exec: remove support for transparently unbzip2ing executables

Remove support for transparently unbzip2ing executables from the exec
server. The code in question makes the exec server unnecessarily
complex and since the exec server is an essential process, crashing it
makes /hurd/init crash the whole system.

Since the bzip2 code is not thread-safe, all access to it is
serialized, so there is a trivial way for one user to delay another
users bzip2ed executables for some unspecified time.

This can be accomplished by padding any program with easily compressed
data, zipping it and executing it. Using such a program as an passive
translator and then triggering its execution by the filesystem
translator also stalls any requests to that filesystem (observed using
the libdiskfs-based ext2fs).

Since compressed executables cannot be mapped into the memory, they
have to be uncompressed into allocated memory first. This is slower
and any user with access to the exec server can make it allocate
arbitrary amounts of memory. If the Hurd had proper memory accounting,
this would probably be a way around it.

So the compression support in exec seemingly creates various issues
for little value, at least with the abundance of nonvolatile memory
available today.

* exec/Makefile: Remove bzip2 related files.
* exec/exec.c: Remove anything #ifdef BZIP2ed.
* exec/do-bunzip2.c: Move to libstore.

3 files changed, 3 insertions, 129 deletions

diff --git a/exec/Makefile b/exec/Makefile
index eb883612..11d28752 100644
--- a/exec/Makefile
+++ b/exec/Makefile
@@ -21,14 +21,12 @@ dir := exec
 makemode := server
 
 SRCS = exec.c main.c hashexec.c hostarch.c
-#       $(gzip-sources) $(bzip2-sources)
+#       $(gzip-sources)
 OBJS = main.o hostarch.o exec.o hashexec.o \
        execServer.o exec_startupServer.o
-#       $(gzip-objects) $(bzip2-objects)
+#       $(gzip-objects)
 gzip-sources = unzip.c util.c inflate.c
 gzip-objects = $(gzip-sources:%.c=%.o)
-bzip2-sources = do-bunzip2.c
-bzip2-objects = $(bzip2-sources:%.c=%.o)
 
 target = exec
 #targets = exec exec.static
@@ -40,6 +38,6 @@ exec-MIGSFLAGS = -imacros $(srcdir)/execmutations.h
 
 include ../Makeconf
 
-CPPFLAGS += # -DGZIP -DBZIP2 -DBFD
+CPPFLAGS += # -DGZIP -DBFD
 
 exec.static exec: $(OBJS) $(library_deps)
diff --git a/exec/exec.c b/exec/exec.c
index 6eb81c8a..201e629a 100644
--- a/exec/exec.c
+++ b/exec/exec.c
@@ -7,9 +7,6 @@
    #ifdef GZIP
    Can gunzip executables into core on the fly.
    #endif
-   #ifdef BZIP2
-   Can bunzip2 executables into core on the fly.
-   #endif
 
 This file is part of the GNU Hurd.
 
@@ -52,10 +49,6 @@ pthread_rwlock_t std_lock = PTHREAD_RWLOCK_INITIALIZER;
 static void check_gzip (struct execdata *);
 #endif
 
-#ifdef BZIP2
-static void check_bzip2 (struct execdata *);
-#endif
-
 /* Zero the specified region but don't crash the server if it faults.  */
 
 #include <hurd/sigpreempt.h>
@@ -838,105 +831,6 @@ check_gzip (struct execdata *earg)
   prepare_in_memory (e);
 }
 #endif
-
-#ifdef BZIP2
-/* Check the file for being a bzip2'd image.  Return with ENOEXEC means not
-   a valid bzip2 file; return with another error means lossage in decoding;
-   return with zero means the file was uncompressed into memory which E now
-   points to, and `check' can be run again.  */
-
-static void
-check_bzip2 (struct execdata *earg)
-{
-  struct execdata *e = earg;
-  /* Entry points to bunzip2 engine.  */
-  void do_bunzip2 (void);
-  /* Callbacks from unzip for I/O and error interface.  */
-  extern int (*unzip_read) (char *buf, size_t maxread);
-  extern void (*unzip_write) (const char *buf, size_t nwrite);
-  extern void (*unzip_read_error) (void);
-  extern void (*unzip_error) (const char *msg);
-
-  char *zipdata = NULL;
-  size_t zipdatasz = 0;
-  FILE *zipout = NULL;
-  jmp_buf ziperr;
-  off_t zipread_pos = 0;
-  int zipread (char *buf, size_t maxread)
-    {
-      char *contents = map (e, zipread_pos, 1);
-      size_t n;
-      if (contents == NULL)
-	{
-	  errno = e->error;
-	  return -1;
-	}
-      n = MIN (maxread, map_buffer (e) + map_fsize (e) - contents);
-      errno = hurd_safe_copyin (buf, contents, n); /* XXX/fault */
-      if (errno)
-        longjmp (ziperr, 2);
-
-      zipread_pos += n;
-      return n;
-    }
-  void zipwrite (const char *buf, size_t nwrite)
-    {
-      if (fwrite (buf, nwrite, 1, zipout) != 1)
-	longjmp (ziperr, 1);
-    }
-  void ziprderr (void)
-    {
-      errno = ENOEXEC;
-      longjmp (ziperr, 2);
-    }
-  void ziperror (const char *msg)
-    {
-      errno = ENOEXEC;
-      longjmp (ziperr, 2);
-    }
-
-  unzip_read = zipread;
-  unzip_write = zipwrite;
-  unzip_read_error = ziprderr;
-  unzip_error = ziperror;
-
-  if (setjmp (ziperr))
-    {
-      /* Error in unzipping jumped out.  */
-      if (zipout)
-	{
-	  fclose (zipout);
-	  free (zipdata);
-	}
-      e->error = errno;
-      return;
-    }
-
-  zipout = open_memstream (&zipdata, &zipdatasz);
-  if (! zipout)
-    {
-      e->error = errno;
-      return;
-    }
-
-  /* Call the bunzip2 engine.  */
-  do_bunzip2 ();
-
-  /* The output is complete.  Clean up the stream and store its resultant
-     buffer and size in the execdata as the file contents.  */
-  fclose (zipout);
-
-  /* Clean up the old exec file stream's state.
-     Now that we have the contents all in memory (in E->file_data),
-     nothing will in fact ever try to use E->stream again.  */
-  finish (e, 0);
-
-  /* Prepare the stream state to use the file contents already in memory.  */
-  e->file_data = zipdata;
-  e->file_size = zipdatasz;
-  prepare_in_memory (e);
-}
-#endif
 
 
 static inline void *
@@ -1014,24 +908,6 @@ do_exec (file_t file,
 	    check (e);
 	}
 #endif
-#ifdef BZIP2
-      if (e->error == ENOEXEC)
-	{
-	  /* See if it is a compressed image.  */
-	  static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
-	  /* The bzip2 code is really cheesy, not even close to thread-safe.
-	     So we serialize all uses of it.  */
-	  pthread_mutex_lock (&lock);
-	  e->error = 0;
-	  check_bzip2 (e);
-	  pthread_mutex_unlock (&lock);
-	  if (e->error == 0)
-	    /* The file was uncompressed into memory, and now E describes the
-	       uncompressed image rather than the actual file.  Check it again
-	       for a valid magic number.  */
-	    check (e);
-	}
-#endif
     }
 
 
diff --git a/exec/do-bunzip2.c b/libstore/do-bunzip2.c
index 716a0cde..716a0cde 100644
--- a/exec/do-bunzip2.c
+++ b/libstore/do-bunzip2.c