Two (possibly related) issue w/ 4.18.x rpmbuild

Panu Matilainen pmatilai at redhat.com
Mon Mar 20 09:37:16 UTC 2023


On 3/20/23 11:13, Florian Weimer wrote:
> * Panu Matilainen:
> 
>> Most shared libraries are NOT executable, and should not be packaged
>> as such. Which is why rpm automatically strips the executable flags
>> from those deemed only shared libraries via brp-elfperms script after
>> the install stage. glibc (ld*.so rather) being the special case of
>> course.
> 
> Huh.  We need to install all shared objects as executable, otherwise
> Linux security modules (e.g., SELinux with certain policies) will not
> allow mapping them as PROT_EXEC, and nothing will work.
> 
> The ELF backend i binutils ld had a long-standing bug where it did not
> set the ELF entrypoint to 0 on shared objects by default (marking them
> as not directly executable).  This bug has been fixed.  However, the
> kernel does not yet refuse to execute ELF shared objects which have no
> ELF interpreter and entry point 0.  That bug remains to be fixed.
> 
> These are the issues that need to be fixed to avoid confusing crashes.
> Removing the executable bit is not the right approach.

Huh indeed. This is the first I ever hear about *any* of that. I've only 
seen and heard various attemps by distros to avoid having to 
unnecessarily set executable bits on libraries.

It's not a bad day when you learn something new...

So this would largely be Linux specific, and I guess LSM specific at 
that. Seems the executable stripping is a "build root policy" for a 
reason... and I realize now why none of the big distros have seen this 
before: they all override rpm's default brp set and presumably haven't 
been updated to run brp-elfperms at all.

I was just looking at this and found no way to persuade eu-elfclassify 
to consider ld-*.so as an executable, which breaks it for what I thought 
was the primary usecase. But clearly I'm missing more than a little in 
the big picture here...

	- Panu -



More information about the Rpm-list mailing list