audit, db: add etc/apk/protected_files.d and new audit features
fixes #607. audit is now mostly rewritten for the new functionality. And has new features like --check-permissions, --recursive and --packages. $ROOT/etc/apk/protected_files.d/*.list can now contain additional protected paths, one path per line: +etc @etc/init.d -tmp + will include the directory as protected configuration directory. @ considers the directory protected, but will backup only symlinks. - removes any protection lbu should be modified to put include and exclude paths in etc/apk/protected_files.d/lbu.list. Additionally, some packages might provide their own listings. E.g. ssh might want to provide ssh.list with something like: +root/.ssh +home/*/.sshcute-signatures
parent
a1d16c5d5d
commit
ba3ee3f863
|
@ -38,22 +38,32 @@ struct apk_db_file {
|
|||
char name[];
|
||||
};
|
||||
|
||||
#define APK_DBDIRF_PROTECTED 0x01
|
||||
#define APK_DBDIRF_SYMLINKS_ONLY 0x02
|
||||
#define APK_DBDIRF_MODIFIED 0x04
|
||||
#define APK_DBDIRF_RECALC_MODE 0x08
|
||||
struct apk_protected_path {
|
||||
char *relative_pattern;
|
||||
unsigned protected : 1;
|
||||
unsigned symlinks_only : 1;
|
||||
};
|
||||
APK_ARRAY(apk_protected_path_array, struct apk_protected_path);
|
||||
|
||||
struct apk_db_dir {
|
||||
apk_hash_node hash_node;
|
||||
unsigned long hash;
|
||||
|
||||
struct apk_db_dir *parent;
|
||||
struct apk_protected_path_array *protected_paths;
|
||||
mode_t mode;
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
|
||||
unsigned short refs;
|
||||
unsigned short namelen;
|
||||
unsigned char flags;
|
||||
|
||||
unsigned protected : 1;
|
||||
unsigned symlinks_only : 1;
|
||||
unsigned has_protected_children : 1;
|
||||
unsigned modified : 1;
|
||||
unsigned recalc_mode : 1;
|
||||
|
||||
char rooted_name[1];
|
||||
char name[];
|
||||
};
|
||||
|
@ -125,7 +135,7 @@ struct apk_database {
|
|||
int compat_old_world : 1;
|
||||
|
||||
struct apk_dependency_array *world;
|
||||
struct apk_string_array *protected_paths;
|
||||
struct apk_protected_path_array *protected_paths;
|
||||
struct apk_repository repos[APK_MAX_REPOS];
|
||||
struct apk_repository_tag repo_tags[APK_MAX_TAGS];
|
||||
struct apk_id_cache id_cache;
|
||||
|
@ -158,11 +168,10 @@ struct apk_name *apk_db_get_name(struct apk_database *db, apk_blob_t name);
|
|||
struct apk_name *apk_db_query_name(struct apk_database *db, apk_blob_t name);
|
||||
int apk_db_get_tag_id(struct apk_database *db, apk_blob_t tag);
|
||||
|
||||
struct apk_db_dir *apk_db_dir_query(struct apk_database *db,
|
||||
apk_blob_t name);
|
||||
struct apk_db_dir *apk_db_dir_get(struct apk_database *db, apk_blob_t name);
|
||||
struct apk_db_dir *apk_db_dir_query(struct apk_database *db, apk_blob_t name);
|
||||
struct apk_db_file *apk_db_file_query(struct apk_database *db,
|
||||
apk_blob_t dir,
|
||||
apk_blob_t name);
|
||||
apk_blob_t dir, apk_blob_t name);
|
||||
|
||||
#define APK_OPENF_READ 0x0001
|
||||
#define APK_OPENF_WRITE 0x0002
|
||||
|
|
302
src/audit.c
302
src/audit.c
|
@ -17,28 +17,69 @@
|
|||
#include <sys/stat.h>
|
||||
#include "apk_applet.h"
|
||||
#include "apk_database.h"
|
||||
#include "apk_print.h"
|
||||
|
||||
enum {
|
||||
MODE_BACKUP = 0,
|
||||
MODE_SYSTEM
|
||||
};
|
||||
|
||||
struct audit_ctx {
|
||||
unsigned int open_flags;
