1#!/bin/ksh 2# 3# $OpenBSD: syspatch.sh,v 1.167 2020/12/07 21:19:28 ajacoutot Exp $ 4# 5# Copyright (c) 2016, 2017 Antoine Jacoutot <ajacoutot@openbsd.org> 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19set -e 20umask 0022 21export PATH=/usr/bin:/bin:/usr/sbin:/sbin 22 23err() 24{ 25 echo "${0##*/}: ${1}" 1>&2 26 return ${2:-1} 27} 28 29usage() 30{ 31 echo "usage: ${0##*/} [-c | -l | -R | -r]" 1>&2 32 return 1 33} 34 35apply_patch() 36{ 37 local _edir _file _files _patch=$1 _rc=0 _s _upself=false 38 [[ -n ${_patch} ]] 39 40 _edir=${_TMP}/${_patch} 41 42 fetch_and_verify "syspatch${_patch}.tgz" 43 44 trap '' INT 45 echo "Installing patch ${_patch##${_OSrev}-}" 46 install -d ${_edir} ${_PDIR}/${_patch} 47 48 (($(sysctl -n hw.ncpufound) > 1)) && 49 _s="-s @usr/share/relink/kernel/GENERIC/.*@@g" || 50 _s="-s @usr/share/relink/kernel/GENERIC.MP/.*@@g" 51 _files="$(tar -xvzphf ${_TMP}/syspatch${_patch}.tgz -C ${_edir} \ 52 ${_s})" || { rm -r ${_PDIR}/${_patch}; return 1; } 53 54 checkfs ${_files} 55 create_rollback ${_patch} "${_files}" 56 57 for _file in ${_files}; do 58 ((_rc == 0)) || break 59 [[ ${_file} == usr/sbin/syspatch ]] && _upself=true 60 install_file ${_edir}/${_file} /${_file} || _rc=$? 61 done 62 63 if ((_rc != 0)); then 64 err "Failed to apply patch ${_patch##${_OSrev}-}" 0 65 rollback_patch; return ${_rc} 66 fi 67 # don't fill up /tmp when installing multiple patches at once; non-fatal 68 rm -rf ${_edir} ${_TMP}/syspatch${_patch}.tgz 69 trap exit INT 70 71 echo ${_files} | grep -Eqv \ 72 '(^|[[:blank:]]+)usr/share/relink/kernel/GENERI(C|C.MP)/[[:print:]]+([[:blank:]]+|$)' || 73 _KARL=true 74 75 (! ${_upself} || err "updated itself, run it again to install \ 76missing patches" 2) 77} 78 79# quick-and-dirty filesystem status and size checks: 80# - assume old files are about the same size as new ones 81# - ignore new (nonexistent) files 82# - ignore rollback tarball: create_rollback() will handle the failure 83# - compute total size of all files per fs, simpler and less margin for error 84# (instead of computing before installing each file) 85checkfs() 86{ 87 local _d _dev _df _files="${@}" _sz 88 [[ -n ${_files} ]] 89 90 set +e # ignore errors due to: 91 # - nonexistent files (i.e. syspatch is installing new files) 92 # - broken interpolation due to bogus devices like remote filesystems 93 eval $(cd / && 94 stat -qf "_dev=\"\${_dev} %Sd\"; 95 local %Sd=\"\${%Sd:+\${%Sd}\+}%Uz\"" ${_files}) \ 96 2>/dev/null 97 set -e 98 99 for _d in $(printf '%s\n' ${_dev} | sort -u); do 100 [[ ${_d} != "??" ]] || err "Unsupported filesystem, aborting" 101 mount | grep -v read-only | grep -q "^/dev/${_d} " || 102 err "Read-only filesystem, aborting" 103 _df=$(df -Pk | grep "^/dev/${_d} " | tr -s ' ' | cut -d ' ' -f4) 104 _sz=$(($((_d))/1024)) 105 ((_df > _sz)) || err "No space left on ${_d}, aborting" 106 done 107} 108 109create_rollback() 110{ 111 # XXX annotate new files so we can remove them if we rollback? 112 local _file _patch=$1 _rbfiles _rc=0 113 [[ -n ${_patch} ]] 114 shift 115 local _files="${@}" 116 [[ -n ${_files} ]] 117 118 for _file in ${_files}; do 119 [[ -f /${_file} ]] && _rbfiles="${_rbfiles} ${_file}" 120 done 121 122 tar -C / -czf ${_PDIR}/${_patch}/rollback.tgz ${_rbfiles} || _rc=$? 