From 2e3c457351d53caa855d5e503025bb28526dbcdd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Mon, 1 Nov 2021 22:38:26 +0100
Subject: [PATCH] Fix process58 probe errors when scanning minimalist filesystem in offline mode

Resolves: rhbz#2019054
---
 ...-1.3.6-empty-proc-in-offline-pr-1812.patch | 124 ++++++++++++++++++
 openscap.spec | 6 +-
 2 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 openscap-1.3.6-empty-proc-in-offline-pr-1812.patch

diff --git a/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch b/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
new file mode 100644
index 0000000..7138beb
--- /dev/null
+++ b/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
@@ -0,0 +1,124 @@
+From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 5 Oct 2021 14:33:37 +0200
+Subject: [PATCH] Allow empty /proc in offline mode
+
+When scanning offline file systems the /proc might be empty. Currently,
+OpenSCAP thinks that it means a permissions problems, which is often
+true if it happens on a real system, but in offline mode it can be a
+normal situation. We will not consider empty /proc an error in offline
+mode.
+
+The commit also includes a simple test case.
+
+Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3
+
+Resolves: RHBZ #2008922
+---
+ src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++----
+ tests/probes/process58/CMakeLists.txt | 1 +
+ tests/probes/process58/empty_proc.sh | 33 ++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 5 deletions(-)
+ create mode 100755 tests/probes/process58/empty_proc.sh
+
+diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c
+index d1108fc59..29c582152 100644
+--- a/src/OVAL/probes/unix/process58_probe.c
++++ b/src/OVAL/probes/unix/process58_probe.c
+@@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){
+ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+ {
+ char buf[PATH_MAX];
+- int err = PROBE_EACCESS, max_cap_id;
++ int max_cap_id;
+ DIR *d;
+ struct dirent *ent;
+ oval_schema_version_t oval_version;
+@@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+ cmd_buffer[0] = '[';
+
+ // Scan the directories
++ bool any_pid_dir_found = false;
+ while (( ent = readdir(d) )) {
+ int fd, len;
+ char *tmp, state, tty_dev[128];
+@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+ }
+ }
+
+-
+- err = PROBE_ESUCCESS; // If we get this far, no permission problems
+- dI("Have command: %s", cmd);
++ any_pid_dir_found = true;
+ cmd_sexp = SEXP_string_newf("%s", cmd);
+ pid_sexp = SEXP_number_newu_32(pid);
+ if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) &&
+@@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+ }
+ closedir(d);
+ oscap_buffer_free(cmdline_buffer);
+- return err;
++
++ if (!any_pid_dir_found) {
++ dW("No data about processes could be read from '%s'.", buf);
++ }
++ // In offline mode, empty /proc might be a normal situation and doesn't
++ // have to mean permissions problems
++ if (prefix)
++ return PROBE_ESUCCESS;
++ else
++ return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
+ }
+
+ int process58_probe_offline_mode_supported(void)
+diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt
+index 17261dbb7..947665de6 100644
+--- a/tests/probes/process58/CMakeLists.txt
++++ b/tests/probes/process58/CMakeLists.txt
+@@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX)
+ add_oscap_test("capability.sh")
+ add_oscap_test("command_line.sh")
+ add_oscap_test("dev_to_tty.sh")
++ add_oscap_test("empty_proc.sh")
+ add_oscap_test("loginuid.sh")
+ add_oscap_test("selinux_domain_label.sh")
+ add_oscap_test("sessionid.sh")
+diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh
+new file mode 100755
+index 000000000..2f0334b15
+--- /dev/null
++++ b/tests/probes/process58/empty_proc.sh
+@@ -0,0 +1,33 @@
++#!/usr/bin/env bash
++
++# This is regression test of RHBZ #2008922
++
++set -e -o pipefail
++
++. $builddir/tests/test_common.sh
++probecheck "process58" || exit 255
++
++name=$(basename $0 .sh)
++result=$(mktemp ${name}.out.XXXXXX)
++stderr=$(mktemp ${name}.err.XXXXXX)
++
++root=$(mktemp -d)
++
++# create an empty /proc in the offline file system dir
++mkdir -p "$root/proc"
++
++export OSCAP_PROBE_ROOT="$root"
++$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
++
++[ $? -eq 0 ]
++grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
++grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
++grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
++
++[ -s "$result" ]
++assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
++assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
++
++rm "$stderr"
++rm "$result"
++rm -r "$root"
diff --git a/openscap.spec b/openscap.spec
index 53aef95..1ef7163 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,6 +1,6 @@
 Name: openscap
 Version: 1.3.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 License: LGPLv2+
@@ -17,6 +17,7 @@ Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
 Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
 Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
 Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
+Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
 BuildRequires: make
 BuildRequires: cmake >= 2.6
 BuildRequires: gcc
@@ -207,6 +208,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Mon Nov 01 2021 Evgenii Kolesnikov - 1:1.3.5-10
+- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
+
 * Mon Nov 01 2021 Matej Tyc - 1:1.3.5-9
 - Fix bad handling of HTTP error code (rhbz#2002733)
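Review bot: The `if (prefix) return PROBE_ESUCCESS;` branch at the end of the last process58_probe.c hunk drops the permission signal for every offline scan, not only the empty-/proc case the message describes: when the offline root does hold numeric /proc entries that cannot be opened, the probe now reports success with no items, the object is flagged "does not exist" and the definition evaluates to false (exactly what the new test asserts for the empty case), which can turn an unreadable snapshot into a clean-looking result. Consider tracking a second flag, set where the loop accepts a pid-named entry (that part of the loop is outside the hunk), and in the offline branch returning `return (any_pid_dir_found || !any_pid_dir_seen) ? PROBE_ESUCCESS : PROBE_EACCESS;` so that only a genuinely empty /proc is treated as normal. Whether `buf` still names the /proc directory when the `dW` fires depends on code outside the hunk; if the loop reuses it for per-pid file paths, the warning would name the last file tried instead, which is worth confirming against the test's expected message. read_process starts and ends outside these hunks, and `prefix` is declared outside them as well.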