tools: ctl: drop build-tree RUNPATH from sof-ctl #10968
Open
lgirdwood wants to merge 1 commit into
sof-ctl adds tools/lib as a link directory so it can link against a locally built ALSA. CMake also embeds that directory in the ELF RPATH/RUNPATH, so the binary carries a reference into the build tree. On install the path is stripped to an empty string, which leaves an empty DT_RUNPATH tag behind. Distro ELF security scanners reject that: scanelf reports "Security problem NULL DT_RUNPATH".

Keep tools/lib as a -L link path only: skip the build RPATH and keep the install RPATH empty so no DT_RUNPATH tag is emitted at all. The installed binary resolves libasound through the normal loader search path.

Link: thesofproject#10070
Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Pull request overview
This PR addresses downstream ELF security scanner failures by ensuring the sof-ctl binary no longer contains an empty/NULL DT_RUNPATH entry after installation. It does this by preventing CMake from embedding the build-tree tools/lib link directory into ELF RPATH/RUNPATH metadata while still allowing it to be used purely as a -L link path for a locally built ALSA during the build.
Changes:
- Disable build-tree RPATH generation for the sof-ctl target to avoid embedding tools/lib into the binary.
- Ensure the install-time RPATH is empty so the installed sof-ctl does not emit any DT_RUNPATH tag.
Problem
sof-ctl ships with an empty/NULL DT_RUNPATH ELF entry, which distro ELF security scanners reject. Reported downstream (Gentoo) via scanelf:
This appeared in v2025.05 when the tools started linking against a locally built ALSA.
Cause
tools/ctl/CMakeLists.txt adds tools/lib as a link directory (-L) so sof-ctl can link a locally built libasound. CMake also embeds that directory in the binary's RPATH/RUNPATH, pointing into the build tree. At install time CMake strips the path to an empty string, leaving an empty DT_RUNPATH tag — the "NULL DT_RUNPATH" scanelf flags.
Fix
Keep tools/lib as a -L link path only. Set SKIP_BUILD_RPATH TRUE and an empty INSTALL_RPATH on the sof-ctl target so no DT_RUNPATH tag is emitted at all. The installed binary resolves libasound through the normal loader search path.
Verification
Clean build of tools/ before/after:
- readelf -d sof-ctl → RUNPATH [.../tools/lib:]
- readelf -d sof-ctl → no RPATH/RUNPATH tag
- sof-ctl still links and runs against system libasound.
Closes #10070
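An added example, not part of the pull request or the SOF tree: a Python check over `readelf -d` output that flags the conditions described above (an empty RPATH/RUNPATH tag, an empty path component such as a trailing colon, and an entry under the build tree). The function name, the sample `readelf` outputs and the `/home/dev/sof` build root are constructed for illustration.

```python
import re

# Matches the RPATH/RUNPATH rows printed by `readelf -d`.
TAG_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def audit_dynamic_section(readelf_text, build_root=None):
    """Return (tag, value, problem) tuples for suspicious search-path tags."""
    root = build_root.rstrip("/") if build_root else None
    findings = []
    for line in readelf_text.splitlines():
        m = TAG_RE.search(line)
        if not m:
            continue
        tag, value = m.groups()
        if value == "":
            # The tag exists but holds an empty string: the "NULL DT_RUNPATH" case.
            findings.append((tag, value, "empty tag"))
            continue
        for part in value.split(":"):
            if part == "":
                findings.append((tag, value, "empty path component"))
            elif root and (part == root or part.startswith(root + "/")):
                findings.append((tag, value, "points into build tree"))
    return findings

# Constructed samples: build-tree binary, installed binary with the stripped
# path, and a binary with no RPATH/RUNPATH tag at all.
BUILD_TREE = (
    " 0x0000000000000001 (NEEDED)   Shared library: [libasound.so.2]\n"
    " 0x000000000000001d (RUNPATH)  Library runpath: [/home/dev/sof/tools/lib:]\n"
)
INSTALLED_EMPTY = (
    " 0x0000000000000001 (NEEDED)   Shared library: [libasound.so.2]\n"
    " 0x000000000000001d (RUNPATH)  Library runpath: []\n"
)
NO_TAG = " 0x0000000000000001 (NEEDED)   Shared library: [libasound.so.2]\n"

if __name__ == "__main__":
    for name, text in [("build tree", BUILD_TREE),
                       ("installed, empty tag", INSTALLED_EMPTY),
                       ("no tag", NO_TAG)]:
        print(name, "->", audit_dynamic_section(text, "/home/dev/sof") or "clean")
```

In a packaging or CI step the text would come from running `readelf -d` on the installed binary, with the job failing when the returned list is non-empty.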