Merge pull request #625 from messense/auditwheel-zlib

auditwheel: add `libz.so.1` to whitelisted libraries
PyO3 · Sep 18, 2021 · e5150d5 · e5150d5
2 parents 58e2381 + c9b8e40
commit e5150d5
Show file tree

Hide file tree

Showing 9 changed files with 358 additions and 265 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/auditwheel/audit.rs b/src/auditwheel/audit.rs
@@ -168,19 +168,38 @@ fn policy_is_satisfied(
     let arch_versions = &policy.symbol_versions.get(arch).ok_or_else(|| {
         AuditWheelError::UnsupportedArchitecture(policy.clone(), arch.to_string())
     })?;
-    let mut offenders = HashSet::new();
+    let mut offending_libs = HashSet::new();
+    let mut offending_blacklist_syms = HashMap::new();
+    let undef_symbols: HashSet<String> = elf
+        .dynsyms
+        .iter()
+        .filter_map(|sym| {
+            if sym.st_shndx == goblin::elf::section_header::SHN_UNDEF as usize {
+                elf.dynstrtab.get_at(sym.st_name).map(ToString::to_string)
+            } else {
+                None
+            }
+        })
+        .collect();
     for dep in deps {
         // Skip dynamic linker/loader
         if dep.starts_with("ld-linux") || dep == "ld64.so.2" || dep == "ld64.so.1" {
             continue;
         }
         if !policy.lib_whitelist.contains(dep) {
-            offenders.insert(dep.clone());
+            offending_libs.insert(dep.clone());
+        }
+        if let Some(sym_list) = policy.blacklist.get(dep) {
+            let mut intersection: Vec<_> = sym_list.intersection(&undef_symbols).cloned().collect();
+            if !intersection.is_empty() {
+                intersection.sort();
+                offending_blacklist_syms.insert(dep, intersection);
+            }
         }
     }
     for library in versioned_libraries {
         if !policy.lib_whitelist.contains(&library.name) {
-            offenders.insert(library.name.clone());
+            offending_libs.insert(library.name.clone());
             continue;
         }
         let mut versions: HashMap<String, HashSet<String>> = HashMap::new();
@@ -216,13 +235,20 @@ fn policy_is_satisfied(
                         offending_symbols.join(", ")
                     )
                 };
-                offenders.insert(offender);
+                offending_libs.insert(offender);
             }
         }
     }
     // Checks if we can give a more helpful error message
     let is_libpython = Regex::new(r"^libpython3\.\d+\.so\.\d+\.\d+$").unwrap();
-    let offenders: Vec<String> = offenders.into_iter().collect();
+    let mut offenders: Vec<String> = offending_libs.into_iter().collect();
+    for (lib, syms) in offending_blacklist_syms {
+        offenders.push(format!(
+            "{} offending black-listed symbols: {}",
+            lib,
+            syms.join(", ")
+        ));
+    }
     match offenders.as_slice() {
         [] => Ok(()),
         [lib] if is_libpython.is_match(lib) => {

diff --git a/src/auditwheel/manylinux-policy.json b/src/auditwheel/manylinux-policy.json
diff --git a/src/auditwheel/musllinux-policy.json b/src/auditwheel/musllinux-policy.json
@@ -3,7 +3,8 @@
    "aliases": [],
    "priority": 0,
    "symbol_versions": {},
-   "lib_whitelist": []
+   "lib_whitelist": [],
+   "blacklist": {}
   },
   {"name": "musllinux_1_1",
     "aliases": [],
@@ -22,9 +23,10 @@
       "armv7l": {
       }
     },
-    "lib_whitelist": [
-      "libc.so"
-    ]},
+    "lib_whitelist": ["libc.so", "libz.so.1"],
+    "blacklist": {
+      "libz.so.1": ["_dist_code", "_length_code", "_tr_align", "_tr_flush_block", "_tr_init", "_tr_stored_block", "_tr_tally", "bi_windup", "crc32_vpmsum", "crc_fold_512to32", "crc_fold_copy", "crc_fold_init", "deflate_copyright", "deflate_medium", "fill_window", "flush_pending", "gzflags", "inflate_copyright", "inflate_fast", "inflate_table", "longest_match", "slide_hash_sse", "static_ltree", "uncompress2", "x86_check_features", "x86_cpu_has_pclmul", "x86_cpu_has_sse2", "x86_cpu_has_sse42", "z_errmsg", "zcalloc", "zcfree"]
+    }},
     {"name": "musllinux_1_2",
     "aliases": [],
     "priority": 90,
@@ -42,7 +44,8 @@
       "armv7l": {
       }
     },
-    "lib_whitelist": [
-      "libc.so"
-    ]}
+    "lib_whitelist": ["libc.so", "libz.so.1"],
+    "blacklist": {
+      "libz.so.1": ["_dist_code", "_length_code", "_tr_align", "_tr_flush_block", "_tr_init", "_tr_stored_block", "_tr_tally", "bi_windup", "crc32_vpmsum", "crc_fold_512to32", "crc_fold_copy", "crc_fold_init", "deflate_copyright", "deflate_medium", "fill_window", "flush_pending", "gzflags", "inflate_copyright", "inflate_fast", "inflate_table", "longest_match", "slide_hash_sse", "static_ltree", "uncompress2", "x86_check_features", "x86_cpu_has_pclmul", "x86_cpu_has_sse2", "x86_cpu_has_sse42", "z_errmsg", "zcalloc", "zcfree"]
+    }}
 ]
diff --git a/src/auditwheel/policy.rs b/src/auditwheel/policy.rs
@@ -29,17 +29,20 @@ pub static MUSLLINUX_POLICIES: Lazy<Vec<Policy>> = Lazy::new(|| {
 /// Manylinux policy
 #[derive(Debug, Clone, PartialEq, Deserialize)]
 pub struct Policy {
-    /// manylinux platform tag name
+    /// platform tag name
     pub name: String,
-    /// manylinux platform tag aliases
+    /// platform tag aliases
     pub aliases: Vec<String>,
     /// policy priority. Tags supporting more platforms have higher priority
     pub priority: i64,
     /// platform architecture to symbol versions map
     #[serde(rename = "symbol_versions")]
     pub symbol_versions: HashMap<String, HashMap<String, HashSet<String>>>,
+    /// whitelisted libraries
     #[serde(rename = "lib_whitelist")]
     pub lib_whitelist: HashSet<String>,
+    /// blacklisted symbols of whitelisted libraries
+    pub blacklist: HashMap<String, HashSet<String>>,
 }
 
 impl Default for Policy {

diff --git a/test-crates/lib_with_disallowed_lib/Cargo.lock b/test-crates/lib_with_disallowed_lib/Cargo.lock
diff --git a/test-crates/lib_with_disallowed_lib/Cargo.toml b/test-crates/lib_with_disallowed_lib/Cargo.toml
@@ -9,5 +9,4 @@ crate-type = ["cdylib"]
 
 [dependencies]
 libz-sys = { version = "1.1.2", default-features = false }
-# Don't use the macros feature, which makes compilation much faster
-pyo3 = { version = "0.14.0", default-features = false, features = ["extension-module"] }
+pyo3 = { version = "0.14.0", features = ["extension-module"] }