FHS: Drop limitation for only non-executable files in /usr/share

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow dotfiles in /root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow some setuid binaries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jail: Allow setting file capabilities in the jail

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Define docdir

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop old hardening check script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Tidy up the RPATH checking code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Extend RELRO check to check for BIND_NOW

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Pass Dyn tag to the callback function

Some values are not considered to be strings.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop old RPATH check script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Implement RPATH/RUNPATH check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Make fetch more information from ELF sections easier

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Unify fetching ELF sections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Rename NO-* flags to MISSING-*

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Do not perform BUILDROOT check on Python bytecode files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

filelist: Add option to show a progressbar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

filelist: Add flags argument to walk function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Perform world writable check only for regular files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Define tmpfilesdir

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Add /root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Set r if file could not be opened

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

files: Skip payload check for empty files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Do not check for ELF status again when dumping issues

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Move strip check into file check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Rename hardening check to just check

That way, we can include some checks that are not too closely related to
any hardening issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Move FHS check into hardening checks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check for world-writable files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Fix path pattern matching with characters after stars

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Remove forgotten debug statements

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Perform BUILDROOT check in C

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check for correct location and permission of shared objects

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tests: Add check for pakfire_path_match with stars in middle

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Fix indentation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any executable files in /var

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any executable files in /usr/share

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: All files in /boot must be owned by root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Ensure that firmware files are not executable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Rearrange the matrix

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Drop check-include

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check permissions of files in /usr/include

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any unknown subdirectories in /var

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Enfore that all files in /usr/*bin are executable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any subdirectories in /usr/bin & /usr/sbin

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Implement being able to check for file type

This allows us a more granular filtering

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any more files in /usr and /usr/src

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Implement checking file ownerships

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Drop check-libraries script

This is now covered by the new builtin FHS check.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Drop old FHS script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Implement some simple filesystem checks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: path_matches: Check if pattern is shorter than string

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Implement a simple path matching function that supports **

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

arch: Drop support for all 32 bit architectures

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Fix wrong variable in threads code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

packager: Don't initialize an unsigned integer with -1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Enable parallel compression for Zstandard if available

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Create a unified function to create archives

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

snapshots: Call it store/restore

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

snapshots: Do not modify an existing snapshot

Instead, the routines will now write the new snapshot to a temporary
location and replace it more or less atomically.

Fixes: #13045 - Multiple concurrent instances can destroy the snapshot
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "snapshots: Pass path instead of file descriptor"

This reverts commit 4667a2ca811f6f2b20c1cfb3223dd8b90af4952c.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Do not overwrite configuration on extraction

This is somewhat experimental and I would need to think a little bit
more about this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jail: Enable all QEMU CPU features by default

When we are emulating a different architecture, QEMU by default emulates
a very basic processor which might not be able to emulate for example
SIMD instructions.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Mark files as executable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Rename extension check to patterns

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Do not check for SSP for runtime linkers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

python: Release and acquire the GIL when we need it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Dump the complete filelist

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Resolve hardlinks when writing archives

Fixes: #13014
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Correctly fail PIE test

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Show build time at the end

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

string: Add function to format elapsed time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Perform magic check for all files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Skip hardening checks for firmware files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CFLAGS: Move string formatting stuff into an extra variable

That way, we can clear it easily.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Disable all hardening checks for Relocatable Objects

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Skip SSP check for data libraries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Implement marking configuration files in archives

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Fix digest comment

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Add missing return type

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Store MIME type of files

This is going to be helpful in the build service and generally some
useful metadata.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

files: Fix iterating over extended attributes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Check if ELF files contain debug information

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Show error when the hardening check fails

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Show error when a file has no symbol table

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Show tags for failed execstack/partly RELRO check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Be more efficient when reading single files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Fix reading files from archives

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

compress: Swap PAKFIRE_WALK_DONE and *_END for semantic reasons

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Fix reading filelists/extraction on newer formats

Fixes: #12995 - pakfire extracts meta files in archives
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Drop support for legacy package formats

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Fix progress bar on extraction

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Use CET on x86_64

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Enable libstcd++ assertions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hub: Change how we append arguments to the request

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

daemon: Do not send DEBUG messages to the build service and log file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

repositories: Refactor how we are reading metadata

This is a large rewrite of how we are discovering and reading any
repository metadata.

It first of all makes the code a little bit more straight forward by
breaking steps into their own function.

Those functions will now do "the right thing" depending whether we are
dealing with a local or remote repository and will try to read
repository metdata for local repositories, too.

If that fails, we will of course fall back and scan.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire: Allow setting a custom cache path through the configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

downloader: Read proxy settings from the general section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

repo: compose: Ensure that the destination path always exists

realpath() fails if the destination does not exist, so we will try to
create it before.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

repo: Store the real path on stack to avoid it being altered later

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

repos: Try to hardlink packages when possible

Since we no longer change any packages when composing a repository (no
embedded signatures), we can try to hardlink to save disk space and IO.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>