Fixed mapping of relative paths.

- Relative paths are (again) mapped to relative paths whenever possible.
- SB2 used to be able to map to relative paths until the "fdpathdb" was
  added (fdpathdb must get absolute mapping results). The previous solution
  for relative results was disabled in mid-january, because it was clear that
  some refactoring was needed to be able to use both the fdpathdb functionality
  and relative mapping results.
- This commit now introduces a proper fix: Path mapping results are returned
  in a structure, where an absolute and a relative result can co-exist.
- Also, the lower levels of path mapping logic (parts that are implemented
  in C) were re-organized and cleaned; the code should be easier to follow
  and more efficient now.

9 files changed, 430 insertions, 358 deletions

diff --git a/include/mapping.h b/include/mapping.h
index ee8a883..46fd41c 100644
--- a/include/mapping.h
+++ b/include/mapping.h
@@ -13,14 +13,49 @@
 #define enable_mapping(a) ((a)->mapping_disabled--)
 #define disable_mapping(a) ((a)->mapping_disabled++)
 
-extern char *scratchbox_path(const char *func_name, const char *path,
-	int *ro_flagp, int dont_resolve_final_symlink);
-extern char *scratchbox_path_at(const char *func_name, int dirfd,
-	const char *path, int *ro_flagp, int dont_resolve_final_symlink);
-extern char *scratchbox_path3(const char *binary_name, const char *func_name,
-	const char *path, int *ro_flagp, int dont_resolve_final_symlink);
-char *scratchbox_path_for_exec(const char *func_name, const char *path,
-	int *ro_flagp, int dont_resolve_final_symlink);
+/* Mapping results are returned in a structure: */
+typedef struct mapping_results_s {
+
+	/* mapping result buffer: This is usually an absolute path.
+	 * Note that a fixed-sized array can NOT be used, because the
+	 * path mapping engine may produce results that are longer than
+	 * PATH_MAX. And this is not just theory, it does happen (some
+	 * "configure" scripts create really deep directory structures)
+	 * Also note that this may be an empty string, or relative path
+	 * after all in some situations.
+	*/
+	char	*mres_result_buf;
+
+	/* "normalized result", either absolute path or relative.
+	 * if the result is absolute, then
+	 *	mres_result_path == mres_result_buf
+	 * for most of relative results, 
+	 *	mres_result_path == mres_result_buf+N
+	 * but sometimes this may be separately allocated.
+	*/
+	char	*mres_result_path;
+	int	mres_result_path_was_allocated;
+
+	/* Flag: set if the result has been marked read only */
+	int	mres_readonly;
+
+} mapping_results_t;
+
+extern void clear_mapping_results_struct(mapping_results_t *res);
+extern void free_mapping_results(mapping_results_t *res);
+
+extern void sbox_map_path(const char *func_name, const char *path,
+	int dont_resolve_final_symlink, mapping_results_t *res);
+
+extern void sbox_map_path_at(const char *func_name, int dirfd,
+	const char *path, int dont_resolve_final_symlink,
+	mapping_results_t *res);
+
+extern void sbox_map_path_for_sb2show(const char *binary_name,
+	const char *func_name, const char *path, mapping_results_t *res);
+
+extern void sbox_map_path_for_exec(const char *func_name, const char *path,
+	mapping_results_t *res);
 
 extern int sb_execve_preprocess(char **file, char ***argv, char ***envp);
 extern char *emumode_map(const char *path);
diff --git a/include/sb2.h b/include/sb2.h
index e41ee80..119a2d0 100644
--- a/include/sb2.h
+++ b/include/sb2.h
@@ -26,6 +26,10 @@ struct lua_instance {
 	lua_State *lua;
 	int mapping_disabled;
 	int lua_instance_in_use; /* used only if debug messages are active */
+
+	/* for path mapping logic: */
+	char *real_cwd;
+	char *reversed_cwd;
 };
 
 /* This version string is used to check that the lua scripts offer 
diff --git a/luaif/argvenvp.c b/luaif/argvenvp.c
index 45467aa..6120c15 100644
--- a/luaif/argvenvp.c
+++ b/luaif/argvenvp.c
@@ -381,14 +381,23 @@ char *sb_execve_map_script_interpreter(
 
 	case 2:
 		SB_LOG(SB_LOGLEVEL_DEBUG,
-			"sb_execve_map_script_interpreter: use scratchbox_path_for_exec");
+			"sb_execve_map_script_interpreter: use sbox_map_path_for_exec");
 		/* remove all return values from the stack. */
 		lua_pop(luaif->lua, 8);
 		if (mapped_interpreter) free(mapped_interpreter);
 		mapped_interpreter = NULL;
-		mapped_interpreter = scratchbox_path_for_exec("script_interp",
-			interpreter, NULL/*RO-flag addr.*/,
-			0/*dont_resolve_final_symlink*/);
+		{
+			mapping_results_t	mapping_result;
+
+			clear_mapping_results_struct(&mapping_result);
+			sbox_map_path_for_exec("script_interp",
+				interpreter, &mapping_result);
+			if (mapping_result.mres_result_buf) {
+				mapped_interpreter =
+					strdup(mapping_result.mres_result_buf);
+			}
+			free_mapping_results(&mapping_result);
+		}
 		SB_LOG(SB_LOGLEVEL_DEBUG, "sb_execve_map_script_interpreter: "
 			"interpreter=%s mapped_interpreter=%s",
 			interpreter, mapped_interpreter);
diff --git a/luaif/paths.c b/luaif/paths.c
index 0276aed..a91185e 100644
--- a/luaif/paths.c
+++ b/luaif/paths.c
@@ -273,73 +273,10 @@ static void remove_dots_and_dotdots_from_path_entries(
 	}
 }
 
