authorTimo Teräs <timo.teras@iki.fi>2023-04-10 20:18:21 +0300
committerTimo Teräs <timo.teras@iki.fi>2023-04-11 20:55:13 +0300
commitb33825b6a41730d11e8e1dfd15ae479ce2ea8bc2 (patch)
tree41d8b73eb542bb64571a96a463bddc21949b88e9
parentb3c4636ee213d8e37f21ecaae2748876b1063076 (diff)
audit: add --protected-paths to override the audit exceptions
-rw-r--r--doc/apk-audit.8.scd4
-rw-r--r--src/apk_database.h1
-rw-r--r--src/app_audit.c9
-rw-r--r--src/database.c12
4 files changed, 22 insertions, 4 deletions
diff --git a/doc/apk-audit.8.scd b/doc/apk-audit.8.scd
index 6c84b87..2294f8a 100644
--- a/doc/apk-audit.8.scd
+++ b/doc/apk-audit.8.scd
@@ -57,6 +57,10 @@ then the affected path. The changes detected are:
To repair all packages with modified files, one could use:
apk audit --packages -q | xargs apk fix
+*--protected-paths* _FILE_
+ Use given FILE for protected paths listings. This also makes apk ignore
+ the regular protected_paths.d directories.
+
*--system*
Audit all system files. All files provided by packages are verified
for integrity with the exception of configuration files (listed in
diff --git a/src/apk_database.h b/src/apk_database.h
index f70ae1c..90fb292 100644
--- a/src/apk_database.h
+++ b/src/apk_database.h
@@ -131,6 +131,7 @@ struct apk_db_options {
const char *keys_dir;
const char *cache_dir;
const char *repositories_file;
+ apk_blob_t protected_paths;
struct list_head repository_list;
};
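Review bot: The new `protected_paths` field carries an implicit contract that is not documented at its declaration: database.c selects the built-in defaults and `etc/apk/protected_paths.d` only when `APK_BLOB_IS_NULL(dbopts->protected_paths)` holds, so the field must start out as a null blob whenever `--protected-paths` is not given. That presumably holds if `struct apk_db_options` is zero-initialized by every caller, but nothing in this hunk establishes it, and a non-null garbage blob would silently replace the whole protected-path configuration. I would record the expectation next to the field: `apk_blob_t protected_paths; /* NULL blob: use built-in defaults + protected_paths.d; otherwise replaces both (set by --protected-paths) */`. The struct definition begins outside the hunk.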
diff --git a/src/app_audit.c b/src/app_audit.c
index 9b410c5..ecf3e22 100644
--- a/src/app_audit.c
+++ b/src/app_audit.c
@@ -39,6 +39,7 @@ struct audit_ctx {
OPT(OPT_AUDIT_backup, "backup") \
OPT(OPT_AUDIT_check_permissions, "check-permissions") \
OPT(OPT_AUDIT_packages, "packages") \
+ OPT(OPT_AUDIT_protected_paths, APK_OPT_ARG "protected-paths") \
OPT(OPT_AUDIT_recursive, APK_OPT_SH("r") "recursive") \
OPT(OPT_AUDIT_system, "system")
@@ -47,6 +48,7 @@ APK_OPT_APPLET(option_desc, AUDIT_OPTIONS);
static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt, const char *optarg)
{
struct audit_ctx *actx = (struct audit_ctx *) ctx;
+ int r;
switch (opt) {
case OPT_AUDIT_backup:
@@ -61,6 +63,13 @@ static int option_parse_applet(void *ctx, struct apk_db_options *dbopts, int opt
case OPT_AUDIT_packages:
actx->packages_only = 1;
break;
+ case OPT_AUDIT_protected_paths:
+ r = apk_blob_from_file(AT_FDCWD, optarg, &dbopts->protected_paths);
+ if (r) {
+ apk_error("unable to read protected path file: %s: %s", optarg, apk_error_str(r));
+ return r;
+ }
+ break;
case OPT_AUDIT_recursive:
actx->recursive = 1;
break;
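Review bot: The `OPT_AUDIT_protected_paths` case overwrites `dbopts->protected_paths` unconditionally, so if the option is given twice the blob loaded from the first file is dropped without release; if `apk_blob_from_file` allocates the buffer for the blob (its signature suggests it fills the blob from the file contents), that is a leak, and no matching release of `dbopts->protected_paths` is visible anywhere in this commit. For a short-lived applet this is mostly cosmetic, but it is worth either rejecting a repeated option or releasing the earlier blob before the reassignment, with the exact free helper chosen to match what `apk_blob_from_file` allocates with. Note also that the file is resolved via `AT_FDCWD`, i.e. relative to the caller's working directory rather than `db->root_fd`; that is reasonable for a user-supplied override, but a one-line comment such as `/* read relative to cwd, not --root: the file is supplied by the operator, not the audited system */` would stop a later reader from "fixing" it. The enclosing `option_parse_applet` switch starts and ends outside this hunk.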
diff --git a/src/database.c b/src/database.c
index 9cad108..282e3a0 100644
--- a/src/database.c
+++ b/src/database.c
@@ -1653,11 +1653,15 @@ int apk_db_open(struct apk_database *db, struct apk_db_options *dbopts)
}
}
- blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
- apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
+ if (!APK_BLOB_IS_NULL(dbopts->protected_paths)) {
+ apk_blob_for_each_segment(dbopts->protected_paths, "\n", add_protected_path, db);
+ } else {
+ blob = APK_BLOB_STR("+etc\n" "@etc/init.d\n" "!etc/apk\n");
+ apk_blob_for_each_segment(blob, "\n", add_protected_path, db);
- apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
- add_protected_paths_from_file, db);
+ apk_dir_foreach_file(openat(db->root_fd, "etc/apk/protected_paths.d", O_RDONLY | O_CLOEXEC),
+ add_protected_paths_from_file, db);
+ }
/* figure out where to have the cache */
fd = openat(db->root_fd, dbopts->cache_dir, O_RDONLY | O_CLOEXEC);
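Review bot: When `dbopts->protected_paths` is non-null the new branch skips not only `etc/apk/protected_paths.d` but also the built-in `+etc`, `@etc/init.d` and `!etc/apk` entries, whereas the man page text in this same commit only promises that the `protected_paths.d` directories are ignored. That matters for the audit result: an operator who supplies a file expecting it to be additive will silently lose the default treatment of `etc/apk` (whatever `!` denotes in `add_protected_path`, which is not visible here), so the override semantics should be stated explicitly either in the documentation or at this site, e.g. `/* --protected-paths fully replaces the built-in defaults and protected_paths.d; the file must list everything it wants protected */`. It is also not visible from this hunk what `apk_blob_for_each_segment` does with an empty or newline-less file, so a zero-length override file deserves a test. `apk_db_open` starts and ends outside the hunk.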