[gentoo-commits] proj/portage:master commit in: bin/ - gentoo-commits

From:	Zac Medico <zmedico@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/portage:master commit in: bin/
Date:	Sat, 30 Apr 2011 00:25:42
Message-Id:	`e483cb18fde536893270e87aa39157da9ebda406.zmedico@gentoo`

1

commit:     e483cb18fde536893270e87aa39157da9ebda406

2

Author:     David James <davidjames <AT> google <DOT> com>

3

AuthorDate: Sat Apr 30 00:21:58 2011 +0000

4

Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>

5

CommitDate: Sat Apr 30 00:21:58 2011 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=e483cb18

7

8

Check for references to ${ROOT} in install_qa_checks.

9

10

When ROOT != /, binaries that reference ROOT will load their

11

dependencies from ROOT first rather than from the system-configured

12

path. This is a problem because the ROOT will be / on the target

13

system.

14

15

Besides the above, this patch also fixes incorrect parsing of scanelf

16

output, where we would treat the RPATHs returned by scanelf as the

17

names of binaries.

18

19

TEST=When "stricter" FEATURE is enabled, verify that emerge

20

fails when an ebuild references broken rpaths referencing

21

ROOT. When "stricter" FEATURE is not enabled, verify that such

22

references are automatically fixed. Also verify that ebuilds

23

with non-broken RPATHs (e.g. RPATHs referencing $ORIGIN/../lib)

24

are not touched by the change.

25

26

BUG=chromium-os:14271

27

28

Change-Id: I4f29cc4ea9195a1255f080284da1f676e4a2c26b

29

30

Review URL: http://codereview.chromium.org/6903153

31

32

---

33

 bin/misc-functions.sh |   34 ++++++++++++++++++++++++++--------

34

 1 files changed, 26 insertions(+), 8 deletions(-)

35

36

diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh

37

index af0cc27..c310998 100755

38

--- a/bin/misc-functions.sh

39

+++ b/bin/misc-functions.sh

40

@@ -184,16 +184,37 @@ install_qa_check() {

41

 			unset PORTAGE_QUIET

42

fi

43

44

-		# Make sure we disallow insecure RUNPATH/RPATHs

45

-		# Don't want paths that point to the tree where the package was built

46

-		# (older, broken libtools would do this).  Also check for null paths

47

-		# because the loader will search $PWD when it finds null paths.

48

-		f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )")

49

+		# Make sure we disallow insecure RUNPATH/RPATHs.

50

+		#   1) References to PORTAGE_BUILDDIR are banned because it's a

51

+		#      security risk. We don't want to load files from a

52

+		#      temporary directory.

53

+		#   2) If ROOT != "/", references to ROOT are banned because

54

+		#      that directory won't exist on the target system.

55

+		#   3) Null paths are banned because the loader will search $PWD when

56

+		#      it finds null paths.

57

+		local forbidden_dirs="${PORTAGE_BUILDDIR}"

58

+		if [[ -n "$ROOT" ]] && [[ "$ROOT" != "/" ]]; then

59

+			forbidden_dirs="${forbidden_dirs} ${ROOT}"

60

+		fi

61

+		local dir="" rpath_files=$(scanelf -F '%F:%r' -qBR "${D}")

62

+		f=""

63

+		for dir in ${forbidden_dirs}; do

64

+			for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do

65

+				f+="  ${l%%:*}\n"

66

+				if ! has stricter ${FEATURES}; then

67

+					vecho "Auto fixing rpaths for ${l%%:*}"

68

+					TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null

69

+				fi

70

+			done

71

+		done

72

+

73

 		# Reject set*id binaries with $ORIGIN in RPATH #260331

74

 		x=$(

75

 			find "${D}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \

76

 			xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN'

77

)

78

+

79

+		# Print QA notice.