-static char *sb_reversing_getcwd(const char *fn_name, char *buf, size_t bufsize)
-{
-	char	*rev_path = NULL;
-
-	if (!getcwd_nomap_nolog(buf, bufsize)) {
-		return(NULL);
-	}
-	
-	rev_path = scratchbox_reverse_path(fn_name, buf);
-
-	if (rev_path) {
-		SB_LOG(SB_LOGLEVEL_DEBUG, "REV: '%s' => '%s'", buf, rev_path);
-		snprintf(buf, bufsize, "%s", rev_path);
-	} else {
-		SB_LOG(SB_LOGLEVEL_DEBUG, "REV failed.");
-	}
-	free(rev_path);
-
-	return(buf);
-}
-
-static char *absolute_path(const char *fn_name, const char *path)
-{
-	char *cpath = NULL;
-
-	if (path[0] == '/') {
-		/* already absolute path */
-		if (!(cpath = strdup(path)))
-			abort();
-	} else {
-		/* not an absolute path */
-		char cwd[PATH_MAX + 1];
-
-		memset(cwd, '\0', sizeof(cwd));
-		if (!sb_reversing_getcwd(fn_name, cwd, sizeof(cwd))) {
-			/* getcwd() returns NULL if the path is really long.
-			 * In this case this really won't be able to do all 
-			 * path mapping steps, but sb_decolonize_path()
-			 * must not fail!
-			 *
-			 * Added 2009-01-16: This actually happens sometimes;
-			 * there are configure scripts that find out MAX_PATH 
-			 * the hard way. So, if this process has already
-			 * logged this error, well suppress further messages.
-			 * [decided to add this check after I had seen 3686
-			 * error messages from "conftest" :-) /LTA]
-			*/
-			static int absolute_path_failed_message_logged = 0;
-
-			if (!absolute_path_failed_message_logged) {
-				absolute_path_failed_message_logged = 1;
-				SB_LOG(SB_LOGLEVEL_ERROR,
-				    "absolute_path failed to get current dir");
-			}
-			return(NULL);
-		}
-		if ((asprintf(&cpath, "%s/%s", cwd, path) < 0) || !cpath)
-			abort();
-		SB_LOG(SB_LOGLEVEL_NOISE, "absolute_path done, '%s'", cpath);
-	}
-	return(cpath);
-}
-
-/* returns an allocated buffer containing absolute,
- * decolonized version of "path"
+/* returns an allocated buffer containing a cleaned ("decolonized")
+ * version of "path" (double slashes, dots and dotdots etc. have been removed)
 */
-static char *sb_decolonize_path(const char *fn_name, const char *path)
+static char *sb_clean_path(const char *path)
 {
 	char *cpath;
 	struct path_entry_list list;
@@ -347,54 +284,48 @@ static char *sb_decolonize_path(const char *fn_name, const char *path)
 
 	if (!path) {
 		SB_LOG(SB_LOGLEVEL_ERROR,
-			"sb_decolonize_path called with NULL path");
+			"sb_clean_path called with NULL path");
 		return NULL;
 	}
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_decolonize_path '%s'", path);
 
-	list.pl_first = NULL;
+	cpath = strdup(path);
+	split_path_to_path_entries(cpath, &list);
+	free(cpath);
+	remove_dots_and_dotdots_from_path_entries(&list);
 
-	cpath = absolute_path(fn_name, path);
-	if (!cpath) {
-		SB_LOG(SB_LOGLEVEL_NOTICE,
-			"sb_decolonize_path forced to use relative path '%s'",
-			path);
-		buf = strdup(path);
-	} else {
-		split_path_to_path_entries(cpath, &list);
-		remove_dots_and_dotdots_from_path_entries(&list);
+	buf = path_entries_to_string(list.pl_first);
+	free_path_entries(&list);
 
-		buf = path_entries_to_string(list.pl_first);
-		free_path_entries(&list);
-	}
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_decolonize_path returns '%s'", buf);
+	SB_LOG(SB_LOGLEVEL_NOISE, "sb_clean_path returns '%s'", buf);
 	return buf;
 }
 
 /* dirname() is not thread safe (may return pointer to static buffer),
- * so we'll have our own version, which always returns absolute dirnames:
+ * so we'll have our own version. This requires that the parameter
+ * is an absolute path, always:
 */
-static char *sb_abs_dirname(const char *fn_name, const char *path)
+static char *sb_abs_dirname(const char *abs_path)
 {
 	char *cpath;
 	struct path_entry_list list;
 	char *buf = NULL;
 
-	if (!path) return strdup(".");
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_abs_dirname '%s'", path);
-
-	list.pl_first = NULL;
-
-	cpath = absolute_path(fn_name, path);
-	if (!cpath) return(NULL);
+	if (!abs_path || (*abs_path != '/')) {
+		SB_LOG(SB_LOGLEVEL_ERROR,
+			"FATAL internal error: sb_abs_dirname called with"
+			" illegal parameter (%s)", abs_path);
+		assert(0);
+	}
 
+	cpath = strdup(abs_path);
 	split_path_to_path_entries(cpath, &list);
+	free(cpath);
 	remove_last_path_entry(&list);
 
 	buf = path_entries_to_string(list.pl_first);
 	free_path_entries(&list);
 
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_abs_dirname returns '%s'", buf);
+	SB_LOG(SB_LOGLEVEL_NOISE, "sb_abs_dirname '%s' => '%s'", abs_path, buf);
 	return buf;
 }
 
@@ -446,7 +377,12 @@ static char *call_lua_function_sbox_translate_path(
 	lua_call(luaif->lua, 4, 4);
 
 	translate_result = (char *)lua_tostring(luaif->lua, -2);
-	if (translate_result) {
+	if (translate_result && (*translate_result != '/')) {
+		SB_LOG(SB_LOGLEVEL_ERROR,
+			"Mapping failed: Result is not absolute ('%s'->'%s')",
+			decolon_path, translate_result);
+		translate_result = NULL;
+	} else if (translate_result) {
 		translate_result = strdup(translate_result);
 	}
 	ro_flag = lua_toboolean(luaif->lua, -1);
@@ -460,7 +396,8 @@ static char *call_lua_function_sbox_translate_path(
 		*/
 		char *cleaned_path;
 
-		cleaned_path = sb_decolonize_path(func_name, translate_result);
+		cleaned_path = sb_clean_path(translate_result);
+
 		if (*cleaned_path != '/') {
 			/* oops, got a relative path. CWD is too long. */
 			SB_LOG(SB_LOGLEVEL_DEBUG,
@@ -622,7 +559,7 @@ static char *sb_path_resolution(
 	struct lua_instance *luaif,
 	const char *binary_name,
 	const char *func_name,
-	const char *abs_path,
+	const char *abs_path,		/* MUST be an absolute path! */
 	int dont_resolve_final_symlink)
 {
 	struct path_entry_list orig_path_list;
@@ -654,11 +591,16 @@ static char *sb_path_resolution(
 		return NULL;
 	}
 
-	if (!abs_path) {
+	if (!abs_path || !*abs_path) {
 		SB_LOG(SB_LOGLEVEL_ERROR,
 			"sb_path_resolution called with NULL path");
 		return NULL;
 	}
+	if (*abs_path != '/') {
+		SB_LOG(SB_LOGLEVEL_ERROR,
+			"FATAL: sb_path_resolution called with relative path");
+		assert(0);
+	}
 
 	SB_LOG(SB_LOGLEVEL_NOISE,
 		"sb_path_resolution %d '%s'", nest_count, abs_path);
@@ -793,21 +735,9 @@ static char *sb_path_resolution(
 				char *dirnam;
 				int last_in_dirnam_is_slash;
 