|
||||
int check_permissions : 1;
|
||||
int (*audit)(struct audit_ctx *actx, struct apk_database *db);
|
||||
unsigned mode : 1;
|
||||
unsigned recursive : 1;
|
||||
unsigned check_permissions : 1;
|
||||
unsigned packages_only : 1;
|
||||
};
|
||||
|
||||
static int audit_parse(void *ctx, struct apk_db_options *dbopts,
|
||||
int optch, int optindex, const char *optarg)
|
||||
{
|
||||
struct audit_ctx *actx = (struct audit_ctx *) ctx;
|
||||
|
||||
switch (optch) {
|
||||
case 0x10000:
|
||||
actx->mode = MODE_BACKUP;
|
||||
break;
|
||||
case 0x10001:
|
||||
actx->mode = MODE_SYSTEM;
|
||||
break;
|
||||
case 0x10002:
|
||||
actx->check_permissions = 1;
|
||||
break;
|
||||
case 0x10003:
|
||||
actx->packages_only = 1;
|
||||
break;
|
||||
case 'r':
|
||||
actx->recursive = 1;
|
||||
break;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct audit_tree_ctx {
|
||||
struct audit_ctx *actx;
|
||||
struct apk_database *db;
|
||||
size_t pathlen;
|
||||
char path[PATH_MAX];
|
||||
};
|
||||
|
||||
static int audit_file(struct audit_ctx *actx,
|
||||
struct apk_database *db,
|
||||
struct apk_db_file *dbf,
|
||||
const char *name)
|
||||
int dirfd, const char *name)
|
||||
{
|
||||
struct apk_file_info fi;
|
||||
|
||||
if (dbf == NULL)
|
||||
return 'A';
|
||||
|
||||
if (apk_file_get_info(db->root_fd, name, APK_FI_NOFOLLOW | dbf->csum.type, &fi) != 0)
|
||||
return 0;
|
||||
if (apk_file_get_info(dirfd, name, APK_FI_NOFOLLOW | dbf->csum.type, &fi) != 0)
|
||||
return -EPERM;
|
||||
|
||||
if (dbf->csum.type != APK_CHECKSUM_NONE &&
|
||||
apk_checksum_compare(&fi.csum, &dbf->csum) == 0)
|
||||
apk_checksum_compare(&fi.csum, &dbf->csum) != 0)
|
||||
return 'U';
|
||||
|
||||
if (S_ISLNK(fi.mode) && dbf->csum.type == APK_CHECKSUM_NONE)
|
||||
|
@ -74,160 +115,163 @@ static int audit_directory(struct audit_ctx *actx,
|
|||
return 0;
|
||||
}
|
||||
|
||||
struct audit_tree_ctx {
|
||||
struct audit_ctx *actx;
|
||||
struct apk_database *db;
|
||||
};
|
||||
static void report_audit(struct audit_ctx *actx,
|
||||
char reason, apk_blob_t bfull, struct apk_package *pkg)
|
||||
{
|
||||
if (!reason)
|
||||
return;
|
||||
|
||||
static int audit_directory_tree(apk_hash_item item, void *ctx)
|
||||
if (actx->packages_only) {
|
||||
if (pkg == NULL || pkg->state_int != 0)
|
||||
return;
|
||||
pkg->state_int = 1;
|
||||
if (apk_verbosity < 1)
|
||||
printf("%s\n", pkg->name->name);
|
||||
else
|
||||
printf(PKG_VER_FMT "\n", PKG_VER_PRINTF(pkg));
|
||||
} else if (apk_verbosity < 1) {
|
||||
printf(BLOB_FMT "\n", BLOB_PRINTF(bfull));
|
||||
} else
|
||||
printf("%c " BLOB_FMT "\n", reason, BLOB_PRINTF(bfull));
|
||||
}
|
||||
|
||||
static int audit_directory_tree_item(void *ctx, int dirfd, const char *name)
|
||||
{
|
||||
struct audit_tree_ctx *atctx = (struct audit_tree_ctx *) ctx;
|
||||
apk_blob_t bdir = APK_BLOB_PTR_LEN(atctx->path, atctx->pathlen);
|
||||
apk_blob_t bent = APK_BLOB_STR(name);
|
||||
apk_blob_t bfull;
|
||||
struct audit_ctx *actx = atctx->actx;
|
||||
struct apk_database *db = atctx->db;
|
||||
struct apk_db_dir *dbd = (struct apk_db_dir *) item;
|
||||
struct apk_db_dir *dbd;
|
||||
struct apk_file_info fi;
|
||||
struct dirent *de;
|
||||
apk_blob_t bdir = APK_BLOB_PTR_LEN(dbd->name, dbd->namelen);
|
||||
char tmp[PATH_MAX], reason;
|
||||
