| Message ID | 20260604101028.3347485-1-bin.cao.cn@windriver.com |
|---|---|
| State | Under Review |
| Headers | show |
| Series | [v2,1/2] python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak | expand |
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb index 2f821b130f..cc18e13747 100644 --- a/meta/recipes-devtools/python/python3_3.14.5.bb +++ b/meta/recipes-devtools/python/python3_3.14.5.bb @@ -390,6 +390,7 @@ py_package_preprocess () { -e 's:${RECIPE_SYSROOT_NATIVE}::g' \ -e 's:${RECIPE_SYSROOT}::g' \ -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \ + -e 's|"userbase": ".*"|"userbase": ""|g' \ ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfig_vars*.json }
The _sysconfig_vars__linux_x86_64-linux-gnu.json file contains a "userbase" field that is populated from the build host user's $HOME at build time. This leaks the build host user's home directory path into the target rootfs. The existing py_package_preprocess() cleanup for this JSON file only strips known OE build path prefixes (STAGING_DIR_TARGET, RECIPE_SYSROOT, etc.), but the userbase value comes from the build user's $HOME environment variable which doesn't match any of those patterns. Set userbase to an empty string in the packaged JSON. This is safe because at runtime, sysconfig.get_config_vars() always recomputes userbase by calling _getuserbase(), which resolves the actual target user's ~/.local path dynamically. The static value in the JSON is never used for runtime path resolution. Signed-off-by: Bin Cao <bin.cao.cn@windriver.com> --- meta/recipes-devtools/python/python3_3.14.5.bb | 1 + 1 file changed, 1 insertion(+)