Enable rpathification and working relocation on Linux (take 3)

Dumpcap depends on wsutil.so. The path to the shared library is encoded in the RPATH (or RUNPATH) property of ELF binaries. This is currently an absolute path on most Unixy systems. Dumpcap could not be made to work with a relative RPATH because it uses elevated privileges and some loaders will ignore relative RPATHs and non-standard paths under those circumstances, because of (justified) security concerns. To enable relocation of the program we link dumpcap statically with wsutil instead. This provides a fully working relocatable installation on Linux and other platforms that support relative RPATHs.
2 months ago · 9cb759b38e
parent 81996c5d79
commit 9cb759b38e
4 changed files with 90 additions and 31 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -270,26 +270,25 @@ if(NOT (WIN32 OR APPLE OR USE_STATIC))
 		# Some systems support $ORIGIN in RPATH to enable relocatable
 		# binaries. In other cases, only absolute paths can be used.
 		# https://www.lekensteyn.nl/rpath.html
+		#
+		# Also note that some systems (notably those using GNU libc)
+		# silently ignore $ORIGIN in RPATH for binaries that are
+		# setuid root or use privileged capabilities.
+		#
 		if(CMAKE_SYSTEM_NAME MATCHES "^(Linux|SunOS|FreeBSD)$")
 			set(_enable_rpath_origin TRUE)
-			if(BUILD_dumpcap AND ENABLE_PCAP)
-				# dumpcap will most likely be installed with
-				# capabilities or setuid. Relative RPATHs that
-				# resolve to non-standard library directories
-				# are ignored for such binaries and since we
-				# cannot achieve relocatable builds, just
-				# disable it by default.
-				set(_enable_rpath_origin FALSE)
-			endif()
-			# Provide a knob to optionally force absolute rpaths,
-			# to support old/buggy systems and as a user preference
-			# for hardening.
-			set(ENABLE_RPATH_ORIGIN ${_enable_rpath_origin} CACHE BOOL
-				"Use $ORIGIN with INSTALL_RPATH")
-			mark_as_advanced(ENABLE_RPATH_ORIGIN)
 		else()
-			set(ENABLE_RPATH_ORIGIN FALSE)
+			set(_enable_rpath_origin FALSE)
 		endif()
+
+		# Provide a knob to optionally force absolute rpaths,
+		# to support old/buggy systems and as a user preference
+		# for hardening.
+		# XXX Should this be a CMake option?
+		set(ENABLE_RPATH_ORIGIN ${_enable_rpath_origin} CACHE BOOL
+			"Use $ORIGIN with INSTALL_RPATH")
+		mark_as_advanced(ENABLE_RPATH_ORIGIN)
+
 		if(ENABLE_RPATH_ORIGIN)
 			set(LIBRARY_INSTALL_RPATH     "$ORIGIN")
 			set(EXECUTABLE_INSTALL_RPATH  "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
@ -3120,28 +3119,47 @@ endif()
 if(BUILD_dumpcap AND PCAP_FOUND)
 	set(dumpcap_LIBS
 		writecap
-		wsutil
-		caputils
-		iface_monitor
+		wsutil_static
 		pcap::pcap
 		${CAP_LIBRARIES}
 		${ZLIB_LIBRARIES}
+		${NL_LIBRARIES}
 		${APPLE_CORE_FOUNDATION_LIBRARY}
 		${APPLE_SYSTEM_CONFIGURATION_LIBRARY}
 		${WIN_WS2_32_LIBRARY}
 	)
+	if(UNIX)
+		list(APPEND CAPUTILS_SRC
+			capture/capture-pcap-util-unix.c)
+	endif()
+	if(WIN32)
+		list(APPEND CAPUTILS_SRC
+			capture/capture_win_ifnames.c
+			capture/capture-wpcap.c
+		)
+	endif()
+	list(APPEND CAPUTILS_SRC
+		capture/capture-pcap-util.c
+	)
+	if (AIRPCAP_FOUND)
+		list(APPEND CAPUTILS_SRC capture/airpcap_loader.c)
+	endif()
 	set(dumpcap_FILES
-		$<TARGET_OBJECTS:capture_opts>
-		$<TARGET_OBJECTS:cli_main>
+		capture_opts.c
+		cli_main.c
 		dumpcap.c
 		ringbuffer.c
 		sync_pipe_write.c
+		capture/iface_monitor.c
+		capture/ws80211_utils.c
+		${CAPUTILS_SRC}
 	)
 	set_executable_resources(dumpcap "Dumpcap" UNIQUE_RC)
 	add_executable(dumpcap ${dumpcap_FILES})
 	set_extra_executable_properties(dumpcap "Executables")
 	target_link_libraries(dumpcap ${dumpcap_LIBS})
-	target_include_directories(dumpcap SYSTEM PRIVATE ${ZLIB_INCLUDE_DIRS})
+	target_include_directories(dumpcap SYSTEM PRIVATE ${ZLIB_INCLUDE_DIRS} ${NL_INCLUDE_DIRS})
+	target_compile_definitions(dumpcap PRIVATE ENABLE_STATIC)
 	executable_link_mingw_unicode(dumpcap)
 	install(TARGETS dumpcap
 			RUNTIME	DESTINATION ${CMAKE_INSTALL_BINDIR}
--- a/docbook/release-notes.adoc
+++ b/docbook/release-notes.adoc
@ -36,6 +36,9 @@ Previously it was ``$XDG_CONFIG_HOME/wireshark/extcap``.
 The installation target no longer installs development headers by default.
 That must be done explicitly using ``cmake --install <builddir> --component Development``.

