
From 4a4c12bf3058079bc2336db9e7330aa869b0753f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 31 Oct 2019 16:00:52 +0100
Subject: [PATCH 1/2] Use only first occurence from /etc/mtab
The mount options of the first entry will be used.  If there are
multiple lines in `/etc/mtab` that match the same mount point, the
variable `_previous_mount_opts` contained newline characters. These
newlines were propagated to `/etc/fstab`. As a result, an invalid entry
in /etc/fstab was created, the `mount` command was not successful and
the oscap scan after remediation returned false.
---
 .../include_mount_options_functions.sh                          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
index 392367dc05..7e81e8c711 100644
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -27,7 +27,7 @@ function ensure_mount_option_in_fstab {
 
 	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
 		# runtime opts without some automatic kernel/userspace-added defaults
-		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \
+		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
 					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
 		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
 		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
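Review bot: `head -1` on the new line keeps the oldest matching mtab entry, but /etc/mtab is typically a symlink to /proc/self/mounts (the second patch even removes that symlink to set up its scenario), where entries are listed in mount order and a later mount of the same mount point shadows the earlier one, so the options currently in effect are on the last matching line; `tail -n 1` would capture those, and the description's "first entry" wording would then need to change to match. Because this value is persisted into /etc/fstab as the mount options, taking the shadowed entry can silently drop or reintroduce options that differ between the two mounts. A comment on the line such as `# several mtab lines may match the same mount point; keep a single line so no newline reaches the fstab entry` would record why the filter exists. The double space in `head -1 |  awk` is a stray formatting nit. ensure_mount_option_in_fstab begins before this hunk and continues after it.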
From 0a7f149efed656fe61ab3e873055fd630054f5f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Nov 2019 14:50:42 +0100
Subject: [PATCH 2/2] Add test scenario for multiple entries in mtab
---
 .../tests/multiple_entries_in_mtab.fail.sh               | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
new file mode 100644
index 0000000000..dd56f9bb6c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat /etc/mtab > /etc/mtab.old
+# destroy symlink
+rm -f /etc/mtab
+cp /etc/mtab.old /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab
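Review bot: The two appended /etc/mtab lines on the last two lines of the file are identical, so the scenario shows that a duplicate match no longer puts a newline into the fstab entry but cannot tell whether the remediation took the first or the last matching line; giving the second line a different option list and checking which options end up in /etc/fstab would pin that behaviour down. The script also has no `set -e`, so if the `cat` or the `cp` fails the later `rm -f` and appends leave /etc/mtab missing or truncated and the scan result becomes hard to interpret; `set -e` after the shebang, or `|| exit 1` on those commands, makes a setup failure visible. The copy in `/etc/mtab.old` is never restored, which is presumably fine for a throwaway test machine but is worth a one-line comment next to `# destroy symlink` saying so.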