DIR *dir;
|
||||
int reason = 0;
|
||||
|
||||
if (!(dbd->flags & APK_DBDIRF_PROTECTED))
|
||||
return 0;
|
||||
if (bdir.len + bent.len + 1 >= sizeof(atctx->path))
|
||||
return -ENOMEM;
|
||||
|
||||
dir = fdopendir(openat(db->root_fd, dbd->name, O_RDONLY | O_CLOEXEC));
|
||||
if (dir == NULL)
|
||||
return 0;
|
||||
dbd = apk_db_dir_get(db, bdir);
|
||||
if (dbd == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
while ((de = readdir(dir)) != NULL) {
|
||||
if (strcmp(de->d_name, ".") == 0 ||
|
||||
strcmp(de->d_name, "..") == 0)
|
||||
continue;
|
||||
if (apk_file_get_info(dirfd, name, APK_FI_NOFOLLOW, &fi) < 0)
|
||||
return -EPERM;
|
||||
|
||||
snprintf(tmp, sizeof(tmp), "%s/%s", dbd->name, de->d_name);
|
||||
|
||||
if (apk_file_get_info(db->root_fd, tmp, APK_FI_NOFOLLOW, &fi) < 0)
|
||||
continue;
|
||||
|
||||
if ((dbd->flags & APK_DBDIRF_SYMLINKS_ONLY) &&
|
||||
!S_ISLNK(fi.mode))
|
||||
continue;
|
||||
memcpy(&atctx->path[atctx->pathlen], bent.ptr, bent.len);
|
||||
atctx->pathlen += bent.len;
|
||||
bfull = APK_BLOB_PTR_LEN(atctx->path, atctx->pathlen);
|
||||
|
||||
if (S_ISDIR(fi.mode)) {
|
||||
struct apk_db_dir *dbd;
|
||||
dbd = apk_db_dir_query(db, APK_BLOB_STR(tmp));
|
||||
reason = audit_directory(actx, db, dbd, &fi);
|
||||
struct apk_db_dir *child;
|
||||
int recurse = TRUE;
|
||||
|
||||
child = apk_db_dir_query(db, bfull);
|
||||
if (actx->mode == MODE_BACKUP) {
|
||||
if (!dbd->has_protected_children)
|
||||
recurse = FALSE;
|
||||
if (!dbd->protected)
|
||||
goto recurse_check;
|
||||
} else {
|
||||
if (child == NULL)
|
||||
recurse = FALSE;
|
||||
}
|
||||
|
||||
reason = audit_directory(actx, db, child, &fi);
|
||||
if (reason < 0)
|
||||
goto done;
|
||||
if (reason == 'D') {
|
||||
if (actx->mode == MODE_SYSTEM)
|
||||
goto done;
|
||||
if (!actx->recursive)
|
||||
recurse = FALSE;
|
||||
}
|
||||
|
||||
recurse_check:
|
||||
atctx->path[atctx->pathlen++] = '/';
|
||||
bfull.len++;
|
||||
report_audit(actx, reason, bfull, NULL);
|
||||
if (recurse) {
|
||||
reason = apk_dir_foreach_file(
|
||||
openat(dirfd, name, O_RDONLY|O_CLOEXEC),
|
||||
audit_directory_tree_item, atctx);
|
||||
}
|
||||
bfull.len--;
|
||||
atctx->pathlen--;
|
||||
} else {
|
||||
struct apk_db_file *dbf;
|
||||
dbf = apk_db_file_query(db, bdir, APK_BLOB_STR(de->d_name));
|
||||
reason = audit_file(actx, db, dbf, tmp);
|
||||
|
||||
if (actx->mode == MODE_BACKUP) {
|
||||
if (!dbd->protected)
|
||||
goto done;
|
||||
if (dbd->symlinks_only && !S_ISLNK(fi.mode))
|
||||
goto done;
|
||||
} else {
|
||||
if (dbd->protected)
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (reason) {
|
||||
if (apk_verbosity < 1)
|
||||
printf("%s\n", tmp);
|
||||
else
|
||||
printf("%c %s\n", reason, tmp);
|
||||
}
|
||||
}
|
||||
closedir(dir);
|
||||
|
||||
return 0;
|
||||
dbf = apk_db_file_query(db, bdir, bent);
|
||||
reason = audit_file(actx, db, dbf, dirfd, name);
|
||||
if (reason < 0)
|
||||
goto done;
|
||||
if (reason == 'A' && actx->mode == MODE_SYSTEM)
|
||||
goto done;
|
||||
report_audit(actx, reason, bfull, dbf ? dbf->diri->pkg : NULL);
|
||||
}
|
||||
|
||||
static int audit_backup(struct audit_ctx *actx, struct apk_database *db)
|
||||
{
|
||||
struct audit_tree_ctx atctx = {
|
||||
.actx = actx,
|
||||
.db = db,
|
||||
};
|
||||
return apk_hash_foreach(&db->installed.dirs, audit_directory_tree, &atctx);
|
||||
}
|
||||
|
||||
static int audit_system(struct audit_ctx *actx, struct apk_database *db)
|
||||
{
|
||||
struct apk_installed_package *ipkg;
|
||||
struct apk_package *pkg;
|
||||
struct apk_db_dir_instance *diri;
|
||||
struct apk_db_file *file;
|
||||
struct hlist_node *dn, *fn;
|
||||
char name[PATH_MAX];
|
||||
int done;
|
||||
|
||||
list_for_each_entry(ipkg, &db->installed.packages, installed_pkgs_list) {
|
||||
pkg = ipkg->pkg;
|
||||
hlist_for_each_entry(diri, dn, &ipkg->owned_dirs, pkg_dirs_list) {
|
||||
if (diri->dir->flags & APK_DBDIRF_PROTECTED)
|
||||
continue;
|
||||
|
||||
done = 0;
|
||||
hlist_for_each_entry(file, fn, &diri->owned_files,
|
||||
diri_files_list) {
|
||||
|
||||
snprintf(name, sizeof(name), "%s/%s",
|
||||
diri->dir->name, file->name);
|
||||
|
||||
if (audit_file(actx, db, file, name) == 0)
|
||||
continue;
|
||||
|
||||
if (apk_verbosity < 1) {
|
||||
printf("%s\n", pkg->name->name);
|
||||
done = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
printf("M %s\n", name);
|
||||
}
|
||||
if (done)
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int audit_parse(void *ctx, struct apk_db_options *dbopts,
|
||||
int optch, int optindex, const char *optarg)
|
||||
{
|
||||
struct audit_ctx *actx = (struct audit_ctx *) ctx;
|
||||
|
||||
switch (optch) {
|
||||
case 0x10000:
|
||||
actx->audit = audit_backup;
|
||||
break;
|
||||
case 0x10001:
|
||||
actx->audit = audit_system;
|
||||
break;
|
||||
case 0x10002:
|
||||
actx->check_permissions = 1;
|
||||
break;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
done:
|
||||
atctx->pathlen -= bent.len;
|
||||
return reason < 0 ? reason : 0;
|
||||
}
|
||||
|
||||
static int audit_main(void *ctx, struct apk_database *db, int argc, char **argv)
|
||||
{
|
||||
struct audit_ctx *actx = (struct audit_ctx *) ctx;
|
||||
struct audit_tree_ctx atctx;
|
||||
int i, r = 0;
|
||||
|
||||
if (actx->audit == NULL)
|
||||
return -EINVAL;
|
||||
atctx.db = db;
|
||||
atctx.actx = (struct audit_ctx *) ctx;
|
||||
atctx.pathlen = 0;
|
||||
atctx.path[0] = 0;
|
||||
|
||||
return actx->audit(actx, db);
|
||||
if (argc == 0) {
|
||||
r = apk_dir_foreach_file(dup(db->root_fd), audit_directory_tree_item, &atctx);
|
||||
} else {
|
||||
for (i = 0; i < argc; i++) {
|
||||
if (argv[i][0] != '/') {
|
||||
apk_warning("%s: relative path skipped.\n",
|
||||
argv[i]);
|
||||
continue;
|
||||
}
|
||||
argv[i]++;
|
||||
atctx.pathlen = strlen(argv[i]);
|
||||
memcpy(atctx.path, argv[i], atctx.pathlen);
|
||||
if (atctx.path[atctx.pathlen-1] != '/')
|
||||
atctx.path[atctx.pathlen++] = '/';
|
||||
|
||||
r |= apk_dir_foreach_file(
|
||||
openat(db->root_fd, argv[i], O_RDONLY|O_CLOEXEC),
|
||||
audit_directory_tree_item, &atctx);
|
||||
}
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
static struct apk_option audit_options[] = {
|
||||
{ 0x10000, "backup",
|
||||
"List all modified configuration files that need to be backed up" },
|
||||
{ 0x10001, "system", "Verify checksums of all installed files "
|
||||
"(-q to print only modfied packages)" },
|
||||
{ 0x10000, "backup", "List all modified configuration files (in "
|
||||
"protected_paths.d) that need to be backed up" },
|
||||
{ 0x10001, "system", "Verify checksums of all installed non-configuration files " },
