OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit

Home Page:https://www.open-scap.org/tools/openscap-base


Partition probe broken with PCRE2

jan-cerny opened this issue · comments

Description of Problem:

When OpenSCAP is built with PCRE2, the partition probe doesn't properly evaluate OVAL partition objects that contain a regular expression pattern.

This breaks rule audit_rules_privileged_commands from scap-security-guide-0.1.69.

OpenSCAP Version:

current upstream maint-1.3 branch as of HEAD 9b3e756

Operating System & Version:

Fedora 38

Steps to Reproduce:

Reproducer OVAL: reproducer.zip

  1. cmake -DWITH_PCRE2=ON -DCMAKE_BUILD_TYPE=Debug .. && make
  2. ./oscap_wrapper oval eval --results results.xml reproducer.xml

Actual Results:

Definition oval:x:def:1 is evaluated as false; the XML results show that the object doesn't exist.

Expected Results:

Behavior should be the same as when built with PCRE1. Specifically, definition oval:x:def:1 is evaluated as true, and the XML results contain many items matching the partition object.
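An added check, not from the issue or the OpenSCAP project, that reads an `oscap oval eval` results file and reports a definition's result together with any collected objects whose flag is not `complete`; the results document below is constructed in the shape oscap writes, and `oval:x:obj:1` is an assumed object id for the reproducer:

```python
import xml.etree.ElementTree as ET

# Namespaces used in OVAL 5 results documents written by oscap.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5",
}

# Constructed sample: what the PCRE2 build produces for the reproducer
# (definition false, partition object not collected). oval:x:obj:1 is an
# assumed object id; oval:x:def:1 is the definition named in the issue.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system>
    <definitions>
      <definition definition_id="oval:x:def:1" version="1" result="false"/>
    </definitions>
    <oval_system_characteristics
        xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5">
      <collected_objects>
        <object id="oval:x:obj:1" version="1" flag="does not exist"/>
      </collected_objects>
    </oval_system_characteristics>
  </system></results>
</oval_results>
"""


def definition_results(root):
    """Map definition id -> result ('true', 'false', 'error', ...)."""
    return {d.get("definition_id"): d.get("result")
            for d in root.iterfind(".//res:definition", NS)}


def uncollected_objects(root):
    """Map object id -> flag for every collected object not flagged 'complete'."""
    return {o.get("id"): o.get("flag")
            for o in root.iterfind(".//sc:collected_objects/sc:object", NS)
            if o.get("flag") != "complete"}


def check_results(xml_text, definition_id):
    """Return (result, uncollected) for one definition. A 'false' result beside
    objects flagged 'does not exist' is the symptom the issue describes; a
    PCRE1 build yields 'true' with no uncollected objects for the same input."""
    root = ET.fromstring(xml_text)
    return definition_results(root).get(definition_id), uncollected_objects(root)


if __name__ == "__main__":
    print(check_results(SAMPLE_RESULTS, "oval:x:def:1"))
```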

Additional Information / Debugging Steps:

This patch seems to fix the problem:

diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c
index cd0e10413..eea7bc348 100644
--- a/src/OVAL/probes/unix/linux/partition_probe.c
+++ b/src/OVAL/probes/unix/linux/partition_probe.c
@@ -402,7 +402,7 @@ int partition_probe_main(probe_ctx *ctx, void *probe_arg)
                                 rc = oscap_pcre_exec(re, mnt_entp->mnt_dir,
                                                strlen(mnt_entp->mnt_dir), 0, 0, NULL, 0);
 
-                                if (rc == 0) {
+                                if (rc >= 0) {
                                        if (
 #if defined(HAVE_BLKID_GET_TAG_VALUE)
                                                collect_item(ctx, obj_over, mnt_entp, blkcache)
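Review bot: the `rc == 0` comparison is the defect, since the PCRE1 and PCRE2 backends do not return the same non-negative value on a successful match, and `rc >= 0` is the condition that accepts a match from either; before merging, confirm that `oscap_pcre_exec` reports no-match and every error case as a negative value for both backends, otherwise the widened condition would collect an item on an error return, and check whether the same `rc == 0` test appears in other probes that go through `oscap_pcre_exec`.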

Additionally, you can discover this by running Automatus test scenarios for the rule audit_rules_privileged_commands on a VM back end where the VM contains a custom build of OpenSCAP with PCRE2.

We should try and reproduce the problem in OpenSCAP upstream unit tests on top of fixing the problem. Good catch!