diff --git a/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch b/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch
new file mode 100644
index 0000000..00f7d80
--- /dev/null
+++ b/SOURCES/openscap-1.2.17-use-chroot-for-rpm-probes.patch
@@ -0,0 +1,68 @@
+From 2e15ace4f3fe4b7e5e5b3829ddcd2d13f2743544 Mon Sep 17 00:00:00 2001
+From: Martin Preisler
+Date: Wed, 18 Apr 2018 11:55:40 -0400
+Subject: [PATCH] Force the CHROOT offline mode for RPM related probes
+
+librpm doesn't fully support the rpmtsSetRootDir, we can't rely on it.
+---
+ src/OVAL/probes/unix/linux/rpminfo.c | 2 +-
+ src/OVAL/probes/unix/linux/rpmverify.c | 2 +-
+ src/OVAL/probes/unix/linux/rpmverifyfile.c | 2 +-
+ src/OVAL/probes/unix/linux/rpmverifypackage.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c
+index 77759b047..8f52f020c 100644
+--- a/src/OVAL/probes/unix/linux/rpminfo.c
++++ b/src/OVAL/probes/unix/linux/rpminfo.c
+@@ -269,7 +269,7 @@ void probe_preload ()
+
+ void probe_offline_mode ()
+ {
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN|PROBE_OFFLINE_RPMDB);
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT|PROBE_OFFLINE_RPMDB);
+ }
+
+ void *probe_init (void)
+diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c
+index 1a9aca01a..b1a9eaf05 100644
+--- a/src/OVAL/probes/unix/linux/rpmverify.c
++++ b/src/OVAL/probes/unix/linux/rpmverify.c
+@@ -226,7 +226,7 @@ void probe_preload ()
+
+ void probe_offline_mode ()
+ {
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN);
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT);
+ }
+
+ void *probe_init (void)
+diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c
+index 877653b84..cbcb85fc0 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c
++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c
+@@ -311,7 +311,7 @@ void probe_preload ()
+
+ void probe_offline_mode ()
+ {
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN);
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, 
PROBE_OFFLINE_CHROOT);
+ }
+
+ void *probe_init (void)
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c
+index 3c0dd5003..2a110ef5a 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c
+@@ -312,7 +312,7 @@ ret:
+
+ void probe_offline_mode ()
+ {
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN);
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT);
+ }
+
+ void *probe_init (void)
+--
+2.14.3
+
diff --git a/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch b/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch
new file mode 100644
index 0000000..67caa76
--- /dev/null
+++ b/SOURCES/openscap-1.2.17-use-chroot-for-textfilecontent.patch
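Review bot: None of the four new `probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT…)` lines says why OWN mode was dropped; the rationale lives only in the commit message, so a later reader has nothing in the source to stop them switching it back. I would put `/* CHROOT, not OWN: librpm's rpmtsSetRootDir() cannot be relied on to redirect the rpmdb to a foreign root, so the probe must chroot(2) into the offline root instead */` above each call, and in rpminfo.c additionally note that `PROBE_OFFLINE_RPMDB` is deliberately kept ORed in. The cost of the switch also deserves a sentence, hedged because the framework side is not in this diff: chroot(2) needs CAP_SYS_CHROOT, so an offline scan that uses these probes presumably now has to run as root where OWN mode could work unprivileged, and once chrooted librpm reads its configuration, macros and database from the scanned tree, i.e. from data controlled by whoever produced the image. Each `probe_offline_mode()` body is fully inside its hunk; `probe_init` appears only as trailing context.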
@@ -0,0 +1,120 @@
+From ff8e3a420f294339317f7d8d0e16f04a03511269 Mon Sep 17 00:00:00 2001
+From: Martin Preisler
+Date: Wed, 18 Apr 2018 12:02:46 -0400
+Subject: [PATCH] Revert "Enables offline scan without chroot in
+ textfilecontent and textfilecontent54 probes"
+
+This reverts commit 908d002c68e43a3d3c3bede128c535fbee815a10.
+---
+ src/OVAL/probes/independent/textfilecontent.c | 20 ++------------------
+ src/OVAL/probes/independent/textfilecontent54.c | 21 ++------------------
+ 2 files changed, 4 insertions(+), 37 deletions(-)
+
+diff --git a/src/OVAL/probes/independent/textfilecontent.c b/src/OVAL/probes/independent/textfilecontent.c
+index 2edba7a9b..961cd98cb 100644
+--- a/src/OVAL/probes/independent/textfilecontent.c
++++ b/src/OVAL/probes/independent/textfilecontent.c
+@@ -327,13 +327,9 @@ static int process_file(const char *path, const char *filename, void *arg)
+ return ret;
+ }
+
+-void probe_offline_mode ()
+-{
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN);
+-}
+-
+ void *probe_init(void)
+ {
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT);
+ return NULL;
+ }
+
+@@ -341,8 +337,6 @@ int probe_main(probe_ctx *ctx, void *arg)
+ {
+ SEXP_t *path_ent, *filename_ent, *line_ent, *behaviors_ent, *filepath_ent, *probe_in;
+ char *pattern;
+- char path_with_root[PATH_MAX + 1];
+- unsigned int root_len = 0;
+
+ OVAL_FTS *ofts;
+ OVAL_FTSENT *ofts_ent;
+@@ -389,22 +383,12 @@ int probe_main(probe_ctx *ctx, void *arg)
+ pfd.filename_ent = filename_ent;
+ pfd.ctx = ctx;
+
+- path_with_root[PATH_MAX] = '\0';
+- if (OSCAP_GSYM(offline_mode) & PROBE_OFFLINE_OWN) {
+- strncpy(path_with_root, getenv("OSCAP_PROBE_ROOT"), PATH_MAX);
+- root_len = strlen(path_with_root);
+-
+- if (path_with_root[root_len - 1] == FILE_SEPARATOR)
+- --root_len;
+- }
+-
+ if ((ofts = oval_fts_open(path_ent, filename_ent, filepath_ent, behaviors_ent, probe_ctx_getresult(ctx))) != NULL) {
+ while ((ofts_ent = oval_fts_read(ofts)) != NULL) {
+ if 
(ofts_ent->fts_info == FTS_F
+ || ofts_ent->fts_info == FTS_SL) {
+- strncpy(path_with_root + root_len, ofts_ent->path, PATH_MAX - root_len);
+ // todo: handle return code
+- process_file(path_with_root, ofts_ent->file, &pfd);
++ process_file(ofts_ent->path, ofts_ent->file, &pfd);
+ }
+ oval_ftsent_free(ofts_ent);
+ }
+diff --git a/src/OVAL/probes/independent/textfilecontent54.c b/src/OVAL/probes/independent/textfilecontent54.c
+index 1f76ee4e9..ecff6057b 100644
+--- a/src/OVAL/probes/independent/textfilecontent54.c
++++ b/src/OVAL/probes/independent/textfilecontent54.c
+@@ -347,13 +347,9 @@ static int process_file(const char *path, const char *file, void *arg)
+ return ret;
+ }
+
+-void probe_offline_mode ()
+-{
+- probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_OWN);
+-}
+-
+ void *probe_init(void)
+ {
++ probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT);
+ return NULL;
+ }
+
+@@ -375,8 +371,6 @@ int probe_main(probe_ctx *ctx, void *arg)
+ #endif
+ OVAL_FTS *ofts;
+ OVAL_FTSENT *ofts_ent;
+- char path_with_root[PATH_MAX + 1];
+- unsigned int root_len = 0;
+
+ (void)arg;
+
+@@ -504,23 +498,12 @@ int probe_main(probe_ctx *ctx, void *arg)
+ goto cleanup;
+ }
+ #endif
+-
+- path_with_root[PATH_MAX] = '\0';
+- if (OSCAP_GSYM(offline_mode) & PROBE_OFFLINE_OWN) {
+- strncpy(path_with_root, getenv("OSCAP_PROBE_ROOT"), PATH_MAX);
+- root_len = strlen(path_with_root);
+-
+- if (path_with_root[root_len - 1] == FILE_SEPARATOR)
+- --root_len;
+- }
+-
+ if ((ofts = oval_fts_open(path_ent, file_ent, filepath_ent, bh_ent, probe_ctx_getresult(ctx))) != NULL) {
+ while ((ofts_ent = oval_fts_read(ofts)) != NULL) {
+ if (ofts_ent->fts_info == FTS_F
+ || ofts_ent->fts_info == FTS_SL) {
+- strncpy(path_with_root + root_len, ofts_ent->path, PATH_MAX - root_len);
+ // todo: handle return code
+- process_file(path_with_root, ofts_ent->file, &pfd);
++ process_file(ofts_ent->path, ofts_ent->file, &pfd);
+ }
+ oval_ftsent_free(ofts_ent);
+ }
+--
+2.14.3
+
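Review bot: The new `probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, PROBE_OFFLINE_CHROOT);` is issued from `probe_init()` in both textfilecontent.c and textfilecontent54.c, whereas the rpm probes patched alongside this one declare their mode from a dedicated `probe_offline_mode()` hook, which is exactly the hook this revert deletes. Whether the probe runner consults this option before or after `probe_init()` is not visible in the diff; since this restores the pre-908d002 layout it presumably works, but it is worth confirming that a setting made in `probe_init()` is honoured when the chroot decision is taken and, if both placements work, settling on one convention so the two patches do not teach opposite idioms. Separately, the retained `// todo: handle return code` still applies to the changed `process_file(ofts_ent->path, ofts_ent->file, &pfd);` call in both files: a file that cannot be opened or read inside the chroot is skipped without a trace, which for a compliance probe is the wrong way to fail silently, so I would at least check the result and emit a probe-level warning before continuing the loop. `probe_main` begins before and ends after the hunks that touch it.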
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index ff28bb1..ea87688 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -6,7 +6,7 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \
 Name: openscap
 Version: 1.2.16
-Release: 6%{?dist}
+Release: 8%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
@@ -16,6 +16,8 @@ Patch0: openscap-1.2.17-updated-bash-completion.patch
 Patch1: openscap-1.2.17-align-bash-role-header-with-help.patch
 Patch2: openscap-1.2.17-revert-warnings-by-default.patch
 Patch3: openscap-1.2.17-oscap-docker-cleanup-temp-image.patch
+Patch4: openscap-1.2.17-use-chroot-for-textfilecontent.patch
+Patch5: openscap-1.2.17-use-chroot-for-rpm-probes.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser
 BuildRequires: rpm-devel
@@ -134,6 +136,8 @@ Tool for scanning Atomic containers.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %build
 %ifarch sparc64
@@ -285,6 +289,12 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Thu Apr 19 2018 Martin Preisler - 1.2.16-8
+- Use the chroot mode for rpm probes (#1556988)
+
+* Wed Apr 18 2018 Martin Preisler - 1.2.16-7
+- Use the chroot mode for textfilecontent (#1547107)
+
 * Tue Feb 06 2018 Watson Yuuma Sato - 1.2.16-6
 - Cleanup temporary images created by oscap-docker (#1454637)