From: Michael Tremer
Date: Fri, 28 May 2021 16:21:52 +0000 (+0000)
Subject: scripts: Check for illegal rpaths
X-Git-Tag: 0.9.28~1285^2~53
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1604383183e9b72a516075b883a9a3e1dd1bf34b;p=pakfire.git
scripts: Check for illegal rpaths
Signed-off-by: Michael Tremer
---
diff --git a/Makefile.am b/Makefile.am
index 57da33e37..3dc8ca15a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -558,6 +558,7 @@ dist_scripts_SCRIPTS = \
 src/scripts/check-hardening \
 src/scripts/check-include \
 src/scripts/check-libraries \
+ src/scripts/check-rpaths \
 src/scripts/check-symlinks \
 src/scripts/check-unsafe-files \
 src/scripts/cleanup \
diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c
index 3940b1861..212d57ec6 100644
--- a/src/libpakfire/build.c
+++ b/src/libpakfire/build.c
@@ -342,6 +342,7 @@ static const char* post_build_scripts[] = {
 "check-symlinks",
 "check-unsafe-files",
 "check-libraries",
+ "check-rpaths",
 "check-buildroot",
 "check-include",
 "check-hardening",
diff --git a/src/scripts/check-rpaths b/src/scripts/check-rpaths
new file mode 100644
index 000000000..be0e3cbaa
--- /dev/null
+++ b/src/scripts/check-rpaths
@@ -0,0 +1,77 @@
+#!/bin/bash
+###############################################################################
+# #
+# Pakfire - The IPFire package management system #
+# Copyright (C) 2021 Pakfire development team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+error() {
+ echo "${0#/}: $@" >&2
+}
+
+main() {
+ local buildroot="${1}"
+ shift
+
+ # Check if BUILDROOT exists
+ if [ ! -d "${buildroot}" ]; then
+ error "BUILDROOT does not exist"
+ return 1
+ fi
+
+ local -A files=()
+
+ local file
+ for file in $(find "${buildroot}" -type f); do
+ # Skip any non-ELF files
+ if ! file "${file}" | grep -q "ELF"; then
+ continue
+ fi
+
+ # Fetch RPATH
+ local rpath="$(readelf -d "${file}" 2>/dev/null | grep RPATH | \
+ tr -d "[]" | awk '{ print $NF }')"
+
+ case "${rpath}" in
+ # No RPATH set
+ "")
+ continue
+ ;;
+
+ # Ignore anything pointing at /lib(64) and /usr/lib(64)
+ /lib|/lib64|/usr/lib|/usr/lib64)
+ continue
+ ;;
+ esac
+
+ files["${file}"]="${rpath}"
+ done
+
+ if [ "${#files[@]}" -gt 0 ]; then
+ error "The following files have unacceptable RPATHs set:"
+ local file
+ for file in ${!files[@]}; do
+ error " ${file/${buildroot}/} (${files[${file}]})"
+ done
+
+ return 1
+ fi
+
+ return 0
+}
+
+main "$@" || exit $?
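Review bot: The RPATH lookup in main() filters `readelf -d` output with `grep RPATH`, which does not match the `(RUNPATH)` tag, so a binary whose search path is stored as DT_RUNPATH passes the check unexamined; `grep -E '\((RPATH|RUNPATH)\)'` would cover both tags. The `for file in $(find "${buildroot}" -type f)` loop also word-splits find's output, so an ELF file with whitespace in its path is never inspected; `while IFS= read -r -d '' file; do … done < <(find "${buildroot}" -type f -print0)` keeps each path whole and still fills `files` in the current shell. The `case` compares the whole value, so a colon-separated list of allowed directories such as `/usr/lib:/usr/lib64` is reported as unacceptable; if that is intended, a comment above the `case` saying so would help, otherwise split on `:` and test each entry.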