diff --git a/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch b/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
new file mode 100644
index 0000000..77d8b01
--- /dev/null
+++ b/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
@@ -0,0 +1,94 @@
+diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
+index 82356d5e0..983675098 100644
+--- a/src/OVAL/probes/fsdev.c
++++ b/src/OVAL/probes/fsdev.c
+@@ -62,6 +62,7 @@
+ #endif
+ 
+ #include "fsdev.h"
++#include "common/util.h"
+ 
+ /**
+ * Compare two dev_t variables.
+@@ -79,10 +80,6 @@ static int fsdev_cmp(const void *a, const void *b)
+ #if defined(OS_LINUX)
+ static int is_local_fs(struct mntent *ment)
+ {
+-// todo: would it be usefull to provide the choice during build-time?
+-#if 1
+- char *s;
+-
+ /*
+ * When type of the filesystem is autofs, it means the mtab entry
+ * describes the autofs configuration, which means ment->mnt_fsname
+@@ -97,37 +94,42 @@ static int is_local_fs(struct mntent *ment)
+ return 0;
+ }
+ 
+- if (ment->mnt_fsname == NULL) {
+- return 0;
+- }
+-
+- s = ment->mnt_fsname;
+- /* If the fsname begins with "//", it is probably CIFS. */
+- if (s[0] == '/' && s[1] == '/')
+- return 0;
+-
+- /* If there's a ':' in the fsname and it occurs before any
+- * '/', then this is probably NFS and the file system is
+- * considered "remote".
++ /*
++ * The following code is inspired by systemd, function fstype_is_network:
++ * https://github.com/systemd/systemd/blob/21fd6bc263f49b57867d90d2e1f9f255e5509134/src/basic/mountpoint-util.c#L290
+ */
+- s = strpbrk(s, "/:");
+- if (s && *s == ':')
+- return 0;
+ 
++ const char *fstype = ment->mnt_type;
++ if (oscap_str_startswith(fstype, "fuse.")) {
++ fstype += strlen("fuse.");
++ }
++ const char *network_fs[] = {
++ "afs",
++ "ceph",
++ "cifs",
++ "smb3",
++ "smbfs",
++ "sshfs",
++ "ncpfs",
++ "ncp",
++ "nfs",
++ "nfs4",
++ "gfs",
++ "gfs2",
++ "glusterfs",
++ "gpfs",
++ "pvfs2", /* OrangeFS */
++ "ocfs2",
++ "lustre",
++ "davfs",
++ NULL
++ };
++ for (int i = 0; network_fs[i]; i++) {
++ if (!strcmp(network_fs[i], fstype)) {
++ return 0;
++ }
++ }
+ return 1;
+-#else
+- struct stat st;
+-
+- /* If the file system is not backed-up by a real file, it is
+- considered remote. A notable exception is "tmpfs" to allow
+- traversal of /tmp et al. */
+- if (strcmp(ment->mnt_fsname, "tmpfs") != 0
+- && (stat(ment->mnt_fsname, &st) != 0
+- || !(S_ISBLK(st.st_mode))))
+- return 0;
+- else
+- return 1;
+-#endif
+ }
+ 
+ #elif defined(OS_AIX)
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 6836de2..2536e77 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,6 +1,6 @@
 Name: openscap
 Version: 1.3.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
@@ -12,6 +12,7 @@ Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch
 Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch
 Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch
 Patch6: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
+Patch7: openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
@@ -138,6 +139,7 @@ for developing applications that use %{name}-engine-sce.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 mkdir build
 %build
@@ -225,6 +227,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Wed Aug 19 2020 Jan Černý - 1.3.3-5
+- Detect remote file systems correctly (RHBZ#1870087)
+
 * Mon Aug 03 2020 Jan Černý - 1.3.3-4
 - Fix memory leaks in rpmverifyfile probe (RHBZ#1861301)
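Review bot: The new type lookup in is_local_fs() fails open: any mount whose `mnt_type` is not in `network_fs[]` falls through to `return 1` and is treated as local, and the removed `mnt_fsname` heuristics (`//` prefix, `:` before the first `/`) no longer act as a fallback, so a network file system type missing from this snapshot of systemd's list would presumably be scanned as if it were local. I would state that next to the table, e.g. `/* Snapshot of systemd's fstype_is_network list; types not listed here are treated as local. Keep in sync. */`, so the limitation is visible to whoever maintains the list. The table could also be declared `static const char *const network_fs[]` so it is not rebuilt on every call. `fstype` reaches `oscap_str_startswith()` and `strcmp()` without a NULL check, whereas the old code guarded `mnt_fsname`; the autofs test sits above this inner hunk and is only partly visible, so whether `mnt_type` is already dereferenced there should be confirmed.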