audit: protection mask for "symlinks only"

and use it for /etc/init.d by default. fixes #99.

src/apk_database.h

@@ -37,6 +37,7 @@ struct apk_db_file {
 };
 
 #define APK_DBDIRF_PROTECTED		0x0001
+#define APK_DBDIRF_SYMLINKS_ONLY	0x0002
 
 struct apk_db_dir {
 	apk_hash_node hash_node;

src/audit.c

@@ -56,6 +56,11 @@ static int audit_directory(apk_hash_item item, void *ctx)
 		if (apk_file_get_info(tmp, APK_CHECKSUM_NONE, &fi) < 0)
 			continue;
 
+		if (!(actx->type & AUDIT_SYSTEM) &&
+		    (dbd->flags & APK_DBDIRF_SYMLINKS_ONLY) &&
+		    !S_ISLNK(fi.mode))
+			continue;
+
 		if (S_ISDIR(fi.mode)) {
 			if (apk_db_dir_query(db, APK_BLOB_STR(tmp)) != NULL)
 				continue;

src/database.c

@@ -235,11 +235,25 @@ static struct apk_db_dir *apk_db_dir_get(struct apk_database *db,
 		dir->flags = dir->parent->flags;
 
 	for (i = 0; i < db->protected_paths->num; i++) {
-		if (db->protected_paths->item[i][0] == '-' &&
-		    strcmp(&db->protected_paths->item[i][1], dir->name) == 0)
-			dir->flags &= ~APK_DBDIRF_PROTECTED;
-		else if (strcmp(db->protected_paths->item[i], dir->name) == 0)
-			dir->flags |= APK_DBDIRF_PROTECTED;
+		int flags = dir->flags, j;
+
+		flags |= APK_DBDIRF_PROTECTED;
+		for (j = 0; ; j++) {
+			switch (db->protected_paths->item[i][j]) {
+			case '-':
+				flags &= ~(APK_DBDIRF_PROTECTED |
+					   APK_DBDIRF_SYMLINKS_ONLY);
+				continue;
+			case '*':
+				flags |= APK_DBDIRF_SYMLINKS_ONLY |
+					 APK_DBDIRF_PROTECTED;
+				continue;
+			}
+			break;
+		}
+
+		if (strcmp(&db->protected_paths->item[i][j], dir->name) == 0)
+			dir->flags = flags;
 	}
 
 	return dir;
@@ -895,7 +909,7 @@ int apk_db_open(struct apk_database *db, const char *root, unsigned int flags)
 		}
 	}
 
-	blob = APK_BLOB_STR("etc:-etc/init.d");
+	blob = APK_BLOB_STR("etc:*etc/init.d");
 	apk_blob_for_each_segment(blob, ":", add_protected_path, db);
 
 	if (root != NULL) {

src/io.c

@@ -468,7 +468,7 @@ int apk_file_get_info(const char *filename, int checksum, struct apk_file_info *
 	struct stat st;
 	struct apk_bstream *bs;
 
-	if (stat(filename, &st) != 0)
+	if (lstat(filename, &st) != 0)
 		return -errno;
 
 	*fi = (struct apk_file_info) {