80

 		if [[ -n ${f}${x} ]] ; then

81

 			vecho -ne '\n'

82

 			eqawarn "QA Notice: The following files contain insecure RUNPATHs"

83

@@ -203,9 +224,6 @@ install_qa_check() {

84

 			vecho -ne '\n'

85

 			if [[ -n ${x} ]] || has stricter ${FEATURES} ; then

86

 				insecure_rpath=1

87

-			else

88

-				vecho "Auto fixing rpaths for ${f}"

89

-				TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null

90

fi

91

fi

1	commit: e483cb18fde536893270e87aa39157da9ebda406
2	Author: David James <davidjames <AT> google <DOT> com>
3	AuthorDate: Sat Apr 30 00:21:58 2011 +0000
4	Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
5	CommitDate: Sat Apr 30 00:21:58 2011 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=e483cb18
7
8	Check for references to ${ROOT} in install_qa_checks.
9
10	When ROOT != /, binaries that reference ROOT will load their
11	dependencies from ROOT first rather than from the system-configured
12	path. This is a problem because the ROOT will be / on the target
13	system.
14
15	Besides the above, this patch also fixes incorrect parsing of scanelf
16	output, where we would treat the RPATHs returned by scanelf as the
17	names of binaries.
18
19	TEST=When "stricter" FEATURE is enabled, verify that emerge
20	fails when an ebuild references broken rpaths referencing
21	ROOT. When "stricter" FEATURE is not enabled, verify that such
22	references are automatically fixed. Also verify that ebuilds
23	with non-broken RPATHs (e.g. RPATHs referencing $ORIGIN/../lib)
24	are not touched by the change.
25
26	BUG=chromium-os:14271
27
28	Change-Id: I4f29cc4ea9195a1255f080284da1f676e4a2c26b
29
30	Review URL: http://codereview.chromium.org/6903153
31
32	---
33	bin/misc-functions.sh \| 34 ++++++++++++++++++++++++++--------
34	1 files changed, 26 insertions(+), 8 deletions(-)
35
36	diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
37	index af0cc27..c310998 100755
38	--- a/bin/misc-functions.sh
39	+++ b/bin/misc-functions.sh
40	@@ -184,16 +184,37 @@ install_qa_check() {
41	unset PORTAGE_QUIET
42	fi
43
44	- # Make sure we disallow insecure RUNPATH/RPATHs
45	- # Don't want paths that point to the tree where the package was built
46	- # (older, broken libtools would do this). Also check for null paths
47	- # because the loader will search $PWD when it finds null paths.
48	- f=$(scanelf -qyRF '%r %p' "${D}" \| grep -E "(${PORTAGE_BUILDDIR}\|: \|::\|^:\|^ )")
49	+ # Make sure we disallow insecure RUNPATH/RPATHs.
50	+ # 1) References to PORTAGE_BUILDDIR are banned because it's a
51	+ # security risk. We don't want to load files from a
52	+ # temporary directory.
53	+ # 2) If ROOT != "/", references to ROOT are banned because
54	+ # that directory won't exist on the target system.
55	+ # 3) Null paths are banned because the loader will search $PWD when
56	+ # it finds null paths.
57	+ local forbidden_dirs="${PORTAGE_BUILDDIR}"
58	+ if [[ -n "$ROOT" ]] && [[ "$ROOT" != "/" ]]; then
59	+ forbidden_dirs="${forbidden_dirs} ${ROOT}"
60	+ fi
61	+ local dir="" rpath_files=$(scanelf -F '%F:%r' -qBR "${D}")
62	+ f=""
63	+ for dir in ${forbidden_dirs}; do
64	+ for l in $(echo "${rpath_files}" \| grep -E ":${dir}\|::\|: "); do
65	+ f+=" ${l%%:*}\n"
66	+ if ! has stricter ${FEATURES}; then
67	+ vecho "Auto fixing rpaths for ${l%%:*}"
68	+ TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null
69	+ fi
70	+ done
71	+ done
72	+
73	# Reject set*id binaries with $ORIGIN in RPATH #260331
74	x=$(
75	find "${D}" -type f \( -perm -u+s -o -perm -g+s \) -print0 \| \
76	xargs -0 scanelf -qyRF '%r %p' \| grep '$ORIGIN'
77	)
78	+
79	+ # Print QA notice.
80	if [[ -n ${f}${x} ]] ; then
81	vecho -ne '\n'
82	eqawarn "QA Notice: The following files contain insecure RUNPATHs"
83	@@ -203,9 +224,6 @@ install_qa_check() {
84	vecho -ne '\n'
85	if [[ -n ${x} ]] \|\| has stricter ${FEATURES} ; then
86	insecure_rpath=1
87	- else
88	- vecho "Auto fixing rpaths for ${f}"
89	- TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null
90	fi
91	fi

Gentoo Archives: gentoo-commits