openscap/openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch

166 lines
5.6 KiB
Diff
Raw Normal View History

From f8366b395b977392d724c6cc84c7295590c39ee8 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 7 Nov 2023 20:01:44 +0100
Subject: [PATCH] Fix tests/probes/sysctl_all
The test will now automatically adapt to the list of readable
variables and won't break every time a new root-readable variable
is introduced in kernel.
---
tests/probes/sysctl/test_sysctl_probe_all.sh | 144 +++++++------------
1 file changed, 50 insertions(+), 94 deletions(-)
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index f1834059fb..efaa31b9b1 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -8,98 +8,57 @@ set -e -o pipefail
# non root users
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
-# non root users are not able to access some kernel params, so they get excluded
-SYSCTL_EXCLUDE='
- dev.parport.parport0.autoprobe
- dev.tty.legacy_tiocsti
- fs.protected_hardlinks
- fs.protected_fifos
- fs.protected_regular
- fs.protected_symlinks
- kernel.cad_pid
- kernel.unprivileged_userns_apparmor_policy
- kernel.apparmor_display_secid_mode
- kernel.usermodehelper.bset
- kernel.usermodehelper.inheritable
- net.core.bpf_jit_harden
- net.core.bpf_jit_kallsyms
- net.core.bpf_jit_limit
- net.ipv4.tcp_fastopen_key
- stable_secret
- vm.mmap_rnd_bits
- vm.mmap_rnd_compat_bits
- vm.stat_refresh'
-
-SYSCTL_EXCLUDE_REGEX="$(printf '\|%s' $SYSCTL_EXCLUDE)"
-# strip leading '\|'
-SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX:2}
-
function perform_test {
-probecheck "sysctl" || return 255
-
-name=$(basename $0 .sh)
-
-result=$(mktemp ${name}.res.out.XXXXXX)
-stderr=$(mktemp ${name}.err.out.XXXXXX)
-ourNames=$(mktemp ${name}.our.out.XXXXXX)
-sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
-
-echo "Result file: $result"
-echo "Our names file: $ourNames"
-echo "Sysctl names file: $sysctlNames"
-echo "Errors file: $stderr"
-
-$OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
-
-case $(uname) in
- FreeBSD)
- sysctl -aN 2> /dev/null > "$sysctlNames"
- ;;
- Linux)
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
- # kernel parameters might use "/" and "." separators interchangeably - normalizing
- sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr "/" "." | sort -u > "$sysctlNames"
- ;;
-esac
-
-grep unix-sys:name "$result" | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-
-# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh
-# options from the sysctl output, for more details see
-# https://github.com/OpenSCAP/openscap/issues/1152.
-procps_ver="$(package_version procps-ng procps)"
-
-lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1)
-if [ "$procps_ver" != "$lowest_ver" ]; then
- sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames"
- sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
-fi
-
-if ! grep -q "hugepages" "$ourNames"; then
- sed -i "/^.*hugepages.*$/d" "$sysctlNames"
-fi
-
-echo "Diff (sysctlNames / ourNames): ------"
-diff "$sysctlNames" "$ourNames"
-echo "-------------------------------------"
-
-# remove oscap error message related to permissions from stderr
-sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
-sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
-
-# remove oscap error message related to gibberish binary entries
-# that can't fit into 8K buffer and result in errno 14
-# (for example /proc/sys/kernel/spl/hostid could be the case)
-sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
-sed -i "/^.*hugepages.*$/d" "$stderr"
-
-echo "Errors (without messages related to permissions):"
-cat "$stderr"
-
-[ ! -s $stderr ]
-
-rm $stderr $result $ourNames $sysctlNames
+ probecheck "sysctl" || return 255
+
+ name=$(basename $0 .sh)
+
+ result=$(mktemp ${name}.res.out.XXXXXX)
+ stderr=$(mktemp ${name}.err.out.XXXXXX)
+ ourNames=$(mktemp ${name}.our.out.XXXXXX)
+ sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
+
+ echo "Result file: $result"
+ echo "Our names file: $ourNames"
+ echo "Sysctl names file: $sysctlNames"
+ echo "Errors file: $stderr"
+
+ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
+
+ case $(uname) in
+ FreeBSD)
+ sysctl -aN 2> /dev/null > "$sysctlNames"
+ ;;
+ Linux)
+ # sysctl has duplicities in output
+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
+ # kernel parameters might use "/" and "." separators interchangeably - normalizing
+ sysctl -a --deprecated 2> /dev/null | tr "/" "." | cut -d "=" -f 1 | tr -d " " | sort -u > "$sysctlNames"
+ ;;
+ esac
+
+ grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+
+ # remove oscap error message related to permissions from stderr
+ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
+
+ # remove oscap error message related to gibberish binary entries
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
+ sed -i "/^.*hugepages.*$/d" "$stderr"
+
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"
+
+ [ ! -s $stderr ]
+
+ rm $stderr $result $ourNames $sysctlNames
}
perform_test