author | Timo Teräs <timo.teras@iki.fi> | 2023-04-10 20:18:21 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2023-04-10 21:30:30 +0300 |
commit | 423349f97fb5f2015dd6463a15550bb90dcd72b0 (patch) | |
tree | f70fceb38136367b96f6324e0769d4bc0ca08df9 | |
parent | 6ded697826ad97609d56b286c1c4e43b68f400d8 (diff) | |
audit: add --protected-paths to override the audit exceptions
-rw-r--r-- | doc/apk-audit.8.scd | 4 | ||||
-rw-r--r-- | src/apk_context.h | 1 | ||||
-rw-r--r-- | src/app_audit.c | 10 | ||||
-rw-r--r-- | src/database.c | 12 |
4 files changed, 23 insertions, 4 deletions
diff --git a/doc/apk-audit.8.scd b/doc/apk-audit.8.scd
index 6c84b87..2294f8a 100644
--- a/doc/apk-audit.8.scd
+++ b/doc/apk-audit.8.scd
@@ -57,6 +57,10 @@ then the affected path. The changes detected are:
 To repair all packages with modified files, one could use:
 	apk audit --packages -q | xargs apk fix
+*--protected-paths* _FILE_
+	Use given FILE for protected paths listings. This also makes apk ignore
+	the regular protected_paths.d directories.
+
 *--system*
 	Audit all system files. All files provided by packages are verified
 	for integrity with the exception of configuration files (listed in
diff --git a/src/apk_context.h b/src/apk_context.h
index 6a0a758..8de3d92 100644
--- a/src/apk_context.h
+++ b/src/apk_context.h
@@ -72,6 +72,7 @@ struct apk_ctx {
 	const char *repositories_file;
 	const char *uvol;
 	struct apk_string_array *repository_list;
+	apk_blob_t protected_paths;
 	struct apk_trust trust;
 	struct apk_id_cache id_cache;
diff --git a/src/app_audit.c b/src/app_audit.c
index 0557a0f..f9f6690 100644
--- a/src/app_audit.c
+++ b/src/app_audit.c
@@ -40,6 +40,7 @@ struct audit_ctx {
 	OPT(OPT_AUDIT_backup, "backup") \
 	OPT(OPT_AUDIT_check_permissions, "check-permissions") \
 	OPT(OPT_AUDIT_packages, "packages") \
+	OPT(OPT_AUDIT_protected_paths, APK_OPT_ARG "protected-paths") \
 	OPT(OPT_AUDIT_recursive, APK_OPT_SH("r") "recursive") \
 	OPT(OPT_AUDIT_system, "system")
 
@@ -48,6 +49,8 @@ APK_OPT_APPLET(option_desc, AUDIT_OPTIONS);
 static int option_parse_applet(void *applet_ctx, struct apk_ctx *ac, int opt, const char *optarg)
 {
 	struct audit_ctx *actx = (struct audit_ctx *) applet_ctx;
+	struct apk_out *out = &ac->out;
+	int r;
 
 	switch (opt) {
 	case OPT_AUDIT_backup:
@@ -62,6 +65,13 @@ static int option_parse_applet(void *applet_ctx, struct apk_ctx *ac, int opt, co
 	case OPT_AUDIT_packages:
 		actx->packages_only = 1;
 		break;
+	case OPT_AUDIT_protected_paths:
+		r = apk_blob_from_file(AT_FDCWD, optarg, &ac->protected_paths);
+		if (r) {
+			apk_err(out, "unable to read protected path file: %s: %s", optarg, apk_error_str(r));
+			return r;
+		}
+		break;
 	case OPT_AUDIT_recursive:
 		actx->recursive = 1;
 		break;
diff --git a/src/database.c b/src/database.c
index d7b2aa9..50d6621 100644
--- a/src/database.c
+++ b/src/database.c
@@ -1747,11 +1747,15 @@ int apk_db_open(struct apk_database *db, struct apk_ctx *ac)
 		goto ret_errno;
 	}
 
-	blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
-	apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
+	if (!APK_BLOB_IS_NULL(ac->protected_paths)) {
+		apk_blob_for_each_segment(ac->protected_paths, "\n", add_protected_path, db);
+	} else {
+		blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
+		apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
 
-	apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
-			add_protected_paths_from_file, db);
+		apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
+				add_protected_paths_from_file, db);
+	}
 
 	/* figure out where to have the cache */
 	if (!(db->ctx->flags & APK_NO_CACHE)) {
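Review bot: The new OPT_AUDIT_protected_paths case writes ac->protected_paths unconditionally, so if --protected-paths is given twice the blob produced by the first apk_blob_from_file call is overwritten; if that helper allocates the buffer it fills (it takes the blob by pointer, which suggests it does, but the helper is not in the hunk), the first buffer leaks, and I also do not see a matching release of ac->protected_paths anywhere in this commit. Either reject a repeated option before the second read or free the previous blob first, e.g. `if (!APK_BLOB_IS_NULL(ac->protected_paths)) { /* release previous blob */ }` ahead of the call. The file is opened via AT_FDCWD rather than the database root, so under --root it resolves against the invoking process's working directory; that is a reasonable choice for an operator-supplied file but deserves a one-line comment such as `/* resolved relative to cwd, not --root */` so nobody later "fixes" it to root_fd silently. option_parse_applet starts and ends outside this hunk.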
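Review bot: The new branch keys only on APK_BLOB_IS_NULL(ac->protected_paths), so an existing but empty --protected-paths file (a zero-length blob with a non-null pointer, if that is what apk_blob_from_file returns for it) silently discards the built-in `+etc`, `@etc/init.d`, `!etc/apk` rules and skips protected_paths.d, which means the audit no longer treats `etc/apk` as excluded. If auditing with no exceptions at all is the intended meaning of an empty file, say so in a comment above the if, e.g. `/* an explicit --protected-paths file fully replaces the built-in rules and protected_paths.d */`; otherwise treat an empty blob the same as "not given". apk_db_open starts and ends outside this hunk.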