diff options
| author | erh <erh> | 2005-11-16 20:59:22 +0000 |
|---|---|---|
| committer | erh <erh> | 2005-11-16 20:59:22 +0000 |
| commit | d00d71fe8c6dd426db3cd16fef44c4fefee6ce68 (patch) | |
| tree | e79d295786cae513adb8bb1aacbbf8c36a42690f /mk | |
| parent | b1bca938c8a395a96e13d881c24c4e3c5c07526c (diff) | |
| download | pkgsrc-d00d71fe8c6dd426db3cd16fef44c4fefee6ce68.tar.gz | |
Improve the handling of allowed vulnerabilities. Instead of the single
ALLOW_VULNERABLE_PACKAGES settings that applies to all packages, there can
now be per-package lists of allowed vulnerability ids:
ALLOW_VULNERABILITIES.<pkgname>=<space separated list of vulnids>
To avoid duplication of code, audit-packages is now used to do these checks.
It can be skipped altogether by setting:
SKIP_AUDIT_PACKAGES=yes
Diffstat (limited to 'mk')
| -rw-r--r-- | mk/bsd.pkg.mk | 48 | ||||
| -rw-r--r-- | mk/bsd.prefs.mk | 4 | ||||
| -rw-r--r-- | mk/defaults/mk.conf | 18 |
3 files changed, 46 insertions, 24 deletions
diff --git a/mk/bsd.pkg.mk b/mk/bsd.pkg.mk index 81c9e53bd6c..63a12ba1166 100644 --- a/mk/bsd.pkg.mk +++ b/mk/bsd.pkg.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.pkg.mk,v 1.1751 2005/11/15 21:21:01 rillig Exp $ +# $NetBSD: bsd.pkg.mk,v 1.1752 2005/11/16 20:59:22 erh Exp $ # # This file is in the public domain. # @@ -1363,35 +1363,45 @@ batch-check-distfiles: esac # check for any vulnerabilities in the package -# Please do not modify the leading "@" here + +_AUDIT_PACKAGES_MIN_VERSION=0.40 +_AUDIT_PACKAGES_OK!= ${PKG_INFO} -qe 'audit-packages>=${AUDIT_PACKAGES_MIN_VERSION}' ; echo $$? + +# Note: _any_ output from check-vulnerable is considered an error by do-fetch. .PHONY: check-vulnerable check-vulnerable: - @if [ ! -z "${PKG_SYSCONFDIR.audit-packages}" -a -f ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf ]; then \ - . ${PKG_SYSCONFDIR.audit-packages}/audit-packages.conf; \ - elif [ ! -z "${PKG_SYSCONFDIR}" -a -f ${PKG_SYSCONFDIR}/audit-packages.conf ]; then \ - . ${PKG_SYSCONFDIR}/audit-packages.conf; \ - fi; \ - if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \ - ${SETENV} PKGNAME=${PKGNAME:Q} \ - PKGBASE=${PKGBASE:Q} \ - ${AWK} '/^$$/ { next } \ - /^#.*/ { next } \ - $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \ - { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \ - fi +.if empty(AUDIT_PACKAGES_OK:M0) + @${ECHO_MSG} "${_PKGSRC_IN}> *** The audit-packages package must be at least version ${AUDIT_PACKAGES_MIN_VERSION}" + @${ECHO_MSG} "${_PKGSRC_IN}> *** Please install pkgsrc/security/audit-packages package and run"; + @${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; + @false +.else + @${AUDIT_PACKAGES} -i ""${ALLOW_VULNERABILITIES.${PKGBASE}:Q} -p ${PKGNAME:Q} +.endif + + +.if defined(ALLOW_VULNERABILITIES.${PKGBASE}) +_ALLOW_VULNERABILITIES=${ALLOW_VULNERABILITIES.${PKGBASE}} +.else +_ALLOW_VULNERABILITIES=#none +.endif .PHONY: do-fetch .if !target(do-fetch) do-fetch: -. if !defined(ALLOW_VULNERABLE_PACKAGES) +. if empty(SKIP_AUDIT_PACKAGES:M[Yy][Ee][Ss]) && empty(_ALLOW_VULNERABILITIES:M[Yy][Ee][Ss]) ${_PKG_SILENT}${_PKG_DEBUG} \ if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \ ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"; \ vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`; \ case "$$vul" in \ "") ;; \ - *) ${ECHO} "$$vul"; \ - ${ECHO} "or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \ + *) vulnids=`echo "$$vul" | sed -e's/.