[PATCH 0/4] Ensure a reasonable umask, and fix up permissions

[PATCH 0/4] Ensure a reasonable umask, and fix up permissions

[Mark Hatle]

A fairly global problem was discovered that depending on the build users
umask, the directories and files being generated ended up with different
permissions.  This lead to situations where the first package to be
installed setup the permissions and could have lead to bugs and security
issues.

This patch set resolves the problem in two ways.  First it sets the umask
to a sane value for distribution creation, 022.  Note: I intentionally left
the patches and reverted global umask in this patch set.  Without the 
corresponding changes to bitbake the "Add umask task control" won't do
anything.

The package.bbclass change is described within that specific commit.  Note
there is still one outstanding issue when one package uses a directory and
another defines the item in terms of a symlink.  I intend to enhance the
code to deal with that situation in a future commit.

The following changes since commit f40f936b3ba00e31cae49c22b2633d4deb825533:

  Revert "eglibc: Upgrade recipes from 2.13 -> 2.14" (2011-06-22 16:52:11 -0500)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib mhatle/perms
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=mhatle/perms

Mark Hatle (4):
  classes/base.bbclass: Add umask
  Revert "classes/base.bbclass: Add umask"
  Add umask task control
  classes/package.bbclass: Add fixup_perms

 meta/classes/base.bbclass                          |    4 +
 meta/classes/image.bbclass                         |    2 +
 meta/classes/package.bbclass                       |  168 ++++++++++++++++++--
 meta/classes/staging.bbclass                       |    1 +
 meta/files/fs-perms.txt                            |   39 +++++
 .../installer/adt-installer_1.0.bb                 |    2 +
 meta/recipes-kernel/linux/linux-tools.inc          |    2 +
 7 files changed, 208 insertions(+), 10 deletions(-)
 create mode 100644 meta/files/fs-perms.txt

-- 
1.7.3.4

[PATCH 1/4] classes/base.bbclass: Add umask

[Mark Hatle]

In order for the build system to consistently create directories and files
with reasonable default permissions, we need to set the umask to a known
value, 022.

Prior to this patch we used the users umask and just verified it was
"compatible" with 022...

Note, this patch sets the umask -once- in the main bb thread.

Also remove the sanity check, as it's no longer needed.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/classes/base.bbclass   |   10 ++++++++++
 meta/classes/sanity.bbclass |    5 -----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 119b052..11ff0e0 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -13,6 +13,16 @@ inherit logging
 OE_IMPORTS += "os sys time oe.path oe.utils oe.data oe.packagegroup"
 OE_IMPORTS[type] = "list"
 
+# There are a few key items we need to setup in the environment
+# in order to get consistent builds.  Do them here.
+python oe_setup_env () {
+    if isinstance(e, bb.event.ConfigParsed) and bb.data.getVar("BB_WORKERCONTEXT", e.data, True) != "1":
+	import os
+	os.umask(0022)
+}
+
+addhandler oe_setup_env
+
 def oe_import(d):
     import os, sys
 
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index fc005aa..cd883be 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -224,11 +224,6 @@ def check_sanity(e):
     if os.path.basename(os.readlink('/bin/sh')) == 'dash':
         messages = messages + "Using dash as /bin/sh causes various subtle build problems, please use bash instead (e.g. 'dpkg-reconfigure dash' on an Ubuntu system.\n"
 
-    omask = os.umask(022)
-    if omask & 0755:
-        messages = messages + "Please use a umask which allows a+rx and u+rwx\n"
-    os.umask(omask)
-
     oes_bb_conf = data.getVar( 'OES_BITBAKE_CONF', e.data, True )
     if not oes_bb_conf:
         messages = messages + 'You do not include OpenEmbeddeds version of conf/bitbake.conf. This means your environment is misconfigured, in particular check BBPATH.\n'
-- 
1.7.3.4

[PATCH 2/4] Revert "classes/base.bbclass: Add umask"

[Mark Hatle]

