From 5b48b855600aa316e3c9385e998c68ad757794a2 Mon Sep 17 00:00:00 2001
From: Timo Teras
Date: Thu, 30 Jul 2009 10:42:20 +0300
Subject: audit: protection mask for "symlinks only" and use it for /etc/init.d by default.

fixes #99.
---
 src/apk_database.h | 1 +
 src/audit.c | 5 +++++
 src/database.c | 26 ++++++++++++++++++++------
 src/io.c | 2 +-
 4 files changed, 27 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/apk_database.h b/src/apk_database.h
index 35b0da1..241719d 100644
--- a/src/apk_database.h
+++ b/src/apk_database.h
@@ -37,6 +37,7 @@ struct apk_db_file {
 };
 
 #define APK_DBDIRF_PROTECTED 0x0001
+#define APK_DBDIRF_SYMLINKS_ONLY 0x0002
 
 struct apk_db_dir {
 apk_hash_node hash_node;
diff --git a/src/audit.c b/src/audit.c
index fe72c88..31965df 100644
--- a/src/audit.c
+++ b/src/audit.c
@@ -56,6 +56,11 @@ static int audit_directory(apk_hash_item item, void *ctx)
 if (apk_file_get_info(tmp, APK_CHECKSUM_NONE, &fi) < 0)
 continue;
 
+ if (!(actx->type & AUDIT_SYSTEM) &&
+ (dbd->flags & APK_DBDIRF_SYMLINKS_ONLY) &&
+ !S_ISLNK(fi.mode))
+ continue;
+
 if (S_ISDIR(fi.mode)) {
 if (apk_db_dir_query(db, APK_BLOB_STR(tmp)) != NULL)
 continue;
diff --git a/src/database.c b/src/database.c
index f308e48..968d55e 100644
--- a/src/database.c
+++ b/src/database.c
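Review bot: The new APK_DBDIRF_SYMLINKS_ONLY define carries no comment, so its meaning is only discoverable by reading the '*' prefix parser in database.c and the skip in audit.c. A one-line note next to the define would spare the next reader that hunt, e.g. `#define APK_DBDIRF_SYMLINKS_ONLY 0x0002 /* protected, but the config audit reports only symlinks; set by a '*' path prefix */`. The struct apk_db_dir that presumably holds these bits in its flags field begins at the end of the hunk and continues outside it.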
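Review bot: The added `!S_ISLNK(fi.mode)` test can only ever be true because this same commit switches apk_file_get_info() from stat() to lstat() in src/io.c, and nothing here records that dependency, so a later revert of the io.c change would silently turn every symlinks-only directory into an empty config audit. A comment above the new block would pin it down: `/* Symlinks-only dirs: the config audit reports just the symlinks; other entries are left to the system audit. Relies on apk_file_get_info() using lstat(). */`. Note also that the `continue` sits before the S_ISDIR branch, so a real subdirectory inside a symlinks-only directory is neither reported nor descended into; if that is intended it deserves a word in the same comment. audit_directory(), and the declarations of actx and dbd, begin outside the hunk.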
@@ -235,11 +235,25 @@ static struct apk_db_dir *apk_db_dir_get(struct apk_database *db,
 dir->flags = dir->parent->flags;
 
 for (i = 0; i < db->protected_paths->num; i++) {
- if (db->protected_paths->item[i][0] == '-' &&
- strcmp(&db->protected_paths->item[i][1], dir->name) == 0)
- dir->flags &= ~APK_DBDIRF_PROTECTED;
- else if (strcmp(db->protected_paths->item[i], dir->name) == 0)
- dir->flags |= APK_DBDIRF_PROTECTED;
+ int flags = dir->flags, j;
+
+ flags |= APK_DBDIRF_PROTECTED;
+ for (j = 0; ; j++) {
+ switch (db->protected_paths->item[i][j]) {
+ case '-':
+ flags &= ~(APK_DBDIRF_PROTECTED |
+ APK_DBDIRF_SYMLINKS_ONLY);
+ continue;
+ case '*':
+ flags |= APK_DBDIRF_SYMLINKS_ONLY |
+ APK_DBDIRF_PROTECTED;
+ continue;
+ }
+ break;
+ }
+
+ if (strcmp(&db->protected_paths->item[i][j], dir->name) == 0)
+ dir->flags = flags;
 }
 
 return dir;
@@ -895,7 +909,7 @@ int apk_db_open(struct apk_database *db, const char *root, unsigned int flags)
 }
 }
 
- blob = APK_BLOB_STR("etc:-etc/init.d");
+ blob = APK_BLOB_STR("etc:*etc/init.d");
 apk_blob_for_each_segment(blob, ":", add_protected_path, db);
 
 if (root != NULL) {
diff --git a/src/io.c b/src/io.c
index 8739752..18e89d3 100644
--- a/src/io.c
+++ b/src/io.c
@@ -468,7 +468,7 @@ int apk_file_get_info(const char *filename, int checksum, struct apk_file_info *
 struct stat st;
 struct apk_bstream *bs;
 
- if (stat(filename, &st) != 0)
+ if (lstat(filename, &st) != 0)
 return -errno;
 
 *fi = (struct apk_file_info) {
-- 
cgit v1.2.3-70-g09d2
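Review bot: An unprefixed entry never clears APK_DBDIRF_SYMLINKS_ONLY: `flags` starts from `dir->flags` (already inherited from the parent on the first context line) and the bare case only ORs in APK_DBDIRF_PROTECTED, so with a list like `etc:*etc/init.d:etc/init.d/sub` (constructed example) the bare `etc/init.d/sub` entry leaves sub symlinks-only and only a `-` prefix can change that, by dropping protection altogether. If a bare entry is meant to restore full protection, `flags = (flags & ~APK_DBDIRF_SYMLINKS_ONLY) | APK_DBDIRF_PROTECTED;` in place of `flags |= APK_DBDIRF_PROTECTED;` does it. The prefix grammar (leading `-` drops protection, leading `*` means protected but symlinks-only, a later matching entry overrides an earlier one) is written down nowhere; a short comment above the `for (j = 0; ; j++)` loop would document it and also explain the `*` in the new default `etc:*etc/init.d` in the second hunk of this file. apk_db_dir_get() begins outside the hunk.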
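Review bot: Replacing stat() with lstat() changes what every caller of apk_file_get_info() sees for a symlink, not only the audit: `fi` now describes the link itself (S_ISLNK mode and the link's own size and mtime), and a dangling symlink now succeeds instead of failing with -ENOENT. The function body continues past the hunk, so I cannot see whether the checksum path (the `bs` stream declared above) still opens the path through the link and therefore hashes the target while mode describes the link; if so, that mismatch deserves a comment. Either way the contract should be stated at the call, e.g. `/* lstat(): never follow symlinks; callers such as audit need S_ISLNK on the entry itself */`, and repeated on the prototype in the header.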