diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/insane.bbclass | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass new file mode 100644 index 000000000..5912ae494 --- /dev/null +++ b/meta/classes/insane.bbclass @@ -0,0 +1,151 @@ +# BB Class inspired by ebuild.sh +# +# This class will test files after installation for certain +# security issues and other kind of issues. +# +# Checks we do: +# -Check the ownership and permissions +# -Check the RUNTIME path for the $TMPDIR +# -Check if .la files wrongly point to workdir +# -Check if .pc files wrongly point to workdir +# -Check if packages contains .debug directories or .so files where they should be in -dev or -dbg +# + + +# +# We need to have the scanelf utility as soon as +# possible and this is contained within the pax-utils-native +# + + +# We play a special package function +inherit package +PACKAGE_DEPENDS += "pax-utils-native" +PACKAGEFUNCS += " do_package_qa " + +def package_qa_check_rpath(file,name,d): + """ + Check for dangerous RPATHs + """ + import bb, os + scanelf = os.path.join(bb.data.getVar('STAGING_BINDIR_NATIVE',d,True),'scanelf') + bad_dir = bb.data.getVar('TMPDIR', d, True) + "/work" + if not os.path.exists(scanelf): + bb.note("Can not check RPATH scanelf not found") + if not bad_dir in bb.data.getVar('WORKDIR', d, True): + bb.fatal("This class assumed that WORKDIR is ${TMPDIR}/work... Not doing any check") + + output = os.popen("%s -Byr %s" % (scanelf,file)) + txt = output.readline().rsplit() + if bad_dir in txt: + bb.fatal("QA Issue package %s contains bad RPATH %s in file %s" % (name, txt, file)) + + pass + +def package_qa_check_devdbg(path, name,d): + """ + Check for debug remains inside the binary or + non dev packages containing + """ + + import bb + if not "-dev" in name: + if path[-3:] == ".so": + bb.fatal("QA Issue: non dev package contains .so: %s" % name) + + if not "-dbg" in name: + if '.debug' in path: + bb.fatal("QA Issue: non debug package contains .debug directory: %s" % name) + +def package_qa_check_perm(path,name,d): + """ + Check the permission of files + """ + pass + +def package_qa_check_arch(path,name,d): + """ + Check if archs are compatible + """ + pass + +def package_qa_check_pcla(path,name,d): + """ + .pc and .la files should not point + """ + +def package_qa_check_staged(path,d): + """ + Check staged la and pc files for sanity + -e.g. installed being false + """ + pass + +# Walk over all files in a directory and call func +def package_qa_walk(path, funcs, package,d): + import os + for root, dirs, files in os.walk(path): + for file in files: + path = os.path.join(root,file) + for func in funcs: + func(path, package,d) + + +def package_qa_check_rdepends(pkg, workdir, d): + import bb + if not "-dbg" in pkg and not "task-" in pkg and not "-image" in pkg: + # Copied from package_ipk.bbclass + # boiler plate to update the data + localdata = bb.data.createCopy(d) + root = "%s/install/%s" % (workdir, pkg) + + bb.data.setVar('ROOT', '', localdata) + bb.data.setVar('ROOT_%s' % pkg, root, localdata) + pkgname = bb.data.getVar('PKG_%s' % pkg, localdata, 1) + if not pkgname: + pkgname = pkg + bb.data.setVar('PKG', pkgname, localdata) + + overrides = bb.data.getVar('OVERRIDES', localdata) + if not overrides: + raise bb.build.FuncFailed('OVERRIDES not defined') + overrides = bb.data.expand(overrides, localdata) + bb.data.setVar('OVERRIDES', overrides + ':' + pkg, localdata) + + bb.data.update_data(localdata) + + # Now check the RDEPENDS + rdepends = explode_deps(bb.data.getVar('RDEPENDS', localdata, True) or "") + + + # Now do the sanity check!!! + for rdepend in rdepends: + if "-dbg" in rdepend: + bb.fatal("QA issue, koen give us a better msg!!!") + +# The PACKAGE FUNC to scan each package +python do_package_qa () { + bb.note("DO PACKAGE QA") + workdir = bb.data.getVar('WORKDIR', d, True) + packages = bb.data.getVar('PACKAGES',d, True) + + # no packages should be scanned + if not packages: + return + + for package in packages.split(): + bb.note("Package: %s" % package) + path = "%s/install/%s" % (workdir, package) + package_qa_walk(path, [package_qa_check_rpath, package_qa_check_devdbg, package_qa_check_perm, package_qa_check_arch], package, d) + package_qa_check_rdepends(package, workdir, d) + +} + + +# The Staging Func, to check all staging +addtask qa_staging after do_populate_staging before do_build +python do_qa_staging() { + bb.note("Staged!") + + package_qa_check_staged(bb.data.getVar('STAGING_DIR',d,True), d) +} |