Commit 5b48b855 authored by Timo Teräs's avatar Timo Teräs

audit: protection mask for "symlinks only"

and use it for /etc/init.d by default. fixes #99.
parent 60c668f1
...@@ -37,6 +37,7 @@ struct apk_db_file { ...@@ -37,6 +37,7 @@ struct apk_db_file {
}; };
#define APK_DBDIRF_PROTECTED 0x0001 #define APK_DBDIRF_PROTECTED 0x0001
#define APK_DBDIRF_SYMLINKS_ONLY 0x0002
struct apk_db_dir { struct apk_db_dir {
apk_hash_node hash_node; apk_hash_node hash_node;
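Review bot: The new APK_DBDIRF_SYMLINKS_ONLY bit is introduced without a comment, and its meaning is only recoverable from the audit.c and database.c hunks of this commit (the bit only narrows a non-system audit, and is only ever set together with APK_DBDIRF_PROTECTED by the '*' prefix). Suggest `#define APK_DBDIRF_SYMLINKS_ONLY 0x0002 /* audit only symlinks here (set by '*' prefix) */` so a reader of the header does not have to find the parser.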
...@@ -56,6 +56,11 @@ static int audit_directory(apk_hash_item item, void *ctx) ...@@ -56,6 +56,11 @@ static int audit_directory(apk_hash_item item, void *ctx)
if (apk_file_get_info(tmp, APK_CHECKSUM_NONE, &fi) < 0) if (apk_file_get_info(tmp, APK_CHECKSUM_NONE, &fi) < 0)
continue; continue;
if (!(actx->type & AUDIT_SYSTEM) &&
(dbd->flags & APK_DBDIRF_SYMLINKS_ONLY) &&
!S_ISLNK(fi.mode))
continue;
if (S_ISDIR(fi.mode)) { if (S_ISDIR(fi.mode)) {
if (apk_db_dir_query(db, APK_BLOB_STR(tmp)) != NULL) if (apk_db_dir_query(db, APK_BLOB_STR(tmp)) != NULL)
continue; continue;
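Review bot: The added skip only works because fi.mode now describes the link itself, which holds solely because apk_file_get_info() was switched to lstat() in the same commit; nothing at this site records that dependency, and with a stat()-based helper S_ISLNK() would never be true and every entry of a symlinks-only directory would be silently dropped from a non-system audit. Placing the test before the S_ISDIR() branch also means a real subdirectory of a symlinks-only directory is neither reported nor recursed into in that mode, which may be intended but is not stated. Suggest a comment above the new condition: `/* symlinks-only dirs (e.g. etc/init.d): in a non-system audit only the links are user state; fi.mode comes from lstat(), so S_ISLNK() is meaningful */`. audit_directory() starts and ends outside the hunk.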
...@@ -235,11 +235,25 @@ static struct apk_db_dir *apk_db_dir_get(struct apk_database *db, ...@@ -235,11 +235,25 @@ static struct apk_db_dir *apk_db_dir_get(struct apk_database *db,
dir->flags = dir->parent->flags; dir->flags = dir->parent->flags;
for (i = 0; i < db->protected_paths->num; i++) { for (i = 0; i < db->protected_paths->num; i++) {
if (db->protected_paths->item[i][0] == '-' && int flags = dir->flags, j;
strcmp(&db->protected_paths->item[i][1], dir->name) == 0)
dir->flags &= ~APK_DBDIRF_PROTECTED; flags |= APK_DBDIRF_PROTECTED;
else if (strcmp(db->protected_paths->item[i], dir->name) == 0) for (j = 0; ; j++) {
dir->flags |= APK_DBDIRF_PROTECTED; switch (db->protected_paths->item[i][j]) {
case '-':
flags &= ~(APK_DBDIRF_PROTECTED |
APK_DBDIRF_SYMLINKS_ONLY);
continue;
case '*':
flags |= APK_DBDIRF_SYMLINKS_ONLY |
APK_DBDIRF_PROTECTED;
continue;
}
break;
}
if (strcmp(&db->protected_paths->item[i][j], dir->name) == 0)
dir->flags = flags;
} }
return dir; return dir;
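Review bot: The prefix grammar the new inner loop parses is undocumented: a leading '-' clears both protection bits, a leading '*' sets both, several prefix characters may be stacked with the last one winning, and an unprefixed entry sets APK_DBDIRF_PROTECTED while keeping whatever APK_DBDIRF_SYMLINKS_ONLY bit was inherited through `dir->flags = dir->parent->flags`, so a plain entry for a child of a '*' directory stays symlinks-only — possibly intended, but it is the one case the old `&= ~APK_DBDIRF_PROTECTED` / `|= APK_DBDIRF_PROTECTED` code did not have. A comment above the `for (i = 0; ...)` loop stating the grammar and the inheritance rule would also make the default list `etc:*etc/init.d` in the apk_db_open hunk self-explanatory. As a point of style, the `switch` has no `default:` arm and relies on the `break;` after it to leave the prefix loop; `default: goto done;` or a short comment on that `break;` would make the exit explicit. apk_db_dir_get() starts outside the hunk.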
...@@ -895,7 +909,7 @@ int apk_db_open(struct apk_database *db, const char *root, unsigned int flags) ...@@ -895,7 +909,7 @@ int apk_db_open(struct apk_database *db, const char *root, unsigned int flags)
} }
} }
blob = APK_BLOB_STR("etc:-etc/init.d"); blob = APK_BLOB_STR("etc:*etc/init.d");
apk_blob_for_each_segment(blob, ":", add_protected_path, db); apk_blob_for_each_segment(blob, ":", add_protected_path, db);
if (root != NULL) { if (root != NULL) {
...@@ -468,7 +468,7 @@ int apk_file_get_info(const char *filename, int checksum, struct apk_file_info * ...@@ -468,7 +468,7 @@ int apk_file_get_info(const char *filename, int checksum, struct apk_file_info *
struct stat st; struct stat st;
struct apk_bstream *bs; struct apk_bstream *bs;
if (stat(filename, &st) != 0) if (lstat(filename, &st) != 0)
return -errno; return -errno;
*fi = (struct apk_file_info) { *fi = (struct apk_file_info) {
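Review bot: Switching stat() to lstat() changes what every field copied from st describes for a symbolic link — the link itself rather than its target — and nothing at the call site says that callers now depend on it (audit_directory() tests S_ISLNK(fi.mode)), nor that `S_ISDIR(fi.mode)` no longer holds for a symlink to a directory, so such links will no longer be descended into by code that used to see them as directories. If the rest of the function (outside the hunk; the `bs` declaration suggests the file is opened for checksumming) opens filename, that open still follows the link, so a symlink would be reported with link metadata but target content — worth confirming and noting. Suggest `/* lstat(): describe the link itself, not its target; audit relies on S_ISLNK(fi->mode) */` above the call.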