rpms/openscap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix test test_sysctl_probe_all.sh

Browse Source 
and clean up the repository
This commit is contained in:
Jan Černý 2023-12-20 09:57:11 +01:00
parent 54a8bbe88a
commit d2b7872b70
3 changed files with 173 additions and 2218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2213
2015.patch
View File

File diff suppressed because it is too large Load Diff

165
openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch Normal file
View File

@ -0,0 +1,165 @@
From f8366b395b977392d724c6cc84c7295590c39ee8 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 7 Nov 2023 20:01:44 +0100
Subject: [PATCH] Fix tests/probes/sysctl_all
The test will now automatically adapt to the list of readable
variables and won't break every time a new root-readable variable
is introduced in kernel.
---
tests/probes/sysctl/test_sysctl_probe_all.sh | 144 +++++++------------
1 file changed, 50 insertions(+), 94 deletions(-)
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index f1834059fb..efaa31b9b1 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -8,98 +8,57 @@ set -e -o pipefail
# non root users
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
-# non root users are not able to access some kernel params, so they get excluded
-SYSCTL_EXCLUDE='
- dev.parport.parport0.autoprobe
- dev.tty.legacy_tiocsti
- fs.protected_hardlinks
- fs.protected_fifos
- fs.protected_regular
- fs.protected_symlinks
- kernel.cad_pid
- kernel.unprivileged_userns_apparmor_policy
- kernel.apparmor_display_secid_mode
- kernel.usermodehelper.bset
- kernel.usermodehelper.inheritable
- net.core.bpf_jit_harden
- net.core.bpf_jit_kallsyms
- net.core.bpf_jit_limit
- net.ipv4.tcp_fastopen_key
- stable_secret
- vm.mmap_rnd_bits
- vm.mmap_rnd_compat_bits
- vm.stat_refresh'
-
-SYSCTL_EXCLUDE_REGEX="$(printf '\|%s' $SYSCTL_EXCLUDE)"
-# strip leading '\|'
-SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX:2}
-
function perform_test {
-probecheck "sysctl" || return 255
-
-name=$(basename $0 .sh)
-
-result=$(mktemp ${name}.res.out.XXXXXX)
-stderr=$(mktemp ${name}.err.out.XXXXXX)
-ourNames=$(mktemp ${name}.our.out.XXXXXX)
-sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
-
-echo "Result file: $result"
-echo "Our names file: $ourNames"
-echo "Sysctl names file: $sysctlNames"
-echo "Errors file: $stderr"
-
-$OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
-
-case $(uname) in
- FreeBSD)
- sysctl -aN 2> /dev/null > "$sysctlNames"
- ;;
- Linux)
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
- # kernel parameters might use "/" and "." separators interchangeably - normalizing
- sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr "/" "." | sort -u > "$sysctlNames"
- ;;
-esac
-
-grep unix-sys:name "$result" | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-
-# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh
-# options from the sysctl output, for more details see
-# https://github.com/OpenSCAP/openscap/issues/1152.
-procps_ver="$(package_version procps-ng procps)"
-
-lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1)
-if [ "$procps_ver" != "$lowest_ver" ]; then
- sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames"
- sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
-fi
-
-if ! grep -q "hugepages" "$ourNames"; then
- sed -i "/^.*hugepages.*$/d" "$sysctlNames"
-fi
-
-echo "Diff (sysctlNames / ourNames): ------"
-diff "$sysctlNames" "$ourNames"
-echo "-------------------------------------"
-
-# remove oscap error message related to permissions from stderr
-sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
-sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
-
-# remove oscap error message related to gibberish binary entries
-# that can't fit into 8K buffer and result in errno 14
-# (for example /proc/sys/kernel/spl/hostid could be the case)
-sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
-sed -i "/^.*hugepages.*$/d" "$stderr"
-
-echo "Errors (without messages related to permissions):"
-cat "$stderr"
-
-[ ! -s $stderr ]
-
-rm $stderr $result $ourNames $sysctlNames
+ probecheck "sysctl" || return 255
+
+ name=$(basename $0 .sh)
+
+ result=$(mktemp ${name}.res.out.XXXXXX)
+ stderr=$(mktemp ${name}.err.out.XXXXXX)
+ ourNames=$(mktemp ${name}.our.out.XXXXXX)
+ sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX)
+
+ echo "Result file: $result"
+ echo "Our names file: $ourNames"
+ echo "Sysctl names file: $sysctlNames"
+ echo "Errors file: $stderr"
+
+ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr
+
+ case $(uname) in
+ FreeBSD)
+ sysctl -aN 2> /dev/null > "$sysctlNames"
+ ;;
+ Linux)
+ # sysctl has duplicities in output
+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
+ # kernel parameters might use "/" and "." separators interchangeably - normalizing
+ sysctl -a --deprecated 2> /dev/null | tr "/" "." | cut -d "=" -f 1 | tr -d " " | sort -u > "$sysctlNames"
+ ;;
+ esac
+
+ grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+
+ # remove oscap error message related to permissions from stderr
+ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr"
+
+ # remove oscap error message related to gibberish binary entries
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
+ sed -i "/^.*hugepages.*$/d" "$stderr"
+
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"
+
+ [ ! -s $stderr ]
+
+ rm $stderr $result $ourNames $sysctlNames
}
perform_test

13
openscap.spec
View File

@ -1,6 +1,6 @@
Name: openscap Name: openscap
Version: 1.3.9 Version: 1.3.9
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -10,10 +10,6 @@ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}
%bcond_without check %bcond_without check
# merged to 1.3.9
# port to PCRE2 (PR#2015), minus CI-specific changes
# Patch0: 2015.patch
# Fedora arched lib directories # Fedora arched lib directories
# https://github.com/OpenSCAP/openscap/pull/2056 # https://github.com/OpenSCAP/openscap/pull/2056
Patch1: openscap-1.3.9-perlpath.patch Patch1: openscap-1.3.9-perlpath.patch
@ -23,6 +19,9 @@ Patch1: openscap-1.3.9-perlpath.patch
# reported in #PR2060, #PR2061, #PR2062 # reported in #PR2060, #PR2061, #PR2062
Patch2: openscap-1.3.9-includes.patch Patch2: openscap-1.3.9-includes.patch
# Fix test test_sysctl_probe_all.sh
Patch3: openscap-1.3.10-fix_sysctl_probe_tests-PR-2050.patch
BuildRequires: make BuildRequires: make
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: gcc BuildRequires: gcc
@ -276,6 +275,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_mandir}/man8/oscap-podman.8* %{_mandir}/man8/oscap-podman.8*
%changelog %changelog
* Wed Dec 20 2023 Jan Černý <jcerny@redhat.com> - 1:1.3.9-3
- Fix test test_sysctl_probe_all.sh
- Clean up the repository
* Thu Nov 23 2023 Michal Ambroz <rebus _AT seznam.cz> - 1:1.3.9-2 * Thu Nov 23 2023 Michal Ambroz <rebus _AT seznam.cz> - 1:1.3.9-2
- adding conditional for apt-devel apt-libs as proposed upstream - adding conditional for apt-devel apt-libs as proposed upstream