1#!/bin/ksh
2#
3# $OpenBSD: syspatch.sh,v 1.72 2016/12/05 16:11:17 ajacoutot Exp $
4#
5# Copyright (c) 2016 Antoine Jacoutot <ajacoutot@openbsd.org>
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
# abort on the first failed command; the bare `[[ -n ... ]]' tests in the
# functions below rely on this to act as assertions
set -e
# nothing this script creates (rollback archives, extracted sets, the work
# directory) may be group/world-writable
umask 0022
21
# Print a diagnostic on stderr and return a status.
# Arguments: $1 - message, $2 - status to return (default 1)
# Returns:   $2 (or 1); echo's own status if it fails
sp_err()
{
	local _msg=$1 _status=${2:-1}
	echo "${_msg}" 1>&2 || return $?
	return ${_status}
}
26
# Print the usage line on stderr; sp_err's default status (1) makes this
# fatal under set -e.
usage()
{
	local _prog=${0##*/}
	sp_err "usage: ${_prog} [-c | -l | -r]"
}
31
# Fetch, verify, extract and install one patch after saving a rollback
# archive for it.
# Arguments: $1 - full patch name (${_OSrev}-NNN_name)
# Globals:   _TMP, _PDIR, _OSrev (read)
# Returns:   0 on success; if a file fails to install the patch is reverted
#            through rollback_patch and the install status is returned
apply_patch()
{
	local _explodir _file _files _patch=$1 _ret=0
	# a missing argument aborts the script (set -e)
	[[ -n ${_patch} ]]

	_explodir=${_TMP}/${_patch}

	echo "Applying patch ${_patch##${_OSrev}-}"
	# downloaded unprivileged; must pass the signify check before anything
	# is extracted
	fetch_and_verify "syspatch${_patch}.tgz"

	# ignore ^C while files are being replaced so the patch is not left
	# half-applied; restored at the end of the function
	trap '' INT
	install -d ${_explodir} ${_PDIR}/${_patch}

	# tar's verbose output is the list of extracted paths (relative to /);
	# it is word-split below, so paths with whitespace are not supported
	_files="$(tar xvzphf ${_TMP}/syspatch${_patch}.tgz -C ${_explodir})"
	# refuse to start on read-only/remote or full filesystems
	checkfs ${_files}

	# save the current copies so the patch can be reverted
	create_rollback ${_patch} "${_files}"

	# stop at the first file that fails to install
	for _file in ${_files}; do
		((_ret == 0)) || break
		if [[ ${_file} == @(bsd|bsd.mp) ]]; then
			install_kernel ${_explodir}/${_file} || _ret=$?
		else
			install_file ${_explodir}/${_file} /${_file} || _ret=$?
		fi
	done

	if ((_ret != 0)); then
		# report with status 0 so the rollback still runs before returning
		sp_err "Failed to apply patch ${_patch##${_OSrev}-}" 0
		# NOTE(review): the INT trap set above is not restored on this
		# path; the caller's set -e ends the script on the non-zero
		# return, so this only matters if apply_patch were ever called
		# with -e suppressed
		rollback_patch; return ${_ret}
	fi
	trap exit INT
}
65
# quick-and-dirty size check:
# - assume old files are about the same size as new ones
# - ignore new (nonexistent) files
# - compute total size of all files per fs, simpler and less margin for error
# - if we install a kernel, double /bsd size (duplicate it in the list) when:
#   - we are on an MP system (/bsd.mp does not exist there)
#   - /bsd.syspatchXX is not present (create_rollback will copy it from /bsd)
#
# Arguments: list of paths (relative to /) about to be replaced
# Globals:   _BSDMP, _OSrev (read)
# Returns:   0 if every affected filesystem is local, writable and has room;
#            otherwise sp_err's non-zero status (fatal under set -e)
checkfs()
{
	local _d _df _dev _files="${@}" _sz
	[[ -n ${_files} ]]

	if echo "${_files}" | grep -qw bsd; then
		# count bsd twice when on MP or when no backup kernel exists yet
		# (the `||' list is evaluated before the `&&')
		${_BSDMP} || [[ ! -f /bsd.syspatch${_OSrev} ]] &&
			_files="bsd ${_files}"
	fi

	# one stat(1) call over all files prints shell assignments that are
	# then eval'd: `_dev' collects the device name (%Sd) holding each file
	# and, per device, a variable named after it accumulates a
	# "size+size+..." expression of the file sizes (%Uz).  -q keeps stat
	# quiet about missing files and `|| true' hides their exit status from
	# set -e.  Device names become variable names, so this assumes %Sd
	# yields identifier-safe names (e.g. sd0a).
	eval $(cd / &&
		stat -qf "_dev=\"\${_dev} %Sd\" %Sd=\"\${%Sd:+\${%Sd}\+}%Uz\"" \
			${_files}) || true # ignore nonexistent files

	for _d in $(printf '%s\n' ${_dev} | sort -u); do
		# a local device shows up as /dev/<dev> in mount output; remote
		# filesystems do not match and read-only ones are filtered out
		mount | grep -v read-only | grep -q "^/dev/${_d} " ||
			sp_err "Remote or read-only filesystem, aborting"
		# available KB: 4th column of POSIX df output
		_df=$(df -Pk | grep "^/dev/${_d} " | tr -s ' ' | cut -d ' ' -f4)
		# $((_d)) evaluates the per-device expression built above (bytes)
		_sz=$(($((_d))/1024))
		((_df > _sz)) || sp_err "No space left on ${_d}, aborting"
	done
}
95
# Archive the files a patch is about to replace into
# ${_PDIR}/${_patch}/rollback.tgz.
# Arguments: $1 - patch name; $2... - paths (relative to /) the patch ships
# Globals:   _TMP, _PDIR, _OSrev, _BSDMP (read)
# Returns:   0 on success; otherwise the patch directory is removed (so
#            ls_installed will not list it) and the failing status returned
create_rollback()
{
	local _file _patch=$1 _rbfiles _ret=0
	[[ -n ${_patch} ]]
	shift
	local _files="${@}"
	[[ -n ${_files} ]]

	for _file in ${_files}; do
		# files the patch adds have nothing to save (and are not removed
		# on rollback either)
		[[ -f /${_file} ]] || continue
		# only save the original release kernel once
		if [[ ${_file} == bsd && ! -f /bsd.syspatch${_OSrev} ]]; then
			install -FSp /bsd /bsd.syspatch${_OSrev}
		fi
		_rbfiles="${_rbfiles} ${_file}"
	done

	# GENERIC.MP: substitute bsd.mp->bsd and bsd.sp->bsd
	# On an MP box /bsd is the MP kernel and /bsd.sp the SP one, while a
	# patch archive names them bsd.mp and bsd (see install_kernel).  The -s
	# rewrites store /bsd as "bsd.mp" and /bsd.sp as "bsd" so rollback.tgz
	# has the same layout as a patch archive; an empty replacement makes
	# tar skip the entry (bsd.mp).
	if ${_BSDMP} &&
		tar -tzf ${_TMP}/syspatch${_patch}.tgz bsd >/dev/null 2>&1; then
		tar -C / -czf ${_PDIR}/${_patch}/rollback.tgz -s '/^bsd.mp$//' \
			-s '/^bsd$/bsd.mp/' -s '/^bsd.sp$/bsd/' bsd.sp \
			${_rbfiles} || _ret=$?
	else
		tar -C / -czf ${_PDIR}/${_patch}/rollback.tgz ${_rbfiles} ||
			_ret=$?
	fi

	# XXX missing archive (empty _rbfiles list) probably means a missing set
	[[ -f ${_PDIR}/${_patch}/rollback.tgz ]] || _ret=$?

	if ((_ret != 0)); then
		# status 0: report, then clean up and return the real error
		sp_err "Failed to create rollback patch ${_patch##${_OSrev}-}" 0
		rm -r ${_PDIR}/${_patch}; return ${_ret}
	fi
}
132
# Download a patch archive as the unprivileged fetch user and check it
# against the signed SHA256 list with the release's syspatch key.
# Arguments: $1 - archive file name (syspatchNN-NNN_name.tgz)
# Globals:   _TMP, _FETCH, _URL, _OSrev (read)
# Returns:   signify's status (non-zero on a failed check, fatal under set -e)
fetch_and_verify()
{
	local _tgz=$1
	local _sig=${_TMP}/SHA256.sig
	[[ -n ${_tgz} ]]

	# the signed checksum list is fetched once and reused for every patch
	if [[ ! -f ${_sig} ]]; then
		unpriv -f "${_sig}" ${_FETCH} -o "${_sig}" "${_URL}/SHA256.sig"
	fi

	unpriv -f "${_TMP}/${_tgz}" ${_FETCH} -mD "Get/Verify" \
		-o "${_TMP}/${_tgz}" "${_URL}/${_tgz}"

	# -C: verify the signature on SHA256.sig and that ${_tgz} matches the
	# checksum listed in it
	(
		cd ${_TMP} &&
		unpriv signify -qC -p \
			/etc/signify/openbsd-${_OSrev}-syspatch.pub \
			-x SHA256.sig ${_tgz}
	)
}
148
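# Replace an existing file with the patched copy, keeping the mode, owner
# and group stat(1) reports for the new file.
# Arguments: $1 - extracted (new) file, $2 - destination path
# Returns:   install's status; the script aborts (set -e) if either path is
#            not a regular file or stat yields no attributes
install_file()
{
	# XXX handle symlinks, dir->file, file->dir?
	local _dst=$2 _src=$1
	local _fgrp _fmode _fown
	# both ends must be regular files: new files/dirs are not handled
	[[ -f ${_src} && -f ${_dst} ]]

	# read mode (octal), owner and group as three words; positional
	# parameters are used instead of eval'ing stat's output as shell code
	set -- $(stat -f "%OMp%OLp %Su %Sg" ${_src})
	_fmode=$1 _fown=$2 _fgrp=$3
	# `set --' hides a stat failure from set -e, so check the result
	[[ -n ${_fmode} && -n ${_fown} && -n ${_fgrp} ]]

	# -D creates missing leading directories; -S and -F select the safe
	# (temporary file + rename) and flushed copy, see install(1)
	install -DFS -m ${_fmode} -o ${_fown} -g ${_fgrp} ${_src} ${_dst}
}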
159
# Install an extracted kernel under /, mapping archive names to the layout
# of the running system.
# Arguments: $1 - path of the extracted kernel (.../bsd or .../bsd.mp)
# Globals:   _BSDMP (read)
# Returns:   install's status
install_kernel()
{
	local _kern=$1 _target
	[[ -n ${_kern} ]]

	# default: same name in /
	_target=${_kern##*/}
	# on an MP box the archive's bsd becomes /bsd.sp and bsd.mp becomes /bsd
	if ${_BSDMP}; then
		if [[ ${_target} == bsd ]]; then
			_target=bsd.sp
		else
			_target=bsd
		fi
	fi

	install -FS ${_kern} /${_target}
}
171
# List installed patches (NNN_name, one per line, version-sorted).
# Globals:   _PDIR, _OSrev (read)
# Outputs:   patch names on stdout
ls_installed()
{
	local _dir _name
	for _dir in ${_PDIR}/*; do
		# a patch counts as installed once its rollback archive exists
		[[ -f ${_dir}/rollback.tgz ]] || continue
		_name=${_dir##*/${_OSrev}-}
		echo ${_name}
	done | sort -V
}
179
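# List patches published for this release that are not installed yet
# (NNN_name, one per line, version-sorted).
# Globals:   _TMP, _FETCH, _URL, _OSrev (read)
# Outputs:   patch names on stdout
ls_missing()
{
	# XXX match with installed sets (comp, x...)?
	local _index=${_TMP}/index.txt _installed _p
	_installed="$(ls_installed)"

	unpriv -f "${_index}" ${_FETCH} -o "${_index}" "${_URL}/index.txt"

	# index.txt is fetched over plain HTTP and is not covered by the
	# signify check in fetch_and_verify, so only names of the form
	# NNN_<alnum/underscore> are accepted; anything else is dropped here,
	# before the name reaches install -d, tar or the /bin/sh -c command
	# line built by unpriv
	for _p in $(grep -o \
		"syspatch${_OSrev}-[0-9][0-9][0-9]_[[:alnum:]_]*\.tgz" ${_index} |
		sed "s/^syspatch${_OSrev}-//;s/\.tgz$//" | sort -V); do
		if [[ -n ${_installed} ]]; then
			# _installed is one name per line, i.e. one pattern each;
			# -F keeps names from being read as regular expressions
			echo ${_p} | grep -qwF -- "${_installed}" || echo ${_p}
		else
			echo ${_p}
		fi
	done
}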
197
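# Revert the most recently installed patch (highest name listed by
# ls_installed) by reinstalling the files saved in its rollback.tgz.
# Globals:   _TMP, _PDIR, _OSrev (read)
# Returns:   0 once every file is back and the patch directory is removed;
#            otherwise the first failed install's status
rollback_patch()
{
	local _explodir _file _files _patch _ret=0

	_patch="$(ls_installed | sort -V | tail -1)"
	# nothing installed: abort (set -e)
	[[ -n ${_patch} ]]

	_explodir=${_TMP}/${_patch}-rollback
	_patch=${_OSrev}-${_patch}

	echo "Reverting patch ${_patch##${_OSrev}-}"
	install -d ${_explodir}

	# tar's verbose output is the list of saved paths (relative to /)
	_files="$(tar xvzphf ${_PDIR}/${_patch}/rollback.tgz -C ${_explodir})"
	checkfs ${_files} ${_PDIR} # check for read-only /var/syspatch

	for _file in ${_files}; do
		((_ret == 0)) || break
		if [[ ${_file} == @(bsd|bsd.mp) ]]; then
			install_kernel ${_explodir}/${_file} || _ret=$?
			# remove the backup kernel if all kernel syspatches have
			# been reverted; non-fatal (`-f')
			cmp -s /bsd /bsd.syspatch${_OSrev} &&
				rm -f /bsd.syspatch${_OSrev}
		else
			install_file ${_explodir}/${_file} /${_file} || _ret=$?
		fi
	done

	# same shape as apply_patch/create_rollback: report with status 0,
	# then return the real error
	if ((_ret != 0)); then
		sp_err "Failed to revert patch ${_patch##${_OSrev}-}" 0
		return ${_ret}
	fi
	# drop the rollback archive only once every file is back; a failing rm
	# is now a plain error instead of being reported with status 0
	rm -r ${_PDIR}/${_patch}
}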
230
# Remove leftovers that do not belong to the running release and re-apply
# the base mtree specs.
# Globals:   _PDIR, _OSrev (read)
# Returns:   0 (mtree failures are ignored)
sp_cleanup()
{
	local _dir _kern _mtree

	# drop /var/syspatch entries not named <OSrev>-NNN_*
	for _dir in ${_PDIR}/*; do
		[[ -e ${_dir} ]] || continue
		if [[ ${_dir##*/} != ${_OSrev}-@([0-9][0-9][0-9])_* ]]; then
			rm -r ${_dir}
		fi
	done

	# drop backup kernels left behind by another release
	for _kern in /bsd.syspatch*; do
		[[ -f ${_kern} ]] || continue
		if [[ ${_kern} != /bsd.syspatch${_OSrev} ]]; then
			rm ${_kern}
		fi
	done

	# in case a patch added a new directory (install -D); non-fatal since
	# some mount point may be read-only or remote
	for _mtree in /etc/mtree/{4.4BSD,BSD.x11}.dist; do
		if [[ -f ${_mtree} ]]; then
			mtree -qdef ${_mtree} -p / -U >/dev/null || true
		fi
	done
}
253
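# Run a command as the unprivileged fetch user.
# Arguments: [-f FILE] command words...; FILE is pre-created and handed to
#            the fetch user so it can write that one file
# Globals:   _TMP (read)
# Returns:   the command's status (via su)
unpriv()
{
	# XXX use a dedicated user?
	local _file=$2 _user=_pkgfetch

	# -f FILE: create FILE as root and chown it to ${_user}; ${_TMP} stays
	# root-owned and is opened to 0711 so the file is reachable while the
	# directory itself is neither listable nor writable for ${_user}
	if [[ $1 == -f && -n ${_file} ]]; then
		>${_file}
		chown "${_user}" "${_file}"
		chmod 0711 ${_TMP}
		shift 2
	fi
	# at least one command word is required (set -e)
	(($# >= 1))

	# the remaining words are joined into one string that /bin/sh re-parses
	# as ${_user}.  Passing "$*" directly instead of eval'ing a
	# single-quoted copy means a quote in an argument can at most break the
	# unprivileged command line, never the root shell's own parsing.
	su -s /bin/sh "${_user}" -c "$*"
}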
269
# XXX needs a way to match release <=> syspatch
# only run on release (not -current nor -stable)
# kern.version starts with "OpenBSD X.Y<suffix>"; the sed turns that into
# "X.Y <suffix>", so a second array element means a -current/-stable kernel
# (the suffix is empty on a release)
set -A _KERNV -- $(sysctl -n kern.version |
	sed 's/^OpenBSD \([0-9]\.[0-9]\)\([^ ]*\).*/\1 \2/;q')
((${#_KERNV[*]} > 1)) && sp_err "Unsupported release ${_KERNV[*]}"

# accept no argument or exactly one -<letter> flag; applying (no flag), -c
# and -r need root, -l does not
[[ $@ == @(|-[[:alpha:]]) ]] || usage; [[ $@ == @(|-(c|r)) ]] &&
	(($(id -u) != 0)) && sp_err "${0##*/}: need root privileges"

# more than one CPU found: the running kernel is the MP one
(($(sysctl -n hw.ncpufound) > 1)) && _BSDMP=true || _BSDMP=false
# non-interactive ftp(1), keep-alive interval from the environment (0 = off)
_FETCH="ftp -MVk ${FTP_KEEPALIVE-0}"
# "6.0" -> "60": used in patch, signify key and backup kernel names
_OSrev=${_KERNV[0]%\.*}${_KERNV[0]#*\.}
_PDIR="/var/syspatch"
# work directory, removed by the EXIT trap; unpriv later relaxes it to
# 0711 so _pkgfetch can reach the files handed to it
_TMP=$(mktemp -d -p /tmp syspatch.XXXXXXXXXX)
# XXX to be discussed
# plain HTTP: every .tgz is checked with signify in fetch_and_verify, but
# index.txt (read by ls_missing) has no such check
_URL=http://syspatch.openbsd.org/pub/OpenBSD/${_KERNV[0]}/syspatch/$(machine)
# NOTE(review): _REL is never assigned anywhere in this file
readonly _BSDMP _FETCH _OSrev _PDIR _REL _TMP _URL

# clean up the work directory on any exit; signals are turned into exit so
# the EXIT trap runs for them too
trap 'set +e; rm -rf "${_TMP}"' EXIT
trap exit HUP INT TERM

[[ -n ${_OSrev} ]]

while getopts clr arg; do
	case ${arg} in
		c) ls_missing;;
		l) ls_installed;;
		r) rollback_patch;;
		*) usage;;
	esac
done
shift $((OPTIND -1))
[[ $# -ne 0 ]] && usage

# no option given: install every patch not yet applied, oldest first
# (ls_missing sorts with -V), then tidy up
if ((OPTIND == 1)); then
	for _PATCH in $(ls_missing); do
		apply_patch ${_OSrev}-${_PATCH}
	done
	sp_cleanup
fi
310