diff --git a/hosts/guard/install_pacman_hooks.sh b/hosts/guard/install_pacman_hooks.sh index c4b63c5..63e92e7 100755 --- a/hosts/guard/install_pacman_hooks.sh +++ b/hosts/guard/install_pacman_hooks.sh @@ -9,21 +9,8 @@ HOOKS_DIR="/etc/pacman.d/hooks" install -d -m 755 "$HOOKS_DIR" -# Pre-transaction hook -cat >"$HOOKS_DIR/10-unlock-etc-hosts.hook" <<'HOOK' -[Trigger] -Operation = Upgrade -Operation = Install -Operation = Remove -Type = Package -Target = * - -[Action] -Description = Temporarily unlocking /etc/hosts for transaction -When = PreTransaction -Exec = /bin/bash /usr/local/share/hosts-guard/pacman-pre-unlock-hosts.sh -NeedsTargets -HOOK +# Ensure any legacy pre-transaction hook is removed so pre-unlock only occurs via the wrapper +rm -f "$HOOKS_DIR/10-unlock-etc-hosts.hook" 2>/dev/null || true # Post-transaction hook cat >"$HOOKS_DIR/90-relock-etc-hosts.hook" <<'HOOK' @@ -43,7 +30,9 @@ HOOK # Place helper scripts into a shared location install -d -m 755 /usr/local/share/hosts-guard -install -m 755 "$SCRIPT_DIR/pacman-hooks/pacman-pre-unlock-hosts.sh" /usr/local/share/hosts-guard/ install -m 755 "$SCRIPT_DIR/pacman-hooks/pacman-post-relock-hosts.sh" /usr/local/share/hosts-guard/ +# Remove legacy pre-unlock helper if present to reduce accidental execution surface +rm -f /usr/local/share/hosts-guard/pacman-pre-unlock-hosts.sh 2>/dev/null || true + echo "Pacman hooks installed into $HOOKS_DIR." diff --git a/hosts/guard/pacman-hooks/pacman-post-relock-hosts.sh b/hosts/guard/pacman-hooks/pacman-post-relock-hosts.sh index 450f4e7..9589bb3 100644 --- a/hosts/guard/pacman-hooks/pacman-post-relock-hosts.sh +++ b/hosts/guard/pacman-hooks/pacman-post-relock-hosts.sh @@ -8,7 +8,7 @@ LOGTAG=hosts-guard-hook mount_layers_count() { awk '$5=="/etc/hosts"{c++} END{print c+0}' /proc/self/mountinfo 2>/dev/null || echo 0; } collapse_mounts() { local i=0 - if command -v mountpoint >/devnull 2>&1; then + if command -v mountpoint >/dev/null 2>&1; then while mountpoint -q "$TARGET"; do umount -l "$TARGET" >/dev/null 2>&1 || break i=$((i+1)) diff --git a/hosts/guard/pacman-hooks/pacman-pre-unlock-hosts.sh b/hosts/guard/pacman-hooks/pacman-pre-unlock-hosts.sh deleted file mode 100644 index e44866a..0000000 --- a/hosts/guard/pacman-hooks/pacman-pre-unlock-hosts.sh +++ /dev/null @@ -1,66 +0,0 @@ -#!/usr/bin/env bash -# Non-interactive pre-transaction hook to temporarily unlock /etc/hosts - -TARGET=/etc/hosts -LOGTAG=hosts-guard-hook - -stop_units_if_present() { - local units=(hosts-bind-mount.service hosts-guard.path) - for u in "${units[@]}"; do - if command -v systemctl >/dev/null 2>&1; then - if systemctl list-unit-files 2>/dev/null | grep -q "^$u"; then - systemctl stop "$u" >/dev/null 2>&1 || true - fi - fi - done -} - -is_ro_mount() { findmnt -no OPTIONS -T "$TARGET" 2>/dev/null | grep -qw ro; } -is_bind_mount() { findmnt -no OPTIONS -T "$TARGET" 2>/dev/null | grep -qw bind; } - -mount_layers_count() { awk '$5=="/etc/hosts"{c++} END{print c+0}' /proc/self/mountinfo 2>/dev/null || echo 0; } -cleanup_mount_stacks() { - local i=0 - # Unmount bind layers until /etc/hosts is no longer a mountpoint - if command -v mountpoint >/dev/null 2>&1; then - while mountpoint -q "$TARGET"; do - umount -l "$TARGET" >/dev/null 2>&1 || break - i=$((i+1)) - (( i > 20 )) && break - done - else - # Fallback to best-effort using mountinfo count - local cnt - cnt=$(mount_layers_count) - while (( cnt > 1 )); do - umount -l "$TARGET" >/dev/null 2>&1 || break - i=$((i+1)) - (( i > 20 )) && break - cnt=$(mount_layers_count) - done - fi -} - -# Drop protective attributes if present -if command -v lsattr >/dev/null 2>&1; then - attrs=$(lsattr -d "$TARGET" 2>/dev/null || true) - echo "$attrs" | grep -q " i " && chattr -i "$TARGET" >/dev/null 2>&1 || true - echo "$attrs" | grep -q " a " && chattr -a "$TARGET" >/dev/null 2>&1 || true -fi - -stop_units_if_present - -logger -t "$LOGTAG" "pre: unlocking /etc/hosts (starting)" -echo "$(date -Is) pre-unlock" >> /run/hosts-guard-hook.log 2>/dev/null || true - -# Always collapse any existing layers; we'll operate on the plain file -cleanup_mount_stacks - -# If someone managed a ro single-layer mount, ensure rw by remounting or collapsing again -if is_ro_mount; then - mount -o remount,rw "$TARGET" >/dev/null 2>&1 || cleanup_mount_stacks -fi - -logger -t "$LOGTAG" "pre: unlocking /etc/hosts (done)" - -exit 0 diff --git a/scripts/pacman_wrapper.sh b/scripts/pacman_wrapper.sh index 70c4046..afdb4f0 100755 --- a/scripts/pacman_wrapper.sh +++ b/scripts/pacman_wrapper.sh @@ -11,7 +11,7 @@ CYAN='\033[0;36m' BOLD='\033[1m' NC='\033[0m' # No Color -PACMAN_BIN="/usr/bin/pacman" +PACMAN_BIN="${PACMAN_BIN:-/usr/bin/pacman}" declare -a BLOCKED_KEYWORDS_LIST=() declare -a WHITELISTED_NAMES_LIST=() @@ -65,24 +65,142 @@ needs_unlock() { # Run pre/post hooks for /etc/hosts guard if present pre_unlock_hosts() { - local pre="/usr/local/share/hosts-guard/pacman-pre-unlock-hosts.sh" - if [[ -x "$pre" ]]; then + # Inline, non-exported logic to temporarily unlock /etc/hosts for the transaction + # This avoids a separate runnable script while keeping the behavior when using this wrapper. + local TARGET=/etc/hosts + local LOGTAG=hosts-guard-wrapper + + # Allow dry run for testing + if [[ -n "$HOSTS_GUARD_DRY_RUN" ]]; then + echo "[dry-run] Would unlock /etc/hosts (stop units, drop attrs, collapse mounts, ensure rw)" >&2 + return 0 + fi + + # Helper functions (kept local to this scope) + stop_units_if_present() { + local units=(hosts-bind-mount.service hosts-guard.path) + for u in "${units[@]}"; do + if command -v systemctl >/dev/null 2>&1; then + if systemctl list-unit-files 2>/dev/null | grep -q "^$u"; then + systemctl stop "$u" >/dev/null 2>&1 || true + fi + fi + done + } + + is_ro_mount() { findmnt -no OPTIONS -T "$TARGET" 2>/dev/null | grep -qw ro; } + mount_layers_count() { awk '$5=="/etc/hosts"{c++} END{print c+0}' /proc/self/mountinfo 2>/dev/null || echo 0; } + + cleanup_mount_stacks() { + local i=0 + if command -v mountpoint >/dev/null 2>&1; then + while mountpoint -q "$TARGET"; do + umount -l "$TARGET" >/dev/null 2>&1 || break + i=$((i+1)) + (( i > 20 )) && break + done + else + local cnt + cnt=$(mount_layers_count) + while (( cnt > 1 )); do + umount -l "$TARGET" >/dev/null 2>&1 || break + i=$((i+1)) + (( i > 20 )) && break + cnt=$(mount_layers_count) + done + fi + } + + # Make any protective attributes writable if present + if command -v lsattr >/dev/null 2>&1; then + local attrs + attrs=$(lsattr -d "$TARGET" 2>/dev/null || true) + echo "$attrs" | grep -q " i " && chattr -i "$TARGET" >/dev/null 2>&1 || true + echo "$attrs" | grep -q " a " && chattr -a "$TARGET" >/dev/null 2>&1 || true + fi + echo -e "${CYAN}[hosts-guard] Preparing /etc/hosts for transaction...