Pass OSCAP_BOOTC_BUILD variable to SCE checks

This change will cause that the `OSCAP_BOOTC_BUILD` environment variable will be passed from the external environment to the environment of SCE checks. The outcome is that the `OSCAP_BOOTC_BUILD` environment variable can be used inside SCE checks to differentiate between code that is supposed to run only during building a bootable container image, the code that can't run during building a bootable container image and code that can run in any environment.
OpenSCAP · Dec 17, 2024 · f3a2911 · f3a2911
1 parent b88b330
commit f3a2911
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 1 deletion.
diff --git a/src/SCE/sce_engine.c b/src/SCE/sce_engine.c
@@ -408,8 +408,8 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 	};
 
 	// bound values in KEY=VALUE form, ready to be passed as environment variables
-	char ** env_values = malloc(10 * sizeof(char * ));
 	size_t env_value_count = 10;
+	char **env_values = malloc(env_value_count * sizeof(char *));
 	const size_t index_of_first_env_value_not_compiled_in = 10;
 
 	env_values[0] = "PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin";
@@ -424,6 +424,20 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 	env_values[8] = "XCCDF_RESULT_INFORMATIONAL=108";
 	env_values[9] = "XCCDF_RESULT_FIXED=109";
 
+	char *oscap_bootc_build = getenv("OSCAP_BOOTC_BUILD");
+	if (oscap_bootc_build != NULL) {
+		char *oscap_bootc_build_kvarg = oscap_sprintf("OSCAP_BOOTC_BUILD=%s", oscap_bootc_build);
+		void *new_env_values = realloc(env_values, (env_value_count + 1) * sizeof(char *));
+		if (new_env_values == NULL) {
+			dE("Unable to re-allocate memory");
+			free(oscap_bootc_build_kvarg);
+			return XCCDF_RESULT_ERROR;
+		}
+		env_values = new_env_values;
+		env_values[10] = oscap_bootc_build_kvarg;
+		env_value_count++;
+	}
+
 	while (xccdf_value_binding_iterator_has_more(value_binding_it))
 	{
 		struct xccdf_value_binding* binding = xccdf_value_binding_iterator_next(value_binding_it);

