Merge pull request #208 from JonathonReinhart/207-bulk-audit

Perform RUNPATH auditing on all PyInstaller archive libraries before aborting

Author: JonathonReinhart

CHANGELOG.md

@@ -2,6 +2,11 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [Unreleased]
+### Changed
+- Perform RUNPATH auditing on all PyInstaller archive libraries before aborting ([#208])
+
+
 ## [0.13.3] - 2021-10-14
 ### Fixed
 - Fix ldd warning about libnssfix.so not being executable ([#204])
@@ -276,3 +281,4 @@ Initial release
 [#197]: https://github.com/JonathonReinhart/staticx/pull/197
 [#199]: https://github.com/JonathonReinhart/staticx/pull/199
 [#204]: https://github.com/JonathonReinhart/staticx/pull/204
+[#208]: https://github.com/JonathonReinhart/staticx/pull/208

staticx/errors.py

@@ -32,6 +32,8 @@ class UnsupportedDynTagError(InvalidInputError):
     See https://github.com/JonathonReinhart/staticx/issues/172
     """
     def __init__(self, libpath, value):
+        self.libpath = libpath
+        self.value = value
         super().__init__("{} uses unsupported {} ({!r}).\n"
                 "See https://github.com/JonathonReinhart/staticx/issues/188"
                 .format(libpath, self.tag, value))

staticx/hooks/pyinstaller.py

@@ -3,6 +3,7 @@
 import tempfile
 
 from ..elf import get_shobj_deps, is_dynamic, LddError
+from ..errors import Error, UnsupportedRpathError, UnsupportedRunpathError
 from ..utils import make_executable, mkdirs_for
 
 def process_pyinstaller_archive(sx):
@@ -44,9 +45,15 @@ def __exit__(self, *exc_info):
 
     def process(self):
         binaries = self._extract_binaries()
+
+        # These could be Python libraries, shared object dependencies, or
+        # anything else a user might add via `binaries` in the .spec file.
+        # Filter out everything except dynamic ELFs
+        binaries = [b for b in binaries if is_dynamic(b)]
+
+        self._audit_libs(binaries)
+
         for binary in binaries:
-            # These could be Python libraries, shared object dependencies, or
-            # anything else a user might add via `binaries` in the .spec file.
             self._add_required_deps(binary)
 
 
@@ -69,32 +76,41 @@ def _extract_binaries(self):
             with open(tmppath, 'wb') as f:
                 f.write(data)
 
+            # Silence "you do not have execution permission" warning from ldd
+            make_executable(tmppath)
+
             # We can't use yield here, because we need all of the libraries to be
             # extracted prior to running ldd (see #61)
             result.append(tmppath)
 
         return result
 
+    def _audit_libs(self, libs):
+        """Audit the dynamic libraries included in the PyInstaller archive"""
+        errors = []
+        for lib in libs:
+            # Check for RPATH/RUNPATH, but only "dangerous" values and let
+            # "harmless" values pass (e.g. "$ORIGIN/cffi.libs")
+            try:
+                self.sx.check_library_rpath(lib, dangerous_only=True)
+            except (UnsupportedRpathError, UnsupportedRunpathError) as e:
+                # Unfortunately, there's no easy way to fix an UnsupportedRunpathError
+                # here, because staticx is not about to to modify the library and
+                # re-pack the PyInstaller archive itself.
+                errors.append(e)
+
+        if errors:
+            msg = "Unsupported PyInstaller input\n\n"
+            msg += "One or more libraries included in the PyInstaller"
+            msg += " archive uses unsupported RPATH/RUNPATH tags:\n\n"
+            for e in errors:
+                msg += "  {}: {}={!r}\n".format(e.libpath, e.tag, e.value)
+            msg += "\nSee https://github.com/JonathonReinhart/staticx/issues/188"
+            raise Error(msg)
 
     def _add_required_deps(self, lib):
         """Add dependencies of lib to staticx archive"""
 
