I have been working on the 'runpath' inspection in rpminspect. This work has involved unraveling what rpmdiff used to do and then working with the tools team to determine the preferred way rpminspect should evaluate DT_RPATH and DT_RUNPATH values.
First, the past: rpmdiff checked for the presence of DT_RPATH in ELF shared objects. If one was found, it would break it up in to path elements splitting on ':'. Then evaluate each of those. Path elements beginning with $ORIGIN are handled a bit differently, including resolving relative links and allowing a root prefix to appear after $ORIGIN and trim that if necessary. However, regardless of what the path elements looked like, the fundamental check was to ensure they began with a string prefix from an allowed list. The allowed list included "/usr/lib" which meant it allowed through /usr/lib, /usr/lib64, and /usr/libexec. This was ok, but not great.
Second, what rpminspect is going to do: Starting with rpminspect-1.3, there will be a runpath inspection to check DT_RPATH (and DT_RUNPATH) values. It breaks up the values the same way, but now path elements have to exactly match a string from the allowed list. Explicit paths and $ORIGIN paths have different allowed lists in the configuration file and $ORIGIN paths still allow a root prefix trim if necessary. The key difference is the explicit matching of path elements. The tools team and I agreed that this is better because:
This work was coordinated at the same time they were working on an improved check-rpaths script in rpm for use by rpmbuild.
To make things less of a surprise for package maintainers, I wanted to go through and find what path elements we currently have and populate the allowed lists in the rpminspect configuration file in rpminspect-data-fedora. I took a snapshot of built packages for x86_64 (57520 packages) and scanned each for ELF shared objects and then dumped any DT_RPATH and DT_RUNPATH values. The sorted and unique list gave me close to 400 runpath values. That's way too much for a distribution-wide configuration file. This information is better stored in per-package rpminspect configuration files.
I have prepared a list of values I found and I want to email the devel list explaining the above and what package maintainers can do to either fix their runpath values -or- modify rpminspect for their package to allow the ones they need.
WHAT AM I ASKING OF THE PACKAGING COMMITTEE?
Mostly I want to go over this with the packaging committee first. I also think possibly expanding the Beware of Rpath section is in order because we now have DT_RUNPATH to consider as well. Mentioning how to configure rpminspect to allow necessary runpath values might also be helpful in the guide.
Here is the list of runpath values I found in my Fedora snapshot from last week: https://dcantrell.fedorapeople.org/runpaths/runpaths.txt
One thing I thought about was reformatting those findings in to a wiki page and we can whittle that down as package maintainers take care of things. Personally I would rather do that first vs. going through and filing a bunch of bugs or doing a provenpackager operation.
Thoughts?
I wonder how this fits into the work being done in #886. RPM already has rpath checking that might actually get turned on, which would make builds to fail if the resulting binaries have improper rpaths. Could that checking be enhanced to do the kind of checks you are considering?
Edit: that's https://pagure.io/packaging-committee/issue/886. I don't know why pagure didn't expand it.
The checks I added were done in conjunction with the checks going in to rpm. They are more complementary rather than one or the other. The functionality is now present in rpminspect and rpminspect is running in fedora-ci.
Where rpminspect offers a little more functionality is enforcing distribution policies. rpm's check can be disabled, which some packages have to do because some things do require DT_RPATH based on how we build and distribute the software. This is where rpminspect has the opportunity to check the resulting build for correctness per distribution policy. That is, if a DT_RPATH or DT_RUNPATH value is found, is it permitted?
I think there's value is having the packaging policy both list allowed RPATH/RUNPATH values or prefixes as well as document the process to add to that list.
Happy to join a packaging committe meeting for further discussion too.
Thanks.
Login to comment on this ticket.