Work in the presence of capabilities Include a hardcoded install path in RPATH in binaries. This is used as fallback when $ORIGIN is ignored. $ORIGIN is ignored for when linux capabilities are added to the binary. Fix launcher to treat the case where capabilities are set as identical to a setuid binary: don't expect LD_LIBRARY_PATH to be set. diff -r b85872bd06da Makefile.am --- a/Makefile.am Thu Apr 09 20:20:00 2015 +0100 +++ b/Makefile.am Thu Apr 09 20:41:52 2015 +0100 @@ -815,7 +815,8 @@ BUILD_GCC=gcc$(GCC_SUFFIX) \ BUILD_CXX=g++$(GCC_SUFFIX) \ COMPILER_WARNINGS_FATAL="$(WERROR_STATUS)" \ - UNLIMITED_CRYPTO="true" + UNLIMITED_CRYPTO="true" \ + INSTALL_LOCATION="${INSTALL_LOCATION}" if ENABLE_CACAO ICEDTEA_ENV += \ diff -r b85872bd06da patches/add-final-location-rpaths.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/add-final-location-rpaths.patch Thu Apr 09 20:41:52 2015 +0100 @@ -0,0 +1,121 @@ +diff -Nru openjdk.orig/corba/make/common/Defs-linux.gmk openjdk/corba/make/common/Defs-linux.gmk +--- openjdk.orig/corba/make/common/Defs-linux.gmk 2015-04-09 20:37:21.682577260 +0100 ++++ openjdk/corba/make/common/Defs-linux.gmk 2015-04-09 20:38:35.115295051 +0100 +@@ -209,8 +209,8 @@ + # The environment variable LD_LIBRARY_PATH will over-ride these runpaths. + # Try: 'readelf -d lib*.so' to see these settings in a library. + # +- LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN +- LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%) ++ LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH) ++ LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%) + endif + + EXTRA_LIBS += -lc +diff -Nru openjdk.orig/jdk/make/common/Defs-linux.gmk openjdk/jdk/make/common/Defs-linux.gmk +--- openjdk.orig/jdk/make/common/Defs-linux.gmk 2015-04-09 20:37:21.962579996 +0100 ++++ openjdk/jdk/make/common/Defs-linux.gmk 2015-04-09 20:38:35.115295051 +0100 +@@ -233,8 +233,8 @@ + # The environment variable LD_LIBRARY_PATH will over-ride these runpaths. + # Try: 'readelf -d lib*.so' to see these settings in a library. + # +- LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN +- LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/%) ++ LDFLAGS_COMMON += -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH) ++ LDFLAGS_COMMON += $(LD_RUNPATH_EXTRAS:%=-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$$ORIGIN/:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)%) + endif + + EXTRA_LIBS += -lc +diff -Nru openjdk.orig/jdk/make/common/Program.gmk openjdk/jdk/make/common/Program.gmk +--- openjdk.orig/jdk/make/common/Program.gmk 2015-04-09 20:37:28.862647438 +0100 ++++ openjdk/jdk/make/common/Program.gmk 2015-04-09 20:39:08.779624149 +0100 +@@ -83,9 +83,10 @@ + endif + endif + ifeq ($(PLATFORM), linux) ++ LDFLAGS += -lcap + LDFLAGS += $(ZLIB_LIBS) -Wl,-z -Wl,origin + LDFLAGS += -Wl,--allow-shlib-undefined +- LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli ++ LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/../lib/$(LIBARCH)/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli + endif + endif + ifeq ($(PLATFORM), windows) +diff -Nru openjdk.orig/jdk/make/java/instrument/Makefile openjdk/jdk/make/java/instrument/Makefile +--- openjdk.orig/jdk/make/java/instrument/Makefile 2015-04-09 02:19:17.000000000 +0100 ++++ openjdk/jdk/make/java/instrument/Makefile 2015-04-09 20:38:35.115295051 +0100 +@@ -111,7 +111,7 @@ + ifeq ($(PLATFORM), linux) + LDFLAGS += -Wl,-z -Wl,origin + LDFLAGS += -Wl,--allow-shlib-undefined +- LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli ++ LDFLAGS += -Wl,-rpath -Wl,\$$ORIGIN/jli:$(INSTALL_LOCATION)/jre/lib/$(LIBARCH)/jli + endif + endif + +diff -Nru openjdk.orig/jdk/src/solaris/bin/java_md.c openjdk/jdk/src/solaris/bin/java_md.c +--- openjdk.orig/jdk/src/solaris/bin/java_md.c 2015-04-09 02:19:52.000000000 +0100 ++++ openjdk/jdk/src/solaris/bin/java_md.c 2015-04-09 20:38:35.115295051 +0100 +@@ -39,6 +39,7 @@ + + #ifdef __linux__ + #include ++#include + #else + #include + #endif +@@ -169,6 +170,19 @@ + return LIBARCHNAME; + } + ++#ifdef __linux ++static int ++have_caps() { ++ int have_cap = 0; ++ cap_t no_caps = cap_init(); ++ cap_t my_caps = cap_get_proc(); ++ have_cap = cap_compare(no_caps, my_caps); ++ cap_free(my_caps); ++ cap_free(no_caps); ++ return have_cap; ++} ++#endif ++ + void + CreateExecutionEnvironment(int *_argcp, + char ***_argvp, +@@ -413,20 +427,24 @@ + + #ifdef __linux + /* +- * On linux, if a binary is running as sgid or suid, glibc sets +- * LD_LIBRARY_PATH to the empty string for security purposes. (In +- * contrast, on Solaris the LD_LIBRARY_PATH variable for a +- * privileged binary does not lose its settings; but the dynamic +- * linker does apply more scrutiny to the path.) The launcher uses +- * the value of LD_LIBRARY_PATH to prevent an exec loop. +- * Therefore, if we are running sgid or suid, this function's +- * setting of LD_LIBRARY_PATH will be ineffective and we should +- * return from the function now. Getting the right libraries to +- * be found must be handled through other mechanisms. ++ * On linux, if a binary is running as sgid or suid, or has ++ * capabilities set, glibc sets LD_LIBRARY_PATH to the empty ++ * string for security purposes. (In contrast, on Solaris the ++ * LD_LIBRARY_PATH variable for a privileged binary does not lose ++ * its settings; but the dynamic linker does apply more scrutiny ++ * to the path.) The launcher uses the value of LD_LIBRARY_PATH to ++ * prevent an exec loop. Therefore, if we are running sgid or ++ * suid, or have linux capabilities set, this function's setting ++ * of LD_LIBRARY_PATH will be ineffective and we should return ++ * from the function now. Getting the right libraries to be found ++ * must be handled through other mechanisms. + */ + if((getgid() != getegid()) || (getuid() != geteuid()) ) { + return; + } ++ if (have_caps()) { ++ return; ++ } + #endif + + /* runpath contains current effective LD_LIBRARY_PATH setting */