-        # Verify this is a shared library
-        if not is_dynamic(lib):
-            # It's okay if there's a static executable in the PyInstaller
-            # archive. See issue #78
-            return
-
-        # Silence "you do not have execution permission" warning from ldd
-        make_executable(lib)
-
-        # Check for RPATH/RUNPATH, but only "dangerous" values and let
-        # "harmless" values pass (e.g. "$ORIGIN/cffi.libs")
-        self.sx.check_library_rpath(lib, dangerous_only=True)
-        # Unfortunately, there's no easy way to fix an UnsupportedRunpathError
-        # here, because staticx is not about to to modify the library and
-        # re-pack the PyInstaller archive itself.
-
         # Try to get any dependencies of this file
         try:
             deps = get_shobj_deps(lib, libpath=[self.tmpdir.name])

test/pyinstall-lib-runpath/app.py

@@ -4,9 +4,15 @@
 
 mydir = Path(__file__).parent
 
-dll = CDLL(mydir / 'shlib.so')
+libfoo = CDLL(mydir / 'libfoo.so')
+libbar = CDLL(mydir / 'libbar.so')
 
-dll.foo.argtypes = ()
-dll.foo.restype = c_int
+def setup_prototype(func, restype, *argtypes):
+    func.restype = restype
+    func.argtypes = argtypes
 
-print("foo() =>", dll.foo())
+setup_prototype(libfoo.foo, c_int)
+setup_prototype(libbar.bar, c_int)
+
+print("foo() =>", libfoo.foo())
+print("bar() =>", libbar.bar())

test/pyinstall-lib-runpath/app.spec

@@ -1,6 +1,9 @@
 # PyInstaller spec file
 
-binaries = [('shlib.so', '.')]
+binaries = [
+    ('libfoo.so', '.'),
+    ('libbar.so', '.'),
+]
 
 a = Analysis(['app.py'], binaries=binaries)
 

test/pyinstall-lib-runpath/libbar.c

@@ -0,0 +1,6 @@
+#include "libbar.h"
+
+int bar(void)
+{
+    return 88;
+}

test/pyinstall-lib-runpath/libbar.h

@@ -0,0 +1,6 @@
+#ifndef LIBBAR_DOT_H
+#define LIBBAR_DOT_H
+
+int bar(void);
+
+#endif /* LIBBAR_DOT_H */

test/pyinstall-lib-runpath/shlib.c test/pyinstall-lib-runpath/libfoo.c

@@ -1,4 +1,4 @@
-#include "shlib.h"
+#include "libfoo.h"
 
 int foo(void)
 {

test/pyinstall-lib-runpath/libfoo.h

@@ -0,0 +1,6 @@
+#ifndef LIBFOO_DOT_H
+#define LIBFOO_DOT_H
+
+int foo(void);
+
+#endif /* LIBFOO_DOT_H */

test/pyinstall-lib-runpath/run_test.sh

@@ -11,9 +11,15 @@ app="./dist/app"
 outfile="./dist/app.staticx"
 
 # Build the shared library
-gcc -Wall -Werror -fPIC -c -o shlib.o shlib.c
-gcc -shared -Wl,-rpath=/bogus/absolute/path -Wl,--enable-new-dtags -o shlib.so shlib.o
-verify_uses_runpath shlib.so
+function make_shlib() {
+    lib="$1"
+    gcc -Wall -Werror -fPIC -c -o $lib.o $lib.c
+    gcc -shared -Wl,-rpath=/bogus/absolute/path -Wl,--enable-new-dtags -o $lib.so $lib.o
+    verify_uses_runpath $lib.so
+}
+
+make_shlib libfoo
+make_shlib libbar
 
 # Run the application normally
 echo -e "\nPython app run normally:"
@@ -35,9 +41,19 @@ if output=$(staticx $STATICX_FLAGS $app $outfile); then
     echo "FAIL: Staticx permitted a problematic library using RUNPATH"
     exit 66
 fi
-if ! (echo "$output" | grep -q "unsupported DT_RUNPATH"); then
-    echo "FAIL: Unexpected output text:"
-    echo "$output"
-    exit 66
-fi
+
+function check_output() {
+    pat="$1"
+    if ! (echo "$output" | grep -q "$pat"); then
+        echo "FAIL: Unexpected output text (missing \"$pat\"):"
+        echo "-----------------------------------------------------------------"
+        echo "$output"
+        echo "-----------------------------------------------------------------"
+        exit 66
+    fi
+}
+check_output "Unsupported PyInstaller input"
+check_output "libfoo.so.*DT_RUNPATH"
+check_output "libbar.so.*DT_RUNPATH"
+
 echo "Success"