qemu/nemu: remove blacklisted binaries

Remove blacklisted binaries, since they are not needed in kata and may have CVEs. fixes #311 Signed-off-by: Julio Montes <julio.montes@intel.com>
2026-01-29 21:39:23 +00:00 · 2019-08-14 17:41:31 +00:00
parent 9de19ddbeb
commit 33368859d9
3 changed files with 50 additions and 0 deletions
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"

 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"

 if [ $# -ne 0 ];then
@@ -94,3 +96,7 @@ sudo docker run \
 	mv "/tmp/nemu-static/${nemu_tar}" /share/

 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
--- a/static-build/qemu.blacklist
+++ b/static-build/qemu.blacklist
@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"

 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"

 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@@ -54,3 +56,7 @@ sudo docker run \
 	mv "/tmp/qemu-static/${qemu_tar}" /share/

 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"