Added support to check SHA256 integrity for binary pkgs.
This currently checks: - While removing, any file is checked and if hash doesn't match the file is ignored and not removed. - While installing, if a binary pkg file doesn't match with the one reported by the repository's pkg index file, the process will be stopped. --HG-- extra : convert_revision : 42bb64e89a092f0ff3e7d951e5b26e45d63a60fe
This commit is contained in:
parent
99ba792509
commit
255c48b198
7 changed files with 144 additions and 83 deletions
2
doc/TODO
2
doc/TODO
|
@ -13,8 +13,6 @@ xbps-bin:
|
|||
* Add support to handle conf_files and keep_dirs from package metadata.
|
||||
* Add support to remove recursively all deps of a package. [IN PROGRESS]
|
||||
* Add support to detect orphaned packages.
|
||||
* Add support to check sha256 hashes of all installed files, as well as
|
||||
hashes for binary packages before installation happens.
|
||||
* Add support to install binary packages without any repository.
|
||||
|
||||
xbps-repo:
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
|
||||
/* from lib/util.c */
|
||||
char * xbps_append_full_path(bool, const char *, const char *);
|
||||
int xbps_check_file_hash(const char *, const char *);
|
||||
int xbps_check_is_installed_pkg(const char *);
|
||||
bool xbps_check_is_installed_pkgname(const char *);
|
||||
char * xbps_get_pkg_index_plist(const char *);
|
||||
|
|
|
@ -98,6 +98,7 @@ store_dependency(prop_dictionary_t origind, prop_dictionary_t depd,
|
|||
size_t len = 0, dirdepscnt = 0, indirdepscnt = 0;
|
||||
const char *pkgname, *version, *reqbyname, *reqbyver, *arch;
|
||||
const char *repoloc, *binfile, *originpkg, *short_desc;
|
||||
const char *sha256;
|
||||
char *reqby, *pkgnver;
|
||||
int rv = 0;
|
||||
bool indirectdep = false;
|
||||
|
@ -114,6 +115,7 @@ store_dependency(prop_dictionary_t origind, prop_dictionary_t depd,
|
|||
prop_dictionary_get_cstring_nocopy(depd, "filename", &binfile);
|
||||
prop_dictionary_get_cstring_nocopy(depd, "short_desc", &short_desc);
|
||||
prop_dictionary_get_cstring_nocopy(depd, "architecture", &arch);
|
||||
prop_dictionary_get_cstring_nocopy(depd, "filename-sha256", &sha256);
|
||||
prop_dictionary_get_uint32(depd, "priority", &prio);
|
||||
prop_dictionary_get_cstring_nocopy(origind, "pkgname", &reqbyname);
|
||||
prop_dictionary_get_cstring_nocopy(origind, "version", &reqbyver);
|
||||
|
@ -205,6 +207,7 @@ store_dependency(prop_dictionary_t origind, prop_dictionary_t depd,
|
|||
prop_dictionary_set_cstring(dict, "short_desc", short_desc);
|
||||
prop_dictionary_set_bool(dict, "indirect_dep", indirectdep);
|
||||
prop_dictionary_set_cstring(dict, "architecture", arch);
|
||||
prop_dictionary_set_cstring(dict, "filename-sha256", sha256);
|
||||
|
||||
/*
|
||||
* Add the dictionary into the array.