|
||||
{ 0x10002, "check-permissions", "Check file and directory uid/gid/mode too" },
|
||||
{ 'r', "recursive", "List individually all entries in new directories" },
|
||||
{ 0x10003, "packages", "List only the changed packages (or names only with -q)" },
|
||||
};
|
||||
|
||||
static struct apk_applet apk_audit = {
|
||||
.name = "audit",
|
||||
.help = "Audit the filesystem for changes compared to installed "
|
||||
"database.",
|
||||
.help = "Audit the directories (defaults to all) for changes "
|
||||
"compared to installed database. Use -q to list only "
|
||||
"package names instead of files.",
|
||||
.arguments = "[directory to audit]...",
|
||||
.open_flags = APK_OPENF_READ|APK_OPENF_NO_SCRIPTS|APK_OPENF_NO_REPOS,
|
||||
.context_size = sizeof(struct audit_ctx),
|
||||
.num_options = ARRAY_SIZE(audit_options),
|
||||
|
|
179
src/database.c
179
src/database.c
|
@ -245,7 +245,7 @@ static void apk_db_dir_unref(struct apk_database *db, struct apk_db_dir *dir,
|
|||
dir->refs--;
|
||||
if (dir->refs > 0) {
|
||||
if (allow_rmdir) {
|
||||
dir->flags |= APK_DBDIRF_RECALC_MODE;
|
||||
dir->recalc_mode = 1;
|
||||
dir->mode = 0;
|
||||
dir->uid = (uid_t) -1;
|
||||
dir->gid = (gid_t) -1;
|
||||
|
@ -258,13 +258,13 @@ static void apk_db_dir_unref(struct apk_database *db, struct apk_db_dir *dir,
|
|||
if (allow_rmdir) {
|
||||
/* The final instance of this directory was removed,
|
||||
* so this directory gets deleted in reality too. */
|
||||
dir->flags &= ~APK_DBDIRF_RECALC_MODE;
|
||||
dir->recalc_mode = 0;
|
||||
dir->mode = 0;
|
||||
dir->uid = (uid_t) -1;
|
||||
dir->gid = (gid_t) -1;
|
||||
|
||||
unlinkat(db->root_fd, dir->name, AT_REMOVEDIR);
|
||||
} else if (dir->flags & APK_DBDIRF_RECALC_MODE) {
|
||||
} else if (dir->recalc_mode) {
|
||||
/* Directory permissions need a reset. */
|
||||
apk_db_dir_mkdir(db, dir);
|
||||
}
|
||||
|
@ -285,12 +285,13 @@ struct apk_db_dir *apk_db_dir_query(struct apk_database *db,
|
|||
return (struct apk_db_dir *) apk_hash_get(&db->installed.dirs, name);
|
||||
}
|
||||
|
||||
static struct apk_db_dir *apk_db_dir_get(struct apk_database *db,
|
||||
apk_blob_t name)
|
||||
struct apk_db_dir *apk_db_dir_get(struct apk_database *db, apk_blob_t name)
|
||||
{
|
||||
struct apk_db_dir *dir;
|
||||
struct apk_protected_path_array *ppaths;
|
||||
apk_blob_t bparent;
|
||||
unsigned long hash = apk_hash_from_key(&db->installed.dirs, name);
|
||||
char *relative_name;
|
||||
int i;
|
||||
|
||||
if (name.len && name.ptr[name.len-1] == '/')
|
||||
|
@ -311,38 +312,54 @@ static struct apk_db_dir *apk_db_dir_get(struct apk_database *db,
|
|||
dir->name[name.len] = 0;
|
||||
dir->namelen = name.len;
|
||||
dir->hash = hash;
|
||||
apk_protected_path_array_init(&dir->protected_paths);
|
||||
apk_hash_insert_hashed(&db->installed.dirs, dir, hash);
|
||||
|
||||
if (name.len == 0)
|
||||
if (name.len == 0) {
|
||||
dir->parent = NULL;
|
||||
else if (apk_blob_rsplit(name, '/', &bparent, NULL))
|
||||
dir->has_protected_children = 1;
|
||||
ppaths = NULL;
|
||||
} else if (apk_blob_rsplit(name, '/', &bparent, NULL)) {
|
||||
dir->parent = apk_db_dir_get(db, bparent);
|
||||
else
|
||||
dir->protected = dir->parent->protected;
|
||||
dir->has_protected_children = dir->protected;
|
||||
