From f75b720bea2561c6771c236ce4836506aa5b9862 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 26 Oct 2024 12:07:43 +0000
Subject: [PATCH] linter: Move capability check
Signed-off-by: Michael Tremer
---
 src/libpakfire/file.c | 15 +-------------
 src/libpakfire/include/pakfire/file.h | 2 ++
 src/libpakfire/linter-file.c | 14 +++++++++++++-
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index 23da7dc81..c168be46d 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -910,7 +910,7 @@ PAKFIRE_EXPORT void pakfire_file_set_perms(struct pakfire_file* file, const mode
 archive_entry_set_mode(file->entry, pakfire_file_get_type(file) | perms);
 }
-static int pakfire_file_is_executable(struct pakfire_file* file) {
+int pakfire_file_is_executable(struct pakfire_file* file) {
 return pakfire_file_get_mode(file) & (S_IXUSR|S_IXGRP|S_IXOTH);
 }
@@ -2241,14 +2241,6 @@ ERROR:
 return r;
 }
-static int pakfire_file_check_capabilities(struct pakfire_file* file) {
- // Files cannot have capabilities but not be executable
- if (!pakfire_file_is_executable(file) && pakfire_file_has_caps(file))
- file->issues |= PAKFIRE_FILE_INVALID_CAPS;
-
- return 0;
-}
-
 int pakfire_file_check(struct pakfire_file* file, int* issues) {
 int r;
@@ -2264,11 +2256,6 @@ int pakfire_file_check(struct pakfire_file* file, int* issues) {
 if (r)
 return r;
- // Perform capability check
- r = pakfire_file_check_capabilities(file);
- if (r)
- return r;
-
 // Run these checks only for ELF files
 if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
 switch (pakfire_file_get_elf_type(file)) {
diff --git a/src/libpakfire/include/pakfire/file.h b/src/libpakfire/include/pakfire/file.h
index b1532f66e..46d04f7ef 100644
--- a/src/libpakfire/include/pakfire/file.h
+++ b/src/libpakfire/include/pakfire/file.h
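Review bot: With pakfire_file_check_capabilities removed from pakfire_file_check (the hunk at -2241 and the call site at -2264), nothing in this diff sets PAKFIRE_FILE_INVALID_CAPS any more; unless another caller still raises it, that enumerator and any code that tests it in the `issues` output are now dead and should be removed or marked as superseded. Callers that rely on pakfire_file_check alone, without also running pakfire_linter_file_lint, silently lose this diagnostic; if that is intended, a one-line note where the call used to be, such as `// Capability sanity checks moved to linter-file.c (pakfire_linter_file_check_caps)`, would keep the next reader from re-adding it. pakfire_file_check's body continues outside the hunk.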
@@ -131,6 +131,8 @@ enum pakfire_file_classes {
 PAKFIRE_FILE_RUNTIME_LINKER = (1 << 14),
 };
+int pakfire_file_is_executable(struct pakfire_file* file);
+
 int pakfire_file_has_payload(struct pakfire_file* file);
 int pakfire_file_write_fcaps(struct pakfire_file* file, struct vfs_cap_data* cap_data);
diff --git a/src/libpakfire/linter-file.c b/src/libpakfire/linter-file.c
index 6b4e2eb33..4a9f173da 100644
--- a/src/libpakfire/linter-file.c
+++ b/src/libpakfire/linter-file.c
@@ -131,6 +131,14 @@ struct pakfire_linter_file* pakfire_linter_file_unref(struct pakfire_linter_file
 return NULL;
 }
+static int pakfire_linter_file_check_caps(struct pakfire_linter_file* lfile) {
+ // Files cannot have capabilities but not be executable
+ if (!pakfire_file_is_executable(lfile->file) && pakfire_file_has_caps(lfile->file))
+ return pakfire_linter_file_error(lfile, "File has capabilities but is not executable");
+
+ return 0;
+}
+
 static int pakfire_linter_file_init_libelf(struct pakfire_linter_file* lfile) {
 // Initialize libelf
 if (elf_version(EV_CURRENT) == EV_NONE) {
@@ -487,7 +495,6 @@ static int pakfire_linter_file_check_execstack(struct pakfire_linter_file* lfile
 return pakfire_linter_file_elf(lfile, __pakfire_linter_file_check_execstack, NULL);
 }
-
 static int __pakfire_linter_file_has_bind_now(struct pakfire_linter_file* lfile, Elf* elf, const GElf_Shdr* shdr, const GElf_Dyn* dyn, void* data) {
 int* has_bind_now = (int*)data;
@@ -801,6 +808,11 @@ static int pakfire_linter_file_check_cf_protection(struct pakfire_linter_file* l
 int pakfire_linter_file_lint(struct pakfire_linter_file* lfile) {
 int r = 0;
+ // Check capabilities
+ r = pakfire_linter_file_check_caps(lfile);
+ if (r < 0)
+ return r;
+
 // Skip firmware files
 if (pakfire_file_matches(lfile->file, "/usr/lib/firmware/**"))
 return 0;
--
2.39.5
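Review bot: The new prototype of pakfire_file_is_executable in file.h carries no contract, and the definition in file.c returns the raw masked mode bits rather than 0/1, so a caller comparing the result against 1 would be wrong. A short comment above the declaration would pin that down: `// Returns non-zero when any of S_IXUSR, S_IXGRP or S_IXOTH is set in the file's mode (the masked bits, not a boolean)`.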
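Review bot: pakfire_linter_file_check_caps passes through whatever pakfire_linter_file_error returns, and the call added in pakfire_linter_file_lint (hunk at -801) only aborts on `r < 0`, whereas the check this replaces in file.c propagated any non-zero value; whether a reported finding is a negative error or a non-negative "recorded, keep linting" value is not visible here, so the intended contract should be stated on the function. A header comment such as `// Reports a lint error for a file that carries file capabilities without any exec bit; a negative return aborts linting, anything else means the finding was recorded and linting continues` would do, adjusted to pakfire_linter_file_error's actual semantics. Note that executables which do carry capabilities pass this check silently; for a package linter that is the more interesting case, so a follow-up that at least emits an informational message naming the capability set would help reviewers.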