author April Chin <>
Tue, 04 Mar 2014 10:19:09 -0800
changeset 1742 1bfc3321abb4
parent 1512 f57514e19ede
child 1756 3579365335ef
permissions -rw-r--r--
18202547 memcached lib comes with erroneous RPATH and RUNPATH 18253985 pkglint should check for non-existent RUNPATH directories
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]

# Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.

# Some userland consolidation specific lint checks

import pkg.lint.base as base
from pkg.lint.engine import lint_fmri_successor
import pkg.elf as elf
import re
import os.path
import subprocess

class UserlandActionChecker(base.ActionChecker):
        """An class to check actions."""

        name = "userland.action"

        def __init__(self, config):
                self.description = _(
                    "checks Userland packages for common content errors")
		path = os.getenv('PROTO_PATH')
		if path != None:
			self.proto_path = path.split()
			self.proto_path = None
		# These lists are used to check if a 32/64-bit binary
		# is in a proper 32/64-bit directory.
		self.pathlist32 = [
			"i86pc-solaris-64int",  # perl path
			"sun4-solaris-64int"    # perl path
		self.pathlist64 = [
			"i86pc-solaris-64",     # perl path
			"sun4-solaris-64"       # perl path
		self.runpath_re = [
		self.runpath_64_re = [
			re.compile('^.*/i86pc-solaris-64(/.*)?$'), # perl path
			re.compile('^.*/sun4-solaris-64(/.*)?$')   # perl path
		self.initscript_re = re.compile("^etc/(rc.|init)\.d")

                self.lint_paths = {}
                self.ref_paths = {}

                super(UserlandActionChecker, self).__init__(config)

        def startup(self, engine):
                """Initialize the checker with a dictionary of paths, so that we
                can do link resolution.

                This is copied from the core pkglint code, but should eventually
                be made common.

                def seed_dict(mf, attr, dic, atype=None, verbose=False):
                        """Updates a dictionary of { attr: [(fmri, action), ..]}
                        where attr is the value of that attribute from
                        actions of a given type atype, in the given

                        pkg_vars = mf.get_all_variants()

                        if atype:
                                mfg = (a for a in mf.gen_actions_by_type(atype))
                                mfg = (a for a in mf.gen_actions())

                        for action in mfg:
                                if atype and != atype:
                                if attr not in action.attrs:

                                variants = action.get_variant_template()

                                p = action.attrs[attr]
                                dic.setdefault(p, []).append((mf.fmri, action))

                # construct a set of FMRIs being presented for linting, and
                # avoid seeding the reference dictionary with any for which
                # we're delivering new packages.
                lint_fmris = {}
                for m in engine.gen_manifests(engine.lint_api_inst,
                    release=engine.release, pattern=engine.pattern):
                        lint_fmris.setdefault(m.fmri.get_name(), []).append(m.fmri)
                for m in engine.lint_manifests:
                        lint_fmris.setdefault(m.fmri.get_name(), []).append(m.fmri)

                    _("Seeding reference action path dictionaries."))

                for manifest in engine.gen_manifests(engine.ref_api_inst,
                        # Only put this manifest into the reference dictionary
                        # if it's not an older version of the same package.
                        if not any(
                            lint_fmri_successor(fmri, manifest.fmri)
                            for fmri
                            in lint_fmris.get(manifest.fmri.get_name(), [])
                                seed_dict(manifest, "path", self.ref_paths)

                    _("Seeding lint action path dictionaries."))

                # we provide a search pattern, to allow users to lint a
                # subset of the packages in the lint_repository
                for manifest in engine.gen_manifests(engine.lint_api_inst,
                    release=engine.release, pattern=engine.pattern):
                        seed_dict(manifest, "path", self.lint_paths)

                    _("Seeding local action path dictionaries."))

                for manifest in engine.lint_manifests:
                        seed_dict(manifest, "path", self.lint_paths)

                self.__merge_dict(self.lint_paths, self.ref_paths,

        def __merge_dict(self, src, target, ignore_pubs=True):
                """Merges the given src dictionary into the target
                dictionary, giving us the target content as it would appear,
                were the packages in src to get published to the
                repositories that made up target.