-				dirnam = sb_abs_dirname(func_name, work->pe_full_path);
-				if (!dirnam) {
-					/* this should not happen.
-					 * work->pe_full_path is supposed to
-					 * be absolute path.
-					*/
-					char *cp;
-					SB_LOG(SB_LOGLEVEL_ERROR,
-						"relative symlink forced to"
-						" use relative path '%s'",
-						work->pe_full_path);
-					dirnam = strdup(work->pe_full_path);
-					cp = strrchr(dirnam,'/');
-					if (cp) *cp = '\0';
-				}
+				/* work->pe_full_path is an absolute path */
+				dirnam = sb_abs_dirname(work->pe_full_path);
+
 				last_in_dirnam_is_slash =
 					(last_char_in_str(dirnam) == '/');
 
@@ -850,6 +780,17 @@ static char *sb_path_resolution(
 			free(rest_of_path);
 			free_path_entries(&orig_path_list);
 
+			/* double-check the result. We MUST use absolute
+			 * paths here.
+			*/
+			if (*new_path != '/') {
+				/* this should never happen */
+				SB_LOG(SB_LOGLEVEL_ERROR,
+					"FATAL: symlink resolved to "
+					"a relative path (internal error)");
+				assert(0);
+			}
+
 			/* recursively call myself to perform path
 			 * resolution steps for the symlink target.
 			*/
@@ -936,18 +877,21 @@ static char *sb_path_resolution(
  * to prevent recursive calls to this function.
  * Returns a pointer to an allocated buffer which contains the result.
  */
-static char *scratchbox_path_internal(
+static void sbox_map_path_internal(
 	const char *binary_name,
 	const char *func_name,
-	const char *path,
-	int *ro_flagp,
+	const char *orig_path,
 	int dont_resolve_final_symlink,
-	int process_path_for_exec)
+	int process_path_for_exec,
+	mapping_results_t *res)
 {
 	struct lua_instance *luaif = NULL;
 	char *mapping_result;
+	const char *abs_path = NULL;
+	char *abs_path_buffer = NULL;
+	char real_cwd[PATH_MAX + 1]; /* used only if orig_path is relative */
 
-	SB_LOG(SB_LOGLEVEL_DEBUG, "scratchbox_path_internal: %s(%s)", func_name, path);
+	SB_LOG(SB_LOGLEVEL_DEBUG, "sbox_map_path_internal: %s(%s)", func_name, orig_path);
 
 #ifdef EXTREME_DEBUGGING
 	#define SIZE 100
@@ -960,23 +904,10 @@ static char *scratchbox_path_internal(
 	for (i = 0; i < nptrs; i++)
 		SB_LOG(SB_LOGLEVEL_DEBUG, "%s\n", strings[i]);
 #endif
-	if (!path || !*path) {
+	if (!orig_path || !*orig_path) {
 		/* an empty path shall always remain empty */
-		return strdup("");
-	}
-
-	luaif = get_lua();
-	if (!luaif) {
-		/* init in progress? */
-		return strdup(path);
-	}
-
-	if (!path) {
-		SB_LOG(SB_LOGLEVEL_ERROR,
-			"ERROR: scratchbox_path_internal: path==NULL [%s]",
-			func_name);
-		release_lua(luaif);
-		return NULL;
+		res->mres_result_buf = res->mres_result_path = strdup("");
+		return;
 	}
 
 	if (getenv("SBOX_DISABLE_MAPPING")) {
@@ -985,9 +916,14 @@ static char *scratchbox_path_internal(
 		 *       without making a corresponding change to the script!
 		*/
 		SB_LOG(SB_LOGLEVEL_INFO, "disabled(E): %s '%s'",
-			func_name, path);
-		release_lua(luaif);
-		return strdup(path);
+			func_name, orig_path);
+		goto use_orig_path_as_result_and_exit;
+	}
+
+	luaif = get_lua();
+	if (!luaif) {
+		/* init in progress? */
+		goto use_orig_path_as_result_and_exit;
 	}
 	if (luaif->mapping_disabled) {
 		/* NOTE: Following SB_LOG() call is used by the log
@@ -995,9 +931,74 @@ static char *scratchbox_path_internal(
 		 *       without making a corresponding change to the script!
 		*/
 		SB_LOG(SB_LOGLEVEL_INFO, "disabled(%d): %s '%s'",
-			luaif->mapping_disabled, func_name, path);
-		release_lua(luaif);
-		return strdup(path);
+			luaif->mapping_disabled, func_name, orig_path);
+		goto use_orig_path_as_result_and_exit;
+	}
+
+	/* Going to map it. The mapping logic must get absolute paths: */
+	if (*orig_path == '/') {
+		abs_path = orig_path;
+	} else {
+		/* convert to absolute path. */
+		char *reversed_cwd = NULL;
+
+		if (!getcwd_nomap_nolog(real_cwd, sizeof(real_cwd))) {
+			/* getcwd() returns NULL if the path is really long.
+			 * In this case the path can not be mapped.
+			 *
+			 * Added 2009-01-16: This actually happens sometimes;
+			 * there are configure scripts that find out MAX_PATH 
+			 * the hard way. So, if this process has already
+			 * logged this error, we'll suppress further messages.
+			 * [decided to add this check after I had seen 3686
+			 * error messages from "conftest" :-) /LTA]
+			*/
+			static int absolute_path_failed_message_logged = 0;
+
+			if (!absolute_path_failed_message_logged) {
+				absolute_path_failed_message_logged = 1;
+				SB_LOG(SB_LOGLEVEL_ERROR,
+				    "absolute_path failed to get current dir");
+			}
+			goto use_orig_path_as_result_and_exit;
+		}
+		SB_LOG(SB_LOGLEVEL_DEBUG,
+			"sbox_map_path_internal: converting to abs.path cwd=%s",
+			real_cwd);
+		
+		/* reversing of paths is expensive...try if a previous
+		 * result can be used, and call the reversing logic only if
+		 * CWD has been changed.
+		*/
+		if (luaif->real_cwd && luaif->reversed_cwd &&
+		    !strcmp(real_cwd, luaif->real_cwd)) {
+			/* "cache hit" */
+			reversed_cwd = luaif->reversed_cwd;
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"sbox_map_path_internal: using cached rev_cwd=%s",
+				reversed_cwd);
+		} else {
+			/* "cache miss" */
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"sbox_map_path_internal: reversing cwd:");
+			reversed_cwd = call_lua_function_sbox_reverse_path(
+				luaif,
+				(sbox_binary_name?sbox_binary_name:"UNKNOWN"),
+				func_name, real_cwd);
+			/* put the reversed CWD to our one-slot cache: */
+			if (luaif->real_cwd) free(luaif->real_cwd);
+			if (luaif->reversed_cwd) free(luaif->reversed_cwd);
+			luaif->real_cwd = strdup(real_cwd);
+			luaif->reversed_cwd = reversed_cwd;
+		}
+		if (asprintf(&abs_path_buffer, "%s/%s", reversed_cwd, orig_path) < 0) {
+			/* asprintf failed */
+			abort();
+		}
+		abs_path = abs_path_buffer;
+		SB_LOG(SB_LOGLEVEL_DEBUG,
+			"sbox_map_path_internal: abs.path is '%s'",
+			abs_path);
 	}
 
 	disable_mapping(luaif);
@@ -1006,19 +1007,15 @@ static char *scratchbox_path_internal(
 		char *decolon_path = NULL;
 		char *full_path_for_rule_selection = NULL;
 
