Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit libraries to check for problematic RPATH/RUNPATH when building #173

Merged
merged 17 commits into from
Oct 4, 2021
Merged

Audit libraries to check for problematic RPATH/RUNPATH when building #173

merged 17 commits into from
Oct 4, 2021

Conversation

JonathonReinhart
Copy link
Owner

@JonathonReinhart JonathonReinhart commented Apr 18, 2021
edited
Loading

This PR audits all libraries included (directly by staticx or indirectly as part of a PyInstaller archive) for use of DT_RPATH/DT_RUNPATH which is problematic as described in #169.

RPATH/RUNPATH are removed from the libraries when possible, which does not apply to libraries already part of a PyInstaller archive:

RPATH RUNPATH
In a library being added as a dependency 🧹 Removed 🧹 Removed
In a library already part of PyInstaller archive ⚠️ ... ❌ Forbidden

Those libraries are examined to determine is the RPATH/RUNPATH is problematic. RUNPATH is always forbidden, as detailed in #169. RPATH is allowed unless it is deemed "dangerous":

RPATH in a library already part of PyInstaller archive...
Absolute path ❌ Forbidden
Path relative to working dir ❌ Forbidden
Path relative to $ORIGIN (below) ✔️
Path relative to $ORIGIN (above) ❌ Forbidden

Problematic uses which cannot be corrected will point the user at #188.

Closes #172.
See #169.

@JonathonReinhart JonathonReinhart mentioned this pull request Oct 3, 2021
Merged
@JonathonReinhart JonathonReinhart marked this pull request as ready for review October 3, 2021 07:27
@JonathonReinhart JonathonReinhart mentioned this pull request Oct 3, 2021
Open
JonathonReinhart
JonathonReinhart commented Oct 3, 2021
View reviewed changes
staticx/api.py Outdated Show resolved Hide resolved
@JonathonReinhart JonathonReinhart mentioned this pull request Oct 3, 2021
Open
@JonathonReinhart
Copy link
Owner Author

Based on this conversation with myself, I went ahead and started treating RPATH and RUNPATH exactly the same.

Because this is more likely and wide-reaching that I initially thought, I also went ahead and added patchelf --remove-rpath in StaticxGenerator.add_library() to "fix" the problematic libraries. Note that we cannot (easily) do this for libraries already in the PyInstaller archive.

Now, an existing test (test/pyinstall-cffi/) is failing, as it should:

staticx.errors.UnsupportedRpathError: /tmp/staticx-pyi-znqc4zfi/_cffi_backend.cpython-39-x86_64-linux-gnu.so uses unsupported DT_RPATH ('$ORIGIN/cffi.libs').

Confirmed with readelf:

$ readelf -d ./venv/lib/python3.9/site-packages/_cffi_backend.cpython-39-x86_64-linux-gnu.so

Dynamic section at offset 0xd2000 contains 28 entries:
  Tag        Type                         Name/Value
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/cffi.libs]
 0x0000000000000001 (NEEDED)             Shared library: [libffi-c643fa1a.so.6.0.4]
 ...

$ ls -l venv/lib/python3.9/site-packages/cffi.libs/
total 48K
-rwxr-xr-x 1 jreinhart jreinhart 46K Oct  3 03:14 libffi-c643fa1a.so.6.0.4

This RPATH is harmless because it is relative (down) from $ORIGIN, so it won't break out of our extracted "jail". (It's also unnecessary, as noted in #61 (comment)).

So I think I'll also have to implement the second part of this self-suggestion which is to check for "dangerous" rpaths. Otherwise, staticx will fail on a bunch of stuff unnecessarily.

@JonathonReinhart
staticx: Add elf.get_runpath()
5d1cc54
@JonathonReinhart
staticx: Add StaticxGenerator.audit_library() to check for DT_RUNPATH
1668b5a 
staticx cannot currently handle any libraries that have DT_RUNPATH set as
it interferes with our ability to fully control the library paths.

See #169
@JonathonReinhart
staticx: Check dynamic library in pyinstaller hook
c7dbd82 
This will let us do other things prior to get_shobj_deps() which assume
the file is a shared library
@JonathonReinhart
staticx: Check for un-fixable RUNPATH in pyinstaller hook
c882a07
@JonathonReinhart
test: Ensure rpath-origin test uses RPATH and not RUNPATH
30e36ad
@JonathonReinhart
test: add runpath test to ensure staticx detects unacceptable libraries
9b33906
@JonathonReinhart
test: Combine rpath/runpath tests
6dd5b9d
@JonathonReinhart
test: Combine SConstruct.{rpath,runpath}
1f02461
@JonathonReinhart
staticx: Add get_rpath()
1033463
@JonathonReinhart
staticx: Check both RPATH and RUNPATH
853cfa3 
RPATH is also problematic. While RUNPATH will immediately kill the
top-level RPATH with set, RPATH on a library can defeat our "jail" and
cause target-system libraries to be loaded.
@JonathonReinhart
staticx: Add elf.remove_rpath()
2687156
@JonathonReinhart
staticx: Handle rpath/runpath in add_library by removing it
79b2af2 
Since staticx has already discovered dependencies of the library
(because ldd is effectively recursive), and (like Pyinstaller) will
flatten all dependencies when they're tar-ed up and extracted, there's
no reason we can't just drop the RPATH/RUNPATH entry.

This also renames audit_library to check_library_rpath. I don't want
this function to sound too generic, since we're catching exceptions and
carrying on. Otherwise, we might "fix" an initial problem but then miss
the remaining problems.
@JonathonReinhart
test: Change runpath test to expected success
085ec88 
We now treat RPATH and RUNPATH (in added dependent libraries) the same by
fixing (removing) them.

It's the RPATH/RUNPATH in PyInstaller bundled libraries that is an
unfixable problem, so we'll have to add another test, sigh.
@JonathonReinhart
staticx: Allow harmless RPATH (only) in pyinstaller archive
9cb9798 
A primary example of this is _cffi_backend.cpython-39-x86_64-linux-gnu.so
which has RPATH = "$ORIGIN/cffi.libs" which doesn't matter because
PyInstaller flattens the dependencies anyway. But we allow it because it
is relative to $ORIGIN.
@JonathonReinhart
test: Add funcs.sh with verify_uses_r[un]path
d2dec78
@JonathonReinhart
test: Add test to verify staticx catches pyinstalled libs with RUNPATH
7ff113d
@JonathonReinhart
Add change log entry for #173
8450bc2
@JonathonReinhart JonathonReinhart changed the title Audit libraries to check for problematic RUNPATH when building Audit libraries to check for problematic RPATH/RUNPATH when building Oct 4, 2021
@JonathonReinhart JonathonReinhart merged commit 2ba0f8a into master Oct 4, 2021
@JonathonReinhart JonathonReinhart deleted the 172-audit-libs-for-RUNPATH branch October 4, 2021 02:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Audit libraries to check for problematic RUNPATH when building
1 participant
@JonathonReinhart