system: reject sysupgrade of invalid firmware images by default
authorRafał Miłecki <rafal@milecki.pl>
Wed, 4 Sep 2019 09:06:52 +0000 (11:06 +0200)
committerRafał Miłecki <rafal@milecki.pl>
Wed, 4 Sep 2019 09:06:52 +0000 (11:06 +0200)
This validation step can be bypassed by passing the "force" argument. This
is very similar to the behavior of /sbin/sysupgrade and its --force option.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
system.c

index 7d7073d00a06418da9e3090c318a82b90112e511..94bef1bea6cf5a615a1717e0764f0835ab571b52 100644 (file)
--- a/system.c
+++ b/system.c
@@ -490,6 +490,7 @@ static int validate_firmware_image(struct ubus_context *ctx,
 
 enum {
        SYSUPGRADE_PATH,
+       SYSUPGRADE_FORCE,
        SYSUPGRADE_PREFIX,
        SYSUPGRADE_COMMAND,
        SYSUPGRADE_OPTIONS,
@@ -498,6 +499,7 @@ enum {
 
 static const struct blobmsg_policy sysupgrade_policy[__SYSUPGRADE_MAX] = {
        [SYSUPGRADE_PATH] = { .name = "path", .type = BLOBMSG_TYPE_STRING },
+       [SYSUPGRADE_FORCE] = { .name = "force", .type = BLOBMSG_TYPE_BOOL },
        [SYSUPGRADE_PREFIX] = { .name = "prefix", .type = BLOBMSG_TYPE_STRING },
        [SYSUPGRADE_COMMAND] = { .name = "command", .type = BLOBMSG_TYPE_STRING },
        [SYSUPGRADE_OPTIONS] = { .name = "options", .type = BLOBMSG_TYPE_TABLE },
@@ -539,6 +541,9 @@ static int sysupgrade(struct ubus_context *ctx, struct ubus_object *obj,
                if (!forceable) {
                        fprintf(stderr, "Firmware image is broken and cannot be installed\n");
                        return UBUS_STATUS_NOT_SUPPORTED;
+               } else if (!tb[SYSUPGRADE_FORCE] || !blobmsg_get_bool(tb[SYSUPGRADE_FORCE])) {
+                       fprintf(stderr, "Firmware image is invalid\n");
+                       return UBUS_STATUS_NOT_SUPPORTED;
                }
        }
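Review bot: When validation fails on a forceable image and the caller sets `force`, the new `else if` falls through without printing anything, so an install that overrode a failed validation leaves no trace on stderr. A final branch such as `} else { fprintf(stderr, "Firmware image is invalid, continuing because force was requested\n"); }` would make forced installs visible in the logs. Both rejection paths also return `UBUS_STATUS_NOT_SUPPORTED`, so a ubus caller cannot tell a forceable failure from a broken image without reading stderr; a comment above the branch such as `/* invalid but forceable: caller must pass "force" to proceed */` would document that. Since `force` turns off the only image check visible on this path, the method should presumably be reachable only by trusted callers through ubus ACLs; that cannot be confirmed here, because the body of `sysupgrade` starts and ends outside the hunk.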