/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* The purpose of this lex specification is to estimate the
* correctness of the various scripts that accompany packages. It
* is not flawless, but it is a better review than that of prior
* package validators. It looks for indications of interaction,
* root calls and attempts to modify locked files.
*/
%e 1500
%p 3500
%s WHROOT
%{
#define input() (((yytchar=yysptr>yysbuf?U(*--yysptr):getc(scr_fp))==10?(yylineno++,yytchar):yytchar)==EOF?0:yytchar)
#define ROOT_D 0x00000002
#define LOCKED_D 0x00000004
#define LOCKED_M 0x00040000
#define INITVAL 0x40000000
/* Abbreviations */
/* Things the preinstall and preremove scripts can't do. */
/*
* Things the class action script can't do. Don't get the impression that
* this means the class action script can be interactive; but, it can
* legitimately read stdin (which is what INTERACT tests for).
*/
/* Things the postinstall and postremove scripts can't do. */
/* Things the request script can't do. */
/* Things the checkinstall script can't do. */
/* Nothing definite - not worth returning an error */
#define WRN_INST_F "WARNING: script <%s> uses installf but no " \
"installf -f was detected."
#define WRN_REM_F "WARNING: script <%s> uses removef but no " \
"removef -f was detected."
#define WRN_INTERACT "WARNING: script <%s> may require " \
"user interaction at line <%d>."
#define WRN_LOCKED "WARNING: script <%s> may seek access to the " \
"transitional package database at line <%d>. " \
"This is safest in the postinstall or " \
"postremove script."
#define WRN_ROOT "WARNING: script <%s> may not have permission " \
"to execute line <%d>."
#define WRN_FORM_ARG "WARNING: not sure where script <%s> gets the "\
"parameter at line <%d>."
#define WRN_FORM_USE "WARNING: script <%s> questionable usage of "\
"parameter at line <%d>."
#define WRN_TRANSDB "WARNING: script <%s> questionable read " \
"of package database at line <%d>. An " \
"intermediate buffer may be appropriate."
#define WRN_SPACEACC "WARNING: script <%s> updates the package database " \
"but provides no space file to account for " \
"the additional package object."
#define ERR_INTERACT "ERROR: script <%s> requires user " \
"interaction at line <%d>."
#define ERR_LOCKED "ERROR: script <%s> attempts to modify locked " \
"package database at line <%d>."
#define ERR_ROOT "ERROR: script <%s> requires root permission at " \
"line <%d>."
#define ERR_FOPEN "ERROR: Cannot evaluate script <%s>, errno=%d."
#define ERR_ARGS "ERROR: scripteval() - no script provided for " \
"evaluation."
extern int errno;
static int line_no; /* current line number */
int pipe_release = 0; /* loop level for release of pipe */
int loop_depth = 0; /* current number of nested loops */
int case_depth = 0; /* same for case ... */
int if_depth = 0; /* ... and if statements */
int cur_level = 0; /* current number of nested anything */
int braces = 0; /* depth into a function */
int lock_level = 0;
int root_level = 0;
struct statstrct {
unsigned int in_function:1;
unsigned int in_pipe:1;
unsigned int in_loop:1;
unsigned int in_case:1;
unsigned int in_if:1;
unsigned int in_awk:1;
unsigned int pkg_rtn_done:1;
unsigned int pkgchk_f:1;
unsigned int instf:1;
unsigned int instf_f:1;
unsigned int remf:1;
unsigned int remf_f:1;
unsigned int nospacefile:1;
unsigned int needspacefile:1;
} status = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
%}
%%
%{
/*
* Validate a few OK patterns that look like bad patterns. These include:
* 1. comments
* 2. quoted strings
* 3. writes to $1 (request script)
* 4. reads from $1 (CAS)
*/
%}
#.*$ {
return INITVAL;
else
REJECT; /* No comments in the middle of an awk statement */
}
%{
%}
\>[ \t]*"/tmp" return INITVAL;
%{
/* If it's escaped, the next entry may as well be a space. */
%}
\\ {
char ch;
line_no++;
unput(' ');
}
%{
/* In the quotes is OK. */
%}
\" {
char ch;
while ((ch = input()) != '\"') {
if (ch == '\\') {
input(); /* Read this into the bit bucket. */
continue;
}
if (ch == '\n')
line_no++;
else if (ch == '\0')
return (0); /* EOF */
}
}
%{
/* In the single quotes is OK if they aren't associated with an awk script. */
%}
\' {
char ch;
if (status.in_awk != 0) {
REJECT;;
}
while ((ch = input()) != '\'') {
if (ch == '\\') {
input(); /* Read this into the bit bucket. */
continue;
}
if (ch == '\n')
line_no++;
else if (ch == '\0')
return (0); /* EOF */
}
}
%{
/*
* Check for use of parameters passed to the script.
