From: Michael Tremer Date: Fri, 17 Mar 2023 13:41:55 +0000 (+0000) Subject: build: Move FHS check into hardening checks X-Git-Tag: 0.9.29~273 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d9dd7bc4173c90e15de27a404363d955a683df4;p=pakfire.git build: Move FHS check into hardening checks Signed-off-by: Michael Tremer ---
diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c
index aea945e51..e40c4ab2d 100644
--- a/src/libpakfire/build.c
+++ b/src/libpakfire/build.c
@@ -32,7 +32,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -1190,35 +1189,6 @@ static int pakfire_build_post_check_broken_symlinks(
 PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
 }
 
-/*
- Filesystem Layout Check
-*/
-static int __pakfire_build_post_check_filesystem(
- struct pakfire* pakfire, struct pakfire_file* file, void* data) {
- struct pakfire_filelist* illegal = (struct pakfire_filelist*)data;
- int r;
-
- // Perform FHS check
- r = pakfire_fhs_check_file(pakfire, file);
- if (r) {
- r = pakfire_filelist_add(illegal, file);
- if (r)
- return r;
- }
-
- return 0;
-}
-
-static int pakfire_build_post_check_filesystem(
- struct pakfire_build* build, struct pakfire_filelist* filelist) {
- return pakfire_build_post_process_files(
- build,
- filelist,
- "Illegal files:",
- __pakfire_build_post_check_filesystem,
- PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
-}
-
 /*
 BUILDROOT Check
 */
@@ -1256,10 +1226,6 @@ static int __pakfire_build_post_check_hardening(
 int issues = 0;
 int r;
 
- // Skip anything that isn't an ELF file
- if (!pakfire_file_matches_class(file, PAKFIRE_FILE_ELF))
- return 0;
-
 // Check hardening
 r = pakfire_file_check_hardening(file, &issues);
 if (r) {
@@ -1331,11 +1297,6 @@ static int pakfire_build_run_post_build_checks(struct pakfire_build* build) {
 if (r)
 goto ERROR;
 
- // Check filesystem layout
- r = pakfire_build_post_check_filesystem(build, filelist);
- if (r)
- goto ERROR;
-
 // Check for BUILDROOT
 r = pakfire_build_post_check_buildroot(build, filelist);
 if (r)
diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index a4ad3306c..126be6164 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -616,6 +617,12 @@ char* pakfire_file_dump(struct pakfire_file* file, int flags) {
 
 // Hardning Status
 if (flags & PAKFIRE_FILE_DUMP_HARDENING) {
+ if (file->hardening_issues & PAKFIRE_FILE_FHS_ERROR) {
+ r = asprintf(&buffer, "%s [FHS-ERROR]", buffer);
+ if (r < 0)
+ goto ERROR;
+ }
+
 if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
 // Stack-smashing Protection
 if (file->hardening_issues & PAKFIRE_FILE_NO_SSP) {
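Review bot: The new FHS-ERROR branch passes `buffer` as the `%s` argument and also as asprintf's output pointer, so if `buffer` already holds a heap string from an earlier asprintf (the `%s` prefix suggests it does) that allocation is dropped when the new one is stored, and on an asprintf failure glibc leaves `buffer` unspecified before the `goto ERROR`. The sibling ELF branches below appear to use the same pattern, so the leak is inherited rather than introduced here, but this is the place to stop adding to it: format into a temporary, free the old string on success, and only then replace it. pakfire_file_dump continues outside the hunk, so whether ERROR frees `buffer` cannot be seen from here.
```c
		if (file->hardening_issues & PAKFIRE_FILE_FHS_ERROR) {
			char* tmp = NULL;

			// Format into a fresh string so the previous one can be released
			r = asprintf(&tmp, "%s [FHS-ERROR]", buffer);
			if (r < 0)
				goto ERROR;

			free(buffer);
			buffer = tmp;
		}
```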
@@ -1918,41 +1925,49 @@ static int pakfire_file_hardening_check_relro(struct pakfire_file* file) {
 int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) {
 int r;
 
- // Do not perform this check on firmware
- if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
- return 0;
-
 // Return previous result if this has been run before
 if (!file->hardening_check_done) {
- switch (pakfire_file_get_elf_type(file)) {
- // Do not check Relocatable Objects
- case ET_REL:
- goto DONE;
+ // Perform FHS check
+ r = pakfire_fhs_check_file(file->pakfire, file);
+ if (r)
+ file->hardening_issues |= PAKFIRE_FILE_FHS_ERROR;
 
- // Check everything else
- default:
- break;
- }
+ // Do not perform the following checks on firmware
+ if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
+ goto DONE;
 
- // Check for SSP
- r = pakfire_file_hardening_check_ssp(file);
- if (r)
- return r;
+ // Run these checks only for ELF files
+ if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
+ switch (pakfire_file_get_elf_type(file)) {
+ // Do not check Relocatable Objects
+ case ET_REL:
+ goto DONE;
+
+ // Check everything else
+ default:
+ break;
+ }
 
- // Check for PIE
- r = pakfire_file_hardening_check_pie(file);
- if (r)
- return r;
+ // Check for SSP
+ r = pakfire_file_hardening_check_ssp(file);
+ if (r)
+ return r;
 
- // Check for executable stacks
- r = pakfire_file_hardening_check_execstack(file);
- if (r)
- return r;
+ // Check for PIE
+ r = pakfire_file_hardening_check_pie(file);
+ if (r)
+ return r;
 
- // Check for RELRO
- r = pakfire_file_hardening_check_relro(file);
- if (r)
- return r;
+ // Check for executable stacks
+ r = pakfire_file_hardening_check_execstack(file);
+ if (r)
+ return r;
+
+ // Check for RELRO
+ r = pakfire_file_hardening_check_relro(file);
+ if (r)
+ return r;
+ }
 
 DONE:
 // All checks done
diff --git a/src/libpakfire/include/pakfire/file.h b/src/libpakfire/include/pakfire/file.h
index e9d190cca..6282b3945 100644
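Review bot: The FHS result is folded into a flag on any non-zero return from `pakfire_fhs_check_file`, so if that function can also fail for reasons unrelated to where the file lives (an allocation or path error, say) the failure is recorded as an FHS finding on the file instead of being reported, whereas the ELF checks further down `return r` on failure. If its contract distinguishes a violation from an internal error (for example a negative errno), add `if (r < 0) return r;` before the flag update; if it only ever returns 0 or 1, a one-line comment saying so would make the asymmetry with the other checks deliberate. `r` also stays non-zero after a violation and the code after `DONE:` lies outside the hunk, so it is worth confirming the tail returns 0 rather than `r`. The firmware exit changing from `return 0` to `goto DONE` means firmware now gets its check marked done with the FHS flag retained — presumably intended, but worth a word in the commit message.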
--- a/src/libpakfire/include/pakfire/file.h
+++ b/src/libpakfire/include/pakfire/file.h
@@ -176,10 +176,11 @@ int pakfire_file_verify(struct pakfire_file* file, int* status);
 Hardening Checks
 */
 enum pakfire_file_hardening_flags {
- PAKFIRE_FILE_NO_SSP = (1 << 0),
- PAKFIRE_FILE_NO_PIE = (1 << 1),
- PAKFIRE_FILE_EXECSTACK = (1 << 2),
- PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 3),
+ PAKFIRE_FILE_FHS_ERROR = (1 << 0),
+ PAKFIRE_FILE_NO_SSP = (1 << 1),
+ PAKFIRE_FILE_NO_PIE = (1 << 2),
+ PAKFIRE_FILE_EXECSTACK = (1 << 3),
+ PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 4),
 };
 
 int pakfire_file_is_stripped(struct pakfire_file* file);
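Review bot: Inserting `PAKFIRE_FILE_FHS_ERROR` at bit 0 shifts the four existing hardening flags by one; since this header lives under `include/pakfire/` and the values appear to be handed out through the `int* issues` parameter of `pakfire_file_check_hardening`, any caller built against the old values, or any stored or logged value, would now read NO_SSP as FHS_ERROR. Appending the new flag instead, `PAKFIRE_FILE_FHS_ERROR = (1 << 4),` with the existing lines left untouched, avoids that; if the enum is strictly internal and never persisted, a comment on the enum saying so would let the renumbering stand. Either way the "Hardening Checks" comment above the enum now also covers a filesystem-layout finding, which deserves a mention.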