Google Git
Sign in
bazel/bazel/f8768306766429bf41ec8a61777beab216c2e62d^!/.
commit
f8768306766429bf41ec8a61777beab216c2e62d
[log]
author
jmmv <jmmv@google.com>
Mon Jan 28 06:10:36 2019 -0800
committer
Copybara-Service <copybara-piper@google.com>
Mon Jan 28 06:12:55 2019 -0800
tree
5fb3d4e5bd74f7252b744787235786264dc284db
parent
cb59bd26dd5886b9c05aca7edb7d6431a63ac48b [diff]
Prevent make_hashed_objlist from writing into undeclared locations.

The make_hashed_objlist script was creating symlinks to object files in
the same directory where those object files lived.  This is a problem
because there is no guarantee that we can write to those directories as
demonstrated by the stricter sandboxfs-sandboxing.

To fix this, make this script create its links to a given temporary
directory and fix the callers to create such directory.

Note that SandboxfsSandboxedSpawn currently contains code to cope with
this by creating all hierarchies that correspond to input files.  This
seems like a hack and is costly, hence why I'd like to remove it.

RELNOTES: None.
PiperOrigin-RevId: 231206610

diff --git a/tools/objc/libtool.sh b/tools/objc/libtool.sh
index e127575..8fd4502 100755
--- a/tools/objc/libtool.sh
+++ b/tools/objc/libtool.sh

@@ -66,7 +66,10 @@
       HASHED_FILELIST="${ARG%.objlist}_hashes.objlist"
       rm -f "${HASHED_FILELIST}"
       # Use python helper script for fast md5 calculation of many strings.
-      python "${MY_LOCATION}/make_hashed_objlist.py" "${ARG}" "${HASHED_FILELIST}"
+      TEMPDIR="$(mktemp -d "${TMPDIR:-/tmp}/libtool.XXXXXXXX")"
+      trap "rm -rf \"${TEMPDIR}\"" EXIT
+      python "${MY_LOCATION}/make_hashed_objlist.py" \
+        "${ARG}" "${HASHED_FILELIST}" "${TEMPDIR}"
       ARGS+=("${HASHED_FILELIST}")
       ;;
    # Output flag

diff --git a/tools/objc/make_hashed_objlist.py b/tools/objc/make_hashed_objlist.py
index 9dfd54a..bb32642 100644
--- a/tools/objc/make_hashed_objlist.py
+++ b/tools/objc/make_hashed_objlist.py

@@ -20,6 +20,10 @@
 becomes foo_{md5sum}.o), then saves the list of symbolic links to another
 file.
 
+The symbolic links are created into the given temporary directory.  There is
+no guarantee that we can write to the directory that contained the inputs to
+this script.
+
 This is to circumvent a bug in the original libtool that arises when two
 input files have the same base name (even if they are in different
 directories).
@@ -31,19 +35,22 @@
 
 
 def main():
+  outdir = sys.argv[3]
   with open(sys.argv[1]) as obj_file_list:
     with open(sys.argv[2], 'w') as hashed_obj_file_list:
       for line in obj_file_list:
         obj_file_path = line.rstrip('\n')
-        hashed_obj_file_path = '%s_%s.o' % (
-            os.path.splitext(obj_file_path)[0],
+
+        hashed_obj_file_name = '%s_%s.o' % (
+            os.path.basename(os.path.splitext(obj_file_path)[0]),
             hashlib.md5(obj_file_path.encode('utf-8')).hexdigest())
+        hashed_obj_file_path = os.path.join(outdir, hashed_obj_file_name)
 
         hashed_obj_file_list.write(hashed_obj_file_path + '\n')
 
         # Create symlink only if the symlink doesn't exist.
         if not os.path.exists(hashed_obj_file_path):
-          os.symlink(os.path.basename(obj_file_path),
+          os.symlink(os.path.abspath(obj_file_path),
                      hashed_obj_file_path)