|
||||
|
|
|
@ -54,29 +54,24 @@ xbps_install_binary_pkg_fini(prop_dictionary_t repo, prop_dictionary_t pkg,
|
|||
prop_dictionary_get_cstring_nocopy(pkg, "pkgname", &pkgname);
|
||||
prop_dictionary_get_cstring_nocopy(pkg, "version", &version);
|
||||
prop_dictionary_get_cstring_nocopy(pkg, "short_desc", &desc);
|
||||
assert(pkgname != NULL);
|
||||
assert(version != NULL);
|
||||
assert(desc != NULL);
|
||||
|
||||
if (repo == false)
|
||||
automatic = true;
|
||||
|
||||
printf("Installing %s%s: found version %s ... ",
|
||||
printf("Installing %s%s: found version %s ...\n",
|
||||
automatic ? "dependency " : "", pkgname, version);
|
||||
|
||||
(void)fflush(stdout);
|
||||
|
||||
rv = xbps_unpack_binary_pkg(repo, pkg, destdir, flags);
|
||||
if (rv == 0) {
|
||||
rv = xbps_register_pkg(pkg, pkgname, version, desc, automatic);
|
||||
if (rv != 0) {
|
||||
printf("failed!\n");
|
||||
printf("ERROR: couldn't register %s-%s! (%s)\n",
|
||||
pkgname, version, strerror(rv));
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
printf("done.\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
175
lib/remove.c
175
lib/remove.c
|
@ -36,6 +36,13 @@
|
|||
|
||||
#include <xbps_api.h>
|
||||
|
||||
struct rm_cbarg {
|
||||
const char *destdir;
|
||||
int flags;
|
||||
};
|
||||
|
||||
static int remove_pkg_files(prop_object_t, void *, bool *);
|
||||
|
||||
int
|
||||
xbps_unregister_pkg(const char *pkgname)
|
||||
{
|
||||
|
@ -100,11 +107,74 @@ xbps_remove_binary_pkg_meta(const char *pkgname, const char *destdir, int flags)
|
|||
return rv;
|
||||
}
|
||||
|
||||
static int
|
||||
remove_pkg_files(prop_object_t obj, void *arg, bool *loop_done)
|
||||
{
|
||||
struct rm_cbarg *rmcb = arg;
|
||||
const char *file = NULL, *sha256;
|
||||
char *path = NULL;
|
||||
int rv = 0;
|
||||
|
||||
(void)loop_done;
|
||||
|
||||
prop_dictionary_get_cstring_nocopy(obj, "file", &file);
|
||||
if (file != NULL) {
|
||||
path = xbps_append_full_path(false, rmcb->destdir, file);
|
||||
if (path == NULL)
|
||||
return EINVAL;
|
||||
|
||||
prop_dictionary_get_cstring_nocopy(obj, "sha256", &sha256);
|
||||
if ((rv = xbps_check_file_hash(path, sha256)) == ERANGE) {
|
||||
if (rmcb->flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("WARNING: SHA256 doesn't match for "
|
||||
"file %s, ignoring...\n", file);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if ((rv = unlink(path)) == -1) {
|
||||
if (rmcb->flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("WARNING: can't remove file %s (%s)\n",
|
||||
file, strerror(errno));
|
||||
goto out;
|
||||
}
|
||||
if (rmcb->flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("Removed file: %s\n", file);
|
||||
|
||||
goto out;
|
||||
}
|
||||
|
||||
prop_dictionary_get_cstring_nocopy(obj, "dir", &file);
|
||||
if (file != NULL) {
|
||||
path = xbps_append_full_path(false, rmcb->destdir, file);
|
||||
if (path == NULL)
|
||||
return EINVAL;
|
||||
|
||||
if ((rv = rmdir(path)) == -1) {
|
||||
if (errno == ENOTEMPTY)
|
||||
goto out;
|
||||
|
||||
if (rmcb->flags & XBPS_UNPACK_VERBOSE) {
|
||||
printf("WARNING: can't remove "
|
||||
"directory %s (%s)\n", file,
|
||||
strerror(errno));
|
||||
goto out;
|
||||
}
|
||||
if (rmcb->flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("Removed directory: %s\n", file);
|
||||
}
|
||||
}
|
||||
out:
|
||||
free(path);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
xbps_remove_binary_pkg(const char *pkgname, const char *destdir, int flags)
|
||||
{
|
||||
FILE *flist;
|
||||
char path[PATH_MAX - 1], line[LINE_MAX - 1], *p, *buf;
|
||||
prop_dictionary_t fdict;
|
||||
struct rm_cbarg rmcbarg;
|
||||
char path[PATH_MAX - 1], *buf;
|
||||
int fd, rv = 0;
|
||||
size_t len = 0;
|
||||
bool prepostf = false;
|
||||
|
@ -136,8 +206,8 @@ xbps_remove_binary_pkg(const char *pkgname, const char *destdir, int flags)
|
|||
/* Find out if the prepost-rm file exists */
|
||||
if ((fd = open(buf, O_RDONLY)) == -1) {
|
||||
if (errno != ENOENT) {
|
||||
rv = errno;
|
||||
goto out;
|
||||
free(buf);
|
||||
return errno;
|
||||
}
|
||||
} else {
|
||||
/* Run the preremove action */
|
||||
|
@ -147,89 +217,48 @@ xbps_remove_binary_pkg(const char *pkgname, const char *destdir, int flags)
|
|||
NULL)) != 0) {
|
||||
printf("%s: prerm action target error (%s)\n", pkgname,
|
||||
strerror(errno));
|
||||
goto out;
|
||||
free(buf);
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
(void)snprintf(path, sizeof(path), "%s%s/metadata/%s/flist",
|
||||
/*
|
||||
* Iterate over the pkg file list dictionary and remove all
|
||||
* files/dirs associated.
