Decouple the install tools from the main system as much as possible.

I.e., not only copy them to a scratch dir, but also make them use saved
copies of libraries and locale files.  That gives us several benefits:

1) ABI breakages should no longer affect installworld over the live system.

2) It becomes safe to run installworld while still running the old kernel.
   However, it can be reasonable to save the old /rescue before that to be
   able to run the old reboot(8), as the new binaries are rather likely to
   fail with the old kernel.  Anyhow, it's now possible to upgrade a system
   in a single reboot _reliably_.

3) With a bit of hackery around rtld(8), it becomes possible to do destructive
   cross-installs, e.g., i386->amd64 over the live system.

The only shared item left between the old and new systems is rtld(8),
which cannot be run from a saved copy easily because its full
pathname is stored in the respective field of each ELF executable.
(In theory, that field could be overridden, e.g., from the environment,
but this can lead to security issues.)  That's why a destructive
cross-install isn't possible w/o hackery yet.

Fruitful ideas by:	ru
Reviewed by:		ru
Tested with:		audit(4)

1 files changed, 32 insertions, 14 deletions

diff --git a/Makefile.inc1 b/Makefile.inc1
index e64fd4b473878..4447bdc43f1e1 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -159,7 +159,14 @@ XPATH=		${WORLDTMP}/usr/sbin:${WORLDTMP}/usr/bin:${WORLDTMP}/usr/games
 STRICTTMPPATH=	${BPATH}:${XPATH}
 TMPPATH=	${STRICTTMPPATH}:${PATH}
 
+#
+# Avoid running mktemp(1) unless actually needed.
+# It may not be functional, e.g., due to new ABI
+# when in the middle of installing over this system.
+#
+.if make(distributeworld) || make(installworld)
 INSTALLTMP!=	/usr/bin/mktemp -d -u -t install
+.endif
 
 #
 # Building a world goes through the following stages
@@ -265,14 +272,16 @@ LIB32IMAKE=	${LIB32WMAKE:NINSTALL=*:NDESTDIR=*} -DNO_INCS
 .endif
 
 # install stage
+IMAKEENV=	${CROSSENV}
+IMAKE=		${IMAKEENV} ${MAKE} -f Makefile.inc1
 .if empty(.MAKEFLAGS:M-n)
-IMAKEENV=	${CROSSENV} \
-		PATH=${STRICTTMPPATH}:${INSTALLTMP}
+IMAKEENV+=	PATH=${STRICTTMPPATH}:${INSTALLTMP} \
+		LD_LIBRARY_PATH=${INSTALLTMP} \
+		PATH_LOCALE=${INSTALLTMP}/locale
+IMAKE+=		__MAKE_SHELL=${INSTALLTMP}/sh
 .else
-IMAKEENV=	${CROSSENV} \
-		PATH=${TMPPATH}:${INSTALLTMP}
+IMAKEENV+=	PATH=${TMPPATH}:${INSTALLTMP}
 .endif
-IMAKE=		${IMAKEENV} ${MAKE} -f Makefile.inc1
 
 # kernel stage
 KMAKEENV=	${WMAKEENV}
@@ -564,6 +573,14 @@ installcheck_UGID:
 .endfor
 
 #
+# Required install tools to be saved in a scratch dir for safety.
+#
+ITOOLS=	[ awk cap_mkdb cat chflags chmod chown \
+	date echo egrep find grep install-info \
+	ln lockf make mkdir mtree mv pwd_mkdb rm sed sh sysctl \
+	test true uname wc zic
+
+#
 # distributeworld
 #
 # Distributes everything compiled by a `buildworld'.
@@ -574,19 +591,20 @@ installcheck_UGID:
 #
 distributeworld installworld: installcheck
 	mkdir -p ${INSTALLTMP}
-	for prog in [ awk cap_mkdb cat chflags chmod chown \
-	    date echo egrep find grep install-info \
-	    ln lockf make mkdir mtree mv pwd_mkdb rm sed sh sysctl \
-	    test true uname wc zic; do \
+	for prog in ${ITOOLS}; do \
 		if progpath=`which $$prog`; then \
-			cp $$progpath ${INSTALLTMP}; \
+			progs="$$progs $$progpath"; \
 		else \
-			echo "Required install tool $$prog not found" >&2; \
+			echo "Required tool $$prog not found in PATH." >&2; \
 			exit 1; \
 		fi; \
-	done
-	${_+_}cd ${.CURDIR}; ${IMAKE} re${.TARGET:S/world$//}
-	rm -rf ${INSTALLTMP}
+	done; \
+	cp $$progs ${INSTALLTMP}; \
+	cp `ldd -f "%p\n" -f "%p\n" $$progs 2>/dev/null | \
+	    sort -u` ${INSTALLTMP}
+	cp -R $${PATH_LOCALE:-"/usr/share/locale"} ${INSTALLTMP}/locale
+	${_+_}cd ${.CURDIR}; ${IMAKE} re${.TARGET:S/world$//}; \
+	    ${IMAKEENV} rm -rf ${INSTALLTMP}
 
 #
 # reinstall