+		full_path_for_rule_selection = sb_clean_path(abs_path);
 
-		/* FIXME: following call to sb_decolonize_path() will lead to
-		 * another call to get_lua()...it would be more efficient to just
-		 * pass luaif pointer from here.
-		*/
-		full_path_for_rule_selection = sb_decolonize_path(func_name, path);
-
-		if (*full_path_for_rule_selection != '/') {
-			SB_LOG(SB_LOGLEVEL_DEBUG,
-				"scratchbox_path_internal: sb_decolonize_path"
+		if (!full_path_for_rule_selection ||
+		    (*full_path_for_rule_selection != '/')) {
+			SB_LOG(SB_LOGLEVEL_ERROR,
+				"sbox_map_path_internal: sb_clean_path()"
 				" failed to return absolute path (can't"
 				" map this)");
-			mapping_result = strdup(path);
+			mapping_result = strdup(abs_path);
 			if (process_path_for_exec) {
 				/* can't map, but still need to leave "rule"
 				 * (string) and "policy" (nil) to the stack */
@@ -1030,8 +1027,8 @@ static char *scratchbox_path_internal(
 		}
 
 		SB_LOG(SB_LOGLEVEL_DEBUG,
-			"scratchbox_path_internal: process '%s', n='%s'",
-			path, full_path_for_rule_selection);
+			"sbox_map_path_internal: process '%s', n='%s'",
+			orig_path, full_path_for_rule_selection);
 
 		/* sb_path_resolution() leaves the rule to the stack... */
 		decolon_path = sb_path_resolution(0,
@@ -1041,7 +1038,7 @@ static char *scratchbox_path_internal(
 
 		if (!decolon_path) {
 			SB_LOG(SB_LOGLEVEL_ERROR,
-				"scratchbox_path_internal: "
+				"sbox_map_path_internal: "
 				"decolon_path failed [%s]",
 				func_name);
 			mapping_result = NULL;
@@ -1054,15 +1051,15 @@ static char *scratchbox_path_internal(
 			}
 		} else {
 			SB_LOG(SB_LOGLEVEL_NOISE2,
-				"scratchbox_path_internal: decolon_path='%s'",
+				"sbox_map_path_internal: decolon_path='%s'",
 				decolon_path);
 
 			mapping_result = call_lua_function_sbox_translate_path(
 				SB_LOGLEVEL_INFO,
 				luaif, binary_name, func_name,
-				decolon_path, ro_flagp);
-			/* ...and remove the rule from stack */
+				decolon_path, &(res->mres_readonly));
 			if (process_path_for_exec == 0) {
+				/* ...and remove rule and policy from stack */
 				drop_policy_from_lua_stack(luaif);
 				drop_rule_from_lua_stack(luaif);
 			}
@@ -1073,104 +1070,115 @@ static char *scratchbox_path_internal(
 	}
 	enable_mapping(luaif);
 
-#if defined(path_registration_has_not_yet_been_fixed_so_this_is_disabled)
-	/* This piece of code has been disabled temporarily 2009-01-16 / LTA
-	 *
-	 * (relative paths can not be used before the registration of
-	 * paths to fdpathdb.c can always get absolute paths, even if the
-	 * mapping result can be relative otherwise...this requires some
-	 * refactoring)
-	*/
+	res->mres_result_buf = res->mres_result_path = mapping_result;
 
-	/* now "mapping_result" is (should be) an absolute path.
-	 * sb2's exec logic needs absolute paths, but otherwise,
-	 * try to return a relative path if the original path was relative.
+	/* now "mapping_result" is an absolute path.
+	 * sb2's exec logic needs absolute paths, and absolute paths are also
+	 * needed when registering paths to the "fdpathdb".  but otherwise,
+	 * we'll try to return a relative path if the original path was
+	 * relative (abs.path is still available in mres_result_buf).
 	*/
 	if ((process_path_for_exec == 0) &&
-	    (path[0] != '/') &&
+	    (orig_path[0] != '/') &&
 	    mapping_result &&
 	    (*mapping_result == '/')) {
-		char cwd[PATH_MAX + 1];
-
-		/* here we want the real CWD, not a reversed one: */
-		if (getcwd_nomap_nolog(cwd, sizeof(cwd))) {
-			int	cwd_len = strlen(cwd);
-			int	result_len = strlen(mapping_result);
-
-			if ((result_len == cwd_len) &&
-			    !strcmp(cwd, mapping_result)) {
-				SB_LOG(SB_LOGLEVEL_DEBUG,
-					"scratchbox_path_internal: result==CWD");
-				free(mapping_result);
-				mapping_result = strdup(".");
-			} else if ((result_len > cwd_len) &&
-			           (mapping_result[cwd_len] == '/') &&
-			           (mapping_result[cwd_len+1] != '/') &&
-			           (mapping_result[cwd_len+1] != '\0') &&
-			           !strncmp(cwd, mapping_result, cwd_len)) {
-				/* cwd is a prefix of result; convert result
-				 * back to a relative path
-				*/
-				char *relative_result = strdup(mapping_result+cwd_len+1);
-				SB_LOG(SB_LOGLEVEL_DEBUG,
-					"scratchbox_path_internal: result==relative (%s) (%s)",
-					relative_result, mapping_result);
-				free(mapping_result);
-				mapping_result = relative_result;
-			}
+		/* orig_path was relative. real_cwd has been filled above */
+		int	real_cwd_len = strlen(real_cwd);
+		int	result_len = strlen(mapping_result);
+
+		if ((result_len == real_cwd_len) &&
+		    !strcmp(real_cwd, mapping_result)) {
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"sbox_map_path_internal: result==CWD");
+			res->mres_result_path = strdup(".");
+			res->mres_result_path_was_allocated = 1;
+		} else if ((result_len > real_cwd_len) &&
+			   (mapping_result[real_cwd_len] == '/') &&
+			   (mapping_result[real_cwd_len+1] != '/') &&
+			   (mapping_result[real_cwd_len+1] != '\0') &&
+			   !strncmp(real_cwd, mapping_result, real_cwd_len)) {
+			/* real_cwd is a prefix of result; convert result
+			 * back to a relative path
+			*/
+			char *relative_result = mapping_result+real_cwd_len+1;
+			res->mres_result_path = relative_result;
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"sbox_map_path_internal: result==relative (%s) (%s)",
+				relative_result, mapping_result);
 		}
 	}
-#endif
 
