Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4954)

Unified Diff: bin/misc-functions.sh

Issue 6903153: Check for references to ${ROOT} in install_qa_checks. (Closed) Base URL: git://git.overlays.gentoo.org/proj/portage.git@master
Patch Set: Same patch, rebased against cros-2.1.9 branch Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: bin/misc-functions.sh
diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
index ae4cc9e71e8509e8f4d7654ab836637cdf4a3b1e..22afd93868bfe451fef6c8dd89689b0cc463a8a4 100755
--- a/bin/misc-functions.sh
+++ b/bin/misc-functions.sh
@@ -184,16 +184,37 @@ install_qa_check() {
unset PORTAGE_QUIET
fi
- # Make sure we disallow insecure RUNPATH/RPATHs
- # Don't want paths that point to the tree where the package was built
- # (older, broken libtools would do this). Also check for null paths
- # because the loader will search $PWD when it finds null paths.
- f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )")
+ # Make sure we disallow insecure RUNPATH/RPATHs.
+ # 1) References to PORTAGE_BUILDDIR are banned because it's a
+ # security risk. We don't want to load files from a
+ # temporary directory.
+ # 2) If ROOT != "/", references to ROOT are banned because
+ # that directory won't exist on the target system.
+ # 3) Null paths are banned because the loader will search $PWD when
+ # it finds null paths.
+ local forbidden_dirs="${PORTAGE_BUILDDIR}"
+ if [[ -n "$ROOT" ]] && [[ "$ROOT" != "/" ]]; then
+ forbidden_dirs="${forbidden_dirs} ${ROOT}"
+ fi
+ local dir="" rpath_files=$(scanelf -F '%F:%r' -qBR "${D}")
+ f=""
+ for dir in ${forbidden_dirs}; do
+ for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do
+ f+=" ${l%%:*}\n"
+ if ! has stricter ${FEATURES}; then
+ vecho "Auto fixing rpaths for ${l%%:*}"
+ TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null
+ fi
+ done
+ done
+
# Reject set*id binaries with $ORIGIN in RPATH #260331
x=$(
find "${D}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \
xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN'
)
+
+ # Print QA notice.
if [[ -n ${f}${x} ]] ; then
vecho -ne '\n'
eqawarn "QA Notice: The following files contain insecure RUNPATHs"
@@ -203,9 +224,6 @@ install_qa_check() {
vecho -ne '\n'
if [[ -n ${x} ]] || has stricter ${FEATURES} ; then
insecure_rpath=1
- else
- vecho "Auto fixing rpaths for ${f}"
- TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null
fi
fi
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698