The relative RPATH ("./") supplied to linker options in CFLAGS is resolved relative to the current working directory and not the executable directory, which will lead to incorrect resolution when the test executable is run from elsewhere. Changing it to $ORIGIN makes it resolve relative to the directory in which the executable resides, which is supposedly the desired behaviour.
Discovered by the check-rpaths script[1][2] that checks for insecure RPATH/RUNPATH[3], such as relative directories, during an attempt to package BPF selftests for later use in CI:
ERROR 0004: file '/usr/libexec/kselftests/bpf/urandom_read' contains an insecure runpath '.' in [.]
[1] https://github.com/rpm-software-management/rpm/blob/master/scripts/check-rpa...
[2] https://github.com/rpm-software-management/rpm/blob/master/scripts/check-rpa...
[3] https://cwe.mitre.org/data/definitions/426.html
Signed-off-by: Eugene Syromiatnikov esyr@redhat.com
---
 tools/testing/selftests/bpf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index dd49c1d23a60..6a3dc9b99159 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -241,7 +241,7 @@ $(OUTPUT)/urandom_read: urandom_read.c urandom_read_aux.c $(OUTPUT)/liburandom_r $(filter-out -static,$(CFLAGS) $(LDFLAGS)) $(filter %.c,$^) \ -lurandom_read $(filter-out -static,$(LDLIBS)) -L$(OUTPUT) \ -fuse-ld=$(LLD) -Wl,-znoseparate-code -Wl,--build-id=sha1 \ - -Wl,-rpath=. -o $@ + -Wl,-rpath=$$ORIGIN/ -o $@
$(OUTPUT)/sign-file: ../../../../scripts/sign-file.c $(call msg,SIGN-FILE,,$@)
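Review bot: The new `-Wl,-rpath=$$ORIGIN/` in the urandom_read link recipe is not quoted for the shell. Make reduces `$$ORIGIN` to `$ORIGIN`, and the recipe shell then expands that as a shell variable, which is normally unset, so the linker would receive `-rpath=/` rather than the literal `$ORIGIN` token. Suggest single-quoting it, e.g. `-Wl,-rpath='$$ORIGIN'`, dropping the trailing slash, which adds nothing, and confirming with readelf -d on the built urandom_read that the RUNPATH entry reads $ORIGIN.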
linux-kselftest-mirror@lists.linaro.org
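The kind of check described in the commit message, as an added example (not part of the patch and not the rpm check-rpaths script): it extracts the RPATH/RUNPATH value from `readelf -d` style output and flags entries that are not absolute and not anchored at `$ORIGIN`. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag RPATH/RUNPATH entries that the dynamic loader would
# resolve relative to the current working directory (CWE-426).

# Read `readelf -d` output on stdin, print the bracketed RPATH/RUNPATH value.
runpath_from_readelf() {
    sed -n -e 's/.*(RUNPATH).*\[\(.*\)\]$/\1/p' \
           -e 's/.*(RPATH).*\[\(.*\)\]$/\1/p'
}

# insecure_entries 'dir1:dir2:...'
# Prints each flagged entry on its own line; returns 1 if any was flagged.
insecure_entries() {
    found=0
    [ -n "$1" ] || return 0          # no RPATH/RUNPATH at all
    rest="$1:"                       # sentinel so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                                   # absolute path
            '$ORIGIN'|'$ORIGIN'/*) ;;                # relative to the binary
            '${ORIGIN}'|'${ORIGIN}'/*) ;;            # same token, braced form
            *)  # relative ('.', 'lib', ...) or empty; glibc treats an
                # empty entry as the current directory
                printf '%s\n' "${entry:-<empty>}"
                found=1 ;;
        esac
    done
    return $found
}

# Check one line of dynamic-section output.
check_dynamic() {
    insecure_entries "$(printf '%s\n' "$1" | runpath_from_readelf)"
}

# Constructed sample lines in the format printed by `readelf -d`:
# the binary before the patch and the intended result after it.
sample_before=' 0x000000000000001d (RUNPATH)            Library runpath: [.]'
sample_after=' 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]'

check_dynamic "$sample_before" || echo "before: insecure runpath found"
check_dynamic "$sample_after"  && echo "after: runpath ok"
```

On a real build, pipe `readelf -d` output for the binary into `runpath_from_readelf` and pass the result to `insecure_entries`.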