Commit graph

152 commits

Author SHA1 Message Date
Caolán McNamara
9e2504b0d0 use a separate mount namespace for each jail process
create mount namespace with local uid 0 just before we need to do the
mounts and create another with the original uid when done.

The inner orig-uid probably doesn't amount to a whole lot in practice,
but it's more reassuring to run as not-0.

Disconnect namespace config option from experimental, but continue to
default off.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Ia68c1c1c0bc7a91eb158f5d189453b683fea0ef0
2024-07-12 09:14:33 +01:00
Michael Meeks
0e4a64d179 bgsave: add a thread hook tracker.
This can dump a backtrace every time we spawn a new thread,
useful for trying to find the lingering save torture test
thread that makes tests fail with:

WRN  Failed to ensure we have just one, we have: 2| kit/Kit.cpp:1409

And stops background save from happening for some reason.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I887d39cbda0888675f1a88d57474351495fd8330
2024-07-05 20:36:02 +01:00
Caolán McNamara
85eaec2311 add 'mount_namespaces' option to use linux mount namespaces
If experimental_features and mount_namespaces are enabled and it is
possible to "unshare", then instead of coolforkit exec coolforkitns, which
doesn't have any capabilities set, and in-process mount inside a namespace
instead of calling coolmount.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I48bef12b9156f41c78221e750a30aacee8a737a9
2024-07-02 13:31:38 +01:00
Ashod Nakashian
6ed575f6af wsd: test: unit-test validation in debug only
Unit-tests are only ever run in debug builds by
design (there is a check in test/run_unit.sh to
build with --enable-debug to run the tests).

In our release builds, we have seen cases where
the process exits with an error code because
the unit-test logic thinks it ran a test and failed.
It also generates error log and other log entries
when initializing and uninitializing the unit-test
logic.

This excludes unit-test logs and the failure
check in non-debug builds to avoid such errors
and reduce noise.

Change-Id: I9f472172b72770551a491ff6e19ab9b997fcf365
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2024-06-12 09:15:40 +01:00
Michael Meeks
b95e4d8424 Logging: annotate WebSocket, Admin and cleanup Forkit.
Significantly calmer and less frenzied logging output.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I0f1782c0b8f10ac3427bac479ded2862f2b40b7a
2024-05-14 18:37:52 +02:00
Michael Meeks
9b6ab4c601 Logging: add Area parameter and new LOGA_ macros to annotate areas.
Add logging.disabled_areas setting to coolwsd.xml with some sensible
things to ignore unless they are warnings/errors.

Kit code duplication around logging is grim; but not fixed in this
commit.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I36bebb2b3c8d64a814d7b10c167d582de0baf4e5
2024-05-14 18:37:52 +02:00
Michael Meeks
72bbc375be Add more comment warnings around security critical code.
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I1ca4a54d076a8f95850f329168c941806bc56b16
2024-05-07 13:11:30 +01:00
Michael Meeks
31624e869c test: cleanup logging accounting post fork, for more helpful tests.
coolforkit: common/Log.cpp:677: void Log::shutdown(): Assertion
`ThreadLocalBufferCount <= 1 && "Unstopped threads may have unflushed
buffered log entries"' failed.

Was caused by mis-accounting. Also join document threads on 'exit'
which happens during unit tests to ensure we don't hit the above.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I523e723e54e4252ae0d65de36af086e97dd79f04
2024-04-29 10:56:54 +02:00
Michael Meeks
12310c7dec test: allow an exitTest to work in Kit and propagate its result.
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I0d32d46e81eb3ed42d8531860ef2d8e06bdca591
2024-04-29 10:56:54 +02:00
Michael Meeks
884a841cde Logging: wrap poco and simplify logging.
Centralize more logging functionality in Log.cpp, simplify and
wrap underlying logging APIs better.

Code is much more generic, and hides implementation details
much more thoroughly, while keeping the same API / wrappers.

To do this we have to sub-class Poco::Logger to get access to
its generic 'log' method instead of a mess of in-line wrappers;
this lets us avoid lots of code.

