Commit graph

108 commits

Author SHA1 Message Date
Ashod Nakashian
14d96957cd wsd: log macro cleanup
* Simplify log macros.
* Reduce expanded lines (faster compilation).
* Avoid flushing (since we always use ostringstream).

Change-Id: Id10c1a75b5af5d8cdba62d768192ab0a6a9e0aca
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-26 11:13:44 +03:00
Ashod Nakashian
96adaa15d1 wsd: kill coolwsd_fuzzer
coolwsd_fuzzer predates actual fuzzing
with libfuzzer and is currently unused.

Change-Id: Id095b165943ba14dbf525ddc607ad329f5d952d4
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-20 07:12:03 -04:00
Tor Lillqvist
f98900c73c Add a remote font download feature
The coolwsd.xml file can now contain a URI of a JSON file on some
server that contains URIs of fonts. These fonts are downloaded to the
coolwsd server. Just like the remote configuration thing, the URIs are
checked once a minute and the JSON or the fonts mentioned in it are
re-downloaded if their contents have changed.

If a font has been removed from the JSON file then the corresponding
downloaded could be removed, too. But there is no way to remove it
from core without restarting the whole COOL server, so we don't
bother.

We need to put the font in such a place so that its pathname is the
same both in the ForKit process (outside any chroot jail) and in a Kit
process (inside its own jail), because even if it is in the ForKit
process that we call the LO core vcl API to load a "temporary" font,
code elsewhere in LO core re-opens the font file later, naturally
using the same pathname, when it is needed (see
FreetypeFontFile::Map() in vcl/unx/generic/glyphs/freetype_glyphcache.cxx).

Signed-off-by: Tor Lillqvist <tml@collabora.com>
Change-Id: If78058ddff5ed05c7a82d7ea465a7a414fd0d861
2022-04-15 17:32:41 +03:00
Ashod Nakashian
480fb7b931 wsd: move tokenizer helpers into StringVector
In an attempt to reduce the size of Util.{c,h}pp
which has grown to contain all sorts of unrelated
helpers, we move StringVector helpers into
the StringVector.{c,h}pp files.

This makes the code better organized.

Change-Id: I152f341606807ae66253415b951bc9f89b09df57
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-04-12 07:39:07 -04:00
Ashod Nakashian
97a6d1cd98 wsd: support experimental features
This adds a new config option to enable/disable
experimental features and behavior. The default
value can be controlled at build time by
--enable-experimental.

Change-Id: Iffcb4c71d9e0933a646251b63033b6dadcd3b809
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-03-17 18:46:46 -04:00
Ashod Nakashian
4322f87d92 wsd: improved forkit logs
And avoid pid of 0 in getKitPids().

Change-Id: I68743a55aed080ed54d7d8576f269974c644e1b2
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-03-09 19:24:40 -05:00
Ashod Nakashian
6c28ddb07c wsd: exit the kit when we fail to connect to wsd
This prevents the kit from becoming a zombie
when it has an early failure to connect to WSD.

Change-Id: I4e8203b2cc3d80822308236e5b47be0c0c96e9ae
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-02-24 07:38:13 -05:00
Ashod Nakashian
15e600ed9d wsd: exit forkit when WSD dies
This may happen due to various reasons and
is most commonly observed during heavy testing.

We now detect when our parent has exited and
we exit forkit as well, since otherwise it
would be a zombie consuming resources.

Change-Id: I71de0315fe7bee419a9e7d0b564630ff75ae15eb
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-02-24 07:38:13 -05:00
Ashod Nakashian
f8b05a0f83 wsd: support unattended runs
With --unattended, do not wait for a debugger
upon seg-faulting. This avoids the unnecessary wait
that prolongs failed unit-tests in automated runs.
Now run_unit.sh and Cypress Makefile set this flag.

Note that the wait only happens when in debug
builds, or when envar COOL_DEBUG is set. This
prevents us from waiting when running a debug
build where we can't see the output, or indeed
the run is on a CI build machine.

This flag can also be used by devs when reproducing
failures where there is no interest in attaching
a debugger. The logs are shorter and more
readable, too. At least in trace level.

