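#!/bin/ksh
#
# $OpenBSD: syspatch.sh,v 1.69 2016/12/02 10:59:27 ajacoutot Exp $
#
# Copyright (c) 2016 Antoine Jacoutot <ajacoutot@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# syspatch: fetch, verify (signify) and install binary patches for the
# running release, or list (-l) / check (-c) / revert (-r) them.
# Most functions rely on "set -e": a bare test like [[ -n ${x} ]] acts as
# an assertion that aborts the script when it fails.

set -e
umask 0022

# print $1 on stderr and return $2 (default 1); pass 0 to report without
# failing
sp_err()
{
	echo "${1}" 1>&2 && return ${2:-1}
}

usage()
{
	sp_err "usage: ${0##*/} [-c | -l | -r]"
}

# fetch, verify and install the patch named $1 (${_OSrev}-NNN_name);
# a rollback archive is saved under ${_PDIR}/$1 first and replayed if
# any file fails to install
apply_patch()
{
	local _explodir _file _files _patch=$1 _ret=0
	[[ -n ${_patch} ]]

	_explodir=${_TMP}/${_patch}

	echo "Applying patch ${_patch##${_OSrev}-}"
	fetch_and_verify "syspatch${_patch}.tgz"

	# do not leave a half-installed patch behind on ^C
	trap '' INT
	install -d ${_explodir} ${_PDIR}/${_patch}

	_files="$(tar xvzphf ${_TMP}/syspatch${_patch}.tgz -C ${_explodir})"
	checkfs ${_files}

	create_rollback ${_patch} "${_files}"

	for _file in ${_files}; do
		((_ret == 0)) || break
		if [[ ${_file} == @(bsd|bsd.mp) ]]; then
			install_kernel ${_explodir}/${_file} || _ret=$?
		else
			install_file ${_explodir}/${_file} /${_file} || _ret=$?
		fi
	done

	if ((_ret != 0)); then
		sp_err "Failed to apply patch ${_patch##${_OSrev}-}" 0
		rollback_patch; return ${_ret}
	fi
	trap exit INT
}

# quick-and-dirty size check:
# - assume old files are about the same size as new ones
# - ignore new (nonexistent) files
# - compute total size of all files per fs, simpler and less margin for error
# - if we install a kernel, double /bsd size (duplicate it in the list) when:
#   - we are on an MP system (/bsd.mp does not exist there)
#   - /bsd.syspatchXX is not present (create_rollback will copy it from /bsd)
# arguments: the (root-relative) files about to be written;
# aborts if any of them lives on a remote or read-only fs or if the fs
# lacks space
checkfs()
{
	local _d _df _dev _files="${@}" _sz
	[[ -n ${_files} ]]

	if echo "${_files}" | grep -qw bsd; then
		${_BSDMP} || [[ ! -f /bsd.syspatch${_OSrev} ]] &&
			_files="bsd ${_files}"
	fi

	# stat emits shell assignments: _dev collects the device names and
	# each device name becomes a variable holding a "size+size+..." sum
	eval $(cd / &&
		stat -qf "_dev=\"\${_dev} %Sd\" %Sd=\"\${%Sd:+\${%Sd}\+}%Uz\"" \
		${_files}) || true # ignore nonexistent files

	for _d in $(printf '%s\n' ${_dev} | sort -u); do
		mount | grep -v read-only | grep -q "^/dev/${_d} " ||
			sp_err "Remote or read-only filesystem, aborting"
		_df=$(df -Pk | grep "^/dev/${_d} " | tr -s ' ' | cut -d ' ' -f4)
		# $((_d)) evaluates the "size+size+..." string built above
		_sz=$(($((_d))/1024))
		((_df > _sz)) || sp_err "No space left on ${_d}, aborting"
	done
}

# save the current copies of the files patch $1 is about to replace
# (remaining arguments) into ${_PDIR}/$1/rollback.tgz
create_rollback()
{
	local _file _patch=$1 _rbfiles
	[[ -n ${_patch} ]]
	shift
	local _files="${@}"
	[[ -n ${_files} ]]

	for _file in ${_files}; do
		[[ -f /${_file} ]] || continue
		# only save the original release kernel once
		if [[ ${_file} == bsd && ! -f /bsd.syspatch${_OSrev} ]]; then
			install -FSp /bsd /bsd.syspatch${_OSrev}
		fi
		_rbfiles="${_rbfiles} ${_file}"
	done

	if ! (cd / &&
		# GENERIC.MP: substitute bsd.mp->bsd and bsd.sp->bsd
		if ${_BSDMP} &&
			tar -tzf ${_TMP}/syspatch${_patch}.tgz bsd >/dev/null \
			2>&1; then
			tar -czf ${_PDIR}/${_patch}/rollback.tgz \
				-s '/^bsd.mp$//' -s '/^bsd$/bsd.mp/' \
				-s '/^bsd.sp$/bsd/' bsd.sp ${_rbfiles}
		else
			tar -czf ${_PDIR}/${_patch}/rollback.tgz \
				${_rbfiles}
		fi
	); then
		rm -r ${_PDIR}/${_patch}
		sp_err "Failed to create rollback patch ${_patch##${_OSrev}-}"
	fi
}

# download archive $1 into ${_TMP} as the unprivileged user and check it
# against the signed SHA256.sig with the release syspatch key; the
# download and the signify check are the only places where data from the
# mirror is authenticated
fetch_and_verify()
{
	local _sig=${_TMP}/SHA256.sig _tgz=$1
	[[ -n ${_tgz} ]]

	# SHA256.sig is fetched once per run and reused for every archive
	[[ -f ${_sig} ]] || \
		unpriv -f "${_sig}" ${_FETCH} -o "${_sig}" "${_URL}/SHA256.sig"

	unpriv -f "${_TMP}/${_tgz}" ${_FETCH} -mD "Get/Verify" -o \
		"${_TMP}/${_tgz}" "${_URL}/${_tgz}"

	(cd ${_TMP} && unpriv signify -qC -p \
		/etc/signify/openbsd-${_OSrev}-syspatch.pub -x SHA256.sig \
		${_tgz})
}

# install regular file $1 over existing regular file $2, keeping the
# mode, owner and group of $1
install_file()
{
	# XXX handle symlinks, dir->file, file->dir?
	local _dst=$2 _fgrp _fmode _fown _src=$1
	[[ -f ${_src} && -f ${_dst} ]]

	eval $(stat -f "_fmode=%OMp%OLp _fown=%Su _fgrp=%Sg" ${_src})

	install -DFS -m ${_fmode} -o ${_fown} -g ${_fgrp} ${_src} ${_dst}
}

# install kernel $1 in /; on an MP system the archive's "bsd" becomes
# /bsd.sp and "bsd.mp" becomes /bsd
install_kernel()
{
	local _bsd _kern=$1
	[[ -n ${_kern} ]]

	if ${_BSDMP}; then
		[[ ${_kern##*/} == bsd ]] && _bsd=bsd.sp || _bsd=bsd
	fi

	install -FS ${_kern} /${_bsd:-${_kern##*/}}
}

# print the names (NNN_name) of the patches that have a rollback archive
# under ${_PDIR}, in version order
ls_installed()
{
	local _p
	### XXX temporary quirks; remove before 6.1 ############################
	local _r _s _t _u _v
	if [[ -f /bsd.rollback${_OSrev} ]]; then
		[[ $(id -u) -ne 0 ]] && sp_err "${0##*/}: need root privileges"
		mv /bsd.rollback${_OSrev} /bsd.syspatch${_OSrev}
	fi
	if [[ -d ${_PDIR}/${_KERNV[0]} ]]; then
		( cd ${_PDIR}/${_KERNV[0]} && for _r in *; do
			if [[ ${_r} == rollback-syspatch-${_OSrev}-*.tgz ]]; then
				[[ $(id -u) -ne 0 ]] &&
					sp_err "${0##*/}: need root privileges"
				mv ${_r} rollback${_OSrev}${_r#*-syspatch-${_OSrev}}
			fi
		done )
		( cd ${_PDIR}/${_KERNV[0]} && for _s in *; do
			if [[ ${_s} == rollback${_OSrev}-*.tgz ]]; then
				[[ $(id -u) -ne 0 ]] &&
					sp_err "${0##*/}: need root privileges"
				_t=${_s#rollback${_OSrev}-}
				_t=${_t%.tgz}
				mv ${_s} ${_t}.rollback.tgz
			fi
		done )
		( cd ${_PDIR}/${_KERNV[0]} && for _u in *; do
			if [[ ${_u} == *.rollback.tgz ]]; then
				[[ $(id -u) -ne 0 ]] &&
					sp_err "${0##*/}: need root privileges"
				_v=${_u%.rollback.tgz}
				install -d ${_PDIR}/${_OSrev}-${_v}
				mv ${_u} ${_PDIR}/${_OSrev}-${_v}/rollback.tgz
				mv ${_v}.patch.sig ${_PDIR}/${_OSrev}-${_v}/
			fi
		done )
		rmdir ${_PDIR}/${_KERNV[0]}
	fi
	########################################################################
	for _p in ${_PDIR}/*; do
		[[ -f ${_p}/rollback.tgz ]] && echo ${_p##*/${_OSrev}-}
	done | sort -V
}

# print the names of the patches listed in the mirror's index.txt that
# are not installed yet, in version order
ls_missing()
{
	# XXX match with installed sets (comp, x...)?
	local _index=${_TMP}/index.txt _installed _p
	_installed="$(ls_installed)"

	unpriv -f "${_index}" ${_FETCH} -o "${_index}" "${_URL}/index.txt"

	for _p in $(grep -o "syspatch${_OSrev}-[0-9][0-9][0-9]_.*" ${_index} |
		sed "s/^syspatch${_OSrev}-//;s/.tgz$//"| sort -V); do
		# index.txt is not signed, yet these names end up in paths under
		# ${_TMP} and ${_PDIR} and in the command line handed to unpriv;
		# only accept the shape a syspatch archive name can have
		[[ ${_p} == [0-9][0-9][0-9]_+([[:alnum:]_]) ]] ||
			sp_err "Unexpected patch name in index.txt, aborting"
		if [[ -n ${_installed} ]]; then
			echo ${_p} | grep -qw -- "${_installed}" || echo ${_p}
		else
			echo ${_p}
		fi
	done
}

# revert the most recently installed patch from its rollback archive and
# remove its ${_PDIR} directory
rollback_patch()
{
	local _explodir _file _files _patch _ret=0

	_patch="$(ls_installed | sort -V | tail -1)"
	[[ -n ${_patch} ]]

	_explodir=${_TMP}/${_patch}-rollback
	_patch=${_OSrev}-${_patch}

	echo "Reverting patch ${_patch##${_OSrev}-}"
	install -d ${_explodir}

	_files="$(tar xvzphf ${_PDIR}/${_patch}/rollback.tgz -C ${_explodir})"
	checkfs ${_files} ${_PDIR} # check for read-only /var/syspatch

	for _file in ${_files}; do
		((_ret == 0)) || break
		if [[ ${_file} == @(bsd|bsd.mp) ]]; then
			install_kernel ${_explodir}/${_file} || _ret=$?
			# remove the backup kernel if all kernel syspatches have
			# been reverted; non-fatal (`-f')
			cmp -s /bsd /bsd.syspatch${_OSrev} &&
				rm -f /bsd.syspatch${_OSrev}
		else
			install_file ${_explodir}/${_file} /${_file} || _ret=$?
		fi
	done

	# an if/else rather than "a && b || c": a failing rm must not be
	# reported with status 0 (sp_err returns $2, which would be 0 here)
	if ((_ret == 0)); then
		rm -r ${_PDIR}/${_patch} ||
			sp_err "Failed to revert patch ${_patch##${_OSrev}-}"
	else
		sp_err "Failed to revert patch ${_patch##${_OSrev}-}" ${_ret}
	fi
}

# remove leftovers from other releases and refresh directory metadata
sp_cleanup()
{
	local _d _k _m

	# remove non matching release /var/syspatch/ content
	for _d in ${_PDIR}/*; do
		[[ -e ${_d} ]] || continue
		[[ ${_d##*/} == ${_OSrev}-@([0-9][0-9][0-9])_* ]] || rm -r ${_d}
	done

	# remove non matching release backup kernel
	for _k in /bsd.syspatch*; do
		[[ -f ${_k} ]] || continue
		[[ ${_k} == /bsd.syspatch${_OSrev} ]] || rm ${_k}
	done

	# in case a patch added a new directory (install -D);
	# non-fatal in case some mount point is read-only or remote
	for _m in /etc/mtree/{4.4BSD,BSD.x11}.dist; do
		[[ -f ${_m} ]] && mtree -qdef ${_m} -p / -U >/dev/null || true
	done
}

# run a command as the unprivileged fetch user: unpriv [-f file] cmd...
# with -f, "file" is created empty by root and handed to that user so the
# command can write it inside the otherwise root-owned ${_TMP}
unpriv()
{
	# XXX use a dedicated user?
	local _file=$2 _user=_pkgfetch

	if [[ $1 == -f && -n ${_file} ]]; then
		>${_file}
		chown "${_user}" "${_file}"
		chmod 0711 ${_TMP}
		shift 2
	fi
	(($# >= 1))

	# hand the joined command line to su as one argument; it is parsed
	# once, by the unprivileged /bin/sh, and never by this (root) shell
	su -s /bin/sh ${_user} -c "$*"
}

# XXX needs a way to match release <=> syspatch
# only run on release (not -current nor -stable)
set -A _KERNV -- $(sysctl -n kern.version |
	sed 's/^OpenBSD \([0-9]\.[0-9]\)\([^ ]*\).*/\1 \2/;q')
[[ -z ${_KERNV[1]} ]]

# at most one single-letter option; -c, -r and patching need root
[[ $@ == @(|-[[:alpha:]]) ]] || usage; [[ $@ == @(|-(c|r)) ]] &&
	(($(id -u) != 0)) && sp_err "${0##*/}: need root privileges"

(($(sysctl -n hw.ncpufound) > 1)) && _BSDMP=true || _BSDMP=false
_FETCH="ftp -MVk ${FTP_KEEPALIVE-0}"
_OSrev=${_KERNV[0]%\.*}${_KERNV[0]#*\.}
_PDIR="/var/syspatch"
_TMP=$(mktemp -d -p /tmp syspatch.XXXXXXXXXX)
# XXX to be discussed
# plain http: archives are authenticated by signify in fetch_and_verify,
# index.txt is not (see ls_missing)
_URL=http://syspatch.openbsd.org/pub/OpenBSD/${_KERNV[0]}/syspatch/$(machine)
readonly _BSDMP _FETCH _OSrev _PDIR _TMP _URL

trap 'set +e; rm -rf "${_TMP}"' EXIT
trap exit HUP INT TERM

[[ -n ${_OSrev} ]]

while getopts clr arg; do
	case ${arg} in
		c) ls_missing;;
		l) ls_installed;;
		r) rollback_patch;;
		*) usage;;
	esac
done
shift $((OPTIND -1))
[[ $# -ne 0 ]] && usage

# no option: install every missing patch
if ((OPTIND == 1)); then
	for _PATCH in $(ls_missing); do
		apply_patch ${_OSrev}-${_PATCH}
	done
	sp_cleanup
fi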