Skip to content

tools: ctl: drop build-tree RUNPATH from sof-ctl#10968

Open
lgirdwood wants to merge 1 commit into
thesofproject:mainfrom
lgirdwood:fix-sof-ctl-runpath
Open

tools: ctl: drop build-tree RUNPATH from sof-ctl#10968
lgirdwood wants to merge 1 commit into
thesofproject:mainfrom
lgirdwood:fix-sof-ctl-runpath

Conversation

@lgirdwood

Copy link
Copy Markdown
Member

Problem

sof-ctl ships with an empty/NULL DT_RUNPATH ELF entry, which distro
ELF security scanners reject. Reported downstream (Gentoo) via scanelf:

scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in .../usr/bin/sof-ctl

This appeared in v2025.05 when the tools started linking against a
locally built ALSA.

Cause

tools/ctl/CMakeLists.txt adds tools/lib as a link directory (-L) so
sof-ctl can link a locally built libasound. CMake also embeds that
directory in the binary's RPATH/RUNPATH, pointing into the build
tree. At install time CMake strips the path to an empty string, leaving
an empty DT_RUNPATH tag — the "NULL DT_RUNPATH" scanelf flags.

Fix

Keep tools/lib as a -L link path only. Set SKIP_BUILD_RPATH TRUE
and an empty INSTALL_RPATH on the sof-ctl target so no DT_RUNPATH
tag is emitted at all. The installed binary resolves libasound through
the normal loader search path.

Verification

Clean build of tools/ before/after:

  • Before: readelf -d sof-ctlRUNPATH [.../tools/lib:]
  • After: readelf -d sof-ctl → no RPATH/RUNPATH tag

sof-ctl still links and runs against system libasound.

Closes #10070

sof-ctl adds tools/lib as a link directory so it can link against a
locally built ALSA. CMake also embeds that directory in the ELF
RPATH/RUNPATH, so the binary carries a reference into the build tree.
On install the path is stripped to an empty string, which leaves an
empty DT_RUNPATH tag behind. Distro ELF security scanners reject that:
scanelf reports "Security problem NULL DT_RUNPATH".

Keep tools/lib as a -L link path only: skip the build RPATH and keep
the install RPATH empty so no DT_RUNPATH tag is emitted at all. The
installed binary resolves libasound through the normal loader search
path.

Link: thesofproject#10070
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lgirdwood lgirdwood requested a review from singalsu as a code owner July 2, 2026 13:32
Copilot AI review requested due to automatic review settings July 2, 2026 13:32

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses downstream ELF security scanner failures by ensuring the sof-ctl binary no longer contains an empty/NULL DT_RUNPATH entry after installation. It does this by preventing CMake from embedding the build-tree tools/lib link directory into ELF RPATH/RUNPATH metadata while still allowing it to be used purely as a -L link path for a locally built ALSA during the build.

Changes:

  • Disable build-tree RPATH generation for the sof-ctl target to avoid embedding tools/lib into the binary.
  • Ensure the install-time RPATH is empty so the installed sof-ctl does not emit any DT_RUNPATH tag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

v2025.05: sof-ctl introduces Security problem NULL DT_RUNPATH

3 participants