Add macro %isu_package to generate ISU Package

[platform/upstream/rpm.git] / scripts / check-rpaths-worker

#! /bin/bash

# Copyright (C) 2004 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
#  
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#  
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#  
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA


fail=
already_shown=0

# effect of this expression is obviously:
# * match paths beginning with:
#   - $SOMETHING/<something>/..
#   - /<something>/..
# * but not paths beginning with
#   - $SOMETHING/..
#   - $SOMETHING/../../../.....
BADNESS_EXPR_32='\(\(\$[^/]\+\)\?\(/.*\)\?/\(\([^.][^/]*\)\|\(\.[^./][^/]*\)\|\(\.\.[^/]\+\)\)\)/\.\.\(/.*\)\?$'

function showHint()
{
    test "$already_shown" -eq 0 || return
    already_shown=1
    
    cat <<EOF >&2
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH and will cause 'rpmbuild'
*          to fail. To ignore these errors, you can set the '\$QA_RPATHS'
*          environment variable which is a bitmask allowing the values
*          below. The current value of QA_RPATHS is $(printf '0x%04x' $QA_RPATHS).
*
*    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
*               issue but are introducing redundant searchpaths without
*               providing a benefit. They can also cause errors in multilib
*               environments.
*    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
*               nor relative filenames and can therefore be a SECURITY risk
*    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
*               SECURITY risk
*    0x0008 ... the special '\$ORIGIN' RPATHs are appearing after other
*               RPATHs; this is just a minor issue but usually unwanted
*    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
*               and they cause unneeded work while loading libraries
*    0x0020 ... an RPATH references '..' of an absolute path; this will break
*               the functionality when the path before '..' is a symlink
*          
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
*   \$ QA_RPATHS=\$(( 0x0001|0x0010 )) rpmbuild my-package.src.rpm
* - to check existing files, set \$RPM_BUILD_ROOT and execute check-rpaths like
*   \$ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*  
*******************************************************************************
EOF
}

function msg()
{
    local val=$1
    local cmp=$2
    local msg=
    local fail=
    local code

    test $[ $val & $cmp ] -ne 0 || return 0

    code=$(printf '%04x' $cmp)
    if test $[ $val & ~$QA_RPATHS ] -eq 0; then
        msg="WARNING"
    else
        showHint
        msg="ERROR  "
        fail=1
    fi

    shift 2
    echo "$msg $code: $@" >&2

    test -z "$fail"
}

: ${QA_RPATHS:=0}
old_IFS=$IFS

for i; do
    pos=0
    rpath=$(readelf -d "$i" 2>/dev/null | LANG=C grep '(RPATH).*:') || continue
    rpath=$(echo "$rpath" | LANG=C sed -e 's!.*(RPATH).*: \[\(.*\)\]!\1!p;d')
    tmp=aux:$rpath:/lib/aux || :
    IFS=:
    set -- $tmp
    IFS=$old_IFS
    shift

    allow_ORIGIN=1
    for j; do
        new_allow_ORIGIN=0

        if test -z "$j"; then
            badness=16
        elif expr match "$j" "$BADNESS_EXPR_32" >/dev/null; then
            badness=32
        else
            case "$j" in
                (/lib/*|/usr/lib/*|/usr/X11R6/lib/*|/usr/local/lib/*)
                    badness=0;;
                (/lib64/*|/usr/lib64/*|/usr/X11R6/lib64/*|/usr/local/lib64/*)
                    badness=0;;

                (\$ORIGIN|\${ORIGINX}|\$ORIGIN/*|\${ORIGINX}/*)
                    test $allow_ORIGIN -eq 0 && badness=8 || {
                        badness=0
                        new_allow_ORIGIN=1
                    }
                    ;;
                (/*\$PLATFORM*|/*\${PLATFORM}*|/*\$LIB*|/*\${LIB}*)
                    badness=0;;
                
                (/lib|/usr/lib|/usr/X11R6/lib)
                    badness=1;;
                (/lib64|/usr/lib64|/usr/X11R6/lib64)
                    badness=1;;
                
                (.*)
                    badness=4;;
                (*) badness=2;;
            esac
        fi

        allow_ORIGIN=$new_allow_ORIGIN

        base=${i##$RPM_BUILD_ROOT}
        msg "$badness"  1 "file '$base' contains a standard rpath '$j' in [$rpath]"  || fail=1
        msg "$badness"  2 "file '$base' contains an invalid rpath '$j' in [$rpath]"  || fail=1
        msg "$badness"  4 "file '$base' contains an insecure rpath '$j' in [$rpath]" || fail=1
        msg "$badness"  8 "file '$base' contains the \$ORIGIN rpath specifier at the wrong position in [$rpath]" || fail=1
        msg "$badness" 16 "file '$base' contains an empty rpath in [$rpath]"         || fail=1
        msg "$badness" 32 "file '$base' contains an rpath referencing '..' of an absolute path [$rpath]" || fail=2
        let ++pos
    done
done

test -z "$fail"