file: Check for capabilities being applied to non-executable files
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 19 Mar 2023 19:16:38 +0000 (19:16 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 19 Mar 2023 19:16:38 +0000 (19:16 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/file.c
src/libpakfire/include/pakfire/file.h

index 756b9f913942f40283b15245152aff15b0236b96..d375a9a75f93fd1d61dd3ebba8ab0a2472fb3775 100644 (file)
@@ -867,6 +867,13 @@ char* pakfire_file_dump(struct pakfire_file* file, int flags) {
                        if (r < 0)
                                goto ERROR;
                }
+
+               // Invalid capabilities
+               if (file->issues & PAKFIRE_FILE_INVALID_CAPS) {
+                       r = asprintf(&buffer, "%s [INVALID-CAPS]", buffer);
+                       if (r < 0)
+                               goto ERROR;
+               }
        }
 
        return buffer;
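Review bot: The new branch's `asprintf(&buffer, "%s [INVALID-CAPS]", buffer)` uses the current buffer both as the asprintf destination and as a format argument, so the previous allocation is leaked whenever the call succeeds, and glibc leaves the destination indeterminate on failure, so the ERROR path (outside this hunk) would act on an indeterminate pointer if it frees buffer. The branch visible at the top of the hunk appears to follow the same pattern, so this is probably inherited style rather than a new idea, but the new code should not extend it. Format into a temporary and swap it in only after success, as below. pakfire_file_dump starts before and ends after this hunk.
```c
		// Invalid capabilities
		if (file->issues & PAKFIRE_FILE_INVALID_CAPS) {
			char* tmp = NULL;

			r = asprintf(&tmp, "%s [INVALID-CAPS]", buffer);
			if (r < 0)
				goto ERROR;

			free(buffer);
			buffer = tmp;
		}
```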
@@ -1058,6 +1065,10 @@ PAKFIRE_EXPORT void pakfire_file_set_perms(struct pakfire_file* file, const mode
        file->st.st_mode |= ~S_IFMT & perms;
 }
 
+static int pakfire_file_is_executable(struct pakfire_file* file) {
+       return file->st.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH);
+}
+
 PAKFIRE_EXPORT time_t pakfire_file_get_ctime(struct pakfire_file* file) {
        return file->st.st_ctime;
 }
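Review bot: `pakfire_file_is_executable` tests only the three execute bits, so a directory with search permission, or any other non-regular file carrying an x bit, counts as executable; if the capability check built on it later in this commit is meant for regular files only, the condition should be `S_ISREG(file->st.st_mode) && (file->st.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH))`. The helper never writes through `file`, so the parameter can be `const struct pakfire_file* file`, which documents that reading st_mode is side-effect free. Whether pakfire_file_has_caps can report capabilities on a non-regular file is not visible here.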
@@ -2314,6 +2325,15 @@ static int pakfire_file_check_runpath(struct pakfire_file* file) {
        return pakfire_file_open_elf(file, __pakfire_file_check_runpath, NULL);
 }
 
+static int pakfire_file_check_capabilities(struct pakfire_file* file) {
+       // Files cannot have capabilities but not be executable
+       if (!pakfire_file_is_executable(file) && pakfire_file_has_caps(file))
+               file->issues |= PAKFIRE_FILE_INVALID_CAPS;
+
+       return 0;
+}
+
+
 int pakfire_file_check(struct pakfire_file* file, int* issues) {
        int r;
 
@@ -2324,6 +2344,11 @@ int pakfire_file_check(struct pakfire_file* file, int* issues) {
                if (r)
                        file->issues |= PAKFIRE_FILE_FHS_ERROR;
 
+               // Perform capability check
+               r = pakfire_file_check_capabilities(file);
+               if (r)
+                       return r;
+
                // Do not perform the following checks on firmware
                if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
                        goto DONE;
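Review bot: The added `if (r) return r;` leaves pakfire_file_check directly, while the neighbouring firmware exit uses `goto DONE`, so the function evidently has a DONE label that the normal path relies on; if DONE copies `file->issues` into `*issues` or releases resources, this early return skips it, and the failure should take the function's existing exit instead (`goto ERROR` if one exists, otherwise `goto DONE` after preserving r). pakfire_file_check begins in the previous hunk and continues beyond this one, so the labels themselves are not visible here.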
index 390c38194d50c6a04c1dd4839fea3cc113d2b01f..7508f32d40efa9f9a1dc369330b1a96d0ba0c771 100644 (file)
@@ -191,6 +191,7 @@ enum pakfire_file_check_issues {
        PAKFIRE_FILE_EXECSTACK          = (1 << 4),
        PAKFIRE_FILE_NO_RELRO           = (1 << 5),
        PAKFIRE_FILE_HAS_RUNPATH        = (1 << 6),
+       PAKFIRE_FILE_INVALID_CAPS       = (1 << 7),
 };
 
 int pakfire_file_check(struct pakfire_file* file, int* issues);
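Review bot: `PAKFIRE_FILE_INVALID_CAPS` joins a public enum in the installed header without any statement of what the bit means, while the condition that raises it lives in a static function in file.c; add `// File carries capabilities but has no execute bit set` beside the new value so API consumers can interpret the flag without reading the implementation.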