-rw-r--r--004.psxstub.vars3
-rw-r--r--007.musl.full.build8
-rw-r--r--009.gcc.full.build8
-rw-r--r--010.pkgconf_host.vars2
-rw-r--r--999.tarballs.build14
-rwxr-xr-xbuild.sh8
-rw-r--r--build.subr62
-rw-r--r--build.vars7
-rw-r--r--pkg.build16
9 files changed, 85 insertions, 43 deletions
diff --git a/004.psxstub.vars b/004.psxstub.vars
index d9c467d1..cf18c4b1 100644
--- a/004.psxstub.vars
+++ b/004.psxstub.vars
@@ -9,8 +9,7 @@ pkg_psxstub_finish() {
cd psxstub;
make ${MAKEFLAGS} DESTDIR=${PKG_PREFIX} TARGET=${TARGET} install;
if [ -e ${PKG_PREFIX}/lib/libpsxscl.a ]; then
- echo rm -f -- ${PKG_PREFIX}/lib/libpsxscl.a;
- rm -f -- ${PKG_PREFIX}/lib/libpsxscl.a;
+ secure_rm ${PKG_PREFIX}/lib/libpsxscl.a;
fi;
set_build_script_done install finish;
fi;
diff --git a/007.musl.full.build b/007.musl.full.build
index 4c6e2310..ab89e256 100644
--- a/007.musl.full.build
+++ b/007.musl.full.build
@@ -16,12 +16,12 @@ if [ "${3}" = no-complex ]; then
if ! is_build_script_done fetch; then
fetch http://www.musl-libc.org/releases/musl-${PKG_MUSL_VERSION}.tar.gz \
${PKG_MUSL_SHA256SUM};
- rm_if_exists mmglue;
+ secure_rm mmglue;
fetch_git mmglue ${GITROOT}/mmglue;
set_build_script_done fetch -extract;
fi;
if ! is_build_script_done extract; then
- rm_if_exists musl-${PKG_MUSL_VERSION};
+ secure_rm musl-${PKG_MUSL_VERSION};
tar -xf ${DLCACHEDIR}/musl-${PKG_MUSL_VERSION}.tar.gz;
set +o noglob; cp -R -- mmglue/* musl-${PKG_MUSL_VERSION}/; set -o noglob;
set_build_script_done extract -patch;
@@ -41,7 +41,9 @@ elif [ "${3}" = full ]; then
set_build_dir musl-${PKG_MUSL_VERSION} cross;
fi;
if ! is_build_script_done configure; then
- rm_if_exists -m -c ${PKG_BUILD_DIR};
+ secure_rm ${PKG_BUILD_DIR};
+ insecure_mkdir ${PKG_BUILD_DIR};
+ secure_cd ${PKG_BUILD_DIR};
env lz_cflags_cmdline="${PKG_MUSL_CFLAGS_CONFIGURE_EXTRA}" \
lz_debug="yes" \
../lazy/lazy \
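Review bot: The three calls that replace `rm_if_exists -m -c` are not checked, so when `secure_cd ${PKG_BUILD_DIR}` returns 1 (for instance because the directory could not be created) the configure command below still runs, in whatever directory the script was already in. Checking the last step, `secure_cd "${PKG_BUILD_DIR}" || exit 1;`, keeps configure out of the wrong directory; whether `set -e` is in effect is not visible in this hunk. The same three-line sequence is added in the second hunk of 009.gcc.full.build. `${PKG_BUILD_DIR}` is also passed unquoted to helpers that quote `"${1}"` internally, so quoting it at the call site would make the two agree.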
diff --git a/009.gcc.full.build b/009.gcc.full.build
index eaba17d3..6131678d 100644
--- a/009.gcc.full.build
+++ b/009.gcc.full.build
@@ -77,12 +77,12 @@ else
export CFLAGS CXXFLAGS CFLAGS_FOR_BUILD CPPFLAGS_FOR_BUILD CXXFLAGS_FOR_BUILD CFLAGS_FOR_TARGET XGCC_FLAGS_FOR_TARGET CPPFLAGS_FOR_TARGET CXXFLAGS_FOR_TARGET LIBCFLAGS_FOR_TARGET;
if ! is_build_script_done configure; then
if [ "${3}" = stage1 ]; then
- mkdir -p -- ${PKG_PREFIX}/include;
+ insecure_mkdir ${PKG_PREFIX}/include;
[ \! -d ${PKG_PREFIX}/usr ] && \
ln -s -- . ${PKG_PREFIX}/usr;
_configure_args="--prefix=${PREFIX} --with-sysroot=${PKG_PREFIX}";
elif [ "${3}" = native ]; then
- mkdir -p -- ${PKG_PREFIX}/${TARGET};
+ insecure_mkdir ${PKG_PREFIX}/${TARGET};
if [ \! -d ${PKG_PREFIX}/${TARGET}/usr ]; then
ln -s -- . ${PKG_PREFIX}/${TARGET}/usr;
fi;
@@ -99,7 +99,9 @@ else
--with-mpfr=${PKG_PREFIX} \
--with-sysroot=";
fi;
- rm_if_exists -m -c ${PKG_BUILD_DIR};
+ secure_rm ${PKG_BUILD_DIR};
+ insecure_mkdir ${PKG_BUILD_DIR};
+ secure_cd ${PKG_BUILD_DIR};
../cbb-gcc-${PKG_GCC_VERSION}/configure \
--disable-bootstrap \
--disable-libmudflap \
diff --git a/010.pkgconf_host.vars b/010.pkgconf_host.vars
index 3443633b..61d467a2 100644
--- a/010.pkgconf_host.vars
+++ b/010.pkgconf_host.vars
@@ -4,7 +4,7 @@
pkg_pkgconf_host_install_post() {
if [ -e ${PREFIX}/bin/${TARGET}-pkg-config ]; then
- rm -f -- ${PREFIX}/bin/${TARGET}-pkg-config;
+ secure_rm ${PREFIX}/bin/${TARGET}-pkg-config;
fi;
cat > ${PREFIX}/bin/${TARGET}-pkg-config <<EOF
#!/bin/sh
diff --git a/999.tarballs.build b/999.tarballs.build
index 7be57a33..e815b77e 100644
--- a/999.tarballs.build
+++ b/999.tarballs.build
@@ -27,12 +27,16 @@ TARBALL_FNAME=${TARBALL_FNAME_PREFIX}${BUILD_USER}@${BUILD_HNAME}-${BUILD_DATE_S
TARBALL_SRC_FNAME=${TARBALL_SRC_FNAME_PREFIX}${BUILD_USER}@${BUILD_HNAME}-${BUILD_DATE_START}.tar.${TARBALL_SUFFIX};
PREFIX_BASENAME=${PREFIX_NATIVE##*/};
-rm_if_exists -m ${PREFIX_BASENAME}/lib.bak;
+secure_rm ${PREFIX_BASENAME}/lib.bak;
+insecure_mkdir ${PREFIX_BASENAME}/lib.bak;
tar -C ${PREFIX_BASENAME}/lib -cpf - . | tar -C ${PREFIX_BASENAME}/lib.bak -xpf -;
log_msg info "Backed up ${PREFIX_BASENAME}/lib.";
-find native/lib -maxdepth 1 -type l \
- -exec sh -c '[ -f "${DEST:=native/lib/$(readlink -- "${0}")}" ] && \
- rm -f -- "${0}" && ln -f -- "${DEST}" "${0}"' {} \;;
+for __ in $(find native/lib -maxdepth 1 -type l -printf '%P\n'); do
+ ___="native/lib/$(readlink -- ${__})";
+ if [ -f "${___}" ]; then
+ secure_rm ${__}; ln -f -- "${___}" "${__}";
+ fi;
+done;
log_msg info "Converted symbolic links in ${PREFIX_BASENAME}/lib to hard links.";
tar -cpf - $(find . -maxdepth 2 -mindepth 1 -type d \
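Review bot: The new loop iterates over `-printf '%P\n'` output, which is each link's name with the `native/lib/` starting point stripped, yet `readlink -- ${__}`, `secure_rm ${__}` and the `ln -f` destination all use that bare name relative to the current directory. The surrounding tar commands address `${PREFIX_BASENAME}/lib` by relative path, so the working directory appears to be the parent of `native`; in that case no link is resolved and nothing is converted, while the log line still reports success. Dropping `-printf` so that find yields the full relative path restores the old behaviour: `for __ in $(find native/lib -maxdepth 1 -type l); do` with `___="native/lib/$(readlink -- "${__}")";` and `secure_rm "${__}";`. The `$(find …)` word list also splits names on whitespace, which the `-exec` form it replaces did not, and the same loop shape is used for the `*.la` cleanup in pkg.build.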
@@ -47,7 +51,7 @@ if [ -x "$(which gpg 2>/dev/null)" -a -n "${TARBALL_SIGN_GPG_KEY}" ] &&\
--local-user "${TARBALL_SIGN_GPG_KEY}" --sign ${TARBALL_FNAME};
log_msg info "Signed binary distribution tarball.";
fi;
-rm -rf -- ${PREFIX_BASENAME}/lib; mv -- ${PREFIX_BASENAME}/lib.bak ${PREFIX_BASENAME}/lib;
+secure_rm ${PREFIX_BASENAME}/lib; mv -- ${PREFIX_BASENAME}/lib.bak ${PREFIX_BASENAME}/lib;
log_msg info "Restored ${PREFIX_BASENAME}/lib.";
if [ "${BUILD}" = "debug" ]; then
diff --git a/build.sh b/build.sh
index ad80341b..876a61a2 100755
--- a/build.sh
+++ b/build.sh
@@ -88,16 +88,16 @@ if [ ${ARG_CLEAN:-0} -eq 1 ]; then
log_msg info "-c specified, cleaning prefix...";
for __ in ${CLEAR_PREFIX_DIRS}; do
if [ -e ${PREFIX}/${__} ]; then
- rm -rf -- ${PREFIX}/${__};
+ secure_rm ${PREFIX}/${__};
fi;
done;
fi;
# Create directory hierarchy and usr -> . symlinks.
-mkdir -p -- ${PREFIX} ${PREFIX_NATIVE} ${PREFIX_CROSS} ${PREFIX_TARGET}/lib ${DLCACHEDIR} ${WORKDIR};
+insecure_mkdir ${PREFIX} ${PREFIX_NATIVE} ${PREFIX_CROSS} ${PREFIX_TARGET}/lib ${DLCACHEDIR} ${WORKDIR};
for __ in ${PREFIX}/usr ${PREFIX_NATIVE}/usr; do
if [ ! -L "${__}" ]; then
- rm -rf -- "${__}"; ln -sf -- . "${__}";
+ secure_rm "${__}"; ln -sf -- . "${__}";
fi;
done;
@@ -169,7 +169,7 @@ log_msg info "${BUILD_NFINI} finished, ${BUILD_NSKIP} skipped, and ${BUILD_NFAIL
log_msg info "Build time: ${BUILD_TIMES_HOURS} hour(s), ${BUILD_TIMES_MINUTES} minute(s), and ${BUILD_TIMES_SECS} second(s).";
if [ -f "${BUILD_STATUS_IN_PROGRESS_FNAME}" ]; then
- rm -f -- ${BUILD_STATUS_IN_PROGRESS_FNAME};
+ secure_rm ${BUILD_STATUS_IN_PROGRESS_FNAME};
fi;
exit ${BUILD_SCRIPT_RC})} 2>&1 | tee ${BUILD_LOG_FNAME} &
diff --git a/build.subr b/build.subr
index 168e9721..10dbfd11 100644
--- a/build.subr
+++ b/build.subr
@@ -32,7 +32,6 @@ fetch() {
touch ${_f_url_dst}.fetched;
unset _f_url _f_url_dst _f_sha256sum_src _f_sha256sum_dst;
};
-
fetch_git() {
_fg_subdir="${1}"; _fg_url="${2}"; _fg_branch="${3}";
if [ -e "${DLCACHEDIR}/${_fg_subdir}" ]; then
@@ -47,7 +46,7 @@ fetch_git() {
git checkout -b ${_fg_branch} && cd ${OLDPWD};
fi;
fi;
- rm_if_exists ${_fg_subdir};
+ secure_rm ${_fg_subdir};
echo cp -pr ${DLCACHEDIR}/${_fg_subdir} .;
cp -pr ${DLCACHEDIR}/${_fg_subdir} .;
};
@@ -136,7 +135,7 @@ set_build_script_done() {
_sbsd_done_fname=${WORKDIR}/.${_sbsd_script_fname%.build};
while [ $# -ge 1 ]; do
if [ "${1#-}" != "${1}" ]; then
- rm -f -- ${_sbsd_done_fname}.${1#-};
+ secure_rm ${_sbsd_done_fname}.${1#-};
else
touch ${_sbsd_done_fname}.${1};
log_msg info "Finished build step ${1} of build script \`${_sbsd_script_fname}'.";
@@ -160,6 +159,7 @@ log_env_vars() {
shift;
done; unset _lev_arg_len_max;
};
+
log_msg() {
_lm_lvl=${1}; shift;
case ${_lm_lvl} in
@@ -223,19 +223,51 @@ set_env_vars_with_sep() {
done; unset _sevws_sep; pop_IFS;
};
-rm_if_exists() {
- [ -z "${1#-m}" ] && { _rie_arg_m=1; shift; };
- [ -z "${1#-c}" ] && { _rie_arg_c=1; shift; };
- [ -z "${1}" ] && return 1;
- if [ -d ${1} -o -f ${1} ]; then
- log_msg warn "Removing directory or file \`${1}'.";
- rm -rf -- ${1};
+secure_cd() {
+ if [ \( -z "${1}" \) -o \( ! -e "${1}" \) ]; then
+ return 1;
+ else
+ (cd "${1}"; [ "${PWD#${PREFIX_ROOT}}" = "${PWD}" ] &&\
+ return 1 || return 0);
+ if [ ${?} -eq 0 ]; then
+ log_msg warn "Changing working directory to \`${1}'.";
+ cd -- "${1}";
+ else
+ log_msg failexit "secure_cd() called with pathname \`${1}' not below \${PREFIX_ROOT} (${PREFIX_ROOT}). This is a bug.";
+ fi;
fi;
- [ ${_rie_arg_m:-0} -eq 1 ] && {
- log_msg warn "Making directory \`${1}'.";
- mkdir -- ${1}; unset _rie_arg_m; };
- [ ${_rie_arg_c:-0} -eq 1 ] && { cd ${1}; unset _rie_arg_c; };
- return 0;
+};
+insecure_mkdir() {
+ while [ ${#} -gt 0 ]; do
+ if [ -z "${1}" ]; then
+ return 1;
+ elif [ ! -e "${1}" ]; then
+ log_msg warn "Making directory \`${1}'.";
+ mkdir -p -- "${1}";
+ fi; shift;
+ done;
+};
+secure_rm() {
+ while [ ${#} -gt 0 ]; do
+ if [ -z "${1}" ]; then
+ return 1;
+ elif [ -e "${1}" ]; then
+ if [ -d "${1}" ]; then
+ _sr_pname_check="${1}";
+ else
+ _sr_pname_check="$(dirname "${1}")";
+ fi;
+ (cd "${_sr_pname_check}"; [ "${PWD#${PREFIX_ROOT}}" = "${PWD}" ] &&\
+ return 1 || return 0);
+ if [ ${?} -eq 0 ]; then
+ unset _sr_pname_check;
+ log_msg warn "Removing directory or file \`${1}'.";
+ rm -rf -- "${1}";
+ else
+ log_msg failexit "secure_rm() called with pathname \`${1}' not below \${PREFIX_ROOT} (${PREFIX_ROOT}). This is a bug.";
+ fi;
+ fi; shift;
+ done;
};
run_cmd_unsplit() {
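Review bot: The containment test shared by secure_cd() and secure_rm(), `[ "${PWD#${PREFIX_ROOT}}" = "${PWD}" ]`, accepts paths it is meant to refuse. The `cd` inside the subshell is unchecked, so a failed `cd` leaves the caller's directory to be tested instead of the argument; plain `cd` keeps the logical path, so a symlinked component under ${PREFIX_ROOT} passes although `rm -rf` then acts on its target; and the unquoted prefix without a trailing slash is matched as a pattern, so a sibling directory whose name merely starts with the ${PREFIX_ROOT} string also passes. I would resolve both sides physically, fail closed when either `cd` fails, and strip the quoted root plus `/`, as sketched below for secure_rm() (secure_cd() needs the same test, and whether ${PREFIX_ROOT} itself should pass is a choice for the author). A window remains between the check and the `rm -rf`, so this guards against build-script mistakes rather than against a concurrent writer inside the tree.

```sh
# … unchanged: _sr_pname_check is ${1} for a directory, else its dirname …
_sr_root_real="$(cd -P -- "${PREFIX_ROOT}" 2>/dev/null && pwd -P)" || _sr_root_real="";
_sr_pname_real="$(cd -P -- "${_sr_pname_check}" 2>/dev/null && pwd -P)" || _sr_pname_real="";
unset _sr_pname_check;
if [ -n "${_sr_root_real}" ] && [ -n "${_sr_pname_real}" ] &&\
   [ "${_sr_pname_real#"${_sr_root_real}"/}" != "${_sr_pname_real}" ]; then
	# … unchanged: log_msg warn and rm -rf -- "${1}" …
else
	# … unchanged: log_msg failexit …
fi;
unset _sr_root_real _sr_pname_real;
```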
diff --git a/build.vars b/build.vars
index 239a3f72..79019c11 100644
--- a/build.vars
+++ b/build.vars
@@ -29,17 +29,18 @@ else
log_msg failexit "Error: unknown build type \`${BUILD}'.";
fi;
-: ${PREFIX:=${HOME}/midipix/${ARCH}/${BUILD}};
+: ${PREFIX_ROOT:=${HOME}/midipix};
+: ${PREFIX:=${PREFIX_ROOT}/${ARCH}/${BUILD}};
: ${PREFIX_NATIVE:=${PREFIX}/native};
: ${PREFIX_CROSS:=${PREFIX}/${TARGET}};
-: ${DLCACHEDIR:=${HOME}/midipix/dlcache};
+: ${DLCACHEDIR:=${PREFIX_ROOT}/dlcache};
: ${WORKDIR:=${PREFIX}/tmp};
export PATH="${PREFIX}/bin${PATH:+:${PATH}}";
: ${BUILD_LOG_FNAME:=${PREFIX}/build.log};
: ${BUILD_LOG_LAST_FNAME:=${PREFIX}/build.log.last};
: ${BUILD_STATUS_IN_PROGRESS_FNAME:=${PREFIX}/BUILD_IN_PROGRESS};
-: ${CHECK_PREREQ_CMDS:="aclocal autoconf autopoint awk basename bunzip2 flex git groff gunzip install libtool lzma make makeinfo nl nroff openssl patch sed sha256sum sort tar tee tr uname wget xz"};
+: ${CHECK_PREREQ_CMDS:="aclocal autoconf autopoint awk basename bunzip2 find flex git groff gunzip install libtool lzma make makeinfo nl nroff openssl patch sed sha256sum sort tar tee tr uname wget xz"};
: ${CHECK_PREREQ_FILES:="/usr/include/gmpxx.h /usr/include/mpc.h /usr/include/mpfr.h"};
: ${CHECK_PATH_VARS:="PREFIX PREFIX_NATIVE PREFIX_CROSS DLCACHEDIR WORKDIR"};
: ${CLEAR_ENV_VARS_EXCEPT:="HOME PATH SHELL TERM USER"};
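Review bot: `PREFIX`, `DLCACHEDIR` and `WORKDIR` stay independently overridable through `:=`, and nothing in this hunk ties an overridden value back to `PREFIX_ROOT`, which secure_rm() and secure_cd() now treat as the only tree they may touch. A caller who exports only `PREFIX` to a location outside `${HOME}/midipix` would, as far as this page shows, reach the failexit "This is a bug" path on the first cleanup. I would add `PREFIX_ROOT` to `CHECK_PATH_VARS` and state the requirement next to the default, e.g. `# PREFIX, DLCACHEDIR and WORKDIR must stay below PREFIX_ROOT; secure_rm/secure_cd refuse anything else.` What the CHECK_PATH_VARS check validates is not visible here, so confirm that it is the right place.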
diff --git a/pkg.build b/pkg.build
index 8d695535..b311768a 100644
--- a/pkg.build
+++ b/pkg.build
@@ -34,9 +34,9 @@ if test_cmd pkg_${PKG_NAME}_finish; then
pkg_${PKG_NAME}_finish; exit 0;
elif [ "${PKG_URL_TYPE:-wget}" = wget ] &&\
! is_build_script_done extract; then
- rm_if_exists ${PKG_SUBDIR};
+ secure_rm ${PKG_SUBDIR};
if [ ${PKG_SUBDIR_CREATE:-0} -eq 1 ]; then
- mkdir -- ${PKG_SUBDIR};
+ insecure_mkdir ${PKG_SUBDIR};
fi;
if [ "${PKG_FNAME##*.tar.}" = "bz2" ]; then
bunzip2 -d < ${DLCACHEDIR}/${PKG_FNAME} | tar ${PKG_SUBDIR_CREATE:+-C ${PKG_SUBDIR}} -xf -;
@@ -63,7 +63,8 @@ if [ -z "${PKG_BUILD_DIR}" ]; then
fi;
if ! is_build_script_done build_dir; then
[ "${PKG_SUBDIR}" != "${PKG_BUILD_DIR}" ] &&\
- rm_if_exists -m ${PKG_BUILD_DIR};
+ secure_rm ${PKG_BUILD_DIR};
+ insecure_mkdir ${PKG_BUILD_DIR};
set_build_script_done build_dir -patch;
fi;
if [ -e ${PKG_SUBDIR}/configure -o \
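Review bot: The `[ "${PKG_SUBDIR}" != "${PKG_BUILD_DIR}" ] &&\` guard now covers only `secure_rm`; the added `insecure_mkdir ${PKG_BUILD_DIR};` is a separate statement and runs even when the two names are equal, whereas the old `rm_if_exists -m` did both steps under the guard. insecure_mkdir() skips existing paths, so this is usually harmless, but it creates an empty build directory in the one case the guard was excluding. Grouping keeps the old scope: `if [ "${PKG_SUBDIR}" != "${PKG_BUILD_DIR}" ]; then secure_rm "${PKG_BUILD_DIR}"; insecure_mkdir "${PKG_BUILD_DIR}"; fi;`.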
@@ -193,7 +194,9 @@ if ! is_build_script_done install; then
fi;
fi;
if [ -d ${PKG_PREFIX}/lib ]; then
- find ${PKG_PREFIX}/lib -type f -name \*.la -exec rm -f -- {} \;
+ for __ in $(find ${PKG_PREFIX}/lib -type f -name \*.la); do
+ secure_rm ${__};
+ done;
fi;
if [ -n "${PKG_INSTALL_FILES}" ]; then
(set -- ${PKG_INSTALL_FILES};
@@ -208,8 +211,7 @@ if ! is_build_script_done install; then
;;
/=*)
__mkdir_fname="${1#/=}";
- echo mkdir -p -- ${PKG_PREFIX}/${__mkdir_fname};
- mkdir -p -- ${PKG_PREFIX}/${__mkdir_fname};
+ insecure_mkdir ${PKG_PREFIX}/${__mkdir_fname};
;;
*)
__file_fname_src="${1%=*}";
@@ -225,7 +227,7 @@ if ! is_build_script_done install; then
$(find \( -name "*.so" \
-or -name "*.so.[0-9]" \
-or -name "*.so.[0-9].[0-9]" \
- -or -name "*.so.[0-9].[0-9].[0-9]" \) -printf "%P\n");
+ -or -name "*.so.[0-9].[0-9].[0-9]" \) -printf '%P\n');
do
if [ \( -e ${__so_fname%.so}.lib.a \) -o \
\( ! -e ${PKG_PREFIX}/lib/${__so_fname} \) ];