Message ID | 20240209140939.186588-1-michalwsieron@gmail.com |
---|---|
State | Superseded, archived |
Headers | show |
Series | sanity.bbclass: raise_sanity_error if /tmp is noexec | expand |
On 9 Feb 2024, at 14:09, Michal Sieron via lists.openembedded.org <michalwsieron=gmail.com@lists.openembedded.org> wrote: > + # Ensure /tmp is NOT mounted with noexec > + with open("/proc/mounts", "r") as f: > + for line in f: > + # format is described in fstab(5) > + _, fs_file, _, fs_mntops, *_ = line.split() > + > + # we only want to check /tmp > + if fs_file != "/tmp": > + continue > + > + # iterate through the options from the end > + for opt in reversed(fs_mntops.split(",")): > + if opt == "noexec": > + raise_sanity_error("/tmp shouldn't be mounted with noexec.", d) > + Alternatively, this is neater: os.statvfs("/tmp").f_flag & os.ST_NOEXEC Ross
Hi Michal, I just noticed the change. I can't find the V2 in my mailbox, so I'm going to reply here. I'm a little concerned about forcing such requirement here. It does not seem *necessary*. As far as I know, the whole oe-core does not need /tmp to be exec. The commit message says 'old meson', this means the current version of meson works well, right? Also, why is there 'no simple way to workaround'? Is the recipe hardcoding '/tmp' instead of using API or command? Does exporting TMPDIR work? e.g., export TMPDIR="${B}/tmp" Regards, Qi On 2/9/24 23:57, Ross Burton wrote: > On 9 Feb 2024, at 14:09, Michal Sieron via lists.openembedded.org <michalwsieron=gmail.com@lists.openembedded.org> wrote: >> + # Ensure /tmp is NOT mounted with noexec >> + with open("/proc/mounts", "r") as f: >> + for line in f: >> + # format is described in fstab(5) >> + _, fs_file, _, fs_mntops, *_ = line.split() >> + >> + # we only want to check /tmp >> + if fs_file != "/tmp": >> + continue >> + >> + # iterate through the options from the end >> + for opt in reversed(fs_mntops.split(",")): >> + if opt == "noexec": >> + raise_sanity_error("/tmp shouldn't be mounted with noexec.", d) >> + > Alternatively, this is neater: > > os.statvfs("/tmp").f_flag & os.ST_NOEXEC > > Ross > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#195233): https://lists.openembedded.org/g/openembedded-core/message/195233 > Mute This Topic: https://lists.openembedded.org/mt/104258828/7304865 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 21 Feb 2024, at 07:18, ChenQi <Qi.Chen@windriver.com> wrote: > I just noticed the change. I can't find the V2 in my mailbox, so I'm going to reply here. > I'm a little concerned about forcing such requirement here. It does not seem *necessary*. > As far as I know, the whole oe-core does not need /tmp to be exec. The commit message says 'old meson', this means the current version of meson works well, right? > Also, why is there 'no simple way to workaround'? Is the recipe hardcoding '/tmp' instead of using API or command? Does exporting TMPDIR work? > e.g., > export TMPDIR="${B}/tmp” You _can_ export TMPDIR but that has to be done on a per-recipe/class basis very carefully as TMPDIR means something else to Bitbake. The problem is recipes that use mktemp to write files and execute them (be it shell scripts, or as a place to write C and then compile in the same directory). These will be in /tmp (again, we can’t set TMPDIR because for foolish historical reasons, TMPDIR is used by bitbake). We first noticed this with Meson where noexec /tmp meant the configure tests failed. We worked around it at the time by assigning TMPDIR when calling Meson, but since them Meson writes to its own build tree now. This has been seen before though, but luckily noexec /tmp is fairly unusual so I doubt this will break many builds. Ross
On Wed, 21 Feb 2024 at 10:48, Ross Burton <ross.burton@arm.com> wrote: > You _can_ export TMPDIR but that has to be done on a per-recipe/class basis very carefully as TMPDIR means something else to Bitbake. > > The problem is recipes that use mktemp to write files and execute them (be it shell scripts, or as a place to write C and then compile in the same directory). These will be in /tmp (again, we can’t set TMPDIR because for foolish historical reasons, TMPDIR is used by bitbake). > > We first noticed this with Meson where noexec /tmp meant the configure tests failed. We worked around it at the time by assigning TMPDIR when calling Meson, but since them Meson writes to its own build tree now. This has been seen before though, but luckily noexec /tmp is fairly unusual so I doubt this will break many builds. I'm actually curious where noexec /tmp can be observed. It does seem rare, because I think it's the first time someone came up with a sanity check for it. Perhaps it should be treated as a bug in that respective environment/OS/container? Alex
