Partition probe broken with PCRE2
jan-cerny opened this issue
Description of Problem:
When OpenSCAP is built with PCRE2, the partition probe doesn't properly evaluate OVAL partition objects that contain a regular expression pattern.
This breaks rule audit_rules_privileged_commands from scap-security-guide-0.1.69.
OpenSCAP Version:
current upstream maint-1.3 branch as of HEAD 9b3e756
Operating System & Version:
Fedora 38
Steps to Reproduce:
Reproducer OVAL: reproducer.zip
- cmake -DWITH_PCRE2=ON -DCMAKE_BUILD_TYPE=Debug .. && make
- ./oscap_wrapper oval eval --results results.xml reproducer.xml
Actual Results:
Definition oval:x:def:1 is evaluated as false, the XML results show that the object doesn't exist.
Expected Results:
Behavior should be the same as when built with PCRE1. Specifically, definition oval:x:def:1 is evaluated as true, the XML results contain many items matching the partition object.
Additional Information / Debugging Steps:
This patch seems to fix the problem:
diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c
index cd0e10413..eea7bc348 100644
--- a/src/OVAL/probes/unix/linux/partition_probe.c
+++ b/src/OVAL/probes/unix/linux/partition_probe.c
@@ -402,7 +402,7 @@ int partition_probe_main(probe_ctx *ctx, void *probe_arg)
rc = oscap_pcre_exec(re, mnt_entp->mnt_dir,
strlen(mnt_entp->mnt_dir), 0, 0, NULL, 0);
- if (rc == 0) {
+ if (rc >= 0) {
if (
#if defined(HAVE_BLKID_GET_TAG_VALUE)
collect_item(ctx, obj_over, mnt_entp, blkcache)
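Review bot: The new `if (rc >= 0)` test needs a comment explaining why any non-negative return counts as a match, because the oscap_pcre_exec call just above passes NULL and 0 for the output vector and the meaning of a 0 return then depends on the regex backend. PCRE1's pcre_exec returns 0 on a successful match when the output vector is too small to hold the captures, while a PCRE2 build evidently returns a positive value, which is why `rc == 0` never fired there. Negative values cover both "no match" and genuine errors; if the code after this hunk does not already distinguish them, log the error case rather than skipping the mount point silently. Other oscap_pcre_exec call sites that compare the result with `== 0` deserve the same check, and a unit test with a pattern-match partition object would pin the behaviour for both builds.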
Additionally, you can discover this by running Automatus test scenarios for the rule audit_rules_privileged_commands on a VM back end where the VM contains a custom build of OpenSCAP with PCRE2.
We should try and reproduce the problem in OpenSCAP upstream unit tests on top of fixing the problem. Good catch!