Pass OSCAP_BOOTC_BUILD to remediations

Starting with this commit, the OSCAP_BOOTC_BUILD environment variable will be passed down to the bash remediation. If this environment variable is set in the caller environment, the Bash remediations will be able to access it and read its value. This will be useful because the bash remediations will be able to contain a condition depending on this variable. Using this feature we can influence the behavior of our Bash remediations in the process of building bootable container images. The `oscap-bootc` utility will export the `OSCAP_BOOTC_BUILD` environment variable and the Bash remeditions will check this variable and for example they will not start systemd services. This commit also adds a small test.
OpenSCAP · Oct 22, 2024 · 66468fd · 66468fd
1 parent 97d8831
commit 66468fd
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 3 deletions.
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -445,9 +445,9 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 
 	int fork_result = fork();
 	if (fork_result >= 0) {
-		/* fork succeded */
+		/* fork succeeded */
 		if (fork_result == 0) {
-			/* Execute fix and forward output to the parrent. */
+			/* Execute fix and forward output to the parent. */
 			close(pipefd[0]);
 			dup2(pipefd[1], fileno(stdout));
 			dup2(pipefd[1], fileno(stderr));
@@ -459,8 +459,14 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 				NULL
 			};
 
-			char *const envp[2] = {
+			char *oscap_bootc_build = getenv("OSCAP_BOOTC_BUILD");
+			char *oscap_bootc_build_kvarg = NULL;
+			if (oscap_bootc_build != NULL) {
+				oscap_bootc_build_kvarg = oscap_sprintf("OSCAP_BOOTC_BUILD=%s", oscap_bootc_build);
+			}
+			char *const envp[3] = {
 				"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
+				oscap_bootc_build_kvarg,
 				NULL
 			};
 

diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -110,3 +110,4 @@ add_oscap_test("test_skip_rule.sh")
 add_oscap_test("test_no_newline_between_select_elements.sh")
 add_oscap_test("test_single_line_tailoring.sh")
 add_oscap_test("test_reference.sh")
+add_oscap_test("test_oscap_bootc_pass_down.sh")
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.2">
+  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.2" use-case="OTHER">
+    <ds:checklists>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml">
+        <cat:catalog>
+          <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/>
+        </cat:catalog>
+      </ds:component-ref>
+    </ds:checklists>
+    <ds:checks>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/>
+    </ds:checks>
+  </ds:data-stream>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38">
+    <oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+      <generator>
+        <oval:schema_version>5.11.1</oval:schema_version>
+        <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp>
+      </generator>
+      <definitions>
+        <definition class="compliance" id="oval:x:def:1" version="1">
+          <metadata>
+            <title>FAIL</title>
+            <description>fail</description>
+          </metadata>
+          <criteria>
+            <criterion comment="PASS test" test_ref="oval:x:tst:1" negate="true"/>
+          </criteria>
+        </definition>
+      </definitions>
+      <tests>
+        <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
+          <object object_ref="oval:x:obj:1"/>
+        </variable_test>
+      </tests>
+      <objects>
+        <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
+          <var_ref>oval:x:var:1</var_ref>
+        </variable_object>
+      </objects>
+      <variables>
+        <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+          <value>100</value>
+        </constant_variable>
+      </variables>
+    </oval_definitions>
+  </ds:component>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45">
+    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+      <status>accepted</status>
+      <version>1.0</version>
+      <Rule selected="true" id="xccdf_com.example.www_rule_test-fail">
+        <title>This rule always fails</title>
+        <fix id="bash_remediation" system="urn:xccdf:fix:script:sh">
+          if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+            printf "WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"
+          fi
+        </fix>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+    </Benchmark>
+  </ds:component>
+</ds:data-stream-collection>
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_pass_env_var_down() {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    result=$(mktemp)
+
+    OSCAP_BOOTC_BUILD=YES $OSCAP xccdf eval --remediate --results "$result" "$srcdir/test_oscap_bootc_pass_down.ds.xml" > "$stdout" 2> "$stderr" || ret=$?
+    assert_exists 1 '//rule-result/message[text()="WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"]'
+
+    rm -rf "$stdout" "$stderr" "$result"
+}
+
+function test_no_env_var() {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    result=$(mktemp)
+
+    $OSCAP xccdf eval --remediate --results "$result" "$srcdir/test_oscap_bootc_pass_down.ds.xml" > "$stdout" 2> "$stderr" || ret=$?
+    assert_exists 0 '//rule-result/message[text()="WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"]'
+
+    rm -rf "$stdout" "$stderr" "$result"
+}
+
+
+test_pass_env_var_down
+test_no_env_var