Change-Id: I541d3aef49f99ce582655c5102a0041bf84cd56a
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-04-24 10:59:51 +01:00
Michael Meeks
030acb1a85 bgsave: Add SLEEPBACKGROUNDFORDEBUGGER environment variable.
Change-Id: I7284d03ddcd79a0848d1cca9b219e2ef96548511
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-04-17 08:35:30 +01:00
Caolán McNamara
bae0a91082 use SigUtil::setUserSignals before creating SocketPoll
The SocketPoll ctor may, depending on the COOL_WATCHDOG env variable,
want to override the SIG2 handler, so set user signal handlers before
that; otherwise that choice is overwritten.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I305570ab8becb41f0696e60908c1ca26fd9ba14a
2024-04-13 20:07:16 +01:00
Michael Meeks
144b701453 cool#8703 - Drop random node creation and rely on inherited fd.
Re-using an inherited file descriptor to /dev/urandom frees us
from problems with mount options including 'nodev' and removes a
capability from the set we need.

Change-Id: I70337e923f802d7efbd3159c11a4e39f6529b6e6
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-04-07 12:11:48 +02:00
Caolán McNamara
bb7cd9f357 After fork we don't have a watchdog thread
So watchdog won't fire for a stalling kit.

After a fork the child has only one thread, but a copy of the watchdog
object.

Stop the watchdog thread before fork, let the child discard its copy of
the watchdog that is now in a discardable state.

And allow it to create a new one on the next SocketPoll ctor.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I7dc166dca3996401fbdc20cd7643f944662454c8
2024-04-05 10:50:33 +01:00
Michael Meeks
40f4977792 forkit: quicker zombie reaping by handling SIGCHLD.
Should launch new children more quickly on child death,
as well as getting to a waitpid and cleaning the zombies
faster too.

Change-Id: I06c36f63ac7ff52c407f739f1ce10d5e680fb82f
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-03-26 20:16:08 +00:00
Michael Meeks
fd77301ebb polls: switch compiled in delays to 60 seconds.
Forkit forking children is done in response to socket messages,
and parent process death should kill us too.

In general if we are relying on a poll to spin to achieve
something, we have a performance bug; this should exacerbate them
to flush them out.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I60d1c3b3c2532bbd686a3d3cfdea10f2a541a19a
2024-03-25 08:18:35 +00:00
Jaume Pujantell
8921e19d84 reduce uses of MOBILEAPP on some files
Reduce the uses of MOBILEAPP conditionals by using the isMobileApp
function.

Signed-off-by: Jaume Pujantell <jaume.pujantell@collabora.com>
Change-Id: If541307fbc457b342674cc560b6c53454f3904cf
2024-03-20 09:13:00 +01:00
Michael Meeks
d6c49d4183 Cleanup ForKit's SocketPoll after forking.
Don't leave the wake-pipes lying around; it can't do any good
to have these cloned, and shared between child processes.

Change-Id: Ieb6c5c8fdd1285bc514116a1e00de76bcc5a1773
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-03-15 11:41:23 +00:00
Michael Meeks
e9ef062eee Set thread name early & cleanup thread_locals.
On fork a thread_local variable simply inherits the parent's
value - so clearing the cached thread_id helps to make
logging more accurate.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: Ib03d2605489291589854caa10940fd7c11caea36
2024-03-15 11:41:23 +00:00
Michael Meeks
a702d29244 Re-factor thread counting into a ThreadCounter class.
This can rewinddir on a persistently open file descriptor
pointed at /proc/self/task opened before dropping privileges.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: Ie5a5948300c46c8c6a65f7f7eda3a60a9d5cf9c3
2024-03-07 09:36:00 +00:00
Michael Meeks
c117d87bb4 nearly pure re-factor: split out code into its own modules.
StateRecorder.hpp split from ChildSession.cpp
KitWebSocketHandler.[ch]pp split from Kit.cpp.
ThreadPool.hpp split from RenderTiles.hpp

Expose headers for KitSocketPoll and Document
at the same time.

