Github messages for voidlinux
 help / color / mirror / Atom feed
From: tornaria <tornaria@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries
Date: Tue, 31 Aug 2021 01:11:06 +0200	[thread overview]
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-32769@inbox.vuxu.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]

New issue by tornaria on void-packages repository

https://github.com/void-linux/void-packages/issues/32769

Description:
I'm compling a library that will "leak" the install directories in rpaths. I mean `/destdir/*`.

I catched it just by chance, so I wonder if it would make sense to check for that and warn/error for bad rpaths like those.

Here's a quick hack. I put this in `common/hooks/post-install/07-pkglint-rpath.sh`. I'm not sure it belongs there or in `pre-pkg`, but seems to work ok there.

```bash
# check rpath
# see: https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh

hook() {
        find ${PKGDESTDIR} -type f | while read f; do
        read -n4 elfmagic < "$f"
        if [ "$elfmagic" = $'\177ELF' ]; then
                        for rpath in $($OBJDUMP -p "$f"|awk '/RPATH/{print $2}'); do
                                lf=${f#${PKGDESTDIR}}
                                case $rpath in
                                        /builddir/*|/destdir/*)
                                                msg_warn "invalid RPATH=$rpath in $lf\n"
                                                ;;
                                        *)
                                                msg_normal "RPATH=$rpath in $lf\n"
                                                ;;
                                esac
                        done
                fi
        done
}
```

Have a look at https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh for a stricter approach, namely:
 - allow only rpaths not starting with /lib, /usr/lib,  $ORIGIN, etc.
 - for those, check that the actual path exists in the package.
 - everything else: warn (could be error, maybe with some way to skip)

Maybe some explanation in the manual would also be helpful, and a suggestion on how to fix it if it can't be disabled in configure/make. What I did was add `chrpath` to `hostmakedepends`, and run `chrpath -d FILES` from `post_install()`.

             reply	other threads:[~2021-08-30 23:11 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-30 23:11 tornaria [this message]
2021-08-30 23:17 ` ericonr
2022-06-04  2:09 ` github-actions
2022-06-18  2:12 ` [ISSUE] [CLOSED] " github-actions

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-32769@inbox.vuxu.org \
    --to=tornaria@users.noreply.github.com \
    --cc=ml@inbox.vuxu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).