From 66468fdb682307066461332ed0a754f3275f141c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 22 Oct 2024 10:06:13 +0200
Subject: [PATCH] Pass OSCAP_BOOTC_BUILD to remediations

Starting with this commit, the OSCAP_BOOTC_BUILD environment variable
will be passed down to the bash remediation. If this environment
variable is set in the caller environment, the Bash remediations will be
able to access it and read its value. This will be useful because the
bash remediations will be able to contain a condition depending on this
variable. Using this feature we can influence the behavior of our Bash
remediations in the process of building bootable container images. The
`oscap-bootc` utility will export the `OSCAP_BOOTC_BUILD` environment
variable and the Bash remeditions will check this variable and for
example they will not start systemd services.

This commit also adds a small test.
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c     | 12 +++-
 tests/API/XCCDF/unittests/CMakeLists.txt      |  1 +
 .../test_oscap_bootc_pass_down.ds.xml         | 66 +++++++++++++++++++
 .../unittests/test_oscap_bootc_pass_down.sh   | 31 +++++++++
 4 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml
 create mode 100755 tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 8c2aaf98c9..bf5a51f509 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -445,9 +445,9 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 
 	int fork_result = fork();
 	if (fork_result >= 0) {
-		/* fork succeded */
+		/* fork succeeded */
 		if (fork_result == 0) {
-			/* Execute fix and forward output to the parrent. */
+			/* Execute fix and forward output to the parent. */
 			close(pipefd[0]);
 			dup2(pipefd[1], fileno(stdout));
 			dup2(pipefd[1], fileno(stderr));
@@ -459,8 +459,14 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 				NULL
 			};
 
-			char *const envp[2] = {
+			char *oscap_bootc_build = getenv("OSCAP_BOOTC_BUILD");
+			char *oscap_bootc_build_kvarg = NULL;
+			if (oscap_bootc_build != NULL) {
+				oscap_bootc_build_kvarg = oscap_sprintf("OSCAP_BOOTC_BUILD=%s", oscap_bootc_build);
+			}
+			char *const envp[3] = {
 				"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
+				oscap_bootc_build_kvarg,
 				NULL
 			};
 
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
index 7a9b3b452c..865f5c18ae 100644
--- a/tests/API/XCCDF/unittests/CMakeLists.txt
+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -110,3 +110,4 @@ add_oscap_test("test_skip_rule.sh")
 add_oscap_test("test_no_newline_between_select_elements.sh")
 add_oscap_test("test_single_line_tailoring.sh")
 add_oscap_test("test_reference.sh")
+add_oscap_test("test_oscap_bootc_pass_down.sh")
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml
new file mode 100644
index 0000000000..660575d55e
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.ds.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.2">
+  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.2" use-case="OTHER">
+    <ds:checklists>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml">
+        <cat:catalog>
+          <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/>
+        </cat:catalog>
+      </ds:component-ref>
+    </ds:checklists>
+    <ds:checks>
+      <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/>
+    </ds:checks>
+  </ds:data-stream>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38">
+    <oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd   http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+      <generator>
+        <oval:schema_version>5.11.1</oval:schema_version>
+        <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp>
+      </generator>
+      <definitions>
+        <definition class="compliance" id="oval:x:def:1" version="1">
+          <metadata>
+            <title>FAIL</title>
+            <description>fail</description>
+          </metadata>
+          <criteria>
+            <criterion comment="PASS test" test_ref="oval:x:tst:1" negate="true"/>
+          </criteria>
+        </definition>
+      </definitions>
+      <tests>
+        <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
+          <object object_ref="oval:x:obj:1"/>
+        </variable_test>
+      </tests>
+      <objects>
+        <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
+          <var_ref>oval:x:var:1</var_ref>
+        </variable_object>
+      </objects>
+      <variables>
+        <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+          <value>100</value>
+        </constant_variable>
+      </variables>
+    </oval_definitions>
+  </ds:component>
+  <ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45">
+    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+      <status>accepted</status>
+      <version>1.0</version>
+      <Rule selected="true" id="xccdf_com.example.www_rule_test-fail">
+        <title>This rule always fails</title>
+        <fix id="bash_remediation" system="urn:xccdf:fix:script:sh">
+          if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+            printf "WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"
+          fi
+        </fix>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
+        </check>
+      </Rule>
+    </Benchmark>
+  </ds:component>
+</ds:data-stream-collection>
diff --git a/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh
new file mode 100755
index 0000000000..09783de1d3
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_oscap_bootc_pass_down.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_pass_env_var_down() {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    result=$(mktemp)
+
+    OSCAP_BOOTC_BUILD=YES $OSCAP xccdf eval --remediate --results "$result" "$srcdir/test_oscap_bootc_pass_down.ds.xml" > "$stdout" 2> "$stderr" || ret=$?
+    assert_exists 1 '//rule-result/message[text()="WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"]'
+
+    rm -rf "$stdout" "$stderr" "$result"
+}
+
+function test_no_env_var() {
+    stdout=$(mktemp)
+    stderr=$(mktemp)
+    result=$(mktemp)
+
+    $OSCAP xccdf eval --remediate --results "$result" "$srcdir/test_oscap_bootc_pass_down.ds.xml" > "$stdout" 2> "$stderr" || ret=$?
+    assert_exists 0 '//rule-result/message[text()="WE ARE BUILDING BOOTABLE CONTAINER IMAGE NOW"]'
+
+    rm -rf "$stdout" "$stderr" "$result"
+}
+
+
+test_pass_env_var_down
+test_no_env_var