[patch-glibc] fix permission errors for shrink-rpath (#1672)

savil · web-flow · commit 1444a582e31b · 2023-12-07T09:06:40.000-08:00
## Summary Motivation: we were trying to call `patchelf shrink-rpath` on binaries being patched for glibc, but would hit permission errors. More Details: for: ``` cat devbox.json { "packages": { "hello":{ "version": "latest", "patch_glibc": true} }, } ``` in a ubuntu container: when I run `devbox shell`, I see: ``` Error: Command: /home/devbox/.nix-profile/bin/nix print-dev-env /code/.devbox/gen/flake --extra-experimental-features ca-derivations --option experimental-features nix-command flakes fetch-closure --json: exit status 100 2023/12/06 21:19:05 Command stderr: copying path '/nix/store/zlzz2z48s7ry0hkl55xiqp5a73b4mzrg-gcc-wrapper-12.3.0' from 'https://cache.nixos.org'... warning: Ignoring setting 'auto-allocate-uids' because experimental feature 'auto-allocate-uids' is not enabled warning: Ignoring setting 'impure-env' because experimental feature 'configurable-impure-env' is not enabled building '/nix/store/j4ymkws1mpx01mh9lysrzb8kdwq48yxa-devbox-patched-glibc.drv'... copying path '/nix/store/bbxdw4rgwwl3gnajri82yidr1nlsfskf-stdenv-linux' from 'https://cache.nixos.org'... error: builder for '/nix/store/j4ymkws1mpx01mh9lysrzb8kdwq48yxa-devbox-patched-glibc.drv' failed with exit code 123; last 4 log lines: > patching elf binaries count=1 > running patchelf file="/nix/store/a4xdm6q25y0pd11jpljkgv9z78vpmwia-devbox-patched-glibc/bin/hello" rpath="/nix/store/gqghjch4p1s69sv4mcjksb2kb65rwqjy-glibc-2.38-23/lib:/nix/store/qn3ggz5sf3hkjs2c797xf7nan3amdxmp-glibc-2.38-27/lib" perm="555" > shrinking binary rpaths > patchelf: open: Permission denied For full logs, run 'nix log /nix/store/j4ymkws1mpx01mh9lysrzb8kdwq48yxa-devbox-patched-glibc.drv'. error: 1 dependencies of derivation '/nix/store/9hqky67zgpnz8iilf8vcg4n01aaiw7sz-nix-shell-env.drv' failed to build ``` ## How was it tested? in a linux container, did `devbox shell`: BEFORE: https://gist.github.com/savil/bc7ec6b923202c535e90002dc55fd0dc AFTER: https://gist.github.com/savil/674091eafb3af058eecf3411a1854e65 Note that there are more NEEDED libraries, which are all the glibc libraries. This demonstrates that the patch did work.
diff --git a/internal/shellgen/tmpl/glibc-patch.bash b/internal/shellgen/tmpl/glibc-patch.bash
@@ -63,6 +63,9 @@ patch() {
 	         --add-needed libutil.so.1 \
 	         --set-interpreter "$interp" \
                  "$binary"
+
+	# Neaten the runpath by removing extraneous paths. This will likely remove any old glibc.
+	patchelf --shrink-rpath "$binary"
 	chmod "$perm" "$binary"
 }
 
@@ -73,6 +76,3 @@ echo "patching elf binaries count=$count"
 for binary in $elves; do
 	patch "$binary" exe
 done
-
-echo "shrinking binary rpaths"
-echo "$elves" | xargs "$patchelf/bin/patchelf" --shrink-rpath
