commit:     efa5c5e7b7a5ef7b4533dfe3bd6befc767b7b34a
Author:     Mike Frysinger <vapier <AT> chromium <DOT> org>
AuthorDate: Tue May 26 03:42:27 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue May 26 03:46:31 2015 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=efa5c5e7

install-qa-check.d: tweak scanelf checks

Rather than have a function whose entire body is indented by a scanelf
existence check, do the check at the top and return early.  This keeps
the indentation from getting too out of hand.

(Use `git log -p -1 -w` to see actual changed lines.)

 bin/install-qa-check.d/10executable-issues | 248 +++++++++++++++--------------
 bin/install-qa-check.d/80libraries         | 130 +++++++--------
 2 files changed, 193 insertions(+), 185 deletions(-)

diff --git a/bin/install-qa-check.d/10executable-issues 
b/bin/install-qa-check.d/10executable-issues
index 5c80660..10d3c71 100644
--- a/bin/install-qa-check.d/10executable-issues
+++ b/bin/install-qa-check.d/10executable-issues
@@ -2,141 +2,143 @@
 # text relocations, executable stacks
 
 elf_check() {
-       if type -P scanelf > /dev/null && ! has binchecks ${RESTRICT}; then
-               local insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET}
-               local f x
+       if ! type -P scanelf >/dev/null || has binchecks ${RESTRICT}; then
+               return
+       fi
 
-               # display warnings when using stricter because we die afterwards
-               if has stricter ${FEATURES} ; then
-                       local PORTAGE_QUIET
-               fi
+       local insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET}
+       local f x
 
-               # Make sure we disallow insecure RUNPATH/RPATHs.
-               #   1) References to PORTAGE_BUILDDIR are banned because it's a
-               #      security risk. We don't want to load files from a
-               #      temporary directory.
-               #   2) If ROOT != "/", references to ROOT are banned because
-               #      that directory won't exist on the target system.
-               #   3) Null paths are banned because the loader will search 
$PWD when
-               #      it finds null paths.
-               local forbidden_dirs="${PORTAGE_BUILDDIR}"
-               if [[ -n "${ROOT}" && "${ROOT}" != "/" ]]; then
-                       forbidden_dirs+=" ${ROOT}"
-               fi
-               local dir l rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}")
-               f=""
-               for dir in ${forbidden_dirs}; do
-                       for l in $(echo "${rpath_files}" | grep -E 
":${dir}|::|: "); do
-                               f+="  ${l%%:*}\n"
-                               if ! has stricter ${FEATURES}; then
-                                       __vecho "Auto fixing rpaths for 
${l%%:*}"
-                                       TMPDIR="${dir}" scanelf -BXr "${l%%:*}" 
-o /dev/null
-                               fi
-                       done
+       # display warnings when using stricter because we die afterwards
+       if has stricter ${FEATURES} ; then
+               local PORTAGE_QUIET
+       fi
+
+       # Make sure we disallow insecure RUNPATH/RPATHs.
+       #   1) References to PORTAGE_BUILDDIR are banned because it's a
+       #      security risk. We don't want to load files from a
+       #      temporary directory.
+       #   2) If ROOT != "/", references to ROOT are banned because
+       #      that directory won't exist on the target system.
+       #   3) Null paths are banned because the loader will search $PWD when
+       #      it finds null paths.
+       local forbidden_dirs="${PORTAGE_BUILDDIR}"
+       if [[ -n "${ROOT}" && "${ROOT}" != "/" ]]; then
+               forbidden_dirs+=" ${ROOT}"
+       fi
+       local dir l rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}")
+       f=""
+       for dir in ${forbidden_dirs}; do
+               for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do
+                       f+="  ${l%%:*}\n"
+                       if ! has stricter ${FEATURES}; then
+                               __vecho "Auto fixing rpaths for ${l%%:*}"
+                               TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o 
/dev/null
+                       fi
                done
+       done
 
-               # Reject set*id binaries with $ORIGIN in RPATH #260331
-               x=$(
-                       find "${ED}" -type f \( -perm -u+s -o -perm -g+s \) 
-print0 | \
-                       xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN'
-               )
+       # Reject set*id binaries with $ORIGIN in RPATH #260331
+       x=$(
+               find "${ED}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \
+               xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN'
+       )
 
-               # Print QA notice.
-               if [[ -n ${f}${x} ]] ; then
-                       __vecho -ne '\n'
-                       eqawarn "QA Notice: The following files contain 
insecure RUNPATHs"
-                       eqawarn " Please file a bug about this at 
http://bugs.gentoo.org/";
-                       eqawarn " with the maintaining herd of the package."
-                       eqawarn "${f}${f:+${x:+\n}}${x}"
-                       __vecho -ne '\n'
-                       if [[ -n ${x} ]] || has stricter ${FEATURES} ; then
-                               insecure_rpath=1
-                       fi
+       # Print QA notice.
+       if [[ -n ${f}${x} ]] ; then
+               __vecho -ne '\n'
+               eqawarn "QA Notice: The following files contain insecure 
RUNPATHs"
+               eqawarn " Please file a bug about this at 
http://bugs.gentoo.org/";
+               eqawarn " with the maintaining herd of the package."
+               eqawarn "${f}${f:+${x:+\n}}${x}"
+               __vecho -ne '\n'
+               if [[ -n ${x} ]] || has stricter ${FEATURES} ; then
+                       insecure_rpath=1
                fi
+       fi
 
-               # TEXTRELs are baaaaaaaad
-               # Allow devs to mark things as ignorable ... e.g. things that 
are
-               # binary-only and upstream isn't cooperating (nvidia-glx) ... we
-               # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS 
...
-               # the former overrides the latter ... regexes allowed ! :)
-               local qa_var="QA_TEXTRELS_${ARCH/-/_}"
-               [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
-               [[ -n ${QA_STRICT_TEXTRELS} ]] && QA_TEXTRELS=""
-               export QA_TEXTRELS="${QA_TEXTRELS} lib*/modules/*.ko"
-               f=$(scanelf -qyRF '%t %p' "${ED}" | grep -v 'usr/lib/debug/')
-               if [[ -n ${f} ]] ; then
-                       scanelf -qyRAF '%T %p' "${PORTAGE_BUILDDIR}"/ &> 
"${T}"/scanelf-textrel.log
-                       __vecho -ne '\n'
-                       eqawarn "QA Notice: The following files contain runtime 
text relocations"
-                       eqawarn " Text relocations force the dynamic linker to 
perform extra"
-                       eqawarn " work at startup, waste system resources, and 
may pose a security"
-                       eqawarn " risk.  On some architectures, the code may 
not even function"
-                       eqawarn " properly, if at all."
-                       eqawarn " For more information, see:"
-                       eqawarn
-                       eqawarn "   
https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels";
-                       eqawarn
-                       eqawarn " Please include the following list of files in 
your report:"
-                       eqawarn "${f}"
-                       __vecho -ne '\n'
-                       die_msg="${die_msg} textrels,"
-                       sleep 1
-               fi
+       # TEXTRELs are baaaaaaaad
+       # Allow devs to mark things as ignorable ... e.g. things that are
+       # binary-only and upstream isn't cooperating (nvidia-glx) ... we
+       # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
+       # the former overrides the latter ... regexes allowed ! :)
+       local qa_var="QA_TEXTRELS_${ARCH/-/_}"
+       [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
+       [[ -n ${QA_STRICT_TEXTRELS} ]] && QA_TEXTRELS=""
+       export QA_TEXTRELS="${QA_TEXTRELS} lib*/modules/*.ko"
+       f=$(scanelf -qyRF '%t %p' "${ED}" | grep -v 'usr/lib/debug/')
+       if [[ -n ${f} ]] ; then
+               scanelf -qyRAF '%T %p' "${PORTAGE_BUILDDIR}"/ &> 
"${T}"/scanelf-textrel.log
+               __vecho -ne '\n'
+               eqawarn "QA Notice: The following files contain runtime text 
relocations"
+               eqawarn " Text relocations force the dynamic linker to perform 
extra"
+               eqawarn " work at startup, waste system resources, and may pose 
a security"
+               eqawarn " risk.  On some architectures, the code may not even 
function"
+               eqawarn " properly, if at all."
+               eqawarn " For more information, see:"
+               eqawarn
+               eqawarn "   
https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels";
+               eqawarn
+               eqawarn " Please include the following list of files in your 
report:"
+               eqawarn "${f}"
+               __vecho -ne '\n'
+               die_msg="${die_msg} textrels,"
+               sleep 1
+       fi
 
-               # Also, executable stacks only matter on linux (and just glibc 
atm ...)
-               f=""
+       # Also, executable stacks only matter on linux (and just glibc atm ...)
+       f=""
+       case ${CTARGET:-${CHOST}} in
+               *-linux-gnu*)
+               # Check for files with executable stacks, but only on arches 
which
+               # are supported at the moment.  Keep this list in sync with
+               # 
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart#Arch_Status
                case ${CTARGET:-${CHOST}} in
-                       *-linux-gnu*)
-                       # Check for files with executable stacks, but only on 
arches which
-                       # are supported at the moment.  Keep this list in sync 
with
-                       # 
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart#Arch_Status
-                       case ${CTARGET:-${CHOST}} in
-                               arm*|i?86*|ia64*|m68k*|s390*|sh*|x86_64*)
-                                       # Allow devs to mark things as 
ignorable ... e.g. things
-                                       # that are binary-only and upstream 
isn't cooperating ...
-                                       # we allow ebuild authors to set 
QA_EXECSTACK_arch and
-                                       # QA_EXECSTACK ... the former overrides 
the latter ...
-                                       # regexes allowed ! :)
+                       arm*|i?86*|ia64*|m68k*|s390*|sh*|x86_64*)
+                               # Allow devs to mark things as ignorable ... 
e.g. things
+                               # that are binary-only and upstream isn't 
cooperating ...
+                               # we allow ebuild authors to set 
QA_EXECSTACK_arch and
+                               # QA_EXECSTACK ... the former overrides the 
latter ...
+                               # regexes allowed ! :)
 
-                                       qa_var="QA_EXECSTACK_${ARCH/-/_}"
-                                       [[ -n ${!qa_var} ]] && 
QA_EXECSTACK=${!qa_var}
-                                       [[ -n ${QA_STRICT_EXECSTACK} ]] && 
QA_EXECSTACK=""
-                                       qa_var="QA_WX_LOAD_${ARCH/-/_}"
-                                       [[ -n ${!qa_var} ]] && 
QA_WX_LOAD=${!qa_var}
-                                       [[ -n ${QA_STRICT_WX_LOAD} ]] && 
QA_WX_LOAD=""
-                                       export QA_EXECSTACK="${QA_EXECSTACK} 
lib*/modules/*.ko"
-                                       export QA_WX_LOAD="${QA_WX_LOAD} 
lib*/modules/*.ko"
-                                       f=$(scanelf -qyRAF '%e %p' "${ED}" | 
grep -v 'usr/lib/debug/')
-                                       ;;
-                       esac
-                       ;;
+                               qa_var="QA_EXECSTACK_${ARCH/-/_}"
+                               [[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var}
+                               [[ -n ${QA_STRICT_EXECSTACK} ]] && 
QA_EXECSTACK=""
+                               qa_var="QA_WX_LOAD_${ARCH/-/_}"
+                               [[ -n ${!qa_var} ]] && QA_WX_LOAD=${!qa_var}
+                               [[ -n ${QA_STRICT_WX_LOAD} ]] && QA_WX_LOAD=""
+                               export QA_EXECSTACK="${QA_EXECSTACK} 
lib*/modules/*.ko"
+                               export QA_WX_LOAD="${QA_WX_LOAD} 
lib*/modules/*.ko"
+                               f=$(scanelf -qyRAF '%e %p' "${ED}" | grep -v 
'usr/lib/debug/')
+                               ;;
                esac
-               if [[ -n ${f} ]] ; then
-                       # One more pass to help devs track down the source
-                       scanelf -qyRAF '%e %p' "${PORTAGE_BUILDDIR}"/ &> 
"${T}"/scanelf-execstack.log
-                       __vecho -ne '\n'
-                       eqawarn "QA Notice: The following files contain 
writable and executable sections"
-                       eqawarn " Files with such sections will not work 
properly (or at all!) on some"
-                       eqawarn " architectures/operating systems.  A bug 
should be filed at"
-                       eqawarn " http://bugs.gentoo.org/ to make sure the 
issue is fixed."
-                       eqawarn " For more information, see:"
-                       eqawarn
-                       eqawarn "   
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart";
-                       eqawarn
-                       eqawarn " Please include the following list of files in 
your report:"
-                       eqawarn " Note: Bugs should be filed for the respective 
maintainers"
-                       eqawarn " of the package in question and not 
[email protected]."
-                       eqawarn "${f}"
-                       __vecho -ne '\n'
-                       die_msg="${die_msg} execstacks"
-                       sleep 1
-               fi
+               ;;
+       esac
+       if [[ -n ${f} ]] ; then
+               # One more pass to help devs track down the source
+               scanelf -qyRAF '%e %p' "${PORTAGE_BUILDDIR}"/ &> 
"${T}"/scanelf-execstack.log
+               __vecho -ne '\n'
+               eqawarn "QA Notice: The following files contain writable and 
executable sections"
+               eqawarn " Files with such sections will not work properly (or 
at all!) on some"
+               eqawarn " architectures/operating systems.  A bug should be 
filed at"
+               eqawarn " http://bugs.gentoo.org/ to make sure the issue is 
fixed."
+               eqawarn " For more information, see:"
+               eqawarn
+               eqawarn "   
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart";
+               eqawarn
+               eqawarn " Please include the following list of files in your 
report:"
+               eqawarn " Note: Bugs should be filed for the respective 
maintainers"
+               eqawarn " of the package in question and not [email protected]."
+               eqawarn "${f}"
+               __vecho -ne '\n'
+               die_msg="${die_msg} execstacks"
+               sleep 1
+       fi
 
-               if [[ ${insecure_rpath} -eq 1 ]] ; then
-                       die "Aborting due to serious QA concerns with 
RUNPATH/RPATH"
-               elif [[ -n ${die_msg} ]] && has stricter ${FEATURES} ; then
-                       die "Aborting due to QA concerns: ${die_msg}"
-               fi
+       if [[ ${insecure_rpath} -eq 1 ]] ; then
+               die "Aborting due to serious QA concerns with RUNPATH/RPATH"
+       elif [[ -n ${die_msg} ]] && has stricter ${FEATURES} ; then
+               die "Aborting due to QA concerns: ${die_msg}"
        fi
 }
 
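Review bot: `die_msg` is appended to at the textrel and execstack notices and tested at the final `elif`, but the `local` declarations at the top of elf_check never initialise it, so unless the caller guarantees a fresh variable, a value inherited from an earlier check can make `die "Aborting due to QA concerns: ${die_msg}"` fire under FEATURES=stricter for findings that are not this check's; declare it with the others: `local insecure_rpath=0 die_msg=`. The `tmp_quiet=${PORTAGE_QUIET}` on that same line appears unused anywhere in the function (PORTAGE_QUIET is only shadowed with `local` and never restored), so it can be dropped at the same time. Separately, `local dir l rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}")` hides scanelf's exit status behind `local`, so a scanelf failure is indistinguishable from "no forbidden RPATH found"; split it into `local dir l rpath_files` and `rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}")` and check the status before trusting an empty result. The `for l in $(... | grep -E ":${dir}|::|: ")` loop also word-splits scanelf's output, so a path containing whitespace is reported and auto-fixed as fragments; reading the output line by line with `while IFS= read -r l` would keep each entry intact.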

diff --git a/bin/install-qa-check.d/80libraries 
b/bin/install-qa-check.d/80libraries
index 3977bae..8257e5b 100644
--- a/bin/install-qa-check.d/80libraries
+++ b/bin/install-qa-check.d/80libraries
@@ -1,76 +1,82 @@
 # Check for issues with installed libraries
 
-lib_check() {
+scanelf_lib_check() {
        local f x i j
 
-       if type -P scanelf > /dev/null && ! has binchecks ${RESTRICT}; then
-               # Check for shared libraries lacking SONAMEs
-               local qa_var="QA_SONAME_${ARCH/-/_}"
-               eval "[[ -n \${!qa_var} ]] && QA_SONAME=(\"\${${qa_var}[@]}\")"
-               f=$(scanelf -ByF '%S %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 
== "" { print }' | sed -e "s:^[[:space:]]${ED}:/:")
-               if [[ -n ${f} ]] ; then
-                       echo "${f}" > "${T}"/scanelf-missing-SONAME.log
-                       if [[ "${QA_STRICT_SONAME-unset}" == unset ]] ; then
-                               if [[ ${#QA_SONAME[@]} -gt 1 ]] ; then
-                                       for x in "${QA_SONAME[@]}" ; do
-                                               sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-SONAME.log
-                                       done
-                               else
-                                       local shopts=$-
-                                       set -o noglob
-                                       for x in ${QA_SONAME} ; do
-                                               sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-SONAME.log
-                                       done
-                                       set +o noglob
-                                       set -${shopts}
-                               fi
-                       fi
-                       sed -e "/^\$/d" -i "${T}"/scanelf-missing-SONAME.log
-                       f=$(<"${T}"/scanelf-missing-SONAME.log)
-                       if [[ -n ${f} ]] ; then
-                               __vecho -ne '\n'
-                               eqawarn "QA Notice: The following shared 
libraries lack a SONAME"
-                               eqawarn "${f}"
-                               __vecho -ne '\n'
-                               sleep 1
+       # Check for shared libraries lacking SONAMEs
+       local qa_var="QA_SONAME_${ARCH/-/_}"
+       eval "[[ -n \${!qa_var} ]] && QA_SONAME=(\"\${${qa_var}[@]}\")"
+       f=$(scanelf -ByF '%S %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { 
print }' | sed -e "s:^[[:space:]]${ED}:/:")
+       if [[ -n ${f} ]] ; then
+               echo "${f}" > "${T}"/scanelf-missing-SONAME.log
+               if [[ "${QA_STRICT_SONAME-unset}" == unset ]] ; then
+                       if [[ ${#QA_SONAME[@]} -gt 1 ]] ; then
+                               for x in "${QA_SONAME[@]}" ; do
+                                       sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-SONAME.log
+                               done
                        else
-                               rm -f "${T}"/scanelf-missing-SONAME.log
+                               local shopts=$-
+                               set -o noglob
+                               for x in ${QA_SONAME} ; do
+                                       sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-SONAME.log
+                               done
+                               set +o noglob
+                               set -${shopts}
                        fi
                fi
-
-               # Check for shared libraries lacking NEEDED entries
-               qa_var="QA_DT_NEEDED_${ARCH/-/_}"
-               eval "[[ -n \${!qa_var} ]] && 
QA_DT_NEEDED=(\"\${${qa_var}[@]}\")"
-               f=$(scanelf -ByF '%n %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 
== "" { print }' | sed -e "s:^[[:space:]]${ED}:/:")
+               sed -e "/^\$/d" -i "${T}"/scanelf-missing-SONAME.log
+               f=$(<"${T}"/scanelf-missing-SONAME.log)
                if [[ -n ${f} ]] ; then
-                       echo "${f}" > "${T}"/scanelf-missing-NEEDED.log
-                       if [[ "${QA_STRICT_DT_NEEDED-unset}" == unset ]] ; then
-                               if [[ ${#QA_DT_NEEDED[@]} -gt 1 ]] ; then
-                                       for x in "${QA_DT_NEEDED[@]}" ; do
-                                               sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-NEEDED.log
-                                       done
-                               else
-                                       local shopts=$-
-                                       set -o noglob
-                                       for x in ${QA_DT_NEEDED} ; do
-                                               sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-NEEDED.log
-                                       done
-                                       set +o noglob
-                                       set -${shopts}
-                               fi
-                       fi
-                       sed -e "/^\$/d" -i "${T}"/scanelf-missing-NEEDED.log
-                       f=$(<"${T}"/scanelf-missing-NEEDED.log)
-                       if [[ -n ${f} ]] ; then
-                               __vecho -ne '\n'
-                               eqawarn "QA Notice: The following shared 
libraries lack NEEDED entries"
-                               eqawarn "${f}"
-                               __vecho -ne '\n'
-                               sleep 1
+                       __vecho -ne '\n'
+                       eqawarn "QA Notice: The following shared libraries lack 
a SONAME"
+                       eqawarn "${f}"
+                       __vecho -ne '\n'
+                       sleep 1
+               else
+                       rm -f "${T}"/scanelf-missing-SONAME.log
+               fi
+       fi
+
+       # Check for shared libraries lacking NEEDED entries
+       qa_var="QA_DT_NEEDED_${ARCH/-/_}"
+       eval "[[ -n \${!qa_var} ]] && QA_DT_NEEDED=(\"\${${qa_var}[@]}\")"
+       f=$(scanelf -ByF '%n %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { 
print }' | sed -e "s:^[[:space:]]${ED}:/:")
+       if [[ -n ${f} ]] ; then
+               echo "${f}" > "${T}"/scanelf-missing-NEEDED.log
+               if [[ "${QA_STRICT_DT_NEEDED-unset}" == unset ]] ; then
+                       if [[ ${#QA_DT_NEEDED[@]} -gt 1 ]] ; then
+                               for x in "${QA_DT_NEEDED[@]}" ; do
+                                       sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-NEEDED.log
+                               done
                        else
-                               rm -f "${T}"/scanelf-missing-NEEDED.log
+                               local shopts=$-
+                               set -o noglob
+                               for x in ${QA_DT_NEEDED} ; do
+                                       sed -e "s#^/${x#/}\$##" -i 
"${T}"/scanelf-missing-NEEDED.log
+                               done
+                               set +o noglob
+                               set -${shopts}
                        fi
                fi
+               sed -e "/^\$/d" -i "${T}"/scanelf-missing-NEEDED.log
+               f=$(<"${T}"/scanelf-missing-NEEDED.log)
+               if [[ -n ${f} ]] ; then
+                       __vecho -ne '\n'
+                       eqawarn "QA Notice: The following shared libraries lack 
NEEDED entries"
+                       eqawarn "${f}"
+                       __vecho -ne '\n'
+                       sleep 1
+               else
+                       rm -f "${T}"/scanelf-missing-NEEDED.log
+               fi
+       fi
+}
+
+lib_check() {
+       local f x i j
+
+       if type -P scanelf >/dev/null && ! has binchecks ${RESTRICT}; then
+               scanelf_lib_check
        fi
 
        # this should help to ensure that all (most?) shared libraries are 
executable
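Review bot: The new `scanelf_lib_check` has no header comment, yet it invokes scanelf unconditionally at `f=$(scanelf -ByF '%S %p' ...)` and depends on lib_check having already verified `type -P scanelf` and the absence of `binchecks` in RESTRICT; a comment above the function such as `# Requires scanelf on PATH; lib_check only calls this when scanelf is present and binchecks is not in RESTRICT.` keeps that precondition visible to the next refactor. The `local f x i j` line carried over into scanelf_lib_check declares `i` and `j` that nothing in the function's body uses, so `local f x` is sufficient there; lib_check keeps its own copy for its body, which continues outside the hunk. Both functions still write `"${T}"/scanelf-missing-*.log` and edit it in place with `sed -i` from a variable-built pattern, which is unchanged history here, but the new split would be a natural point to note in the header which files under `${T}` the function leaves behind.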