|
||||
*/
|
||||
(void)snprintf(path, sizeof(path), "%s%s/metadata/%s/files.plist",
|
||||
destdir, XBPS_META_PATH, pkgname);
|
||||
|
||||
if ((flist = fopen(path, "r")) == NULL) {
|
||||
rv = errno;
|
||||
goto out;
|
||||
fdict = prop_dictionary_internalize_from_file(path);
|
||||
if (fdict == NULL) {
|
||||
free(buf);
|
||||
return errno;
|
||||
}
|
||||
|
||||
while (!feof(flist)) {
|
||||
p = fgets(line, sizeof(line), flist);
|
||||
if (p == NULL) {
|
||||
if (feof(flist))
|
||||
break;
|
||||
if (ferror(flist)) {
|
||||
rv = errno;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (strlen(line) == 0 || line[0] == '#' ||
|
||||
isspace((unsigned char)line[0]) != 0)
|
||||
continue;
|
||||
rmcbarg.destdir = destdir;
|
||||
rmcbarg.flags = flags;
|
||||
|
||||
len = strlen(line) + 1;
|
||||
p = calloc(1, len);
|
||||
if (p == NULL) {
|
||||
rv = errno;
|
||||
break;
|
||||
}
|
||||
|
||||
(void)strncpy(p, line, len - 2);
|
||||
(void)snprintf(path, sizeof(path), "%s%s",
|
||||
destdir, p);
|
||||
|
||||
/*
|
||||
* Remove the file or the directory if it's empty.
|
||||
*/
|
||||
if ((rv = unlink(path)) == -1) {
|
||||
if (errno == EISDIR) {
|
||||
if ((rv = rmdir(path)) == -1) {
|
||||
if (errno == ENOTEMPTY) {
|
||||
rv = 0;
|
||||
goto next;
|
||||
}
|
||||
if (flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("WARNING: can't remove "
|
||||
"directory %s (%s)\n",
|
||||
path, strerror(errno));
|
||||
goto next;
|
||||
}
|
||||
if (flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("Removed directory: %s\n", path);
|
||||
goto next;
|
||||
}
|
||||
if (flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("WARNING: can't remove file %s (%s)\n", path,
|
||||
strerror(errno));
|
||||
goto next;
|
||||
}
|
||||
if (flags & XBPS_UNPACK_VERBOSE)
|
||||
printf("Removed file: %s\n", path);
|
||||
next:
|
||||
free(p);
|
||||
p = NULL;
|
||||
rv = xbps_callback_array_iter_in_dict(fdict, "filelist",
|
||||
remove_pkg_files, (void *)&rmcbarg);
|
||||
if (rv != 0) {
|
||||
free(buf);
|
||||
prop_object_release(fdict);
|
||||
return rv;
|
||||
}
|
||||
(void)fclose(flist);
|
||||
prop_object_release(fdict);
|
||||
|
||||
/* If successful, unregister pkg from db */
|
||||
if (rv == 0) {
|
||||
if (((rv = xbps_unregister_pkg(pkgname)) == 0) && prepostf) {
|
||||
/* Run the postremove action target */
|
||||
if ((rv = xbps_file_exec(buf, destdir, "post",
|
||||
pkgname, NULL)) != 0) {
|
||||
printf("%s: postrm action target error (%s)\n",
|
||||
pkgname, strerror(errno));
|
||||
}
|
||||