Change-Id: Ice15482c6724abc47f5955402295198eb7f671ee
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-02-17 18:52:48 -05:00
Szymon Kłos
41122e0e5f notebookbar: activate in core when default ui mode
Core needs "notebookbar" ui mode string to activate
notebookbar widgets. If we pass "default" notebookbar
is not activated and style previews widget doesn't work.

followup for b4f588ea3c

Signed-off-by: Szymon Kłos <szymon.klos@collabora.com>
Change-Id: I758dee279c6da8b3fd41e5121f2eb2336539f327
2021-11-23 19:47:25 +01:00
Andras Timar
f07ff8c7e0 rename: remaining lool->cool changes
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Ib7d4e804bebe52dead8d53b0e0bbaed0f08bf3d0
2021-11-18 14:14:11 +01:00
Andras Timar
9a88a95097 --disable-lool-user-checking was renamed to --disable-cool-user-checking at some places, now replace it everywhere
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: I881f8b7adfbb396da8beb07c4d0300a153ecd304
2021-11-17 09:56:09 +01:00
Henry Castro
23afa3843c kit: rename 'lool' -> 'cool'
Change-Id: I4198570d9940a028f1b4d84666a80516174c2f7a
Signed-off-by: Henry Castro <hcastro@collabora.com>
2021-11-17 09:18:38 +01:00
Henry Castro
c07928bf40 misc: more renames 'lool' -> 'cool'
Change-Id: I2d392eef3dff23f2f8737e57bb977fa060ab8ea5
Signed-off-by: Henry Castro <hcastro@collabora.com>
2021-11-17 09:17:50 +01:00
Mert Tumer
81f61c8073 rename: loolforkit -> coolforkit
Signed-off-by: Mert Tumer <mert.tumer@collabora.com>
Change-Id: I1de688dce4b068bff35451604486b72ecc8c91d4
2021-11-16 21:02:24 +01:00
Tor Lillqvist
d6569159b7 Output a Trace Event metadata event identifying each named thread
Move the generic dummy implementation of
TraceEvent::emitOneRecording() to a source file of its own. (That is
the one which is used in test and tool executables.)

Signed-off-by: Tor Lillqvist <tml@collabora.com>
Change-Id: I81cab07e5a6852b42d278a5446c13c3825cf546e
2021-06-21 12:43:17 +03:00
Tor Lillqvist
9c6b74ad08 Use a loolwsd.xml setting instead of --enable-trace-event-logging
That is our convention, and this also avoids a global variable in the
kit process.

Change-Id: I37d2d53aa7eb24f9848fa8ef98bc57d75db90d13
Signed-off-by: Tor Lillqvist <tml@collabora.com>
2021-05-19 13:33:26 +03:00
Tor Lillqvist
9da0145280 Add an --enable-trace-event-logging option to loolwsd
It enables turning Trace Event recording on (and off again). The
option is passed down to the client through loleaflet.html, and to the
KIT processes. If the option is not used, the new JS functions that
send trace events to the server turn into no-ops to avoid wasting
bandwidth.

It is always on in a "make run".

Change-Id: Iafe1919ccba7c376137d3e0568b857e20780bbc8
Signed-off-by: Tor Lillqvist <tml@collabora.com>
2021-05-10 12:39:07 +03:00
Ashod Nakashian
029fe9275e wsd: initialize config and use it in Kit
Change-Id: I0c6047ab2083b3fbfbade89d1c1ef04eb6e3b6c1
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2021-04-02 12:43:39 -04:00
Ashod Nakashian
db36d079ce wsd: pass the config from loolwsd to forkit
Change-Id: If89a5021bc7d86d630511abb65839f5448f4bd3d
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2021-04-02 12:43:39 -04:00
Ashod Nakashian
e0aa90dd3a wsd: simplify lokit_main call
By defining NoCapsForKit and NoSeccomp
as const values for the KIT_IN_PROCESS
case, we have a more consistent and
simpler call-site.

