macros: Add macro to apply sysusers based users/groups inside the jail

This macro can be called inside a build file and easily allows to apply
any kind of users/groups specified in a sysusers file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

macros: Add macro to automatically install any systemd sysusers files

This macros works very similar than the tmpfiles one but handles
sysusers files.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

systemd.macro: Avoid declaring the directory for tmpfiles twice

We allready have declared this directory in the arch macro file,
so there is no need in doing this again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

macros: Introduce sysusersdir

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

meson: Avoid calling meson without setup is deprecated

Calling meson without setup as argument when configure
a project is deprecated since a while by the meson developers.

To avoid any problems in future adding this argument.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

archive: sysusers: Fix walking through archive for sysusers files

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Hardening: Declare content of /usr/lib/grub as firmware files

This folder contains the neccessary files, which are written to
the MBR, dealing with EFI, or loading additional required grub
modules unless the whole grub menu can be displayed or a selected
OS will start up.

Some of these files are 32bit ELF files or do not have SSP etc.

So I would suggest to mark them as firmware files and therefore
skip some of the hardening tests.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Merge branch 'master' of ssh://git.ipfire.org/pub/git/pakfire

parser: Perform a side-lookup for packages in build namespace

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Simplify customisation of configure/make/make install

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Move cmake/meson/ninja/perl stuff into the build namespace

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Drop anything related to Python 2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Tolerate runtime linkers in /usr/lib

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: read: Correctly fail if we cannot find a file

The routine did not properly clear up the cookie after it could not find
a file in the archive.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tests: archive: Free file handle at the end

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Make the _cleanup function configurable to tidy up as well

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tests: Make the testsuite compile again

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

transaction: Show which step, action and package failed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Be smarter when removing files

Before, when we tried to remove a file from the filesystem, we tried to
call unlink() and if that failed, we tried rmdir() instead.

This patch changes that we will call rmdir() in the first place for
directories and unlink() for everything else so that we can catch error
codes more granulary.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

transaction: Use cleanup function to remove all files from a filelist

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Whitelist libgcc_so.* and libmvec.so.* from SSP check

libgcc_s.so cannot be built with SSP, at least it will create some
problems linking start files later on.

libmvec should generally not be on here, but all the assembly magic
seems to confuse something so that it won't be linked okay.

Fixes: #13069
Fixes: #13070
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

_pakfire: Make File objects immutable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

_pakfire: Fix potential SEGV when accesing File attributes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

_pakfire: Fix repr() output for File objects

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow /usr/src/kernel

This directory and it's subdirectories will contain the source code
and helper scripts/binaries of the current compiled kernel.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire_format_time(): Fix typo

Fix a small typo when displaying the build time
which is longer than 1 hour.

In such a case the following message got displayed:

Build successfully completed in 01m07m02s

Which should be 01h07m02s

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow /usr/src/kernel

This directory and it's subdirectories will contain the source code
and helper scripts/binaries of the current compiled kernel.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

pakfire_format_time(): Fix typo

Fix a small typo when displaying the build time
which is longer than 1 hour.

In such a case the following message got displayed:

Build successfully completed in 01m07m02s

Which should be 01h07m02s

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

FHS: Allow /var/mail owned by root:mail

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

archive: Return a file descriptor for any archive files

This is a lot more handy for us later on when we are dealing with any of
the payload which might potentially larger as it can now be read bit by
bit.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow /var/mail owned by root:mail

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

FHS: Drop /usr/bin/su from list of allowed SUID binaries

In the Makefile (util-linx.nm) we specify some capabilities to avoid setting
the suid bit.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Drop /usr/bin/su from list of allowed SUID binaries

In the Makefile (util-linx.nm) we specify some capabilities to avoid setting
the suid bit.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Merge branch 'master' of ssh://git.ipfire.org/pub/git/pakfire

archive: Silently ignore if systemd-sysusers could not be executed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jail: Move flags to individual exec commands

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strip: Apply hack to preserve capabilities

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

parser: Free regular expressions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow gpasswd, ksu and pkexec to have the setuid bit set

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Fix setuid check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Silence a warning as it gets in the way of the progress bar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow installing kernel source in /usr/src

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Check for capabilities being applied to non-executable files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

transaction: Automatically create system users

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tests: Check if relative/absolute paths confuse pakfire_path_match

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jail: Log the path of the command we tried to execute

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

systemd: Automatically apply tmpfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

packages: Fail match if we could not parse the dependency

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Export capabilities in Python

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Write capabilities

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Read capabilities

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'master' of ssh://git.ipfire.org/pub/git/pakfire

FHS: Drop limitation for only non-executable files in /usr/share

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow dotfiles in /root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Allow some setuid binaries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jail: Allow setting file capabilities in the jail

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'master' of ssh://git.ipfire.org/pub/git/pakfire

macros: Define docdir

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop old hardening check script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Tidy up the RPATH checking code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Extend RELRO check to check for BIND_NOW

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Pass Dyn tag to the callback function

Some values are not considered to be strings.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Define docdir

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Drop old RPATH check script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Implement RPATH/RUNPATH check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Make fetch more information from ELF sections easier

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Unify fetching ELF sections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Rename NO-* flags to MISSING-*

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Do not perform BUILDROOT check on Python bytecode files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

filelist: Add option to show a progressbar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

filelist: Add flags argument to walk function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Perform world writable check only for regular files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

macros: Define tmpfilesdir

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Add /root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Set r if file could not be opened

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

files: Skip payload check for empty files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Do not check for ELF status again when dumping issues

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Move strip check into file check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Rename hardening check to just check

That way, we can include some checks that are not too closely related to
any hardening issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Move FHS check into hardening checks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check for world-writable files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Fix path pattern matching with characters after stars

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

file: Remove forgotten debug statements

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Perform BUILDROOT check in C

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check for correct location and permission of shared objects

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tests: Add check for pakfire_path_match with stars in middle

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Fix indentation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any executable files in /var

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any executable files in /usr/share

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: All files in /boot must be owned by root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Ensure that firmware files are not executable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Rearrange the matrix

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

build: Drop check-include

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Check permissions of files in /usr/include

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any unknown subdirectories in /var

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Enfore that all files in /usr/*bin are executable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any subdirectories in /usr/bin & /usr/sbin

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Implement being able to check for file type

This allows us a more granular filtering

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Do not allow any more files in /usr and /usr/src

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

FHS: Implement checking file ownerships

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>