if (((rv = xbps_unregister_pkg(pkgname)) == 0) && prepostf) {
|
||||
/* Run the postremove action target */
|
||||
if ((rv = xbps_file_exec(buf, destdir, "post",
|
||||
pkgname, NULL)) != 0) {
|
||||
printf("%s: postrm action target error (%s)\n",
|
||||
pkgname, strerror(errno));
|
||||
free(buf);
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
free(buf);
|
||||
rv = xbps_remove_binary_pkg_meta(pkgname, destdir, flags);
|
||||
|
||||
|
|
|
@ -45,6 +45,7 @@ xbps_unpack_binary_pkg(prop_dictionary_t repo, prop_dictionary_t pkg,
|
|||
const char *destdir, int flags)
|
||||
{
|
||||
prop_string_t filename, repoloc, arch;
|
||||
const char *sha256;
|
||||
char *binfile, *path;
|
||||
int rv = 0;
|
||||
|
||||
|
@ -53,6 +54,7 @@ xbps_unpack_binary_pkg(prop_dictionary_t repo, prop_dictionary_t pkg,
|
|||
/* Append filename to the full path for binary pkg */
|
||||
filename = prop_dictionary_get(pkg, "filename");
|
||||
arch = prop_dictionary_get(pkg, "architecture");
|
||||
prop_dictionary_get_cstring_nocopy(pkg, "filename-sha256", &sha256);
|
||||
if (repo)
|
||||
repoloc = prop_dictionary_get(repo, "location-local");
|
||||
else
|
||||
|
@ -72,6 +74,13 @@ xbps_unpack_binary_pkg(prop_dictionary_t repo, prop_dictionary_t pkg,
|
|||
}
|
||||
free(path);
|
||||
|
||||
if ((rv = xbps_check_file_hash(binfile, sha256)) == ERANGE) {
|
||||
printf("ERROR: SHA256 doesn't match for %s!",
|
||||
prop_string_cstring_nocopy(filename));
|
||||
free(binfile);
|
||||
return rv;
|
||||
}
|
||||
|
||||
rv = unpack_archive_init(pkg, destdir, binfile, flags);
|
||||
free(binfile);
|
||||
return rv;
|
||||
|
|
26
lib/util.c
26
lib/util.c
|
@ -28,6 +28,7 @@
|
|||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <sys/utsname.h>
|
||||
|
||||
|
@ -35,6 +36,31 @@
|
|||
|
||||
static const char *rootdir;
|
||||
|
||||
int
|
||||
xbps_check_file_hash(const char *path, const char *sha256)
|
||||
{
|
||||
SHA256_CTX ctx;
|
||||
const char *res;
|
||||
uint8_t buf[BUFSIZ * 20], digest[SHA256_DIGEST_LENGTH * 2 + 1];
|
||||
ssize_t bytes;
|
||||
int fd, rv = 0;
|
||||
|
||||
if ((fd = open(path, O_RDONLY)) == -1)
|
||||
return errno;
|
||||
|
||||
SHA256_Init(&ctx);
|
||||
while ((bytes = read(fd, buf, sizeof(buf))) > 0)
|
||||
SHA256_Update(&ctx, buf, (size_t)bytes);
|
||||
res = SHA256_End(&ctx, digest);
|
||||
|
||||
if (strcmp(sha256, res))
|
||||
rv = ERANGE;
|
||||
|
||||
(void)close(fd);
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
int
|
||||
xbps_check_is_installed_pkg(const char *pkg)
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue