Check for references to ${ROOT} in install_qa_checks.

bin/misc-functions.sh

 #!/bin/bash
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # Miscellaneous shell functions that make use of the ebuild env but don't need
 # to be included directly in ebuild.sh.
 #
 # We're sourcing ebuild.sh here so that we inherit all of it's goodness,
 # including bashrc trickery.  This approach allows us to do our miscellaneous
 # shell work withing the same env that ebuild.sh has, but without polluting
@@ skipping 166 matching lines @@
 
         if type -P scanelf > /dev/null && ! hasq binchecks ${RESTRICT}; then
                 local qa_var insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET}
                 local x
 
                 # display warnings when using stricter because we die afterwards
                 if has stricter ${FEATURES} ; then
                         unset PORTAGE_QUIET
                 fi
 
-                # Make sure we disallow insecure RUNPATH/RPATHs
-                # Don't want paths that point to the tree where the package was built
-                # (older, broken libtools would do this).  Also check for null paths
-                # because the loader will search $PWD when it finds null paths.
-                f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )")
+                # Make sure we disallow insecure RUNPATH/RPATHs.
+                #   1) References to PORTAGE_BUILDDIR are banned because it's a
+                #      security risk. We don't want to load files from a
+                #      temporary directory.
+                #   2) If ROOT != "/", references to ROOT are banned because
+                #      that directory won't exist on the target system.
+                #   3) Null paths are banned because the loader will search $PWD when
+                #      it finds null paths.
+                local forbidden_dirs="${PORTAGE_BUILDDIR}"
+                if [[ -n "$ROOT" ]] && [[ "$ROOT" != "/" ]]; then
+                        forbidden_dirs="${forbidden_dirs} ${ROOT}"
+                fi
+                local dir="" rpath_files=$(scanelf -F '%F:%r' -qBR "${D}")
+                f=""
+                for dir in ${forbidden_dirs}; do
+                        for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do
+                                f+="  ${l%%:*}\n"
+                                if ! has stricter ${FEATURES}; then
+                                        vecho "Auto fixing rpaths for ${l%%:*}"
+                                        TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null
+                                fi
+                        done
+                done
+
                 # Reject set*id binaries with $ORIGIN in RPATH #260331
                 x=$(
                         find "${D}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \
                         xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN'
                 )
+
+                # Print QA notice.
                 if [[ -n ${f}${x} ]] ; then
                         vecho -ne '\n'
                         eqawarn "QA Notice: The following files contain insecure RUNPATHs"
                         eqawarn " Please file a bug about this at http://bugs.gentoo.org/"
                         eqawarn " with the maintaining herd of the package."
                         eqawarn "${f}${f:+${x:+\n}}${x}"
                         vecho -ne '\n'
                         if [[ -n ${x} ]] || has stricter ${FEATURES} ; then
                                 insecure_rpath=1
-                        else
-                                vecho "Auto fixing rpaths for ${f}"
-                                TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null
                         fi
                 fi
 
                 # TEXTRELs are baaaaaaaad
                 # Allow devs to mark things as ignorable ... e.g. things that are
                 # binary-only and upstream isn't cooperating (nvidia-glx) ... we
                 # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
                 # the former overrides the latter ... regexes allowed ! :)
                 qa_var="QA_TEXTRELS_${ARCH/-/_}"
                 [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
@@ skipping 761 matching lines @@
         done
         unset x
         [[ -n $PORTAGE_EBUILD_EXIT_FILE ]] && > "$PORTAGE_EBUILD_EXIT_FILE"
         if [[ -n $PORTAGE_IPC_DAEMON ]] ; then
                 [[ ! -s $SANDBOX_LOG ]]
                 "$PORTAGE_BIN_PATH"/ebuild-ipc exit $?
         fi
 fi
 
 :