                We need to only merge packages at the same or successive
                version from the src dictionary into the target dictionary.
                If the src dictionary contains a package with no version
                information, it is assumed to be more recent than the same
                package with no version in the target."""

                for p in src:
                        if p not in target:
                                target[p] = src[p]

                        def build_dic(arr):
                                """Builds a dictionary of fmri:action entries"""
                                dic = {}
                                for (pfmri, action) in arr:
                                        if pfmri in dic:
                                                dic[pfmri] = [action]
                                return dic

                        src_dic = build_dic(src[p])
                        targ_dic = build_dic(target[p])

                        for src_pfmri in src_dic:
                                # we want to remove entries deemed older than
                                # src_pfmri from targ_dic.
                                for targ_pfmri in targ_dic.copy():
                                        sname = src_pfmri.get_name()
                                        tname = targ_pfmri.get_name()
                                        if lint_fmri_successor(src_pfmri,
                        l = []
                        for pfmri in targ_dic:
                                for action in targ_dic[pfmri]:
                                        l.append((pfmri, action))
                        target[p] = l

        def __realpath(self, path, target):
		"""Combine path and target to get the real path."""

		result = os.path.dirname(path)

		for frag in target.split(os.sep):
			if frag == '..':
				result = os.path.dirname(result)
			elif frag == '.':
				result = os.path.join(result, frag)

		return result

	def __elf_aslr_check(self, path, engine):
		result = None

		ei = elf.get_info(path)
		type = ei.get("type");
		if type != "exe":
			return result

		# get the ASLR tag string for this binary
		aslr_tag_process = subprocess.Popen(
			"/usr/bin/elfedit -r -e 'dyn:sunw_aslr' "
			+ path, shell=True,
			stdout=subprocess.PIPE, stderr=subprocess.PIPE)

		# aslr_tag_string will get stdout; err will get stderr
		aslr_tag_string, err = aslr_tag_process.communicate()

		# No ASLR tag was found; everything must be tagged
		if aslr_tag_process.returncode != 0:
				_("'%s' is not tagged for aslr") % (path),
				msgid="%s%s.5" % (, "001"))
			return result

		# look for "ENABLE" anywhere in the string;
		# warn about binaries which are not ASLR enabled
		if"ENABLE", aslr_tag_string) is not None:
			return result
			_("'%s' does not have aslr enabled") % (path),
			msgid="%s%s.6" % (, "001"))
		return result

	def __elf_runpath_check(self, path, engine):
		result = None
		list = []

		ed = elf.get_dynamic(path)
		ei = elf.get_info(path)
		bits = ei.get("bits")
		for dir in ed.get("runpath", "").split(":"):
			if dir == None or dir == '':

			match = False
			for expr in self.runpath_re:
				if expr.match(dir):
					match = True

			if match == False:
			# Make sure RUNPATH matches against a packaged path.
			# Don't check runpaths starting with $ORIGIN, which
			# is specially handled by the linker.

			elif not dir.startswith('$ORIGIN/'):

			# Strip out leading and trailing '/' in the 
			# runpath, since the reference paths don't start 
			# with '/' and trailing '/' could cause mismatches.
			# Check first if there is an exact match, then check
			# if any reference path starts with this runpath
			# plus a trailing slash, since it may still be a link
			# to a directory that has no action because it uses
			# the default attributes.

				relative_dir = dir.strip('/')
				if not relative_dir in self.ref_paths and \
				    not any(key.startswith(relative_dir + '/')
				        for key in self.ref_paths):

			# If still no match, if the runpath contains
			# an embedded symlink, emit a warning; it may or may
			# not resolve to a legitimate path.
			# E.g., for usr/openwin/lib, usr/openwin->X11 and
			# usr/X11/lib are packaged, but usr/openwin/lib is not.
			# Otherwise, runpath is bad; add it to list.
					embedded_link = False
					pdir = os.path.dirname(relative_dir)
					while pdir != '':
						if (pdir in self.ref_paths and 
						    self.ref_paths[pdir][0][1].name == "link"):
							embedded_link = True
								_("runpath '%s' in '%s' not found in reference paths but contains symlink at '%s'") % (dir, path, pdir),
								msgid="%s%s.3" % (, "001"))
						pdir = os.path.dirname(pdir)
					if not embedded_link:

			if bits == 32:
				for expr in self.runpath_64_re:
							_("64-bit runpath in 32-bit binary, '%s' includes '%s'") % (path, dir),
							msgid="%s%s.3" % (, "001"))
				match = False
				for expr in self.runpath_64_re:
						match = True
				if match == False:
						_("32-bit runpath in 64-bit binary, '%s' includes '%s'") % (path, dir),
						msgid="%s%s.3" % (, "001"))
		if len(list) > 0:
			result = _("bad RUNPATH, '%%s' includes '%s'" %

		return result

	def __elf_wrong_location_check(self, path, inspath):
		result = None

		ei = elf.get_info(path)
		bits = ei.get("bits")
		type = ei.get("type");
                elems = os.path.dirname(inspath).split("/")

                path64 = False
		for p in self.pathlist64:
		    if (p in elems):
		    	path64 = True

		path32 = False
		for p in self.pathlist32:
		    if (p in elems):
		    	path32 = True

		# ignore 64-bit executables in normal (non-32-bit-specific)
		# locations, that's ok now.
		if (type == "exe" and bits == 64 and path32 == False and path64 == False):
			return result

		if bits == 32 and path64:
			result = _("32-bit object '%s' in 64-bit path")
		elif bits == 64 and not path64:
			result = _("64-bit object '%s' in 32-bit path")
		return result

	def file_action(self, action, manifest, engine, pkglint_id="001"):
		"""Checks for existence in the proto area."""