-	SB_LOG(SB_LOGLEVEL_NOISE, "scratchbox_path_internal: mapping_result='%s'",
+	SB_LOG(SB_LOGLEVEL_NOISE, "sbox_map_path_internal: mapping_result='%s'",
 		mapping_result ? mapping_result : "<No result>");
 	release_lua(luaif);
-	return(mapping_result);
+	if (abs_path_buffer) free(abs_path_buffer);
+	return;
+
+    use_orig_path_as_result_and_exit:
+	if(luaif) release_lua(luaif);
+	res->mres_result_buf = res->mres_result_path = strdup(orig_path);
+	return;
 }
 
 /* ========== Public interfaces to the mapping & resolution code: ========== */
 
-char *scratchbox_path3(
+void sbox_map_path_for_sb2show(
 	const char *binary_name,
 	const char *func_name,
 	const char *path,
-	int *ro_flagp,
-	int dont_resolve_final_symlink)
+	mapping_results_t *res)
 {
-	return(scratchbox_path_internal(binary_name, func_name, path,
-		ro_flagp, dont_resolve_final_symlink, 0));
+	if (!path) {
+		res->mres_result_buf = res->mres_result_path = NULL;
+		res->mres_readonly = 1;
+	} else {
+		sbox_map_path_internal(binary_name, func_name, path,
+			0/*dont_resolve_final_symlink*/, 0, res);
+	}
 }
 
-char *scratchbox_path(
+void sbox_map_path(
 	const char *func_name,
 	const char *path,
-	int *ro_flagp,
-	int dont_resolve_final_symlink)
+	int dont_resolve_final_symlink,
+	mapping_results_t *res)
 {
-	return (scratchbox_path_internal(
-		(sbox_binary_name ? sbox_binary_name : "UNKNOWN"), func_name,
-		path, ro_flagp, dont_resolve_final_symlink, 0));
+	if (!path) {
+		res->mres_result_buf = res->mres_result_path = NULL;
+		res->mres_readonly = 1;
+	} else {
+		sbox_map_path_internal(
+			(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
+			func_name, path, dont_resolve_final_symlink, 0, res);
+	}
 }
 
-char *scratchbox_path_at(
+void sbox_map_path_at(
 	const char *func_name,
 	int dirfd,
 	const char *path,
-	int *ro_flagp,
-	int dont_resolve_final_symlink)
+	int dont_resolve_final_symlink,
+	mapping_results_t *res)
 {
 	const char *dirfd_path;
 
+	if (!path) {
+		res->mres_result_buf = res->mres_result_path = NULL;
+		res->mres_readonly = 1;
+		return;
+	}
+
 	if ((*path == '/')
 #ifdef AT_FDCWD
 	    || (dirfd == AT_FDCWD)
 #endif
 	   ) {
-		/* same as scratchbox_path() */
-		return (scratchbox_path_internal(
+		/* same as sbox_map_path() */
+		sbox_map_path_internal(
 			(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 			func_name,
-			path, ro_flagp, dont_resolve_final_symlink, 0));
+			path, dont_resolve_final_symlink, 0, res);
+		return;
 	}
 
 	/* relative to something else than CWD */
@@ -1178,7 +1186,6 @@ char *scratchbox_path_at(
 
 	if (dirfd_path) {
 		/* pathname found */
-		char *ret;
 		char *at_full_path = NULL;
 
 		if (asprintf(&at_full_path, "%s/%s", dirfd_path, path) < 0) {
@@ -1189,12 +1196,13 @@ char *scratchbox_path_at(
 			"Synthetic path for %s(%d,'%s') => '%s'",
 			func_name, dirfd, path, at_full_path);
 
-		ret = scratchbox_path_internal(
+		sbox_map_path_internal(
 			(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 			func_name,
-			at_full_path, ro_flagp, dont_resolve_final_symlink, 0);
+			at_full_path, dont_resolve_final_symlink, 0, res);
 		free(at_full_path);
-		return(ret);
+
+		return;
 	}
 
 	/* name not found. Can't do much here, log a warning and return
@@ -1202,22 +1210,21 @@ char *scratchbox_path_at(
 	 * not always..  */
 	SB_LOG(SB_LOGLEVEL_WARNING, "Path not found for FD %d, for %s(%s)",
 		dirfd, func_name, path);
-
-	return (strdup(path));
+	res->mres_result_buf = res->mres_result_path = strdup(path);
+	res->mres_readonly = 0;
 }
 
 /* this maps the path and then leaves "rule" and "exec_policy" to the stack, 
  * because exec post-processing needs them
 */
-char *scratchbox_path_for_exec(
+void sbox_map_path_for_exec(
 	const char *func_name,
 	const char *path,
-	int *ro_flagp,
-	int dont_resolve_final_symlink)
+	mapping_results_t *res)
 {
-	return (scratchbox_path_internal(
+	sbox_map_path_internal(
 		(sbox_binary_name ? sbox_binary_name : "UNKNOWN"), func_name,
-		path, ro_flagp, dont_resolve_final_symlink, 1));
+		path, 0/*dont_resolve_final_symlink*/, 1/*exec mode*/, res);
 }
 
 char *scratchbox_reverse_path(
@@ -1234,3 +1241,18 @@ char *scratchbox_reverse_path(
 	return(result);
 }
 
+void	clear_mapping_results_struct(mapping_results_t *res)
+{
+	res->mres_result_buf = res->mres_result_path = NULL;
+	res->mres_readonly = 0;
+	res->mres_result_path_was_allocated = 0;
+}
+
+void	free_mapping_results(mapping_results_t *res)
+{
+	if (res->mres_result_buf) free(res->mres_result_buf);
+	if (res->mres_result_path_was_allocated && res->mres_result_path)
+		free(res->mres_result_path);
+	clear_mapping_results_struct(res);
+}
+
diff --git a/preload/fdpathdb.c b/preload/fdpathdb.c
index f60bf9a..bbbbc18 100644
--- a/preload/fdpathdb.c
+++ b/preload/fdpathdb.c
@@ -168,74 +168,73 @@ static void fdpathdb_register_mapped_path(
 	fdpathdb_mutex_unlock();
 }
 