This reverts commit d8470b6a8efdbba04cef5d4dc1ce12720fe83621.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/classes/base.bbclass   |   10 ----------
 meta/classes/sanity.bbclass |    5 +++++
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 11ff0e0..119b052 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -13,16 +13,6 @@ inherit logging
 OE_IMPORTS += "os sys time oe.path oe.utils oe.data oe.packagegroup"
 OE_IMPORTS[type] = "list"
 
-# There are a few key items we need to setup in the environment
-# in order to get consistent builds.  Do them here.
-python oe_setup_env () {
-    if isinstance(e, bb.event.ConfigParsed) and bb.data.getVar("BB_WORKERCONTEXT", e.data, True) != "1":
-	import os
-	os.umask(0022)
-}
-
-addhandler oe_setup_env
-
 def oe_import(d):
     import os, sys
 
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index cd883be..fc005aa 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -224,6 +224,11 @@ def check_sanity(e):
     if os.path.basename(os.readlink('/bin/sh')) == 'dash':
         messages = messages + "Using dash as /bin/sh causes various subtle build problems, please use bash instead (e.g. 'dpkg-reconfigure dash' on an Ubuntu system.\n"
 
+    omask = os.umask(022)
+    if omask & 0755:
+        messages = messages + "Please use a umask which allows a+rx and u+rwx\n"
+    os.umask(omask)
+
     oes_bb_conf = data.getVar( 'OES_BITBAKE_CONF', e.data, True )
     if not oes_bb_conf:
         messages = messages + 'You do not include OpenEmbeddeds version of conf/bitbake.conf. This means your environment is misconfigured, in particular check BBPATH.\n'
-- 
1.7.3.4

[PATCH 3/4] Add umask task control

[Mark Hatle]

Bitbake now allows the umask to be specified per task.  The
following tasks will have a umask of 022 set by default:

do_configure
do_compile
do_install
do_package
do_populate_sysroot
do_rootfs

do_configure and do_compile need a umask of 022 set because -many- recipes
directly copy generated files out of recipe's build directory.  Instead of
fixing each existing and future recipe, it was shown to be much easier to
just set the umask.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/classes/base.bbclass                          |    4 ++++
 meta/classes/image.bbclass                         |    2 ++
 meta/classes/staging.bbclass                       |    1 +
 .../installer/adt-installer_1.0.bb                 |    2 ++
 meta/recipes-kernel/linux/linux-tools.inc          |    2 ++
 5 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 119b052..9a07f49 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -262,14 +262,18 @@ python () {
     # If we're building a target package we need to use fakeroot (pseudo)
     # in order to capture permissions, owners, groups and special files
     if not bb.data.inherits_class('native', d) and not bb.data.inherits_class('cross', d):
+        bb.data.setVarFlag('do_configure', 'umask', 022, d)
+        bb.data.setVarFlag('do_compile', 'umask', 022, d)
         deps = (bb.data.getVarFlag('do_install', 'depends', d) or "").split()
         deps.append('virtual/fakeroot-native:do_populate_sysroot')
         bb.data.setVarFlag('do_install', 'depends', " ".join(deps),d)
         bb.data.setVarFlag('do_install', 'fakeroot', 1, d)
+        bb.data.setVarFlag('do_install', 'umask', 022, d)
         deps = (bb.data.getVarFlag('do_package', 'depends', d) or "").split()
         deps.append('virtual/fakeroot-native:do_populate_sysroot')
         bb.data.setVarFlag('do_package', 'depends', " ".join(deps),d)
         bb.data.setVarFlag('do_package', 'fakeroot', 1, d)
+        bb.data.setVarFlag('do_package', 'umask', 022, d)
         bb.data.setVarFlag('do_package_setscene', 'fakeroot', 1, d)
     source_mirror_fetch = bb.data.getVar('SOURCE_MIRROR_FETCH', d, 0)
     if not source_mirror_fetch:
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 2469442..e77ec42 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -83,6 +83,8 @@ do_build[nostamp] = "1"
 
 # Must call real_do_rootfs() from inside here, rather than as a separate
 # task, so that we have a single fakeroot context for the whole process.
+do_rootfs[umask] = 022
+
 fakeroot do_rootfs () {
 	#set -x
 	rm -rf ${IMAGE_ROOTFS}
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index fef6457..04d51ed 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -58,6 +58,7 @@ sysroot_stage_all() {
 }
 
 do_populate_sysroot[dirs] = "${SYSROOT_DESTDIR}"
+do_populate_sysroot[umask] = 022
 
 addtask populate_sysroot after do_install
 
diff --git a/meta/recipes-devtools/installer/adt-installer_1.0.bb b/meta/recipes-devtools/installer/adt-installer_1.0.bb
index 8f6e91f..0537440 100644
--- a/meta/recipes-devtools/installer/adt-installer_1.0.bb
+++ b/meta/recipes-devtools/installer/adt-installer_1.0.bb
@@ -54,6 +54,8 @@ SRC_URI = "svn://opkg.googlecode.com/svn;module=trunk;proto=http \
            file://opkg/conf/opkg-sdk-i686.conf \
 	  "
 
+do_deploy[umask] = 022
+
 fakeroot do_deploy () {
 	cd ${WORKDIR}
 	mkdir -p ${ADT_DEPLOY}
diff --git a/meta/recipes-kernel/linux/linux-tools.inc b/meta/recipes-kernel/linux/linux-tools.inc
index e4740d7..729e912 100644
--- a/meta/recipes-kernel/linux/linux-tools.inc
+++ b/meta/recipes-kernel/linux/linux-tools.inc
@@ -19,6 +19,8 @@ fakeroot do_install_perf() {
 addtask compile_perf after do_compile before do_install
 addtask install_perf after do_install before do_package
 
+do_compile_perf[umask] = 022
+do_install_perf[umask] = 022
 
 PERFDEPENDS = "virtual/libc:do_populate_sysroot elfutils:do_populate_sysroot"
 PERFDEPENDS_libc-uclibc = ""
-- 
1.7.3.4

[PATCH 4/4] classes/package.bbclass: Add fixup_perms

[Mark Hatle]

Add a new function that is responsible for fixing directory and file
permissions, owners and groups during the packaging process.  This will fix
various issues where two packages may create the same directory and end up
with different permissions, owner and/or group.

The issue being resolved is that if two packages conflict in their ownership
of a directory, the first installed into the rootfs sets the permissions.
This leads to a least potentially non-deterministic filesystems, at worst
security defects.

The user can specify their own settings via the configuration files
specified in FILESYSTEM_PERMS_TABLES.  If this is not defined, it will
fall back to loading files/fs-perms.txt from BBPATH.  The format of this
file is documented within the file.

By default all of the system directories, specified in bitbake.conf, will
be fixed to be 0755, root, root.

The fs-perms.txt contains a few default entries to correct documentation,
locale, headers and debug sources.  It was discovered these are often
incorrect due to being directly copied from the build user environment.

Also tweak a couple of warnings to provide more diagnostic information.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/classes/package.bbclass |  168 +++++++++++++++++++++++++++++++++++++++---
 meta/files/fs-perms.txt      |   39 ++++++++++
 2 files changed, 197 insertions(+), 10 deletions(-)
 create mode 100644 meta/files/fs-perms.txt