Change-Id: Ife553eab9eaffd96560d4cfb4b8fdcdf26a1b9db
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2021-04-02 12:43:39 -04:00
Michael Meeks
c2b11b5e5b Dump versions when we have a signal.
Change-Id: I6b1f5ac1cebdd05dd9ff9541a5418059f55841ed
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2021-03-25 19:46:36 +00:00
Henry Castro
3d58669af5 kit: revisit log messages ForKit.cpp
LOG_FTL = abnormal, crash, denied service
LOG_ERR = load, save, session, connection, wrong parameters
other cases LOG_WRN, LOG_INF

Change-Id: I105b0d2706db4ffeb2ab10923604f2e06c2d8d77
Signed-off-by: Henry Castro <hcastro@collabora.com>
2021-02-23 21:42:08 -05:00
Andras Timar
2dc31a7648 check if we run in a container
* and fix error reporting: we do not abort every time when loolforkit
  is invoked with incorrect user name

* and better readability of the conditions

Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Idc9db40c00d41c95160db130eb324c487f14de17
2021-01-12 22:24:28 +01:00
Michael Meeks
317dffb817 Optimize copy of jails to hard-linking with new capability.
In some cases we cannot do a fast bind-mount of the files we want
in our jail since we don't have cap_sys_admin for loolmount inside
eg. docker.

Thus we need to fallback to hard-linking, however various security
systems namespace parts of our tree, such that link() fails with
EXDEV even across the (apparently) same file-system.

As such we need to assemble a copy of what we want to hard-link
close to our jails. However, this needs to be owned by root / the
system to avoid having writable files shared between jails. Hence
we need cap_chown in addition to cap_fowner, to get ownership right
and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2021-01-04 15:05:36 +00:00
Ashod Nakashian
01138d7ae0 wsd: save errno before invoking any other functions
Most C and Posix API clobber errno. By failing to save
it immediately after invoking an API we risk simply
reporting the result of an arbitrary subsequent API call.

This adds LOG_SYS_ERRNO to take errno explicitly.
This is necessary because sometimes logging is not done
immediately after calling the function for which we
want to report errno. Similarly, log macros that log
errno need to save errno before calling any functions.
This is necessary as the arguments might contain calls
that clobber errno.

This also converts some LOG_SYS entries to LOG_ERR
because there can be no relevant errno in that context
(f.e. in a catch clause).

A couple of LOG_ macros have been folded into others,
reducing redundancy.

Finally, both of these log macros append errno to the
log message, so there is little point in ending the
messages with a period.

Change-Id: Iecc656f67115fec78b65cad4e7c17a17623ecf43
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-12-29 11:40:17 +00:00
Ashod Nakashian
693a2e19e3 wsd: SocketPoll::poll accepts chrono duration
Cleans up some of the conversions and implicit
unit in integral types.

Change-Id: I79f35b92f8f631894e55bdb39851b050870fce96
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-12-22 11:24:13 -05:00
Ashod Nakashian
693ac2fa52 wsd: logs and const
Change-Id: Id7e4f81ab9709b62eddfa747479ab593a5ad45a2
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-12-22 11:24:13 -05:00
Jan Holesovsky
c44609532a Root actually has all the capabilities.
Signed-off-by: Jan Holesovsky <kendy@collabora.com>
Change-Id: If49be334cb1380daf1eaf24c7007f1b004754304
2020-12-18 23:15:57 +01:00
Gökay Şatır
cdd10066df AdminConsole: Additional changes based on reviews.
Change-Id: I277d9179a84dc34aae9770a07a3a72d35a24a0a6
Signed-off-by: Gökay Şatır <gokaysatir@collabora.com>
2020-12-07 17:30:51 -05:00
Gökay Şatır
b51413c0a0 Admin console: Cosmetic changes and documentation.
Change-Id: I977b5bc56f44c44b8bedf9f9bd710e7050fe67ff
Signed-off-by: Gökay Şatır <gokaysatir@collabora.com>
2020-12-07 17:30:51 -05:00
Gökay Şatır
ace1c23a99 Admin console log levels.
Now chosen log level is propagated to forkit and kits.
Also, admin console users can filter logs according to their channel names on client side.