* 1. writes to $1 as though it were a file
* 2. use of $1 in any capacity
* 3. use of other parameters
* Within a function or an awk script, these parameters aren't
* the one's of interest.
*/
%}
\>[\t ]*\$1/[\t\n ] {
if (status.in_function == 0 && status.in_awk == 0)
return (WPARM1_M);
}
^$1/[\t\n ] |
[\t ]$1/[\t\n ] {
if (status.in_function == 0 && status.in_awk == 0)
return (USEPARM1_M);
}
\$[2-9] |
\$[0-9][0-9]+ {
if (status.in_function == 0 && status.in_awk == 0)
return (ODDPARM_M);
}
%{
/*
* Detect shell function.
*/
%}
"()"[ \t]*\n[ \t]*/\{ { status.in_function = 1; line_no++; }
"()"[ ]*/\{ status.in_function = 1;
"{" {
if (status.in_function == 1)
braces++;
}
"}" {
if (status.in_function == 1) {
braces--;
if (braces == 0)
status.in_function = 0;
}
}
%{
/*
* Detect for or while loop.
*/
%}
^for/[\t\n ] |
^[\t ]+for/[\t\n ] |
^while/[\t\n ] |
^[\t ]+while/[\t\n ] {
status.in_loop = 1;
loop_depth++;
cur_level++;
REJECT; /* What's in the argument is important too. */
}
^done/[\t\n ] |
^[\t ]+done/[\t\n ] {
if (status.in_loop == 1) {
loop_depth--;
cur_level--;
if (loop_depth == 0)
status.in_loop = 0;
}
}
%{
/*
* Detect case.
*/
%}
^case/[\t\n ] |
^[\t ]+case/[\t\n ] {
status.in_case = 1;
case_depth++;
cur_level++;
REJECT; /* What's in the argument is important too. */
}
^esac/[\t\n ] |
^[\t ]+esac/[\t\n ] {
if (status.in_case == 1) {
case_depth--;
cur_level--;
if (case_depth == 0)
status.in_case = 0;
}
}
%{
/*
* Detect if.
*/
%}
^if" "*"[" |
^[\t ]+if" "*"[" {
status.in_if = 1;
if_depth++;
cur_level++;
REJECT; /* What's in the argument is important too. */
}
^fi/[\t\n ] |
^[\t ]+fi/[\t\n ] {
if (status.in_if == 1) {
if_depth--;
cur_level--;
if (if_depth == 0)
status.in_if = 0;
}
}
%{
/*
* Detect awk or nawk function. If the function is enclosed in "`"s
* the entire line will be grabbed., so we check for that possibility.
*/
%}
^n?awk[^\n^']*\' |
[\t \\\(\/]n?awk[^\n^']*\' {status.in_awk = 1;
#ifdef VERBOSE
#endif
}
\' {
if (status.in_awk == 1) {
#ifdef VERBOSE
#endif
status.in_awk = 0;
}
}
%{
/* Detect pipe target. */
%}
[\$A-Za-z] {
if (status.in_pipe == 1 && pipe_release == cur_level) {
status.in_pipe = 0; /* target located */
pipe_release = 0;
#ifdef VERBOSE
#endif
status.allow_int = 1; /* this isn't really interactive. */
REJECT; /* put it back */
}
}
%{
/* If it's a pipe, note that and continue. */
%}
"||" |
"|" {
if (status.in_pipe == 0) {
status.in_pipe = 1;
#ifdef VERBOSE
#endif
pipe_release = cur_level;
}
}
%{
/*
* Test input for admin-type telltale interactive functions. Definite's
* first, maybe's next.
