path: root/methods/aptmethod.h
Commit log (subject, author, date, files changed, lines removed/added):
* Modernize standard library includes (Julian Andres Klode, 2024-02-20, 1 file, -2/+2)
  This was automated with sed and git-clang-format, and then I had to fix up the top of policy.cc by hand as git-clang-format accidentally indented it by two spaces.
* Use https config on https proxies for http servers (David Kalnischkies, 2021-09-13, 1 file, -57/+66)
  The settings used for unwrapping TLS connections depend on the access and hostname we connect to more than what we eventually unwrap. The bugreport mentions CaInfo, but all other https-settings should also apply (regardless of generic or hostname specific) to an https proxy, even if the connection we proxy through it is http-only. Closes: #990555
* Replace PrintStatus with SendMessage usage (David Kalnischkies, 2021-02-04, 1 file, -12/+18)
  The varg API is a nightmare as the symbols seem different on every other arch, but more importantly SendMessage does a few checks on the content of the message and it is all output via C++ iostreams and not mixed in FILE*, which is handy for overriding the streams.
* Implement encoded URI handling in all methods (David Kalnischkies, 2020-12-18, 1 file, -0/+12)
  Every method opts in to getting the encoded URI passed along while keeping compat in case we are operated by an older acquire system. Effectively this is just a change for the http-based methods as the others just decode the URI as they work with files directly.
* Remove code tagged APT_PKG_590, add some missing includes (Julian Andres Klode, 2020-02-18, 1 file, -0/+1)
  Remove all code scheduled to be removed after 5.90, and fix files to include files they previously got from hashes.h including more headers.
* seccomp: Allow recvmmsg_time64() and futex_time64() (Julian Andres Klode, 2020-02-10, 1 file, -0/+2)
  Saw those in a libseccomp commit, figured I should add them too.
* seccomp: Allow time64 variants (>402,<415) of allowed syscalls (Julian Andres Klode, 2020-02-09, 1 file, -0/+6)
  Went through the list of syscalls starting at 403 (and looked one back) up to the next unknown syscalls, and added all those that were present in their non-time64 variant. Closes: #951012
* netrc: Add warning when ignoring entries for unencrypted protocols (Julian Andres Klode, 2020-01-15, 1 file, -0/+12)
  Commit 93f33052de84e9aeaf19c92291d043dad2665bbd restricted auth.conf entries to only apply to https by default, but this was silent - there was no information why http sources with auth.conf entries suddenly started failing. Add such information, and extend test case to cover it.
* Apply various suggestions by cppcheck (David Kalnischkies, 2019-07-08, 1 file, -2/+2)
  Reported-By: cppcheck
* aptmethod.h: Do not have gcc warning about ignoring write() result (Julian Andres Klode, 2019-02-05, 1 file, -0/+7)
  This is a special case here, a best-effort write, so there's no point in having warnings about it for every method.
* Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (Julian Andres Klode, 2018-12-04, 1 file, -11/+36)
  This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard.
* Allow restart_syscall() syscall in seccomp sandboxes (Julian Andres Klode, 2018-04-06, 1 file, -0/+1)
  Closes: #891644
* Turn off seccomp sandboxing by default (Julian Andres Klode, 2018-04-06, 1 file, -1/+1)
  LP: #1732030 Closes: #890489 Fixes meefik/linuxdeploy#869
* reimplement and simplify mirror:// method (David Kalnischkies, 2018-01-03, 1 file, -0/+10)
  Embedding an entire acquire stack and HTTP logic in the mirror method made it rather heavyweight and fragile. This reimplementation goes the other way by doing only the bare minimum in the method itself and instead redirects the actual download of files to their proper methods. The reimplementation drops the (in the real world) unused query-string feature as it isn't really implementable in the new architecture.
* report transient errors as transient errors (David Kalnischkies, 2017-12-13, 1 file, -0/+7)
  The Fail method for acquire methods has a boolean parameter indicating the transient-nature of a reported error. The problem with this is that Fail is called very late at a point where it is no longer easily identifiable if an error is indeed transient or not, so some calls were and some weren't and the acquire system would later mostly ignore the transient flag and guess by using the FailReason instead. Introducing a tri-state enum we can pass the information about fatal or transient errors through the callstack to generate the correct fails.
