python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak

The _sysconfig_vars__linux_x86_64-linux-gnu.json file contains a
"userbase" field that is populated from the build host user's $HOME
at build time. This leaks the build host user's home directory path
into the target rootfs.

The existing py_package_preprocess() cleanup for this JSON file only
strips known OE build path prefixes (STAGING_DIR_TARGET, RECIPE_SYSROOT,
etc.), but the userbase value comes from the build user's $HOME
environment variable which doesn't match any of those patterns.

Set userbase to an empty string in the packaged JSON. This is safe
because at runtime, sysconfig.get_config_vars() always recomputes
userbase by calling _getuserbase(), which resolves the actual target
user's ~/.local path dynamically. The static value in the JSON is
never used for runtime path resolution.

Signed-off-by: Bin Cao <bin.cao.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb
index 501de75fb1875c77bb4ad68b64144288ba521747..919cfde9aec18f9578a3f8672d3354d9055c0a3b 100644 (file)
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.5.bb
@@ -390,6 +390,7 @@ py_package_preprocess () {
                 -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
                 -e 's:${RECIPE_SYSROOT}::g' \
                 -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \
+                -e 's|"userbase": ".*"|"userbase": ""|g' \
                ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfig_vars*.json
 }