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 8f91c95..3727868 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -16,24 +16,26 @@
 # d) split_and_strip_files - split the files into runtime and debug and strip them.
 #    Debug files include debug info split, and associated sources that end up in -dbg packages
 #
-# e) populate_packages - Split the files in PKGD into separate packages in PKGDEST/<pkgname>
+# e) fixup_perms - Fix up permissions in the package before we split it.
+#
+# f) populate_packages - Split the files in PKGD into separate packages in PKGDEST/<pkgname>
 #    Also triggers the binary stripping code to put files in -dbg packages.
 #
-# f) package_do_filedeps - Collect perfile run-time dependency metadata
+# g) package_do_filedeps - Collect perfile run-time dependency metadata
 #    The data is stores in FILER{PROVIDES,DEPENDS}_file_pkg variables with
 #    a list of affected files in FILER{PROVIDES,DEPENDS}FLIST_pkg
 #
-# g) package_do_shlibs - Look at the shared libraries generated and autotmatically add any 
+# h) package_do_shlibs - Look at the shared libraries generated and autotmatically add any 
 #    depenedencies found. Also stores the package name so anyone else using this library 
 #    knows which package to depend on.
 #
-# h) package_do_pkgconfig - Keep track of which packages need and provide which .pc files
+# i) package_do_pkgconfig - Keep track of which packages need and provide which .pc files
 #
-# i) read_shlibdeps - Reads the stored shlibs information into the metadata
+# j) read_shlibdeps - Reads the stored shlibs information into the metadata
 #
-# j) package_depchains - Adds automatic dependencies to -dbg and -dev packages
+# k) package_depchains - Adds automatic dependencies to -dbg and -dev packages
 #
-# k) emit_pkgdata - saves the packaging data into PKGDATA_DIR for use in later 
+# l) emit_pkgdata - saves the packaging data into PKGDATA_DIR for use in later 
 #    packaging steps
 
 inherit packagedata
@@ -237,7 +239,7 @@ def splitfile2(debugsrcdir, d):
        # We need to ignore files that are not actually ours
        # we do this by only paying attention to items from this package
        processdebugsrc += "fgrep -z '%s' | "
-       processdebugsrc += "(cd '%s' ; cpio -pd0mL '%s%s' 2>/dev/null)"
+       processdebugsrc += "(cd '%s' ; cpio -pd0mL --no-preserve-owner '%s%s' 2>/dev/null)"
 
        os.system(processdebugsrc % (sourcefile, workbasedir, workparentdir, dvar, debugsrcdir))
 
@@ -410,10 +412,154 @@ python perform_packagecopy () {
 	os.system('tar -cf - -C %s -ps . | tar -xf - -C %s' % (dest, dvar))
 }
 
