From 4a4c12bf3058079bc2336db9e7330aa869b0753f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 31 Oct 2019 16:00:52 +0100
Subject: [PATCH 1/2] Use only first occurence from /etc/mtab
The mount options of the first entry will be used. If there are
multiple lines in `/etc/mtab` that match the same mount point, the
variable `_previous_mount_opts` contained newline characters. These
newlines were propagated to `/etc/fstab`. As a result, an invalid entry
in /etc/fstab was created, `mount` command hasn't been successful and
the oscap scan after remediation returned false.
---
.../include_mount_options_functions.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
index 392367dc05..7e81e8c711 100644
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -27,7 +27,7 @@ function ensure_mount_option_in_fstab {
if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
# runtime opts without some automatic kernel/userspace-added defaults
- _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \
+ _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
From 0a7f149efed656fe61ab3e873055fd630054f5f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Nov 2019 14:50:42 +0100
Subject: [PATCH 2/2] Add test scenario for multiple entries in mtab
---
.../tests/multiple_entries_in_mtab.fail.sh | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
new file mode 100644
index 0000000000..dd56f9bb6c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat /etc/mtab > /etc/mtab.old
+# destroy symlink
+rm -f /etc/mtab
+cp /etc/mtab.old /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab