Bugfix: script execution failed to find correct exec policy

- happened because C->Lua interface left trash to Lua's stack => script
  execution failed to find corect exec_policy for the script interpreter

- Also included:
- added new debugging level NOISE3
- added dump_lua_stack() (luaif/argvenvp.c), name says it all..

8 files changed, 105 insertions, 19 deletions

diff --git a/include/sb2.h b/include/sb2.h
index 7177adf..e41ee80 100644
--- a/include/sb2.h
+++ b/include/sb2.h
@@ -70,6 +70,8 @@ extern time_t get_sb2_timestamp(void);
 
 extern char *procfs_mapping_request(char *path);
 
+extern void dump_lua_stack(const char *msg, lua_State *L);
+
 /* ------ debug/trace logging system for sb2: */
 #define SB_LOGLEVEL_uninitialized (-1)
 #define SB_LOGLEVEL_NONE	0
@@ -80,6 +82,7 @@ extern char *procfs_mapping_request(char *path);
 #define SB_LOGLEVEL_DEBUG	8
 #define SB_LOGLEVEL_NOISE	9
 #define SB_LOGLEVEL_NOISE2	10
+#define SB_LOGLEVEL_NOISE3	11
 
 extern void sblog_init(void);
 extern void sblog_vprintf_line_to_logfile(const char *file, int line,
diff --git a/lua_scripts/argvenvp.lua b/lua_scripts/argvenvp.lua
index 52d5535..5bb5c80 100644
--- a/lua_scripts/argvenvp.lua
+++ b/lua_scripts/argvenvp.lua
@@ -242,7 +242,7 @@ function check_rule_and_policy(rule, exec_policy, filename, mapped_file)
 			eps = exec_policy
 		end
 
-		sb.log("debug", "check_rule_and_policy: "..rs..";"..eps);
+		sb.log("debug", "check_rule_and_policy:Fail: "..rs..";"..eps);
 		return false, rule, exec_policy
 	end
 
diff --git a/lua_scripts/pathmaps/devel/00_default.lua b/lua_scripts/pathmaps/devel/00_default.lua
index 80b63e7..1426520 100644
--- a/lua_scripts/pathmaps/devel/00_default.lua
+++ b/lua_scripts/pathmaps/devel/00_default.lua
@@ -162,7 +162,8 @@ perl_bin_test = {
 	{ if_redirect_ignore_is_active = "/usr/bin/perl",
 	  map_to = target_root, readonly = true },
 	{ if_redirect_force_is_active = "/usr/bin/perl",
-	  map_to = tools, readonly = true },
+	  map_to = tools, readonly = true,
+	  exec_policy = exec_policy_tools_perl },
 	{ if_active_exec_policy_is = "Rootstrap",
 	  map_to = target_root, readonly = true },
 	{ if_active_exec_policy_is = "Tools-perl",
@@ -174,7 +175,8 @@ python_bin_test = {
 	{ if_redirect_ignore_is_active = "/usr/bin/python",
 	  map_to = target_root, readonly = true },
 	{ if_redirect_force_is_active = "/usr/bin/python",
-	  map_to = tools, readonly = true },
+	  map_to = tools, readonly = true,
+	  exec_policy = exec_policy_tools_python },
 	{ if_active_exec_policy_is = "Rootstrap",
 	  map_to = target_root, readonly = true },
 	{ if_active_exec_policy_is = "Tools-python",
diff --git a/luaif/argvenvp.c b/luaif/argvenvp.c
index dd5e8be..45467aa 100644
--- a/luaif/argvenvp.c
+++ b/luaif/argvenvp.c
@@ -15,6 +15,46 @@
 #include <lualib.h>
 #include <lauxlib.h>
 
+/* This stack dump routine is based on an example from the
+ * book "Programming in Lua"
+ *
+ * - This uses logging level DEBUG, but the calls are usually
+ *   enabled only at NOISE3.
+*/
+void dump_lua_stack(const char *msg, lua_State *L)
+{
+	int i;
+	int top = lua_gettop(L);
+
+	SB_LOG(SB_LOGLEVEL_DEBUG, "Stack dump/%s (gettop=%d):", msg, top);
+
+	for (i = 1; i <= top; i++) {
+		int t = lua_type(L, i);
+		switch (t) {
+		case LUA_TSTRING: /* strings */
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"%d: '%s'", i, lua_tostring(L, i));
+			break;
+
+		case LUA_TBOOLEAN:  /* booleans */
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"%d: %s", i,
+				(lua_toboolean(L, i) ? "true" : "false"));
+			break;
+
+		case LUA_TNUMBER:  /* numbers */
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"%d: %g", i, lua_tonumber(L, i));
+			break;
+
+		default:
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"%d: %s", i, lua_typename(L, t));
+			break;
+		}
+	}
+}
+
 /* Convert a vector of strings to a lua table, leaves that table to
  * lua's stack.
 */
@@ -147,6 +187,10 @@ int sb_execve_postprocess(char *exec_type,
 	luaif = get_lua();
 	if (!luaif) return(0);
 
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE3)) {
+		dump_lua_stack("sb_execve_postprocess entry", luaif->lua);
+	}
+
 	if (!argv || !envp) {
 		SB_LOG(SB_LOGLEVEL_ERROR,
 			"ERROR: sb_argvenvp: (argv || envp) == NULL");
@@ -221,7 +265,7 @@ int sb_execve_postprocess(char *exec_type,
 	}
 
 	/* remove sb_execve_postprocess return values from the stack.  */
-	lua_pop(luaif->lua, 6);
+	lua_pop(luaif->lua, 7);
 
 	SB_LOG(SB_LOGLEVEL_NOISE,
 		"sb_execve_postprocess: at exit, gettop=%d", lua_gettop(luaif->lua));
@@ -290,9 +334,19 @@ char *sb_execve_map_script_interpreter(
 	 *  1: argv / envp were not modified; mapped_interpreter was set
 	 * -1: deny exec.
 	*/
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_execve_map_script_interpreter: call lua");
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE3)) {
+		dump_lua_stack("sb_execve_map_script_interpreter M1", luaif->lua);
+	}
+	SB_LOG(SB_LOGLEVEL_NOISE,
+		"sb_execve_map_script_interpreter: call lua, gettop=%d",
+		lua_gettop(luaif->lua));
 	lua_call(luaif->lua, 8, 8);
-	SB_LOG(SB_LOGLEVEL_NOISE, "sb_execve_map_script_interpreter: return from lua");
+	SB_LOG(SB_LOGLEVEL_NOISE,
+		"sb_execve_map_script_interpreter: return from lua, gettop=%d",
+		lua_gettop(luaif->lua));
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE3)) {
+		dump_lua_stack("sb_execve_map_script_interpreter M2", luaif->lua);
+	}
 	
 	mapped_interpreter = (char *)lua_tostring(luaif->lua, -5);
 	if (mapped_interpreter) mapped_interpreter = strdup(mapped_interpreter);
@@ -313,17 +367,26 @@ char *sb_execve_map_script_interpreter(
 		new_envc = lua_tointeger(luaif->lua, -2);
 		strvec_free(*envp);
 		lua_string_table_to_strvec(luaif, -1, envp, new_envc);
+
+		/* remove return values from the stack, leave rule & policy.  */
+		lua_pop(luaif->lua, 6);
 		break;
 
 	case 1:
 		SB_LOG(SB_LOGLEVEL_DEBUG,
 			"sb_execve_map_script_interpreter: argv&envp were not modified");
+		/* remove return values from the stack, leave rule & policy.  */
+		lua_pop(luaif->lua, 6);
 		break;
 
 	case 2:
+		SB_LOG(SB_LOGLEVEL_DEBUG,
+			"sb_execve_map_script_interpreter: use scratchbox_path_for_exec");
+		/* remove all return values from the stack. */
+		lua_pop(luaif->lua, 8);
 		if (mapped_interpreter) free(mapped_interpreter);
 		mapped_interpreter = NULL;
-		mapped_interpreter = scratchbox_path("script_interp",
+		mapped_interpreter = scratchbox_path_for_exec("script_interp",
 			interpreter, NULL/*RO-flag addr.*/,
 			0/*dont_resolve_final_symlink*/);
 		SB_LOG(SB_LOGLEVEL_DEBUG, "sb_execve_map_script_interpreter: "
@@ -334,6 +397,8 @@ char *sb_execve_map_script_interpreter(
 	case -1:
 		SB_LOG(SB_LOGLEVEL_DEBUG,
 			"sb_execve_map_script_interpreter: exec denied");
+		/* remove return values from the stack, leave rule & policy.  */
+		lua_pop(luaif->lua, 6);
 		if (mapped_interpreter) free(mapped_interpreter);
 		mapped_interpreter = NULL;
 		break;
@@ -341,11 +406,15 @@ char *sb_execve_map_script_interpreter(
 	default:
 		SB_LOG(SB_LOGLEVEL_ERROR,
 			"sb_execve_map_script_interpreter: Unsupported result %d", res);
+		/* remove return values from the stack, leave rule & policy.  */
+		lua_pop(luaif->lua, 6);
 		break;
 	}
 
-	/* remove return values from the stack, leave rule & policy.  */
-	lua_pop(luaif->lua, 6);
+
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE3)) {
+		dump_lua_stack("sb_execve_map_script_interpreter E2", luaif->lua);
+	}
 
