
audit-tmpdir hook: use abspath matching on RPATH entries #51317

Merged
merged 2 commits into from Dec 3, 2018

Conversation

bjornfor
Contributor

@bjornfor bjornfor commented Dec 1, 2018

Motivation for this change

This ensures that RPATH entries like "/foo/build" don't trigger a match when TMPDIR is "/build". (I've had this problem with a prebuilt package.)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@symphorien
Member

Is this correct? The RPATH is a colon-separated list, so the regexp should probably be something like (^|:)/build?

@bjornfor
Contributor Author

bjornfor commented Dec 1, 2018

Doh. Right.

Hm, grep is invoked with -F to disable regex. Not sure how to do a regexp-like search while still treating the $TMPDIR pattern as literal.

@bjornfor
Contributor Author

bjornfor commented Dec 1, 2018

Multiple patterns can be added with -e. But with the -F option the only way I found (yet) to lock to start of string is the --line-regex option. But that fails to allow trailing chars after the match, since it matches whole lines.

$ echo "/build:/build/:/build/bar:/buildbar:/foo/build" | tr : '\n' | grep -F --line-regex -e "/build" -e "/build/"
/build
/build/

(Fails to match "/build/bar".)

@bjornfor
Contributor Author

bjornfor commented Dec 1, 2018

Although it'd be interesting to match start-of-string (which is the correct thing to do), I think the package that I actually had problems with gets solved by 551aecf (added just two weeks ago).

@bjornfor bjornfor closed this Dec 1, 2018
@symphorien
Member

Here is one possibility:

$  { sed "s/^/:/" | grep -F ":/build" ; }<<EOF 
/build:/build/:/build/bar:/buildbar:/foo/build
/foo/build:/build
/build:/foo
/foo/build
EOF  
:/build:/build/:/build/bar:/buildbar:/foo/build
:/foo/build:/build
:/build:/foo

that is

patchelf --print-rpath "$i" | sed 's/^/:/' | grep -q -F ":$TMPDIR/";

@bjornfor bjornfor reopened this Dec 2, 2018
@bjornfor bjornfor force-pushed the audit-tmpdir branch 2 times, most recently from 337f078 to 47d21a8 on December 2, 2018 10:41
@bjornfor
Contributor Author

bjornfor commented Dec 2, 2018

@symphorien: Good idea! I replaced sed with printf for performance (now negligible) and force-pushed.

This ensures that RPATH entries like "/foo/build/bar" don't trigger a
match when TMPDIR is "/build/bar". (I've had this problem with a
prebuilt package.)
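The delimiter trick from this thread, as an added example that is not the nixpkgs hook's own code: the naive `grep -F "$TMPDIR"` check is shown beside the anchored one. The RPATH strings and the TMPDIR value are constructed sample input standing in for `patchelf --print-rpath "$i"`; the `printf` prefix follows the comment above, and the list is additionally wrapped with a trailing `:` and matched against `":$TMPDIR:"` as well, which goes slightly beyond the one-liner on this page so that an entry exactly equal to `$TMPDIR` is also flagged. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the nixpkgs audit-tmpdir hook itself): compare the naive
# substring check against delimiter-anchored matching of RPATH entries.
# RPATH strings and the TMPDIR value are constructed sample input; in the
# real hook the RPATH comes from `patchelf --print-rpath "$i"`.

# Naive check, as the hook did before this change: any substring hit counts,
# so the entry "/foo/build" wrongly matches TMPDIR="/build".
naive_refs_tmpdir() {
    _rp=$1; _td=$2
    printf '%s' "$_rp" | grep -q -F "$_td"
}

# Anchored check: wrap the colon-separated list in ':' on both sides so every
# entry is delimited, then require an entry to be exactly $TMPDIR (":$TMPDIR:")
# or a path below it (":$TMPDIR/"). grep -F keeps $TMPDIR literal, so a
# TMPDIR containing regex metacharacters cannot widen the match.
anchored_refs_tmpdir() {
    _rp=$1; _td=$2
    printf ':%s:' "$_rp" | grep -q -F -e ":$_td/" -e ":$_td:"
}

# Run both checks over constructed cases and print a comparison table.
# Returns 0 when the anchored check gives the expected answer for every case.
demo() {
    tmpdir=/build
    failed=0
    # format: rpath|expected (1 = must be flagged, 0 = must not be flagged)
    for spec in \
        "/build|1" \
        "/build/:/nix/store/x/lib|1" \
        "/nix/store/x/lib:/build/bar|1" \
        "/buildbar|0" \
        "/foo/build|0" \
        "/foo/build/bar|0"
    do
        rpath=${spec%|*}; expected=${spec#*|}
        if anchored_refs_tmpdir "$rpath" "$tmpdir"; then got=1; else got=0; fi
        if naive_refs_tmpdir "$rpath" "$tmpdir"; then naive=1; else naive=0; fi
        printf '%-32s anchored=%s naive=%s expected=%s\n' \
            "$rpath" "$got" "$naive" "$expected"
        [ "$got" = "$expected" ] || failed=1
    done
    return $failed
}

demo
```

Running it shows the naive check flagging "/buildbar", "/foo/build" and "/foo/build/bar" while the anchored check flags only the three entries that really are $TMPDIR or inside it. Note that the one-liner in the thread matches only ":$TMPDIR/", so an RPATH entry that is exactly $TMPDIR with no trailing path would slip past it; the extra ":$TMPDIR:" pattern here closes that gap.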
@bjornfor bjornfor changed the title audit-tmpdir hook: lock pattern matching to start-of-string audit-tmpdir hook: use abspath matching on RPATH entries Dec 2, 2018
Member

@Ericson2314 Ericson2314 left a comment


Great idea!

@Ericson2314 Ericson2314 merged commit 617c2a3 into NixOS:staging Dec 3, 2018
@bjornfor
Contributor Author

bjornfor commented Dec 3, 2018

@Ericson2314: Thanks!

@bjornfor bjornfor deleted the audit-tmpdir branch December 3, 2018 13:58