Not clear we need the DocumentManagerInterface anymore.

Conditionally compile out Document::createSession for unittest
dependency breaking, and avoid Rlimit::handleSetrlimitCommand
likewise.

Make makePropertyValue a private method of Kit.cpp.

clang-format new files.

Change-Id: I47a1d6afe20165f156b477a931b94c916cff4b9d
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2024-03-06 20:56:55 -05:00
Jaume Pujantell
35d6e2925f use isKitInProcess() instead of KIT_IN_PROCESS
Removed all uses of KIT_IN_PROCESS, used Utils::isKitInProcess()
when necessary. Also removed the now unused parameter 'limit' from
forkLibreOfficeKit.

Signed-off-by: Jaume Pujantell <jaume.pujantell@collabora.com>
Change-Id: I068d3f55ab49076590f111847c87b3188f4d25d0
2023-12-18 10:34:10 +00:00
Jaume Pujantell
eca990920a add logic to spawn threads instead of processes
Added code that spawns forkit and lokit in threads instead of new processes.

Signed-off-by: Jaume Pujantell <jaume.pujantell@collabora.com>
Change-Id: I6b6ad6dccfedaf28ebd0d68851205c540b9a0317
2023-12-18 10:34:10 +00:00
Jaume Pujantell
8f178ef6cd extract some functions to extra files for in process mode
Extract some functions from ForKit.cpp and COOLWSD.cpp to new files
so we can do a kit in process mode without using ifdef directives.

Signed-off-by: Jaume Pujantell <jaume.pujantell@collabora.com>
Change-Id: I7529f8f46a8026318244666b27d1ce72ed5ad4ca
2023-12-18 10:34:10 +00:00
Darshan-upadhyay1110
3f46c1db44 kit-in-process: pure re-factor to a run-time function to flag this.
Avoids a number of compile time conditionals and adds flexibility.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: Iff6b294b504526e70715e436ad33d47c8df4752c
2023-11-22 17:06:29 +00:00
Michael Meeks
7183a3d3de spdx: improve machine and human readability of headers.
Change-Id: Ice934380029bf27054e830fffc07a5d037d1430f
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2023-11-14 19:36:31 +00:00
Caolán McNamara
e95489864b keep quarantine files on SIGABRT too
AdminModel::cleanupResourceConsumingDocs uses SIGABRT as the first
attempt to kill misbehaving documents; we should give
DocumentBroker a chance to quarantine documents killed off by
SIGABRT as we do for SIGSEGV/SIGBUS.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Ic3a703572393050379b5a1444a5380bbeafcf2d3
2023-10-16 14:27:27 +02:00
Caolán McNamara
14d4d18701 don't immediately delete jails where there was a crash
skip deleting those jails for a few minutes to allow
the DocumentBroker to quarantine the document

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I781eeb77d491fe82a0bfe42eb09439c88f2454b7
2023-10-04 17:29:25 +01:00
Caolán McNamara
0f5c171433 do init_gather_lut at start if simd::init succeeds
and avoid local static in simd_initPixRowSimd

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Idb89d5069da5ff10b346b5e4d767374d4529a96f
2023-09-26 08:39:20 +01:00
Michael Meeks
cce3767ba8 First cut SIMD wrappers / separation to accelerate RLE code.
Split it out as a C file, to avoid accidental C++ header inclusion,
and C is a cross-platform assembler anyway so a good match.

Change-Id: I6c042781713aecaf143b9663af8377659a7deaf1
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2023-09-25 16:55:04 +01:00
Ashod Nakashian
efe874f89c wsd: simplify shutdown and termination flagging
With the use of a single flag for both, the
logic is now less ambiguous, as we cannot have
termination flagged without also implying
shutting down.
The assertions are no longer needed.

Now that setting the termination flag
explicitly implies having the shut down flag
as well, the checks are simpler. We only
need to check that the shutdown is not set
to continue running as normal; since having
the termination flag must perforce mean shut
down is also set, there is no need to check
both.