dir->symlinks_only = dir->parent->symlinks_only;
|
||||
ppaths = dir->parent->protected_paths;
|
||||
} else {
|
||||
dir->parent = apk_db_dir_get(db, APK_BLOB_NULL);
|
||||
|
||||
if (dir->parent != NULL)
|
||||
dir->flags = dir->parent->flags;
|
||||
|
||||
for (i = 0; i < db->protected_paths->num; i++) {
|
||||
int flags = dir->flags, j;
|
||||
|
||||
flags |= APK_DBDIRF_PROTECTED;
|
||||
for (j = 0; ; j++) {
|
||||
switch (db->protected_paths->item[i][j]) {
|
||||
case '-':
|
||||
flags &= ~(APK_DBDIRF_PROTECTED |
|
||||
APK_DBDIRF_SYMLINKS_ONLY);
|
||||
continue;
|
||||
case '*':
|
||||
flags |= APK_DBDIRF_SYMLINKS_ONLY |
|
||||
APK_DBDIRF_PROTECTED;
|
||||
continue;
|
||||
}
|
||||
break;
|
||||
ppaths = db->protected_paths;
|
||||
}
|
||||
|
||||
if (strcmp(&db->protected_paths->item[i][j], dir->name) == 0)
|
||||
dir->flags = flags;
|
||||
if (ppaths == NULL)
|
||||
return dir;
|
||||
|
||||
relative_name = strrchr(dir->rooted_name, '/') + 1;
|
||||
for (i = 0; i < ppaths->num; i++) {
|
||||
struct apk_protected_path *ppath = &ppaths->item[i];
|
||||
char *slash;
|
||||
|
||||
slash = strchr(ppath->relative_pattern, '/');
|
||||
if (slash != NULL) {
|
||||
*slash = 0;
|
||||
if (fnmatch(ppath->relative_pattern, relative_name, FNM_PATHNAME) != 0) {
|
||||
*slash = '/';
|
||||
continue;
|
||||
}
|
||||
*slash = '/';
|
||||
|
||||
*apk_protected_path_array_add(&dir->protected_paths) = (struct apk_protected_path) {
|
||||
.relative_pattern = slash + 1,
|
||||
.protected = ppath->protected,
|
||||
.symlinks_only = ppath->symlinks_only,
|
||||
};
|
||||
dir->has_protected_children |= ppath->protected;
|
||||
} else {
|
||||
if (fnmatch(ppath->relative_pattern, relative_name, FNM_PATHNAME) != 0)
|
||||
continue;
|
||||
|
||||
dir->protected = ppath->protected;
|
||||
dir->symlinks_only = ppath->symlinks_only;
|
||||
}
|
||||
}
|
||||
|
||||
return dir;
|
||||
|
@ -393,8 +410,8 @@ static void apk_db_diri_free(struct apk_database *db,
|
|||
struct apk_db_dir_instance *diri,
|
||||
int allow_rmdir)
|
||||
{
|
||||
if ((allow_rmdir == APK_DISALLOW_RMDIR) &&
|
||||
(diri->dir->flags & APK_DBDIRF_RECALC_MODE))
|
||||
if (allow_rmdir == APK_DISALLOW_RMDIR &&
|
||||
diri->dir->recalc_mode)
|
||||
apk_db_dir_apply_diri_permissions(diri);
|
||||
|
||||
apk_db_dir_unref(db, diri->dir, allow_rmdir);
|
||||
|
@ -407,6 +424,9 @@ struct apk_db_file *apk_db_file_query(struct apk_database *db,
|
|||
{
|
||||
struct apk_db_file_hash_key key;
|
||||
|
||||
if (dir.len && dir.ptr[dir.len-1] == '/')
|
||||
dir.len--;
|
||||
|
||||
key = (struct apk_db_file_hash_key) {
|
||||
.dirname = dir,
|
||||
.filename = name,
|
||||
|
@ -1120,8 +1140,67 @@ int apk_db_index_write(struct apk_database *db, struct apk_ostream *os)
|
|||
static int add_protected_path(void *ctx, apk_blob_t blob)
|
||||
{
|
||||
struct apk_database *db = (struct apk_database *) ctx;
|
||||
int protected = 0, symlinks_only = 0;
|
||||
|
||||
/* skip empty lines and comments */
|
||||
if (blob.len == 0)
|
||||
return 0;
|
||||
|
||||
switch (blob.ptr[0]) {
|
||||
case '#':
|
||||
return 0;
|
||||
case '-':
|
||||
blob.ptr++;
|
||||
blob.len--;
|
||||
break;
|
||||
case '@':
|
||||
protected = 1;
|
||||
symlinks_only = 1;
|
||||
blob.ptr++;
|
||||
blob.len--;
|
||||
break;
|
||||
case '+':
|
||||
protected = 1;
|
||||
blob.ptr++;
|