123 124 if ((_rc != 0)); then 125 err "Failed to create rollback patch ${_patch##${_OSrev}-}" 0 126 rm -r ${_PDIR}/${_patch}; return ${_rc} 127 fi 128} 129 130fetch_and_verify() 131{ 132 local _tgz=$1 _title="Get/Verify" 133 [[ -n ${_tgz} ]] 134 135 [[ -t 0 ]] || echo "${_title} ${_tgz}" 136 unpriv -f "${_TMP}/${_tgz}" ftp -N syspatch -VD "${_title}" -o \ 137 "${_TMP}/${_tgz}" "${_MIRROR}/${_tgz}" 138 139 (cd ${_TMP} && sha256 -qC ${_TMP}/SHA256 ${_tgz}) 140} 141 142install_file() 143{ 144 # XXX handle hard link, dir->file, file->dir? 145 local _dst=$2 _fgrp _fmode _fown _src=$1 146 [[ -f ${_src} && -f ${_dst} ]] 147 148 if [[ -h ${_src} ]]; then 149 ln -sf $(readlink ${_src}) ${_dst} 150 else 151 eval $(stat -f "_fmode=%OMp%OLp _fown=%Su _fgrp=%Sg" ${_src}) 152 install -DFp -m ${_fmode} -o ${_fown} -g ${_fgrp} ${_src} \ 153 ${_dst} 154 fi 155} 156 157ls_installed() 158{ 159 local _p 160 for _p in ${_PDIR}/${_OSrev}-+([[:digit:]])_+([[:alnum:]_-]); do 161 [[ -f ${_p}/rollback.tgz ]] && echo ${_p##*/${_OSrev}-} 162 done 163} 164 165ls_missing() 166{ 167 local _c _f _cmd _l="$(ls_installed)" _p _sha=${_TMP}/SHA256 168 169 # don't output anything on stdout to prevent corrupting the patch list 170 unpriv -f "${_sha}.sig" ftp -N syspatch -MVo "${_sha}.sig" \ 171 "${_MIRROR}/SHA256.sig" >/dev/null 172 unpriv -f "${_sha}" signify -Veq -x ${_sha}.sig -m ${_sha} -p \ 173 /etc/signify/openbsd-${_OSrev}-syspatch.pub >/dev/null 174 175 # sig file less than 3 lines long doesn't list any patch (new release) 176 (($(grep -c ".*" ${_sha}.sig) < 3)) && return 177 178 set -o pipefail 179 grep -Eo "syspatch${_OSrev}-[[:digit:]]{3}_[[:alnum:]_-]+" ${_sha} | 180 while read _c; do _c=${_c##syspatch${_OSrev}-} && 181 [[ -n ${_l} ]] && echo ${_c} | grep -qw -- "${_l}" || echo ${_c} 182 done | while read _p; do 183 _cmd="ftp -N syspatch -MVo - \ 184 ${_MIRROR}/syspatch${_OSrev}-${_p}.tgz" 185 unpriv "${_cmd}" | tar tzf - | while read _f; do 186 # no earlier version of _all_ files contained in the tgz 187 # exists on the system, it means a missing set: skip it 188 [[ -f /${_f} ]] || continue && echo ${_p} && pkill -u \ 189 _syspatch -xf "${_cmd}" || true && break 190 done 191 done | sort -V # only used as a buffer to display all patches at once 192 set +o pipefail 193} 194 195rollback_patch() 196{ 197 local _edir _file _files _patch _rc=0 198 199 _patch="$(ls_installed | tail -1)" 200 [[ -n ${_patch} ]] || return 0 # nothing to rollback 201 202 _edir=${_TMP}/${_patch}-rollback 203 _patch=${_OSrev}-${_patch} 204 205 trap '' INT 206 echo "Reverting patch ${_patch##${_OSrev}-}" 207 install -d ${_edir} 208 209 _files="$(tar xvzphf ${_PDIR}/${_patch}/rollback.tgz -C ${_edir})" 210 checkfs ${_files} ${_PDIR} # check for read-only /var/syspatch 211 212 for _file in ${_files}; do 213 ((_rc == 0)) || break 214 install_file ${_edir}/${_file} /${_file} || _rc=$? 215 done 216 217 ((_rc != 0)) || rm -r ${_PDIR}/${_patch} || _rc=$? 