busybox.inc: Add sanity check to test if the suid binary provides sh

Add a sanity check during the do_compile task to fail if the suid
busybox provides /bin/sh. This is considered as a hard fail since not
only is providing sh as suid problematic for security reasons but also
because the sh configured for suid is less functional than the nosuid
configured sh and breaks a number of required features (e.g. 64-bit
test).

(From OE-Core rev: b64807549569817c8f1921a0aad52c815af90731)

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 4012f921c6..157aea3968 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -183,6 +183,12 @@ do_compile() {
                         oe_runmake busybox.links
                         mv busybox.links busybox.links.$s
                 done
+
+                # hard fail if sh is being linked to the suid busybox (detects bug 10346)
+                if grep -q -x "/bin/sh" busybox.links.suid; then
+                        bbfatal "busybox suid binary incorrectly provides /bin/sh"
+                fi
+
                 # copy .config.orig back to .config, because the install process may check this file
                 cp .config.orig .config
                 # cleanup