authorLeah Rowe <leah@libreboot.org>2024-05-29 01:49:07 +0100
committerLeah Rowe <leah@libreboot.org>2024-05-29 02:07:38 +0100
commite9b9e825f1738a1b7159f81a45cb8e0f46d9ff94 (patch)
tree4379e3a39e5a9b13a3cd26932b2a2fe9451199ae /include/vendor.sh
parent0dd0dfaf3db5082f0256ec376180eb8b4eaab1c3 (diff)
./vendor download: more fine-tuned error control
By default, the build system does set -u -e. Some errors are unavoidable and have to be handled, so we have to set +u +e (turn off error handling in sh) when downloading vendor files, but only certain parts of vendor.sh trigger errors (which cause an exit). Replace the current bazooka approach with a more fine-grained approach, turning error handling back on again when it is safe to do so. In the parts of the code where it is disabled, the code is written very, very carefully, with errors still handled manually, but more careful auditing is required. This change has been tested and makes the command much safer to run. In security (or any bug auditing), it is the principle of least privilege that holds true. Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'include/vendor.sh')
-rwxr-xr-xinclude/vendor.sh7
1 files changed, 6 insertions, 1 deletions
diff --git a/include/vendor.sh b/include/vendor.sh
index 96631618..8178fbf9 100755
--- a/include/vendor.sh
+++ b/include/vendor.sh
@@ -28,7 +28,6 @@ eval "$(setvars "" _b EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe \
vendor_download()
{
- set +u +e
export PATH="$PATH:/sbin"
[ $# -gt 0 ] || $err "No argument given"
@@ -48,7 +47,9 @@ detect_firmware()
[ -d "$boarddir" ] || $err "Target '$board' not defined."
check_defconfig "$boarddir" 1>"$tmpdir/vendorcfg.list" && return 0
while read -r cbcfgfile; do
+ set +u +e
. "$cbcfgfile" 2>/dev/null
+ set -u -e
done < "$tmpdir/vendorcfg.list"
. "$boarddir/target.cfg" 2>/dev/null
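Review bot: The `. "$boarddir/target.cfg" 2>/dev/null` line right after the loop now appears to run with `-u -e` active, since the blanket `set +u +e` was removed from vendor_download (presumably its caller), yet its stderr is still discarded. An unset variable or failing command inside target.cfg would then end the run with no diagnostic, which is hard to audit for a file that is executed as shell code. If strictness is intended there, dropping the redirect (`. "$boarddir/target.cfg"`) keeps the failure visible; if not, the line needs the same `set +u +e` / `set -u -e` bracket as the loop body. detect_firmware starts and ends outside the hunk.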
@@ -131,6 +132,7 @@ fetch()
x_ rm -Rf "${_dl}_extracted"
mkdirs "$_dest" "extract_$dl_type" || return 0
eval "extract_$dl_type"
+ set -u -e
[ -f "$_dest" ] && return 0
$err "extract_$dl_type (fetch): missing file: '$_dest'"
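Review bot: The `set -u -e` added after `eval "extract_$dl_type"` is the only restore visible in this diff for the `set +u +e` that extract_intel_me and extract_e6400vga now issue (the later hunks). Strict mode therefore comes back only when an extractor was reached through fetch() and returned to this line. A comment here would make that contract explicit, for example `# extract_* may run set +u +e; restore strict mode for the rest of fetch()`. Restoring inside each extractor before it returns would remove the dependency on the caller. fetch() starts and ends outside the hunk.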
@@ -167,6 +169,8 @@ extract_intel_me()
sdir="$(mktemp -d)"
[ -z "$sdir" ] && return 0
mkdir -p "$sdir" || $err "extract_intel_me: !mkdir -p \"$sdir\""
+
+ set +u +e
(
[ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}"
cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\""
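Review bot: `set +u +e` sits just before the `(` subshell, so it relaxes the parent shell as well, and that state persists after the subshell ends until fetch() restores it. If only the commands inside the subshell need it, making it the first statement inside `(` would scope the relaxation to the subshell, because option changes made in a subshell do not propagate to the parent. Whether the code after the closing `)` also relies on `+e` cannot be seen here, as extract_intel_me continues outside the hunk.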
@@ -224,6 +228,7 @@ extract_kbc1126ec()
extract_e6400vga()
{
+ set +u +e
for v in E6400_VGA_offset E6400_VGA_romname; do
eval "[ -z \"\$$v\" ] && $err \"e6400vga: $v undefined\""
done