Introduce 044-verify-unit.brp

It is intended to check the sanity of systemd units installed in the
buildroot. As of today, it errors out on executable unit files and units
passing nobody as User=, Group= or in SupplementaryGroups=.

configure.ac

@@ -922,6 +922,7 @@ AC_OUTPUT([ Doxyfile Makefile rpmrc macros platform rpmpopt
 	scripts/brp-strip-lto
 	scripts/brp-verify_elf
 	scripts/brp-verify-info
+	scripts/brp-verify-unit
 	scripts/compress_files
 	scripts/cpp.req
 	scripts/debuginfo.prov

scripts/Makefile.am

@@ -12,6 +12,7 @@ EXTRA_DIST = \
 	brp-check_contents brp-cleanup brp-compress brp-debuginfo \
 	brp-fix-perms brp-fixup brp-strip-lto \
 	brp-verify_elf brp-verify-info \
+	brp-verify-unit \
 	compress_files \
 	cpp.req cpp.req.files \
 	find-lang \
@@ -79,6 +80,7 @@ install-data-local:
 	$(INSTALL) -m755 brp-check_contents $(DESTDIR)$(configdir)/brp.d/028-check_contents.brp
 	$(INSTALL) -m755 brp-compress $(DESTDIR)$(configdir)/brp.d/032-compress.brp
 	$(INSTALL) -m755 brp-verify-info $(DESTDIR)$(configdir)/brp.d/040-verify-info.brp
+	$(INSTALL) -m755 brp-verify-unit $(DESTDIR)$(configdir)/brp.d/044-verify-unit.brp
 	$(INSTALL) -m755 brp-adjust_libraries $(DESTDIR)$(configdir)/brp.d/048-adjust_libraries.brp
 	$(INSTALL) -m755 brp-debuginfo $(DESTDIR)$(configdir)/brp.d/056-debuginfo.brp
 	$(INSTALL) -m755 brp-sign-kmodules $(DESTDIR)$(configdir)/brp.d/057-brp-sign-kmodules.brp

scripts/brp-verify-unit.in

@@ -0,0 +1,69 @@
+#!/bin/sh -eu
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+. @RPMCONFIGDIR@/functions
+ValidateBuildRoot
+
+cd "$RPM_BUILD_ROOT"
+
+Error() {
+	echo "${0##*/}: ERROR: $*" >&2
+}
+
+# Validates permissions and credentials set on this unit file.
+ValidateUnitPerms() {
+	local unitf="$1"; shift
+
+	# Allow non-executable regular files.
+	stat -c '%A' "$unitf" | grep -Eq '^-..-..-..-' || {
+		Info "bad permissions on \"${unitf#.}\": $(stat -c '%A' "$unitf")"
+		return 1
+	}
+}
+
+# Validates user and group credentials of processes spawned by this unit.
+ValidateUnitExecUG() {
+	# We do not catch the case where a relevant directive is set to an
+	# invalid value and then overwritten with a valid value by a further
+	# drop-in file, always present when the original unit is present. It
+	# makes very little sense to do this in a package instead of patching
+	# the unit to be correct.
+	local k_regex
+	local unitf="$1"; shift
+	[ -L "$unitf" ] && return ||:
+
+	k_regex='^[[:space:]]*(User|Group)[[:space:]]*=[[:space:]]*'
+	if sed -En "s/$k_regex//p" "$unitf" | grep -Eq 'nobody|65534'; then
+		Error "\"${unitf#.}\" assumes overflowugid credentials"
+		rc=1
+	fi
+
+	k_regex='^[[:space:]]*SupplementaryGroups[[:space:]]*=[[:space:]]*'
+	# A space-separated list of names or IDs.
+	if sed -En "s/$k_regex/ /p" "$unitf" | grep -Eq ' (nobody|65534)'; then
+		Error "\"${unitf#.}\" assumes overflowgid as supplementary group"
+		rc=1
+	fi
+
+	return $rc
+}
+
+USERUNITDIR="./usr/lib/systemd/user"
+UNITDIR="./usr/lib/systemd/system"
+[ -d "$UNITDIR" ] || UNITDIR="./lib/systemd/system"
+[ -d "$UNITDIR" -o -d "$USERUNITDIR" ] || exit 0
+
+rc=0
+echo "Verifying systemd units in $RPM_BUILD_ROOT"
+
+Verbose "Examining ${UNITDIR#.}"
+[ -d "$UNITDIR" ] && for f in $(find "$UNITDIR" -type f); do
+	ValidateUnitPerms "$f" || rc=1
+	ValidateUnitExecUG "$f" || rc=1
+done
+Verbose "Examining ${USERUNITDIR#.}"
+[ -d "$USERUNITDIR" ] && for f in $(find "$USERUNITDIR" -type f); do
+	ValidateUnitPerms "$f" || rc=1
+done
+
+exit $rc