diff options
author | Ludovic Courtès <ludovic.courtes@inria.fr> | 2020-07-28 10:48:50 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2020-07-28 14:41:04 +0200 |
commit | c6c0d5a22c2ee3d7164dab0129b2e4852a4ae76c (patch) | |
tree | 366c2a3fccf91bc032e50692bf1dcf62ffa9ad1b /gnu | |
parent | 8b221b64a552d31e241701aa5c6d339287a7a15b (diff) | |
download | guix-c6c0d5a22c2ee3d7164dab0129b2e4852a4ae76c.tar guix-c6c0d5a22c2ee3d7164dab0129b2e4852a4ae76c.tar.gz |
pack: "fakechroot" execution engine can load its audit module.
Fixes <https://bugs.gnu.org/42558>.
Until now, loading 'pack-audit.so' in a truly non-Guix environment would
usually fail because 'pack-audit.so' depends on 'libgcc_s.so' and
'libc.so', none of which could be found.
Furthermore, the test was not working as expected: the trick
unshare -mrf sh -c 'mount -t tmpfs none /gnu ; ...'
would allow the fakechroot engine to make its store available as
/gnu/store as a result of another bug.
* gnu/packages/aux-files/run-in-namespace.c (relocated_search_path): New
function.
(exec_with_loader): Pass "--library-path" to the loader.
* guix/scripts/pack.scm (wrapped-package)[build](runpath): New procedure.
(elf-loader-compile-flags): Pass "-DLOADER_AUDIT_RUNPATH".
* tests/guix-pack-relocatable.sh: Remove 'STORE_PARENT'.
(run_without_store): New function. Erase $NIX_STORE_DIR instead of
$STORE_PARENT.
Use 'run_without_store' throughout.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/packages/aux-files/run-in-namespace.c | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c index 5a6b932b87..7f7e5c6885 100644 --- a/gnu/packages/aux-files/run-in-namespace.c +++ b/gnu/packages/aux-files/run-in-namespace.c @@ -371,24 +371,64 @@ exec_with_proot (const char *store, int argc, char *argv[]) #if HAVE_EXEC_WITH_LOADER +/* Traverse PATH, a NULL-terminated string array, and return a colon-separated + search path where each item of PATH has been relocated to STORE. The + result is malloc'd. */ +static char * +relocated_search_path (const char *path[], const char *store) +{ + char *new_path; + size_t size = 0; + + for (size_t i = 0; path[i] != NULL; i++) + size += strlen (store) + strlen (path[i]) + 1; /* upper bound */ + + new_path = xmalloc (size + 1); + new_path[0] = '\0'; + + for (size_t i = 0; path[i] != NULL; i++) + { + if (strncmp (path[i], original_store, + sizeof original_store - 1) == 0) + { + strcat (new_path, store); + strcat (new_path, path[i] + sizeof original_store - 1); + } + else + strcat (new_path, path[i]); /* possibly $ORIGIN */ + + strcat (new_path, ":"); + } + + new_path[strlen (new_path) - 1] = '\0'; /* Remove trailing colon. */ + + return new_path; +} + /* Execute the wrapped program by invoking the loader (ld.so) directly, passing it the audit module and preloading libfakechroot.so. */ static void exec_with_loader (const char *store, int argc, char *argv[]) { + static const char *audit_library_path[] = LOADER_AUDIT_RUNPATH; char *loader = concat (store, PROGRAM_INTERPRETER + sizeof original_store); - size_t loader_specific_argc = 6; + size_t loader_specific_argc = 8; size_t loader_argc = argc + loader_specific_argc; char *loader_argv[loader_argc + 1]; loader_argv[0] = argv[0]; loader_argv[1] = "--audit"; loader_argv[2] = concat (store, LOADER_AUDIT_MODULE + sizeof original_store); - loader_argv[3] = "--preload"; - loader_argv[4] = concat (store, + + /* The audit module depends on libc.so and libgcc_s.so. */ + loader_argv[3] = "--library-path"; + loader_argv[4] = relocated_search_path (audit_library_path, store); + + loader_argv[5] = "--preload"; + loader_argv[6] = concat (store, FAKECHROOT_LIBRARY + sizeof original_store); - loader_argv[5] = concat (store, + loader_argv[7] = concat (store, "@WRAPPED_PROGRAM@" + sizeof original_store); for (size_t i = 0; i < argc; i++) |