audit-tmpdir hook: use abspath matching on RPATH entries #51317

Merged
merged 2 commits into from Dec 3, 2018

bjornfor commented Dec 1, 2018

Motivation for this change

This ensures that RPATH entries like "/foo/build" don't trigger a match when TMPDIR is "/build". (I've had this problem with a prebuilt package.)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@bjornfor bjornfor requested a review from Ericson2314 as a code owner Dec 1, 2018

@bjornfor bjornfor force-pushed the bjornfor:audit-tmpdir branch Dec 1, 2018

symphorien commented Dec 1, 2018

Is this correct? The RPATH is a colon-separated list, so the regexp should probably be something like (^|:)/build?

bjornfor commented Dec 1, 2018

Doh. Right.

Hm, grep is invoked with -F to disable regex. Not sure how to do a regexp-like search while still treating the $TMPDIR pattern as literal.

bjornfor commented Dec 1, 2018

Multiple patterns can be added with -e. But with the -F option the only way I found (yet) to lock to start of string is the --line-regex option. But that fails to allow trailing chars after the match, since it matches whole lines.

$ echo "/build:/build/:/build/bar:/buildbar:/foo/build" | tr : '\n' | grep -F --line-regex -e "/build" -e "/build/"
/build
/build/

(Fails to match "/build/bar".)

bjornfor commented Dec 1, 2018

Although it'd be interesting to match start-of-string (which is the correct thing to do), I think actually the package that I had problems with gets solved by 551aecf (added just two weeks ago).

@bjornfor bjornfor closed this Dec 1, 2018

symphorien commented Dec 1, 2018

Here is one possibility:

$ { sed "s/^/:/" | grep -F ":/build" ; } <<EOF
/build:/build/:/build/bar:/buildbar:/foo/build
/foo/build:/build
/build:/foo
/foo/build
EOF
:/build:/build/:/build/bar:/buildbar:/foo/build
:/foo/build:/build
:/build:/foo

that is

patchelf --print-rpath "$i" | sed 's/^/:/' | grep -q -F ":$TMPDIR/";

@bjornfor bjornfor reopened this Dec 2, 2018

@bjornfor bjornfor force-pushed the bjornfor:audit-tmpdir branch 2 times, most recently Dec 2, 2018

bjornfor commented Dec 2, 2018

@symphorien: Good idea! I replaced sed with printf for performance (now negligible) and force-pushed.
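
An added example, not part of the thread or of the nixpkgs hook: it compares entry-wise matching on a colon-separated RPATH with the fixed-string `:$TMPDIR/` form suggested above, using constructed sample RPATH strings. The function names `rpath_refs_dir` and `rpath_refs_dir_grep` are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and sample RPATHs are constructed,
# not taken from the nixpkgs audit-tmpdir hook.

# rpath_refs_dir RPATH DIR
# Succeeds if any colon-separated RPATH entry is DIR itself or lies below it.
# DIR is compared literally: quoting "$dir" in the case pattern disables
# glob interpretation, so characters such as [ ] * in TMPDIR are safe.
# The body runs in a subshell so IFS and `set -f` do not leak to the caller.
rpath_refs_dir() (
    dir=${2%/}          # tolerate a trailing slash on DIR
    IFS=:               # split RPATH on colons
    set -f              # no pathname expansion while splitting
    for entry in $1; do
        case $entry in
            "$dir" | "$dir"/*) exit 0 ;;
        esac
    done
    exit 1
)

# rpath_refs_dir_grep RPATH DIR
# The fixed-string form from the thread: prefix a colon so that every entry,
# including the first, starts with ":", then search for ":DIR/".
# An entry that is exactly DIR with no trailing slash is not matched.
rpath_refs_dir_grep() {
    printf ':%s' "$1" | grep -q -F -e ":${2%/}/"
}

# Constructed samples: which RPATHs reference a TMPDIR of /build?
for rpath in "/foo/build/lib" "/buildbar" "/foo:/build/lib" "/foo:/build"; do
    if rpath_refs_dir "$rpath" /build; then entrywise=match; else entrywise=clean; fi
    if rpath_refs_dir_grep "$rpath" /build; then fixed=match; else fixed=clean; fi
    printf '%-18s entry-wise=%s fixed-string=%s\n' "$rpath" "$entrywise" "$fixed"
done
```

The two checks agree except on the last sample, where the entry is exactly `/build` with no trailing slash.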

bjornfor added some commits Dec 1, 2018

audit-tmpdir hook: use abspath matching on RPATH entries
This ensures that RPATH entries like "/foo/build/bar" don't trigger a
match when TMPDIR is "/build/bar". (I've had this problem with a
prebuilt package.)

@bjornfor bjornfor force-pushed the bjornfor:audit-tmpdir branch to ad28261 Dec 2, 2018

@bjornfor bjornfor changed the title audit-tmpdir hook: lock pattern matching to start-of-string audit-tmpdir hook: use abspath matching on RPATH entries Dec 2, 2018

Ericson2314 left a comment

Great idea!

@Ericson2314 Ericson2314 merged commit 617c2a3 into NixOS:staging Dec 3, 2018

9 checks passed

  • grahamcofborg-eval: ^.^!
  • grahamcofborg-eval-check-meta: config.nix: checkMeta = true
  • grahamcofborg-eval-nixos-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
  • grahamcofborg-eval-nixos-options: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
  • grahamcofborg-eval-nixpkgs-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
  • grahamcofborg-eval-nixpkgs-tarball: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
  • grahamcofborg-eval-nixpkgs-unstable-jobset: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
  • grahamcofborg-eval-package-list: nix-env -qa --json --file .
  • grahamcofborg-eval-package-list-no-aliases: nix-env -qa --json --file . --arg config { allowAliases = false; }

bjornfor commented Dec 3, 2018

@Ericson2314: Thanks!

@bjornfor bjornfor deleted the bjornfor:audit-tmpdir branch Dec 3, 2018
