diff options
author | Timo Teräs <timo.teras@iki.fi> | 2012-02-14 16:31:40 +0200 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2012-02-14 16:31:40 +0200 |
commit | ab20d618329f481d05fd9f1a94bfd2b6bbd5389c (patch) | |
tree | 13fe602093f408314fc97d67c15f99676599252a | |
parent | 97bd260bfd27337ff348180ecc51a8eb798a2651 (diff) | |
download | apk-tools-ab20d618329f481d05fd9f1a94bfd2b6bbd5389c.tar.gz apk-tools-ab20d618329f481d05fd9f1a94bfd2b6bbd5389c.tar.bz2 apk-tools-ab20d618329f481d05fd9f1a94bfd2b6bbd5389c.tar.xz apk-tools-ab20d618329f481d05fd9f1a94bfd2b6bbd5389c.zip |
audit: check dirent mode, uid and gid if requested
-rw-r--r-- | src/audit.c | 103 |
1 files changed, 71 insertions, 32 deletions
diff --git a/src/audit.c b/src/audit.c index d6a66b7..b1fbef5 100644 --- a/src/audit.c +++ b/src/audit.c @@ -20,34 +20,71 @@ struct audit_ctx { unsigned int open_flags; - int (*audit)(struct apk_database *db); + int check_permissions : 1; + int (*audit)(struct audit_ctx *actx, struct apk_database *db); }; -static int audit_file(struct apk_database *db, struct apk_db_file *dbf, +static int audit_file(struct audit_ctx *actx, + struct apk_database *db, + struct apk_db_file *dbf, const char *name) { struct apk_file_info fi; + if (dbf == NULL) + return 'A'; + if (apk_file_get_info(db->root_fd, name, APK_FI_NOFOLLOW | dbf->csum.type, &fi) != 0) - return 1; + return 0; if (dbf->csum.type != APK_CHECKSUM_NONE && apk_checksum_compare(&fi.csum, &dbf->csum) == 0) - return 0; + return 'U'; if (S_ISLNK(fi.mode) && dbf->csum.type == APK_CHECKSUM_NONE) - return 0; + return 'U'; + + if (actx->check_permissions && + (dbf->mode != 0 || dbf->uid != 0 || dbf->gid != 0)) { + if ((fi.mode & 07777) != (dbf->mode & 07777)) + return 'M'; + if (fi.uid != dbf->uid || fi.gid != dbf->gid) + return 'M'; + } - /* FIXME: check uid/gid/mode; but they are not in DB */ + return 0; +} + +static int audit_directory(struct audit_ctx *actx, + struct apk_database *db, + struct apk_db_dir *dbd, + struct apk_file_info *fi) +{ + if (dbd == NULL) + return 'D'; + + if (actx->check_permissions && + (dbd->mode != 0 || dbd->uid != 0 || dbd->gid != 0)) { + if ((fi->mode & 07777) != (dbd->mode & 07777)) + return 'm'; + if (fi->uid != dbd->uid || fi->gid != dbd->gid) + return 'm'; + } - return 1; + return 0; } -static int audit_directory(apk_hash_item item, void *ctx) +struct audit_tree_ctx { + struct audit_ctx *actx; + struct apk_database *db; +}; + +static int audit_directory_tree(apk_hash_item item, void *ctx) { - struct apk_database *db = (struct apk_database *) ctx; + struct audit_tree_ctx *atctx = (struct audit_tree_ctx *) ctx; + struct audit_ctx *actx = atctx->actx; + struct apk_database *db = atctx->db; struct apk_db_dir *dbd = (struct apk_db_dir *) item; - struct apk_db_file *dbf; struct apk_file_info fi; struct dirent *de; apk_blob_t bdir = APK_BLOB_PTR_LEN(dbd->name, dbd->namelen); @@ -76,39 +113,37 @@ static int audit_directory(apk_hash_item item, void *ctx) continue; if (S_ISDIR(fi.mode)) { - if (apk_db_dir_query(db, APK_BLOB_STR(tmp)) != NULL) { - /* FIXME: check uid/gid/mode */ - continue; - } - - reason = 'D'; + struct apk_db_dir *dbd; + dbd = apk_db_dir_query(db, APK_BLOB_STR(tmp)); + reason = audit_directory(actx, db, dbd, &fi); } else { + struct apk_db_file *dbf; dbf = apk_db_file_query(db, bdir, APK_BLOB_STR(de->d_name)); - if (dbf != NULL) { - if (audit_file(db, dbf, tmp) == 0) - continue; - reason = 'U'; - } else { - reason = 'A'; - } + reason = audit_file(actx, db, dbf, tmp); } - if (apk_verbosity < 1) - printf("%s\n", tmp); - else - printf("%c %s\n", reason, tmp); + if (reason) { + if (apk_verbosity < 1) + printf("%s\n", tmp); + else + printf("%c %s\n", reason, tmp); + } } closedir(dir); return 0; } -static int audit_backup(struct apk_database *db) +static int audit_backup(struct audit_ctx *actx, struct apk_database *db) { - return apk_hash_foreach(&db->installed.dirs, audit_directory, db); + struct audit_tree_ctx atctx = { + .actx = actx, + .db = db, + }; + return apk_hash_foreach(&db->installed.dirs, audit_directory_tree, &atctx); } -static int audit_system(struct apk_database *db) +static int audit_system(struct audit_ctx *actx, struct apk_database *db) { struct apk_installed_package *ipkg; struct apk_package *pkg; @@ -131,7 +166,7 @@ static int audit_system(struct apk_database *db) snprintf(name, sizeof(name), "%s/%s", diri->dir->name, file->name); - if (audit_file(db, file, name) == 0) + if (audit_file(actx, db, file, name) == 0) continue; if (apk_verbosity < 1) { @@ -162,6 +197,9 @@ static int audit_parse(void *ctx, struct apk_db_options *dbopts, case 0x10001: actx->audit = audit_system; break; + case 0x10002: + actx->check_permissions = 1; + break; default: return -1; } @@ -175,7 +213,7 @@ static int audit_main(void *ctx, struct apk_database *db, int argc, char **argv) if (actx->audit == NULL) return -EINVAL; - return actx->audit(db); + return actx->audit(actx, db); } static struct apk_option audit_options[] = { @@ -183,6 +221,7 @@ static struct apk_option audit_options[] = { "List all modified configuration files that need to be backed up" }, { 0x10001, "system", "Verify checksums of all installed files " "(-q to print only modfied packages)" }, + { 0x10002, "check-permissions", "Check file and directory uid/gid/mode too" }, }; static struct apk_applet apk_audit = { |