git.ipfire.org Git - pakfire.git/log
Stefan Schantl [Tue, 21 Mar 2023 10:16:45 +0000 (11:16 +0100)]
FHS: Allow /usr/src/kernel
This directory and its subdirectories will contain the source code
and helper scripts/binaries of the current compiled kernel.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 21 Mar 2023 10:14:13 +0000 (11:14 +0100)]
pakfire_format_time(): Fix typo
Fix a small typo when displaying the build time
which is longer than 1 hour.
In such a case the following message got displayed:
Build successfully completed in 01m07m02s
Which should be 01h07m02s
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 20 Mar 2023 17:47:25 +0000 (18:47 +0100)]
FHS: Allow /var/mail owned by root:mail
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 21 Mar 2023 08:14:12 +0000 (08:14 +0000)]
archive: Return a file descriptor for any archive files
This is a lot more handy for us later on when we are dealing with any of
the payload which might potentially be larger, as it can now be read bit by
bit.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 20 Mar 2023 11:38:49 +0000 (12:38 +0100)]
FHS: Drop /usr/bin/su from list of allowed SUID binaries
In the Makefile (util-linx.nm) we specify some capabilities to avoid setting
the suid bit.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 20:13:27 +0000 (20:13 +0000)]
archive: Silently ignore if systemd-sysusers could not be executed
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 20:13:12 +0000 (20:13 +0000)]
jail: Move flags to individual exec commands
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:53:44 +0000 (19:53 +0000)]
strip: Apply hack to preserve capabilities
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:49:08 +0000 (19:49 +0000)]
parser: Free regular expressions
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:41:02 +0000 (19:41 +0000)]
FHS: Allow gpasswd, ksu and pkexec to have the setuid bit set
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:37:59 +0000 (19:37 +0000)]
FHS: Fix setuid check
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:25:57 +0000 (19:25 +0000)]
FHS: Silence a warning as it gets in the way of the progress bar
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:18:50 +0000 (19:18 +0000)]
FHS: Allow installing kernel source in /usr/src
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:16:38 +0000 (19:16 +0000)]
file: Check for capabilities being applied to non-executable files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:04:05 +0000 (19:04 +0000)]
transaction: Automatically create system users
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:03:30 +0000 (19:03 +0000)]
tests: Check if relative/absolute paths confuse pakfire_path_match
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 19:03:05 +0000 (19:03 +0000)]
jail: Log the path of the command we tried to execute
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 12:57:35 +0000 (12:57 +0000)]
systemd: Automatically apply tmpfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 12:47:00 +0000 (12:47 +0000)]
packages: Fail match if we could not parse the dependency
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 18:39:03 +0000 (18:39 +0000)]
file: Export capabilities in Python
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 19 Mar 2023 18:38:46 +0000 (18:38 +0000)]
file: Write capabilities
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 17:11:45 +0000 (17:11 +0000)]
file: Read capabilities
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 14:48:55 +0000 (14:48 +0000)]
FHS: Drop limitation for only non-executable files in /usr/share
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 14:48:23 +0000 (14:48 +0000)]
FHS: Allow dotfiles in /root
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 14:47:18 +0000 (14:47 +0000)]
FHS: Allow some setuid binaries
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 12:50:08 +0000 (12:50 +0000)]
jail: Allow setting file capabilities in the jail
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 18 Mar 2023 11:32:49 +0000 (12:32 +0100)]
macros: Define docdir
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 12:20:44 +0000 (12:20 +0000)]
Drop old hardening check script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 12:18:59 +0000 (12:18 +0000)]
file: Tidy up the RPATH checking code
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 12:14:42 +0000 (12:14 +0000)]
file: Extend RELRO check to check for BIND_NOW
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 12:13:42 +0000 (12:13 +0000)]
file: Pass Dyn tag to the callback function
Some values are not considered to be strings.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 11:24:07 +0000 (11:24 +0000)]
Drop old RPATH check script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 18 Mar 2023 11:23:32 +0000 (11:23 +0000)]
file: Implement RPATH/RUNPATH check
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
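The RELRO/BIND_NOW and RPATH/RUNPATH checks in the commits above (and the PIE check further down this log) all come down to reading the ELF program headers and the dynamic section. The following is an added example, not pakfire's own code: a small ELF64 analyser in Python that reports the same class of findings, together with a constructed fixture builder so it runs offline without a real binary. The function names, the rule that a PIE is an ET_DYN object carrying DF_1_PIE, and the convention that "full" RELRO means PT_GNU_RELRO plus BIND_NOW are assumptions; the page does not state pakfire's exact decision rules.

```python
import struct

# ELF64 constants from the specification (little-endian only, for brevity)
ELFMAG = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 5, 15, 29, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                      # in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000   # in DT_FLAGS_1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address %#x is not backed by the file" % vaddr)


def analyze_elf(data: bytes) -> dict:
    """Report PIE / RELRO / RPATH / RUNPATH findings for an ELF64 image."""
    if data[:4] != ELFMAG or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    loads, dynamic, has_relro = [], None, False
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    # Walk the dynamic section up to DT_NULL; the first occurrence of a tag wins
    tags = {}
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            tags.setdefault(d_tag, d_val)

    def string_at(tag):
        # DT_RPATH / DT_RUNPATH values are offsets into the DT_STRTAB string table
        if tag not in tags or DT_STRTAB not in tags:
            return None
        start = _vaddr_to_offset(loads, tags[DT_STRTAB]) + tags[tag]
        return data[start:data.index(b"\0", start)].decode()

    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {
        # assumption: a PIE is an ET_DYN object that the linker marked DF_1_PIE
        "pie": e_type == ET_DYN and bool(flags1 & DF_1_PIE),
        # a RELRO segment alone is "partial"; with BIND_NOW the GOT is read-only too: "full"
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "rpath": string_at(DT_RPATH),
        "runpath": string_at(DT_RUNPATH),
    }


def build_elf(*, e_type, flags=0, flags1=0, rpath=None, runpath=None, relro=True) -> bytes:
    """Constructed fixture (not a loadable binary): a minimal ELF64 image with one
    PT_LOAD mapping the whole file at vaddr 0, a PT_DYNAMIC and optionally PT_GNU_RELRO."""
    strtab, str_offsets = b"\0", {}
    for tag, value in ((DT_RPATH, rpath), (DT_RUNPATH, runpath)):
        if value is not None:
            str_offsets[tag] = len(strtab)
            strtab += value.encode() + b"\0"
    nph = 3 if relro else 2
    strtab_off = EHDR.size + nph * PHDR.size
    dyn_off = strtab_off + len(strtab)
    entries = [(DT_STRTAB, strtab_off), *str_offsets.items()]
    if flags:
        entries.append((DT_FLAGS, flags))
    if flags1:
        entries.append((DT_FLAGS_1, flags1))
    entries.append((DT_NULL, 0))
    dyn = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dyn)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    ident = ELFMAG + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + strtab + dyn


if __name__ == "__main__":
    print(analyze_elf(build_elf(e_type=ET_DYN, flags=DF_BIND_NOW, flags1=DF_1_PIE)))
    print(analyze_elf(build_elf(e_type=ET_EXEC, rpath="/tmp/build/lib", relro=False)))
```

The interesting caveat for a packager is the difference between DT_RPATH and DT_RUNPATH: both point to a build-time directory that may be writable on the target system, but DT_RPATH is searched before LD_LIBRARY_PATH and is the older, more dangerous of the two. Both are worth flagging, which is why the analyser reports them separately.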
Michael Tremer [Sat, 18 Mar 2023 11:23:12 +0000 (11:23 +0000)]
file: Make fetching more information from ELF sections easier
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 15:45:18 +0000 (15:45 +0000)]
file: Unify fetching ELF sections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 15:30:01 +0000 (15:30 +0000)]
file: Rename NO-* flags to MISSING-*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 15:00:51 +0000 (15:00 +0000)]
build: Do not perform BUILDROOT check on Python bytecode files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:56:28 +0000 (14:56 +0000)]
filelist: Add option to show a progressbar
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:33:30 +0000 (14:33 +0000)]
filelist: Add flags argument to walk function
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:29:12 +0000 (14:29 +0000)]
FHS: Perform world writable check only for regular files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:09:11 +0000 (14:09 +0000)]
macros: Define tmpfilesdir
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:02:50 +0000 (14:02 +0000)]
FHS: Add /root
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 14:00:08 +0000 (14:00 +0000)]
file: Set r if file could not be opened
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:59:39 +0000 (13:59 +0000)]
files: Skip payload check for empty files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:57:33 +0000 (13:57 +0000)]
file: Do not check for ELF status again when dumping issues
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:56:40 +0000 (13:56 +0000)]
build: Move strip check into file check
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:46:50 +0000 (13:46 +0000)]
build: Rename hardening check to just check
That way, we can include some checks that are not too closely related to
any hardening issues.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:41:55 +0000 (13:41 +0000)]
build: Move FHS check into hardening checks
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:29:52 +0000 (13:29 +0000)]
FHS: Check for world-writable files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:24:47 +0000 (13:24 +0000)]
util: Fix path pattern matching with characters after stars
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:14:39 +0000 (13:14 +0000)]
file: Remove forgotten debug statements
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 13:05:21 +0000 (13:05 +0000)]
build: Perform BUILDROOT check in C
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 12:17:31 +0000 (12:17 +0000)]
FHS: Check for correct location and permission of shared objects
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 12:13:53 +0000 (12:13 +0000)]
tests: Add check for pakfire_path_match with stars in middle
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 12:03:03 +0000 (12:03 +0000)]
FHS: Fix indentation
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 12:00:35 +0000 (12:00 +0000)]
FHS: Do not allow any executable files in /var
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 11:57:33 +0000 (11:57 +0000)]
FHS: Do not allow any executable files in /usr/share
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 11:56:59 +0000 (11:56 +0000)]
FHS: All files in /boot must be owned by root
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 11:46:30 +0000 (11:46 +0000)]
FHS: Ensure that firmware files are not executable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 11:06:15 +0000 (11:06 +0000)]
FHS: Rearrange the matrix
No functional changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:54:40 +0000 (10:54 +0000)]
build: Drop check-include
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:53:50 +0000 (10:53 +0000)]
FHS: Check permissions of files in /usr/include
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:53:13 +0000 (10:53 +0000)]
FHS: Do not allow any unknown subdirectories in /var
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:49:21 +0000 (10:49 +0000)]
FHS: Enforce that all files in /usr/*bin are executable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:40:33 +0000 (10:40 +0000)]
FHS: Do not allow any subdirectories in /usr/bin & /usr/sbin
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:37:25 +0000 (10:37 +0000)]
FHS: Implement being able to check for file type
This allows us a more granular filtering
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:23:51 +0000 (10:23 +0000)]
FHS: Do not allow any more files in /usr and /usr/src
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:18:06 +0000 (10:18 +0000)]
FHS: Implement checking file ownerships
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:05:26 +0000 (10:05 +0000)]
build: Drop check-libraries script
This is now covered by the new builtin FHS check.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:03:36 +0000 (10:03 +0000)]
build: Drop old FHS script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 Mar 2023 10:00:59 +0000 (10:00 +0000)]
FHS: Implement some simple filesystem checks
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 19:27:28 +0000 (19:27 +0000)]
util: path_matches: Check if pattern is shorter than string
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 15:54:51 +0000 (15:54 +0000)]
util: Implement a simple path matching function that supports **
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
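The path matcher introduced here is what the FHS checks earlier in this log (no executables in /var or /usr/share, everything in /usr/*bin executable and no subdirectories there, /boot owned by root, a world-writable check on regular files only, a short setuid allowlist, and capabilities only on executables) are keyed on, so a matching bug is a policy bypass. The tests mentioned above (stars in the middle of a pattern, characters after a star, relative versus absolute paths) are the cases that matter. Below is an added example, not pakfire's code: a matcher with the `*`/`**` semantics described, driving a small FHS-style matrix over constructed entries. The star semantics, the rule table, the `Entry` type, the firmware location and the decision to apply every matching rule rather than only the first are all assumptions; the setuid allowlist is taken from the commits above.

```python
import re
import stat
from dataclasses import dataclass


def compile_path_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a path pattern into an anchored regular expression.

    Assumed semantics: '**' matches any run of characters including '/',
    '*' matches any run within a single path component, everything else is
    literal. Text after a star is kept, so '/usr/lib/*.so*' still requires
    '.so' to appear after the wildcard.
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def path_match(pattern: str, path: str) -> bool:
    """Whole-path match with no normalisation: 'usr/bin/ls' never matches '/usr/bin/*'."""
    return compile_path_pattern(pattern).match(path) is not None


@dataclass
class Entry:
    path: str
    mode: int        # st_mode with type bits, e.g. 0o100755 for a regular file
    uid: int = 0
    gid: int = 0
    caps: str = ""   # file capabilities as text, e.g. "cap_net_raw=ep"; "" if none


DIR, REG = "dir", "reg"


def _not_executable(where):
    return lambda e: "executable files are not allowed in %s" % where if e.mode & 0o111 else None


# (pattern, file type the rule applies to or None for any, check returning an issue or None)
FHS_RULES = [
    ("/usr/bin/**", DIR, lambda e: "no subdirectories allowed in /usr/bin"),
    ("/usr/sbin/**", DIR, lambda e: "no subdirectories allowed in /usr/sbin"),
    ("/usr/bin/*", REG, lambda e: None if e.mode & 0o111 else "must be executable"),
    ("/usr/sbin/*", REG, lambda e: None if e.mode & 0o111 else "must be executable"),
    ("/usr/share/**", REG, _not_executable("/usr/share")),
    ("/var/**", REG, _not_executable("/var")),
    ("/usr/lib/firmware/**", REG, _not_executable("/usr/lib/firmware")),  # assumed location
    ("/boot/**", None, lambda e: None if e.uid == 0 else "must be owned by root"),
]

# setuid allowlist from the log above; /usr/bin/su is deliberately absent (it uses capabilities)
SETUID_ALLOWED = {"/usr/bin/gpasswd", "/usr/bin/ksu", "/usr/bin/pkexec"}


def check_entry(e: Entry) -> list:
    """Run every matching FHS rule plus the global permission checks; return the issues."""
    ftype = DIR if stat.S_ISDIR(e.mode) else REG if stat.S_ISREG(e.mode) else None
    perms = stat.S_IMODE(e.mode)
    issues = []
    for pattern, want, rule in FHS_RULES:
        if want is not None and ftype != want:
            continue
        if path_match(pattern, e.path):
            issue = rule(e)
            if issue:
                issues.append(issue)
    if ftype == REG and perms & stat.S_IWOTH:        # sticky dirs like /var/tmp are fine
        issues.append("world-writable")
    if perms & stat.S_ISUID and e.path not in SETUID_ALLOWED:
        issues.append("setuid bit not allowed")
    if e.caps and not perms & 0o111:                 # caps on a non-executable are a packaging error
        issues.append("capabilities on a non-executable file")
    return issues


if __name__ == "__main__":
    for entry in (Entry("/usr/bin/su", 0o104755), Entry("/var/lib/foo/data", 0o100666),
                  Entry("/usr/share/doc/foo/run.sh", 0o100755)):
        print(entry.path, check_entry(entry))
```

Because the patterns are anchored and never normalised, a path recorded as relative in a filelist cannot accidentally satisfy an absolute rule, and `*` cannot cross a `/`, so "no subdirectories in /usr/bin" and "everything directly in /usr/bin is executable" are expressible as two separate rules.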
Michael Tremer [Thu, 16 Mar 2023 10:27:19 +0000 (10:27 +0000)]
arch: Drop support for all 32 bit architectures
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 09:10:00 +0000 (09:10 +0000)]
compress: Fix wrong variable in threads code
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 09:05:44 +0000 (09:05 +0000)]
packager: Don't initialize an unsigned integer with -1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 09:04:33 +0000 (09:04 +0000)]
compress: Enable parallel compression for Zstandard if available
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 09:04:04 +0000 (09:04 +0000)]
compress: Create a unified function to create archives
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 08:11:23 +0000 (08:11 +0000)]
snapshots: Call it store/restore
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 16 Mar 2023 08:07:57 +0000 (08:07 +0000)]
snapshots: Do not modify an existing snapshot
Instead, the routines will now write the new snapshot to a temporary
location and replace it more or less atomically.
Fixes: #13045 - Multiple concurrent instances can destroy the snapshot
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
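The "write to a temporary location and replace it more or less atomically" pattern from this commit is the standard fix for two writers (or a writer and a crash) leaving a torn file behind. As an added example, not pakfire's code, here is that pattern in Python: the temporary file is created in the same directory so the final rename stays on one filesystem, it is fsync()ed before the rename, and `os.replace` performs the atomic swap. The function names and the `demo` helper are assumptions for illustration.

```python
import os
import tempfile


def store_snapshot(path: str, data: bytes) -> None:
    """Replace the snapshot at `path` without ever exposing a half-written file.

    The content goes to a temporary file in the same directory, is fsync()ed,
    and is moved over the old file with os.replace(), an atomic rename on POSIX.
    A concurrent reader sees either the complete old snapshot or the complete
    new one, and two racing writers leave whichever finished last, never a mix.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".snapshot-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())      # data is on disk before it becomes visible
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)                # never leave the partial file behind
        raise
    if os.name == "posix":            # make the rename itself durable
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)


def restore_snapshot(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> tuple:
    """Store two snapshots in a scratch directory; returns (first, second, leftover names)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "snapshot.tar.zst")
        store_snapshot(p, b"first")
        first = restore_snapshot(p)
        store_snapshot(p, b"second")
        second = restore_snapshot(p)
        return first, second, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

Opening the destination with `"wb"` directly would truncate it first, which is exactly the window in which a second instance (or a reader) sees an empty or partial snapshot; the rename closes that window.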
Michael Tremer [Wed, 15 Mar 2023 18:48:55 +0000 (18:48 +0000)]
Revert "snapshots: Pass path instead of file descriptor"
This reverts commit 4667a2ca811f6f2b20c1cfb3223dd8b90af4952c.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 18:40:49 +0000 (18:40 +0000)]
compress: Do not overwrite configuration on extraction
This is somewhat experimental and I would need to think a little bit
more about this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 18:29:42 +0000 (18:29 +0000)]
jail: Enable all QEMU CPU features by default
When we are emulating a different architecture, QEMU by default emulates
a very basic processor which might not be able to emulate for example
SIMD instructions.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 16:51:23 +0000 (16:51 +0000)]
file: Mark files as executable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 16:43:36 +0000 (16:43 +0000)]
file: Rename extension check to patterns
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 16:33:18 +0000 (16:33 +0000)]
file: Do not check for SSP for runtime linkers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 13:28:46 +0000 (13:28 +0000)]
python: Release and acquire the GIL when we need it
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 11:31:07 +0000 (11:31 +0000)]
build: Dump the complete filelist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 11:30:41 +0000 (11:30 +0000)]
compress: Resolve hardlinks when writing archives
Fixes: #13014
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 10:48:20 +0000 (10:48 +0000)]
file: Correctly fail PIE test
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 03:01:46 +0000 (03:01 +0000)]
build: Show build time at the end
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 15 Mar 2023 03:01:30 +0000 (03:01 +0000)]
string: Add function to format elapsed time
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 14 Mar 2023 18:57:01 +0000 (18:57 +0000)]
file: Perform magic check for all files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 14 Mar 2023 18:56:20 +0000 (18:56 +0000)]
file: Skip hardening checks for firmware files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 14 Mar 2023 18:55:32 +0000 (18:55 +0000)]
CFLAGS: Move string formatting stuff into an extra variable
That way, we can clear it easily.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Mar 2023 16:52:44 +0000 (16:52 +0000)]
file: Disable all hardening checks for Relocatable Objects
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Mar 2023 15:34:08 +0000 (15:34 +0000)]
file: Skip SSP check for data libraries
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 Mar 2023 16:24:08 +0000 (16:24 +0000)]
build: Implement marking configuration files in archives
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 Mar 2023 15:21:59 +0000 (15:21 +0000)]
file: Fix digest comment
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 Mar 2023 15:21:45 +0000 (15:21 +0000)]
file: Add missing return type
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>