From: Michael Tremer
Date: Sun, 19 Mar 2023 19:16:38 +0000 (+0000)
Subject: file: Check for capabilities being applied to non-executable files
X-Git-Tag: 0.9.29~239
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=691091ad0855f8aad8469f1d9b8f9c84648acea9;p=pakfire.git

file: Check for capabilities being applied to non-executable files

Signed-off-by: Michael Tremer
---

diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index 756b9f913..d375a9a75 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -867,6 +867,13 @@ char* pakfire_file_dump(struct pakfire_file* file, int flags) {
 			if (r < 0)
 				goto ERROR;
 		}
+
+		// Invalid capabilities
+		if (file->issues & PAKFIRE_FILE_INVALID_CAPS) {
+			r = asprintf(&buffer, "%s [INVALID-CAPS]", buffer);
+			if (r < 0)
+				goto ERROR;
+		}
 	}
 
 	return buffer;
@@ -1058,6 +1065,10 @@ PAKFIRE_EXPORT void pakfire_file_set_perms(struct pakfire_file* file, const mode
 	file->st.st_mode |= ~S_IFMT & perms;
 }
 
+static int pakfire_file_is_executable(struct pakfire_file* file) {
+	return file->st.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH);
+}
+
 PAKFIRE_EXPORT time_t pakfire_file_get_ctime(struct pakfire_file* file) {
 	return file->st.st_ctime;
 }
@@ -2314,6 +2325,15 @@ static int pakfire_file_check_runpath(struct pakfire_file* file) {
 	return pakfire_file_open_elf(file, __pakfire_file_check_runpath, NULL);
 }
 
+static int pakfire_file_check_capabilities(struct pakfire_file* file) {
+	// Files cannot have capabilities but not be executable
+	if (!pakfire_file_is_executable(file) && pakfire_file_has_caps(file))
+		file->issues |= PAKFIRE_FILE_INVALID_CAPS;
+
+	return 0;
+}
+
+
 int pakfire_file_check(struct pakfire_file* file, int* issues) {
 	int r;
 
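Review bot: `r = asprintf(&buffer, "%s [INVALID-CAPS]", buffer);` in the pakfire_file_dump hunk leaks the previous `buffer`: asprintf stores a freshly allocated string into `buffer`, and the allocation that was passed as the `%s` argument is never freed. On failure glibc also leaves `*strp` undefined, so if the ERROR label (outside this hunk) frees `buffer`, that path may free an indeterminate pointer. Formatting into a temporary and swapping it in only on success avoids both problems. The preceding context lines look like the same idiom is used for the other flag suffixes in this function, so the same fix probably applies to them as well; pakfire_file_dump's body begins and ends outside the hunk.
```c
		// Invalid capabilities
		if (file->issues & PAKFIRE_FILE_INVALID_CAPS) {
			char* tmp = NULL;

			r = asprintf(&tmp, "%s [INVALID-CAPS]", buffer);
			if (r < 0)
				goto ERROR;

			// Only release the old string once the new one exists
			free(buffer);
			buffer = tmp;
		}
```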
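Review bot: pakfire_file_check_capabilities only raises PAKFIRE_FILE_INVALID_CAPS when no execute bit is set, but pakfire_file_is_executable (added in the previous hunk) tests S_IXUSR|S_IXGRP|S_IXOTH on any file type, so a directory or other non-regular file carrying a capability xattr is not flagged because those bits mean search permission there. If capabilities are only meaningful on regular files, the condition could read `if (!(S_ISREG(file->st.st_mode) && pakfire_file_is_executable(file)) && pakfire_file_has_caps(file))`, or the S_ISREG test could move into the helper since this is its only caller. Whether pakfire_file_has_caps can return non-zero for a non-regular file depends on how it reads the xattr, which is not visible here. Style: the two added blank lines after the helper's closing brace leave a double blank before pakfire_file_check, where the rest of the file uses one.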
@@ -2324,6 +2344,11 @@ int pakfire_file_check(struct pakfire_file* file, int* issues) {
 	if (r)
 		file->issues |= PAKFIRE_FILE_FHS_ERROR;
 
+	// Perform capability check
+	r = pakfire_file_check_capabilities(file);
+	if (r)
+		return r;
+
 	// Do not perform the following checks on firmware
 	if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
 		goto DONE;
diff --git a/src/libpakfire/include/pakfire/file.h b/src/libpakfire/include/pakfire/file.h
index 390c38194..7508f32d4 100644
--- a/src/libpakfire/include/pakfire/file.h
+++ b/src/libpakfire/include/pakfire/file.h
@@ -191,6 +191,7 @@ enum pakfire_file_check_issues {
 	PAKFIRE_FILE_EXECSTACK = (1 << 4),
 	PAKFIRE_FILE_NO_RELRO = (1 << 5),
 	PAKFIRE_FILE_HAS_RUNPATH = (1 << 6),
+	PAKFIRE_FILE_INVALID_CAPS = (1 << 7),
 };
 
 int pakfire_file_check(struct pakfire_file* file, int* issues);
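Review bot: PAKFIRE_FILE_INVALID_CAPS is added to the public enum pakfire_file_check_issues without any statement of what it reports, so a header reader has to find the check in file.c to learn that it means a capability xattr on a file with no execute bit. A one-line comment beside the constant, `// Capabilities set on a file that is not executable`, would document it and tie it to the [INVALID-CAPS] suffix pakfire_file_dump emits. The neighbouring constants carry no comments either, so this may be the header's convention; in that case the meaning should at least be covered wherever pakfire_file_check's issue flags are documented.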