt0
tcpdump: WARNING: SIOCGIFADDR: virt0: Device not configured
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virt0, link-type EN10MB (Ethernet), capture size 96 bytes
21:55:38.925596 IP 192.168.2.101 > 204.152.190.12: ICMP echo request, id 47811, seq 0, length 64
21:55:39.095596 IP 204.152.190.12 > 192.168.2.101: ICMP echo reply, id 47811, seq 0, length 64

(if you additionally set socket=all in RUMPHIJACK, tcpdump doesn't
whine about the "not configured" interface)

minor clarification

Document .Ev RUMPHIJACK

document RUMPHIJACK_RETRYCONNECT

branches: 1.2.2;
Use rump_sp consistently in chapter 7

nothing gets past the wizd, nothing.

manual page for rumphijack

Begin work on a syscall hijacking library which can be LD_PRELOADed
to convince non-rumped applications to communicate with a rump
kernel instead of the host kernel. The precision of what goes
where is not exactly surgical, but for example when wanting to
debug a web server's TCP/IP stack interaction, it might be enough.
When all you have is a hand grenade, all problems look like a ....
hmm?

There's still plenty to figure out. For example, I'm not sure what
the user interface will be like. Now it just attempts to hijack
network communication. It also needs to sync with symbol renaming
in libc, and maybe autogenerate the non-schizophrenic wrappers
where the communication is heading to exactly one destination, lest
I'll be a mummmy by the time I finish writing them all. As a fun
example of a non-non-schizophrenic one, consider poll().

Work in progress, but I managed to get two non-rumped netcats
talking to each other or fetching the index from a non-rumped
thttpd. telnet works in one direction (i can read the data from
netcat, but anything i send back is not printed). bozohttpd uses
dup2() which i haven't bothered to address yet, etcetc.

(not hooking this up the build for now)