+static void fdpathdb_register_mapping_result(const char *realfnname,
+	int ret_fd, mapping_results_t *res, const char *pathname)
+{
+	/* "mres_result_buf" is supposed to be an absolute path,
+	 * while "mres_result_path" may be relative or absolute.
+	 * (the path DB can not use relative paths)
+	*/
+	fdpathdb_register_mapped_path(realfnname, ret_fd,
+		res->mres_result_buf, pathname);
+}
+
 /* Wrappers' postprocessors: these register paths to this DB */
 
 extern void __open_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	const char *pathname, int flags, int mode)
 {
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 extern void __open64_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	const char *pathname, int flags, int mode)
 {
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 extern void open_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	const char *pathname, int flags, int mode)
 {
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 extern void open64_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	const char *pathname, int flags, int mode)
 {
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 extern void openat_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	int dirfd, const char *pathname, int flags, int mode)
 {
 	(void)dirfd;
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 extern void openat64_postprocess_pathname(
-	const char *realfnname, int ret_fd, const char *mapped__pathname,
+	const char *realfnname, int ret_fd, mapping_results_t *res,
 	int dirfd, const char *pathname, int flags, int mode)
 {
 	(void)dirfd;
-	(void)pathname;
 	(void)flags;
 	(void)mode;
-	fdpathdb_register_mapped_path(realfnname, ret_fd,
-		mapped__pathname, pathname);
+	fdpathdb_register_mapping_result(realfnname, ret_fd, res, pathname);
 }
 
 void dup_postprocess_(const char *realfnname, int ret, int fd)
diff --git a/preload/gen-interface.pl b/preload/gen-interface.pl
index 0c417d6..58e109f 100755
--- a/preload/gen-interface.pl
+++ b/preload/gen-interface.pl
@@ -35,9 +35,9 @@
 #
 # Following modifiers are available for "WRAP" and "GATE":
 #   - "map(varname)" will map function's parameter "varname" using
-#     the SBOX_MAP_PATH macro
+#     the sbox_map_path() function
 #   - "map_at(fdname,varname)" will map function's parameter "varname" using
-#     the SBOX_MAP_PATH_AT macro
+#     the sbox_map_path_at() function
 #   - "hardcode_param(N,name)" will hardcode name of the Nth parameter
 #     to "name" (this is typically needed only if the function definition uses
 #     macros to build the parameter list, instead of specifying names of
@@ -371,20 +371,6 @@ sub minimal_function_declarator_parser {
 # End of the minimal C declarator parser.
 #============================================
 
-sub find_type_of_parameter {
-	my $fn = shift;
-	my $param_name = shift;
-	my $r_param_names = $fn->{'parameter_names'};
-
-	my $i;
-	for ($i = 0; $i < @{$r_param_names}; $i++) {
-		if ($r_param_names->[$i] eq $param_name) {
-			return($fn->{'parameter_types'}->[$i]);
-		}
-	}
-	return(undef);
-}
-
 sub create_code_for_va_list_get_mode {
 	my $condition = shift;
 	my $last_named_var = shift;
@@ -418,8 +404,14 @@ sub process_readonly_check_modifier {
 	my $return_value = shift;
 	my $error_code = shift;
 
-	my $new_name = "mapped__".$param_to_be_mapped;
-	my $ro_flag = $param_to_be_mapped."_is_readonly";
+	my $new_name = "res_mapped__".$param_to_be_mapped.".mres_result_path";
+	my $ro_flag = "res_mapped__".$param_to_be_mapped.".mres_readonly";
+
+	if (!defined($mods->{'mapping_results_by_orig_name'}->{$param_to_be_mapped})) {
+		printf "ERROR: mapping_results_by_orig_name not found for '%s'\n",
+			$param_to_be_mapped;
+		$num_errors++;
+	}
 
 	if (defined($extra_check)) {
 		$extra_check = " && ($extra_check)";
@@ -473,6 +465,7 @@ sub process_wrap_or_gate_modifiers {
 		'va_list_handler_code' => "",
 		'va_list_end_code' => "",
 		'mapped_params_by_orig_name' => {},
+		'mapping_results_by_orig_name' => {},
 		'dont_resolve_final_symlink' => 0,
 
 		'postprocess_vars' => [],
@@ -503,19 +496,20 @@ sub process_wrap_or_gate_modifiers {
 			my $param_to_be_mapped = $1;
 
 			my $new_name = "mapped__".$param_to_be_mapped;
-			my $ro_flag = $param_to_be_mapped."_is_readonly";
 			my $no_symlink_resolve = $mods->{'dont_resolve_final_symlink'};
 
-			$mods->{'mapped_params_by_orig_name'}->{$param_to_be_mapped} = $new_name;
+			$mods->{'mapped_params_by_orig_name'}->{$param_to_be_mapped} = "res_$new_name.mres_result_path";
+			$mods->{'mapping_results_by_orig_name'}->{$param_to_be_mapped} = "res_$new_name";
 			$mods->{'path_mapping_vars'} .= 
-				"\tchar *$new_name = NULL;\n".
-				"\tint $ro_flag = 0;\n";
+				"\tmapping_results_t res_$new_name;\n";
 			$mods->{'path_mapping_code'} .=
-				"\tSBOX_MAP_PATH($param_to_be_mapped, ".
-					"$new_name, &$ro_flag, ".
-					"$no_symlink_resolve);\n";
+				"\tclear_mapping_results_struct(&res_$new_name);\n".
+				"\tsbox_map_path(__func__, ".
+					"$param_to_be_mapped, ".
+					"$no_symlink_resolve, ".
+					"&res_$new_name);\n";
 			$mods->{'free_path_mapping_vars_code'} .=
-				"\tif($new_name) free($new_name);\n";
+				"\tfree_mapping_results(&res_$new_name);\n";
 
 			# Make a "..._nomap" version, because the main
 			# wrapper has mappings.
@@ -543,16 +537,19 @@ sub process_wrap_or_gate_modifiers {
 			my $ro_flag = $param_to_be_mapped."_is_readonly";
 			my $no_symlink_resolve = $mods->{'dont_resolve_final_symlink'};
 
