build: bundle-libraries.sh: patch bundled ld.so

Remove references to /etc/, /lib/ and /usr/ from the bundled ld.so interpreter using simple binary patching. This is needed to prevent loading host system libraries such as libnss_compat.so.2 on foreign systems, which may result in ld.so inconsistency assertions. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
lede-project · Feb 2, 2018 · a9a43f3 · a9a43f3
1 parent ab44f8f
commit a9a43f3
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/scripts/bundle-libraries.sh b/scripts/bundle-libraries.sh
@@ -97,6 +97,18 @@ _runas_so() {
 	}
 }
 
+_patch_ldso() {
+	_cp "$1" "$1.patched"
+	sed -i -e 's,/\(usr\|lib\|etc\)/,/###/,g' "$1.patched"
+
+	if "$1.patched" 2>&1 | grep -q -- --library-path; then
+		_mv "$1.patched" "$1"
+	else
+		echo "binary patched ${1##*/} not executable, using original" >&2
+		rm -f "$1.patched"
+	fi
+}
+
 for LDD in ${PATH//://ldd }/ldd; do
 	"$LDD" --version >/dev/null 2>/dev/null && break
 	LDD=""
@@ -135,6 +147,7 @@ for BIN in "$@"; do
 				[ -f "$token" -a ! -f "$dest" ] && {
 					_md "$ddir"
 					_cp "$token" "$dest"
+					[ -n "$LDSO" ] && _patch_ldso "$dest"
 				}
 			;; esac
 		done