+# We generate a master list of directories to process, we start by
+# seeding this list with reasonable defaults, then load from
+# the fs-perms.txt files
+python fixup_perms () {
+	import stat, pwd, grp
+
+	def get_fs_perms_list(d):
+		str = ""
+		fs_perms_tables = bb.data.getVar('FILESYSTEM_PERMS_TABLES', d, True)
+		if not fs_perms_tables:
+			fs_perms_tables = 'files/fs-perms.txt'
+		for fs_perms_table in fs_perms_tables.split():
+			str += " %s" % bb.which(bb.data.getVar('BBPATH', d, True), fs_perms_table)
+		return str
+
+	def set_fs_perms_table(line, d):
+		line = bb.data.expand(line, d)
+		lsplit = line.split()
+		dir = lsplit[0]
+		if lsplit[1] is "-":
+			fs_perms_mode[dir] = -1
+		else:
+			fs_perms_mode[dir] = int(lsplit[1],8)
+		if lsplit[2] is "-":
+			fs_perms_uid[dir] = -1
+		elif lsplit[2].isdigit():
+			fs_perms_uid[dir] = int(lsplit[2])
+		else:
+			fs_perms_uid[dir] = pwd.getpwnam(lsplit[2]).pw_uid
+		if lsplit[3] is "-":
+			fs_perms_gid[dir] = -1
+		elif lsplit[3].isdigit():
+			fs_perms_gid[dir] = int(lsplit[3])
+		else:
+			fs_perms_gid[dir] = grp.getgrnam(lsplit[3]).gr_gid
+		if lsplit[4].lower() == 'true':
+			fs_perms_walk[dir] = 'true'
+		else:
+			fs_perms_walk[dir] = 'false'
+		if lsplit[5] is "-":
+			fs_perms_fmode[dir] = -1
+		else:
+			fs_perms_fmode[dir] = int(lsplit[5],8)
+		if lsplit[6] is "-":
+			fs_perms_fuid[dir] = -1
+		elif lsplit[6].isdigit():
+			fs_perms_fuid[dir] = int(lsplit[6])
+		else:
+			fs_perms_fuid[dir] = pwd.getpwnam(lsplit[6]).pw_uid
+		if lsplit[7] is "-":
+			fs_perms_fgid[dir] = -1
+		elif lsplit[7].isdigit():
+			fs_perms_fgid[dir] = int(lsplit[7])
+		else:
+			fs_perms_fgid[dir] = grp.getgrnam(lsplit[7]).gr_gid
+
+	dvar = bb.data.getVar('PKGD', d, True)
+
+	fs_perms_mode = {}
+	fs_perms_uid = {}
+	fs_perms_gid = {}
+	fs_perms_walk = {}
+	fs_perms_fmode = {}
+	fs_perms_fuid = {}
+	fs_perms_fgid = {}
+
+	# By default all of the standard directories specified in
+	# bitbake.conf will get 0755 root:root.
+	target_path_vars = [	'base_prefix',
+				'prefix',
+				'exec_prefix',
+				'base_bindir',
+				'base_sbindir',
+				'base_libdir',
+				'datadir',
+				'sysconfdir',
+				'servicedir',
+				'sharedstatedir',
+				'localstatedir',
+				'infodir',
+				'mandir',
+				'docdir',
+				'bindir',
+				'sbindir',
+				'libexecdir',
+				'libdir',
+				'includedir',
+				'oldincludedir' ]
+
+	for path in target_path_vars:
+		dir = bb.data.getVar(path, d, True)
+		if not dir or dir is "":
+			continue
+		set_fs_perms_table("%s 0755 root root false - - -" % dir, d)
+
+	# Now we actually load from the configuration files
+	for conf in get_fs_perms_list(d).split():
+		if os.path.exists(conf):
+			f = open(conf)
+			for line in f:
+				if line.startswith('#'):
+					continue
+				lsplit = line.split()
+				if len(lsplit) == 0:
+					continue
+				if len(lsplit) != 8:
+					bb.error("Fixup perms: %s invalid line: %s" % (conf, line))
+					continue
+				set_fs_perms_table(line, d)
+			f.close()
+
+	# Debug -- list out in-memory table
+	#for dir in fs_perms_mode:
+	#	bb.note("%s 0%o %d %d %s 0%o %d %d" % \
+	#		(dir, fs_perms_mode[dir], fs_perms_uid[dir], fs_perms_gid[dir], fs_perms_walk[dir], \
+	#			fs_perms_fmode[dir], fs_perms_fuid[dir], fs_perms_fgid[dir]))
+
+	for dir in fs_perms_mode:
+		if (dir and os.path.exists(dvar + dir) and os.path.isdir(dvar + dir)):
+			#bb.note("Fixup Perms: %s 0%o %d %d" % (dir, fs_perms_mode[dir], fs_perms_uid[dir], fs_perms_gid[dir]))
+			if fs_perms_mode[dir] != -1:
+				os.chmod(dvar + dir, fs_perms_mode[dir])
+			if fs_perms_uid[dir] != -1 and fs_perms_gid[dir] != -1:
+				os.chown(dvar + dir, fs_perms_uid[dir], fs_perms_gid[dir])
+
+			if fs_perms_walk[dir] == 'true':
+				for root, dirs, files in os.walk(dvar + dir):
+					for dr in dirs:
+						each_dir = os.path.join(root, dr)
+						#bb.note("Fixup Perms: %s 0%o %d %d" % (each_dir.replace(dvar, "", 1), fs_perms_mode[dir], fs_perms_uid[dir], fs_perms_gid[dir]))
+						if fs_perms_mode[dir] != -1:
+							os.chmod(each_dir, fs_perms_mode[dir])
+						if fs_perms_uid[dir] != -1 and fs_perms_gid[dir] != -1:
+							os.chown(each_dir, fs_perms_uid[dir], fs_perms_gid[dir])
+					for f in files:
+						each_file = os.path.join(root, f)
+						#bb.note("Fixup Perms: %s 0%o %d %d" % (each_file.replace(dvar, "", 1), fs_perms_fmode[dir], fs_perms_fuid[dir], fs_perms_fgid[dir]))
+						if fs_perms_fmode[dir] != -1:
+							os.chmod(each_file, fs_perms_fmode[dir])
+						if fs_perms_uid[dir] != -1 and fs_perms_gid[dir] != -1:
+							os.chown(each_file, fs_perms_fuid[dir], fs_perms_fgid[dir])
+}
+
 python split_and_strip_files () {
 	import commands, stat, errno
 
 	dvar = bb.data.getVar('PKGD', d, True)
+	pn = bb.data.getVar('PN', d, True)
 
