From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001
From: Matus Marhefka <mmarhefk@redhat.com>
Date: Thu, 16 Jan 2020 15:39:37 +0100
Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target
|
In case that a container image and a running container have the same
name, `oscap-podman` scans container image and a running container is
skipped. This might be unexpected and might cause a confusion for user.
Therefore, this commit adds code that detects such a situation and
rather informs user about ambiguous scan target and terminates.
In such cases the unique container image/container ID should be used
for specifying the target of the scan.
---
utils/oscap-podman | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
|
diff --git a/utils/oscap-podman b/utils/oscap-podman
|
|
|
ca8ab9 |
index 272afd988..32ec0cfcb 100755
|
|
|
ca8ab9 |
--- a/utils/oscap-podman
|
|
|
ca8ab9 |
+++ b/utils/oscap-podman
|
|
|
ca8ab9 |
@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then
|
|
|
ca8ab9 |
die
|
|
|
ca8ab9 |
fi
|
|
|
ca8ab9 |
|
|
|
ca8ab9 |
+IMAGE_NAME=$(podman image exists "$1" \
|
|
|
ca8ab9 |
+ && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1")
|
|
|
ca8ab9 |
+CONTAINER_NAME=$(podman container exists "$1" \
|
|
|
ca8ab9 |
+ && podman container inspect --format "{{.Id}} {{.Name}}" "$1")
|
|
|
ca8ab9 |
+
|
|
|
ca8ab9 |
+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
|
|
|
ca8ab9 |
+ echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
|
|
|
ca8ab9 |
+ echo "Please rather use an unique ID to specify the target of the scan." >&2
|
|
|
ca8ab9 |
+ die
|
|
|
ca8ab9 |
+fi
|
|
|
ca8ab9 |
+
|
|
|
ca8ab9 |
# Check if the target of scan is image or container.
|
|
|
ca8ab9 |
CLEANUP=0
|
|
|
ca8ab9 |
-if podman images | grep -q $1; then
|
|
|
ca8ab9 |
+if [ -n "$IMAGE_NAME" ]; then
|
|
|
ca8ab9 |
ID=$(podman create $1) || die
|
|
|
ca8ab9 |
- IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1)
|
|
|
ca8ab9 |
- TARGET="podman-image://$IMG_NAME"
|
|
|
ca8ab9 |
+ TARGET="podman-image://$IMAGE_NAME"
|
|
|
ca8ab9 |
CLEANUP=1
|
|
|
ca8ab9 |
-else
|
|
|
ca8ab9 |
+elif [ -n "$CONTAINER_NAME" ]; then
|
|
|
ca8ab9 |
# If the target was not found in images we suppose it is a container.
|
|
|
ca8ab9 |
ID=$1
|
|
|
ca8ab9 |
- TARGET="podman-container://$1"
|
|
|
ca8ab9 |
+ TARGET="podman-container://$CONTAINER_NAME"
|
|
|
ca8ab9 |
+else
|
|
|
ca8ab9 |
+ echo "Target of the scan not found: '$1'." >&2
|
|
|
ca8ab9 |
+ die
|
|
|
ca8ab9 |
fi
|
|
|
ca8ab9 |
|
|
|
ca8ab9 |
# podman init creates required files such as: /run/.containerenv - we don't care about output and exit code
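Review bot: The ambiguity check resolves `$1` once, but the branches below still re-resolve the raw, user-supplied name instead of pinning the ID the check already obtained: `ID=$(podman create $1) || die` (left unquoted, unlike the new `"$1"` uses) in the image branch and `ID=$1` in the container branch. Because `IMAGE_NAME` and `CONTAINER_NAME` both start with `{{.Id}}`, the first field can be reused so that the object that passed the check is the one that gets scanned even if a name is re-bound between the check and the later podman calls: `ID=$(podman create "${IMAGE_NAME%% *}") || die` and `ID=${CONTAINER_NAME%% *}`. Note also that the exit status of the two command substitutions is discarded, so any podman failure (not just "no such object") leaves both variables empty and the user is told `Target of the scan not found`; checking the `podman image exists` / `podman container exists` status separately from the inspect output would keep a real error distinguishable from a missing target. How `ID` and `TARGET` are consumed lies outside the hunk.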
|