||||
blob.len--;
|
||||
break;
|
||||
default:
|
||||
protected = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
*apk_protected_path_array_add(&db->protected_paths) = (struct apk_protected_path) {
|
||||
.relative_pattern = apk_blob_cstr(blob),
|
||||
.protected = protected,
|
||||
.symlinks_only = symlinks_only,
|
||||
};
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int file_ends_with_dot_list(const char *file)
|
||||
{
|
||||
const char *ext = strrchr(file, '.');
|
||||
if (ext == NULL || strcmp(ext, ".list") != 0)
|
||||
return FALSE;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static int add_protected_paths_from_file(void *ctx, int dirfd, const char *file)
|
||||
{
|
||||
struct apk_database *db = (struct apk_database *) ctx;
|
||||
apk_blob_t blob;
|
||||
|
||||
if (!file_ends_with_dot_list(file))
|
||||
return 0;
|
||||
|
||||
blob = apk_blob_from_file(dirfd, file);
|
||||
if (APK_BLOB_IS_NULL(blob))
|
||||
return 0;
|
||||
|
||||
apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
|
||||
free(blob.ptr);
|
||||
|
||||
*apk_string_array_add(&db->protected_paths) = apk_blob_cstr(blob);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1238,10 +1317,8 @@ static int add_repos_from_file(void *ctx, int dirfd, const char *file)
|
|||
apk_blob_t blob;
|
||||
|
||||
if (dirfd != db->root_fd) {
|
||||
/* if loading from repositories.d,
|
||||
* the name must end in .list */
|
||||
const char *ext = strrchr(file, '.');
|
||||
if (ext == NULL || strcmp(ext, ".list") != 0)
|
||||
/* loading from repositories.d; check extension */
|
||||
if (!file_ends_with_dot_list(file))
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1282,7 +1359,7 @@ int apk_db_open(struct apk_database *db, struct apk_db_options *dbopts)
|
|||
list_init(&db->installed.packages);
|
||||
list_init(&db->installed.triggers);
|
||||
apk_dependency_array_init(&db->world);
|
||||
apk_string_array_init(&db->protected_paths);
|
||||
apk_protected_path_array_init(&db->protected_paths);
|
||||
db->permanent = 1;
|
||||
|
||||
/* Get first repository tag (the NULL tag) */
|
||||
|
@ -1348,8 +1425,11 @@ int apk_db_open(struct apk_database *db, struct apk_db_options *dbopts)
|
|||
}
|
||||
}
|
||||
|
||||
blob = APK_BLOB_STR("etc:*etc/init.d");
|
||||
apk_blob_for_each_segment(blob, ":", add_protected_path, db);
|
||||
blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n");
|
||||
apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
|
||||
|
||||
apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
|
||||
add_protected_paths_from_file, db);
|
||||
|
||||
/* figure out where to have the cache */
|
||||
fd = openat(db->root_fd, apk_linked_cache_dir, O_RDONLY | O_CLOEXEC);
|
||||
|
@ -1546,9 +1626,10 @@ void apk_db_close(struct apk_database *db)
|
|||
free(db->repos[i].description.ptr);
|
||||
}
|
||||
for (i = 0; i < db->protected_paths->num; i++)
|
||||
free(db->protected_paths->item[i]);
|
||||
free(db->protected_paths->item[i].relative_pattern);
|
||||
apk_protected_path_array_free(&db->protected_paths);
|
||||
|
||||
apk_dependency_array_free(&db->world);
|
||||
apk_string_array_free(&db->protected_paths);
|
||||
|
||||
apk_hash_free(&db->available.packages);
|
||||
apk_hash_free(&db->available.names);
|
||||
|
@ -1602,8 +1683,7 @@ static int fire_triggers(apk_hash_item item, void *ctx)