-			$mods->{'mapped_params_by_orig_name'}->{$param_to_be_mapped} = $new_name;
+			$mods->{'mapped_params_by_orig_name'}->{$param_to_be_mapped} = "res_$new_name.mres_result_path";
+			$mods->{'mapping_results_by_orig_name'}->{$param_to_be_mapped} = "res_$new_name";
 			$mods->{'path_mapping_vars'} .= 
-				"\tchar *$new_name = NULL;\n".
-				"\tint $ro_flag = 0;\n";
+				"\tmapping_results_t res_$new_name;\n";
 			$mods->{'path_mapping_code'} .=
-				"\tSBOX_MAP_PATH_AT($fd_param, ".
-				"$param_to_be_mapped, $new_name, &$ro_flag, ".
-				"$no_symlink_resolve);\n";
+				"\tclear_mapping_results_struct(&res_$new_name);\n".
+				"\tsbox_map_path_at(__func__, ".
+					"$fd_param, ".
+					"$param_to_be_mapped, ".
+					"$no_symlink_resolve, ".
+					"&res_$new_name);\n";
 			$mods->{'free_path_mapping_vars_code'} .=
-				"\tif($new_name) free($new_name);\n";
+				"\tfree_mapping_results(&res_$new_name);\n";
 
 			# Make a "..._nomap" version, because the main
 			# wrapper has mappings.
@@ -689,18 +686,18 @@ sub create_postprocessors {
 					");\n";
 			} else {
 				# has mapped parameter
-				my $mapped_param = $mods->{'mapped_params_by_orig_name'}->{$ppvar};
-				my $type_of_param = find_type_of_parameter($fn,$ppvar);
+				my $mapping_results = $mods->{'mapping_results_by_orig_name'}->{$ppvar};
+
 				$postprocessor_calls .= "$pp_fn(__func__, ".
 					$return_value_param_in_call.
-					"$mapped_param, ".
+					"&$mapping_results, ".
 					# add orig (unmapped) parameters
 					join(", ", @{$mods->{'parameter_names'}}).
 					"); ";
 				$postprocessor_prototypes .= "extern void ".
 					"$pp_fn(const char *realfnname, ".
 					$return_value_param_in_prototype.
-					"$type_of_param $mapped_param, ".
+					"mapping_results_t *res, ".
 					# orig (unmapped) parameters
 					join(", ", @{$mods->{'parameter_types'}}).
 					");\n";
@@ -848,6 +845,8 @@ my $export_h_buffer =
 #include <sys/xattr.h>
 #endif
 
+#include \"mapping.h\"
+
 ";
 
 # Handle "WRAP" and "GATE" commands.
diff --git a/preload/libsb2.c b/preload/libsb2.c
index 62c6b49..16d47c8 100644
--- a/preload/libsb2.c
+++ b/preload/libsb2.c
@@ -428,7 +428,6 @@ FTS * fts_open_gate(FTS * (*real_fts_open_ptr)(char * const *path_argv,
 	int options,
 	int (*compar)(const FTSENT **,const FTSENT **))
 {
-	SBOX_MAP_PROLOGUE();
 	char *path;
 	char * const *p;
 	char **new_path_argv;
@@ -441,12 +440,23 @@ FTS * fts_open_gate(FTS * (*real_fts_open_ptr)(char * const *path_argv,
 	}
 
 	for (n=0, p=path_argv, np=new_path_argv; *p; n++, p++, np++) {
+		mapping_results_t res;
+
+		clear_mapping_results_struct(&res);
 		path = *p;
-		sbox_path = scratchbox_path(realfnname, path, NULL/*RO-flag*/,
-			0/*dont_resolve_final_symlink*/);
-		*np = sbox_path;
+		sbox_map_path(realfnname, path,
+			0/*dont_resolve_final_symlink*/, &res);
+		if (res.mres_result_path) {
+			/* Mapped OK */
+			*np = strdup(res.mres_result_path);
+		} else {
+			*np = strdup("");
+		}
+		free_mapping_results(&res);
 	}
 
+	/* FIXME: this system causes memory leaks */
+
 	return (*real_fts_open_ptr)(new_path_argv, options, compar);
 }
 #endif
@@ -455,7 +465,7 @@ char * get_current_dir_name_gate(
 	char * (*real_get_current_dir_name_ptr)(void),
 	const char *realfnname)
 {
-	SBOX_MAP_PROLOGUE();
+	char *sbox_path = NULL;
 	char *cwd;
 
 	if ((cwd = (*real_get_current_dir_name_ptr)()) == NULL) {
@@ -520,7 +530,7 @@ char * getwd_gate(
 	const char *realfnname,
 	char *buf)
 {
-	SBOX_MAP_PROLOGUE();
+	char *sbox_path = NULL;
 	char *cwd;
 
 	if ((cwd = (*real_getwd_ptr)(buf)) == NULL) {
@@ -552,7 +562,7 @@ char *realpath_gate(
 	const char *name,	/* name, already mapped */
 	char *resolved)
 {
-	SBOX_MAP_PROLOGUE();
+	char *sbox_path = NULL;
 	char *rp;
 	
 	if ((rp = (*real_realpath_ptr)(name,resolved)) == NULL) {
@@ -594,7 +604,7 @@ static char *check_and_prepare_glob_pattern(
 	 * log the mapped pattern (NOTICE level) if it was mapped
 	*/
 	if (*pattern == '/') { /* if absolute path in pattern.. */
-		mapped__pattern = scratchbox_path(realfnname, pattern,
+		mapped__pattern = sbox_map_path(realfnname, pattern,
 			NULL/*RO-flag*/, 0/*dont_resolve_final_symlink*/);
 		if (!strcmp(mapped__pattern, pattern)) {
 			/* no change */
@@ -761,24 +771,32 @@ static void map_sockaddr_un(
 	struct sockaddr_un *orig_serv_addr_un,
 	struct sockaddr_un *mapped_serv_addr_un)
 {
-	int	pathname_is_readonly = 0;
-	char	*mapped_addr = NULL;
+	mapping_results_t	res;
 
 	SB_LOG(SB_LOGLEVEL_DEBUG, "%s: checking AF_UNIX addr '%s'",
 		realfnname, orig_serv_addr_un->sun_path);
-	SBOX_MAP_PATH(orig_serv_addr_un->sun_path, mapped_addr,
-		&pathname_is_readonly, 0/*dont_resolve_final_symlink*/);
-	/* FIXME: implement if(pathname_is_readonly!=0)... */
 
