Blame SOURCES/add-final-location-rpaths.patch

1f3f4d
Work in the presence of capabilities
1f3f4d
1f3f4d
Include a hardcoded install path in RPATH in binaries. This is used
1f3f4d
as fallback when $ORIGIN is ignored. $ORIGIN is ignored when
1f3f4d
linux capabilities are added to the binary.
1f3f4d
1f3f4d
Fix launcher to treat the case where capabilities are set as
1f3f4d
identical to a setuid binary: don't expect LD_LIBRARY_PATH to be
1f3f4d
set.
1f3f4d
diff -r b85872bd06da Makefile.am
1f3f4d
--- a/Makefile.am	Thu Apr 09 20:20:00 2015 +0100
1f3f4d
+++ b/Makefile.am	Thu Apr 09 20:41:52 2015 +0100
1f3f4d
@@ -815,7 +815,8 @@
1f3f4d
 	BUILD_GCC=gcc$(GCC_SUFFIX) \
1f3f4d
 	BUILD_CXX=g++$(GCC_SUFFIX) \
1f3f4d
 	COMPILER_WARNINGS_FATAL="$(WERROR_STATUS)" \
1f3f4d
-	UNLIMITED_CRYPTO="true"
1f3f4d
+	UNLIMITED_CRYPTO="true" \
1f3f4d
+	INSTALL_LOCATION="${INSTALL_LOCATION}"
1f3f4d
 
1f3f4d
 if ENABLE_CACAO
1f3f4d
 ICEDTEA_ENV += \
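Review bot: `INSTALL_LOCATION="${INSTALL_LOCATION}"` is forwarded to the OpenJDK build with no check that it is set, and the patch added below splices it straight into `-rpath` entries. If it is empty, the fallback entry becomes `/jre/lib/$(LIBARCH)`, an absolute path unrelated to the real install tree, and a launcher with capabilities would search it for its libraries. Nothing visible here defines the variable, so I would fail the build when it is unset, for example with `$(if $(INSTALL_LOCATION),,$(error INSTALL_LOCATION must be set to the final install prefix))` or an equivalent configure-time check. The `ICEDTEA_ENV` assignment this hunk extends starts above the hunk.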
1f3f4d
diff -r b85872bd06da patches/add-final-location-rpaths.patch
1f3f4d
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
1f3f4d
+++ b/patches/add-final-location-rpaths.patch	Thu Apr 09 20:41:52 2015 +0100
1f3f4d
@@ -0,0 +1,121 @@
1f3f4d
+diff -Nru openjdk.orig/corba/make/common/Defs-linux.gmk openjdk/corba/make/common/Defs-linux.gmk
1f3f4d
+--- openjdk.orig/corba/make/common/Defs-linux.gmk	2015-04-09 20:37:21.682577260 +0100
1f3f4d
++++ openjdk/corba/make/common/Defs-linux.gmk	2015-04-09 20:38:35.115295051 +0100
1f3f4d
+@@ -209,8 +209,8 @@
1f3f4d
+   #   The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
1f3f4d
+   #   Try: 'readelf -d lib*.so' to see these settings in a library.
1f3f4d
+   #
1f3f4d
+-  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
1f3f4d
+-  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
1f3f4d
++  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
1f3f4d
++  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
1f3f4d
+ endif
1f3f4d
+ 
1f3f4d
+ EXTRA_LIBS += -lc
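Review bot: In the `LD_RUNPATH_EXTRAS` line the `%` now follows `$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)` with no `/` before it, and the `$ORIGIN/` part no longer carries the extra directory at all. Each extra therefore expands to `$ORIGIN/:<install>/jre/lib/<arch><extra>`, so the relative entry the old line produced is lost and the absolute one is probably not the intended directory. GNU make substitutes only the first `%` in the replacement, so this needs a `foreach`: `LDFLAGS_COMMON += $(foreach e,$(LD_RUNPATH_EXTRAS),-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/$(e):$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/$(e))`. The same line appears in the jdk/make/common/Defs-linux.gmk hunk. The values of `LD_RUNPATH_EXTRAS` are not visible here, so confirm the absolute form against the makefiles that set it.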
1f3f4d
+diff -Nru openjdk.orig/jdk/make/common/Defs-linux.gmk openjdk/jdk/make/common/Defs-linux.gmk
1f3f4d
+--- openjdk.orig/jdk/make/common/Defs-linux.gmk	2015-04-09 20:37:21.962579996 +0100
1f3f4d
++++ openjdk/jdk/make/common/Defs-linux.gmk	2015-04-09 20:38:35.115295051 +0100
1f3f4d
+@@ -233,8 +233,8 @@
1f3f4d
+   #   The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
1f3f4d
+   #   Try: 'readelf -d lib*.so' to see these settings in a library.
1f3f4d
+   #
1f3f4d
+-  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
1f3f4d
+-  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
1f3f4d
++  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
1f3f4d
++  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
1f3f4d
+ endif
1f3f4d
+ 
1f3f4d
+ EXTRA_LIBS += -lc
1f3f4d
+diff -Nru openjdk.orig/jdk/make/common/Program.gmk openjdk/jdk/make/common/Program.gmk
1f3f4d
+--- openjdk.orig/jdk/make/common/Program.gmk	2015-04-09 20:37:28.862647438 +0100
1f3f4d
++++ openjdk/jdk/make/common/Program.gmk	2015-04-09 20:39:08.779624149 +0100
1f3f4d
+@@ -83,9 +83,10 @@
1f3f4d
+ 	endif
1f3f4d
+     endif
1f3f4d
+     ifeq ($(PLATFORM), linux)
1f3f4d
++	LDFLAGS += -lcap
1f3f4d
+ 	LDFLAGS += $(ZLIB_LIBS) -Wl,-z -Wl,origin
1f3f4d
+ 	LDFLAGS += -Wl,--allow-shlib-undefined
1f3f4d
+-	LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli
1f3f4d
++	LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
1f3f4d
+     endif
1f3f4d
+ endif
1f3f4d
+ ifeq ($(PLATFORM), windows)
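Review bot: The absolute `$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli` entry is added without a comment, although it carries a packaging requirement. Per the patch description it is the path used when `$ORIGIN` is ignored for a launcher with capabilities, so that directory has to exist at the final location and be writable only by root. I would add above the `-rpath` line: `# Absolute fallback for launchers with file capabilities, where $ORIGIN is ignored; INSTALL_LOCATION must be the final, root-owned install prefix.` The same comment fits the jdk/make/java/instrument/Makefile hunk, and the enclosing `ifeq` block starts outside this hunk.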
1f3f4d
+diff -Nru openjdk.orig/jdk/make/java/instrument/Makefile openjdk/jdk/make/java/instrument/Makefile
1f3f4d
+--- openjdk.orig/jdk/make/java/instrument/Makefile	2015-04-09 02:19:17.000000000 +0100
1f3f4d
++++ openjdk/jdk/make/java/instrument/Makefile	2015-04-09 20:38:35.115295051 +0100
1f3f4d
+@@ -111,7 +111,7 @@
1f3f4d
+   ifeq ($(PLATFORM), linux)
1f3f4d
+     LDFLAGS += -Wl,-z -Wl,origin
1f3f4d
+     LDFLAGS += -Wl,--allow-shlib-undefined
1f3f4d
+-    LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli
1f3f4d
++    LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
1f3f4d
+   endif
1f3f4d
+ endif
1f3f4d
+ 
1f3f4d
+diff -Nru openjdk.orig/jdk/src/solaris/bin/java_md.c openjdk/jdk/src/solaris/bin/java_md.c
1f3f4d
+--- openjdk.orig/jdk/src/solaris/bin/java_md.c	2015-04-09 02:19:52.000000000 +0100
1f3f4d
++++ openjdk/jdk/src/solaris/bin/java_md.c	2015-04-09 20:38:35.115295051 +0100
1f3f4d
+@@ -39,6 +39,7 @@
1f3f4d
+ 
1f3f4d
+ #ifdef __linux__
1f3f4d
+ #include <pthread.h>
1f3f4d
++#include <sys/capability.h>
1f3f4d
+ #else
1f3f4d
+ #include <thread.h>
1f3f4d
+ #endif
1f3f4d
+@@ -169,6 +170,19 @@
1f3f4d
+     return LIBARCHNAME;
1f3f4d
+ }
1f3f4d
+ 
1f3f4d
++#ifdef __linux
1f3f4d
++static int
1f3f4d
++have_caps() {
1f3f4d
++    int have_cap = 0;
1f3f4d
++    cap_t no_caps = cap_init();
1f3f4d
++    cap_t my_caps = cap_get_proc();
1f3f4d
++    have_cap = cap_compare(no_caps, my_caps);
1f3f4d
++    cap_free(my_caps);
1f3f4d
++    cap_free(no_caps);
1f3f4d
++    return have_cap;
1f3f4d
++}
1f3f4d
++#endif
1f3f4d
++
1f3f4d
+ void
1f3f4d
+ CreateExecutionEnvironment(int *_argcp,
1f3f4d
+                            char ***_argvp,
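Review bot: `have_caps()` returns true whenever the process capability sets differ from the empty set, which typically includes an ordinary root invocation of the launcher and not only a binary carrying file capabilities. That is wider than the condition the later comment describes (glibc clearing LD_LIBRARY_PATH for a privileged exec), so root runs would now skip the LD_LIBRARY_PATH setup and depend entirely on the baked-in rpath. `cap_init()` and `cap_get_proc()` are also unchecked, and `cap_compare()` returns -1 on error, which the caller reads as "has capabilities". Where the target glibc provides it, the secure-execution flag expresses the intended test directly, `#include <sys/auxv.h>` with `return getauxval(AT_SECURE) != 0;`, and would remove the `-lcap` dependency. If libcap stays, declare the function as `have_caps(void)` and add a comment saying that lookup errors are deliberately treated as privileged.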
1f3f4d
+@@ -413,20 +427,24 @@
1f3f4d
+ 
1f3f4d
+ #ifdef __linux
1f3f4d
+       /*
1f3f4d
+-       * On linux, if a binary is running as sgid or suid, glibc sets
1f3f4d
+-       * LD_LIBRARY_PATH to the empty string for security purposes.  (In
1f3f4d
+-       * contrast, on Solaris the LD_LIBRARY_PATH variable for a
1f3f4d
+-       * privileged binary does not lose its settings; but the dynamic
1f3f4d
+-       * linker does apply more scrutiny to the path.) The launcher uses
1f3f4d
+-       * the value of LD_LIBRARY_PATH to prevent an exec loop.
1f3f4d
+-       * Therefore, if we are running sgid or suid, this function's
1f3f4d
+-       * setting of LD_LIBRARY_PATH will be ineffective and we should
1f3f4d
+-       * return from the function now.  Getting the right libraries to
1f3f4d
+-       * be found must be handled through other mechanisms.
1f3f4d
++       * On linux, if a binary is running as sgid or suid, or has
1f3f4d
++       * capabilities set, glibc sets LD_LIBRARY_PATH to the empty
1f3f4d
++       * string for security purposes. (In contrast, on Solaris the
1f3f4d
++       * LD_LIBRARY_PATH variable for a privileged binary does not lose
1f3f4d
++       * its settings; but the dynamic linker does apply more scrutiny
1f3f4d
++       * to the path.) The launcher uses the value of LD_LIBRARY_PATH to
1f3f4d
++       * prevent an exec loop.  Therefore, if we are running sgid or
1f3f4d
++       * suid, or have linux capabilities set,  this function's setting
1f3f4d
++       * of LD_LIBRARY_PATH will be ineffective and we should return
1f3f4d
++       * from the function now. Getting the right libraries to be found
1f3f4d
++       * must be handled through other mechanisms.
1f3f4d
+        */
1f3f4d
+       if((getgid() != getegid()) || (getuid() != geteuid()) ) {
1f3f4d
+         return;
1f3f4d
+       }
1f3f4d
++      if (have_caps()) {
1f3f4d
++        return;
1f3f4d
++      }
1f3f4d
+ #endif
1f3f4d
+ 
1f3f4d
+       /* runpath contains current effective LD_LIBRARY_PATH setting */