|
|||
int i;
|
||||
|
||||
list_for_each_entry(ipkg, &db->installed.triggers, trigger_pkgs_list) {
|
||||
if ((!ipkg->run_all_triggers) &&
|
||||
((dbd->flags & APK_DBDIRF_MODIFIED) == 0))
|
||||
if (!ipkg->run_all_triggers && !dbd->modified)
|
||||
continue;
|
||||
|
||||
for (i = 0; i < ipkg->triggers->num; i++) {
|
||||
|
@ -2243,7 +2323,7 @@ static void apk_db_purge_pkg(struct apk_database *db,
|
|||
|
||||
hlist_for_each_entry_safe(diri, dc, dn, &ipkg->owned_dirs, pkg_dirs_list) {
|
||||
if (exten == NULL)
|
||||
diri->dir->flags |= APK_DBDIRF_MODIFIED;
|
||||
diri->dir->modified = 1;
|
||||
|
||||
hlist_for_each_entry_safe(file, fc, fn, &diri->owned_files, diri_files_list) {
|
||||
snprintf(name, sizeof(name), "%s/%s%s",
|
||||
|
@ -2254,7 +2334,7 @@ static void apk_db_purge_pkg(struct apk_database *db,
|
|||
.filename = APK_BLOB_PTR_LEN(file->name, file->namelen),
|
||||
};
|
||||
hash = apk_blob_hash_seed(key.filename, diri->dir->hash);
|
||||
if (!(diri->dir->flags & APK_DBDIRF_PROTECTED) ||
|
||||
if ((!diri->dir->protected) ||
|
||||
(apk_flags & APK_PURGE) ||
|
||||
(file->csum.type != APK_CHECKSUM_NONE &&
|
||||
apk_file_get_info(db->root_fd, name, APK_FI_NOFOLLOW | file->csum.type, &fi) == 0 &&
|
||||
|
@ -2289,7 +2369,7 @@ static void apk_db_migrate_files(struct apk_database *db,
|
|||
|
||||
hlist_for_each_entry_safe(diri, dc, dn, &ipkg->owned_dirs, pkg_dirs_list) {
|
||||
dir = diri->dir;
|
||||
dir->flags |= APK_DBDIRF_MODIFIED;
|
||||
dir->modified = 1;
|
||||
|
||||
hlist_for_each_entry_safe(file, fc, fn, &diri->owned_files, diri_files_list) {
|
||||
snprintf(name, sizeof(name), "%s/%s",
|
||||
|
@ -2311,8 +2391,7 @@ static void apk_db_migrate_files(struct apk_database *db,
|
|||
/* We want to compare checksums only if one exists
|
||||
* in db, and the file is in a protected path */
|
||||
cstype = APK_CHECKSUM_NONE;
|
||||
if (ofile != NULL &&
|
||||
(diri->dir->flags & APK_DBDIRF_PROTECTED))
|
||||
if (ofile != NULL && diri->dir->protected)
|
||||
cstype = ofile->csum.type;
|
||||
cstype |= APK_FI_NOFOLLOW;
|
||||
|
||||
|
@ -2321,7 +2400,7 @@ static void apk_db_migrate_files(struct apk_database *db,
|
|||
/* File was from overlay, delete the
|
||||
* packages version */
|
||||
unlinkat(db->root_fd, tmpname, 0);
|
||||
} else if ((diri->dir->flags & APK_DBDIRF_PROTECTED) &&
|
||||
} else if ((diri->dir->protected) &&
|
||||
(r == 0) &&
|
||||
(ofile == NULL ||
|
||||
ofile->csum.type == APK_CHECKSUM_NONE ||
|
||||
|
|
|
@ -50,7 +50,7 @@ static int fix_parse(void *pctx, struct apk_db_options *dbopts,
|
|||
static int mark_recalculate(apk_hash_item item, void *ctx)
|
||||
{
|
||||
struct apk_db_dir *dir = (struct apk_db_dir *) item;
|
||||
dir->flags |= APK_DBDIRF_RECALC_MODE;
|
||||
dir->recalc_mode = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
5
src/io.c
5
src/io.c
|
@ -560,8 +560,11 @@ int apk_dir_foreach_file(int dirfd, apk_dir_file_cb cb, void *ctx)
|
|||
rewinddir(dir);
|
||||
|
||||
while ((de = readdir(dir)) != NULL) {
|
||||
if (de->d_name[0] == '.')
|
||||
if (de->d_name[0] == '.') {
|
||||
if (de->d_name[1] == 0 ||
|
||||
(de->d_name[1] == '.' && de->d_name[2] == 0))
|
||||
continue;
|
||||
}
|
||||
cb(ctx, dirfd, de->d_name);
|
||||
}
|
||||
closedir(dir);
|
||||
|
|
Loading…
Reference in New Issue