[OE-core] [yocto] [PATCH 1/2] package.bbclass: add prohibited-path qa test

Christopher Larson kergoth at gmail.com
Tue Nov 14 02:11:56 UTC 2017


On Mon, Nov 13, 2017 at 7:10 PM, Christopher Larson <kergoth at gmail.com>
wrote:

>
>
> On Mon, Nov 13, 2017 at 11:17 AM, Martyn Welch <martyn at welchs.me.uk>
> wrote:
>
>> From: Fabien Lahoudere <fabien.lahoudere at collabora.co.uk>
>>
>> Sometimes we wish to ensure that packages don't install files or
>> directories somewhere that may prove detrimental to the operation of the
>> system. For example, this may be the case if files are placed in a
>> directory that is utilised as a mount point at run time, thus making them
>> inaccessible once the mount point is being utilised.
>>
>> Implement the prohibited-path QA test, which enables such locations to be
>> specified in a "PROHIBITED_PATH" variable. This implementation allows for
>> exact matches and simple wildcards (paths ending with an asterisk). An
>> error will be raised should a match be found, or in the case of a
>> wildcard, for any files added below the specified location(s).
>>
>> Signed-off-by: Fabien Lahoudere <fabien.lahoudere at collabora.co.uk>
>> Signed-off-by: Martyn Welch <martyn at welchs.me.uk>
>> ---
>>  meta/classes/insane.bbclass  |  2 +-
>>  meta/classes/package.bbclass | 11 +++++++++++
>>  2 files changed, 12 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
>> index def9c70..fb10681 100644
>> --- a/meta/classes/insane.bbclass
>> +++ b/meta/classes/insane.bbclass
>> @@ -33,7 +33,7 @@ ERROR_QA ?= "dev-so debug-deps dev-deps debug-files
>> arch pkgconfig la \
>>              perms dep-cmp pkgvarcheck perm-config perm-line perm-link \
>>              split-strip packages-list pkgv-undefined var-undefined \
>>              version-going-backwards expanded-d invalid-chars \
>> -            license-checksum dev-elf file-rdeps \
>> +            license-checksum dev-elf file-rdeps prohibited-path \
>>              "
>>  # Add usrmerge QA check based on distro feature
>>  ERROR_QA_append = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge',
>> ' usrmerge', '', d)}"
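Review bot: The new "prohibited-path" entry in ERROR_QA has no accompanying documentation: the diffstat touches only insane.bbclass and package.bbclass, so neither the test name nor the PROHIBITED_PATH variable it depends on is described anywhere in the patch. Suggest documenting both in the same series, including the expected form of the entries and what a trailing asterisk means, since the check is enabled as an error by default here.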
>> diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
>> index 2053d46..721ca1e 100644
>> --- a/meta/classes/package.bbclass
>> +++ b/meta/classes/package.bbclass
>> @@ -1162,6 +1162,17 @@ python populate_packages () {
>>                  continue
>>              seen.append(file)
>>
>> +            prohibited_path = d.getVar('PROHIBITED_PATH')
>> +            if prohibited_path is not None:
>> +                for p in prohibited_path.split():
>> +                    exactmatch = True
>> +                    if p.endswith("*"):
>> +                        p = p[:len(p)-1]
>> +                        exactmatch = False
>> +                    if file[1:].startswith(p) and ((file[1:] != p) or
>> exactmatch) :
>> +                        msg = "%s is in a prohibited path.\n" % file[1:]
>> +                        package_qa_handle_error("prohibited-path", msg,
>> d)
>>
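Review bot: In the `if file[1:].startswith(p) and ((file[1:] != p) or exactmatch)` test, a non-wildcard entry is not matched exactly: with exactmatch set to True the second clause is always true, so the condition reduces to a plain startswith(p) and any path that merely begins with the entry is flagged. Suggest comparing `file[1:] == p` for exact entries, and for wildcard entries testing the prefix with a trailing separator so that only paths below the directory match. Separately, d.getVar('PROHIBITED_PATH') and the split() sit after seen.append(file), so they run once per file; they could be computed once before the loop, and `p[:len(p)-1]` can be written `p[:-1]`.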
>
> Unless I’m missing something, you aren’t checking for startswith(p +
> os.sep), so a file in libexec would match a prohibited path of lib, as it’d
> still start with that, no?
>

You might also consider some form of path normalization if you’re comparing
directly like this, otherwise i.e. //foo wouldn’t match /foo, even though
it’s the same path.
-- 
Christopher Larson
kergoth at gmail dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Senior Software Engineer, Mentor Graphics
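
The two points raised in this reply (matching on a path-component boundary, and normalizing before comparing), as an added example that is not part of the patch or of OE-core. The function names, the sample paths, and the reading of a trailing asterisk as "anything below this directory" are assumptions.

```python
import posixpath


def normalize(path):
    """Return an absolute path with duplicate slashes and '.'/'..' collapsed."""
    # posixpath.normpath keeps a leading '//' (POSIX permits it), so strip
    # all leading slashes first and add exactly one back.
    return posixpath.normpath("/" + path.lstrip("/"))


def parse_prohibited(value):
    """Split a PROHIBITED_PATH-style string into (path, is_wildcard) pairs."""
    entries = []
    for p in value.split():
        wildcard = p.endswith("*")
        if wildcard:
            p = p[:-1]
        entries.append((normalize(p), wildcard))
    return entries


def is_prohibited(path, entries):
    """True if path equals an exact entry or lies below a wildcard entry."""
    path = normalize(path)
    for base, wildcard in entries:
        if wildcard:
            # Require a separator after the base so '/mnt/*' does not
            # match '/mntx/file'.
            if path.startswith(base.rstrip("/") + "/"):
                return True
        elif path == base:
            # Exact entries match only themselves, so '/lib' does not
            # match '/libexec/foo'.
            return True
    return False


if __name__ == "__main__":
    # Constructed sample value and paths, for illustration only.
    entries = parse_prohibited("/lib /mnt/*")
    for candidate in ("/lib", "/libexec/foo", "//mnt//data/file", "/mntx/file"):
        print(candidate, is_prohibited(candidate, entries))
```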