*/
%}
^ckdate/[\t\n ] |
[\t \/]ckdate/[\t\n ] |
^ckint/[\t\n ] |
[\t \/]ckint/[\t\n ] |
^ckrange/[\t\n ] |
[\t \/]ckrange/[\t\n ] |
^cktime/[\t\n ] |
[\t \/]cktime/[\t\n ] |
^ckyorn/[\t\n ] |
[\t \/]ckyorn/[\t\n ] |
^ckgid/[\t\n ] |
[\t \/]ckgid/[\t\n ] |
^ckpath/[\t\n ] |
[\t \/]ckpath/[\t\n ] |
^ckstr/[\t\n ] |
[\t \/]ckstr/[\t\n ] |
^ckuid/[\t\n ] |
[\t \/]ckuid/[\t\n ] {
if (status.in_pipe == 1 || status.allow_int == 1)
return (INITVAL);
else
return (INTERACT_M); /* maybe should be _D */
}
^read/[\t\n ] |
[\t ]read/[\t\n ] |
"=[ ]+&<"[\t ] {
if (status.in_pipe == 1 || status.allow_int == 1)
return (INITVAL);
else
return (INTERACT_M);
}
%{
/* Scan for root authority commands. Definite's first, maybe's next. */
%}
^mkdir/[\t\n ] |
[\t \/]mkdir/[\t\n ] |
^mv/[\t\n ] |
[\t \/]mv/[\t\n ] |
^cpio/[\t\n ] |
[\t \/]cpio/[\t\n ] |
^tar/[\t\n ] |
[\t \/]tar/[\t\n ] |
^(un)?compress/[\t\n ] |
[\t \/](un)?compress/[\t\n ] |
^rmdir/[\t\n ] |
[\t \/]rmdir/[\t\n ] return (ROOT_D);
^r?cp(dir)?/[\t\n ] |
[\t \/]r?cp(dir)?/[\t\n ] |
^rm/[\t\n ] |
[\t \/]rm/[\t\n ] |
\>[ \t]*[\$\/a-zA-Z0-9] return (ROOT_M);
%{
/* These root commands may also be locked. */
/* Here we analyze any pkgchk calls. If it's "pkgchk ... -f ..." then that calls for root authority. We then check for a "-R" argument. */
%}
^pkgchk[^\n^|^>^;]*"-f" |
[\t \/]pkgchk[^\n^|^>^;]*"-f" {
status.pkgchk_f = 1;
REJECT; /* We need the intermediate args. */
}
%{
/* If it's "pkgchk ... -R ..." then the local package database is not being tested and no database warning is necessary. */
%}
^pkgchk[^\n^|^>^;]*"-R"[ \t][\/\$]/[^ ^\t^\n] |
[\t \/]pkgchk[^\n^|^>^;]*"-R"[ \t][\/\$]/[^ ^\t^\n] {
if (status.pkgchk_f)
return (ROOT_D);
else
return (INITVAL);
}
%{
/* If it's just "pkgchk ..." then we need to mention something about access to the package database. With Solaris 2.5, an improved locking mechanism is in place, so this message may be something we can drop later. */
%}
^pkgchk/[\t\n ] |
[\t \/]pkgchk/[\t\n ] {
if (status.pkgchk_f) {
status.pkgchk_f = 0;
return (ROOT_D | PKGDB_M);
} else
return (PKGDB_M);
}
%{
/* The installf and removef utilities require root authority, they modify the package database and they must be invoked at least once with a "-f" argument. */
/* First test for a "-f" argument. */
%}
^installf[^\n^|^>^;]*"-f" |
[\t \/]installf[^\n^|^>^;]*"-f" {
status.instf_f = 1;
REJECT; /* The whole line needs to be re-reviewed. */
}
^removef[^\n^|^>^;]*"-f" |
[\t \/]removef[^\n^|^>^;]*"-f" {
status.remf_f = 1;
REJECT; /* The whole line needs to be re-reviewed. */
}
^installf/[\t\n ] |
[\t \/]installf/[\t\n ] {
status.instf = 1;
status.needspacefile = 1;
root_level = ROOT_D;
lock_level = LOCKED_M;
