Add prefix to variables imported from the container configuration

Unprefixed variables won't be processed in offline mode
p0p0p0 · Aug 14, 2019 · 4e17d67 · 4e17d67
1 parent f865cb4
commit 4e17d67
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c
@@ -59,6 +59,7 @@
 #include "environmentvariable58_probe.h"
 
 #define BUFFER_SIZE 256
+#define VAR_OFFLINE_PREFIX "OSCAP_OFFLINE_"
 
 extern char **environ;
 
@@ -157,16 +158,28 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
 					continue;
 				}
 
-				env_name_size =  eq_char - buffer;
-				env_name = SEXP_string_new(buffer, env_name_size);
+				env_name_size = eq_char - buffer;
+				if (ctx->offline_mode == PROBE_OFFLINE_OWN) {
+					// We are not processing unprefixed (i.e. originated from the host) variables in offline mode
+					if (memmem(buffer, env_name_size, VAR_OFFLINE_PREFIX, strlen(VAR_OFFLINE_PREFIX)) != buffer
+						|| strlen(VAR_OFFLINE_PREFIX) >= env_name_size) {
+						buffer_used -= null_char + 1 - buffer;
+						memmove(buffer, null_char + 1, buffer_used);
+						continue;
+					}
+					env_name = SEXP_string_new(buffer + strlen(VAR_OFFLINE_PREFIX), env_name_size - strlen(VAR_OFFLINE_PREFIX));
+				} else {
+					env_name = SEXP_string_new(buffer, env_name_size);
+				}
 				env_value = SEXP_string_newf("%s", buffer + env_name_size + 1);
+
 				if (probe_entobj_cmp(name_ent, env_name) == OVAL_RESULT_TRUE) {
 					item = probe_item_create(
 						OVAL_INDEPENDENT_ENVIRONMENT_VARIABLE58, NULL,
 						"pid", OVAL_DATATYPE_INTEGER, (int64_t)pid,
 						"name",  OVAL_DATATYPE_SEXP, env_name,
 						"value", OVAL_DATATYPE_SEXP, env_value,
-					      NULL);
+						NULL);
 					probe_item_collect(ctx, item);
 					err = 0;
 				}

diff --git a/utils/oscap-podman b/utils/oscap-podman
@@ -80,7 +80,7 @@ fi
 DIR=$(podman mount $ID) || die
 
 for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do
-    eval "export $VAR"
+    eval "export OSCAP_OFFLINE_$VAR"
 done
 
 export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)"

diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py
@@ -155,7 +155,7 @@ def oscap_chroot(self, chroot_path, target, *oscap_args):
         os.environ["OSCAP_EVALUATION_TARGET"] = name
         for var in config.get("Env", []):
             vname, val = var.split("=", 1)
-            os.environ[vname] = val
+            os.environ["OSCAP_OFFLINE_"+vname] = val
         cmd = [self.oscap_binary] + [x for x in oscap_args]
         oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         oscap_stdout, oscap_stderr = oscap_process.communicate()