From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 17 Mar 2023 11:57:33 +0000 (+0000)
Subject: FHS: Do not allow any executable files in /usr/share
X-Git-Tag: 0.9.29~282
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=760e16155ab56957aea0c60fca97aadbab3b31e1;p=pakfire.git

FHS: Do not allow any executable files in /usr/share

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/libpakfire/fhs.c b/src/libpakfire/fhs.c
index f646fafd0..720d3d7ea 100644
--- a/src/libpakfire/fhs.c
+++ b/src/libpakfire/fhs.c
@@ -40,6 +40,7 @@ static const struct pakfire_fhs_check {
 	const char* gname;
 	enum pakfire_fhs_check_flags {
 		PAKFIRE_FHS_MUSTNOTEXIST = (1 << 0),
+		PAKFIRE_FHS_NOEXEC       = (1 << 1),
 	} flags;
 } pakfire_fhs_check[] = {
 	// /usr
@@ -74,6 +75,9 @@ static const struct pakfire_fhs_check {
 	{ "/usr/lib/firmware/**", S_IFREG, 0644, "root", "root", 0 },
 	{ "/usr/lib/firmware/**", S_IFDIR, 0755, "root", "root", 0 },
 
+	// /usr/share cannot have any exectuable files
+	{ "/usr/share/**",        S_IFREG,    0,   NULL,   NULL, PAKFIRE_FHS_NOEXEC },
+
 	// /var
 	{ "/var",                 S_IFDIR, 0755, "root", "root", 0 },
 	{ "/var/cache",           S_IFDIR, 0755, "root", "root", 0 },
@@ -254,6 +258,27 @@ static int pakfire_fhs_check_ownership(struct pakfire* pakfire,
 	return 0;
 }
 
+static int pakfire_fhs_check_noexec(struct pakfire* pakfire,
+		const struct pakfire_fhs_check* check, struct pakfire_file* file) {
+	// Skip this check if PAKFIRE_FHS_NOEXEC is not set
+	if (!(check->flags & PAKFIRE_FHS_NOEXEC))
+		return 0;
+
+	// Fetch path
+	const char* path = pakfire_file_get_path(file);
+
+	// Fetch permissions
+	const mode_t perms = pakfire_file_get_perms(file);
+
+	// Check that none of the executable bits are set
+	if (perms & (S_IXUSR|S_IXGRP|S_IXOTH)) {
+		DEBUG(pakfire, "%s must not be executable\n", path);
+		return 1;
+	}
+
+	return 0;
+}
+
 int pakfire_fhs_check_file(struct pakfire* pakfire, struct pakfire_file* file) {
 	const struct pakfire_fhs_check* check = NULL;
 	int r;
@@ -286,6 +311,11 @@ int pakfire_fhs_check_file(struct pakfire* pakfire, struct pakfire_file* file) {
 	if (r)
 		return r;
 
+	// Check for PAKFIRE_FHS_NOEXEC
+	r = pakfire_fhs_check_noexec(pakfire, check, file);
+	if (r)
+		return r;
+
 	// Check passed!
 	return 0;
 }