diff --git a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch new file mode 100644 index 0000000..9dda641 --- /dev/null +++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch 
@@ -0,0 +1,262 @@ +From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Thu, 21 Oct 2021 18:59:45 +0200 +Subject: [PATCH 1/2] tmpfiles.d: Style fix + +The subsequent commit will add an entry to create a /run/host symbolic +link on the host that points to /, and it will require explicitly +skipping some of the columns. Doing the same for the existing entry +will make the file more readable. + +https://github.com/containers/toolbox/issues/821 +--- + data/tmpfiles.d/toolbox.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf +index f22b64a0f97c..bdffe7c09639 100644 +--- a/data/tmpfiles.d/toolbox.conf ++++ b/data/tmpfiles.d/toolbox.conf +@@ -1 +1 @@ +-d /run/media 0755 root root ++d /run/media 0755 root root - - +-- +2.31.1 + + +From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Thu, 21 Oct 2021 20:22:11 +0200 +Subject: [PATCH 2/2] build: Ensure that binaries are run against their + build-time ABI + +The /usr/bin/toolbox binary is not only used to interact with toolbox +containers and images from the host. It's also used as the entry point +of the containers by bind mounting the binary from the host into the +container. This means that the /usr/bin/toolbox binary on the host must +also work inside the container, even if they have different operating +systems. + +In the past, this worked perfectly well with the POSIX shell +implementation because it got intepreted by whichever /bin/sh was +available. However, the Go implementation, can run into ABI +compatibility issues because binaries built on newer toolchains aren't +meant to be run against older runtimes. + +The previous approach [1] of restricting the versions of the glibc +symbols that are linked against isn't actually supported by glibc, and +breaks if the early process start-up code changes. 
This is seen in +glibc-2.34, which is used by Fedora 35 onwards, where a new version of +the __libc_start_main symbol [2] was added as part of some security +hardening: + $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34 + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + __libc_start_main + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_detach + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_create + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_attr_getstacksize + +This means that /usr/bin/toolbox binaries built against glibc-2.34 on +newer Fedoras fail to run against older glibcs in older Fedoras. + +Another option is to make the host's runtime available inside the +toolbox container and ensure that the binary always runs against it. + +Luckily, almost all supported containers have the host's /usr available +at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to +/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing +the path of the dynamic linker (ie., PT_INTERP) to the one inside +/run/host. + +Unfortunately, there can only be one PT_INTERP entry inside the +binary, so there must be a /run/host on the host too. Therefore, a +/run/host symbolic link is created on the host that points to the +host's /. + +Based on ideas from Alexander Larsson and Ray Strode. 
+ +[1] Commit 6ad9c631806961f3 + https://github.com/containers/toolbox/pull/534 + +[2] glibc commit 035c012e32c11e84 + https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84 + https://sourceware.org/bugzilla/show_bug.cgi?id=23323 + +https://github.com/containers/toolbox/issues/821 +--- + data/tmpfiles.d/toolbox.conf | 1 + + meson.build | 8 ++---- + playbooks/setup-env.yaml | 1 + + src/go-build-wrapper | 17 ++++++++++--- + src/libc-wrappers/libc-wrappers.c | 42 ------------------------------- + src/libc-wrappers/meson.build | 8 ------ + src/meson.build | 4 --- + 7 files changed, 18 insertions(+), 63 deletions(-) + delete mode 100644 src/libc-wrappers/libc-wrappers.c + delete mode 100644 src/libc-wrappers/meson.build + +diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf +index bdffe7c09639..0ddb1f08830d 100644 +--- a/data/tmpfiles.d/toolbox.conf ++++ b/data/tmpfiles.d/toolbox.conf +@@ -1 +1,2 @@ + d /run/media 0755 root root - - ++L /run/host - - - - ../ +diff --git a/meson.build b/meson.build +index b580c10fe7d8..ae228ee287d5 100644 +--- a/meson.build ++++ b/meson.build +@@ -1,17 +1,13 @@ + project( + 'toolbox', +- 'c', + version: '0.0.99.2', + license: 'ASL 2.0', +- meson_version: '>= 0.42.0', ++ meson_version: '>= 0.53.0', + ) + +-cc = meson.get_compiler('c') +-add_project_arguments('-pthread', language: 'c') +-add_project_link_arguments('-pthread', language: 'c') +- + go = find_program('go') + go_md2man = find_program('go-md2man') ++patchelf = find_program('patchelf') + shellcheck = find_program('shellcheck', required: false) + skopeo = find_program('skopeo', required: false) + +diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml +index 5644f1ab01b4..7ac9b46ee3ad 100644 +--- a/playbooks/setup-env.yaml ++++ b/playbooks/setup-env.yaml +@@ -13,6 +13,7 @@ + - golang-github-cpuguy83-md2man + - meson + - ninja-build ++ - patchelf + - podman + - skopeo + - systemd +diff --git a/src/go-build-wrapper b/src/go-build-wrapper 
+index 0d27120da052..677dca94bd5a 100755 +--- a/src/go-build-wrapper ++++ b/src/go-build-wrapper +@@ -16,9 +16,9 @@ + # + + +-if [ "$#" -ne 4 ]; then ++if [ "$#" -ne 3 ]; then + echo "go-build-wrapper: wrong arguments" >&2 +- echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2 ++ echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2 + exit 1 + fi + +@@ -27,5 +27,16 @@ if ! cd "$1"; then + exit 1 + fi + +-go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" ++go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" ++ ++if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then ++ echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 ++ exit 1 ++fi ++ ++if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then ++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2 ++ exit 1 ++fi ++ + exit "$?" +diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c +deleted file mode 100644 +index 7b402bc2fe78..000000000000 +--- a/src/libc-wrappers/libc-wrappers.c ++++ /dev/null +@@ -1,42 +0,0 @@ +-/* +- * Copyright © 2020 – 2021 Red Hat Inc. +- * +- * Licensed under the Apache License, Version 2.0 (the "License"); +- * you may not use this file except in compliance with the License. +- * You may obtain a copy of the License at +- * +- * http://www.apache.org/licenses/LICENSE-2.0 +- * +- * Unless required by applicable law or agreed to in writing, software +- * distributed under the License is distributed on an "AS IS" BASIS, +- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+- * See the License for the specific language governing permissions and +- * limitations under the License. +- */ +- +- +-#include +- +- +-#if defined __aarch64__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); +-#elif defined __arm__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4"); +-#elif defined __i386__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0"); +-#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); +-#elif defined __s390x__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2"); +-#elif defined __x86_64__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5"); +-#else +-#error "Please specify symbol version for pthread_sigmask" +-#endif +- +- +-int +-__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset) +-{ +- return pthread_sigmask (how, set, oldset); +-} +diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build +deleted file mode 100644 +index 3984ce449c57..000000000000 +--- a/src/libc-wrappers/meson.build ++++ /dev/null +@@ -1,8 +0,0 @@ +-sources = files( +- 'libc-wrappers.c', +-) +- +-libc_wrappers = static_library( +- 'c-wrappers', +- sources, +-) +diff --git a/src/meson.build b/src/meson.build +index f76606da3271..759db1f1e900 100644 +--- a/src/meson.build ++++ b/src/meson.build +@@ -1,5 +1,3 @@ +-subdir('libc-wrappers') +- + go_build_wrapper_file = files('go-build-wrapper') + go_build_wrapper_program = find_program('go-build-wrapper') + +@@ -28,9 +26,7 @@ custom_target( + meson.current_source_dir(), + meson.current_build_dir(), + meson.project_version(), +- libc_wrappers.full_path(), + ], +- depends: libc_wrappers, + input: sources, + install: true, + install_dir: get_option('bindir'), +-- +2.31.1 + diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch index f5511f6..d464eea 100644 
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch @@ -1,4 +1,4 @@ -From 5ec9997c0f11bb9d1f7eee2e5014130cadc70c91 Mon Sep 17 00:00:00 2001 +From df2d42ec5aee27f9f92ce7825d020425c2dac885 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for @@ -24,17 +24,19 @@ and should be kept updated to match Fedora's Go guidelines. Use 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..03a32bc5af33 100755 +index 677dca94bd5a..e6e9caf1049e 100755 --- a/src/go-build-wrapper 
+++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -27,7 +27,8 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +unset LDFLAGS -+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" - exit "$?" ++go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" + + if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then + echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 -- 2.31.1 diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch index c97e978..4aa1e11 100644 --- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -1,4 +1,4 @@ -From 64c8066535dacbe37abc35485347c59df553bfbb Mon Sep 17 00:00:00 2001 +From 18cbc514c8b776c855a24cdcf8b326d592322d44 Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} @@ -23,17 +23,19 @@ PPC64, and should be kept updated to match Fedora's Go guidelines. Use 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..4793d29a7021 100755 +index 677dca94bd5a..581d5c82cf2f 100755 --- a/src/go-build-wrapper +++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -27,7 +27,8 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +unset LDFLAGS -+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" - exit "$?" ++go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" + + if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then + echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 -- 2.31.1 
diff --git a/toolbox.spec b/toolbox.spec index 28f3942..4aac6d1 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -1,10 +1,12 @@ +%global __brp_check_rpaths %{nil} + Name: toolbox Version: 0.0.99.2^3.git075b9a8d2779 %global goipath github.com/containers/%{name} %gometa -Release: 7%{?dist} +Release: 8%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 @@ -14,6 +16,9 @@ URL: https://github.com/containers/%{name} # Snapshot tarball Source0: %{name}-%{version}.tar.xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1995439 +Patch0: toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch + # Fedora specific Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -34,6 +39,7 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5 BuildRequires: golang(golang.org/x/sys/unix) BuildRequires: meson +BuildRequires: patchelf BuildRequires: pkgconfig(bash-completion) BuildRequires: systemd @@ -137,6 +143,7 @@ The %{name}-tests package contains system tests for %{name}. %prep %setup -q +%patch0 -p1 %patch100 -p1 %ifnarch ppc64 @@ -186,6 +193,9 @@ ln -s src/pkg pkg %changelog +* Fri Oct 22 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-8 +- Ensure that binaries are run against their build-time ABI + * Mon Sep 13 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-7 - Rebuilt for gating tests
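Review bot: In the `@@ -27,5 +27,16 @@` hunk of src/go-build-wrapper (Patch0) the exit status of `go build` is no longer propagated: the trailing `exit "$?"` now reports the status of the last `if` test (a successful `patchelf --set-interpreter`), so a failed build that leaves a stale `$2/toolbox` from an earlier run would be silently re-patched and installed. Wrap the build the same way as the patchelf calls, e.g. `if ! go build ...; then exit 1; fi`, or add `set -e` at the top of the script. Two caveats on the same hunk: `-Wl,-rpath` yields either DT_RPATH or DT_RUNPATH depending on the linker's default, and only DT_RPATH is consulted for libraries loaded indirectly, so pin the intended one with `-Wl,--disable-new-dtags` or `-Wl,--enable-new-dtags` and say which is meant; and because PT_INTERP now lives under /run/host, executing the binary anywhere that path is missing fails at execve with a bare "No such file or directory" naming the binary itself, which is worth a sentence in the commit message.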
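Review bot: The `+L /run/host - - - - ../` line in data/tmpfiles.d/toolbox.conf has no effect when /run/host already exists, because tmpfiles.d `L` leaves an existing path untouched (only `L+` replaces it); on such a host the rewritten PT_INTERP and RPATHs resolve against whatever is already there, or fail if it is a stale directory. That is probably the right behaviour when /run/host is a bind mount provided to a nested container, but the commit message should say so, and the /run/host -> ../ (that is, /) symlink deserves a comment in the file itself, since it is the only thing that keeps the host binary loadable.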
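Review bot: The `meson_version: '>= 0.53.0'` bump in the meson.build hunk is not explained by the commit message, which only covers dropping the C toolchain and adding `find_program('patchelf')`; name the feature that needs 0.53 (or keep the previous `>= 0.42.0` minimum if nothing does), since raising it excludes older build hosts for no visible reason.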
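Review bot: `%global __brp_check_rpaths %{nil}` at the top of toolbox.spec disables the RPATH check for the whole package without a comment; add one that ties it to the /run/host/usr/lib and /run/host/usr/lib64 RPATHs embedded by Patch0 (toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch), so the override is removed together with that patch and nobody re-enables the check without understanding why it fails. The same comment could cover the new `BuildRequires: patchelf`.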
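Review bot: The rebased hunks in toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch and its PPC64 variant now carry the `index 677dca94bd5a..` pre-image from Patch0, so they only apply after `%patch0 -p1`; the spec does apply Patch0 first, but the comment block above `Patch0:` should record that Patch101 and Patch102 are rebased on it, so that a future drop of Patch0 also regenerates them. They also inherit the unchecked `go build` status from the wrapper hunk: `+unset LDFLAGS` and the `go build` line are followed directly by the `patchelf --print-interpreter` check, with no test of the build's own exit code.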