*vulnid:\\([[:digit:]]*\\).*/\\1/'`; \ + ${ECHO} "$$vul"; \ + ${ECHO} "or if this package is absolutely essential, add this to mk.conf:"; \ + for vulnid in $$vulnids ; do \ + ${ECHO} " ALLOW_VULNERABILITIES.${PKGBASE}+=$$vulnid"; \ + done ; \ ${FALSE} ;; \ esac; \ else \ @@ -1400,6 +1410,8 @@ do-fetch: ${ECHO_MSG} "${_PKGSRC_IN}> *** the pkgsrc/security/audit-packages package and run"; \ ${ECHO_MSG} "${_PKGSRC_IN}> *** '${LOCALBASE}/sbin/download-vulnerability-list'."; \ fi +. else + @${ECHO_MSG} "${_PKGSRC_IN}> *** Skipping vulnerability checks for ${PKGNAME}" . endif . if !empty(_ALLFILES) ${_PKG_SILENT}${_PKG_DEBUG} \ diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk index 5a6ea81b049..ca1830ced16 100644 --- a/mk/bsd.prefs.mk +++ b/mk/bsd.prefs.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.prefs.mk,v 1.209 2005/11/14 04:51:47 rillig Exp $ +# $NetBSD: bsd.prefs.mk,v 1.210 2005/11/16 20:59:23 erh Exp $ # # Make file, included to get the site preferences, if any. Should # only be included by package Makefiles before any .if defined() @@ -497,6 +497,7 @@ PKG_DELETE_CMD?= ${PKG_TOOLS_BIN}/pkg_delete PKG_INFO_CMD?= ${PKG_TOOLS_BIN}/pkg_info PKG_VIEW_CMD?= ${PKG_TOOLS_BIN}/pkg_view LINKFARM_CMD?= ${PKG_TOOLS_BIN}/linkfarm +AUDIT_PACKAGES_CMD?= ${LOCALBASE}/sbin/audit-packages .if !defined(PKGTOOLS_VERSION) PKGTOOLS_VERSION!= ${PKG_INFO_CMD} -V 2>/dev/null || echo 20010302 @@ -527,6 +528,7 @@ PKG_DELETE?= ${PKGTOOLS_ENV} ${PKG_DELETE_CMD} ${PKGTOOLS_ARGS} PKG_INFO?= ${PKGTOOLS_ENV} ${PKG_INFO_CMD} ${PKGTOOLS_ARGS} PKG_VIEW?= ${PKGTOOLS_ENV} ${PKG_VIEW_CMD} ${PKG_VIEW_ARGS} LINKFARM?= ${LINKFARM_CMD} +AUDIT_PACKAGES?= ${PKGTOOLS_ENV} ${AUDIT_PACKAGES_CMD} ${PKGTOOLS_ARGS} # "${PKG_BEST_EXISTS} pkgpattern" prints out the name of the installed # package that best matches pkgpattern. Use this instead of diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf index 1f02dfc9bf3..772abbed489 100644 --- a/mk/defaults/mk.conf +++ b/mk/defaults/mk.conf @@ -1,4 +1,4 @@ -# $NetBSD: mk.conf,v 1.91 2005/11/15 12:54:36 tonio Exp $ +# $NetBSD: mk.conf,v 1.92 2005/11/16 20:59:23 erh Exp $ # # This file provides default values for variables that may be overridden @@ -14,12 +14,20 @@ # NOTE TO PEOPLE EDITING THIS FILE - USE LEADING SPACES, NOT LEADING TABS. # ************************************************************************ -#ALLOW_VULNERABLE_PACKAGES= -# allow the user to build packages which are known to be vulnerable to -# security exploits -# Possible: defined, not defined +#ALLOW_VULNERABILITIES.<pkgname>= +# List of vulnerability ids to ignore when performing audit-packages +# check when building a package. +# Possible: one or more vulnerabilities ids, +# or the word "yes" to allow all. (not recommended) # Default: not defined +SKIP_AUDIT_PACKAGES=no +# Completely skip running audit-packages to check for vulnerable packages. +# Specifying individual vulnerabilities with +# ALLOW_VULNERABILITIES.<pkgname>=<vulnid> is preferred to using this. +# Possible: yes, no +# Default: no + MANINSTALL?= maninstall catinstall # Specify manpage installation types. # Possible: maninstall, catinstall, both types or empty |