rpms / java-1.6.0-openjdk

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-beta
  1.   c7
  2.   SOURCES
  3.   add-final-location-rpaths.patch
Blob Blame History Raw 
Work in the presence of capabilities

Include a hardcoded install path in RPATH in binaries. This is used
as fallback when $ORIGIN is ignored. $ORIGIN is ignored for when
linux capabilities are added to the binary.

Fix launcher to treat the case where capabilities are set as
identical to a setuid binary: don't expect LD_LIBRARY_PATH to be
set.
--- a/Makefile.am.orig	2017-01-03 02:21:55.611333388 -0500
+++ b/Makefile.am	2017-01-03 02:22:48.670489697 -0500
@@ -837,7 +837,8 @@
 	CXX=$(CXX)$(GCC_SUFFIX) \
 	COMPILER_WARNINGS_FATAL="$(WERROR_STATUS)" \
 	UNLIMITED_CRYPTO="true" \
-	ARM32JIT="${ARM32JIT_STATUS}"
+	ARM32JIT="${ARM32JIT_STATUS}" \
+	INSTALL_LOCATION="${INSTALL_LOCATION}"
 
 if ENABLE_CACAO
 ICEDTEA_ENV += \
diff -r b85872bd06da patches/add-final-location-rpaths.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/add-final-location-rpaths.patch	Thu Apr 09 20:41:52 2015 +0100
@@ -0,0 +1,121 @@
+diff -Nru openjdk.orig/corba/make/common/Defs-linux.gmk openjdk/corba/make/common/Defs-linux.gmk
+--- openjdk.orig/corba/make/common/Defs-linux.gmk	2015-04-09 20:37:21.682577260 +0100
++++ openjdk/corba/make/common/Defs-linux.gmk	2015-04-09 20:38:35.115295051 +0100
+@@ -209,8 +209,8 @@
+   #   The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
+   #   Try: 'readelf -d lib*.so' to see these settings in a library.
+   #
+-  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
+-  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
++  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
++  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
+ endif
+ 
+ EXTRA_LIBS += -lc
+diff -Nru openjdk.orig/jdk/make/common/Defs-linux.gmk openjdk/jdk/make/common/Defs-linux.gmk
+--- openjdk.orig/jdk/make/common/Defs-linux.gmk	2015-04-09 20:37:21.962579996 +0100
++++ openjdk/jdk/make/common/Defs-linux.gmk	2015-04-09 20:38:35.115295051 +0100
+@@ -233,8 +233,8 @@
+   #   The environment variable LD_LIBRARY_PATH will over-ride these runpaths.
+   #   Try: 'readelf -d lib*.so' to see these settings in a library.
+   #
+-  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN
+-  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%)
++  LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)
++  LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%)
+ endif
+ 
+ EXTRA_LIBS += -lc
+diff -Nru openjdk.orig/jdk/make/common/Program.gmk openjdk/jdk/make/common/Program.gmk
+--- openjdk.orig/jdk/make/common/Program.gmk	2015-04-09 20:37:28.862647438 +0100
++++ openjdk/jdk/make/common/Program.gmk	2015-04-09 20:39:08.779624149 +0100
+@@ -83,9 +83,10 @@
+ 	endif
+     endif
+     ifeq ($(PLATFORM), linux)
++	LDFLAGS += -lcap
+ 	LDFLAGS += $(ZLIB_LIBS) -Wl,-z -Wl,origin
+ 	LDFLAGS += -Wl,--allow-shlib-undefined
+-	LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli
++	LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
+     endif
+ endif
+ ifeq ($(PLATFORM), windows)
+diff -Nru openjdk.orig/jdk/make/java/instrument/Makefile openjdk/jdk/make/java/instrument/Makefile
+--- openjdk.orig/jdk/make/java/instrument/Makefile	2015-04-09 02:19:17.000000000 +0100
++++ openjdk/jdk/make/java/instrument/Makefile	2015-04-09 20:38:35.115295051 +0100
+@@ -111,7 +111,7 @@
+   ifeq ($(PLATFORM), linux)
+     LDFLAGS += -Wl,-z -Wl,origin
+     LDFLAGS += -Wl,--allow-shlib-undefined
+-    LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli
++    LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli
+   endif
+ endif
+ 
+diff -Nru openjdk.orig/jdk/src/solaris/bin/java_md.c openjdk/jdk/src/solaris/bin/java_md.c
+--- openjdk.orig/jdk/src/solaris/bin/java_md.c	2015-04-09 02:19:52.000000000 +0100
++++ openjdk/jdk/src/solaris/bin/java_md.c	2015-04-09 20:38:35.115295051 +0100
+@@ -39,6 +39,7 @@
+ 
+ #ifdef __linux__
+ #include <pthread.h>
++#include <sys/capability.h>
+ #else
+ #include <thread.h>
+ #endif
+@@ -169,6 +170,19 @@
+     return LIBARCHNAME;
+ }
+ 
++#ifdef __linux
++static int
++have_caps() {
++    int have_cap = 0;
++    cap_t no_caps = cap_init();
++    cap_t my_caps = cap_get_proc();
++    have_cap = cap_compare(no_caps, my_caps);
++    cap_free(my_caps);
++    cap_free(no_caps);
++    return have_cap;
++}
++#endif
++
+ void
+ CreateExecutionEnvironment(int *_argcp,
+                            char ***_argvp,
+@@ -413,20 +427,24 @@
+ 
+ #ifdef __linux
+       /*
+-       * On linux, if a binary is running as sgid or suid, glibc sets
+-       * LD_LIBRARY_PATH to the empty string for security purposes.  (In
+-       * contrast, on Solaris the LD_LIBRARY_PATH variable for a
+-       * privileged binary does not lose its settings; but the dynamic
+-       * linker does apply more scrutiny to the path.) The launcher uses
+-       * the value of LD_LIBRARY_PATH to prevent an exec loop.
+-       * Therefore, if we are running sgid or suid, this function's
+-       * setting of LD_LIBRARY_PATH will be ineffective and we should
+-       * return from the function now.  Getting the right libraries to
+-       * be found must be handled through other mechanisms.
++       * On linux, if a binary is running as sgid or suid, or has
++       * capabilities set, glibc sets LD_LIBRARY_PATH to the empty
++       * string for security purposes. (In contrast, on Solaris the
++       * LD_LIBRARY_PATH variable for a privileged binary does not lose
++       * its settings; but the dynamic linker does apply more scrutiny
++       * to the path.) The launcher uses the value of LD_LIBRARY_PATH to
++       * prevent an exec loop.  Therefore, if we are running sgid or
++       * suid, or have linux capabilities set,  this function's setting
++       * of LD_LIBRARY_PATH will be ineffective and we should return
++       * from the function now. Getting the right libraries to be found
++       * must be handled through other mechanisms.
+        */
+       if((getgid() != getegid()) || (getuid() != geteuid()) ) {
+         return;
+       }
++      if (have_caps()) {
++        return;
++      }
+ #endif
+ 
+       /* runpath contains current effective LD_LIBRARY_PATH setting */

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation