# HG changeset patch
# User Jacob Varughese
# Date 1412976714 25200
# Node ID ab1cb904871a1e4e14db39b246c99a0dd283ee95
# Parent e99da14b537a20b484d372cc050cbd2399321232
19262735 The file probe needs to be zone aware
19173594 oscap crashes when compliance is run
19559867 compliance fails when no network interface are defined

diff -r e99da14b537a -r ab1cb904871a components/openscap/Makefile
--- a/components/openscap/Makefile Mon Oct 06 13:15:36 2014 -0700
+++ b/components/openscap/Makefile Fri Oct 10 14:31:54 2014 -0700
@@ -66,7 +66,7 @@
 CONFIGURE_OPTIONS += --libexecdir=$(CONFIGURE_LIBDIR.$(BITS))
 CONFIGURE_OPTIONS += am_cv_python_pythondir=$(PYTHON_VENDOR_PACKAGES)
 CONFIGURE_OPTIONS += am_cv_python_pyexecdir=$(PYTHON_VENDOR_PACKAGES)
-CONFIGURE_OPTIONS += LIBS="-lsocket -lnsl -lldap_r -lscf -ldlpi -lsec"
+CONFIGURE_OPTIONS += LIBS="-lsocket -lnsl -lldap_r -lscf -ldlpi -lsec -lzonecfg"
 CONFIGURE_OPTIONS += --with-report-branding="/usr/share/lib/xml/style/os-logo.xsl"
 
 DOCS_DIR = $(PROTO_DIR)/usr/share/docs/openscap/html/
diff -r e99da14b537a -r ab1cb904871a components/openscap/patches/system_info3.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/system_info3.c.patch Fri Oct 10 14:31:54 2014 -0700
@@ -0,0 +1,50 @@
+This patch fixes the issue, where the system_info probe crashes on solaris,
+ when the network interfaces cannot be detected. Fix provides the default
+ loop back interface as default.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Aug-15.
+
+
+--- openscap-1.0.0/src/OVAL/probes/independent/system_info.c.~2~ 2014-07-24 11:02:52.698291479 -0700
++++ openscap-1.0.0/src/OVAL/probes/independent/system_info.c 2014-07-25 11:20:07.096049635 -0700
+@@ -170,6 +170,7 @@
+ char host[NI_MAXHOST], *mac;
+ SEXP_t *attrs;
+ SEXP_t *r0, *r1, *r2;
++ int item_added = 0;
+ 
+ if (getifaddrs(&ifaddr) == -1)
+ return rc;
+@@ -213,8 +214,6 @@
+ goto leave2;
+ }
+ }
+-
+-
+ attrs = probe_attr_creat("name",
+ r0 = SEXP_string_newf("%s", ifa->ifa_name),
+ "ip_address",
+@@ -223,10 +222,22 @@
+ r2 = SEXP_string_newf("%s", mac),
+ NULL);
+ probe_item_ent_add(item, "interface", attrs, NULL);
++ item_added = 1;
+ SEXP_vfree(attrs, r0, r1, r2, NULL);
+ }
+ leave2:
+ close(fd);
++ if (item_added == 0) {
++ attrs = probe_attr_creat("name",
++ r0 = SEXP_string_newf("dummy0"),
++ "ip_address",
++ r1 = SEXP_string_newf("127.0.0.1"),
++ "mac_address",
++ r2 = SEXP_string_newf("aa:bb:cc:dd:ee:ff"),
++ NULL);
++ probe_item_ent_add(item, "interface", attrs, NULL);
++ SEXP_vfree(attrs, r0, r1, r2, NULL);
++ }
+ leave1:
+ freeifaddrs(ifaddr);
+ return rc;
diff -r e99da14b537a -r ab1cb904871a components/openscap/patches/system_info4.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/system_info4.c.patch Fri Oct 10 14:31:54 2014 -0700
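Review bot: The fallback block added after `close(fd);` writes a fabricated interface (`dummy0`, `127.0.0.1`, `aa:bb:cc:dd:ee:ff`) into the system_info item, and nothing in the result lets a consumer distinguish it from an interface the host really has, so downstream inventory or compliance records will carry a MAC and address that do not exist. If an entry is unavoidable when no interface is detected, the name should make the substitution visible, e.g. `r0 = SEXP_string_newf("no-interface-detected")`, and the patch header should state that the entry is a placeholder so anyone auditing a report knows to discount it. The header's `2014-Aug-15` upstream date had already passed when this changeset was committed, so it should be refreshed or replaced by a reference to the upstream submission. The inner hunks are fragments of `get_ifs`, whose start and end lie outside them.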
@@ -0,0 +1,55 @@
+This patch fixes the issue, where the system_info probe fails on solaris,
+ when the network interfaces cannot be detected. Fix provides the default
+ loop back interface as default. The earlier patch was not a complete fix.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Oct-15.
+
+
+--- openscap-1.0.0/src/OVAL/probes/independent/system_info.c.~3~ 2014-09-18 11:08:42.983747329 -0700
++++ openscap-1.0.0/src/OVAL/probes/independent/system_info.c 2014-09-18 12:41:13.266535881 -0700
+@@ -166,14 +166,16 @@
+ static int get_ifs(SEXP_t *item)
+ {
+ struct ifaddrs *ifaddr, *ifa;
+- int family, rc=1;
++ int family, rc=0;
+ char host[NI_MAXHOST], *mac;
+ SEXP_t *attrs;
+ SEXP_t *r0, *r1, *r2;
+- int item_added = 0;
++#if defined(__SVR4) && defined(__sun)
++ int item_added = 0;
++#endif
+ 
+ if (getifaddrs(&ifaddr) == -1)
+- return rc;
++ return 1;
+ 
+ fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
+ if (fd < 0)
+@@ -222,12 +224,15 @@
+ r2 = SEXP_string_newf("%s", mac),
+ NULL);
+ probe_item_ent_add(item, "interface", attrs, NULL);
++#if defined(__SVR4) && defined(__sun)
+ item_added = 1;
++#endif
+ SEXP_vfree(attrs, r0, r1, r2, NULL);
+ }
+ leave2:
+ close(fd);
+- if (item_added == 0) {
++#if defined(__SVR4) && defined(__sun)
++ if (item_added == 0 && rc == 0) {
+ attrs = probe_attr_creat("name",
+ r0 = SEXP_string_newf("dummy0"),
+ "ip_address",
+@@ -238,6 +243,7 @@
+ probe_item_ent_add(item, "interface", attrs, NULL);
+ SEXP_vfree(attrs, r0, r1, r2, NULL);
+ }
++#endif
+ leave1:
+ freeifaddrs(ifaddr);
+ return rc;
diff -r e99da14b537a -r ab1cb904871a components/openscap/patches/zone_file_fix_opt.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/zone_file_fix_opt.c.patch Fri Oct 10 14:31:54 2014 -0700
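Review bot: With the initializer changed to `rc=0`, zero is now the default on every exit, so the new `if (item_added == 0 && rc == 0)` guard only excludes error exits that explicitly set a non-zero rc before jumping; the `if (fd < 0)` branch and the `goto leave2` sites are outside this hunk, and if any of them still relies on the old `rc=1` default, a failed socket() or address lookup now returns success and emits the dummy interface on top of it. That contract should be written where rc is declared, `int family, rc=0; /* set non-zero on every error path; 0 with item_added == 0 means "no interface found" */`, and each error jump checked against it. The `#else` side of the new `#if defined(__SVR4) && defined(__sun)` blocks has no fallback at all, which matches the header's Solaris-only scope but deserves a one-line comment at the final `#endif` so the asymmetry is not mistaken for an omission. `get_ifs` begins in the first inner hunk and ends in the last, with its loop body in between outside view.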
@@ -0,0 +1,169 @@
+This patch fixes an issue with file probe on solaris. The file probe currently
+ is not zone aware and so descends into non-global zones from the global-zone.
+Fix prevents file probe traversal into non-global zones from the global zone,
+ when local is specified for recursion.
+
+This patch has not been contributed upstream, but is planned to be submitted by
+ 2014-Oct-15.
+--- openscap-1.0.0/src/OVAL/probes/oval_fts.c.~2~ 2014-07-24 10:53:15.269589073 -0700
++++ openscap-1.0.0/src/OVAL/probes/oval_fts.c 2014-07-24 11:02:30.267608422 -0700
+@@ -45,6 +45,8 @@
+ #if defined(__SVR4) && defined(__sun)
+ #include "fts_sun.h"
+ #include
++#include
++#include
+ #else
+ #include
+ #endif
+@@ -138,6 +140,13 @@
+ #define MNTTYPE_PROC "proc"
+ #endif
+ 
++typedef struct zone_path {
++ avl_node_t avl_link_next;
++ char zpath[MAXPATHLEN];
++} zone_path_t;
++static avl_tree_t avl_tree_list;
++
++
+ static bool valid_remote_fs(char *fstype)
+ {
+ if (strcmp(fstype, MNTTYPE_NFS) == 0 ||
+@@ -160,6 +169,85 @@
+ return (false);
+ return (true);
+ }
++
++/* function to compare two avl nodes in the avl tree */
++static int compare_zoneroot(const void *entry1, const void *entry2)
++{
++ zone_path_t *t1, *t2;
++ int comp;
++
++ t1 = (zone_path_t *)entry1;
++ t2 = (zone_path_t *)entry2;
++ if ((comp = strcmp(t1->zpath, t2->zpath)) == 0) {
++ return (0);
++ }
++ return (comp > 0 ? 1 : -1);
++}
++
++int load_zones_path_list()
++{
++ FILE *cookie;
++ char *name;
++ zone_state_t state_num;
++ zone_path_t *temp = NULL;
++ avl_index_t where;
++ char rpath[MAXPATHLEN];
++
++ cookie = setzoneent();
++ if (getzoneid() != GLOBAL_ZONEID)
++ return (0);
++ avl_create(&avl_tree_list, compare_zoneroot,
++ sizeof(zone_path_t), offsetof(zone_path_t, avl_link_next));
++ while ((name = getzoneent(cookie)) != NULL) {
++ if (strcmp(name, "global") == 0)
++ continue;
++ if (zone_get_state(name, &state_num) != Z_OK) {
++ dE("Could not get zone state for %s\n", name);
++ continue;
++ } else if (state_num > ZONE_STATE_CONFIGURED) {
++ temp = malloc(sizeof(zone_path_t));
++ if (temp == NULL) {
++ dE("Memory alloc failed\n");
++ return(1);
++ }
++ if (zone_get_zonepath(name, rpath,
++ sizeof(rpath)) != Z_OK) {
++ dE("Could not get zone path for %s\n",
++ name);
++ continue;
++ }
++ if (realpath(rpath, temp->zpath) != NULL)
++ avl_add(&avl_tree_list, temp);
++ }
++ }
++ endzoneent(cookie);
++ return (0);
++}
++
++static void free_zones_path_list()
++{
++ zone_path_t *temp;
++ void* cookie = NULL;
++
++ while ((temp = avl_destroy_nodes(&avl_tree_list, &cookie)) != NULL) {
++ free(temp);
++ }
++ avl_destroy(&avl_tree_list);
++}
++
++static bool valid_local_zone(char *path)
++{
++ zone_path_t temp;
++ avl_index_t where;
++
++ strlcpy(temp.zpath, path, sizeof(temp.zpath));
++ if (avl_find(&avl_tree_list, &temp, &where) != NULL)
++ return (true);
++
++ return (false);
++}
++
++
+ #endif
+ 
+ static bool OVAL_FTS_localp(OVAL_FTS *ofts, const char *path, void *id)
+@@ -168,9 +256,11 @@
+ if (id != NULL && (*(char*)id) != '\0') {
+ /* if not a valid local fs skip */
+ if (valid_local_fs((char*)id)) {
+- /* if recurse is local , skip remote fs */
++ /* if recurse is local , skip remote fs
++ and non-global zones */
+ if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+- return (!valid_remote_fs((char*)id));
++ return (!(valid_remote_fs((char*)id) ||
++ valid_local_zone(path)));
+ }
+ return (true);
+ }
+@@ -179,9 +269,11 @@
+ /* id was not set, because fts_read failed to stat the node */
+ struct stat sb;
+ if ((stat(path, &sb) == 0) && (valid_local_fs(sb.st_fstype))) {
+- /* if recurse is local , skip remote fs */
++ /* if recurse is local , skip remote fs
++ and non-global zones */
+ if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+- return (!valid_remote_fs(sb.st_fstype));
++ return (!(valid_remote_fs(sb.st_fstype) ||
++ valid_local_zone(path)));
+ }
+ return (true);
+ }
+@@ -793,6 +884,12 @@
+ ofts->ofts_sfilepath = SEXP_ref(filepath);
+ }
+ 
++#if defined(__SVR4) && defined(__sun)
++ if (load_zones_path_list() != 0) {
++ dE("Failed to load zones path info. Recursing non-global zones.");
++ free_zones_path_list();
++ }
++#endif
+ return (ofts);
+ }
+ 
+@@ -1249,6 +1346,9 @@
+ fsdev_free(ofts->localdevs);
+ 
+ OVAL_FTS_free(ofts);
++#if defined(__SVR4) && defined(__sun)
++ free_zones_path_list();
++#endif
+ 
+ return (0);
+ }
diff -r e99da14b537a -r ab1cb904871a components/openscap/resolve.deps
--- a/components/openscap/resolve.deps Mon Oct 06 13:15:36 2014 -0700
+++ b/components/openscap/resolve.deps Fri Oct 10 14:31:54 2014 -0700
@@ -4,8 +4,8 @@
 library/libxslt
 library/openldap
 library/pcre
+runtime/perl-512
 runtime/python-26
-runtime/perl-512
 security/compliance/openscap
 system/library
 system/library/gcc-3-runtime
@@ -13,4 +13,5 @@
 system/library/gcc/gcc-c-runtime
 system/library/math
 system/library/security/libgcrypt
+system/zones
 web/curl
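Review bot: `load_zones_path_list()` leaks on its early exits — `setzoneent()` runs before the `getzoneid() != GLOBAL_ZONEID` check, so a non-global zone returns with the enumeration handle still open, the malloc-failure `return(1)` also skips `endzoneent(cookie)`, and because `temp` is allocated before `zone_get_zonepath()` and `realpath()` are tried, both of their failure paths drop the allocation (the `cookie` is also never checked for NULL before `getzoneent()`). In `OVAL_FTS_open` (its body lies outside the hunk) a non-zero return is only logged and traversal continues, so an enumeration failure silently restores the cross-zone descent this patch exists to stop; failing the open, or at least stating in the patch header that the check is fail-open, would be the safer contract, and that path also calls `free_zones_path_list()` a second time from close. The function should be `static` like its neighbours, its unused `where` local can go, and if `getzoneent()` hands back an allocated string — as other libzonecfg callers treat it — `name` must be freed each iteration as well, which is worth confirming against the library. Note too that `valid_local_zone()` matches only the exact canonical root produced by `realpath()`, so a zone root reached through a symlinked path would not be recognised. The reordered body below closes the leaks and initialises the tree before any early return, so `valid_local_zone()` and the close-time free never operate on a tree that `avl_create` has not set up.

```c
static int load_zones_path_list(void)
{
	/* … unchanged: declarations (drop the unused `where`) … */

	/* always initialise, so later lookups and the close-time free are safe */
	avl_create(&avl_tree_list, compare_zoneroot,
	    sizeof(zone_path_t), offsetof(zone_path_t, avl_link_next));
	if (getzoneid() != GLOBAL_ZONEID)
		return (0);
	if ((cookie = setzoneent()) == NULL) {
		dE("Could not enumerate zones\n");
		return (1);
	}
	while ((name = getzoneent(cookie)) != NULL) {
		if (strcmp(name, "global") == 0)
			continue;
		if (zone_get_state(name, &state_num) != Z_OK) {
			dE("Could not get zone state for %s\n", name);
			continue;
		}
		if (state_num <= ZONE_STATE_CONFIGURED)
			continue;
		if (zone_get_zonepath(name, rpath, sizeof(rpath)) != Z_OK) {
			dE("Could not get zone path for %s\n", name);
			continue;
		}
		/* allocate only once the path is known, so no failure below leaks it */
		temp = malloc(sizeof(*temp));
		if (temp == NULL) {
			dE("Memory alloc failed\n");
			endzoneent(cookie);
			return (1);
		}
		if (realpath(rpath, temp->zpath) != NULL)
			avl_add(&avl_tree_list, temp);
		else
			free(temp);
	}
	endzoneent(cookie);
	return (0);
}
```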