218 ((_rc == 0)) || 219 err "Failed to revert patch ${_patch##${_OSrev}-}" ${_rc} 220 rm -rf ${_edir} # don't fill up /tmp when using `-R'; non-fatal 221 trap exit INT 222 223 echo ${_files} | grep -Eqv \ 224 '(^|[[:blank:]]+)usr/share/relink/kernel/GENERI(C|C.MP)/[[:print:]]+([[:blank:]]+|$)' || 225 _KARL=true 226} 227 228trap_handler() 229{ 230 set +e # we're trapped 231 rm -rf "${_TMP}" 232 233 # in case a patch added a new directory (install -D) 234 if [[ -n ${_PATCHES} ]]; then 235 mtree -qdef /etc/mtree/4.4BSD.dist -p / -U >/dev/null 236 [[ -f /var/sysmerge/xetc.tgz ]] && 237 mtree -qdef /etc/mtree/BSD.x11.dist -p / -U >/dev/null 238 fi 239 240 if ${_KARL}; then 241 echo -n "Relinking to create unique kernel..." 242 if /usr/libexec/reorder_kernel; then 243 echo " done; reboot to load the new kernel" 244 else 245 echo " failed!\n!!! \"/usr/libexec/reorder_kernel\" \ 246must be run manually to install the new kernel" 247 exit 1 248 fi 249 fi 250 251 ${_PATCH_APPLIED} && echo "Errata can be reviewed under ${_PDIR}" 252} 253 254unpriv() 255{ 256 local _file=$2 _rc=0 _user=_syspatch 257 258 if [[ $1 == -f && -n ${_file} ]]; then 259 >${_file} 260 chown "${_user}" "${_file}" 261 chmod 0711 ${_TMP} 262 shift 2 263 fi 264 (($# >= 1)) 265 266 eval su -s /bin/sh ${_user} -c "'$@'" || _rc=$? 267 268 [[ -n ${_file} ]] && chown root "${_file}" 269 270 return ${_rc} 271} 272 273# only run on release (not -current nor -stable) 274set -A _KERNV -- $(sysctl -n kern.version | 275 sed 's/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\).*/\1 \2/;q') 276((${#_KERNV[*]} > 1)) && err "Unsupported release: ${_KERNV[0]}${_KERNV[1]}" 277 278[[ $@ == @(|-[[:alpha:]]) ]] || usage; [[ $@ == @(|-(c|R|r)) ]] && 279 (($(id -u) != 0)) && err "need root privileges" 280[[ $@ == @(|-(R|r)) ]] && pgrep -qxf '/bin/ksh .*reorder_kernel' && 281 err "cannot apply patches while reorder_kernel is running" 282 283_OSrev=${_KERNV[0]%.*}${_KERNV[0]#*.} 284[[ -n ${_OSrev} ]] 285 286_MIRROR=$(while read _line; do _line=${_line%%#*}; [[ -n ${_line} ]] && 287 print -r -- "${_line}"; done </etc/installurl | tail -1) 2>/dev/null 288[[ ${_MIRROR} == @(file|ftp|http|https)://* ]] || 289 _MIRROR=https://cdn.openbsd.org/pub/OpenBSD 290_MIRROR="${_MIRROR}/syspatch/${_KERNV[0]}/$(machine)" 291 292_PATCH_APPLIED=false 293_PDIR="/var/syspatch" 294_TMP=$(mktemp -d -p ${TMPDIR:-/tmp} syspatch.XXXXXXXXXX) 295_KARL=false 296 297readonly _KERNV _MIRROR _OSrev _PDIR _TMP 298 299trap 'trap_handler' EXIT 300trap exit HUP INT TERM 301 302while getopts clRr arg; do 303 case ${arg} in 304 c) ls_missing ;; 305 l) ls_installed ;; 306 R) while [[ -n $(ls_installed) ]]; do rollback_patch; done ;; 307 r) rollback_patch ;; 308 *) usage ;; 309 esac 310done 311shift $((OPTIND - 1)) 312(($# != 0)) && usage 313 314# default action: apply all patches 315if ((OPTIND == 1)); then 316 # remove non matching release /var/syspatch/ content 317 for _D in ${_PDIR}/{.[!.],}*; do 318 [[ -e ${_D} ]] || continue 319 [[ ${_D##*/} == ${_OSrev}-+([[:digit:]])_+([[:alnum:]_-]) ]] && 320 [[ -f ${_D}/rollback.tgz ]] || rm -r ${_D} 321 done 322 _PATCHES=$(ls_missing) # can't use errexit in a for loop 323 [[ -n ${_PATCHES} ]] || exit 2 324 for _PATCH in ${_PATCHES}; do 325 apply_patch ${_OSrev}-${_PATCH} 326 _PATCH_APPLIED=true 327 done 328fi 329