From 25bbefcdd9424ed1b6ef35a39e84420fc4cce322 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 26 May 2024 19:54:29 +0200 Subject: [PATCH] apk: limit CONFIG_IPK_FILES_CHECKSUMS config to OPKG Limit CONFIG_IPK_FILES_CHECKSUMS config to OPKG as APK have different way to validate package integrity (apk audit) Link: https://github.com/openwrt/openwrt/pull/15543 Signed-off-by: Christian Marangi --- config/Config-build.in | 1 + include/package-pack.mk | 13 ++++--------- package/base-files/files/sbin/pkg_check | 19 +++++++++++++------ 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/config/Config-build.in b/config/Config-build.in index 292899df6b..ed4feb58c2 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -113,6 +113,7 @@ menu "Global build settings" config IPK_FILES_CHECKSUMS bool prompt "Record files checksums in package metadata" + depends on !USE_APK help This makes file checksums part of package metadata. It increases size but provides you with pkg_check command to check for flash corruptions. diff --git a/include/package-pack.mk b/include/package-pack.mk index 26a3278834..33247be024 100644 --- a/include/package-pack.mk +++ b/include/package-pack.mk @@ -226,15 +226,6 @@ endif $(RSTRIP) $$(IDIR_$(1)) - ifneq ($$(CONFIG_IPK_FILES_CHECKSUMS),) - (cd $$(IDIR_$(1)); \ - ( \ - find . -type f \! -path ./CONTROL/\* -exec $(MKHASH) sha256 -n \{\} \; 2> /dev/null | \ - sed 's|\([[:blank:]]\)\./| \1/|' > $$(IDIR_$(1))/CONTROL/files-sha256sum \ - ) || true \ - ) - endif - ifneq ($$(KEEP_$(1)),) @( \ keepfiles=""; \ @@ -329,6 +320,10 @@ else rm -rf $$(IDIR_$(1))/CONTROL/conffiles; \ fi + ifneq ($$(CONFIG_IPK_FILES_CHECKSUMS),) + if [ -f $$(IDIR_$(1))/CONTROL/files-sha256sum ]; then mv -f $$(IDIR_$(1))/CONTROL/files-sha256sum $$(IDIR_$(1))/lib/apk/packages/$(1).files-sha256sum; fi + endif + if [ -z "$$$$(ls -A $$(IDIR_$(1))/CONTROL 2>/dev/null)" ]; then \ rm -rf $$(IDIR_$(1))/CONTROL; \ else \ 
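Review bot: The added `ifneq ($$(CONFIG_IPK_FILES_CHECKSUMS),)` block in the second package-pack.mk hunk moves `CONTROL/files-sha256sum` into `lib/apk/packages/`, but the first hunk deletes the only generator of that file visible in this patch, and Config-build.in now makes the option depend on `!USE_APK`. If this `else` branch is the APK packing path (inferred from the destination directory), the condition can no longer be true there, and the `[ -f … ]` guard hides that nothing is ever moved. Either drop the block or state the intent in a comment such as `# checksums are OPKG-only; APK images rely on apk audit`, so nobody assumes pkg_check has data to verify on APK systems. The enclosing recipe starts and ends outside the hunk.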
diff --git a/package/base-files/files/sbin/pkg_check b/package/base-files/files/sbin/pkg_check index 28e87925ae..dcddbebc7d 100755 --- a/package/base-files/files/sbin/pkg_check +++ b/package/base-files/files/sbin/pkg_check @@ -23,6 +23,13 @@ MISSING="" SUMMARY="" NL=" " +if [ -d /usr/lib/opkg ]; then + IPKG_INFO_DIR=/usr/lib/opkg/info +elif [ -d /lib/apk ]; + IPKG_INFO_DIR=/lib/apk/packages +else + exti 1 +fi # Arguments parsing while expr "x$1" : "x-" > /dev/null; do @@ -49,12 +56,12 @@ done # Check all packages by default if [ -z "$1" ]; then - set $(cd /usr/lib/opkg/info/; for i in *.files-sha256sum; do basename $i .files-sha256sum; done) + set $(cd $IPKG_INFO_DIR; for i in *.files-sha256sum; do basename $i .files-sha256sum; done) fi # Iterate over packages while [ "$1" ]; do - if [ \! -f "/usr/lib/opkg/info/$1.files-sha256sum" ]; then + if [ \! -f "$IPKG_INFO_DIR/$1.files-sha256sum" ]; then if [ "$ERRFATAL" = no ]; then echo " * No checksums for $1 - skipping" echo @@ -72,13 +79,13 @@ while [ "$1" ]; do fi [ $QUIET = yes ] || echo " * Checking package $1:" ERR="" - CHECK="$(sha256sum -c /usr/lib/opkg/info/$1.files-sha256sum 2> /dev/null)" + CHECK="$(sha256sum -c $IPKG_INFO_DIR/$1.files-sha256sum 2> /dev/null)" # Are the changed files config files? - if [ $? -ne 0 ] && [ "$(cat "/usr/lib/opkg/info/$1.files-sha256sum")" ]; then + if [ $? -ne 0 ] && [ "$(cat "$IPKG_INFO_DIR/$1.files-sha256sum")" ]; then NEWCHECK="$(echo "$CHECK" | grep '^.*: OK$')" for i in $(echo "$CHECK" | sed -n 's|^\(.*\): FAILED$|\1|p'); do - if [ "$(grep "^$i\$" "/usr/lib/opkg/info/$1.conffiles" 2> /dev/null)" ] || \ + if [ "$(grep "^$i\$" "$IPKG_INFO_DIR/$1.conffiles" 2> /dev/null)" ] || \ [ "$(echo "$i" | grep "^/etc/uci-defaults/")" ]; then NEWCHECK="${NEWCHECK}${NL}${i}: CONFIGURED" else 
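Review bot: The new directory-selection block at the top of pkg_check does not parse: `elif [ -d /lib/apk ];` has no `then`, and the fallback calls `exti 1` instead of `exit 1`. The shell stops with a syntax error before any checksum is verified, so the integrity tool is unusable on every image that ships this file. The lines should read `elif [ -d /lib/apk ]; then` and `exit 1`, preferably preceded by `echo "pkg_check: no package database found" >&2` so the failure is explained. Running `sh -n` over the script in CI would catch this class of error.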
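Review bot: `cd $IPKG_INFO_DIR;` inside the `set $(…)` substitution is unquoted and its failure is ignored, so if the info directory is missing the `*.files-sha256sum` glob is evaluated in the caller's working directory and whatever matches there becomes the package list. Use `cd "$IPKG_INFO_DIR" || exit 1;` and `set -- $(…)`; without `--`, an empty result makes `set` dump every shell variable and a name starting with `-` is taken as an option. The same unquoted expansion appears in the next hunk as `sha256sum -c $IPKG_INFO_DIR/$1.files-sha256sum`, where `$1` comes from the command line. Quote it as `"$IPKG_INFO_DIR/$1.files-sha256sum"`, like the neighbouring `-f` and `cat` tests. The `while` loop that follows continues outside the hunk.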
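Review bot: The conffile test `grep "^$i\$" "$IPKG_INFO_DIR/$1.conffiles"` uses the failed file's path as a regular expression, so `.` and other metacharacters match loosely. A modified file can then be reported as CONFIGURED instead of FAILED when a different conffile entry happens to match. For an integrity checker the comparison should be literal and whole-line, tested by exit status: `grep -Fxq -- "$i" "$IPKG_INFO_DIR/$1.conffiles" 2> /dev/null`. The surrounding `for i in $(…)` loop also word-splits paths that contain whitespace. Both sit on lines this hunk only re-points at `$IPKG_INFO_DIR`, and the loop body continues outside the hunk.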
@@ -91,7 +98,7 @@ while [ "$1" ]; do # Do we have changed files or not? if [ -z "$ERR" ]; then - [ $QUIET = yes ] || [ ! -s "/usr/lib/opkg/info/$1.files-sha256sum" ] || echo "$CHECK" | sed 's|^| - |' + [ $QUIET = yes ] || [ ! -s "$IPKG_INFO_DIR/$1.files-sha256sum" ] || echo "$CHECK" | sed 's|^| - |' [ $QUIET = yes ] || echo " * Package $1 is ok" [ $QUIET = yes ] || echo else -- 2.30.2