Merge pull request #1944 from evgenyz/add_fwupd_test

Add fwupd probe test and some fixes

Author: jan-cerny

.github/workflows/build.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Install Deps
       run: |
         sudo apt-get update
-        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libapt-pkg-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libapt-pkg-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
         sudo apt-get -y remove rpm
 
     # Runs a set of commands using the runners shell
@@ -47,6 +47,7 @@ jobs:
     - name: Test
       working-directory: ./build
       run: |
+        export $(dbus-launch)
         ctest --output-on-failure
 
   build-fedora:
@@ -56,7 +57,7 @@ jobs:
       image: fedora:latest
     steps:
     - name: Install Deps
-      run: dnf install -y cmake git dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel libattr-devel make openldap-devel pcre-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel rpm-devel swig bzip2-devel gcc-c++ libyaml-devel xmlsec1-devel xmlsec1-openssl-devel hostname bzip2 lua rpm-build which strace
+      run: dnf install -y cmake git dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel libattr-devel make openldap-devel pcre-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel python3-dbusmock rpm-devel swig bzip2-devel gcc-c++ libyaml-devel xmlsec1-devel xmlsec1-openssl-devel hostname bzip2 lua rpm-build which strace
     - name: Checkout
       uses: actions/checkout@v3
       with:
@@ -69,6 +70,7 @@ jobs:
     - name: Test
       working-directory: ./build
       run: |
+        export $(dbus-launch)
         ctest --output-on-failure
 
   build-macos:

.github/workflows/codeql.yml

@@ -32,7 +32,7 @@ jobs:
     - name: Install Deps
       run: |
         sudo apt-get update
-        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libapt-pkg-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl
+        sudo apt-get -y install lcov swig xsltproc rpm-common lua5.3 libyaml-dev libapt-pkg-dev libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt-dev libselinux1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libxslt1-dev libxml-parser-perl libxml-xpath-perl libperl-dev librpm-dev librtmp-dev libxmlsec1-dev libxmlsec1-openssl python3-dbusmock
         sudo apt-get -y remove rpm
 
     # Initializes the CodeQL tools for scanning.

docs/developer/developer.adoc

@@ -65,7 +65,7 @@ On Fedora 24+, the command to install the build dependencies is:
 sudo yum install \
 cmake dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel \
 libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel libattr-devel make openldap-devel \
-pcre-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel rpm-devel swig \
+pcre-devel perl-XML-Parser perl-XML-XPath perl-devel python3-devel python3-dbusmock rpm-devel swig \
 bzip2-devel gcc-c++ libyaml-devel xmlsec1-devel xmlsec1-openssl-devel
 ----
 

openscap.spec

@@ -31,6 +31,7 @@ BuildRequires:  systemd
 %if %{?_with_check:1}%{!?_with_check:0}
 BuildRequires:  perl-XML-XPath
 BuildRequires:  bzip2
+BuildRequires:  python3-dbusmock
 %endif
 Requires:       bash
 Requires:       bzip2-libs

schemas/oval/5.11.3/linux-definitions-schema.xsd

@@ -2508,7 +2508,6 @@
                </xsd:complexContent>
           </xsd:complexType>
      </xsd:element>
-
      <!-- =============================================================== -->
      <!-- =================   FWUPD SECURITY ATTRIBUTE   ================ -->
      <!-- =============================================================== -->
@@ -2569,7 +2568,7 @@
                               <xsd:choice>
                                    <xsd:element ref="oval-def:set"/>
                                    <xsd:sequence>
-                                        <xsd:element name="stream-id" type="oval-def:EntityObjectStringType">
+                                        <xsd:element name="stream_id" type="oval-def:EntityObjectStringType">
                                              <xsd:annotation>
                                                   <xsd:documentation>This refers to a specific firmware, hardware, and fw/hw configurations and is defined by fwupd.</xsd:documentation>
                                              </xsd:annotation>
@@ -2590,7 +2589,7 @@
                <xsd:complexContent>
                     <xsd:extension base="oval-def:StateType">
                          <xsd:sequence>
-                              <xsd:element name="security-attr" type="oval-def:EntityObjectStringType">
+                              <xsd:element name="security_attr" type="oval-def:EntityObjectStringType">
                                    <xsd:annotation>
                                         <xsd:documentation>This is the current firmware security status defined by fwupd.</xsd:documentation>
                                    </xsd:annotation>
@@ -2600,10 +2599,6 @@
                </xsd:complexContent>
           </xsd:complexType>
      </xsd:element>
-
-
-
-
      <!-- =============================================================================== -->
      <!-- =============================================================================== -->
      <!-- =============================================================================== -->

