Work in the presence of capabilities
Include a hardcoded install path in RPATH in binaries. This is used
as fallback when $ORIGIN is ignored. $ORIGIN is ignored for when
linux capabilities are added to the binary.
Fix launcher to treat the case where capabilities are set as
identical to a setuid binary: don't expect LD_LIBRARY_PATH to be
set.
diff -r b85872bd06da Makefile.am
--- a/Makefile.am Thu Apr 09 20:20:00 2015 +0100
+++ b/Makefile.am Thu Apr 09 20:41:52 2015 +0100
@@ -815,7 +815,8 @@
CC=$(CC)$(GCC_SUFFIX) \
CXX=$(CXX)$(GCC_SUFFIX) \
COMPILER_WARNINGS_FATAL="$(WERROR_STATUS)" \
- UNLIMITED_CRYPTO="true"
+ UNLIMITED_CRYPTO="true" \
+ INSTALL_LOCATION="${INSTALL_LOCATION}"
if ENABLE_CACAO
ICEDTEA_ENV += \
diff -r b85872bd06da patches/add-final-location-rpaths.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/add-final-location-rpaths.patch Thu Apr 09 20:41:52 2015 +0100
@@ -0,0 +1,121 @@
+diff -Nru openjdk.orig/corba/make/common/Defs-linux.gmk openjdk/corba/make/common/Defs-linux.gmk
+--- openjdk.orig/corba/make/common/Defs-linux.gmk 2015-04-09 20:37:21.682577260 +0100
++++ openjdk/corba/make/common/Defs-linux.gmk 2015-04-09 20:38:35.115295051 +0100
+@@ -209,8 +209,8 @@
+ # The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
+ # Try: 'readelf -d lib*.so' to see these settings in a library.
+ #
+- LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
+- LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
++ LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
++ LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
+ endif
+
+ EXTRA_LIBS += -lc
+diff -Nru openjdk.orig/jdk/make/common/Defs-linux.gmk openjdk/jdk/make/common/Defs-linux.gmk
+--- openjdk.orig/jdk/make/common/Defs-linux.gmk 2015-04-09 20:37:21.962579996 +0100
++++ openjdk/jdk/make/common/Defs-linux.gmk 2015-04-09 20:38:35.115295051 +0100
+@@ -233,8 +233,8 @@
+ # The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
+ # Try: 'readelf -d lib*.so' to see these settings in a library.
+ #
+- LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
+- LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
++ LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
++ LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
+ endif
+
+ EXTRA_LIBS += -lc
+diff -Nru openjdk.orig/jdk/make/common/Program.gmk openjdk/jdk/make/common/Program.gmk
+--- openjdk.orig/jdk/make/common/Program.gmk 2015-04-09 20:37:28.862647438 +0100
++++ openjdk/jdk/make/common/Program.gmk 2015-04-09 20:39:08.779624149 +0100
+@@ -83,9 +83,10 @@
+ endif
+ endif
+ ifeq ($(PLATFORM), linux)
++ LDFLAGS += -lcap
+ LDFLAGS += $(ZLIB_LIBS) -Wl,-z -Wl,origin
+ LDFLAGS += -Wl,--allow-shlib-undefined
+- LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli
++ LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
+ endif
+ endif
+ ifeq ($(PLATFORM), windows)
+diff -Nru openjdk.orig/jdk/make/java/instrument/Makefile openjdk/jdk/make/java/instrument/Makefile
+--- openjdk.orig/jdk/make/java/instrument/Makefile 2015-04-09 02:19:17.000000000 +0100
++++ openjdk/jdk/make/java/instrument/Makefile 2015-04-09 20:38:35.115295051 +0100
+@@ -111,7 +111,7 @@
+ ifeq ($(PLATFORM), linux)
+ LDFLAGS += -Wl,-z -Wl,origin
+ LDFLAGS += -Wl,--allow-shlib-undefined
+- LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli
++ LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
+ endif
+ endif
+
+diff -Nru openjdk.orig/jdk/src/solaris/bin/java_md.c openjdk/jdk/src/solaris/bin/java_md.c
+--- openjdk.orig/jdk/src/solaris/bin/java_md.c 2015-04-09 02:19:52.000000000 +0100
++++ openjdk/jdk/src/solaris/bin/java_md.c 2015-04-09 20:38:35.115295051 +0100
+@@ -39,6 +39,7 @@
+
+ #ifdef __linux__
+ #include <pthread.h>
++#include <sys/capability.h>
+ #else
+ #include <thread.h>
+ #endif
+@@ -169,6 +170,19 @@
+ return LIBARCHNAME;
+ }
+
++#ifdef __linux
++static int
++have_caps() {
++ int have_cap = 0;
++ cap_t no_caps = cap_init();
++ cap_t my_caps = cap_get_proc();
++ have_cap = cap_compare(no_caps, my_caps);
++ cap_free(my_caps);
++ cap_free(no_caps);
++ return have_cap;
++}
++#endif
++
+ void
+ CreateExecutionEnvironment(int *_argcp,
+ char ***_argvp,
+@@ -413,20 +427,24 @@
+
+ #ifdef __linux
+ /*
+- * On linux, if a binary is running as sgid or suid, glibc sets
+- * LD_LIBRARY_PATH to the empty string for security purposes. (In
+- * contrast, on Solaris the LD_LIBRARY_PATH variable for a
+- * privileged binary does not lose its settings; but the dynamic
+- * linker does apply more scrutiny to the path.) The launcher uses
+- * the value of LD_LIBRARY_PATH to prevent an exec loop.
+- * Therefore, if we are running sgid or suid, this function's
+- * setting of LD_LIBRARY_PATH will be ineffective and we should
+- * return from the function now. Getting the right libraries to
+- * be found must be handled through other mechanisms.
++ * On linux, if a binary is running as sgid or suid, or has
++ * capabilities set, glibc sets LD_LIBRARY_PATH to the empty
++ * string for security purposes. (In contrast, on Solaris the
++ * LD_LIBRARY_PATH variable for a privileged binary does not lose
++ * its settings; but the dynamic linker does apply more scrutiny
++ * to the path.) The launcher uses the value of LD_LIBRARY_PATH to
++ * prevent an exec loop. Therefore, if we are running sgid or
++ * suid, or have linux capabilities set, this function's setting
++ * of LD_LIBRARY_PATH will be ineffective and we should return
++ * from the function now. Getting the right libraries to be found
++ * must be handled through other mechanisms.
+ */
+ if((getgid() != getegid()) || (getuid() != geteuid()) ) {
+ return;
+ }
++ if (have_caps()) {
++ return;
++ }
+ #endif
+
+ /* runpath contains current effective LD_LIBRARY_PATH setting */