 	SB_LOG(SB_LOGLEVEL_NOISE,
 		"sb_execve_map_script_interpreter: at exit, gettop=%d",
diff --git a/luaif/luaif.c b/luaif/luaif.c
index 8274323..1d5fd9a 100644
--- a/luaif/luaif.c
+++ b/luaif/luaif.c
@@ -540,6 +540,8 @@ static int lua_sb_log(lua_State *luastate)
 		SB_LOG(SB_LOGLEVEL_NOISE, ">>>>: %s", logmsg);
 	else if(!strcmp(loglevel, "noise2"))
 		SB_LOG(SB_LOGLEVEL_NOISE2, ">>>>>>: %s", logmsg);
+	else if(!strcmp(loglevel, "noise3"))
+		SB_LOG(SB_LOGLEVEL_NOISE3, ">>>>>>>>: %s", logmsg);
 	else /* default to level "error"  */
 		SB_LOG(SB_LOGLEVEL_ERROR, "%s", logmsg);
 
diff --git a/luaif/paths.c b/luaif/paths.c
index b257977..590d69d 100644
--- a/luaif/paths.c
+++ b/luaif/paths.c
@@ -429,6 +429,10 @@ static char *call_lua_function_sbox_translate_path(
 	SB_LOG(SB_LOGLEVEL_NOISE,
 		"call_lua_function_sbox_translate_path: gettop=%d",
 		lua_gettop(luaif->lua));
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE3)) {
+		dump_lua_stack("call_lua_function_sbox_translate_path entry",
+			luaif->lua);
+	}
 
 	lua_getfield(luaif->lua, LUA_GLOBALSINDEX, "sbox_translate_path");
 	/* stack now contains the rule object and string "sbox_translate_path",
@@ -486,18 +490,21 @@ static char *call_lua_function_sbox_translate_path(
 				func_name, decolon_path, cleaned_path,
 				(ro_flag ? " (readonly)" : ""));
 		}
-		SB_LOG(SB_LOGLEVEL_NOISE,
-			"call_lua_function_sbox_translate_path: at exit, gettop=%d",
-			lua_gettop(luaif->lua));
-		return cleaned_path;
+		translate_result = cleaned_path;
+	}
+	if (!translate_result) {
+		SB_LOG(SB_LOGLEVEL_ERROR,
+			"No result from sbox_translate_path for: %s '%s'",
+			func_name, decolon_path);
 	}
-	SB_LOG(SB_LOGLEVEL_ERROR,
-		"No result from sbox_translate_path for: %s '%s'",
-		func_name, decolon_path);
 	SB_LOG(SB_LOGLEVEL_NOISE,
 		"call_lua_function_sbox_translate_path: at exit, gettop=%d",
 		lua_gettop(luaif->lua));
-	return(NULL);
+	if(SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE)) {
+		dump_lua_stack("call_lua_function_sbox_translate_path exit",
+			luaif->lua);
+	}
+	return(translate_result);
 }
 
 /* - returns 1 if ok (then *min_path_lenp is valid)
diff --git a/luaif/sb_log.c b/luaif/sb_log.c
index 7fc8d1c..e440eb1 100644
--- a/luaif/sb_log.c
+++ b/luaif/sb_log.c
@@ -155,6 +155,9 @@ void sblog_init(void)
 				} else if (!strcmp(level_str,"noise2")) {
 					sb_loglevel__ = SB_LOGLEVEL_NOISE2;
 					sb_log_state.sbl_print_file_and_line = 1;
+				} else if (!strcmp(level_str,"noise3")) {
+					sb_loglevel__ = SB_LOGLEVEL_NOISE3;
+					sb_log_state.sbl_print_file_and_line = 1;
 				} else {
 					sb_loglevel__ = SB_LOGLEVEL_INFO;
 				}
diff --git a/utils/sb2 b/utils/sb2
index a142544..3c40f69 100755
--- a/utils/sb2
+++ b/utils/sb2
@@ -18,7 +18,7 @@ If no COMMAND is given, a bash shell in scratchbox2 environment is started.
 
 Options:
     -v           display version
-    -L level     enable logging (levels=one of error,warning,notice,info,debug,noise,noise2)
+    -L level     enable logging (levels=one of error,warning,notice,info,debug,noise,noise2,noise3)
     -d           debug mode: log all redirections (logging level=debug)
     -h           print this help
     -t TARGET    target to use, use sb2-config -d TARGET to set a default
@@ -1049,7 +1049,7 @@ fi
 if [ "$SBOX_MAPPING_DEBUG" == "1" ]; then
 	# check that loglevel is valid
 	case $SBOX_MAPPING_LOGLEVEL in
-	(error|warning|notice|info|debug|noise|noise2)	;; # OK
+	(error|warning|notice|info|debug|noise|noise2|noise3)	;; # OK
 	(*) usage ;;
 	esac
 else