diff --git a/tests/sce/CMakeLists.txt b/tests/sce/CMakeLists.txt
@@ -10,4 +10,5 @@ if(ENABLE_SCE)
 	add_oscap_test("test_sce_in_report.sh")
 	add_oscap_test("test_sce_stdout_stderr.sh")
 	add_oscap_test("test_sce_streams_fill.sh")
+	add_oscap_test("test_sce_oscap_bootc_var.sh")
 endif()
diff --git a/tests/sce/test_sce_oscap_bootc_var.ds.xml b/tests/sce/test_sce_oscap_bootc_var.ds.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" id="scap_org.openscap.www_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3" xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 https://scap.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd">
+  <ds:data-stream id="scap_org.openscap.www_datastream_simple" scap-version="1.3" use-case="OTHER">
+    <ds:checklists>
+      <ds:component-ref id="scap_org.openscap.www_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.openscap.www_comp_test_single_rule.xccdf.xml">
+        <cat:catalog>
+          <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.openscap.www_cref_test_single_rule.oval.xml"/>
+          <cat:uri name="fedora/checks/sce/rule_1.sh" uri="#scap_org.openscap.www_cref_fedora-checks-sce-rule_1.sh"/>
+        </cat:catalog>
+      </ds:component-ref>
+      <ds:component-ref id="scap_org.openscap.www_cref_fedora-checks-sce-rule_1.sh" xlink:href="#scap_org.openscap.www_ecomp_fedora-checks-sce-rule_1.sh"/>
+    </ds:checklists>
+    <ds:checks>
+      <ds:component-ref id="scap_org.openscap.www_cref_test_single_rule.oval.xml" xlink:href="#scap_org.openscap.www_comp_test_single_rule.oval.xml"/>
+    </ds:checks>
+  </ds:data-stream>
+  <ds:component id="scap_org.openscap.www_comp_test_single_rule.oval.xml" timestamp="2021-02-01T08:07:06+01:00">
+    <oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+      <generator>
+        <oval:schema_version>5.11.2</oval:schema_version>
+        <oval:timestamp>2021-02-01T08:07:06+01:00</oval:timestamp>
+      </generator>
+      <definitions>
+        <definition class="compliance" id="oval:org.openscap.www:def:1" version="1">
+          <metadata>
+            <title>OVAL check for rule 1</title>
+            <description>pass</description>
+          </metadata>
+          <criteria>
+            <criterion comment="PASS test" test_ref="oval:org.openscap.www:tst:1"/>
+          </criteria>
+        </definition>
+      </definitions>
+      <tests>
+        <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:org.openscap.www:tst:1" check="all" comment="always pass" version="1">
+          <object object_ref="oval:org.openscap.www:obj:1"/>
+        </variable_test>
+      </tests>
+      <objects>
+        <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:org.openscap.www:obj:1" version="1" comment="x">
+          <var_ref>oval:org.openscap.www:var:1</var_ref>
+        </variable_object>
+      </objects>
+      <variables>
+        <constant_variable id="oval:org.openscap.www:var:1" version="1" comment="x" datatype="int">
+          <value>100</value>
+        </constant_variable>
+      </variables>
+    </oval_definitions>
+  </ds:component>
+  <ds:component id="scap_org.openscap.www_comp_test_single_rule.xccdf.xml" timestamp="2021-02-01T08:07:06+01:00">
+    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.openscap.www_benchmark_test">
+      <status>accepted</status>
+      <version>1.0</version>
+      <Profile id="xccdf_org.openscap.www_profile_common">
+        <title>Common hardening profile</title>
+        <description>This is a very cool profile</description>
+        <select idref="xccdf_org.openscap.www_rule_1" selected="true"/>
+      </Profile>
+      <Rule selected="false" id="xccdf_org.openscap.www_rule_1">
+        <title>Rule 1: Enable Audit Service</title>
+        <check system="http://open-scap.org/page/SCE">
+          <check-import import-name="stdout"/>
+          <check-content-ref href="fedora/checks/sce/rule_1.sh"/>
+        </check>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:org.openscap.www:def:1"/>
+        </check>
+      </Rule>
+    </Benchmark>
+  </ds:component>
+  <ds:extended-component id="scap_org.openscap.www_ecomp_fedora-checks-sce-rule_1.sh" timestamp="2024-10-09T18:03:34">
+    <sce:script>#!/bin/bash
+env
+exit "$XCCDF_RESULT_FAIL"
+</sce:script>
+  </ds:extended-component>
+</ds:data-stream-collection>
diff --git a/tests/sce/test_sce_oscap_bootc_var.sh b/tests/sce/test_sce_oscap_bootc_var.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_var_set () {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    arf=$(mktemp)
+
+    OSCAP_PREFERRED_ENGINE="SCE" OSCAP_BOOTC_BUILD="YES" $OSCAP xccdf eval --verbose INFO --progress --profile common --results-arf "$arf" > "$stdout" 2> "$stderr" "$srcdir/test_sce_oscap_bootc_var.ds.xml" || ret="$?"
+    grep -q "xccdf_org.openscap.www_rule_1:fail" "$stdout"
+    ! grep -q "I: oscap: Evaluating definition 'oval:org.openscap.www:def:1': OVAL check for rule 1." "$stderr"
+    grep -q "I: oscap: Executing SCE check 'fedora/checks/sce/rule_1.sh'" "$stderr"
+    grep -q "OSCAP_BOOTC_BUILD=YES" "$arf"
+    rm -rf "$stdout" "$stderr" "$arf"
+}
+
+function test_var_unset () {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    arf=$(mktemp)
+
+    OSCAP_PREFERRED_ENGINE="SCE" $OSCAP xccdf eval --verbose INFO --progress --profile common --results-arf "$arf" > "$stdout" 2> "$stderr" "$srcdir/test_sce_oscap_bootc_var.ds.xml" || ret="$?"
+    grep -q "xccdf_org.openscap.www_rule_1:fail" "$stdout"
+    ! grep -q "I: oscap: Evaluating definition 'oval:org.openscap.www:def:1': OVAL check for rule 1." "$stderr"
+    grep -q "I: oscap: Executing SCE check 'fedora/checks/sce/rule_1.sh'" "$stderr"
+    ! grep -q "OSCAP_BOOTC_BUILD=YES" "$arf"
+    rm -rf "$stdout" "$stderr" "$arf"
+}
+
+test_var_set
+test_var_unset