Do not execute probes if they don't support offline mode

jan-cerny · jan-cerny · commit e52a6fb2ae5e · 2019-12-03T14:21:31.000+01:00
If a probe didn't support offline mode, eg. systemdunitproperty probe,
we didn't call chroot and we executed the probe_*main function which
meant it scanned the host. We should terminate and return notapplicable
if offline mode is requested and the probe does not support it.
diff --git a/src/OVAL/probes/probe/input_handler.c b/src/OVAL/probes/probe/input_handler.c
@@ -122,99 +122,86 @@ void *probe_input_handler(void *arg)
 
 		if (oid != NULL) {
 			SEXP_VALIDATE(oid);
+			probe_out = probe_rcache_sexp_get(probe->rcache, oid);
 
-			if (probe->offline_mode && probe->supported_offline_mode == PROBE_OFFLINE_NONE) {
-				dW("Requested offline mode is not supported by %s probe.", oval_subtype_get_text(probe->subtype));
-				/* Return a dummy. */
-				probe_out = probe_cobj_new(SYSCHAR_FLAG_NOT_APPLICABLE, NULL, NULL, NULL);
-				probe_ret = 0;
-				SEXP_free(oid);
+			if (probe_out == NULL) { /* cache miss */
+				SEXP_t *skip_flag, *obj_mask;
+
+				skip_flag = probe_obj_getattrval(probe_in, "skip_eval");
+								obj_mask  = probe_obj_getmask(probe_in);
 				SEXP_free(probe_in);
-				oid = NULL;
 				probe_in = NULL;
-			}
-			else {
-				probe_out = probe_rcache_sexp_get(probe->rcache, oid);
-
-				if (probe_out == NULL) { /* cache miss */
-					SEXP_t *skip_flag, *obj_mask;
 
-					skip_flag = probe_obj_getattrval(probe_in, "skip_eval");
-	                                obj_mask  = probe_obj_getmask(probe_in);
-					SEXP_free(probe_in);
-					probe_in = NULL;
+				if (skip_flag != NULL) {
+					oval_syschar_collection_flag_t cobj_flag;
 
-					if (skip_flag != NULL) {
-						oval_syschar_collection_flag_t cobj_flag;
+					cobj_flag = SEXP_number_geti_32(skip_flag);
+					probe_out = probe_cobj_new(cobj_flag, NULL, NULL, obj_mask);
 
-						cobj_flag = SEXP_number_geti_32(skip_flag);
-						probe_out = probe_cobj_new(cobj_flag, NULL, NULL, obj_mask);
+					if (probe_rcache_sexp_add(probe->rcache, oid, probe_out) != 0) {
+						/* TODO */
+						abort();
+					}
 
-						if (probe_rcache_sexp_add(probe->rcache, oid, probe_out) != 0) {
-							/* TODO */
-							abort();
-						}
+					probe_ret = 0;
+					SEXP_free(oid);
+										SEXP_free(skip_flag);
+										SEXP_free(obj_mask);
+				} else {
 
-						probe_ret = 0;
-						SEXP_free(oid);
-	                                        SEXP_free(skip_flag);
-	                                        SEXP_free(obj_mask);
+					SEXP_free(oid);
+					SEXP_free(skip_flag);
+					SEXP_free(obj_mask);
+
+					probe_pwpair_t *pair = malloc(sizeof(probe_pwpair_t));
+					pair->probe = probe;
+					pair->pth   = probe_worker_new();
+					pair->pth->sid = SEAP_msg_id(seap_request);
+					pair->pth->msg = seap_request;
+					pair->pth->msg_handler = &probe_worker;
+
+					if (rbt_i32_add(probe->workers, pair->pth->sid, pair->pth, NULL) != 0) {
+						/*
+							* Getting here means that there is already a
+							* thread handling the message with the given
+							* ID.
+							*/
+						dW("Attempt to evaluate an object "
+							"(ID=%u) " // TODO: 64b IDs
+							"which is already being evaluated by an other thread.", pair->pth->sid);
+
+						free(pair->pth);
+						free(pair);
+						SEAP_msg_free(seap_request);
 					} else {
+						/* OK */
+
+						if (pthread_create(&pair->pth->tid, &pth_attr, &probe_worker_runfn, pair))
+						{
+							dE("Cannot start a new worker thread: %d, %s.", errno, strerror(errno));
 
-						SEXP_free(oid);
-						SEXP_free(skip_flag);
-						SEXP_free(obj_mask);
-
-						probe_pwpair_t *pair = malloc(sizeof(probe_pwpair_t));
-						pair->probe = probe;
-						pair->pth   = probe_worker_new();
-						pair->pth->sid = SEAP_msg_id(seap_request);
-						pair->pth->msg = seap_request;
-						pair->pth->msg_handler = &probe_worker;
-
-						if (rbt_i32_add(probe->workers, pair->pth->sid, pair->pth, NULL) != 0) {
-							/*
-							 * Getting here means that there is already a
-							 * thread handling the message with the given
-							 * ID.
-							 */
-							dW("Attempt to evaluate an object "
-							   "(ID=%u) " // TODO: 64b IDs
-							   "which is already being evaluated by an other thread.", pair->pth->sid);
+							if (rbt_i32_del(probe->workers, pair->pth->sid, NULL) != 0)
+								dE("rbt_i32_del: failed to remove worker thread (ID=%u)", pair->pth->sid);
 
+							SEAP_msg_free(pair->pth->msg);
 							free(pair->pth);
 							free(pair);
-							SEAP_msg_free(seap_request);
-						} else {
-							/* OK */
 
-							if (pthread_create(&pair->pth->tid, &pth_attr, &probe_worker_runfn, pair))
-							{
-								dE("Cannot start a new worker thread: %d, %s.", errno, strerror(errno));
+							probe_ret = PROBE_EUNKNOWN;
+							probe_out = NULL;
 
-								if (rbt_i32_del(probe->workers, pair->pth->sid, NULL) != 0)
-									dE("rbt_i32_del: failed to remove worker thread (ID=%u)", pair->pth->sid);
-
-								SEAP_msg_free(pair->pth->msg);
-								free(pair->pth);
-								free(pair);
-
-								probe_ret = PROBE_EUNKNOWN;
-								probe_out = NULL;
-
-								goto __error_reply;
-							}
+							goto __error_reply;
 						}
-
-						seap_request = NULL;
-						continue;
 					}
-				} else {
-					/* cache hit */
-					SEXP_free(oid);
-					SEXP_free(probe_in);
-					probe_ret = 0;
+
+					seap_request = NULL;
+					continue;
 				}
+			} else {
+				/* cache hit */
+				SEXP_free(oid);
+				SEXP_free(probe_in);
+				probe_ret = 0;
 			}
 		} else {
                         /* the `id' was not found in the input object */
diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
@@ -982,12 +982,16 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 	 */
 	rootdir = getenv("OSCAP_PROBE_ROOT");
 	if ((rootdir != NULL) && (strlen(rootdir) > 0)) {
-		probe->offline_mode = true;
-
 		preload_libraries_before_chroot(); // todo - maybe useless for own mode
 
-		if (probe->supported_offline_mode & PROBE_OFFLINE_OWN) {
+		if (probe->supported_offline_mode == PROBE_OFFLINE_NONE) {
+			dW("Requested offline mode is not supported by %s probe.", oval_subtype_get_text(probe->subtype));
+			*ret = 0;
+			return probe_cobj_new(SYSCHAR_FLAG_NOT_APPLICABLE, NULL, NULL, NULL);
+
+		} else if (probe->supported_offline_mode & PROBE_OFFLINE_OWN) {
 			dI("Switching probe to PROBE_OFFLINE_OWN mode.");
+			probe->offline_mode = true;
 			probe->selected_offline_mode = PROBE_OFFLINE_OWN;
 
 		} else if (probe->supported_offline_mode & PROBE_OFFLINE_CHROOT) {
@@ -1008,12 +1012,14 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 			 * mechanism to control this behaviour in the future.
 			 */
 			dI("Switching probe to PROBE_OFFLINE_CHROOT mode.");
+			probe->offline_mode = true;
 			probe->selected_offline_mode = PROBE_OFFLINE_CHROOT;
 		}
 	}
 
 	if (getenv("OSCAP_PROBE_RPMDB_PATH") != NULL) {
 		dI("Switching probe to PROBE_OFFLINE_RPMDB mode.");
+		probe->offline_mode = true;
 		probe->selected_offline_mode = PROBE_OFFLINE_RPMDB;
 	}
 #endif
