
Commit 1e475b3

committed
Improve readability of SYSCTL_BLACKLIST
code review feedback
1 parent c1eb501 commit 1e475b3


1 file changed

+20
-3
lines changed

1 file changed

+20
-3
lines changed

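--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -9,7 +9,24 @@ set -e -o pipefail
 PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
 
 # non root users are not able to access some kernel params, so they get blacklisted
-SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
+SYSCTL_BLACKLIST='
+fs.protected_hardlinks
+fs.protected_symlinks
+kernel.cad_pid
+kernel.unprivileged_userns_apparmor_policy
+kernel.usermodehelper.bset
+kernel.usermodehelper.inheritable
+net.core.bpf_jit_harden
+net.core.bpf_jit_kallsyms
+net.ipv4.tcp_fastopen_key
+stable_secret
+vm.mmap_rnd_bits
+vm.mmap_rnd_compat_bits
+vm.stat_refresh'
+
+SYSCTL_BLACKLIST_REGEX="$(printf '\|%s' $SYSCTL_BLACKLIST)"
+# strip leading '\|'
+SYSCTL_BLACKLIST_REGEX=${SYSCTL_BLACKLIST_REGEX:2}
 
 function perform_test {
 probecheck "sysctl" || return 255
@@ -31,9 +48,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
 # sysctl has duplicities in output
 # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
 # kernel parameters might use "/" and "." separators interchangeably - normalizing
-sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
+sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST_REGEX | tr "/" "." | sort -u > "$sysctlNames"
 
-grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST_REGEX | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
 
 # If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh
 # options from the sysctl output, for more details see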
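Review bot: The generated `$SYSCTL_BLACKLIST_REGEX` is passed to `grep -v` unquoted on new lines 51 and 53; it only survives word-splitting and globbing because every entry in the list happens to be free of whitespace and glob characters, and the next edit to the list could silently break that. Quoting it costs nothing and makes the intent explicit: `grep -v -e "$SYSCTL_BLACKLIST_REGEX"` on both lines. By contrast, `printf '\|%s' $SYSCTL_BLACKLIST` on new line 27 relies on word-splitting on purpose, which deserves a one-line comment so nobody "fixes" it, e.g. `# intentionally unquoted: split the multi-line list into one word per entry`. The unescaped dots in the entries still match any character, which is presumably intended since the grep runs before the `tr "/" "."` normalization, but worth stating in the comment above the list. perform_test, which contains the second hunk, starts and ends outside it.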