+The Wireshark installation is relocatable on Linux (and other ELF platforms
+with support for relative RPATHs).
+
 Many other improvements have been made.
 See the “New and Updated Features” section below for more details.

--- a/include/ws_symbol_export.h
+++ b/include/ws_symbol_export.h
@ -91,22 +91,21 @@
     * be necessary, e.g. if what's declared is an array whose size is
     * not given in the declaration.
     */
-    #ifdef __GNUC__
+    #ifdef ENABLE_STATIC
+      /*
+       * We're building all-static, so we're not building any DLLs.
+       */
+      #define WS_DLL_PUBLIC_DEF
+    #elif defined(__GNUC__)
      /* GCC */
      #define WS_DLL_PUBLIC_DEF __attribute__ ((dllimport))
-    #elif ! (defined ENABLE_STATIC) /* ! __GNUC__ */
+    #else /* ! ENABLE_STATIC && ! __GNUC__ */
      /*
       * Presumably MSVC, and we're not building all-static.
       * Note: actually gcc seems to also support this syntax.
       */
      #define WS_DLL_PUBLIC_DEF __declspec(dllimport)
-    #else /* ! __GNUC__  && ENABLE_STATIC */
-      /*
-       * Presumably MSVC, and we're building all-static, so we're
-       * not building any DLLs.
-       */
-      #define WS_DLL_PUBLIC_DEF
-    #endif /* __GNUC__ */
+    #endif
  #endif /* WS_BUILD_DLL */

  /*
--- a/wsutil/CMakeLists.txt
+++ b/wsutil/CMakeLists.txt
@ -410,6 +410,45 @@ install(FILES ${WSUTIL_PUBLIC_HEADERS}
 	EXCLUDE_FROM_ALL
 )

+add_library(wsutil_static STATIC
+	${WSUTIL_FILES}
+)
+
+target_compile_definitions(wsutil_static PRIVATE
+	ENABLE_STATIC
+	BUILD_WSUTIL
+)
+
+target_link_libraries(wsutil_static
+	PUBLIC
+		${GLIB2_LIBRARIES}
+	PRIVATE
+		${GMODULE2_LIBRARIES}
+		${APPLE_CORE_FOUNDATION_LIBRARY}
+		${CMAKE_DL_LIBS}
+		${GCRYPT_LIBRARIES}
+		${GNUTLS_LIBRARIES}
+		${ZLIB_LIBRARIES}
+		${PCRE2_LIBRARIES}
+		${WIN_IPHLPAPI_LIBRARY}
+		${WIN_WS2_32_LIBRARY}
+)
+
+target_include_directories(wsutil_static SYSTEM
+	PUBLIC
+		${GLIB2_INCLUDE_DIRS}
+		${GCRYPT_INCLUDE_DIRS}
+		${GNUTLS_INCLUDE_DIRS}
+	PRIVATE
+		${GMODULE2_INCLUDE_DIRS}
+		${ZLIB_INCLUDE_DIRS}
+		${PCRE2_INCLUDE_DIRS}
+)
+
+if(NOT VCSVERSION_OVERRIDE)
+	add_dependencies(wsutil_static vcs_version)
+endif()
+
 add_executable(wmem_test EXCLUDE_FROM_ALL wmem/wmem_test.c ${WMEM_FILES})

 target_link_libraries(wmem_test wsutil)