On 2024-02-21 5:08 a.m., Alexander Kanavin via lists.openembedded.org wrote: > On Wed, 21 Feb 2024 at 10:48, Ross Burton<ross.burton@arm.com> wrote: >> You _can_ export TMPDIR but that has to be done on a per-recipe/class basis very carefully as TMPDIR means something else to Bitbake. >> >> The problem is recipes that use mktemp to write files and execute them (be it shell scripts, or as a place to write C and then compile in the same directory). These will be in /tmp (again, we can’t set TMPDIR because for foolish historical reasons, TMPDIR is used by bitbake). >> >> We first noticed this with Meson where noexec /tmp meant the configure tests failed. We worked around it at the time by assigning TMPDIR when calling Meson, but since them Meson writes to its own build tree now. This has been seen before though, but luckily noexec /tmp is fairly unusual so I doubt this will break many builds. > I'm actually curious where noexec /tmp can be observed. It does seem > rare, because I think it's the first time someone came up with a > sanity check for it. Perhaps it should be treated as a bug in that > respective environment/OS/container? We've been using noexec /tmp since 2019 with few if any problems using: meta-anaconda meta-aws meta-browser meta-clang meta-cloud-services meta-dpdk meta-imx meta-intel meta-intel-qat meta-iot-cloud meta-lat meta-mingw meta-openembedded meta-qt6 meta-raspberrypi meta-realtime meta-secure-core meta-security meta-selinux meta-tensorflow meta-virtualization meta-xilinx meta-xilinx-tools meta-yocto Michal, what problem are you seeing? ../Randy > > Alex > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#195965):https://lists.openembedded.org/g/openembedded-core/message/195965 > Mute This Topic:https://lists.openembedded.org/mt/104258828/3616765 > Group Owner:openembedded-core+owner@lists.openembedded.org > Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
> Michal, what problem are you seeing?
So originally I encountered this issue when building sbsigntool. Now I
see that I was simply using a modified version of an older recipe
revision.
If I were to use a somewhat recent one, I would have this change in
place
https://github.com/Wind-River/meta-secure-core/commit/f341b8653c65460d03a652a4af39fc876ea8a992
Anyway, when I talked about this on IRC, I suggested making this a
warning, but Ross and Richard wanted to hard error on this instead. I
guess we could make it a warning after all if that would break your
setup.
Michał
diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass index 1bd74e1935..205516bf6a 100644 --- a/meta/classes-global/sanity.bbclass +++ b/meta/classes-global/sanity.bbclass @@ -840,6 +840,21 @@ def check_sanity_everybuild(status, d): status.addresult("Please use a umask which allows a+rx and u+rwx\n") os.umask(omask) + # Ensure /tmp is NOT mounted with noexec + with open("/proc/mounts", "r") as f: + for line in f: + # format is described in fstab(5) + _, fs_file, _, fs_mntops, *_ = line.split() + + # we only want to check /tmp + if fs_file != "/tmp": + continue + + # iterate through the options from the end + for opt in reversed(fs_mntops.split(",")): + if opt == "noexec": + raise_sanity_error("/tmp shouldn't be mounted with noexec.", d) + if d.getVar('TARGET_ARCH') == "arm": # This path is no longer user-readable in modern (very recent) Linux try:
meson saves its temporary scripts in /tmp. Similarly some recipies also do that (e.g. ccan in sbsigntool). As this can lead to unexpected build failures with no simple way to workaround, make such setup a fatal error. Signed-off-by: Michal Sieron <michalwsieron@gmail.com> --- meta/classes-global/sanity.bbclass | 15 +++++++++++++++ 1 file changed, 15 insertions(+)