| Message ID | 20260604101028.3347485-2-bin.cao.cn@windriver.com |
|---|---|
| State | Under Review |
| Series | [v2,1/2] python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak |
Thanks, much appreciated!

Alex

On Thu, 4 Jun 2026 at 12:10, Bin Cao via lists.openembedded.org <bin.cao.cn=windriver.com@lists.openembedded.org> wrote:

> > Extend package_qa_check_buildpaths to also detect the build host's > HOME directory path in target packages. This catches cases where > \$HOME-derived paths (such as userbase in Python's sysconfig) leak > into the rootfs. > > Signed-off-by: Bin Cao <bin.cao.cn@windriver.com> > --- > meta/classes-global/insane.bbclass | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass > index 04700be71c..4250331af1 100644 > --- a/meta/classes-global/insane.bbclass > +++ b/meta/classes-global/insane.bbclass > @@ -439,11 +439,15 @@ def package_qa_check_buildpaths(path, name, d, elf): > return > > tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8") > + homedir = bytes(os.environ.get('HOME', ''), encoding="utf-8") > with open(path, 'rb') as f: > file_content = f.read() > if tmpdir in file_content: > path = package_qa_clean_path(path, d, name) > oe.qa.handle_error("buildpaths", "File %s in package %s contains reference to TMPDIR" % (path, name), d) > + if homedir and homedir in file_content: > + path = package_qa_clean_path(path, d, name) > + oe.qa.handle_error("buildpaths", "File %s in package %s contains reference to the build host HOME directory" % (path, name), d) > > > QAPATHTEST[xorg-driver-abi] = "package_qa_check_xorg_driver_abi" > -- > 2.43.0
diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass index 04700be71c..4250331af1 100644 --- a/meta/classes-global/insane.bbclass +++ b/meta/classes-global/insane.bbclass @@ -439,11 +439,15 @@ def package_qa_check_buildpaths(path, name, d, elf): return tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8") + homedir = bytes(os.environ.get('HOME', ''), encoding="utf-8") with open(path, 'rb') as f: file_content = f.read() if tmpdir in file_content: path = package_qa_clean_path(path, d, name) oe.qa.handle_error("buildpaths", "File %s in package %s contains reference to TMPDIR" % (path, name), d) + if homedir and homedir in file_content: + path = package_qa_clean_path(path, d, name) + oe.qa.handle_error("buildpaths", "File %s in package %s contains reference to the build host HOME directory" % (path, name), d) QAPATHTEST[xorg-driver-abi] = "package_qa_check_xorg_driver_abi"
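Review bot: The added `if homedir and homedir in file_content:` is evaluated in addition to the TMPDIR branch, not as an alternative to it, so whenever TMPDIR sits below the build user's HOME every TMPDIR hit also raises a second "buildpaths" error for the same file, and `path` goes through `package_qa_clean_path` twice before that second message is formatted. Making the new branch an `elif`, or computing the cleaned path once before both checks, would keep one report per file. The guard also only rejects an empty string: a HOME of `/` would match almost any file, and a HOME with a trailing slash would be compared with that slash included, so stripping a trailing `/` and skipping the check when the remaining value is empty or just the root would make the substring test more robust. Finally, `tmpdir` comes from `d.getVar('TMPDIR')` while `homedir` comes from `os.environ`; a short comment saying why the process environment is the right source here would help the next reader.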
Extend package_qa_check_buildpaths to also detect the build host's HOME directory path in target packages. This catches cases where \$HOME-derived paths (such as userbase in Python's sysconfig) leak into the rootfs.

Signed-off-by: Bin Cao <bin.cao.cn@windriver.com>
---
meta/classes-global/insane.bbclass | 4 ++++
1 file changed, 4 insertions(+)