* Do not attempt seccomp under qemu-user and drop EFAULT workaround (Julian Andres Klode, 2017-11-12, 1 file, -1/+37)
  qemu-user passes prctl()-based seccomp through to the kernel, unmodified. That's bad, as it blocks the wrong syscalls. We ignored EFAULT which fixed the problem for targets with different pointer sizes from the host, but was a bad hack. In order to identify qemu we can rely on the fact that qemu-user prints its version and exits with 0 if QEMU_VERSION is set to an unsupported value. If we run a command that should fail in such an environment, and it exits with 0, then we are running in qemu-user. apt-helper is an obvious command to run. The tests ensure it exits with 1, and it only prints usage information. We also could not use /bin/false because apt might just as well be from a foreign arch while /bin/false is not. Closes: #881519
* seccomp: Allow clock_nanosleep() and nanosleep() syscalls (Julian Andres Klode, 2017-10-27, 1 file, -0/+2)
  We sleep in http.cc, so we should allow the sleeping syscalls.
* seccomp: Allow ipc() for fakeroot, and allow sysinfo() for sort (Julian Andres Klode, 2017-10-26, 1 file, -0/+2)
  Sorting apparently calls sysconf() which calls sysinfo() to get free pages or whatever. Closes: #879814, #879826
* Print syscall number and arch to stderr when trapped by seccomp (Julian Andres Klode, 2017-10-26, 1 file, -0/+33)
  This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal-handler-safe functions inside there.
* Only warn about seccomp() EINVAL (normal) and EFAULT (qemu) errors (Julian Andres Klode, 2017-10-25, 1 file, -3/+5)
  If seccomp is disabled, we fall back to running without it. Qemu fails in the seccomp() call, returning ENOSYS and libseccomp falls back to prctl() without adjusting the pointer, causing the EFAULT. I hope qemu gets fixed at some point to return EINVAL for seccomp via prctl. Bug-Qemu: https://bugs.launchpad.net/qemu/+bug/1726394
* methods: Enable additional syscalls (SYSV IPC) in fakeroot (Julian Andres Klode, 2017-10-25, 1 file, -0/+10)
  If FAKED_MODE is set, enable SYSV IPC so we don't crash when running in fakeroot. Closes: #879662
* seccomp: Conditionalize statx() whitelisting (Julian Andres Klode, 2017-10-23, 1 file, -0/+2)
  statx was introduced in 4.11, so it fails to build in stretch if we just unconditionally use it.
* seccomp: Add missing syscalls for ppc64el, i386, and others (Julian Andres Klode, 2017-10-23, 1 file, -0/+11)
  These are a few overlooked syscalls. Also add readv(), writev(), renameat2(), and statx() in case libc uses them. Gbp-Dch: ignore
* Sandbox methods with seccomp-BPF; except cdrom, gpgv, rsh (Julian Andres Klode, 2017-10-22, 1 file, -5/+212)
  This reduces the number of syscalls to about 140 from about 350 or so, significantly reducing security risks. Also change prepare-release to ignore the architecture lists in the build dependencies when generating the build-depends package for travis. We might want to clean up things a bit more and/or move it somewhere else.
* allow the auth.conf to be root:root owned (David Kalnischkies, 2017-07-26, 1 file, -18/+39)
  Opening the file before we drop privileges in the methods allows us to avoid chowning in the acquire main process which can apply to the wrong file (imagine Binary scoped settings) and surprises users as their permission setup is overridden. There are no security benefits as the file is open, so an evil method could as before read the contents of the file, but it isn't worse than before and we avoid permission problems in this setup.
