[dpdk-dev] [dpdk-stable] [PATCH] mk: remove library search path from binary

Thomas Monjalon thomas at monjalon.net
Thu Nov 21 22:17:03 CET 2019


21/11/2019 18:12, Ferruh Yigit:
> On 11/18/2019 3:14 PM, Thomas Monjalon wrote:
> > 12/11/2019 14:15, Ferruh Yigit:
> >> This patch functionally reverts the patch in the fixes line to not have any
> >> hardcoded library path in the final binary for security reasons, in
> >> case this binary is distributed to a production environment.
> > 
> > What about meson?
> > There are these rpaths:
> > 	$ORIGIN/../lib
> > 	$ORIGIN/../drivers
> > 
> > 
> >> RPATH is only added in the RTE_DEVEL_BUILD case and this binary shouldn't be
> >> distributed, but still removing it to be cautious.
> > 
> > For convenience, we could keep adding rpath for internal apps.
> 
> This was the main intention, but the concern is that someone unaware of this
> capability distributes a binary that we think will be internal.

Internal apps are only for developers.
I don't see how there could be a security issue.

> >> --- a/devtools/test-null.sh
> >> +++ b/devtools/test-null.sh
> > 
> >>  if ldd $testpmd | grep -q librte_ ; then
> >> +	export LD_LIBRARY_PATH=$build/lib:$LD_LIBRARY_PATH
> >>  	libs='-d librte_mempool_ring.so -d librte_pmd_null.so'
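Review bot: the added `export LD_LIBRARY_PATH=$build/lib:$LD_LIBRARY_PATH` leaves a trailing colon when LD_LIBRARY_PATH is unset or empty, and the dynamic loader treats an empty element as the current directory, so the script ends up with a search path it does not control. Append the old value only when it is set, for example with `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`, and quote the whole assignment so a `$build` containing spaces is not split.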
> > 
> > 
> > There is an issue in this change, because $build may be undefined.
> > It can be fixed by adding this line:
> > 
> > +[ -f "$testpmd" ] && build=$(dirname $(dirname $testpmd))
> >  [ -f "$testpmd" ] || testpmd=$build/app/dpdk-testpmd
> >  [ -f "$testpmd" ] || testpmd=$build/app/testpmd
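Review bot: in the added `build=$(dirname $(dirname $testpmd))` line, neither `$testpmd` nor the inner substitution is quoted, so a path containing spaces or glob characters is word-split before `dirname` sees it; `build=$(dirname "$(dirname "$testpmd")")` avoids that. The derivation also assumes the binary sits two levels below the build directory, as in `$build/app/testpmd` on the following lines, so a testpmd passed from another layout gives a `$build/lib` that does not hold the libraries; checking that `$build/lib` is a directory before exporting it would make that case visible.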
> 
> 'build' is already defined as follows at the beginning of the script
> build=${1:-build}

Yes, but $1 can be the testpmd path as well, so $build is meaningless.

> And if 'build' is wrong/missing, the script can't reach this line at all, because
> the 'testpmd' path is found based on 'build', and if 'testpmd' is not found, the script will exit.

No, $testpmd can be defined from $1, not based on $build.
You missed this comment:

build=${1:-build} # first argument can be the build directory
testpmd=$1 # or first argument can be the testpmd path

> Can you please give more detail on what the problem with 'build' is?

If the testpmd path is directly passed as the first parameter,
the build directory is not known.
That's why I suggest getting it with $(dirname $(dirname $testpmd)).
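
An added example, not part of the original thread or of DPDK: a shell check that lists the RPATH/RUNPATH entries recorded in a binary and classifies each one, which is the property this discussion cares about before a binary leaves a developer machine. The function names and the sample `readelf -d` rows are constructed for illustration; the `$ORIGIN` entries are the meson rpaths quoted in the thread and the absolute path is a placeholder.

```sh
#!/bin/sh
# Classify one element of an RPATH/RUNPATH list.
classify_rpath_entry() {
    case "$1" in
        '')                       echo cwd ;;       # empty element: current directory
        '$ORIGIN'*|'${ORIGIN}'*)  echo origin ;;    # follows wherever the binary is installed
        /*)                       echo absolute ;;  # fixed path baked in at link time
        *)                        echo relative ;;  # resolved against the current directory
    esac
}

# Read `readelf -d` output on stdin and print "TAG class entry" per element.
audit_dynamic_section() {
    # Reduce RPATH/RUNPATH rows to "TAG path-list"; other rows are dropped.
    sed -n 's/^.*(\(R[A-Z]*PATH\)).*\[\(.*\)]$/\1 \2/p' |
    while read -r tag list; do
        list="$list:"                 # sentinel so a trailing empty element is kept
        while [ -n "$list" ]; do
            entry=${list%%:*}
            list=${list#*:}
            printf '%s %s %s\n' "$tag" "$(classify_rpath_entry "$entry")" "${entry:-<empty>}"
        done
    done
}

# Convenience wrapper for a real file (needs binutils' readelf).
audit_binary() {
    readelf -d "$1" | audit_dynamic_section
}

# Constructed sample rows in the layout `readelf -d` prints.
SAMPLE_DYNAMIC=' 0x0000000000000001 (NEEDED)             Shared library: [librte_eal.so]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:$ORIGIN/../drivers]
 0x000000000000000f (RPATH)              Library rpath: [/home/dev/dpdk/build/lib:]'

printf '%s\n' "$SAMPLE_DYNAMIC" | audit_dynamic_section
```

For a binary meant for distribution, any `absolute`, `relative` or `cwd` row is worth a second look; `origin` rows are only as trustworthy as the permissions on the install tree.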




