Add ability to block paths

People will be able to tell probes to skip certain paths during
content evaluation. They can specify a list of paths by setting the
`OSCAP_PROBE_IGNORE_PATHS` environment variable. The paths in this
list should be separated by a colon.

Author: jan-cerny

docs/manual/manual.adoc

@@ -1619,6 +1619,7 @@ not considered local by the scanner:
 * `SOURCE_DATE_EPOCH` - Timestamp in seconds since epoch. This timestamp will be used instead of the current time to populate `timestamp` attributes in SCAP source data streams created by `oscap ds sds-compose` sub-module. This is used for reproducible builds of data streams.
 * `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
 * `OSCAP_PROBE_MAX_COLLECTED_ITEMS` - maximal count of collected items by OpenSCAP probe for a single OVAL object evaluation
+* `OSCAP_PROBE_IGNORE_PATHS` - Skip given paths during evaluation. If multiple paths should be skipped they need to be separated by a colon.
 
 Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables].
 

src/OVAL/probes/independent/textfilecontent54_probe.c

@@ -53,6 +53,8 @@
 #include "common/debug_priv.h"
 #include "common/util.h"
 #include "common/oscap_pcre.h"
+#include "common/list.h"
+
 #include "textfilecontent54_probe.h"
 
 #define FILE_SEPARATOR '/'
@@ -118,7 +120,7 @@ struct pfdata {
 	oscap_pcre_t *compiled_regex;
 };
 
-static int process_file(const char *prefix, const char *path, const char *file, struct pfdata *pfd, oval_schema_version_t over)
+static int process_file(const char *prefix, const char *path, const char *file, struct pfdata *pfd, oval_schema_version_t over, struct oscap_list *blocked_paths)
 {
 	int ret = 0, path_len, file_len, cur_inst = 0, fd = -1, substr_cnt,
 		buf_size = 0, buf_used = 0, ofs = 0, buf_inc = 4096;
@@ -143,6 +145,9 @@ static int process_file(const char *prefix, const char *path, const char *file,
 
 	memcpy(whole_path + path_len, file, file_len + 1);
 
+	if (probe_path_is_blocked(whole_path, blocked_paths)) {
+		goto cleanup;
+	}
 	/*
 	 * If stat() fails, don't report an error and just skip the file.
 	 * This is an expected situation, because the fts_*() functions
@@ -360,7 +365,7 @@ int textfilecontent54_probe_main(probe_ctx *ctx, void *arg)
 			if (ofts_ent->fts_info == FTS_F
 			    || ofts_ent->fts_info == FTS_SL) {
 				// todo: handle return code
-				process_file(prefix, ofts_ent->path, ofts_ent->file, &pfd, over);
+				process_file(prefix, ofts_ent->path, ofts_ent->file, &pfd, over, ctx->blocked_paths);
 			}
 			oval_ftsent_free(ofts_ent);
 		}

src/OVAL/probes/probe-api.c

@@ -1794,4 +1794,52 @@ SEXP_t *probe_obj_getmask(SEXP_t *obj)
     SEXP_free(objents);
     return (mask);
 }
+
+static bool path_startswith(const char *path, const char *prefix)
+{
+	bool res = true;
+	const char *del = "/";
+	char *path_dup = oscap_strdup(path);
+	char **path_split = oscap_split(path_dup, del);
+	char *prefix_dup = oscap_strdup(prefix);
+	char **prefix_split = oscap_split(prefix_dup, del);
+	int i = 0, j = 0;
+	while (prefix_split[i] && path_split[j]) {
+		if (!strcmp(prefix_split[i], "")) {
+			++i;
+			continue;
+		}
+		if (!strcmp(path_split[j], "")) {
+			++j;
+			continue;
+		}
+		if (strcmp(prefix_split[i], path_split[j])) {
+			res = false;
+			break;
+		}
+		++i;
+		++j;
+	}
+	free(path_dup);
+	free(path_split);
+	free(prefix_dup);
+	free(prefix_split);
+	return res;
+}
+
+bool probe_path_is_blocked(const char *path, struct oscap_list *blocked_paths)
+{
+	bool res = false;
+	struct oscap_iterator *it = oscap_iterator_new(blocked_paths);
+	while (oscap_iterator_has_more(it)) {
+		const char *item = oscap_iterator_next(it);
+		if (path_startswith(path, item)) {
+			res = true;
+			break;
+		}
+	}
+	oscap_iterator_free(it);
+	return res;
+}
+
 /// @}

src/OVAL/probes/probe/probe.h

@@ -94,6 +94,7 @@ struct probe_ctx {
 	int offline_mode;
 	double max_mem_ratio;
 	size_t max_collected_items;
+	struct oscap_list *blocked_paths;
 };
 
 typedef enum {

src/OVAL/probes/probe/worker.c

@@ -972,6 +972,19 @@ static SEXP_t *probe_set_eval(probe_t *probe, SEXP_t *set, size_t depth)
 	return result;
 }
 
+static void _add_blocked_paths(struct oscap_list *bpaths)
+{
+	char *envar = getenv("OSCAP_PROBE_IGNORE_PATHS");
+	if (envar == NULL) {
+		return;
+	}
+	char **paths = oscap_split(envar, ":");
+	for (int i = 0; paths[i]; ++i) {
+		oscap_list_add(bpaths, strdup(paths[i]));
+	}
+	free(paths);
+}
+
 /**
  * Worker thread function. This functions handles the evalution of objects and sets.
  * @param msg_in SEAP message with the request which contains the object to be evaluated
@@ -1083,6 +1096,9 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 			}
 		}
 
+		pctx.blocked_paths = oscap_list_new();
+		_add_blocked_paths(pctx.blocked_paths);
+
 		/* simple object */
                 pctx.icache  = probe->icache;
 		pctx.filters = probe_prepare_filters(probe, probe_in);
@@ -1142,6 +1158,7 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 				SEXP_free(pctx.filters);
 				SEXP_free(probe_in);
 				SEXP_free(mask);
+				oscap_list_free(pctx.blocked_paths, free);
 				*ret = PROBE_EUNKNOWN;
 				return (NULL);
 			}
@@ -1181,6 +1198,7 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 		}
 
                 SEXP_free(pctx.filters);
+		oscap_list_free(pctx.blocked_paths, free);
 	}
 
 	SEXP_free(probe_in);

src/OVAL/probes/public/probe-api.h

@@ -68,6 +68,7 @@
 #include <oval_types.h>
 #include "sexp-types.h"
 #include "oscap_export.h"
+#include "list.h"
 
 /*
  * items
@@ -538,4 +539,11 @@ OSCAP_API oval_schema_version_t probe_obj_get_platform_schema_version(const SEXP
  */
 OSCAP_API SEXP_t *probe_obj_getmask(SEXP_t *obj);
 
+/**
+ * Check if the given path matches any of the paths in the blocked paths list
+ * @param path path to be examined
+ * @param blocked_paths list of blocked paths
+ */
+OSCAP_API bool probe_path_is_blocked(const char *path, struct oscap_list *blocked_paths);
+
 /// @}

src/OVAL/probes/unix/file_probe.c

@@ -304,7 +304,7 @@ static SEXP_t *has_extended_acl(const char *path)
 #endif
 }
 
-static int file_cb(const char *prefix, const char *p, const char *f, void *ptr, oval_schema_version_t over, struct ID_cache *cache, struct gr_sexps *grs, SEXP_t *gr_lastpath)
+static int file_cb(const char *prefix, const char *p, const char *f, void *ptr, oval_schema_version_t over, struct ID_cache *cache, struct gr_sexps *grs, SEXP_t *gr_lastpath, struct oscap_list *blocked_paths)
 {
         char path_buffer[PATH_MAX];
         SEXP_t *item;
@@ -325,6 +325,10 @@ static int file_cb(const char *prefix, const char *p, const char *f, void *ptr,
 		st_path = path_buffer;
 	}
 
+	if (probe_path_is_blocked(st_path, blocked_paths)) {
+		return 0;
+	}
+
 	char *st_path_with_prefix = oscap_path_join(prefix, st_path);
 	if (lstat(st_path_with_prefix, &st) == -1) {
                 dD("lstat failed when processing %s: errno=%u, %s.", st_path, errno, strerror (errno));
@@ -509,7 +513,7 @@ int file_probe_main(probe_ctx *ctx, void *mutex)
 
 	if ((ofts = oval_fts_open_prefixed(prefix, path, filename, filepath, behaviors, probe_ctx_getresult(ctx))) != NULL) {
 		while ((ofts_ent = oval_fts_read(ofts)) != NULL) {
-			if (file_cb(prefix, ofts_ent->path, ofts_ent->file, &cbargs, over, cache, grs, &gr_lastpath) != 0) {
+			if (file_cb(prefix, ofts_ent->path, ofts_ent->file, &cbargs, over, cache, grs, &gr_lastpath, ctx->blocked_paths) != 0) {
 				oval_ftsent_free(ofts_ent);
 				break;
 			}