Change-Id: I99e22f5668385182b0594040a8e3354b55e74642
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-08-14 16:32:50 +02:00
Ashod Nakashian
cec4cf087a wsd: test: initialize logs before unit-tests
Make sure that the logging subsystem is
already initialized before starting
unit-tests.

Change-Id: I2ce3ffdb2d3b0094ae7ed496d7cacfc02af89c21
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-05-31 07:40:11 -04:00
Ashod Nakashian
ff1657934a wsd: simplify log streaming
Change-Id: Id22de0bc06680f957e7475f142bcaf1131fdbdb9
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-05-10 08:46:11 -04:00
Michael Meeks
f6bd976f00 Jail cleanup - include coolwsd pid + hash into a jails sub-directory.
This avoids removing the jails of other running coolwsd that share
the same jails/ directory, such as unit-tests, cypress tests etc.

Assert on fatal system error to help catch this during test builds.

Remove old unit-test specific approach, and generalize it, since
apparently we did a recursive cleanup of other people's jails anyway.

Remove over-complicated recursive approach, for a rather simpler
one-level scheme. Avoid following symlinks too for safety.

Remove obsolete lo_jail_subpath setting.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I371f8c0e22f64fb2befb4b58f72cefa39567f3b5
2023-04-25 10:41:57 +01:00
Ashod Nakashian
74d6739f0d wsd: time the duration of fork
Change-Id: I92f624139f274df95a47f430802a29d33d587689
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-03-06 08:43:37 -05:00
Michael Meeks
dadfbf0579 allow more verbose log-level during startup to be configured.
Previously this defaulted to 'trace' - now it can be configured, but
still defaults to 'trace'.

Change-Id: I0ecf2f0b991cd8cc29dbde866dd4589be4ca7957
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2022-11-21 21:44:05 +01:00
Ashod Nakashian
956f37c7a7 wsd: test: merge the results of all tests
Since we can have multiple tests in a single
unit-test .so, we need to merge the results
of each test into a single result that is
used when we exit the process and flag for
failure or success.

Change-Id: Ia49f5542efd6dd998b61c17965fd3fe3245159ba
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-11-15 07:04:58 -05:00
Ashod Nakashian
cc222a708c wsd: test: make dlhandle static and properly cleanup
We now properly cleanup unit-tests .so libs.

This helps having multiple tests by making
the dlhandle an independent variable of
all the tests.

Change-Id: Ifc8db400aebfe8ea41dcc4df2d11856c25b36074
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-11-15 07:04:58 -05:00
Ashod Nakashian
0c6413bf87 wsd: fix multi-part logging
This was a regression introduced in
14d96957cd.

The result was that multi-part logs were
not flushed and therefore not written to
the output.

Change-Id: Ib22a1da83209b00872d91ca05a940226cbb4552d
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-09-13 09:45:43 +02:00
Aron Budea
c4975d01e5 Split config.h into separate headers to avoid extensive rebuild
E.g. if only the version was changed, config.h was updated, and
everything was recompiled.

New structure, maintain these manually:
config.h.in - for configured variables that are stable if
              configuration parameters are unchanged
config_version.h.in - for version/hash related variables

----
config_unused.h.in - still generated by autoheader with all
                     variables, don't use it

Signed-off-by: Aron Budea <aron.budea@collabora.com>
Change-Id: Id9a50a9f1e798a3b3814778d8683b7d7cb57bb29
2022-09-05 12:32:49 +01:00
Ashod Nakashian
5c6516e4e4 wsd: support code-coverage report via --with-coverage
This adds support for code-coverage HTML reporting.
To achieve this, we must use file-linking in jails
so that we can update the coverage data (.gcda files)
from the jails. This means that creating jails is
slower than with bind-mounting and we need to
account for that in our timeouts.

We also can't kill child processes with SIGKILL,
which is un-catchable. Instead, we use SIGTERM
and dump the profile data before exiting.

