diff options
| author | Mx Kookie <kookie@spacekookie.de> | 2020-10-31 19:35:09 +0100 |
|---|---|---|
| committer | Mx Kookie <kookie@spacekookie.de> | 2020-10-31 19:35:09 +0100 |
| commit | c4625b175f8200f643fd6e11010932ea44c78433 (patch) | |
| tree | bce3f89888c8ac3991fa5569a878a9eab6801ccc /infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh | |
| parent | 49f735974dd103039ddc4cb576bb76555164a9e7 (diff) | |
| parent | d661aa56a8843e991261510c1bb28fdc2f6975ae (diff) | |
Add 'infra/libkookie/' from commit 'd661aa56a8843e991261510c1bb28fdc2f6975ae'
git-subtree-dir: infra/libkookie
git-subtree-mainline: 49f735974dd103039ddc4cb576bb76555164a9e7
git-subtree-split: d661aa56a8843e991261510c1bb28fdc2f6975ae
Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh')
| -rw-r--r-- | infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh b/infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh new file mode 100644 index 000000000000..c9dd32d1dd22 --- /dev/null +++ b/infra/libkookie/nixpkgs/pkgs/build-support/setup-hooks/audit-tmpdir.sh @@ -0,0 +1,41 @@ +# Check whether RPATHs or wrapper scripts contain references to +# $TMPDIR. This is a serious security bug because it allows any user +# to inject files into search paths of other users' processes. +# +# It might be better to have Nix scan build output for any occurrence +# of $TMPDIR (which would also be good for reproducibility), but at +# the moment that would produce too many spurious errors (e.g. debug +# info or assertion messages that refer to $TMPDIR). + +fixupOutputHooks+=('if [[ -z "${noAuditTmpdir-}" && -e "$prefix" ]]; then auditTmpdir "$prefix"; fi') + +auditTmpdir() { + local dir="$1" + [ -e "$dir" ] || return 0 + + header "checking for references to $TMPDIR/ in $dir..." + + local i + while IFS= read -r -d $'\0' i; do + if [[ "$i" =~ .build-id ]]; then continue; fi + + if isELF "$i"; then + if { printf :; patchelf --print-rpath "$i"; } | grep -q -F ":$TMPDIR/"; then + echo "RPATH of binary $i contains a forbidden reference to $TMPDIR/" + exit 1 + fi + fi + + if isScript "$i"; then + if [ -e "$(dirname "$i")/.$(basename "$i")-wrapped" ]; then + if grep -q -F "$TMPDIR/" "$i"; then + echo "wrapper script $i contains a forbidden reference to $TMPDIR/" + exit 1 + fi + fi + fi + + done < <(find "$dir" -type f -print0) + + stopNest +} |