path: root/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch
Diffstat (limited to 'recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch')
-rw-r--r--recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch167
1 files changed, 15 insertions, 152 deletions
diff --git a/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch b/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch
index 7410b1d..b3dd47b 100644
--- a/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch
+++ b/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch
@@ -1,7 +1,7 @@
-From c16e1e7fc16933669ed4be63858edd4082509183 Mon Sep 17 00:00:00 2001
+From cc44bbfb2eaa90284a67ad6d42706e6433abd7ff Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Thu, 3 Nov 2016 11:47:53 +0100
-Subject: [PATCH] ignore xattrs when verifying Manifest files
+Subject: [PATCH 1/3] verify_file: ignore xattrs when verifying Manifest files
When IMA or Smack are active on the client, the downloaded Manifest
files will be assigned certain xattrs (security.ima
@@ -12,170 +12,33 @@ Manifest hashes even if they existed (see write_manifest_plain() in
src/manifest.c).
Therefore the client must ignore xattrs when verifying Manifest files.
-This is the only place where verification gets relaxed. All other locations
-still use xattrs, just as before.
+
+Upstream-Status: Backported [https://github.com/clearlinux/swupd-client/commit/09c26658d346cdd80ea54188d991db3493983176]
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
- include/swupd.h | 2 +-
- src/delta.c | 2 +-
- src/download.c | 6 +++---
- src/hash.c | 6 +++---
- src/helpers.c | 2 +-
- src/manifest.c | 2 +-
- src/scripts.c | 2 +-
- src/verify.c | 4 ++--
- 8 files changed, 13 insertions(+), 13 deletions(-)
+ src/hash.c | 9 ++++++++-
-diff --git a/include/swupd.h b/include/swupd.h
-index e1e1f3d..14e65ab 100644
---- a/include/swupd.h
-+++ b/include/swupd.h
-@@ -225,7 +225,7 @@ extern struct list *recurse_manifest(struct manifest *manifest, const char *comp
- extern struct list *consolidate_files(struct list *files);
- extern void debug_write_manifest(struct manifest *manifest, char *filename);
- extern void populate_file_struct(struct file *file, char *filename);
--extern bool verify_file(struct file *file, char *filename);
-+extern bool verify_file(struct file *file, char *filename, bool use_xattrs);
- extern int verify_bundle_hash(struct manifest *manifest, struct file *bundle);
- extern void unlink_all_staged_content(struct file *file);
- extern void link_renames(struct list *newfiles, struct manifest *from_manifest);
-diff --git a/src/delta.c b/src/delta.c
-index 8172b67..317adde 100644
---- a/src/delta.c
-+++ b/src/delta.c
-@@ -109,7 +109,7 @@ static void do_delta(struct file *file)
- }
- xattrs_copy(origin, filename);
-
-- if (!verify_file(file, filename)) {
-+ if (!verify_file(file, filename, true)) {
- unlink_all_staged_content(file);
- goto out;
- }
-diff --git a/src/download.c b/src/download.c
-index 9ea957d..6d81d81 100644
---- a/src/download.c
-+++ b/src/download.c
-@@ -98,7 +98,7 @@ static int swupd_curl_hashmap_insert(struct file *file)
- string_or_die(&targetfile, "%s/staged/%s", state_dir, file->hash);
-
- if (lstat(targetfile, &stat) == 0) {
-- if (verify_file(file, targetfile)) {
-+ if (verify_file(file, targetfile, true)) {
- free(targetfile);
- pthread_mutex_unlock(&bucket->mutex);
- return 1;
-@@ -260,7 +260,7 @@ int untar_full_download(void *data)
- * NOTE: this should NEVER happen given the checking that happens
- * ahead of queueing a download. But... */
- if (lstat(targetfile, &stat) == 0) {
-- if (verify_file(file, targetfile)) {
-+ if (verify_file(file, targetfile, true)) {
- unlink(tar_dotfile);
- unlink(tarfile);
- free(tar_dotfile);
-@@ -316,7 +316,7 @@ int untar_full_download(void *data)
- }
-
- err = lstat(targetfile, &stat);
-- if (!err && !verify_file(file, targetfile)) {
-+ if (!err && !verify_file(file, targetfile, true)) {
- /* Download was successful but the hash was bad. This is fatal*/
- printf("Error: File content hash mismatch for %s (bad server data?)\n", targetfile);
- exit(EXIT_FAILURE);
diff --git a/src/hash.c b/src/hash.c
-index 34da6eb..00a6802 100644
+index 1e61454..9553644 100644
--- a/src/hash.c
+++ b/src/hash.c
-@@ -226,7 +226,7 @@ int compute_hash(struct file *file, char *filename)
- return 0;
- }
-
--bool verify_file(struct file *file, char *filename)
-+bool verify_file(struct file *file, char *filename, bool use_xattrs)
- {
- struct file *local = calloc(1, sizeof(struct file));
-
-@@ -235,7 +235,7 @@ bool verify_file(struct file *file, char *filename)
+@@ -236,7 +236,14 @@ bool verify_file(struct file *file, char *filename)
}
local->filename = file->filename;
- local->use_xattrs = true;
-+ local->use_xattrs = use_xattrs;
++ /*
++ * xattrs are currently not supported for manifest files.
++ * They are data files produced by the swupd-server and
++ * therefore do not have any of the xattrs normally
++ * set for the actual system files (like security.ima
++ * when using IMA or security.SMACK64 when using Smack).
++ */
++ local->use_xattrs = !file->is_manifest;
populate_file_struct(local, filename);
if (compute_hash(local, filename) != 0) {
-@@ -275,7 +275,7 @@ int verify_bundle_hash(struct manifest *manifest, struct file *bundle)
- string_or_die(&local, "%s/%i/Manifest.%s", state_dir,
- current->last_change, current->filename);
-
-- if (!verify_file(bundle, local)) {
-+ if (!verify_file(bundle, local, false)) {
- printf("Warning: hash check failed for Manifest.%s\n",
- current->filename);
- ret = 0;
-diff --git a/src/helpers.c b/src/helpers.c
-index e71688c..01fd4a3 100644
---- a/src/helpers.c
-+++ b/src/helpers.c
-@@ -787,7 +787,7 @@ int verify_fix_path(char *targetpath, struct manifest *target_MoM)
-
- ret = stat(target, &sb);
- if (ret == 0) {
-- if (verify_file(file, target)) {
-+ if (verify_file(file, target, true)) {
- continue;
- }
- printf("Hash did not match for path : %s\n", path);
-diff --git a/src/manifest.c b/src/manifest.c
-index 2b57d3d..ee6d29a 100644
---- a/src/manifest.c
-+++ b/src/manifest.c
-@@ -674,7 +674,7 @@ struct list *create_update_list(struct manifest *current, struct manifest *serve
- if (fullname == NULL) {
- abort();
- }
-- if (verify_file(file, fullname)) {
-+ if (verify_file(file, fullname, true)) {
- free(fullname);
- continue;
- }
-diff --git a/src/scripts.c b/src/scripts.c
-index 59417af..c2157f7 100644
---- a/src/scripts.c
-+++ b/src/scripts.c
-@@ -127,7 +127,7 @@ void run_preupdate_scripts(struct manifest *manifest)
- }
-
- /* Check that system file matches file in manifest */
-- if (verify_file(file, script)) {
-+ if (verify_file(file, script, true)) {
- system(script);
- break;
- }
-diff --git a/src/verify.c b/src/verify.c
-index 1514988..eaf9dd8 100644
---- a/src/verify.c
-+++ b/src/verify.c
-@@ -462,7 +462,7 @@ static void deal_with_hash_mismatches(struct manifest *official_manifest, bool r
- if (fullname == NULL) {
- abort();
- }
-- if (verify_file(file, fullname)) {
-+ if (verify_file(file, fullname, true)) {
- free(fullname);
- continue;
- } else {
-@@ -483,7 +483,7 @@ static void deal_with_hash_mismatches(struct manifest *official_manifest, bool r
- }
-
- /* at the end of all this, verify the hash again to judge success */
-- if (verify_file(file, fullname)) {
-+ if (verify_file(file, fullname, true)) {
- file_fixed_count++;
- printf("\tfixed\n");
- } else {
--
2.1.4
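Review bot: With `local->use_xattrs = !file->is_manifest;` inside verify_file(), the decision to skip xattrs no longer rests with a single caller but with a flag on the `struct file` being checked; in the removed version only verify_bundle_hash() passed `false` and every other call site passed `true`. Where `is_manifest` gets set is not visible in this patch, so if it is filled in from parsed manifest entries, every verify_file() caller (staged downloads, pre-update scripts, system-file verification) would hash without xattrs for any entry carrying that flag. It is worth confirming that only Manifest entries can have it set, and then recording that in the new comment, e.g. `/* is_manifest is set only for Manifest entries; all other files are still hashed with xattrs. */`. The body of verify_file() starts and ends outside the hunk, so the failure paths after compute_hash() could not be checked here. Separately, the added trailer reads `Upstream-Status: Backported`, whereas the OpenEmbedded convention spells the value `Backport`.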