From 96df8475810a2717e41bceb4c0e26de4dab180cf Mon Sep 17 00:00:00 2001 From: Austin Schuh Date: Tue, 30 Apr 2019 09:55:23 -0700 Subject: [PATCH] Use a sandboxed openssl.cnf file for phantomjs (#353) Debian buster ahs changed /etc/ssl/openssl.cnf far enough that the openssl built into phantomjs can't parse it. I found this out by stracing a test run and watching it access /etc/ssl/openssl.cnf. We want bazel to not rely on anything outside the sandbox. The error that is returned otherwise is: 140302110000960:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory 140302110000960:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140302110000960:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf 140302110000960:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf Fixes: #351 --- third_party/openssl/BUILD | 7 +++++++ third_party/openssl/openssl.cnf | 1 + third_party/phantomjs/BUILD | 1 + third_party/phantomjs/phantomjs.sh | 1 + 4 files changed, 10 insertions(+) create mode 100644 third_party/openssl/BUILD create mode 100644 third_party/openssl/openssl.cnf diff --git a/third_party/openssl/BUILD b/third_party/openssl/BUILD new file mode 100644 index 0000000000..7b4748f104 --- /dev/null +++ b/third_party/openssl/BUILD @@ -0,0 +1,7 @@ +licenses(["unencumbered"]) + +filegroup( + name = "files", + srcs = ["openssl.cnf"], + visibility = ["//visibility:public"], +) diff --git a/third_party/openssl/openssl.cnf b/third_party/openssl/openssl.cnf new file mode 100644 index 0000000000..d211288401 --- /dev/null +++ b/third_party/openssl/openssl.cnf @@ -0,0 +1 @@ +# An empty openssl.cnf file seems to be good enough for phantomjs diff --git a/third_party/phantomjs/BUILD b/third_party/phantomjs/BUILD index 60fe047d90..14561a6b89 100644 --- a/third_party/phantomjs/BUILD +++ b/third_party/phantomjs/BUILD @@ -26,6 +26,7 @@ sh_binary( "//third_party/fontconfig:config", "//third_party/fontconfig:libfontconfig_k8", "//third_party/freetype:libfreetype_k8", + "//third_party/openssl:files", "//third_party/png:libpng_k8", ], ) diff --git a/third_party/phantomjs/phantomjs.sh b/third_party/phantomjs/phantomjs.sh index 6217961a57..671369ba36 100755 --- a/third_party/phantomjs/phantomjs.sh +++ b/third_party/phantomjs/phantomjs.sh @@ -34,6 +34,7 @@ export OPENSSL_CONF=/etc/ssl/ export FONTCONFIG_PATH="${RUNFILES}/third_party/fontconfig" export XDG_DATA_HOME="${RUNFILES}" export XDG_CACHE_HOME="$(mktemp -d "${TMPDIR:-/tmp}/fontcache.XXXXXXXXXX")" +export OPENSSL_CONF="${RUNFILES}/third_party/openssl/openssl.cnf" "${RUNFILES}/third_party/phantomjs/bin/phantomjs" "$@" rc="$?"