Bug 1199312

Summary: Building kernel-4.0.0-0.rc2.git0.1 on F21 gives rpmbuild error for insecure path.
Product: [Fedora] Fedora
Component: kernel
Version: 22
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: stan <gryt2>
Assignee: Kernel Maintainer List <kernel-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gansalmon, gryt2, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab
Fixed In Version: kernel-4.0.0-0.rc4.git0.1.fc22
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-22 04:42:51 UTC

Description stan 2015-03-05 22:51:41 UTC
Description of problem:
I build a custom kernel from the src.rpm for package kernel-4.0.0-0.rc2.git0.1 in F21.  It builds fine, but when it is time to package it, it gets the following error:

+ QA_CHECK_RPATHS=1
+ case "${QA_CHECK_RPATHS:-}" in
+ /usr/lib/rpm/check-rpaths
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH and will cause 'rpmbuild'
*          to fail. To ignore these errors, you can set the '$QA_RPATHS'
*          environment variable which is a bitmask allowing the values
*          below. The current value of QA_RPATHS is 0x0000.
*
*    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
*               issue but are introducing redundant searchpaths without
*               providing a benefit. They can also cause errors in multilib
*               environments.
*    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
*               nor relative filenames and can therefore be a SECURITY risk
*    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
*               SECURITY risk
*    0x0008 ... the special '$ORIGIN' RPATHs are appearing after other
*               RPATHs; this is just a minor issue but usually unwanted
*    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
*               and they cause unneeded work while loading libraries
*    0x0020 ... an RPATH references '..' of an absolute path; this will break
*               the functionality when the path before '..' is a symlink
*          
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
*   $ QA_RPATHS=$[ 0x0001|0x0010 ] rpmbuild my-package.src.rpm
* - to check existing files, set $RPM_BUILD_ROOT and execute check-rpaths like
*   $ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*  
*******************************************************************************
ERROR   0004: file '/usr/bin/cpupower' contains an insecure rpath './' in [./]
error: Bad exit status from /var/tmp/rpm-tmp.A6u26r (%install)
    Bad exit status from /var/tmp/rpm-tmp.A6u26r (%install)

Version-Release number of selected component (if applicable):
kernel-4.0.0-0.rc2.git0.1

How reproducible:
Every time

Steps to Reproduce:
1.  Compile a kernel using rpmbuild

Actual results:
The above error

Expected results:
Valid rpm packages

Additional info:
This error started with the 3.20 series of kernels.  Using the suggested workaround does produce packages, but I don't think the kernel should be looking for relative files.
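
Added example, not part of the original report and not rpm's own check-rpaths code: a simplified Python model of the classes listed in the warning above, showing why './' is reported as 0004 and how a QA_RPATHS mask changes the outcome. The standard-directory list, the rule that entries starting with '.' count as relative while other non-absolute entries count as invalid, and the sample readelf text are assumptions.

```python
import re

# Bit values as listed in the check-rpaths warning quoted in the report.
STANDARD, INVALID, INSECURE, ORIGIN_LATE, EMPTY, DOTDOT = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumption: the directories this sketch counts as "standard" search paths.
STANDARD_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}

# Matches the RPATH/RUNPATH rows of `readelf -d` output.
DYN_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

def extract_rpaths(readelf_output):
    """Return every RPATH/RUNPATH string found in `readelf -d` text."""
    return DYN_RE.findall(readelf_output)

def classify(rpath):
    """OR together the warning classes that apply to one colon-separated RPATH."""
    if rpath == "":
        return EMPTY
    flags, seen_other = 0, False
    for entry in rpath.split(":"):
        if entry == "":
            flags |= EMPTY
        elif re.match(r"\$(ORIGIN|\{ORIGIN\})(/|$)", entry):
            if seen_other:
                flags |= ORIGIN_LATE      # $ORIGIN listed after another path
            continue
        elif entry.startswith("/"):
            if entry.rstrip("/") in STANDARD_DIRS:
                flags |= STANDARD
            if ".." in entry.split("/"):
                flags |= DOTDOT
        elif entry.startswith("."):
            flags |= INSECURE             # relative: resolved against the process cwd
        else:
            flags |= INVALID              # neither absolute nor relative
        seen_other = True
    return flags

def build_fails(rpath, qa_rpaths=0x0000):
    """True when a class is present that the QA_RPATHS mask does not allow."""
    return bool(classify(rpath) & ~qa_rpaths)

# Constructed sample modelled on the report: cpupower carrying RPATH './'.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libcpupower.so.0]
 0x000000000000000f (RPATH)              Library rpath: [./]
"""
```

To inspect a real binary, pass the text printed by `readelf -d <file>` to `extract_rpaths` and classify each result.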

Comment 1 Josh Boyer 2015-03-06 00:31:42 UTC
The error isn't on the kernel binary.  It's on a userspace tool that is packaged in kernel-tools.

Comment 2 Josh Boyer 2015-03-06 13:36:18 UTC
I emailed the upstream maintainers about this issue.  We'll see what they say.

Comment 3 stan 2015-03-06 16:44:16 UTC
Thanks a lot!  The fact that it isn't in the actual kernel is reassuring.  I look forward to the response.

Comment 4 Josh Boyer 2015-03-11 14:35:44 UTC
I sent a revert patch upstream and it looks like it will be accepted.  I've included the patch in the rc3.git1 build today.

Comment 5 stan 2015-03-11 14:52:10 UTC
Thanks.  I'll give that a whirl once the packages are built.  Probably won't be till tomorrow, though.

Comment 6 stan 2015-03-12 18:03:09 UTC
Yes, the rc3.git1 built just fine, and I am currently running it without any problems.  Thank you.

Comment 7 Josh Boyer 2015-03-12 18:20:13 UTC
Thanks for confirming!

Comment 8 Fedora Update System 2015-03-16 19:36:01 UTC
kernel-4.0.0-0.rc4.git0.1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/kernel-4.0.0-0.rc4.git0.1.fc22

Comment 9 Fedora Update System 2015-03-18 10:30:10 UTC
Package kernel-4.0.0-0.rc4.git0.1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-4.0.0-0.rc4.git0.1.fc22'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4066/kernel-4.0.0-0.rc4.git0.1.fc22
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-03-22 04:42:51 UTC
kernel-4.0.0-0.rc4.git0.1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.