unix: add slash to DT_NEEDED to force loading our libpython

indygreg/PyOxidizer#406 reported that presence
of LD_LIBRARY_PATH can cause the loader to pull in a libpython from an
unrelated Python install. This is because our DT_NEEDED values were
relative paths (e.g. `libpython3.9.so.1.0`) and the Linux loader will
use LD_LIBRARY_PATH over DT_RUNPATH unless the DT_NEEDED value contains
contains a slash. See the ld.so man page for more.

This commit adds a slash to our DT_NEEDED values to force the loader to
load an explicit relative path, thus eliminating the potential for
LD_LIBRARY_PATH to intefere with libpython resolution.

Author: indygreg

cpython-unix/build-cpython.sh

@@ -719,17 +719,24 @@ if [ "${PYBUILD_SHARED}" = "1" ]; then
                 ${ROOT}/out/python/install/bin/python${PYTHON_MAJMIN_VERSION}${PYTHON_BINARY_SUFFIX}
         fi
     else
-        LIBPYTHON_SHARED_LIBRARY=${ROOT}/out/python/install/lib/libpython${PYTHON_MAJMIN_VERSION}${PYTHON_BINARY_SUFFIX}.so.1.0
+        LIBPYTHON_SHARED_LIBRARY_BASENAME=libpython${PYTHON_MAJMIN_VERSION}.so.1.0
+        LIBPYTHON_SHARED_LIBRARY=${ROOT}/out/python/install/lib/${LIBPYTHON_SHARED_LIBRARY_BASENAME}
 
-        patchelf --set-rpath '$ORIGIN/../lib' ${ROOT}/out/python/install/bin/python${PYTHON_MAJMIN_VERSION}
+        # If we simply set DT_RUNPATH via --set-rpath, LD_LIBRARY_PATH would be used before
+        # DT_RUNPATH, which could result in confusion at run-time. But if DT_NEEDED
+        # contains a slash, the explicit path is used.
+        patchelf --replace-needed ${LIBPYTHON_SHARED_LIBRARY_BASENAME} "\$ORIGIN/../lib/${LIBPYTHON_SHARED_LIBRARY_BASENAME}" \
+            ${ROOT}/out/python/install/bin/python${PYTHON_MAJMIN_VERSION}
 
         # libpython3.so isn't present in debug builds.
         if [ -z "${CPYTHON_DEBUG}" ]; then
-            patchelf --set-rpath '$ORIGIN/../lib' ${ROOT}/out/python/install/lib/libpython3.so
+            patchelf --replace-needed ${LIBPYTHON_SHARED_LIBRARY_BASENAME} "\$ORIGIN/../lib/${LIBPYTHON_SHARED_LIBRARY_BASENAME}" \
+                ${ROOT}/out/python/install/lib/libpython3.so
         fi
 
         if [ -n "${PYTHON_BINARY_SUFFIX}" ]; then
-            patchelf --set-rpath '$ORIGIN/../lib' ${ROOT}/out/python/install/bin/python${PYTHON_MAJMIN_VERSION}${PYTHON_BINARY_SUFFIX}
+            patchelf --replace-needed ${LIBPYTHON_SHARED_LIBRARY_BASENAME} "\$ORIGIN/../lib/${LIBPYTHON_SHARED_LIBRARY_BASENAME}" \
+                ${ROOT}/out/python/install/bin/python${PYTHON_MAJMIN_VERSION}${PYTHON_BINARY_SUFFIX}
         fi
     fi
 fi

src/main.rs

@@ -430,8 +430,14 @@ fn validate_elf(
         allowed_libraries.extend(extra.iter().map(|x| x.to_string()));
     }
 
-    allowed_libraries.push(format!("libpython{}.so.1.0", python_major_minor));
-    allowed_libraries.push(format!("libpython{}d.so.1.0", python_major_minor));
+    allowed_libraries.push(format!(
+        "$ORIGIN/../lib/libpython{}.so.1.0",
+        python_major_minor
+    ));
+    allowed_libraries.push(format!(
+        "$ORIGIN/../lib/libpython{}d.so.1.0",
+        python_major_minor
+    ));
 
     for lib in &elf.libraries {
         if !allowed_libraries.contains(&lib.to_string()) {