schemas/oval/5.11.3/linux-system-characteristics-schema.xsd

@@ -1108,6 +1108,32 @@
           </xsd:complexType>
      </xsd:element>
      <!-- =============================================================================== -->
+     <!-- ===========================  FWUPD SECURITY ATTRIBUTE ITEM  =================== -->
+     <!-- =============================================================================== -->
+     <xsd:element name="fwupdsecattr_item" substitutionGroup="oval-sc:item">
+          <xsd:annotation>
+               <xsd:documentation>This item describes a security attribute state as defined by fwupd. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.</xsd:documentation>
+          </xsd:annotation>
+          <xsd:complexType>
+               <xsd:complexContent>
+                    <xsd:extension base="oval-sc:ItemType">
+                         <xsd:sequence>
+                              <xsd:element name="stream_id" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
+                                   <xsd:annotation>
+                                        <xsd:documentation>The attribute Stream ID.</xsd:documentation>
+                                   </xsd:annotation>
+                              </xsd:element>
+                              <xsd:element name="security_attr" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
+                                   <xsd:annotation>
+                                        <xsd:documentation>The attribute status.</xsd:documentation>
+                                   </xsd:annotation>
+                              </xsd:element>
+                         </xsd:sequence>
+                    </xsd:extension>
+               </xsd:complexContent>
+          </xsd:complexType>
+     </xsd:element>
+     <!-- =============================================================================== -->
      <!-- =============================================================================== -->
      <!-- =============================================================================== -->
      <xsd:complexType name="EntityItemRpmVerifyResultType">

src/OVAL/probes/unix/linux/fwupdsecattr_probe.c

@@ -81,6 +81,7 @@ static void hsicache_callback(char *name, const uint32_t value)
 	}
 	entry->name = oscap_strdup(name);
 	entry->hsi_result = value;
+	dD("HSI cache add name: %s value: %d\n", entry->name, entry->hsi_result);
 	LIST_INSERT_HEAD(&hsi_result_cache, entry, entries);
 }
 
@@ -89,12 +90,13 @@ static uint32_t hsicache_get(const char *key)
 	struct secattr_cache *next;
 
 	LIST_FOREACH(next, &hsi_result_cache, entries) {
-		dD("HSI search key %s name %s value %d\n", key, next->name, next->hsi_result);
+		dD("HSI search key: %s (name: %s value: %d)\n", key, next->name, next->hsi_result);
 		if (!strncmp(next->name, key, strlen(next->name))) {
 			return next->hsi_result;
 		}
 	}
 
+	dW("HSI key not found: %s\n", key);
 	return UINT32_MAX;
 }
 
@@ -119,13 +121,14 @@ static int get_all_security_attributes(DBusConnection *conn, void(*callback)(cha
 	}
 
 	DBusMessageIter args, property_iter;
+	_DBusBasicValue value;
 
 	if (!dbus_connection_send_with_reply(conn, msg, &pending, -1)) {
-		dD("Failed to send message via dbus!");
+		dD("Failed to send message via D-Bus!");
 		goto cleanup;
 	}
 	if (pending == NULL) {
-		dD("Invalid dbus pending call!");
+		dD("Invalid D-Bus pending call!");
 		goto cleanup;
 	}
 
@@ -135,18 +138,19 @@ static int get_all_security_attributes(DBusConnection *conn, void(*callback)(cha
 	dbus_pending_call_block(pending);
 	msg = dbus_pending_call_steal_reply(pending);
 	if (msg == NULL) {
-		dD("Failed to steal dbus pending call reply.");
+		dD("Failed to steal D-Bus pending call reply.");
 		goto cleanup;
 	}
 	dbus_pending_call_unref(pending); pending = NULL;
 
 	if (!dbus_message_iter_init(msg, &args)) {
-		dD("Failed to initialize iterator over received dbus message.");
+		dD("Failed to initialize iterator over received D-Bus message.");
 		goto cleanup;
 	}
 
 	if (dbus_message_get_type(msg) == DBUS_MESSAGE_TYPE_ERROR) {
-		dD("Receive an error exception from dBus");
+		dbus_message_iter_get_basic(&args, &value);
+		dW("Received an error from D-Bus (%s): %s", dbus_message_get_error_name(msg), value.str);
 		goto cleanup;
 	}
 
@@ -180,7 +184,6 @@ static int get_all_security_attributes(DBusConnection *conn, void(*callback)(cha
 				goto cleanup;
 			}
 
-			_DBusBasicValue value;
 			dbus_message_iter_get_basic(&dict_entry, &value);
 			property_name = oscap_strdup(value.str);
 			dD("Element key: %s", property_name);
@@ -274,13 +277,17 @@ fwupd_security_attr_result_to_string(FwupdSecurityAttrResult result)
 		return "supported";
 	if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED)
 		return "not-supported";
-	return NULL;
+	if (result == FWUPD_SECURITY_ATTR_RESULT_UNKNOWN) {
+		dD("Got FWUPD_SECURITY_ATTR_RESULT_UNKNOWN\n");
+		return "unknown";
+	}
+	dW("Unknown/invalid FwupdSecurityAttrResult value: %d\n", result);
+	return "invalid-hsi-result";
 }
 
 int fwupdsecattr_probe_main(probe_ctx *ctx, void *arg)
 {
 	SEXP_t *val, *item, *ent, *probe_in;
-	oval_schema_version_t oval_version;
 	char *stream_id = NULL;
 	const char *hsi_result_str;
 	uint64_t hsi_result = UINT64_MAX;
@@ -294,12 +301,7 @@ int fwupdsecattr_probe_main(probe_ctx *ctx, void *arg)
 	if (probe_in == NULL)
 		return PROBE_ENOOBJ;
 
-	oval_version = probe_obj_get_platform_schema_version(probe_in);
-	if (oval_schema_version_cmp(oval_version, OVAL_SCHEMA_VERSION(5.11.3)) < 0) {
-		return PROBE_EOPNOTSUPP;
-	}
-
-	ent = probe_obj_getent(probe_in, "stream-id", 1);
+	ent = probe_obj_getent(probe_in, "stream_id", 1);
 	if (ent == NULL)
 		return PROBE_ENOENT;
 
@@ -313,25 +315,28 @@ int fwupdsecattr_probe_main(probe_ctx *ctx, void *arg)
 	SEXP_free(val);
 	SEXP_free(ent);
 
-	DBusError dbus_error;
-	DBusConnection *dbus_conn;
-
 	if (LIST_EMPTY(&hsi_result_cache)) {
+		DBusError dbus_error;
+		DBusConnection *dbus_conn;
+
 		dbus_error_init(&dbus_error);
 		dbus_conn = connect_dbus();
 
 		if (dbus_conn == NULL) {
 			dbus_error_free(&dbus_error);
-			SEXP_t *msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_INFO, "DBus connection failed, could not identify fwupd.");
+			SEXP_t *msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_INFO, "D-Bus connection failed, could not identify fwupd.");
 			probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR);
 			probe_cobj_add_msg(probe_ctx_getresult(ctx), msg);
 			SEXP_free(msg);
 			return 0;
 		}
 
-		if (get_all_security_attributes(dbus_conn, hsicache_callback, NULL)) {
+		int res = get_all_security_attributes(dbus_conn, hsicache_callback, NULL);
+		disconnect_dbus(dbus_conn);
+
+		if (res) {
 			dbus_error_free(&dbus_error);
-			SEXP_t *msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_INFO, "fwupd is not properly installed or configured.");
+			SEXP_t *msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_INFO, "The fwupd service is not properly installed or configured.");
 			probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR);
 			probe_cobj_add_msg(probe_ctx_getresult(ctx), msg);
 			SEXP_free(msg);
@@ -343,7 +348,7 @@ int fwupdsecattr_probe_main(probe_ctx *ctx, void *arg)
 
 	if (hsi_result == UINT32_MAX) {
 		item = probe_item_create(OVAL_LINUX_FWUPDSECATTR, NULL,
-					 "security-attr", OVAL_DATATYPE_STRING, "Attribute not found",
+					 "security_attr", OVAL_DATATYPE_STRING, "not-found",
 					 NULL);
 		probe_item_setstatus(item, SYSCHAR_STATUS_NOT_COLLECTED);
 		probe_item_collect(ctx, item);
@@ -352,12 +357,11 @@ int fwupdsecattr_probe_main(probe_ctx *ctx, void *arg)
 
 	hsi_result_str = fwupd_security_attr_result_to_string(hsi_result);
 	item = probe_item_create(OVAL_LINUX_FWUPDSECATTR, NULL,
-				 "security-attr", OVAL_DATATYPE_STRING, hsi_result_str,
+				 "security_attr", OVAL_DATATYPE_STRING, hsi_result_str,
 				 NULL);
 	probe_item_collect(ctx, item);
 
 exit:
 	free(stream_id);
-	disconnect_dbus(dbus_conn);
 	return 0;
 }

tests/probes/CMakeLists.txt

@@ -6,6 +6,7 @@ add_subdirectory("fileextendedattribute")
 add_subdirectory("filehash")
 add_subdirectory("filehash58")
 add_subdirectory("filemd5")
+add_subdirectory("fwupdsecattr")
 add_subdirectory("iflisteners")
 add_subdirectory("interface")
 add_subdirectory("isainfo")

tests/probes/fwupdsecattr/CMakeLists.txt

@@ -0,0 +1,7 @@
+if(ENABLE_PROBES_LINUX)
+	if(DBUS_FOUND)
+		add_oscap_test("test_probes_fwupdsecattr.sh")
+		add_oscap_test("test_probes_fwupdsecattr_mock.sh")
+	endif()
+endif()
+

tests/probes/fwupdsecattr/org.freedesktop.fwupd.py

@@ -0,0 +1,33 @@
+# This is a template for D-Bus mock
+# see init_dbus_mock() from test_common.sh.
+# The Exit() method is expected by
+# clean_dbus_mock() from the same file.
+
+__author__ = 'Evgenii Kolesnikov'
+__copyright__ = '''
+(c) 2023 Red Hat Inc.
+'''
+
+import dbus
+
+
+BUS_NAME = 'org.freedesktop.fwupd'
+MAIN_OBJ = '/'
+MAIN_IFACE = 'org.freedesktop.fwupd'
+SYSTEM_BUS = False
+
+
+def load(mock, _parameters):
+    mock.AddMethods(MAIN_IFACE, [
+        ('GetHostSecurityAttrs', '', 'aa{sv}', 'ret = self.SecurityAattrs'),
+        ('Exit', '', '', 'sys.exit()'),
+    ])
+
+    mock.SecurityAattrs = [
+        {
+            'AppstreamId': 'org.fwupd.hsi.Kernel.Lockdown', 'HsiResult': dbus.UInt32(2)
+        },
+        {
+            'AppstreamId': 'org.fwupd.hsi.Kernel.InvalidStatus', 'HsiResult': dbus.UInt32(200)
+        }
+    ]