		if not in ["file"]:


		path = action.hash
		if path == None or path == 'NOHASH':
			path = inspath

		# check for writable files without a preserve attribute
		if "mode" in action.attrs:
			mode = action.attrs["mode"]

			if (int(mode, 8) & 0222) != 0 and "preserve" not in action.attrs:
				_("%(path)s is writable (%(mode)s), but missing a preserve"
				  " attribute") %  {"path": path, "mode": mode},
				msgid="%s%s.0" % (, pkglint_id))
		elif "preserve" in action.attrs:
			if "mode" in action.attrs:
				mode = action.attrs["mode"]
				if (int(mode, 8) & 0222) == 0:
					_("%(path)s has a preserve action, but is not writable (%(mode)s)") %  {"path": path, "mode": mode},
				msgid="%s%s.4" % (, pkglint_id))
				_("%(path)s has a preserve action, but no mode") %  {"path": path, "mode": mode},
				msgid="%s%s.3" % (, pkglint_id))

		# checks that require a physical file to look at
		if self.proto_path is not None:
			for directory in self.proto_path:
				fullpath = directory + "/" + path

				if os.path.exists(fullpath):

			if not os.path.exists(fullpath):
					_("%s missing from proto area, skipping"
					  " content checks") % path, 
					msgid="%s%s.1" % (, pkglint_id))
			elif elf.is_elf_object(fullpath):
				# 32/64 bit in wrong place
				result = self.__elf_wrong_location_check(fullpath, inspath)
				if result != None:
					engine.error(result % inspath, 
						msgid="%s%s.2" % (, pkglint_id))
				result = self.__elf_runpath_check(fullpath, engine)
				if result != None:
					engine.error(result % path, 
						msgid="%s%s.3" % (, pkglint_id))
				result = self.__elf_aslr_check(fullpath, engine)

	file_action.pkglint_desc = _("Paths should exist in the proto area.")

	def link_resolves(self, action, manifest, engine, pkglint_id="002"):
		"""Checks for link resolution."""

		if not in ["link", "hardlink"]:

		path = action.attrs["path"]
		target = action.attrs["target"]
		realtarget = self.__realpath(path, target)

		# Check against the target image (ref_paths), since links might
		# resolve outside the packages delivering a particular
		# component.

		# links to files should directly match a patch in the reference
		# repo.
		if self.ref_paths.get(realtarget, None):

		# If it didn't match a path in the reference repo, it may still
		# be a link to a directory that has no action because it uses
		# the default attributes.  Look for a path that starts with
		# this value plus a trailing slash to be sure this it will be
		# resolvable on a fully installed system.
		realtarget += '/'
		for key in self.ref_paths:
			if key.startswith(realtarget):

		engine.error(_("%s %s has unresolvable target '%s'") %
				(, path, target),
			msgid="%s%s.0" % (, pkglint_id))

	link_resolves.pkglint_desc = _("links should resolve.")

	def init_script(self, action, manifest, engine, pkglint_id="003"):
		"""Checks for SVR4 startup scripts."""

		if not in ["file", "dir", "link", "hardlink"]:

		path = action.attrs["path"]
		if self.initscript_re.match(path):
				_("SVR4 startup '%s', deliver SMF"
				  " service instead") % path,
				msgid="%s%s.0" % (, pkglint_id))

	init_script.pkglint_desc = _(
		"SVR4 startup scripts should not be delivered.")

class UserlandManifestChecker(base.ManifestChecker):
        """An class to check manifests."""

        name = "userland.manifest"

	def __init__(self, config):
		super(UserlandManifestChecker, self).__init__(config)

	def component_check(self, manifest, engine, pkglint_id="001"):
		manifest_paths = []
		files = False
		license = False

		for action in manifest.gen_actions_by_type("file"):
			files = True

		if files == False:

		for action in manifest.gen_actions_by_type("license"):
			license = True

		if license == False:
			engine.error( _("missing license action"),
				msgid="%s%s.0" % (, pkglint_id))

		if 'org.opensolaris.arc-caseid' not in manifest:
			engine.error( _("missing ARC data (org.opensolaris.arc-caseid)"),
				msgid="%s%s.0" % (, pkglint_id))

	component_check.pkglint_dest = _(
		"license actions and ARC information are required if you deliver files.")

        def publisher_in_fmri(self, manifest, engine, pkglint_id="002"):
                lint_id = "%s%s" % (, pkglint_id)
                allowed_pubs = engine.get_param(
                    "%s.allowed_pubs" % lint_id).split(" ") 

                fmri = manifest.fmri
                if fmri.publisher and fmri.publisher not in allowed_pubs:
                        engine.error(_("package %s has a publisher set!") %
                            msgid="%s%s.2" % (, pkglint_id))