Merge pull request #1393 from evgenyz/offline-env

Offline mode support for environmentvariable58_probe

Author: jan-cerny

src/OVAL/probes/independent/environmentvariable58_probe.c

@@ -51,13 +51,15 @@
 #include <sys/types.h>
 #include <dirent.h>
 
+#include <probe/probe.h>
 #include "_seap.h"
 #include "probe-api.h"
 #include "probe/entcmp.h"
 #include "common/debug_priv.h"
 #include "environmentvariable58_probe.h"
 
 #define BUFFER_SIZE 256
+#define VAR_OFFLINE_PREFIX "OSCAP_OFFLINE_"
 
 extern char **environ;
 
@@ -156,16 +158,28 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
 					continue;
 				}
 
-				env_name_size =  eq_char - buffer;
-				env_name = SEXP_string_new(buffer, env_name_size);
+				env_name_size = eq_char - buffer;
+				if (ctx->offline_mode == PROBE_OFFLINE_OWN) {
+					// We are not processing unprefixed (i.e. originated from the host) variables in offline mode
+					if (memmem(buffer, env_name_size, VAR_OFFLINE_PREFIX, strlen(VAR_OFFLINE_PREFIX)) != buffer
+						|| strlen(VAR_OFFLINE_PREFIX) >= env_name_size) {
+						buffer_used -= null_char + 1 - buffer;
+						memmove(buffer, null_char + 1, buffer_used);
+						continue;
+					}
+					env_name = SEXP_string_new(buffer + strlen(VAR_OFFLINE_PREFIX), env_name_size - strlen(VAR_OFFLINE_PREFIX));
+				} else {
+					env_name = SEXP_string_new(buffer, env_name_size);
+				}
 				env_value = SEXP_string_newf("%s", buffer + env_name_size + 1);
+
 				if (probe_entobj_cmp(name_ent, env_name) == OVAL_RESULT_TRUE) {
 					item = probe_item_create(
 						OVAL_INDEPENDENT_ENVIRONMENT_VARIABLE58, NULL,
 						"pid", OVAL_DATATYPE_INTEGER, (int64_t)pid,
 						"name",  OVAL_DATATYPE_SEXP, env_name,
 						"value", OVAL_DATATYPE_SEXP, env_value,
-					      NULL);
+						NULL);
 					probe_item_collect(ctx, item);
 					err = 0;
 				}
@@ -192,6 +206,11 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
 	return err;
 }
 
+int environmentvariable58_probe_offline_mode_supported(void)
+{
+	return PROBE_OFFLINE_OWN;
+}
+
 int environmentvariable58_probe_main(probe_ctx *ctx, void *arg)
 {
 	SEXP_t *probe_in, *name_ent, *pid_ent;
@@ -229,9 +248,16 @@ int environmentvariable58_probe_main(probe_ctx *ctx, void *arg)
 		SEXP_free(nref);
 		SEXP_free(nval);
 		pid_ent = new_pid_ent;
+	} else {
+		if (ctx->offline_mode != PROBE_OFFLINE_NONE) {
+			err = PROBE_EINVAL;
+			goto cleanup;
+		}
 	}
 
 	err = read_environment(pid_ent, name_ent, ctx);
+
+cleanup:
 	SEXP_free(name_ent);
 	SEXP_free(pid_ent);
 

src/OVAL/probes/independent/environmentvariable58_probe.h

@@ -25,6 +25,7 @@
 
 #include "probe-api.h"
 
+int environmentvariable58_probe_offline_mode_supported(void);
 int environmentvariable58_probe_main(probe_ctx *ctx, void *arg);
 
 #endif /* OPENSCAP_ENVIRONMENTVARIABLE58_PROBE_H */

src/OVAL/probes/probe-table.c

@@ -213,7 +213,7 @@ static const probe_table_entry_t probe_table[] = {
 	{OVAL_INDEPENDENT_ENVIRONMENT_VARIABLE, NULL, environmentvariable_probe_main, NULL, NULL},
 #endif
 #ifdef OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE58
-	{OVAL_INDEPENDENT_ENVIRONMENT_VARIABLE58, NULL, environmentvariable58_probe_main, NULL, NULL},
+	{OVAL_INDEPENDENT_ENVIRONMENT_VARIABLE58, NULL, environmentvariable58_probe_main, NULL, environmentvariable58_probe_offline_mode_supported},
 #endif
 #ifdef OPENSCAP_PROBE_INDEPENDENT_FAMILY
 	{OVAL_INDEPENDENT_FAMILY, NULL, family_probe_main, NULL, family_probe_offline_mode_supported},

utils/oscap-podman

@@ -28,21 +28,26 @@ function usage()
     echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers."
     echo
     echo "Compliance scan of Podman image:"
-    echo "$ sudo oscap-podman IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
+    echo "$ sudo oscap-podman [--oscap=<OSCAP_BINARY>] IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
     echo
     echo "Compliance scan of Podman container:"
-    echo "$ sudo oscap-podman CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
+    echo "$ sudo oscap-podman [--oscap=<OSCAP_BINARY>] CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
     echo
     echo "See \`man oscap\` to learn more about semantics of OSCAP_ARGUMENT options."
 }
 
+OSCAP_BINARY=oscap
+
 if [ $# -lt 1 ]; then
     echo "No arguments provided."
     usage
     die
 elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
     usage
     die
+elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then
+    OSCAP_BINARY=${1#"--oscap="}
+    shift
 elif [ "$#" -gt 1 ]; then
     true
 else
@@ -74,14 +79,18 @@ else
 fi
 DIR=$(podman mount $ID) || die
 
+for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do
+    eval "export OSCAP_OFFLINE_$VAR"
+done
+
 export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)"
 export OSCAP_PROBE_OS_NAME="Linux"
 export OSCAP_PROBE_OS_VERSION="$(uname --kernel-release)"
 export OSCAP_PROBE_ARCHITECTURE="$(uname --hardware-platform)"
 export OSCAP_EVALUATION_TARGET="$TARGET"
 shift 1
 
-oscap "$@"
+$OSCAP_BINARY "$@"
 EXIT_CODE=$?
 podman umount $ID > /dev/null || die
 if [ $CLEANUP -eq 1 ]; then

utils/oscap-podman.8

@@ -12,10 +12,10 @@ This script cannot run in rootless mode.
 Usage of the tool mimics usage and options of oscap(8) tool.
 
 .SS Compliance scan of Podman container image:
-oscap-podman IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
+oscap-podman [--oscap=<OSCAP_BINARY>] IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
 
 .SS Compliance scan of Podman container:
-oscap-podman CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
+oscap-podman [--oscap=<OSCAP_BINARY>] CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
 
 Refer to oscap(8) to learn about OSCAP_ARGUMENT options.
 

utils/oscap_docker_python/oscap_docker_util.py

@@ -115,7 +115,7 @@ def _get_dist(self, chroot, target):
             if "{0}{1}: true".format(self.CPE, dist) in result.stdout:
                 return dist
 
-    def _get_target_name(self, target):
+    def _get_target_name_and_config(self, target):
         '''
         Determines if target is image or container. For images returns full
         image name if exists or image ID otherwise. For containers returns
@@ -131,28 +131,31 @@ def _get_target_name(self, target):
                 name = ", ".join(image["RepoTags"])
             else:
                 name = image["Id"][len("sha256:"):][:10]
-            return "docker-image://{}".format(name)
+            return "docker-image://{}".format(name), image["Config"]
         except docker.errors.NotFound:
             try:
                 container = client.inspect_container(target)
                 if container["Name"]:
                     name = container["Name"].lstrip("/")
                 else:
                     name = container["Id"][:10]
-                return "docker-container://{}".format(name)
+                return "docker-container://{}".format(name), container["Config"]
             except docker.errors.NotFound:
-                return "unknown"
+                return "unknown", {}
 
     def oscap_chroot(self, chroot_path, target, *oscap_args):
         '''
         Wrapper function for executing oscap in a subprocess
         '''
-
         os.environ["OSCAP_PROBE_ARCHITECTURE"] = platform.processor()
         os.environ["OSCAP_PROBE_ROOT"] = os.path.join(chroot_path)
         os.environ["OSCAP_PROBE_OS_NAME"] = platform.system()
         os.environ["OSCAP_PROBE_OS_VERSION"] = platform.release()
-        os.environ["OSCAP_EVALUATION_TARGET"] = self._get_target_name(target)
+        name, conf = self._get_target_name_and_config(target)
+        os.environ["OSCAP_EVALUATION_TARGET"] = name
+        for var in config.get("Env", []):
+            vname, val = var.split("=", 1)
+            os.environ["OSCAP_OFFLINE_"+vname] = val
         cmd = [self.oscap_binary] + [x for x in oscap_args]
         oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         oscap_stdout, oscap_stderr = oscap_process.communicate()