Change-Id: Ife15a6148ed87533b81e9d63da252c633e74e559
Signed-off-by: Gökay Şatır <gokaysatir@collabora.com>
2020-12-07 17:30:51 -05:00
Jan Holesovsky
d9708437b2 Compare string the c++ way + clarify the message for the user.
Signed-off-by: Jan Holesovsky <kendy@collabora.com>
Change-Id: I32c4667380301853b1a89b35fc0480849f75b14c
2020-11-30 11:24:31 +01:00
Ashod Nakashian
1f24489db6 wsd: retry jail cleanup if it fails
It is possible for the jail directory cleanup
to fail, if there are still references to at
least one file in the jail. In those cases we
keep the jail path around so we can retry the
next time we cleanup a jail. This reduces
the chance of leaking jails until restarting
the service.

Change-Id: If6116ef598afc91063de71c66870bd6426a971ba
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-11-19 10:12:38 +00:00
Gleb Popov
7553c1f2fb ForKit.cpp: Implement haveCorrectCapabilities() for FreeBSD by checking that
we are running as root.

Change-Id: I1aa1cfe92e25f754b7a9dd5e658f00d05346f38c
Signed-off-by: Gleb Popov <6yearold@gmail.com>
2020-11-16 14:02:23 +00:00
Andras Timar
0002fdfd6c fix license headers
Change-Id: I8623770b32d278a45357dc7f757fabfadd2b4af7
2020-10-01 11:56:43 +02:00
Ashod Nakashian
29a5a1f1e9 wsd: move jail setup to the script to support readonly systemplate
We now gracefully fallback to copying when/if systemplate
is readonly.

The bulk of the change is to support proper cleanup in
both cases.

First, we had to move as much of the jail bootstrapping
into the loolwsd-systemplate-setup script, so systemplate
will be as complete as possible before it is locked down.
Next, we needed to update the jail with graceful fallback
to linking/copying upon failure. For that, the jail setup
logic in Kit.cpp has been reworked to support not just
update failures, but also more comprehensive mounting
failures as well.

Finally, jail cleanup now is seamless. To support proper
cleanup when we had mounting enabled but had to fallback,
we mark jails that aren't mounted so we can 'rm -rf' the
contents safely and without fear of causing undue damage
(as unlikely as that is, technically we wouldn't want to
rm systemplate files, if mounting read-only had failed).

There are a few minor refactorings of JailUtil to make
it cleaner and more robust.

Change-Id: Iac34869cb84f45acf64fbbc46d46898367b496d2
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/101260
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
2020-08-25 07:58:30 +02:00
Michael Meeks
ca5d5943e4 Kit: add initial state dumping on USR1.
Change-Id: I8225f686e8678c08e505490df056904fc813d2fe
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/98927
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-07-18 18:21:14 +02:00
Michael Meeks
6ca6a7649e Forkit: add dump_forkit_state and re-factor state checks to simplify.
Change-Id: Ic65bbd0894f26f69e1b55c769ac47013f9aaf163
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/98746
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-07-14 17:28:32 +02:00
Tor Lillqvist
3edc4d2201 Move the setupKitEnvironment() function into a file of its own
A small re-factoring to help planned re-plumbing of the iOS app.

Change-Id: I21f09216a7c5adf965179765a75f5a0d521cd7f3
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/97771
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>
2020-07-03 08:40:49 +02:00
Ashod Nakashian
5c9988f2e3 wsd: faster jail setup via bind-mount
loolmount now works and supports mounting and
unmounting, plus numerous improvements,
refactoring, logging, etc. When enabled,
binding improves the jail setup time by anywhere
from 2x to orders of magnitude (in docker, f.e.).

A new config entry mount_jail_tree controls
whether mounting is used or the old method of
linking/copying of jail contents. It is set to
true by default and falls back to linking/copying.
A test mount is done when the setting is enabled,
and if mounting fails, it's disabled to avoid noise.

Temporarily disabled for unit-tests until we can
cleanup lingering mounts after Jenkins aborts our
build job. In a future patch we will have mount/jail
cleanup as part of make.

The network/system files in /etc that need frequent
refreshing are now updated in systemplate to make
their most recent version available in the jails.
These files can change during the course of loolwsd
lifetime, and are unlikely to be updated in
systemplate after installation at all. We link to
them in the systemplate/etc directory, and if that
fails, we copy them before forking each kit
instance to have the latest.

This reworks the approach used to bind-mount the
jails and the templates such that the total is
now down to only three mounts: systemplate, lo, tmp.

As now systemplate and lotemplate are shared, they
must be mounted as readonly, this means that user/
must now be moved into tmp/user/ which is writable.

The mount-points must be recursive, because we mount
lo/ within the mount-point of systemplate (which is
the root of the jail). But because we (re)bind
recursively, and because both systemplate and
lotemplate are mounted for each jail, we need to
make them unbindable, so they wouldn't multiply the
mount-points for each jail (an explosive growth!)
Contrarywise, we don't want the mount-points to
be shared, because we don't expect to add/remove
mounts after a jail is created.

The random temp directory is now created and set
correctly, plus many logging and other improvements.

Change-Id: Iae3fda5e876cf47d2cae6669a87b5b826a8748df
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92829
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-07-01 05:42:43 +02:00
Szymon Kłos
11965d083e notebookbar: early init
- read settings from loolwsd.xml
- in case of notebookbar activated send :notebookbar parameter
- for mobile apps I left empty parameter in setupKitEnvironment calls

Change-Id: I5813589564b37eecc1e77c5d0eb737eca5f92f04
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/97233
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Szymon Kłos <szymon.klos@collabora.com>
2020-06-30 08:15:25 +02:00
Ashod Nakashian
d2d0492245 wsd: move LOOLProtocol::tokenize to Util::tokenize
The tokenizer(s) are more generic than the protocol
logic, and are used from contexts that don't involve
the protocol as such.

Change-Id: Ie8c256bf11a91e466bff794021f41603c9596a7f
2020-06-02 18:03:36 +01:00
Ashod Nakashian
224ef08c7f wsd: single-char string literals -> char
More readable and typically more efficient.

Change-Id: I9bd5bfc91f4ac255bb8ae0987708fb8b56b398f8
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95285
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-06-02 01:31:26 +02:00
Pranam Lashkari
8b349716eb killpoco: removed Poco::Process completely
Change-Id: Iba67abf9342c11517c69c1d94903bf4752aa87d6
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/83770
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Jan Holesovsky <kendy@collabora.com>
2020-04-29 14:27:54 +02:00
Pranam Lashkari
b67b335b50 killpoco: Removed Poco::Thread::sleep
Replaced method with std::this_thread::sleep_for

Change-Id: I26e37475d67816e4f1d68d222b1c067107c27b05
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/83200
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Jan Holesovsky <kendy@collabora.com>
2020-04-29 10:28:53 +02:00
Jan Holesovsky
eb88cb485c Allow running the production build under a non-lool user when necessary.
But it is insecure, so warn about that.

Change-Id: I151be64f53521e217a5498c0531c9ef2ff8db818
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92822
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Jan Holesovsky <kendy@collabora.com>
2020-04-24 20:58:43 +02:00
Tor Lillqvist
378a2b5295 Bin a couple of unintentionally committed LOG_TRC() calls
Change-Id: Ieadc06a38d71aed723191f1738f8f39154978091
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92476
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>
2020-04-18 16:35:15 +02:00
Tor Lillqvist
4eb598711c Use #pragma once
LibreOffice core uses that, too, and we support an even more
restricted set of compilers.

Change-Id: I0d0e2c8608e323eb5ef0f35ee8c46d02ab49a745
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92467
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>
2020-04-18 15:00:18 +02:00
Michael Meeks
a7dc2d1467 kill IoUtil - obsolete & unused.
The switch away from LOOLWebSocket and the use of a websocket
for talking to forkit removes the need for the pipe code.

Change-Id: Ifb0c6c88681289e7a1709d9bc3281532935c7be4
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92033
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-04-10 16:38:25 +02:00