remove shared library's RPATH/RUNPATH for security

2022-03-01 15:21:08 +08:00 · 2022-03-01 15:21:08 +08:00 · a95455ac97
commit a95455ac97
parent 15389bf875
1 changed files with 61 additions and 1 deletions
--- a/glibc.spec
+++ b/glibc.spec
@ -65,7 +65,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.35
-Release: 	3
+Release: 	4
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -781,6 +781,63 @@ echo "%{_prefix}/libexec/glibc-benchtests/validate_benchout.py*" >> benchtests.f
        echo "%{_libdir}/libpthread-2.17.so" >> compat-2.17.filelist
 %endif

+reliantlib=""
+
+function findReliantLib()
+{
+        local library=$1
+        reliantlib=$(readelf -d $library | grep "(NEEDED)" | awk -F "Shared library" '{print $2}')$reliantlib
+}
+
+# remove gconv rpath/runpath
+function removeLoadPath()
+{
+        local file=$1
+        local rpathInfo=$(chrpath -l $file | grep "RPATH=")
+        local runpathInfo=$(chrpath -l $file | grep "RUNPATH=")
+
+        local currPath=""
+        if [ x"$rpathInfo" != x"" ]; then
+                currPath=$(echo $rpathInfo | awk -F "RPATH=" '{print $2}')
+        fi
+
+        if [ x"$runpathInfo" != x"" ]; then
+                currPath=$(echo $runpathInfo | awk -F "RUNPATH=" '{print $2}')
+        fi
+
+        if [ x"$currPath" == x"\$ORIGIN" ]; then
+                chrpath -d $file
+
+                findReliantLib $file
+        fi
+}
+
+set +e
+
+# find and remove RPATH/RUNPATH
+for file in $(find $RPM_BUILD_ROOT%{_libdir}/gconv/ -name "*.so" -exec file {} ';' | grep "\<ELF\>" | awk -F ':' '{print $1}')
+do
+        removeLoadPath $file
+done
+
+function createSoftLink()
+{
+        # pick up the dynamic libraries and create softlink for them
+        local tmplib=$(echo $reliantlib | sed 's/://g' | sed 's/ //g' | sed 's/\[//g' | sed 's/]/\n/g' | sort | uniq)
+
+        for temp in $tmplib
+        do
+                if [ -f "$RPM_BUILD_ROOT%{_libdir}/gconv/$temp" ]; then
+                        ln -sf %{_libdir}/gconv/$temp $RPM_BUILD_ROOT%{_libdir}/$temp
+                        echo %{_libdir}/$temp >> glibc.filelist
+                fi
+        done
+}
+
+# create soft link for the reliant libraries
+createSoftLink
+set -e
+
 ##############################################################################
 # Run the glibc testsuite
 ##############################################################################
@ -1107,6 +1164,9 @@ fi
 %endif

 %changelog
+* Tue Mar 1 2022 Qingqing Li <liqingqing3@huawei.com> - 2.35-4
+- remove shared library's RPATH/RUNPATH for security
+
 * Tue Feb 22 2022 Qingqing Li <liqingqing3@huawei.com> - 2.35-3
 - tzselect: use region to select timezone