 	# We default to '.debug' style
 	if bb.data.getVar('PACKAGE_DEBUG_SPLIT_STYLE', d, True) == 'debug-file-directory':
@@ -551,7 +697,7 @@ python split_and_strip_files () {
 			if file_list[file].startswith("ELF: "):
 				elf_file = int(file_list[file][5:])
 				if elf_file & 2:
-					bb.warn("File '%s' was already stripped, this will prevent future debugging!" % (src))
+					bb.warn("File '%s' from %s was already stripped, this will prevent future debugging!" % (src, pn))
 					continue
 
 				# Split the file...
@@ -690,7 +836,7 @@ python populate_packages () {
 				unshipped.append(path)
 
 	if unshipped != []:
-		bb.warn("the following files were installed but not shipped in any package:")
+		bb.warn("the following files were installed but not shipped in any package: %s" % pn)
 		for f in unshipped:
 			bb.warn("  " + f)
 
@@ -1373,6 +1519,7 @@ PACKAGEFUNCS ?= "package_get_auto_pr \
                 ${PACKAGE_PREPROCESS_FUNCS} \
 		package_do_split_locales \
 		split_and_strip_files \
+		fixup_perms \
 		populate_packages \
 		package_do_filedeps \
 		package_do_shlibs \
@@ -1400,6 +1547,7 @@ python do_package () {
 	for f in (bb.data.getVar('PACKAGEFUNCS', d, True) or '').split():
 		bb.build.exec_func(f, d)
 }
+
 do_package[dirs] = "${SHLIBSWORKDIR} ${PKGDESTWORK} ${D}"
 addtask package before do_build after do_install
 
diff --git a/meta/files/fs-perms.txt b/meta/files/fs-perms.txt
new file mode 100644
index 0000000..f00bff3
--- /dev/null
+++ b/meta/files/fs-perms.txt
@@ -0,0 +1,39 @@
+# This file contains a list of files and directories with known permissions.
+# It is used by the packaging class to ensure that the permissions, owners and
+# group of listed files and directories are in sync across the system.
+#
+# The format of this file 
+#
+#<path>	<mode>	<uid>	<gid>	<walk>	<fmode>	<fuid>	<fgid>
+#
+# <path>: directory path
+# <mode>: mode for directory
+# <uid>:  uid for directory
+# <gid>:  gid for directory
+# <walk>: recursively walk the directory?  true or false
+# <fmode>: if walking, new mode for files
+# <fuid>:  if walking, new uid for files
+# <fgid>:  if walking, new gid for files
+#
+# in mode, uid or gid, a "-" means don't change any existing values
+#
+# /usr/src		0755	root	root	false	-	-	-
+# /usr/share/man	0755	root	root	true	0644	root	root
+
+# Note: all standard config directories are automatically assigned "0755 root root false - - -"
+
+# Documentation should always be corrected
+${mandir}		0755	root	root	true	0644	root	root
+${infodir}		0755	root	root	true	0644	root	root
+${docdir}		0755	root	root	true	0644	root	root
+${datadir}/gtk-doc	0755	root	root	true	0644	root	root
+
+# Fixup locales
+${datadir}/locale	0755	root	root	true	0644	root	root
+
+# Cleanup headers
+${includedir}		0755	root	root	true	0644	root	root
+${oldincludedir}	0755	root	root	true	0644	root	root
+
+# Cleanup debug src
+/usr/src/debug		0755	root	root	true	0644	root	root
-- 
1.7.3.4