From ca84abcb8c6ec2980f894a4bd31046d0054a68b1 Mon Sep 17 00:00:00 2001
From: Miha Purg <miha.purg@canonical.com>
Date: Fri, 10 Jan 2025 15:29:54 +0100
Subject: [PATCH] Fix architecture applicability

Architecture applicability conditionals were matching
checking only in /proc/sys/kernel/osrelease which
doesn't contain the architecture on Ubuntu.

Added /proc/sys/kernel/arch to the checks and refactored
the OVALs to a Jinja macro.
---
 shared/applicability/aarch64_arch.yml         |  2 +-
 shared/applicability/not_aarch64_arch.yml     |  2 +-
 shared/applicability/not_s390x_arch.yml       |  2 +-
 ...proc_sys_kernel_osrelease_arch_aarch64.xml | 34 +-----------------
 ...proc_sys_kernel_osrelease_arch_ppc64le.xml | 34 +-----------------
 .../proc_sys_kernel_osrelease_arch_s390x.xml  | 34 +-----------------
 .../proc_sys_kernel_osrelease_arch_x86_64.xml | 34 +-----------------
 shared/applicability/ppc64le_arch.yml         |  2 +-
 shared/applicability/s390x_arch.yml           |  2 +-
 shared/applicability/x86_64_arch.yml          |  2 +-
 shared/macros/10-oval.jinja                   | 36 +++++++++++++++++++
 11 files changed, 46 insertions(+), 138 deletions(-)

diff --git a/shared/applicability/aarch64_arch.yml b/shared/applicability/aarch64_arch.yml
index 8ba95fee3b2..9880fcf6dae 100644
--- a/shared/applicability/aarch64_arch.yml
+++ b/shared/applicability/aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:aarch64_arch
 title: System architecture is AARCH64
 check_id: proc_sys_kernel_osrelease_arch_aarch64
-bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "aarch64"'
diff --git a/shared/applicability/not_aarch64_arch.yml b/shared/applicability/not_aarch64_arch.yml
index 8ed261adbf1..0c88bd9c0aa 100644
--- a/shared/applicability/not_aarch64_arch.yml
+++ b/shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_aarch64_arch
 title: System architecture is not AARCH64
 check_id: proc_sys_kernel_osrelease_arch_not_aarch64
-bash_conditional: '! grep -q aarch64 /proc/sys/kernel/osrelease'
+bash_conditional: '! grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture != "aarch64"'
diff --git a/shared/applicability/not_s390x_arch.yml b/shared/applicability/not_s390x_arch.yml
index f3257510a39..c21e1e99c30 100644
--- a/shared/applicability/not_s390x_arch.yml
+++ b/shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_s390x_arch
 title: System architecture is not S390X
 check_id: proc_sys_kernel_osrelease_arch_not_s390x
-bash_conditional: '! grep -q s390x /proc/sys/kernel/osrelease'
+bash_conditional: '! grep -q s390x /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture != "s390x"'
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
index 3d54f81e6d4..f55448d5532 100644
--- a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
+++ b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_aarch64"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is aarch64</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is aarch64"
-      test_ref="test_proc_sys_kernel_osrelease_arch_aarch64" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for aarch64 architecture"
-      id="test_proc_sys_kernel_osrelease_arch_aarch64"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_aarch64" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_aarch64" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_aarch64" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_aarch64" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("aarch64") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
index 058de0db5e7..e9a71cbd869 100644
--- a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
+++ b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_ppc64le"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is ppc64le</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is ppc64le"
-      test_ref="test_proc_sys_kernel_osrelease_arch_ppc64le" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for ppc64le architecture"
-      id="test_proc_sys_kernel_osrelease_arch_ppc64le"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_ppc64le" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_ppc64le" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("ppc64le") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml
index 7f416de6475..ae9087bf4bb 100644
--- a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+++ b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is s390x</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is s390x"
-      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for s390x architecture"
-      id="test_proc_sys_kernel_osrelease_arch_s390x"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("s390x") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml
index 8ebbc9b84a6..bc60ef869df 100644
--- a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml
+++ b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_x86_64"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is x86_64</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is x86_64</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is x86_64"
-      test_ref="test_proc_sys_kernel_osrelease_arch_x86_64" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for x86_64 architecture"
-      id="test_proc_sys_kernel_osrelease_arch_x86_64"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_x86_64" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_x86_64" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_x86_64" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_x86_64" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^x86_64$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("x86_64") }}}
diff --git a/shared/applicability/ppc64le_arch.yml b/shared/applicability/ppc64le_arch.yml
index 40aa30dfff8..c8c76e4ef0c 100644
--- a/shared/applicability/ppc64le_arch.yml
+++ b/shared/applicability/ppc64le_arch.yml
@@ -1,5 +1,5 @@
 name: "cpe:/a:ppc64le_arch"
 title: "System architecture is ppc64le"
 check_id: proc_sys_kernel_osrelease_arch_ppc64le
-bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q ppc64le /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "ppc64le"'
diff --git a/shared/applicability/s390x_arch.yml b/shared/applicability/s390x_arch.yml
index 34fe148267f..5db3ff4157b 100644
--- a/shared/applicability/s390x_arch.yml
+++ b/shared/applicability/s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:s390x_arch
 title: System architecture is S390X
 check_id: proc_sys_kernel_osrelease_arch_s390x
-bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q s390x /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "s390x"'
diff --git a/shared/applicability/x86_64_arch.yml b/shared/applicability/x86_64_arch.yml
index 6d8a2424250..1a0652aa250 100644
--- a/shared/applicability/x86_64_arch.yml
+++ b/shared/applicability/x86_64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:x86_64_arch
 title: System architecture is x86_64
 check_id: proc_sys_kernel_osrelease_arch_x86_64
-bash_conditional: 'grep -q x86_64 /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q x86_64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "x86_64"'
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 4570f252ec5..0fd0f07bf94 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -1724,3 +1724,39 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL
   <ind:subexpression operation="pattern match">altfiles</ind:subexpression>
 </ind:textfilecontent54_state>
 {{%- endmacro -%}}
+
+{{#
+  Macro for checking the system architecture in /proc/sys/kernel/{osrelease,arch}
+
+  :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...)
+#}}
+{{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}}
+<def-group>
+  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_{{{ arch }}}"
+  version="1">
+    <metadata>
+      <title>Test that the architecture is {{{ arch }}}</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that architecture of kernel in /proc/sys/kernel is {{{ arch }}}</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Architecture is {{{ arch }}}"
+      test_ref="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+      comment="proc_sys_kernel is for {{{ arch }}} architecture"
+      id="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+    <ind:filepath operation="pattern match">/proc/sys/kernel/(osrelease|arch)</ind:filepath>
+    <ind:pattern operation="pattern match">^.*\.{{{ arch }}}$|^{{{ arch }}}$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
+{{%- endmacro -%}}