Change-Id: I16fa534f6ed42f7133014d841bb024423315e0a4
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-02 14:45:12 -04:00
Ashod Nakashian
4e9b836ea6 wsd: always use Util::forcedExit to properly cleanup
We need to flush and shutdown logging before exiting,
so we can't use _exit/_Exit directly.

In addition, with profiling (e.g. code-coverage) we
must flush the profile data, lest it's all for naught.

Change-Id: I726c5a2f4e699c17dd0d7d5b1c86d856e0118b3c
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-02 07:51:52 -04:00
Ashod Nakashian
fc3b4ab717 wsd: sig: merge setTerminationSignals with setFatalSignals
This simplifies the signal handling setup.

Change-Id: Id121a9df45fc11bfdea627f9828e0b624b1b2284
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-12 13:43:43 +01:00
Ashod Nakashian
8004653c63 wsd: jail: no need to pass loSubPath between processes
Since the value of the loSubPath (i.e. the directory
name of lo within the jail) is a compile-time constant,
there is no reason to pass it around at runtime.

Change-Id: If7457ea7f3e3fe5c42215eed3ce1ce4c8f328f16
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-12 13:43:43 +01:00
Ashod Nakashian
14d96957cd wsd: log macro cleanup
* Simplify log macros.
* Reduce expanded lines (faster compilation).
* Avoid flushing (since we always use ostringstream).

Change-Id: Id10c1a75b5af5d8cdba62d768192ab0a6a9e0aca
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-26 11:13:44 +03:00
Ashod Nakashian
96adaa15d1 wsd: kill coolwsd_fuzzer
coolwsd_fuzzer predates actual fuzzing
with libfuzzer and is currently unused.

Change-Id: Id095b165943ba14dbf525ddc607ad329f5d952d4
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-20 07:12:03 -04:00
Tor Lillqvist
f98900c73c Add a remote font download feature
The coolwsd.xml file can now contain a URI of a JSON file on some
server that contains URIs of fonts. These fonts are downloaded to the
coolwsd server. Just like the remote configuration thing, the URIs are
checked once a minute and the JSON or the fonts mentioned in it are
re-downloaded if their contents have changed.

If a font has been removed from the JSON file then the corresponding
downloaded font could be removed, too. But there is no way to remove it
from core without restarting the whole COOL server, so we don't
bother.

We need to put the font in such a place that its pathname is the
same both in the ForKit process (outside any chroot jail) and in a Kit
process (inside its own jail), because even if it is in the ForKit
process that we call the LO core vcl API to load a "temporary" font,
code elsewhere in LO core re-opens the font file later, naturally
using the same pathname, when it is needed (see
FreetypeFontFile::Map() in vcl/unx/generic/glyphs/freetype_glyphcache.cxx).

Signed-off-by: Tor Lillqvist <tml@collabora.com>
Change-Id: If78058ddff5ed05c7a82d7ea465a7a414fd0d861
2022-04-15 17:32:41 +03:00
Ashod Nakashian
480fb7b931 wsd: move tokenizer helpers into StringVector
In an attempt to reduce the size of Util.{c,h}pp
which has grown to contain all sorts of unrelated
helpers, we move StringVector helpers into
the StringVector.{c,h}pp files.

This makes the code better organized.

Change-Id: I152f341606807ae66253415b951bc9f89b09df57
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-12 07:39:07 -04:00
Ashod Nakashian
97a6d1cd98 wsd: support experimental features
This adds a new config option to enable/disable
experimental features and behavior. The default
value can be controlled at build time by
--enable-experimental.

Change-Id: Iffcb4c71d9e0933a646251b63033b6dadcd3b809
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-03-17 18:46:46 -04:00
Ashod Nakashian
4322f87d92 wsd: improved forkit logs
And avoid pid of 0 in getKitPids().

Change-Id: I68743a55aed080ed54d7d8576f269974c644e1b2
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-03-09 19:24:40 -05:00