audit: add --protected-paths to override the audit exceptions

4 files changed, 22 insertions, 4 deletions

diff --git a/doc/apk-audit.8.scd b/doc/apk-audit.8.scd
index 6c84b87..2294f8a 100644
--- a/doc/apk-audit.8.scd
+++ b/doc/apk-audit.8.scd
@@ -57,6 +57,10 @@ then the affected path. The changes detected are:
 	To repair all packages with modified files, one could use:
 		apk audit --packages -q | xargs apk fix
 
+*--protected-paths* _FILE_
+	Use given FILE for protected paths listings. This also makes apk ignore
+	the regular protected_paths.d directories.
+
 *--system*
 	Audit all system files. All files provided by packages are verified
 	for integrity with the exception of configuration files (listed in
diff --git a/src/apk_database.h b/src/apk_database.h
index f70ae1c..90fb292 100644
--- a/src/apk_database.h
+++ b/src/apk_database.h
@@ -131,6 +131,7 @@ struct apk_db_options {
 	const char *keys_dir;
 	const char *cache_dir;
 	const char *repositories_file;
+	apk_blob_t protected_paths;
 	struct list_head repository_list;
 };
 
diff --git a/src/app_audit.c b/src/app_audit.c
index 9b410c5..ecf3e22 100644
--- a/src/app_audit.c
+++ b/src/app_audit.c
@@ -39,6 +39,7 @@ struct audit_ctx {
 	OPT(OPT_AUDIT_backup,			"backup") \
 	OPT(OPT_AUDIT_check_permissions,	"check-permissions") \
 	OPT(OPT_AUDIT_packages,			"packages") \
+	OPT(OPT_AUDIT_protected_paths,		APK_OPT_ARG "protected-paths") \
 	OPT(OPT_AUDIT_recursive,		APK_OPT_SH("r") "recursive") \
 	OPT(OPT_AUDIT_system,			"system")
 
@@ -47,6 +48,7 @@ APK_OPT_APPLET(option_desc, AUDIT_OPTIONS);
 static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt, const char *optarg)
 {
 	struct audit_ctx *actx = (struct audit_ctx *) ctx;
+	int r;
 
 	switch (opt) {
 	case OPT_AUDIT_backup:
@@ -61,6 +63,13 @@ static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt
 	case OPT_AUDIT_packages:
 		actx->packages_only = 1;
 		break;
+	case OPT_AUDIT_protected_paths:
+		r = apk_blob_from_file(AT_FDCWD, optarg, &dbopts->protected_paths);
+		if (r) {
+			apk_error("unable to read protected path file: %s: %s", optarg, apk_error_str(r));
+			return r;
+		}
+		break;
 	case OPT_AUDIT_recursive:
 		actx->recursive = 1;
 		break;
diff --git a/src/database.c b/src/database.c
index 9cad108..282e3a0 100644
--- a/src/database.c
+++ b/src/database.c
@@ -1653,11 +1653,15 @@ int apk_db_open(struct apk_database *db, struct apk_db_options *dbopts)
 		}
 	}
 
-	blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
-	apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
+	if (!APK_BLOB_IS_NULL(dbopts->protected_paths)) {
+		apk_blob_for_each_segment(dbopts->protected_paths, "\n", add_protected_path, db);
+	} else {
+		blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
+		apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
 
-	apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
-			     add_protected_paths_from_file, db);
+		apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
+				     add_protected_paths_from_file, db);
+	}
 
 	/* figure out where to have the cache */
 	fd = openat(db->root_fd, dbopts->cache_dir, O_RDONLY | O_CLOEXEC);