BEGIN WHROOT;
}
^removef/[\t\n ] |
[\t \/]removef/[\t\n ] {
status.remf = 1;
root_level = ROOT_D;
lock_level = LOCKED_M;
BEGIN WHROOT;
}
%{
/* There's no question that use of a pkgadd or pkgrm in a script is bound to cause problems unless it is to a different root. */
%}
^pkgadd/[\t\n ] |
[\t \/]pkgadd/[\t\n ] |
^pkgrm/[\t\n ] |
[\t \/]pkgrm/[\t\n ] {
root_level = ROOT_D;
lock_level = LOCKED_D;
BEGIN WHROOT;
}
%{
/* The only way to get here is if we are in the middle of a pkg command. */
%}
<WHROOT>. {
if (status.pkg_rtn_done) {
status.pkg_rtn_done = 0;
BEGIN 0;
} else
REJECT;
}
<WHROOT>[ \t]+"-R"[ \t][\/\$]/[^ ^\t^\n] {
status.pkg_rtn_done = 1;
return (root_level); /* "-R" means locking is unlikely. */
}
<WHROOT>[\n] {
if (status.pkg_rtn_done) {
status.pkg_rtn_done = 0;
line_no++;
BEGIN 0;
} else {
status.pkg_rtn_done = 1;
unput('\n');
return (root_level | lock_level); /* No "-R". */
}
}
<WHROOT>[;|>] {
status.pkg_rtn_done = 1;
return (root_level | lock_level); /* End of command without a "-R". */
}
\n { line_no++; status.allow_int = 0;
#ifdef VERBOSE
#endif
}
. {
/*
XXX - bug - resets prematurely if we pipe into a while loop or
other such construct
status.allow_int = 0;
*/
}
%%
#include <stdio.h>
#include <limits.h>
#include <dirent.h>
#include <unistd.h>
#include <libintl.h>
#ifdef DEBUG
/*
* Since this is a lex specification twice removed from the binary,
* I strongly recommend leaving the DEBUG portions in place. When new
* keywords are added, this will be very important. After modifying
* the specification, create an executable to test in this way.
*
* lex scriptvfy.l
* -DDEBUG [-DVERBOSE] -ll -lintl
* scriptvfy test_directory
*/
main(int argc, char *argv[])
{
int val;
line_no = 1;
if (argc == 1) {
exit(1);
}
val = checkscripts(argv[1], 0);
}
#endif
/*
* This function evaluates the provided script and returns a bit string
* describing what patterns were located.
*/
static int
scripteval(char *script_name, char *script_path, int mask, int silent)
{
int val = 0;
int error = 0;
line_no = 1;
if ((script_path == NULL) || (*script_path == NULL) ||
(script_name == NULL)) {
logerr(gettext(ERR_ARGS));
return (0);
}
#ifdef VERBOSE
#endif
if ((scr_fp = fopen(script_path, "r")) == NULL) {
logerr(gettext(ERR_FOPEN), script_path, errno);
return (0);
}
#ifdef VERBOSE
#endif
while (val = yylex()) {
#ifdef VERBOSE
yytext, val, line_no);
status.in_function, status.in_awk, status.in_loop,
status.in_case, status.in_if, status.in_pipe);
loop_depth, case_depth, if_depth, pipe_release, cur_level);
#endif
val &= mask;
if (val) {
error |= ((val & MAYBE_ONLY) ? 1 : 2);
/*
* So at this point, val contains all status bits
* appropriate to this script.
