linter: Move capability check
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 26 Oct 2024 12:07:43 +0000 (12:07 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 26 Oct 2024 12:07:43 +0000 (12:07 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/file.c
src/libpakfire/include/pakfire/file.h
src/libpakfire/linter-file.c

index 23da7dc81f8fc0729767480a5d9c25713aa47aa1..c168be46d7328ddd204cdb3848b2f6b338c0f8e8 100644 (file)
@@ -910,7 +910,7 @@ PAKFIRE_EXPORT void pakfire_file_set_perms(struct pakfire_file* file, const mode
        archive_entry_set_mode(file->entry, pakfire_file_get_type(file) | perms);
 }
 
-static int pakfire_file_is_executable(struct pakfire_file* file) {
+int pakfire_file_is_executable(struct pakfire_file* file) {
        return pakfire_file_get_mode(file) & (S_IXUSR|S_IXGRP|S_IXOTH);
 }
 
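Review bot: pakfire_file_is_executable gains external linkage here (and a prototype in pakfire/file.h in the next file) but keeps returning the raw mode bits from `pakfire_file_get_mode(file) & (S_IXUSR|S_IXGRP|S_IXOTH)`, so callers in other translation units now receive a value that is non-zero but not 1 and must not compare it with `== 1`. Either normalise it, `return !!(pakfire_file_get_mode(file) & (S_IXUSR|S_IXGRP|S_IXOTH));`, or state the contract on the new prototype with a comment such as `/* Returns the execute bits of the mode: non-zero if any of S_IXUSR, S_IXGRP or S_IXOTH is set */`. The same note applies to the pakfire/file.h hunk that adds the prototype.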
@@ -2241,14 +2241,6 @@ ERROR:
        return r;
 }
 
-static int pakfire_file_check_capabilities(struct pakfire_file* file) {
-       // Files cannot have capabilities but not be executable
-       if (!pakfire_file_is_executable(file) && pakfire_file_has_caps(file))
-               file->issues |= PAKFIRE_FILE_INVALID_CAPS;
-
-       return 0;
-}
-
 int pakfire_file_check(struct pakfire_file* file, int* issues) {
        int r;
 
@@ -2264,11 +2256,6 @@ int pakfire_file_check(struct pakfire_file* file, int* issues) {
                if (r)
                        return r;
 
-               // Perform capability check
-               r = pakfire_file_check_capabilities(file);
-               if (r)
-                       return r;
-
                // Run these checks only for ELF files
                if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
                        switch (pakfire_file_get_elf_type(file)) {
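Review bot: Removing pakfire_file_check_capabilities means pakfire_file_check no longer sets PAKFIRE_FILE_INVALID_CAPS, yet nothing in this diff removes or re-homes that flag; if no other site sets it, any caller that inspected the issues bitmask for it, rather than running the linter, silently loses the detection of capability-bearing non-executable files. Either drop the now-unused flag in the same change or add a comment at its definition, e.g. `// No longer set by pakfire_file_check; this condition is reported by the linter`, so readers of the enum do not assume the check still happens. pakfire_file_check continues past the end of this hunk, so I could not confirm whether the flag is referenced elsewhere in it.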
index b1532f66e927755cc554312acf7b6bd9bf5ccad1..46d04f7efd3aaed8f4fe06517f56998ac83c181d 100644 (file)
@@ -131,6 +131,8 @@ enum pakfire_file_classes {
        PAKFIRE_FILE_RUNTIME_LINKER  = (1 << 14),
 };
 
+int pakfire_file_is_executable(struct pakfire_file* file);
+
 int pakfire_file_has_payload(struct pakfire_file* file);
 
 int pakfire_file_write_fcaps(struct pakfire_file* file, struct vfs_cap_data* cap_data);
index 6b4e2eb3335505996ca138e3f32131244e4c5b63..4a9f173dad0c9d4e14f7294496c7ce12609c5f5a 100644 (file)
@@ -131,6 +131,14 @@ struct pakfire_linter_file* pakfire_linter_file_unref(struct pakfire_linter_file
        return NULL;
 }
 
+static int pakfire_linter_file_check_caps(struct pakfire_linter_file* lfile) {
+       // Files cannot have capabilities but not be executable
+       if (!pakfire_file_is_executable(lfile->file) && pakfire_file_has_caps(lfile->file))
+               return pakfire_linter_file_error(lfile, "File has capabilities but is not executable");
+
+       return 0;
+}
+
 static int pakfire_linter_file_init_libelf(struct pakfire_linter_file* lfile) {
        // Initialize libelf
        if (elf_version(EV_CURRENT) == EV_NONE) {
@@ -487,7 +495,6 @@ static int pakfire_linter_file_check_execstack(struct pakfire_linter_file* lfile
        return pakfire_linter_file_elf(lfile, __pakfire_linter_file_check_execstack, NULL);
 }
 
-
 static int __pakfire_linter_file_has_bind_now(struct pakfire_linter_file* lfile,
                Elf* elf, const GElf_Shdr* shdr, const GElf_Dyn* dyn, void* data) {
        int* has_bind_now = (int*)data;
@@ -801,6 +808,11 @@ static int pakfire_linter_file_check_cf_protection(struct pakfire_linter_file* l
 int pakfire_linter_file_lint(struct pakfire_linter_file* lfile) {
        int r = 0;
 
+       // Check capabilities
+       r = pakfire_linter_file_check_caps(lfile);
+       if (r < 0)
+               return r;
+
        // Skip firmware files
        if (pakfire_file_matches(lfile->file, "/usr/lib/firmware/**"))
                return 0;
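Review bot: The new pakfire_linter_file_check_caps call runs at the very top of pakfire_linter_file_lint, before the firmware skip and any other filtering, whereas the check it replaces sat inside a nested conditional block of pakfire_file_check (its condition is outside that hunk, at the same level as the "Run these checks only for ELF files" guard). If that block restricted the check to regular files, the linter now also evaluates pakfire_file_has_caps on directories, symlinks and device nodes; confirm it behaves sensibly there, or guard the call with the same file-type condition the old site had. Note also that this caller propagates only `r < 0` while the removed site propagated any non-zero `r`, which is fine if pakfire_linter_file_error returns 0 after recording the finding, but worth confirming. pakfire_linter_file_lint continues past the end of this hunk.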