-	*mapped_serv_addr_un = *orig_serv_addr_un;
-	if (sizeof(mapped_serv_addr_un->sun_path) <= strlen(mapped_addr)) {
+	clear_mapping_results_struct(&res);
+	/* FIXME: implement if(pathname_is_readonly!=0)... */
+	sbox_map_path(realfnname, orig_serv_addr_un->sun_path,
+		0/*dont_resolve_final_symlink*/, &res);
+	if (res.mres_result_path == NULL) {
 		SB_LOG(SB_LOGLEVEL_ERROR,
-			"%s: Mapped AF_UNIX address (%s) is too long",
-			realfnname, mapped_addr);
+			"%s: Failed to map AF_UNIX address '%s'",
+			realfnname, orig_serv_addr_un->sun_path);
 	} else {
-		strcpy(mapped_serv_addr_un->sun_path, mapped_addr);
+		*mapped_serv_addr_un = *orig_serv_addr_un;
+		if (sizeof(mapped_serv_addr_un->sun_path) <=
+		    strlen(res.mres_result_path)) {
+			SB_LOG(SB_LOGLEVEL_ERROR,
+				"%s: Mapped AF_UNIX address (%s) is too long",
+				realfnname, res.mres_result_path);
+		} else {
+			strcpy(mapped_serv_addr_un->sun_path,
+				res.mres_result_path);
+		}
 	}
-	if (mapped_addr) free(mapped_addr);
+	free_mapping_results(&res);
 }
 
 int bind_gate(
@@ -856,15 +874,22 @@ char *sb2show__map_path2__(const char *binary_name, const char *mapping_mode,
         const char *fn_name, const char *pathname, int *readonly)
 {
 	char *mapped__pathname = NULL;
+	mapping_results_t mapping_result;
 
 	(void)mapping_mode;	/* mapping_mode is not used anymore. */
 
 	if (!sb2_global_vars_initialized__) sb2_initialize_global_variables();
 
+	clear_mapping_results_struct(&mapping_result);
 	if (pathname != NULL) {
-		mapped__pathname = scratchbox_path3(binary_name, fn_name,
-			pathname, readonly, 0/*dont_resolve_final_symlink*/);
+		sbox_map_path_for_sb2show(binary_name, fn_name,
+			pathname, &mapping_result);
+		if (mapping_result.mres_result_path)
+			mapped__pathname =
+				strdup(mapping_result.mres_result_path);
+		if (readonly) *readonly = mapping_result.mres_readonly;
 	}
+	free_mapping_results(&mapping_result);
 	SB_LOG(SB_LOGLEVEL_DEBUG, "%s '%s'", __func__, pathname);
 	return(mapped__pathname);
 }
@@ -965,31 +990,31 @@ static void postprocess_tempname_template(const char *realfnname,
 }
 
 void mkstemp_postprocess_template(const char *realfnname,
-	int ret, char *mapped__template, char *template)
+	int ret, mapping_results_t *res, char *template)
 {
 	(void)ret;
-	postprocess_tempname_template(realfnname, mapped__template, template);
+	postprocess_tempname_template(realfnname, res->mres_result_path, template);
 }
 
 void mkstemp64_postprocess_template(const char *realfnname,
-	int ret, char *mapped__template, char *template)
+	int ret, mapping_results_t *res, char *template)
 {
 	(void)ret;
-	postprocess_tempname_template(realfnname, mapped__template, template);
+	postprocess_tempname_template(realfnname, res->mres_result_path, template);
 }
 
 void mkdtemp_postprocess_template(const char *realfnname,
-	char *ret, char *mapped__template, char *template)
+	char *ret, mapping_results_t *res, char *template)
 {
 	(void)ret;
-	postprocess_tempname_template(realfnname, mapped__template, template);
+	postprocess_tempname_template(realfnname, res->mres_result_path, template);
 }
 
 void mktemp_postprocess_template(const char *realfnname,
-	char *ret, char *mapped__template, char *template)
+	char *ret, mapping_results_t *res, char *template)
 {
 	(void)ret;
-	postprocess_tempname_template(realfnname, mapped__template, template);
+	postprocess_tempname_template(realfnname, res->mres_result_path, template);
 }
 
 /* the real tmpnam() can not be used at all, because the generated name must
diff --git a/preload/libsb2.h b/preload/libsb2.h
index f4a6fe2..0360f42 100644
--- a/preload/libsb2.h
+++ b/preload/libsb2.h
@@ -95,33 +95,6 @@
  *      if ( amount /../ > amount /other/ ) ) remove extra /../
  */
 
-#define SBOX_MAP_PROLOGUE() \
-	char *sbox_path = NULL;
-
-#define SBOX_MAP_AT_PROLOGUE() \
-	char *sbox_path = NULL;
-
-#define SBOX_MAP_PATH_NARROW(path, sbox_path, readonly_flag_addr) \
-{ \
-	if ((path) != NULL && *((char *)(path)) != '\0') { \
-		sbox_path = scratchbox_path(__FUNCTION__, path, readonly_flag_addr); \
-	} \
-}
-
-#define SBOX_MAP_PATH(path, sbox_path, readonly_flag_addr, no_symlink_resolve) \
-{ \
-	if ((path) != NULL) { \
-		sbox_path = scratchbox_path(__FUNCTION__, path, readonly_flag_addr, no_symlink_resolve); \
-	} \
-}
-
-#define SBOX_MAP_PATH_AT(dirfd, path, sbox_path, readonly_flag_addr, no_symlink_resolve) \
-{ \
-	if ((path) != NULL) { \
-		sbox_path = scratchbox_path_at(__FUNCTION__, dirfd, path, \
-			readonly_flag_addr, no_symlink_resolve); \
-	} \
-}
 
 extern void *sbox_find_next_symbol(int log_enabled, const char *functname);
 
diff --git a/preload/sb_exec.c b/preload/sb_exec.c
index 40ef414..d96e804 100644
--- a/preload/sb_exec.c
+++ b/preload/sb_exec.c
@@ -960,7 +960,7 @@ static int prepare_exec(const char *exec_fn_name,
 			"do_exec(): mapping disabled, my_file = %s", my_file);
 		mapped_file = strdup(my_file);
 
-		/* we won't call scratchbox_path_for_exec() because mapping
+		/* we won't call sbox_map_path_for_exec() because mapping
 		 * is disabled; instead we must push a string to Lua's stack
 		 * which explains the situation to the Lua code
 		*/
@@ -970,14 +970,20 @@ static int prepare_exec(const char *exec_fn_name,
 		/* now we have to do path mapping for my_file to find exactly
 		 * what is the path we're supposed to deal with
 		 */
+		mapping_results_t	mapping_result;
+
+		clear_mapping_results_struct(&mapping_result);
+		sbox_map_path_for_exec("do_exec", my_file, &mapping_result);
+		if (mapping_result.mres_result_buf) {
+			mapped_file = strdup(mapping_result.mres_result_buf);
+		}
+		free_mapping_results(&mapping_result);
 
-		mapped_file = scratchbox_path_for_exec("do_exec", my_file,
-			NULL/*RO-flag addr.*/, 0/*dont_resolve_final_symlink*/);
 		SB_LOG(SB_LOGLEVEL_DEBUG,
 			"do_exec(): my_file = %s, mapped_file = %s",
 			my_file, mapped_file);
 
-		/* Note: the Lua stack should now have rule and policy objects */
+		/* Note: the Lua stack now contains rule and policy objects */
 	}
 
 	/*