author | Carlo Landmeter <clandmeter@alpinelinux.org> | 2018-07-04 12:50:58 +0000 |
---|---|---|
committer | Carlo Landmeter <clandmeter@alpinelinux.org> | 2019-01-27 12:30:08 +0000 |
commit | 7e1d41d60966a16411f81e8df0c904b472514993 (patch) | |
tree | 8d2df2bd7d7b4a10b350d051418e6dde6153a4aa | |
parent | 392aa6fce2d4464c4f2d972a870aec6bf1416920 (diff) | |
main/openrc: add modloop signature verification
-rw-r--r-- | main/openrc/APKBUILD | 4 | ||||
-rwxr-xr-x[-rw-r--r--] | main/openrc/modloop.initd | 22 |
2 files changed, 23 insertions, 3 deletions
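--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openrc
 pkgver=0.39.2
 _ver=${pkgver/_git*/}
-pkgrel=2
+pkgrel=3
 pkgdesc="OpenRC manages the services, startup and shutdown of a host"
 url="https://gitweb.gentoo.org/proj/openrc.git"
 arch="all"
@@ -96,7 +96,7 @@ e56ea82dbf8bf6b4cff4fa48db8e4f06589094ba99aad930fc498e2fe235db6ce2afe96e2bc047dd
 259552165ee5e9ca973bbe18d1d9ec5cc67526cb26a9e0ac717076ef4913bb7ff4055d6ccb9f77996ed9c00b67f46edba552e1a21b836068a112dda2428502b3 hostname.initd
 c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
 b04058ec630e19de0bafefe06198dc1bff8c8d5d2c89e4660dd83dda8bb82a76cdb1d8661cce88e4a406aa6b4152e17efff52d3eb18ffaec0751d0b6cdbcc48a modules.initd
-27c036a2c07f658f7fb1e066c59dc494674ba0d81bcb85fea9caffec28ee537eb11e863e20aa4b1c88607f12496ac66d5b092c787c86ff8b8a80e423a8d99440 modloop.initd
+595098085d5a1204e3c5af59bb4a3b3d1fb2980db77925995aa1ec43ef5ae378cef736ddc7924191a99d39c93891d59274fbba08127b15d584c2f82b067ef683 modloop.initd
 55df0ac13dac1f215f0c573ac07b150d31232a5204eccfc8941d5af73f91b4535a85d79b7f6514217038ecbe6bffa28cb83fd8d46fd4c596e07103deb8bc8a57 networking.initd
 80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2 modloop.confd
 d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed348a89741ef0b2427eb6a7cbf5a9b9ff60a240639fa6ec88 sysfsconf.initd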
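--- a/main/openrc/modloop.initd
+++ b/main/openrc/modloop.initd
@@ -31,6 +31,7 @@ find_modloop() {
 IFS="$oifs"
 for line; do
 img=${line%%:*}
+verify_modloop "$img" || eerror "Failed to verify signature of $img!"
 mount "$img" -o loop,ro /.modloop || continue
 if [ -d /.modloop/modules/$kver ]; then
 return 0
@@ -40,6 +41,22 @@ find_modloop() {
 return 1
 }
 
+verify_modloop() {
+local modloop=$1 key=
+for key in /etc/apk/keys/*.pub; do
+local sig=/var/cache/misc/${modloop##*/}.SIGN.RSA.${key##*/}
+if [ -f "$sig" ]; then
+if ! command -v openssl > /dev/null; then
+ewarn "Missing openssl. Modloop verification disabled!"
+return 0
+fi
+einfo "Verifying modloop"
+openssl dgst -sha1 -verify "$key" -signature "$sig" "$modloop" \
+>/dev/null 2>&1 || return 1
+fi
+done
+}
+
 find_backing_file() {
 local dir="$1"
 local dev=$(df -P "$dir" | tail -1 | awk '{print $1}')
@@ -54,7 +71,9 @@ start() {
 case "$KOPT_modloop" in
 http://*|https://*|ftp://*)
 modloop=$modloop_dldir/${KOPT_modloop##*/}
-[ ! -f "$modloop" ] && wget -P "$modloop_dldir" "$KOPT_modloop"
+if [ ! -f "$modloop" ]; then
+wget -P "$modloop_dldir" "$KOPT_modloop" || eend 1
+fi
 ;;
 *)
 for dir in $(mountdirs); do
@@ -69,6 +88,7 @@ start() {
 
 ebegin "Mounting modloop $modloop"
 if [ -n "$modloop" ]; then
+verify_modloop "$modloop" || eerror "Failed to verify signature of $img!"
 mount -o loop,ro $modloop /.modloop
 eend $? || return 1
 else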
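Review bot: A failed signature check does not stop the mount: in both find_modloop() and start() the added line is `verify_modloop ... || eerror ...`, which only logs and then falls through to `mount`, so an image whose signature does not verify is still loop-mounted. The failure should be fatal, e.g. `verify_modloop "$img" || { eerror "Failed to verify signature of $img!"; continue; }` in the loop and `verify_modloop "$modloop" || { eerror "Failed to verify signature of $modloop!"; eend 1; return 1; }` in start(); the message in start() currently prints `$img`, which start() does not set in the visible lines. verify_modloop() also returns 0 when no `.SIGN.RSA.*` file is present or when openssl is missing, so deleting the signature file skips the check entirely; if that is a deliberate compatibility choice it deserves a comment such as `# unsigned modloops are accepted for backward compatibility`, and it matters most on the `http://`/`ftp://` download path. Both find_modloop() and start() continue outside the hunks shown.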