
From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Oct 2021 14:33:37 +0200
Subject: [PATCH] Allow empty /proc in offline mode
When scanning offline file systems the /proc might be empty. Currently,
OpenSCAP treats that as a permissions problem, which is often
true if it happens on a real system, but in offline mode it can be a
normal situation. We will not consider empty /proc an error in offline
mode.
The commit also includes a simple test case.
Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3
Resolves: RHBZ #2008922
---
 src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++----
 tests/probes/process58/CMakeLists.txt  |  1 +
 tests/probes/process58/empty_proc.sh   | 33 ++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 5 deletions(-)
 create mode 100755 tests/probes/process58/empty_proc.sh
diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c
index d1108fc59..29c582152 100644
--- a/src/OVAL/probes/unix/process58_probe.c
+++ b/src/OVAL/probes/unix/process58_probe.c
@@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){
 static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
 {
 	char buf[PATH_MAX];
-	int err = PROBE_EACCESS, max_cap_id;
+	int max_cap_id;
 	DIR *d;
 	struct dirent *ent;
 	oval_schema_version_t oval_version;
@@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
 	cmd_buffer[0] = '[';
 
 	// Scan the directories
+	bool any_pid_dir_found = false;
 	while (( ent = readdir(d) )) {
 		int fd, len;
 		char *tmp, state, tty_dev[128];
@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
 			}
 		}
 
-
-		err = PROBE_ESUCCESS; // If we get this far, no permission problems
-		dI("Have command: %s", cmd);
+		any_pid_dir_found = true;
 		cmd_sexp = SEXP_string_newf("%s", cmd);
 		pid_sexp = SEXP_number_newu_32(pid);
 		if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) &&
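Review bot: The `dI("Have command: %s", cmd);` trace is removed together with the `err` assignment it sat next to, but the commit message only describes the offline-mode change, so the loss of per-process debug output reads as incidental. If dropping it is intentional, say so in the message; otherwise keep `dI("Have command: %s", cmd);` directly after `any_pid_dir_found = true;`, since it is the only line that records which processes the probe actually read when a scan result is being disputed. The enclosing while loop and read_process begin before this hunk and continue after it.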
@@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
 	}
         closedir(d);
 	oscap_buffer_free(cmdline_buffer);
-	return err;
+
+	if (!any_pid_dir_found) {
+		dW("No data about processes could be read from '%s'.", buf);
+	}
+	// In offline mode, empty /proc might be a normal situation and doesn't
+	// have to mean permissions problems
+	if (prefix)
+		return PROBE_ESUCCESS;
+	else
+		return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
 }
 
 int process58_probe_offline_mode_supported(void)
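Review bot: The `if (prefix)` branch returns PROBE_ESUCCESS whenever a prefix is set, so in offline mode a /proc that contains entries the loop could not read is now reported exactly like an empty one, and the definition evaluates as though no processes exist instead of as a permissions error. The `dW` above fires in both cases, but the probe result no longer distinguishes them. Consider a second flag that is set as soon as the loop sees a pid-like entry (that point is outside this hunk) and only short-circuiting for the genuinely empty case: `if (prefix && !any_pid_dir_seen) return PROBE_ESUCCESS;` followed by `return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;`, which also drops the redundant `else` after `return`. The warning prints `buf`; if `buf` is rewritten inside the loop to build per-entry paths, the path logged here may not be the /proc directory once entries were seen — worth confirming against the loop body, which starts before this hunk.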
diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt
index 17261dbb7..947665de6 100644
--- a/tests/probes/process58/CMakeLists.txt
+++ b/tests/probes/process58/CMakeLists.txt
@@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX)
 	add_oscap_test("capability.sh")
 	add_oscap_test("command_line.sh")
 	add_oscap_test("dev_to_tty.sh")
+	add_oscap_test("empty_proc.sh")
 	add_oscap_test("loginuid.sh")
 	add_oscap_test("selinux_domain_label.sh")
 	add_oscap_test("sessionid.sh")
diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh
new file mode 100755
index 000000000..2f0334b15
--- /dev/null
+++ b/tests/probes/process58/empty_proc.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# This is regression test of RHBZ #2008922
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+probecheck "process58" || exit 255
+
+name=$(basename $0 .sh)
+result=$(mktemp ${name}.out.XXXXXX)
+stderr=$(mktemp ${name}.err.XXXXXX)
+
+root=$(mktemp -d)
+
+# create an empty /proc in the offline file system dir
+mkdir -p "$root/proc"
+
+export OSCAP_PROBE_ROOT="$root"
+$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
+
+[ $? -eq 0 ]
+grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
+grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
+grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
+
+[ -s "$result" ]
+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
+assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
+
+rm "$stderr"
+rm "$result"
+rm -r "$root"
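Review bot: The `[ $? -eq 0 ]` line after the `$OSCAP oval eval` invocation never fails: under `set -e` a non-zero exit from oscap already aborts the script, and when execution reaches this line `$?` is the status of that same successful command, so the check documents intent without enforcing anything. Quoting the path expansions would keep the test working from a build directory containing spaces, e.g. `$OSCAP oval eval --results "$result" "$srcdir/capability.oval.xml" 2> "$stderr"`. The temporary files and `$root` are only removed on the success path; if any of the assertions fails they are left behind in the working directory, which may be what the surrounding tests do as well but is worth a `trap` if the runner does not clean up after failed tests.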