${NC}" >&2 - /bin/bash "$pre" || true - fi + logger -t "$LOGTAG" "pre: unlocking /etc/hosts (starting)" || true + echo "$(date -Is) pre-unlock(wrapper)" >> /run/hosts-guard-hook.log 2>/dev/null || true + + # Always collapse any existing layers; we'll operate on the plain file + cleanup_mount_stacks + + # Ensure RW if someone left a single-layer RO bind + if is_ro_mount; then + mount -o remount,rw "$TARGET" >/dev/null 2>&1 || cleanup_mount_stacks + fi + + # Stop related units last to avoid races where they remount immediately + stop_units_if_present + + logger -t "$LOGTAG" "pre: unlocking /etc/hosts (done)" || true } post_relock_hosts() { - local post="/usr/local/share/hosts-guard/pacman-post-relock-hosts.sh" - if [[ -x "$post" ]]; then - /bin/bash "$post" || true + # Inline relock logic (mirrors pacman-post-relock-hosts.sh) + local TARGET=/etc/hosts + local ENFORCE=/usr/local/sbin/enforce-hosts.sh + local LOGTAG=hosts-guard-wrapper + + # Allow dry run for testing + if [[ -n "$HOSTS_GUARD_DRY_RUN" ]]; then + echo "[dry-run] Would reapply protections to /etc/hosts (collapse mounts, bind ro, start path watcher)" >&2 + return 0 + fi + + mount_layers_count() { awk '$5=="/etc/hosts"{c++} END{print c+0}' /proc/self/mountinfo 2>/dev/null || echo 0; } + collapse_mounts() { + local i=0 + if command -v mountpoint >/dev/null 2>&1; then + while mountpoint -q "$TARGET"; do + umount -l "$TARGET" >/dev/null 2>&1 || break + i=$((i+1)) + (( i > 20 )) && break + done + else + local cnt + cnt=$(mount_layers_count) + while (( cnt > 1 )); do + umount -l "$TARGET" >/dev/null 2>&1 || break + i=$((i+1)) + (( i > 20 )) && break + cnt=$(mount_layers_count) + done + fi + } + + logger -t "$LOGTAG" "post: relocking /etc/hosts (starting)" || true + echo "$(date -Is) post-relock(wrapper start)" >> /run/hosts-guard-hook.log 2>/dev/null || true + + collapse_mounts + + if [[ -x "$ENFORCE" ]]; then + "$ENFORCE" >/dev/null 2>&1 || true + fi + + # Apply exactly one ro bind layer + mount --bind "$TARGET" "$TARGET" >/dev/null 2>&1 || true + mount -o remount,ro,bind "$TARGET" >/dev/null 2>&1 || true + + # Start only the path watcher + if command -v systemctl >/dev/null 2>&1; then + systemctl start hosts-guard.path >/dev/null 2>&1 || true + fi + + logger -t "$LOGTAG" "post: relocking /etc/hosts (done)" || true + echo "$(date -Is) post-relock(wrapper done)" >> /run/hosts-guard-hook.log 2>/dev/null || true + echo -e "${CYAN}[hosts-guard] Protections re-applied to /etc/hosts.${NC}" >&2 - fi } # Ensure periodic system services (timer/monitor) are set up; if not, trigger setup ensure_periodic_maintenance() { + # Allow tests or callers to skip side-effectful setup + if [[ -n "$SKIP_PERIODIC_MAINTENANCE" ]]; then + return 0 + fi # Only proceed if systemd/systemctl is available if ! command -v systemctl >/dev/null 2>&1; then return 0