From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 5 Oct 2021 14:33:37 +0200 Subject: [PATCH] Allow empty /proc in offline mode When scanning offline file systems the /proc might be empty. Currently, OpenSCAP thinks that it means a permissions problems, which is often true if it happens on a real system, but in offline mode it can be a normal situation. We will not consider empty /proc an error in offline mode. The commit also includes a simple test case. Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3 Resolves: RHBZ #2008922 --- src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++---- tests/probes/process58/CMakeLists.txt | 1 + tests/probes/process58/empty_proc.sh | 33 ++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 5 deletions(-) create mode 100755 tests/probes/process58/empty_proc.sh diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c index d1108fc59..29c582152 100644 --- a/src/OVAL/probes/unix/process58_probe.c +++ b/src/OVAL/probes/unix/process58_probe.c @@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx) { char buf[PATH_MAX]; - int err = PROBE_EACCESS, max_cap_id; + int max_cap_id; DIR *d; struct dirent *ent; oval_schema_version_t oval_version; @@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx) cmd_buffer[0] = '['; // Scan the directories + bool any_pid_dir_found = false; while (( ent = readdir(d) )) { int fd, len; char *tmp, state, tty_dev[128]; 
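Review bot: The new `bool any_pid_dir_found = false;` in the second hunk is placed between the `// Scan the directories` comment and the `while (( ent = readdir(d) ))` loop that comment introduces, so the comment now reads as if it described the declaration; moving the declaration to the line above the comment (`bool any_pid_dir_found = false;` then `// Scan the directories`) keeps comment and loop together. It is also the only `bool` visible in the diff — if process58_probe.c does not already include `<stdbool.h>` (its include block is not in view), that include is needed. read_process's body continues beyond both hunks.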
@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx) } } - - err = PROBE_ESUCCESS; // If we get this far, no permission problems - dI("Have command: %s", cmd); + any_pid_dir_found = true; cmd_sexp = SEXP_string_newf("%s", cmd); pid_sexp = SEXP_number_newu_32(pid); if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) && @@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx) } closedir(d); oscap_buffer_free(cmdline_buffer); - return err; + + if (!any_pid_dir_found) { + dW("No data about processes could be read from '%s'.", buf); + } + // In offline mode, empty /proc might be a normal situation and doesn't + // have to mean permissions problems + if (prefix) + return PROBE_ESUCCESS; + else + return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS; } int process58_probe_offline_mode_supported(void) diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt index 17261dbb7..947665de6 100644 --- a/tests/probes/process58/CMakeLists.txt +++ b/tests/probes/process58/CMakeLists.txt @@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX) add_oscap_test("capability.sh") add_oscap_test("command_line.sh") add_oscap_test("dev_to_tty.sh") + add_oscap_test("empty_proc.sh") add_oscap_test("loginuid.sh") add_oscap_test("selinux_domain_label.sh") add_oscap_test("sessionid.sh") diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh new file mode 100755 index 000000000..2f0334b15 --- /dev/null +++ b/tests/probes/process58/empty_proc.sh 
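Review bot: The offline branch `if (prefix) return PROBE_ESUCCESS;` turns every prefix scan that collected nothing into a success, not only the empty-/proc case the commit describes: `any_pid_dir_found` is set at the point where the removed `err = PROBE_ESUCCESS; // If we get this far, no permission problems` used to be, i.e. only after a process's files were read, so pid entries that exist but cannot be opened (an image scanned by an unprivileged user, say) now produce a clean "does not exist" instead of PROBE_EACCESS and a partial scan goes unnoticed. To keep the relaxation scoped to an empty directory, track separately whether any numeric pid entry was seen at all — set where `ent->d_name` is parsed inside the loop, outside this hunk — and treat a prefix scan as success only when no entry was seen, as sketched below. The `dW` message prints `buf`; if `buf` is reused for per-process paths inside the loop it may not hold the directory path here, which is worth confirming against the loop body. read_process's body and the declaration of `prefix` start before this hunk.
```c
	/* … unchanged: closedir(d); oscap_buffer_free(cmdline_buffer); … */
	if (!any_pid_dir_found) {
		dW("No data about processes could be read from '%s'.", buf);
	}
	/* Offline (prefix set): a /proc with no pid entries at all is a normal
	 * situation, not an error.  Pid entries that exist but could not be
	 * read still mean a permissions problem, online or offline. */
	if (prefix && !any_pid_entry_seen)
		return PROBE_ESUCCESS;
	return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
```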
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# This is regression test of RHBZ #2008922
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+probecheck "process58" || exit 255
+
+name=$(basename $0 .sh)
+result=$(mktemp ${name}.out.XXXXXX)
+stderr=$(mktemp ${name}.err.XXXXXX)
+
+root=$(mktemp -d)
+
+# create an empty /proc in the offline file system dir
+mkdir -p "$root/proc"
+
+export OSCAP_PROBE_ROOT="$root"
+$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
+
+[ $? -eq 0 ]
+grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
+grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
+grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
+
+[ -s "$result" ]
+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
+assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
+
+rm "$stderr"
+rm "$result"
+rm -r "$root"
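Review bot: `[ $? -eq 0 ]` after the `$OSCAP oval eval` line can never fail: the script runs under `set -e`, so a non-zero exit from oscap aborts it before that line executes, and the check documents an intent it does not verify — drop it, or make the intent explicit with a comment such as `# set -e already aborts on a non-zero oscap exit`. The three trailing `rm` lines are likewise reached only on success; any failed assertion leaves `$root`, `$result` and `$stderr` behind, so either install `trap 'rm -rf "$root" "$result" "$stderr"' EXIT` right after they are created or note that artifacts are intentionally kept for debugging. The test pins the offline empty-/proc behaviour only; the online permissions path the commit means to preserve is not exercised here, which is presumably why it is kept separate.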