summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorLudovic Courtès <ludovic.courtes@inria.fr>2020-07-28 10:48:50 +0200
committerLudovic Courtès <ludo@gnu.org>2020-07-28 14:41:04 +0200
commitc6c0d5a22c2ee3d7164dab0129b2e4852a4ae76c (patch)
tree366c2a3fccf91bc032e50692bf1dcf62ffa9ad1b /gnu
parent8b221b64a552d31e241701aa5c6d339287a7a15b (diff)
downloadguix-c6c0d5a22c2ee3d7164dab0129b2e4852a4ae76c.tar.gz
pack: "fakechroot" execution engine can load its audit module.
Fixes <https://bugs.gnu.org/42558>.

Until now, loading 'pack-audit.so' in a truly non-Guix environment would
usually fail because 'pack-audit.so' depends on 'libgcc_s.so' and
'libc.so', none of which could be found.

Furthermore, the test was not working as expected: the trick

  unshare -mrf sh -c 'mount -t tmpfs none /gnu ; ...'

would allow the fakechroot engine to make its store available as
/gnu/store as a result of another bug.

* gnu/packages/aux-files/run-in-namespace.c (relocated_search_path): New
function.
(exec_with_loader): Pass "--library-path" to the loader.
* guix/scripts/pack.scm (wrapped-package)[build](runpath): New procedure.
(elf-loader-compile-flags): Pass "-DLOADER_AUDIT_RUNPATH".
* tests/guix-pack-relocatable.sh: Remove 'STORE_PARENT'.
(run_without_store): New function.  Erase $NIX_STORE_DIR instead of
$STORE_PARENT.
Use 'run_without_store' throughout.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/aux-files/run-in-namespace.c48
1 files changed, 44 insertions, 4 deletions
diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c
index 5a6b932b87..7f7e5c6885 100644
--- a/gnu/packages/aux-files/run-in-namespace.c
+++ b/gnu/packages/aux-files/run-in-namespace.c
@@ -371,24 +371,64 @@ exec_with_proot (const char *store, int argc, char *argv[])
 
 #if HAVE_EXEC_WITH_LOADER
 
+/* Traverse PATH, a NULL-terminated string array, and return a colon-separated
+   search path where each item of PATH has been relocated to STORE.  The
+   result is malloc'd.  */
+static char *
+relocated_search_path (const char *path[], const char *store)
+{
+  char *new_path;
+  size_t size = 0;
+
+  for (size_t i = 0; path[i] != NULL; i++)
+    size += strlen (store) + strlen (path[i]) + 1;  /* upper bound */
+
+  new_path = xmalloc (size + 1);
+  new_path[0] = '\0';
+
+  for (size_t i = 0; path[i] != NULL; i++)
+    {
+      if (strncmp (path[i], original_store,
+		   sizeof original_store - 1) == 0)
+	{
+	  strcat (new_path, store);
+	  strcat (new_path, path[i] + sizeof original_store - 1);
+	}
+      else
+	strcat (new_path, path[i]);	  /* possibly $ORIGIN */
+
+      strcat (new_path, ":");
+    }
+
+  new_path[strlen (new_path) - 1] = '\0'; /* Remove trailing colon.  */
+
+  return new_path;
+}
+
 /* Execute the wrapped program by invoking the loader (ld.so) directly,
    passing it the audit module and preloading libfakechroot.so.  */
 static void
 exec_with_loader (const char *store, int argc, char *argv[])
 {
+  static const char *audit_library_path[] = LOADER_AUDIT_RUNPATH;
   char *loader = concat (store,
 			 PROGRAM_INTERPRETER + sizeof original_store);
-  size_t loader_specific_argc = 6;
+  size_t loader_specific_argc = 8;
   size_t loader_argc = argc + loader_specific_argc;
   char *loader_argv[loader_argc + 1];
   loader_argv[0] = argv[0];
   loader_argv[1] = "--audit";
   loader_argv[2] = concat (store,
 			   LOADER_AUDIT_MODULE + sizeof original_store);
-  loader_argv[3] = "--preload";
-  loader_argv[4] = concat (store,
+
+  /* The audit module depends on libc.so and libgcc_s.so.  */
+  loader_argv[3] = "--library-path";
+  loader_argv[4] = relocated_search_path (audit_library_path, store);
+
+  loader_argv[5] = "--preload";
+  loader_argv[6] = concat (store,
 			   FAKECHROOT_LIBRARY + sizeof original_store);
-  loader_argv[5] = concat (store,
+  loader_argv[7] = concat (store,
 			   "@WRAPPED_PROGRAM@" + sizeof original_store);
 
   for (size_t i = 0; i < argc; i++)