authorTimo Teräs <timo.teras@iki.fi>2023-04-10 20:18:21 +0300
committerTimo Teräs <timo.teras@iki.fi>2023-04-10 21:30:30 +0300
commit423349f97fb5f2015dd6463a15550bb90dcd72b0 (patch)
treef70fceb38136367b96f6324e0769d4bc0ca08df9
parent6ded697826ad97609d56b286c1c4e43b68f400d8 (diff)
audit: add --protected-paths to override the audit exceptions
-rw-r--r--doc/apk-audit.8.scd4
-rw-r--r--src/apk_context.h1
-rw-r--r--src/app_audit.c10
-rw-r--r--src/database.c12
4 files changed, 23 insertions, 4 deletions
diff --git a/doc/apk-audit.8.scd b/doc/apk-audit.8.scd
index 6c84b87..2294f8a 100644
--- a/doc/apk-audit.8.scd
+++ b/doc/apk-audit.8.scd
@@ -57,6 +57,10 @@ then the affected path. The changes detected are:
To repair all packages with modified files, one could use:
apk audit --packages -q | xargs apk fix
+*--protected-paths* _FILE_
+ Use given FILE for protected paths listings. This also makes apk ignore
+ the regular protected_paths.d directories.
+
*--system*
Audit all system files. All files provided by packages are verified
for integrity with the exception of configuration files (listed in
diff --git a/src/apk_context.h b/src/apk_context.h
index 6a0a758..8de3d92 100644
--- a/src/apk_context.h
+++ b/src/apk_context.h
@@ -72,6 +72,7 @@ struct apk_ctx {
const char *repositories_file;
const char *uvol;
struct apk_string_array *repository_list;
+ apk_blob_t protected_paths;
struct apk_trust trust;
struct apk_id_cache id_cache;
diff --git a/src/app_audit.c b/src/app_audit.c
index 0557a0f..f9f6690 100644
--- a/src/app_audit.c
+++ b/src/app_audit.c
@@ -40,6 +40,7 @@ struct audit_ctx {
OPT(OPT_AUDIT_backup, "backup") \
OPT(OPT_AUDIT_check_permissions, "check-permissions") \
OPT(OPT_AUDIT_packages, "packages") \
+ OPT(OPT_AUDIT_protected_paths, APK_OPT_ARG "protected-paths") \
OPT(OPT_AUDIT_recursive, APK_OPT_SH("r") "recursive") \
OPT(OPT_AUDIT_system, "system")
@@ -48,6 +49,8 @@ APK_OPT_APPLET(option_desc, AUDIT_OPTIONS);
static int option_parse_applet(void *applet_ctx, struct apk_ctx *ac, int opt, const char *optarg)
{
struct audit_ctx *actx = (struct audit_ctx *) applet_ctx;
+ struct apk_out *out = &ac->out;
+ int r;
switch (opt) {
case OPT_AUDIT_backup:
@@ -62,6 +65,13 @@ static int option_parse_applet(void *applet_ctx, struct apk_ctx *ac, int opt, co
case OPT_AUDIT_packages:
actx->packages_only = 1;
break;
+ case OPT_AUDIT_protected_paths:
+ r = apk_blob_from_file(AT_FDCWD, optarg, &ac->protected_paths);
+ if (r) {
+ apk_err(out, "unable to read protected path file: %s: %s", optarg, apk_error_str(r));
+ return r;
+ }
+ break;
case OPT_AUDIT_recursive:
actx->recursive = 1;
break;
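Review bot: A repeated `--protected-paths` overwrites `ac->protected_paths` in the new `OPT_AUDIT_protected_paths` case without releasing whatever the earlier call produced, and nothing in this commit frees the blob when the context is torn down; if `apk_blob_from_file` allocates the buffer (it appears to, since the data must outlive option parsing), the previous contents should be released before the call and the final one freed wherever `apk_ctx` is cleaned up. A comment on the case would settle ownership for the next reader, e.g. `/* ac->protected_paths is filled by apk_blob_from_file and consumed by apk_db_open; released with the context */`. Note also that the listing is opened relative to the caller's working directory (`AT_FDCWD`), not `db->root_fd` like `protected_paths.d`, which is reasonable for an operator-supplied option but worth a one-line comment since the two sources differ. option_parse_applet's body continues outside the hunk.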
diff --git a/src/database.c b/src/database.c
index d7b2aa9..50d6621 100644
--- a/src/database.c
+++ b/src/database.c
@@ -1747,11 +1747,15 @@ int apk_db_open(struct apk_database *db, struct apk_ctx *ac)
goto ret_errno;
}
- blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
- apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
+ if (!APK_BLOB_IS_NULL(ac->protected_paths)) {
+ apk_blob_for_each_segment(ac->protected_paths, "\n", add_protected_path, db);
+ } else {
+ blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
+ apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
- apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
- add_protected_paths_from_file, db);
+ apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
+ add_protected_paths_from_file, db);
+ }
/* figure out where to have the cache */
if (!(db->ctx->flags & APK_NO_CACHE)) {
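Review bot: The new `if`/`else` in apk_db_open makes a user-supplied listing replace not only `protected_paths.d` but also the built-in defaults (`+etc`, `@etc/init.d`, `!etc/apk`), so a file that omits `!etc/apk` changes how `etc/apk` is treated; that is presumably intended, but the man page hunk only says the directories are ignored. A comment above the branch would make the contract explicit: `/* --protected-paths replaces the built-in defaults and protected_paths.d wholesale; it is not merged with them */`. It is also worth confirming what `apk_blob_from_file` yields for an empty file: if that is a zero-length but non-null blob, an empty listing silently leaves no protected paths at all instead of falling back to the defaults, which deserves a sentence in the documentation either way. apk_db_open continues on both sides of the hunk.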