From: Michael Tremer Date: Thu, 11 Jun 2009 10:39:23 +0000 (+0200) Subject: pakfire: Added some hooks that will keep the packages clean. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5192f6a18d0c7194e6360a5d361e7a1099ec618;p=ipfire-3.x.git pakfire: Added some hooks that will keep the packages clean.
---
diff --git a/lfs/Config b/lfs/Config
index 0d9389209..ad68ce35e 100644
--- a/lfs/Config
+++ b/lfs/Config
@@ -127,6 +127,11 @@ define DO_PACKAGE PKG_SHORT="$(value SHORT_DESC)" PKG_URL="$(URL)" \ CONTROL_PREIN="$(value CONTROL_PREIN)" CONTROL_PREUN="$(value CONTROL_POSTUN)" \ CONTROL_POSTIN="$(value CONTROL_POSTIN)" CONTROL_POSTUN="$(value CONTROL_POSTUN)" \ + \ + QUALITY_AGENT_WHITELIST_EXECSTACK="$(value QUALITY_AGENT_WHITELIST_EXECSTACK)" \ + QUALITY_AGENT_WHITELIST_RPATH="$(value QUALITY_AGENT_WHITELIST_RPATH)" \ + QUALITY_AGENT_WHITELIST_SONAME="$(value QUALITY_AGENT_WHITELIST_SONAME)" \ + \ $(DIR_SOURCE)/pakfire/compressor $(PKG_PACKAGE) $$ROOTFILE endef
diff --git a/src/pakfire/compressor b/src/pakfire/compressor
index 6396b7c79..3ff71ec74 100755
--- a/src/pakfire/compressor
+++ b/src/pakfire/compressor
@@ -19,6 +19,15 @@ # # ############################################################################### +PACKAGE_VERSION="0" + +function cleanup() { + echo " Cleaning up..." + for i in $ARCHIEVE $CONTROL $INFO $TMP_DIR; do + rm -rf ${i} + done +} + while [ $# -gt 0 ]; do case "$1" in *)
@@ -41,7 +50,7 @@ if [ -z "$TARGET" ]; then exit 1 fi -echo -n "Running for $PKG_TARGET..." +echo "Packaging $PKG_TARGET..." if [ -e "/packages/$PKG_TARGET" ]; then echo "Skip."
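Review bot: `cleanup()` in the compressor hunk at `@@ -19,6 +19,15 @@` is only invoked on explicit error paths and is never installed as an exit trap, so an interrupted build or any failure the script does not check leaves the `mktemp` file and directory behind; add `trap cleanup EXIT` once the temporaries exist (the `mktemp` calls are outside this hunk) and the explicit `cleanup` calls become unnecessary. Inside the loop, `rm -rf ${i}` should be `rm -rf -- "${i}"`: an unset variable simply drops out of the unquoted word list, so an empty value cannot reach `rm`, but a value containing whitespace would be split into several targets. The loop body and the script's temp-file creation are outside this hunk.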
@@ -53,26 +62,41 @@ CONTROL=$(mktemp) INFO=$(mktemp) TMP_DIR=$(mktemp -d) +echo " Collecting files..." for rootfile in $ROOTFILES; do ERROR=$(cd / && \ grep -v "^#" < $rootfile | \ sed -e "s/KVER/$KVER/g" \ -e "s/IFS_TARGET/$IFS_TARGET/g" | \ - cpio -pdl --quiet $TMP_DIR 2>&1) + cpio -pd --quiet $TMP_DIR 2>&1) if [ -n "${ERROR}" ]; then echo -e "When copying the files, an error occoured:\n\n${ERROR}" >&2 - rm -rf $ARCHIEVE $CONTROL $INFO $TMP_DIR + cleanup + exit 1 + fi +done + +echo " Running quality agent hooks..." +for hook in $(dirname $0)/compressor.d/*; do + [ -x "${hook}" ] || continue + ${hook} $TMP_DIR + if [ "$?" != "0" ]; then + cleanup exit 1 fi done cd $TMP_DIR +echo " Writing data.img..." find . | cpio -o -H newc --quiet | lzma -cz - > $ARCHIEVE +echo " Writing meta-data..." cat <$INFO ### $NAME package +PACKAGE_VERSION="$PACKAGE_VERSION" + BUILD_HOST="$(cat /proc/sys/kernel/hostname)" BUILD_DATE="$(date -u)"
@@ -97,6 +121,7 @@ PKG_DATA_SHA1="$(sha1sum $ARCHIEVE | awk '{ print $1 }')" ### EOF +echo " Writing control file..." cat <$CONTROL #!/bin/sh
@@ -125,10 +150,9 @@ cat $ARCHIEVE > $TMP_DIR/data.img cat $CONTROL > $TMP_DIR/control cat $INFO > $TMP_DIR/info +echo " Packaging archive..." find . | cpio -o -H newc --quiet > $ARCHIEVE cat $ARCHIEVE > /packages/$PKG_TARGET -echo "Done." - -rm -rf $ARCHIEVE $CONTROL $INFO $TMP_DIR +cleanup
diff --git a/src/pakfire/compressor.d/01-qa-unsafe-files b/src/pakfire/compressor.d/01-qa-unsafe-files
new file mode 100755
index 000000000..90daad108
--- /dev/null
+++ b/src/pakfire/compressor.d/01-qa-unsafe-files
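Review bot: In the new hook loop a non-zero hook status aborts packaging without saying which hook failed, and both `$(dirname $0)` and `${hook} $TMP_DIR` are unquoted, so a source tree or `mktemp -d` path containing whitespace breaks the loop. Replace the `$?` test with `if ! "${hook}" "${TMP_DIR}"; then echo " Hook ${hook##*/} failed" >&2; cleanup; exit 1; fi` and quote the glob as `"$(dirname "$0")"/compressor.d/*`. Since the glob runs every executable in that directory, including editor backups or stray copies, a pattern that follows the naming convention this commit introduces, such as `compressor.d/[0-9][0-9]-*`, keeps accidental files out of the packaging pipeline. The enclosing script continues beyond this hunk.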
@@ -0,0 +1,45 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+EXIT_CODE=0
+
+echo " Searching for world-writeable files..."
+
+f=$(find ${1} -type f -perm -2 2>/dev/null)
+if [ -n "$f" ]; then
+ echo " QA Security Notice:"
+ echo " - The folloing files will be world writable."
+ echo " - This may or may not be a security problem, most of the time it is one."
+ echo " - Please double check that these files really need a world writeable bit and file bugs accordingly."
+ echo
+ echo "$f"
+ EXIT_CODE=1
+fi
+
+f=$(find ${1} -type f '(' -perm -2002 -o -perm -4002 ')')
+if [ -n "$f" ]; then
+ echo " QA Notice: Unsafe files detected (set*id and world writable)"
+ echo
+ echo "$f"
+ EXIT_CODE=1
+fi
+
+exit $EXIT_CODE
diff --git a/src/pakfire/compressor.d/02-qa-static-libs b/src/pakfire/compressor.d/02-qa-static-libs
new file mode 100755
index 000000000..9d2a970c2
--- /dev/null
+++ b/src/pakfire/compressor.d/02-qa-static-libs
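Review bot: The first `find` reports world-writable files as a notice that "may or may not be a security problem" yet sets `EXIT_CODE=1`, so every such file fails the build with no whitelist escape, unlike the QUALITY_AGENT_WHITELIST_* mechanism the other hooks receive; either make it a warning or give it a whitelist variable of its own. Both `find ${1}` calls should quote the root as `find "${1}"`, and the second call lacks the `2>/dev/null` the first has, so the two behave differently on unreadable paths. The scan also skips world-writable directories without the sticky bit and set-id files that are not world-writable, which a package QA check usually reports as well, e.g. `d=$(find "${1}" -type d -perm -0002 ! -perm -1000)`. Finally, "folloing" in the echoed notice is a typo for "following".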
@@ -0,0 +1,29 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+echo " Searching for static libs or *.la-files..."
+
+f=$(find ${1} -name *.{a,la} 2>/dev/null)
+if [ -n "$f" ]; then
+ echo " QA Notice: Excessive files found:"
+ echo "${f}"
+ exit 1
+fi
diff --git a/src/pakfire/compressor.d/03-qa-execstacks b/src/pakfire/compressor.d/03-qa-execstacks
new file mode 100755
index 000000000..4e280806a
--- /dev/null
+++ b/src/pakfire/compressor.d/03-qa-execstacks
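Review bot: `find ${1} -name *.{a,la}` cannot work as written: bash brace expansion turns it into `-name *.a *.la` (each half additionally subject to globbing against the current directory), and on GNU find the stray `*.la` after the expression is rejected with "paths must precede expression", an error the `2>/dev/null` hides, so `$f` stays empty and the hook always passes. Write the predicate as `f=$(find "${1}" -type f '(' -name '*.a' -o -name '*.la' ')' 2>/dev/null)`, which matches the quoting style already used in 01-qa-unsafe-files.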
@@ -0,0 +1,48 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+echo " Searching for executeable stacks..."
+
+# Also, executable stacks only matter on linux...
+
+command="scanelf -qyRF '%e %p' ${1} | awk '{ print $NF }'"
+
+for i in $QUALITY_AGENT_WHITELIST_EXECSTACK; do
+ if [ -n "$FILTER" ]; then
+ FILTER="$FILTER|$i"
+ else
+ FILTER="$i"
+ fi
+done
+
+if [ -n "$FILTER" ]; then
+ command="$command | grep -vE \"$FILTER\""
+fi
+
+files=$($command)
+if [ -n "$files" ]; then
+ echo " QA Notice: The following files contain executable stacks"
+ echo " Files with executable stacks will not work properly (or at all!)"
+ echo " on some architectures/operating systems."
+ echo "${files}"
+ echo
+ exit 1
+fi
diff --git a/src/pakfire/compressor.d/04-qa-rpath b/src/pakfire/compressor.d/04-qa-rpath
new file mode 100755
index 000000000..3a650950e
--- /dev/null
+++ b/src/pakfire/compressor.d/04-qa-rpath
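Review bot: `files=$($command)` does not run the pipeline stored in `command`: an unquoted expansion is word-split, not parsed, so `|`, `awk` and the single-quoted format string are handed to scanelf as literal arguments, and `$NF` was already expanded (to nothing) when the double-quoted string was assigned, so this hook cannot produce the intended list. 04-qa-rpath builds its command the same way, and 06-qa-shared-soname goes further and invokes the `command` builtin with no arguments. Run the scan as a real pipeline and apply the whitelist as a second step instead of splicing it into a string; `FILTER` should also be initialised to empty before the loop, since the hook currently inherits whatever `FILTER` the build environment happens to export. The whitelist entries are unanchored extended regexes joined with `|`, so an entry such as `lib` would silence every report — anchoring them keeps each exemption narrow.
```shell
FILTER=
# … unchanged: whitelist loop building $FILTER …
files=$(scanelf -qyRF '%e %p' "${1}" | awk '{ print $NF }')
if [ -n "$FILTER" ]; then
	files=$(printf '%s\n' "$files" | grep -vE -- "$FILTER")
fi
# … unchanged: report and exit 1 when $files is non-empty …
```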
@@ -0,0 +1,51 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+TMP_DIR=$1
+
+echo " Searching for bad RPATH attributes..."
+
+# Make sure we disallow insecure RUNPATH/RPATH's
+# Don't want paths that point to the tree where the package was built
+# (older, broken libtools would do this). Also check for null paths
+# because the loader will search $PWD when it finds null paths.
+
+command="scanelf -qyRF '%r %p' ${TMP_DIR} 2>/dev/null | awk '{ print $NF }'"
+
+for i in $QUALITY_AGENT_WHITELIST_RPATH; do
+ if [ -n "$FILTER" ]; then
+ FILTER="$FILTER|$i"
+ else
+ FILTER="$i"
+ fi
+done
+
+if [ -n "$FILTER" ]; then
+ command="$command | grep -vE \"$FILTER\""
+fi
+
+files=$($command)
+if [ -n "$files" ]; then
+ echo " QA Notice: The following files contain insecure RUNPATH's"
+ echo "${files}"
+ echo
+ exit 1
+fi
diff --git a/src/pakfire/compressor.d/05-qa-textrels b/src/pakfire/compressor.d/05-qa-textrels
new file mode 100755
index 000000000..56ef7121b
--- /dev/null
+++ b/src/pakfire/compressor.d/05-qa-textrels
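Review bot: The `2>/dev/null` on the scanelf invocation means a missing or failing scanner yields an empty `$files` and the hook silently passes, turning the RPATH check into a no-op on any build host without scanelf installed; 05-qa-textrels has the same redirection, and the remaining scanelf hooks fail just as silently because an empty command substitution is indistinguishable from "nothing found". Add `command -v scanelf >/dev/null || { echo " scanelf not found" >&2; exit 1; }` before the scan, or drop the redirection so the failure is visible in the build log. The header comment describes checking for null (empty) RPATH entries, but the format `'%r %p'` piped through `awk '{ print $NF }'` prints only the path, so whether an empty entry is reported depends entirely on what scanelf lists for `%r` — worth confirming against a library built with a deliberately empty RPATH.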
@@ -0,0 +1,35 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+# TEXTREL's are baaaaaaaad
+
+echo " Searching for bad TEXTRELs..."
+f=$(scanelf -qyRF '%t %p' ${1} 2>/dev/null | awk '{ print $NF }')
+if [ -n "$f" ]; then
+ echo " QA Notice: The following files contain runtime text relocations"
+ echo " Text relocations force the dynamic linker to perform extra"
+ echo " work at startup, waste system resources, and may pose a security"
+ echo " risk. On some architectures, the code may not even function"
+ echo " properly, if at all."
+ echo "${f}"
+
+ exit 1
+fi
diff --git a/src/pakfire/compressor.d/06-qa-shared-soname b/src/pakfire/compressor.d/06-qa-shared-soname
new file mode 100755
index 000000000..19978d36f
--- /dev/null
+++ b/src/pakfire/compressor.d/06-qa-shared-soname
@@ -0,0 +1,48 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+TMP_DIR=$1
+
+check_files=$(find ${TMP_DIR} -name lib*.so*)
+
+command="scanelf -ByF '%S %p' $check_files | awk '$2 == "" { print }'"
+
+for i in $QUALITY_AGENT_WHITELIST_SONAME; do
+ if [ -n "$FILTER" ]; then
+ FILTER="$FILTER|$i"
+ else
+ FILTER="$i"
+ fi
+done
+
+if [ -n "$FILTER" ]; then
+ command="$command | grep -vE \"$FILTER\""
+fi
+
+echo " Searching bad libs that lack a SONAME..."
+if [ -n "$check_files" ]; then
+ f=$(command)
+ if [ -n "$f" ]; then
+ echo " QA Notice: The following shared libraries lack a SONAME"
+ echo "${f}"
+ exit 1
+ fi
+fi
diff --git a/src/pakfire/compressor.d/07-qa-shared-needed b/src/pakfire/compressor.d/07-qa-shared-needed
new file mode 100755
index 000000000..421ec9fd6
--- /dev/null
+++ b/src/pakfire/compressor.d/07-qa-shared-needed
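Review bot: `f=$(command)` invokes the bash `command` builtin with no arguments, which prints nothing, so `$f` is always empty and this hook can never report a library lacking a SONAME; even `$($command)` would not rescue it, because the `""` inside the double-quoted assignment ends the string early and `$2` is expanded at assignment time rather than by awk. Run the scan as a real pipeline and apply the whitelist afterwards, as below. The `find` pattern `lib*.so*` (also in 07-qa-shared-needed) is unquoted and will be replaced by matching names from the current directory if any exist, so quote it as `-name 'lib*.so*'`; `$check_files` has to stay unquoted for word-splitting, which means a path with whitespace would break the scan — tolerable in a staging tree, but deserves a comment saying so.
```shell
check_files=$(find "${TMP_DIR}" -name 'lib*.so*')
# … unchanged: whitelist loop building $FILTER …
echo " Searching bad libs that lack a SONAME..."
if [ -n "$check_files" ]; then
	f=$(scanelf -ByF '%S %p' $check_files | awk '$2 == "" { print }')
	if [ -n "$FILTER" ]; then
		f=$(printf '%s\n' "$f" | grep -vE -- "$FILTER")
	fi
	# … unchanged: report and exit 1 when $f is non-empty …
fi
```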
@@ -0,0 +1,34 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+TMP_DIR=$1
+
+check_files=$(find ${TMP_DIR} -name lib*.so*)
+
+echo " Searching bad libs that lack the NEEDED attribute..."
+if [ -n "$check_files" ]; then
+ f=$(scanelf -ByF '%n %p' $check_files | awk '$2 == "" { print }')
+ if [ -n "$f" ]; then
+ echo " QA Notice: The following shared libraries lack NEEDED entries"
+ echo "${f}"
+ exit 1
+ fi
+fi
diff --git a/src/pakfire/compressor.d/50-python b/src/pakfire/compressor.d/50-python
new file mode 100755
index 000000000..124849c9d
--- /dev/null
+++ b/src/pakfire/compressor.d/50-python
@@ -0,0 +1,30 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+## If the pyc and pyo files are the same, we can hardlink them
+
+echo " Hard-linking python bytecode files..."
+for pyc in $(find ${1} -type f -name "*.pyc"); do
+ pyo=$(echo "$pyc" | sed "s/.pyc$/.pyo/")
+ if cmp -s "$pyc" "$pyo"; then
+ ln -f "$pyc" "$pyo"
+ fi
+done
diff --git a/src/pakfire/compressor.d/99-strip-debug b/src/pakfire/compressor.d/99-strip-debug
new file mode 100755
index 000000000..293338ae1
--- /dev/null
+++ b/src/pakfire/compressor.d/99-strip-debug
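Review bot: `for pyc in $(find …)` word-splits the file list, so a path containing whitespace is broken into fragments that `cmp` and `ln -f` then operate on; 99-strip-debug and 99-strip-unneeded iterate the same way and additionally pass `$f` unquoted to `file`. A NUL-delimited read loop fixes all three, and `${pyc%.pyc}.pyo` replaces the `echo | sed` subshell, whose unescaped `.` in `s/.pyc$/.pyo/` also matches any character. The rewrite for this hook is below; the two strip hooks need the same loop shape.
```shell
echo " Hard-linking python bytecode files..."
while IFS= read -r -d '' pyc; do
	pyo="${pyc%.pyc}.pyo"
	if cmp -s "$pyc" "$pyo"; then
		ln -f "$pyc" "$pyo"
	fi
done < <(find "${1}" -type f -name '*.pyc' -print0)
```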
@@ -0,0 +1,29 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+## Strip debugging symbols
+
+echo " Stripping debugging symbols..."
+for f in $(find ${1} -type f \( -perm -0100 -or -perm -0010 -or -perm -0001 \)); do
+ if (file $f | grep -q ' shared object,'); then
+ strip --strip-debug "$f" || :
+ fi
+done
diff --git a/src/pakfire/compressor.d/99-strip-unneeded b/src/pakfire/compressor.d/99-strip-unneeded
new file mode 100755
index 000000000..1d2edfe3c
--- /dev/null
+++ b/src/pakfire/compressor.d/99-strip-unneeded
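Review bot: This hook looks redundant next to 99-strip-unneeded, which sorts after it in the `compressor.d/*` glob and runs `strip --strip-unneeded` over every `-type f` shared object — if I read the binutils documentation correctly, `--strip-unneeded` already removes what `--strip-debug` removes, so the extra pass only costs build time; either drop this file or add a comment explaining why both passes are intended. `-or` is a GNU extension where 01-qa-unsafe-files already uses the portable `-o`, `file $f` should be `file "$f"`, and the surrounding `( … )` creates a subshell for no reason. Matching `' shared object,'` in `file` output is brittle, since that wording is not guaranteed stable across `file` versions; scanelf, which the QA hooks already depend on, gives a more reliable ELF test.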
@@ -0,0 +1,29 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+## Strip unneeded symbols
+
+echo " Stripping unneeded symbols..."
+for f in $(find ${1} -type f); do
+ if (file $f | grep -q ' shared object,'); then
+ strip --strip-unneeded "$f" || :
+ fi
+done