Fix process58 probe errors when scanning minimalist filesystem in offline mode
Resolves: rhbz#2019054
parent
058a36bb6d
commit
2e3c457351
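--- /dev/null
+++ b/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
@@ -0,0 +1,124 @@
+From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 5 Oct 2021 14:33:37 +0200
+Subject: [PATCH] Allow empty /proc in offline mode
+
+When scanning offline file systems the /proc might be empty. Currently,
+OpenSCAP thinks that it means a permissions problems, which is often
+true if it happens on a real system, but in offline mode it can be a
+normal situation. We will not consider empty /proc an error in offline
+mode.
+
+The commit also includes a simple test case.
+
+Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3
+
+Resolves: RHBZ #2008922
+---
+src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++----
+tests/probes/process58/CMakeLists.txt | 1 +
+tests/probes/process58/empty_proc.sh | 33 ++++++++++++++++++++++++++
+3 files changed, 47 insertions(+), 5 deletions(-)
+create mode 100755 tests/probes/process58/empty_proc.sh
+
+diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c
+index d1108fc59..29c582152 100644
+--- a/src/OVAL/probes/unix/process58_probe.c
++++ b/src/OVAL/probes/unix/process58_probe.c
+@@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){
+static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+{
+char buf[PATH_MAX];
+- int err = PROBE_EACCESS, max_cap_id;
++ int max_cap_id;
+DIR *d;
+struct dirent *ent;
+oval_schema_version_t oval_version;
+@@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+cmd_buffer[0] = '[';
+
+// Scan the directories
++ bool any_pid_dir_found = false;
+while (( ent = readdir(d) )) {
+int fd, len;
+char *tmp, state, tty_dev[128];
+@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+}
+}
+
+-
+- err = PROBE_ESUCCESS; // If we get this far, no permission problems
+- dI("Have command: %s", cmd);
++ any_pid_dir_found = true;
+cmd_sexp = SEXP_string_newf("%s", cmd);
+pid_sexp = SEXP_number_newu_32(pid);
+if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) &&
+@@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
+}
+closedir(d);
+oscap_buffer_free(cmdline_buffer);
+- return err;
++
++ if (!any_pid_dir_found) {
++ dW("No data about processes could be read from '%s'.", buf);
++ }
++ // In offline mode, empty /proc might be a normal situation and doesn't
++ // have to mean permissions problems
++ if (prefix)
++ return PROBE_ESUCCESS;
++ else
++ return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
+}
+
+int process58_probe_offline_mode_supported(void)
+diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt
+index 17261dbb7..947665de6 100644
+--- a/tests/probes/process58/CMakeLists.txt
++++ b/tests/probes/process58/CMakeLists.txt
+@@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX)
+add_oscap_test("capability.sh")
+add_oscap_test("command_line.sh")
+add_oscap_test("dev_to_tty.sh")
++ add_oscap_test("empty_proc.sh")
+add_oscap_test("loginuid.sh")
+add_oscap_test("selinux_domain_label.sh")
+add_oscap_test("sessionid.sh")
+diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh
+new file mode 100755
+index 000000000..2f0334b15
+--- /dev/null
++++ b/tests/probes/process58/empty_proc.sh
+@@ -0,0 +1,33 @@
++#!/usr/bin/env bash
++
++# This is regression test of RHBZ #2008922
++
++set -e -o pipefail
++
++. $builddir/tests/test_common.sh
++probecheck "process58" || exit 255
++
++name=$(basename $0 .sh)
++result=$(mktemp ${name}.out.XXXXXX)
++stderr=$(mktemp ${name}.err.XXXXXX)
++
++root=$(mktemp -d)
++
++# create an empty /proc in the offline file system dir
++mkdir -p "$root/proc"
++
++export OSCAP_PROBE_ROOT="$root"
++$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
++
++[ $? -eq 0 ]
++grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
++grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
++grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
++
++[ -s "$result" ]
++assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
++assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
++
++rm "$stderr"
++rm "$result"
++rm -r "$root"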
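Review bot: The new offline-mode return at the end of read_process cannot tell an empty /proc apart from a readdir() failure, because the `while (( ent = readdir(d) ))` loop terminates on both and errno is never inspected, so with `prefix` set a genuinely unreadable directory is now reported as PROBE_ESUCCESS instead of PROBE_EACCESS. Clearing errno before the loop and capturing it afterwards (`errno = 0;` before the `while`, `int saved_errno = errno;` immediately after the loop) would let the final return keep PROBE_EACCESS when `saved_errno != 0` in both modes while still accepting a merely empty directory offline. The `bool any_pid_dir_found` local presumably relies on `<stdbool.h>` being included; the include block is outside these hunks, so confirm it is. In the shell test, `[ $? -eq 0 ]` after the `$OSCAP` invocation can never observe a failure under `set -e`, since a non-zero exit already aborts the script one line earlier. read_process begins and ends outside the visible hunks.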
@ -1,6 +1,6 @@
|
|||||||
Name: openscap
|
Name: openscap
|
||||||
Version: 1.3.5
|
Version: 1.3.5
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -17,6 +17,7 @@ Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
|
|||||||
Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
|
Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
|
||||||
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
|
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
|
||||||
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
|
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
|
||||||
|
Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: cmake >= 2.6
|
BuildRequires: cmake >= 2.6
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -207,6 +208,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
|
|||||||
%{_bindir}/oscap-run-sce-script
|
%{_bindir}/oscap-run-sce-script
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 01 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-10
|
||||||
|
- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
|
||||||
|
|
||||||
* Mon Nov 01 2021 Matej Tyc <matyc@redhat.com> - 1:1.3.5-9
|
* Mon Nov 01 2021 Matej Tyc <matyc@redhat.com> - 1:1.3.5-9
|
||||||
- Fix bad handling of HTTP error code (rhbz#2002733)
|
- Fix bad handling of HTTP error code (rhbz#2002733)
|
||||||
|
|
||||||