From 94934207b34978f92ab2f7b7cc0e8a73508c8266 Mon Sep 17 00:00:00 2001 From: Evgeny Kolesnikov Date: Thu, 17 Apr 2025 14:02:55 +0200 Subject: [PATCH] Inherit opscap environment when executing Bash remediations with --remediate Make the Bash remediation environment consistent with other types of remediation. --- src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 ++----- tests/API/XCCDF/unittests/CMakeLists.txt | 1 + .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++ .../test_remediation_environment.xccdf.xml | 16 ++++++++++++++ 4 files changed, 40 insertions(+), 6 deletions(-) create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c index d99f6d49de..842ef2df9d 100644 --- a/src/XCCDF_POLICY/xccdf_policy_remediate.c +++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c @@ -464,12 +464,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_ NULL }; - char *const envp[2] = { - "PATH=/bin:/sbin:/usr/bin:/usr/sbin", - NULL - }; - - execve(interpret, argvp, envp); + // We are inheriting openscap environment + execve(interpret, argvp, environ); /* Wow, execve returned. In this special case, we failed to execute the fix * and we return 0 from function. At least the following error message will * indicate the problem in xccdf:message. */ diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt index 164b795e0e..ef835e3506 100644 --- a/tests/API/XCCDF/unittests/CMakeLists.txt +++ b/tests/API/XCCDF/unittests/CMakeLists.txt 
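Review bot: The new `execve(interpret, argvp, environ);` relies on `environ`, but the hunk adds no declaration for it; unless the file already carries `extern char **environ;` (or defines `_GNU_SOURCE` before including `<unistd.h>`), a strict POSIX build fails on an undeclared identifier, so add `extern char **environ;` at file scope if it is missing. Replacing the fixed `PATH=/bin:/sbin:/usr/bin:/usr/sbin` allowlist with the caller's whole environment is the stated intent, but the one-line comment should record the consequence so nobody reintroduces the allowlist by accident: `/* Inherit oscap's full environment, as the other fix types do: the fix script sees every variable the caller exported, and resolves commands through the caller's PATH rather than a sanitized one. */`. Because oscap remediation usually runs with elevated privileges, the PATH and any secrets present in the invoking environment now reach the fix script, which is worth a sentence in the user-facing documentation of `--remediate`. `_xccdf_fix_execute` starts before this hunk and continues after it.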
@@ -92,6 +92,7 @@ add_oscap_test("test_remediation_cdata.sh")
 add_oscap_test("test_remediation_subs_unresolved.sh")
 add_oscap_test("test_remediation_fix_without_system.sh")
 add_oscap_test("test_remediation_invalid_characters.sh")
+add_oscap_test("test_remediation_environment.sh")
 add_oscap_test("test_remediate_simple.sh")
 add_oscap_test("test_remediate_perl.sh")
 add_oscap_test("test_report_check_with_empty_selector.sh")
diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
new file mode 100755
index 0000000000..1f5fd0afbf
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+name=$(basename $0 .sh)
+result=$(mktemp -t ${name}.out.XXXXXX)
+
+rm -f remediation.env
+
+CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
+export CANARY_EXPORTED
+CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
+
+grep -q "${PATH}" remediation.env || die "PATH not found"
+grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
+grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
+
+rm -f remediation.env
+rm $result
diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
new file mode 100644
index 0000000000..0875b6c241
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
@@ -0,0 +1,16 @@ + + accepted + 1.0 + + Write some environment variables + + echo "PATH=${PATH}" > remediation.env + echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env + echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env + + + + + +
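Review bot: `grep -q "${PATH}" remediation.env` feeds the PATH value to grep as a basic regular expression and matches it anywhere in the file, so a PATH containing `.`, `*` or `[` is matched loosely or breaks the pattern, and the `PATH=` key is never checked; a fixed-string match on the written line, `grep -qF -- "PATH=${PATH}" remediation.env || die "PATH not found"`, tests exactly what the fix script wrote. The two CANARY checks would be clearer with the same `-qF -- "CANARY_EXPORTED=CANARY_EXPORTED_VALUE"` form so the key and value are verified together. The temporary file in `$result` is created and removed but never written; redirecting the oscap invocation into it (`> "$result" 2>&1`) keeps its output available when one of the greps fails, otherwise both `result` lines can go. `remediation.env` is written by the fix and read here relative to the current working directory, which the script never sets, so the test silently depends on the harness giving each test its own directory.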