19173594 oscap crashes when compliance is run
authorJacob Varughese <jacob.varughese@oracle.com>
Wed, 30 Jul 2014 09:58:58 -0700
changeset 2016 50e1c2ae28b8
parent 2015 dc6ac4f7ca4a
child 2017 62a217d7fe25
19173594 oscap crashes when compliance is run 19262735 The file probe needs to be zone aware
components/openscap/Makefile
components/openscap/patches/system_info3.c.patch
components/openscap/patches/zone_file_fix_opt.c.patch
components/openscap/resolve.deps
--- a/components/openscap/Makefile	Tue Jul 29 11:45:36 2014 -0700
+++ b/components/openscap/Makefile	Wed Jul 30 09:58:58 2014 -0700
@@ -68,7 +68,7 @@
 CONFIGURE_OPTIONS +=	--libexecdir=$(CONFIGURE_LIBDIR.$(BITS))
 CONFIGURE_OPTIONS +=	am_cv_python_pythondir=$(PYTHON_VENDOR_PACKAGES)
 CONFIGURE_OPTIONS +=	am_cv_python_pyexecdir=$(PYTHON_VENDOR_PACKAGES)
-CONFIGURE_OPTIONS +=	LIBS="-lldap_r -lscf -ldlpi -lsec"
+CONFIGURE_OPTIONS +=	LIBS="-lldap_r -lscf -ldlpi -lsec -lzonecfg"
 CONFIGURE_OPTIONS +=	--with-report-branding="/usr/share/lib/xml/style/os-logo.xsl"
 
 DOCS_DIR = $(PROTO_DIR)/usr/share/docs/openscap/html/
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/system_info3.c.patch	Wed Jul 30 09:58:58 2014 -0700
@@ -0,0 +1,50 @@
+This patch fixes the issue, where the system_info probe crashes on solaris,
+ when the network interfaces cannot be detected. Fix provides the default
+ loop back interface as default.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Aug-15.
+
+
+--- openscap-1.0.0/src/OVAL/probes/independent/system_info.c.~2~	2014-07-24 11:02:52.698291479 -0700
++++ openscap-1.0.0/src/OVAL/probes/independent/system_info.c	2014-07-25 11:20:07.096049635 -0700
+@@ -170,6 +170,7 @@
+        char host[NI_MAXHOST], *mac;
+        SEXP_t *attrs;
+        SEXP_t *r0, *r1, *r2;
++	int item_added = 0;
+ 
+        if (getifaddrs(&ifaddr) == -1)
+                return rc;
+@@ -213,8 +214,6 @@
+ 				goto leave2;
+ 			}
+ 		}
+-
+-
+ 	        attrs = probe_attr_creat("name",
+                                  r0 = SEXP_string_newf("%s", ifa->ifa_name),
+                                  "ip_address",
+@@ -223,10 +222,22 @@
+                                  r2 = SEXP_string_newf("%s", mac),
+                                  NULL);
+ 	        probe_item_ent_add(item, "interface", attrs, NULL);
++		item_added = 1;
+         	SEXP_vfree(attrs, r0, r1, r2, NULL);
+ 	}
+ leave2:
+         close(fd);
++	if (item_added == 0) {
++		attrs = probe_attr_creat("name",
++					 r0 = SEXP_string_newf("dummy0"),
++					 "ip_address",
++					 r1 = SEXP_string_newf("127.0.0.1"),
++					 "mac_address",
++					 r2 = SEXP_string_newf("aa:bb:cc:dd:ee:ff"),
++					 NULL);
++		probe_item_ent_add(item, "interface", attrs, NULL);
++		SEXP_vfree(attrs, r0, r1, r2, NULL);
++	}
+ leave1:
+         freeifaddrs(ifaddr);
+         return rc;
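Review bot: The fallback entry added after `leave2:` reports an interface named `dummy0` with MAC `aa:bb:cc:dd:ee:ff`, values that do not exist on the host, and nothing in the collected item marks them as synthetic, so compliance results built on system_info can carry fabricated evidence. Because the block follows the `leave2:` label it also runs when the loop bailed out through `goto leave2`, which turns an enumeration error into a plausible-looking result; if `rc` signals failure on that path the placeholder should probably be skipped. The `getifaddrs(&ifaddr) == -1` early return bypasses the fallback entirely, so it is worth checking whether that case still leaves the item without any interface entry. At minimum add a comment above the block, for example `/* no interface could be enumerated: emit a placeholder entry; these values are synthetic, not read from the host */`, and log when the placeholder is used. The patched function starts and ends outside the inner hunks, so how `rc` is set is not visible here.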
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openscap/patches/zone_file_fix_opt.c.patch	Wed Jul 30 09:58:58 2014 -0700
@@ -0,0 +1,169 @@
+This patch fixes an issue with file probe on solaris. The file probe currently
+ is not zone aware and so descends into non-global zones from the global-zone.
+Fix prevents file probe traversal into non-global zones  from the global zone,
+ when local is specified for recursion.
+
+This patch has not been contributed upstream, but is planned to be done by
+ 2014-Aug-15.
+--- openscap-1.0.0/src/OVAL/probes/oval_fts.c.~2~	2014-07-24 10:53:15.269589073 -0700
++++ openscap-1.0.0/src/OVAL/probes/oval_fts.c	2014-07-24 11:02:30.267608422 -0700
+@@ -45,6 +45,8 @@
+ #if defined(__SVR4) && defined(__sun)
+ #include "fts_sun.h"
+ #include <sys/mntent.h>
++#include <libzonecfg.h>
++#include <sys/avl.h>
+ #else
+ #include <fts.h>
+ #endif
+@@ -138,6 +140,13 @@
+ #define MNTTYPE_PROC	"proc"
+ #endif
+ 
++typedef struct zone_path {
++	avl_node_t avl_link_next;
++	char zpath[MAXPATHLEN];
++} zone_path_t;
++static avl_tree_t avl_tree_list;
++
++
+ static bool valid_remote_fs(char *fstype)
+ {
+ 	if (strcmp(fstype, MNTTYPE_NFS) == 0 ||
+@@ -160,6 +169,85 @@
+ 		return (false);
+ 	return (true);
+ }
++
++/* function to compare two avl nodes in the avl tree */
++static int compare_zoneroot(const void *entry1, const void *entry2)
++{
++	zone_path_t *t1, *t2;
++	int comp;
++
++	t1 = (zone_path_t *)entry1;
++	t2 = (zone_path_t *)entry2;
++	if ((comp = strcmp(t1->zpath, t2->zpath)) == 0) {
++		return (0);
++	}
++	return (comp > 0 ? 1 : -1);
++}
++
++int load_zones_path_list()
++{
++	FILE *cookie;
++	char *name;
++	zone_state_t state_num;
++	zone_path_t *temp = NULL;
++	avl_index_t where;
++	char rpath[MAXPATHLEN];
++
++	cookie = setzoneent();
++	if (getzoneid() != GLOBAL_ZONEID)
++		return (0);
++	avl_create(&avl_tree_list, compare_zoneroot,
++	    sizeof(zone_path_t), offsetof(zone_path_t, avl_link_next));
++	while ((name = getzoneent(cookie)) != NULL) {
++		if (strcmp(name, "global") == 0)
++			continue;
++		if (zone_get_state(name, &state_num) != Z_OK) {
++			dE("Could not get zone state for %s\n", name);
++			continue;
++		} else if (state_num > ZONE_STATE_CONFIGURED) {
++			temp = malloc(sizeof(zone_path_t));
++			if (temp == NULL) {
++				dE("Memory alloc failed\n");
++				return(1);
++			}
++			if (zone_get_zonepath(name, rpath,
++			    sizeof(rpath)) != Z_OK) {
++				dE("Could not get zone path for %s\n",
++				    name);
++				continue;
++			}
++			if (realpath(rpath, temp->zpath) != NULL)
++				avl_add(&avl_tree_list, temp);
++		}
++	}
++	endzoneent(cookie);
++	return (0);
++}
++
++static void free_zones_path_list()
++{
++	zone_path_t *temp;
++	void* cookie = NULL;
++
++	while ((temp = avl_destroy_nodes(&avl_tree_list, &cookie)) != NULL) {
++		free(temp);
++	}
++	avl_destroy(&avl_tree_list);
++}
++
++static bool valid_local_zone(char *path)
++{
++	zone_path_t temp;
++	avl_index_t where;
++	
++	strlcpy(temp.zpath, path, sizeof(temp.zpath));
++	if (avl_find(&avl_tree_list, &temp, &where) != NULL)
++		return (true);
++
++	return (false);
++}
++
++
+ #endif
+ 
+ static bool OVAL_FTS_localp(OVAL_FTS *ofts, const char *path, void *id)
+@@ -168,9 +256,11 @@
+ 	if (id != NULL && (*(char*)id) != '\0') {
+ 		/* if not a valid local fs skip */
+ 		if (valid_local_fs((char*)id)) {
+-			/* if recurse is local , skip remote fs */
++			/* if recurse is local , skip remote fs 
++			   and non-global zones */
+ 			if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+-				return (!valid_remote_fs((char*)id));
++				return (!(valid_remote_fs((char*)id) ||
++				    valid_local_zone(path)));
+ 			}
+ 			return (true);
+ 		}
+@@ -179,9 +269,11 @@
+ 		/* id was not set, because fts_read failed to stat the node */
+ 		struct stat sb;
+ 		if ((stat(path, &sb) == 0) && (valid_local_fs(sb.st_fstype))) {
+-			/* if recurse is local , skip remote fs */
++			/* if recurse is local , skip remote fs
++			   and non-global zones */
+ 			if (ofts->filesystem == OVAL_RECURSE_FS_LOCAL) {
+-				return (!valid_remote_fs(sb.st_fstype));
++				return (!(valid_remote_fs(sb.st_fstype) ||
++				    valid_local_zone(path)));
+ 			}
+ 			return (true);
+ 		}
+@@ -793,6 +884,12 @@
+ 		ofts->ofts_sfilepath = SEXP_ref(filepath);
+ 	}
+ 
++#if defined(__SVR4) && defined(__sun)
++	if (load_zones_path_list() != 0) {
++		dE("Failed to load zones path info. Recursing non-global zones.");
++		free_zones_path_list();
++	}
++#endif
+ 	return (ofts);
+ }
+ 
+@@ -1249,6 +1346,9 @@
+ 	fsdev_free(ofts->localdevs);
+ 
+ 	OVAL_FTS_free(ofts);
++#if defined(__SVR4) && defined(__sun)
++	free_zones_path_list();
++#endif
+ 
+ 	return (0);
+ }
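Review bot: In `load_zones_path_list()` the `zone_path_t` obtained from `malloc` is leaked whenever `zone_get_zonepath()` fails (the `continue`) or `realpath()` returns NULL, and the `setzoneent()` handle never reaches `endzoneent()` on the non-global-zone early return or the allocation-failure return. That early return also happens before `avl_create()`, so in a non-global zone `valid_local_zone()` and `free_zones_path_list()` operate on a tree that was never created. The tree is a single file-scope static shared by every OVAL_FTS handle, so a second open re-creates it over live nodes and any close destroys it for the others; hanging it off `OVAL_FTS` or reference-counting it would be safer. `valid_local_zone()` is an exact string match against the canonical zonepath, so the skip presumably depends on the traversal presenting the path in that same form, and the load-failure branch deliberately falls back to descending into zone-controlled trees; both deserve a comment at the call sites. The strings returned by `getzoneent()` likely have to be freed by the caller as well, which should be confirmed against libzonecfg.

```c
int load_zones_path_list()
{
	/* … unchanged: declarations … */
	int rc = 0;

	/* create the tree first so lookups and teardown are valid in every zone */
	avl_create(&avl_tree_list, compare_zoneroot,
	    sizeof(zone_path_t), offsetof(zone_path_t, avl_link_next));
	if (getzoneid() != GLOBAL_ZONEID)
		return (0);
	if ((cookie = setzoneent()) == NULL)
		return (1);
	while ((name = getzoneent(cookie)) != NULL) {
		/* … unchanged: skip "global"; zone_get_state() failure → continue … */
		if (state_num <= ZONE_STATE_CONFIGURED)
			continue;
		/* resolve the path before allocating so a failure leaks nothing */
		if (zone_get_zonepath(name, rpath, sizeof(rpath)) != Z_OK) {
			dE("Could not get zone path for %s\n", name);
			continue;
		}
		temp = malloc(sizeof(zone_path_t));
		if (temp == NULL) {
			dE("Memory alloc failed\n");
			rc = 1;
			break;
		}
		if (realpath(rpath, temp->zpath) != NULL)
			avl_add(&avl_tree_list, temp);
		else
			free(temp);
	}
	endzoneent(cookie);
	return (rc);
}
```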
--- a/components/openscap/resolve.deps	Tue Jul 29 11:45:36 2014 -0700
+++ b/components/openscap/resolve.deps	Wed Jul 30 09:58:58 2014 -0700
@@ -4,8 +4,8 @@
 library/libxslt
 library/openldap
 library/pcre
+runtime/perl-512
 runtime/python-26
-runtime/perl-512
 security/compliance/openscap
 system/library
 system/library/gcc-3-runtime
@@ -13,4 +13,5 @@
 system/library/gcc/gcc-c-runtime
 system/library/math
 system/library/security/libgcrypt
+system/zones
 web/curl