From 33368859d907ef357073112f108f358872dd7a02 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:41:31 +0000
Subject: [PATCH] qemu/nemu: remove blacklisted binaries
Remove blacklisted binaries, since they are not needed in kata and may have CVEs.
fixes #311
Signed-off-by: Julio Montes
---
 static-build/nemu/build-static-nemu.sh | 6 ++++
 static-build/qemu.blacklist | 38 ++++++++++++++++++++++++++
 static-build/qemu/build-static-qemu.sh | 6 ++++
 3 files changed, 50 insertions(+)
 create mode 100644 static-build/qemu.blacklist
diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index 2e07da6ea4..f1027c2aa4 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"
 if [ $# -ne 0 ];then
@@ -94,3 +96,7 @@ sudo docker run \
 mv "/tmp/nemu-static/${nemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
diff --git a/static-build/qemu.blacklist b/static-build/qemu.blacklist
new file mode 100644
index 0000000000..5584596767
--- /dev/null
+++ b/static-build/qemu.blacklist
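Review bot: `${qemu_black_list[*]}` on the `tar --delete` line is unquoted, so the shell word-splits the joined string and runs pathname expansion on every `*` pattern against the current directory before tar sees it; any pattern that happens to match a local path is silently replaced by that path and the intended archive member survives in the tarball. Pass the array as `"${qemu_black_list[@]}"` so each pattern reaches tar verbatim and `--wildcards` does the matching. The identical line in the last hunk of build-static-qemu.sh has the same problem. Separately, `gzip > "${nemu_tmp_tar}"` creates the temp file even when tar fails mid-pipeline, and the following `mv -f` then replaces the real tarball with a truncated one unless `set -e` is enabled further up (only `set -o pipefail` is visible in the hunk header); chaining `... | gzip > "${nemu_tmp_tar}" && mv -f "${nemu_tmp_tar}" "${nemu_tar}"` makes the replacement conditional on the pipeline succeeding.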
@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index d2986897cd..030e142c5f 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@@ -54,3 +56,7 @@ sudo docker run \
 mv "/tmp/qemu-static/${qemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"
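Review bot: The entries inside `qemu_black_list=( ... )` are unquoted glob words, and bash applies pathname expansion to each word of an array assignment at the moment the file is `source`d, so an entry such as `*/share/*/*.img` becomes whatever matches relative to the calling script's working directory (or is dropped entirely under `nullglob`) instead of staying the literal pattern tar is meant to interpret. Quote every entry, e.g. `"*/bin/qemu-pr-helper"` and `"*/share/*/*.img"`, so the patterns are stored verbatim. Since this file is consumed by two build scripts, a header line like `# Entries are tar --wildcards patterns: keep them quoted and expand the array as "${qemu_black_list[@]}"` would make that contract explicit to future editors.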