From 598563e0b68bdf97de0d95988fd1f501aeb7c237 Mon Sep 17 00:00:00 2001 From: Karol Lewandowski Date: Wed, 6 Sep 2023 12:36:13 +0200 Subject: [PATCH] pkg_manager, generator: Ensure files are installed accessible All files should be readable except for rootfs.img, which are used only for mounting data filesystem. Additionally, change generator to check rootfs.img accessability only when mount unit is being setup (to skip it during user-services setup). Change-Id: Id7740cbd91aa6c08277813bd6d116cb82f73b282 --- packaging/isu.spec | 2 +- src/pkg_manager/isu | 18 +++++++++++++++++- src/systemd_generator/isu-generator | 10 ++++++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/packaging/isu.spec b/packaging/isu.spec index 4934153..b20906d 100644 --- a/packaging/isu.spec +++ b/packaging/isu.spec @@ -1,6 +1,6 @@ Summary: Individual Service Upgrade support Name: isu -Version: 8.0.4 +Version: 8.0.5 Release: 1 Source0: %{name}-%{version}.tar.gz License: MIT diff --git a/src/pkg_manager/isu b/src/pkg_manager/isu index b4e89e5..c6fbd56 100755 --- a/src/pkg_manager/isu +++ b/src/pkg_manager/isu @@ -73,6 +73,16 @@ function verify_checksum() return $res } +function fixup_permissions() +{ + local pkg_path="$1" + find "$pkg_path" \ + \( -type f \( -exec chmod 644 '{}' \; -and -exec chsmack -a _ '{}' \; \) \) -o \ + \( -type d \( -exec chmod 755 '{}' \; -and -exec chsmack -a _ '{}' \; \) \) + chmod 0400 "$pkg_path"/rootfs.img + return 0 +} + function install_pkg() { local pkg_file="$1" @@ -86,9 +96,15 @@ function install_pkg() local temp_path=$(mktemp -d) if ! unzip "$pkg_file" -d "$temp_path" > /dev/null; then - echo "ISU Package installation error" + echo "Unable to extract ISU package" return $PKG_INSTALL_ERROR fi + + if ! fixup_permissions "$temp_path"; then + echo "Unable to santize ISU package files permissions" + return $PKG_INSTALL_ERROR + fi + local pkg_name=$(grep -e '^name' "$temp_path/isu.cfg" | head -n 1 | awk -F '=' '{gsub(/[ ]+/,""); print $2}') if [ -z "$pkg_name" ]; then echo "Invalid package name in isu.cfg" diff --git a/src/systemd_generator/isu-generator b/src/systemd_generator/isu-generator index c930c2a..8f82ba1 100755 --- a/src/systemd_generator/isu-generator +++ b/src/systemd_generator/isu-generator @@ -87,6 +87,12 @@ install_mount_unit() local mount_unit="run-isu-$(systemd-escape ${isu_pkg_name})-rootfs.mount" if [ ! -r "$UNITDIR/$mount_unit" ]; then + + if ! test -r "$i"/rootfs.img; then + echo "Can not access rootfs.img. Skipping $isu_pkg_name" + return 1 + fi + # generate mount unit for ISU image and extend the service file to use it # if mount unit already exists, it means it's been generated by previous # install_mount_unit() invocation - for the same ISU package, but different @@ -127,7 +133,7 @@ isu_prepare_system() echo "Public key verification succeeded for $isu_pkg_dir" fi - if [ -s "$cksum_path" ]; then + if [ -s "$cksum_path" ]; then pushd "$isu_pkg_dir" if ! sha256sum -c --status "$cksum_path"; then popd @@ -178,7 +184,7 @@ isu_prepare() # assume isu packages are extracted for i in "$PKGDIR"/*; do - if ! test -d "$i" -a -r "$i"/rootfs.img -a -r "$i"/isu.cfg; then + if ! test -d "$i" -a -r "$i"/isu.cfg; then echo "Can not access essential ISU package data. Skipping $PKGDIR" continue fi -- 2.7.4