From f8366b395b977392d724c6cc84c7295590c39ee8 Mon Sep 17 00:00:00 2001 From: Evgeny Kolesnikov Date: Tue, 7 Nov 2023 20:01:44 +0100 Subject: [PATCH] Fix tests/probes/sysctl_all The test will now automatically adapt to the list of readable variables and won't break every time a new root-readable variable is introduced in kernel. --- tests/probes/sysctl/test_sysctl_probe_all.sh | 144 +++++++------------ 1 file changed, 50 insertions(+), 94 deletions(-) diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh index f1834059fb..efaa31b9b1 100755 --- a/tests/probes/sysctl/test_sysctl_probe_all.sh +++ b/tests/probes/sysctl/test_sysctl_probe_all.sh @@ -8,101 +8,57 @@ set -e -o pipefail # non root users PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin -# non root users are not able to access some kernel params, so they get excluded -SYSCTL_EXCLUDE=' - dev.parport.parport0.autoprobe - dev.tty.legacy_tiocsti - fs.protected_hardlinks - fs.protected_fifos - fs.protected_regular - fs.protected_symlinks - kernel.apparmor_display_secid_mode - kernel.apparmor_restrict_unprivileged_userns - kernel.apparmor_restrict_unprivileged_userns_complain - kernel.apparmor_restrict_unprivileged_userns_force - kernel.cad_pid - kernel.unprivileged_userns_apparmor_policy - kernel.usermodehelper.bset - kernel.usermodehelper.inheritable - net.core.bpf_jit_harden - net.core.bpf_jit_kallsyms - net.core.bpf_jit_limit - net.ipv4.tcp_fastopen_key - stable_secret - vm.mmap_rnd_bits - vm.mmap_rnd_compat_bits - vm.stat_refresh' - -SYSCTL_EXCLUDE_REGEX="$(printf '\|%s' $SYSCTL_EXCLUDE)" -# strip leading '\|' -SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX:2} - function perform_test { -probecheck "sysctl" || return 255 - -name=$(basename $0 .sh) - -result=$(mktemp ${name}.res.out.XXXXXX) -stderr=$(mktemp ${name}.err.out.XXXXXX) -ourNames=$(mktemp ${name}.our.out.XXXXXX) -sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX) - -echo "Result file: $result" -echo "Our names file: $ourNames" -echo "Sysctl names file: $sysctlNames" -echo "Errors file: $stderr" - -$OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr - -case $(uname) in - FreeBSD) - sysctl -aN 2> /dev/null > "$sysctlNames" - ;; - Linux) - # sysctl has duplicities in output - # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" - # kernel parameters might use "/" and "." separators interchangeably - normalizing - sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr "/" "." | sort -u > "$sysctlNames" - ;; -esac - -grep unix-sys:name "$result" | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" - -# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh -# options from the sysctl output, for more details see -# https://github.com/OpenSCAP/openscap/issues/1152. -procps_ver="$(package_version procps-ng procps)" - -lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1) -if [ "$procps_ver" != "$lowest_ver" ]; then - sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames" - sed -i '/.*vm.stat_refresh/d' "$sysctlNames" -fi - -if ! grep -q "hugepages" "$ourNames"; then - sed -i "/^.*hugepages.*$/d" "$sysctlNames" -fi - -echo "Diff (sysctlNames / ourNames): ------" -diff "$sysctlNames" "$ourNames" -echo "-------------------------------------" - -# remove oscap error message related to permissions from stderr -sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr" -sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr" - -# remove oscap error message related to gibberish binary entries -# that can't fit into 8K buffer and result in errno 14 -# (for example /proc/sys/kernel/spl/hostid could be the case) -sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr" -sed -i "/^.*hugepages.*$/d" "$stderr" - -echo "Errors (without messages related to permissions):" -cat "$stderr" - -[ ! -s $stderr ] - -rm $stderr $result $ourNames $sysctlNames + probecheck "sysctl" || return 255 + + name=$(basename $0 .sh) + + result=$(mktemp ${name}.res.out.XXXXXX) + stderr=$(mktemp ${name}.err.out.XXXXXX) + ourNames=$(mktemp ${name}.our.out.XXXXXX) + sysctlNames=$(mktemp ${name}.sysctl.out.XXXXXX) + + echo "Result file: $result" + echo "Our names file: $ourNames" + echo "Sysctl names file: $sysctlNames" + echo "Errors file: $stderr" + + $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev/null 2>$stderr + + case $(uname) in + FreeBSD) + sysctl -aN 2> /dev/null > "$sysctlNames" + ;; + Linux) + # sysctl has duplicities in output + # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'" + # kernel parameters might use "/" and "." separators interchangeably - normalizing + sysctl -a --deprecated 2> /dev/null | tr "/" "." | cut -d "=" -f 1 | tr -d " " | sort -u > "$sysctlNames" + ;; + esac + + grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" + + echo "Diff (sysctlNames / ourNames): ------" + diff "$sysctlNames" "$ourNames" + echo "-------------------------------------" + + # remove oscap error message related to permissions from stderr + sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr" + sed -i -E "/^E: oscap: +An error.*, Operation not permitted/d" "$stderr" + + # remove oscap error message related to gibberish binary entries + # that can't fit into 8K buffer and result in errno 14 + # (for example /proc/sys/kernel/spl/hostid could be the case) + sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr" + sed -i "/^.*hugepages.*$/d" "$stderr" + + echo "Errors (without messages related to permissions):" + cat "$stderr" + + [ ! -s $stderr ] + + rm $stderr $result $ourNames $sysctlNames } perform_test