*/
if (!silent) {
char *msg_ptr;
if (val & INTERACT_D)
msg_ptr = gettext(ERR_INTERACT);
else if (val & ROOT_D)
msg_ptr = gettext(ERR_ROOT);
else if (val & LOCKED_D)
msg_ptr = gettext(ERR_LOCKED);
else if (val & INTERACT_M)
msg_ptr = gettext(WRN_INTERACT);
else if (val & ROOT_M)
msg_ptr = gettext(WRN_ROOT);
else if (val & LOCKED_M)
msg_ptr = gettext(WRN_LOCKED);
else if (val & WPARM1_M)
msg_ptr = gettext(WRN_FORM_USE);
else if (val & USEPARM1_M)
msg_ptr = gettext(WRN_FORM_USE);
else if (val & ODDPARM_M)
msg_ptr = gettext(WRN_FORM_ARG);
else if (val & PKGDB_M)
msg_ptr = gettext(WRN_TRANSDB);
else
logerr(msg_ptr, script_name, line_no);
}
}
}
/* Warn if required about missing "-f" calls. */
if (status.instf && !(status.instf_f))
logerr(gettext(WRN_INST_F), script_name);
if (status.remf && !(status.remf_f))
logerr(gettext(WRN_REM_F), script_name);
status.instf = status.instf_f = status.remf = status.remf_f = 0;
/* Warn if installf was used but no space file is in place. */
if (status.nospacefile && status.needspacefile) {
logerr(gettext(WRN_SPACEACC), script_name);
status.needspacefile = 0;
}
status.in_pipe = 0; /* Pipes may dangle. */
fclose(scr_fp);
if (error == 3)
error = 2;
return (error);
}
/* Test a preinstall or preremove script for validity. */
int
pre_valid(char *script_name, char *script_path, int silent)
{
return (scripteval(script_name, script_path, PRE_MASK, silent));
}
/* Test a class action script for validity. */
int
cas_valid(char *script_name, char *script_path, int silent)
{
return (scripteval(script_name, script_path, CAS_MASK, silent));
}
/* Test a postinstall or postremove script for validity. */
int
post_valid(char *script_name, char *script_path, int silent)
{
return (scripteval(script_name, script_path, POST_MASK, silent));
}
/* Test a class action script for validity. */
int
req_valid(char *script_name, char *script_path, int silent)
{
return (scripteval(script_name, script_path, REQ_MASK, silent));
}
/* Test a class action script for validity. */
int
chk_valid(char *script_name, char *script_path, int silent)
{
return (scripteval(script_name, script_path, CHK_MASK, silent));
}
/* This tests all of the scripts in the provided directory. */
int
checkscripts(char *inst_dir, int silent)
{
DIR *dirfp;
struct dirent *dp;
char path[PATH_MAX];
int retval = 0;
/* For future reference, determine if a space file is present. */
if (access(path, F_OK) != 0)
status.nospacefile = 1;
if ((dirfp = opendir(inst_dir)) == NULL)
return (0);
while ((dp = readdir(dirfp)) != NULL) {
#ifdef VERBOSE
#endif
#ifdef BUG_DEBUG
if ((status.in_function != 0)
|| (status.in_pipe != 0)
|| (status.in_loop != 0)
|| (status.in_case != 0)
|| (status.in_if != 0)
|| (status.in_awk != 0)
|| (pipe_release != 0)
|| (loop_depth != 0)
|| (case_depth != 0)
|| (if_depth != 0)
|| (cur_level != 0)
|| (braces != 0)) {
status.in_function, status.in_awk, status.in_loop,
status.in_case, status.in_if, status.in_pipe);
loop_depth, case_depth, if_depth, pipe_release,
cur_level);
return (0);
} else {
}
#endif
/* Reset all variables before processing the next file */
status.in_function = status.in_pipe = status.in_loop =
status.in_case = status.in_if = status.in_awk = 0;
pipe_release = loop_depth = case_depth = if_depth =
cur_level = braces = 0;
if (dp->d_name[0] == '.')
continue;
sprintf(path, "%s/%s", inst_dir, dp->d_name);
retval |= pre_valid(dp->d_name, path, silent);
continue;
}
if ((strncmp(dp->d_name, "i.", 2) == 0) ||
(strncmp(dp->d_name, "r.", 2) == 0)) {
sprintf(path, "%s/%s", inst_dir, dp->d_name);
retval |= cas_valid(dp->d_name, path, silent);
continue;
}
sprintf(path, "%s/%s", inst_dir, dp->d_name);
retval |= post_valid(dp->d_name, path, silent);
continue;
}
sprintf(path, "%s/%s", inst_dir, dp->d_name);
retval |= req_valid(dp->d_name, path, silent);
continue;
}
sprintf(path, "%s/%s", inst_dir, dp->d_name);
retval |= chk_valid(dp->d_name, path, silent);
continue;
}
}
(void) closedir(dirfp);
return (retval);
}