* reimplement and document auth.conf (David Kalnischkies, 2017-07-26, 1 file, -0/+19)
  We have support for a netrc-like auth.conf file since 0.7.25 (closing 518473), but it was never documented in apt that it even exists and netrc seems to have fallen out of usage as a manpage for it no longer exists, making the feature even more arcane. On top of that the code was a bit of a mess (as it is written in c-style) and as a result the matching of machine tokens to URIs also a bit strange by checking for less specific matches (= without path) first. We now do a single pass over the stanzas. In practice early adopters of the undocumented implementation will not really notice the differences and the 'new' behaviour is simpler to document and more usual for an apt user. Closes: #811181
* Reformat and sort all includes with clang-format (Julian Andres Klode, 2017-07-12, 1 file, -1/+1)
  This makes it easier to see which headers includes what. The changes were done by running

      git grep -l '#\s*include' \
        | grep -E '.(cc|h)$' \
        | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/'

  to modify all include lines by adding a space, and then running ./git-clang-format.sh.
* methods/aptmethod.h: Add missing fileutl.h include (Julian Andres Klode, 2017-07-12, 1 file, -0/+1)
* methods: read config in most to least specific order (David Kalnischkies, 2016-08-17, 1 file, -2/+2)
  The implementation of the generic config fallback did the fallback in the wrong order so that the least specific option wasn't the last value picked but in fact the first one… doh! So in the bug report's case http -> https -> http::<hostname> -> https::<hostname> while it should have been the reverse as before. Regression-In: 30060442025824c491f58887ca7369f3c572fa57 Closes: 834642
* implement generic config fallback for methods (David Kalnischkies, 2016-08-10, 1 file, -5/+67)
  The https method has for a long while now implemented a hardcoded fallback to the same options in http, which, while it works, is rather inflexible if we want to allow the methods to use another name to change their behavior slightly, like apt-transport-tor does to https – most of the diff being s#https#tor#g which then fails to do the full circle fallthrough tor -> https -> http for https sources. With this config infrastructure this could be implemented now.
* detect redirection loops in acquire instead of workers (David Kalnischkies, 2016-08-10, 1 file, -1/+2)
  Having the detection handled in specific (http) workers means that a redirection loop over different hostnames isn't detected. It's also not a good idea to have this implemented in each method independently even if it would work.
* don't change owner/perms/times through file:// symlinks (David Kalnischkies, 2016-07-06, 1 file, -0/+31)
  If we have files in partial/ from a previous invocation or similar, those could be symlinks created by file:// sources. The code is expecting only real files though and happily changes owner, modification times and permission on the file the symlink points to, which tend to be files we have no business in touching in this way. Permissions of symlinks shouldn't be changed, changing owner is usually pointless too, but just to be sure we pick the easy way out and use lchown, and check for symlinks before chmod/utimes. Reported-By: Mattia Rizzolo on IRC
* ignore std::locale exception on non-existent "" locale (David Kalnischkies, 2016-06-02, 1 file, -1/+5)
  In 8b79c94af7f7cf2e5e5342294bc6e5a908cacabf changing to usage of the C++ way of setting the locale causes us to be terminated in case of usage of an ungenerated locale as LC_ALL (or similar) – but we don't want to fail here, we just want to carry on as before with setlocale, which we call in that case just for good measure.
* use std::locale::global instead of setlocale (David Kalnischkies, 2016-05-28, 1 file, -1/+4)
  We use a wild mixture of C and C++ ways of generating output, so having a consistent world-view in both styles sounds like a good idea and should help in preventing regressions.
* apt-pkg/acquire-worker.cc: Introduce 104 Warning message (Julian Andres Klode, 2016-03-15, 1 file, -0/+8)
  This can be used by workers to send warnings to the main program. The messages will be passed to _error->Warning() by APT with the URI prepended. We are not going to make that really public now, as the interface might change a bit.
* allow acquire method specific options via Binary scope (David Kalnischkies, 2015-11-05, 1 file, -23/+28)
  Allows users who know what they are getting themselves into with this trick to e.g. disable privilege dropping for e.g. file:// until they can fix up the permissions on those repositories. It helps also the test framework and people with a similar setup (= me) to run in less modified environments.
* drop privileges in copy:// method as we do for file:// (David Kalnischkies, 2015-11-05, 1 file, -0/+37)
  Continuing on the track of dropping privileges in all methods, let's drop it in copy, too, as the reasoning for it is very similar to file and the interaction between the two quite interesting as copy kinda surfed as a fallback for file not being able to read the file. Both now show a better error message as well, as it was previously claiming to have a hashsum mismatch, given that it couldn't read the file. Git-Dch: Ignore