tmpdir audit: only fail with files referenced below (#35068)
On Linux the `$TMPDIR` is `/build`. The TMPDIR audit looks for `$TMPDIR` in the build output, which then fails on packages like /buildkite-agent. This fixes the heuristic to look for `$TMPDIR/` instead.
This commit is contained in:
parent
e15bac8f76
commit
551aecfa83
1 changed files with 5 additions and 5 deletions
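--- a/<FILE-PATH-NOT-SHOWN>
+++ b/<FILE-PATH-NOT-SHOWN>
@@ -13,23 +13,23 @@ auditTmpdir() {
 local dir="$1"
 [ -e "$dir" ] || return 0
 
-header "checking for references to $TMPDIR in $dir..."
+header "checking for references to $TMPDIR/ in $dir..."
 
 local i
 while IFS= read -r -d $'\0' i; do
 if [[ "$i" =~ .build-id ]]; then continue; fi
 
 if isELF "$i"; then
-if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
-echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
+if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR/"; then
+echo "RPATH of binary $i contains a forbidden reference to $TMPDIR/"
 exit 1
 fi
 fi
 
 if isScript "$i"; then
 if [ -e "$(dirname "$i")/.$(basename "$i")-wrapped" ]; then
-if grep -q -F "$TMPDIR" "$i"; then
-echo "wrapper script $i contains a forbidden reference to $TMPDIR"
+if grep -q -F "$TMPDIR/" "$i"; then
+echo "wrapper script $i contains a forbidden reference to $TMPDIR/"
 exit 1
 fi
 fi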
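Review bot: The new `grep -q -F "$TMPDIR/"` in both the patchelf branch and the wrapper-script branch no longer matches a reference to the build directory itself — `/build` followed by a colon in an RPATH entry, or `cd "$TMPDIR"` baked into a wrapper — so that class of leak now passes the audit silently, and the trade-off against false positives such as `/buildkite-agent` is only recorded in the commit message. I would state it next to the pattern, above the `header` line: `# Match "$TMPDIR/" rather than "$TMPDIR": a bare prefix match misfires on store paths such as /buildkite-agent, at the cost of missing references to the directory itself.` If the bare-directory case is worth catching, the fixed-string form accepts several patterns without having to regex-escape `$TMPDIR`, e.g. `grep -q -F -e "$TMPDIR/" -e "$TMPDIR:"` in both checks. The `while` loop's `done` and the rest of auditTmpdir lie outside the hunk.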