Merge pull request #2227 from evgenyz/fix-bash-remediation-env

jan-cerny · web-flow · commit 5cf310601235 · 2025-04-17T16:20:01.000+02:00
Inherit OpenSCAP environment when executing Bash remediations with `--remediate` option
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -483,18 +483,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
 				NULL
 			};
 
-			char *oscap_bootc_build = getenv("OSCAP_BOOTC_BUILD");
-			char *oscap_bootc_build_kvarg = NULL;
-			if (oscap_bootc_build != NULL) {
-				oscap_bootc_build_kvarg = oscap_sprintf("OSCAP_BOOTC_BUILD=%s", oscap_bootc_build);
-			}
-			char *const envp[3] = {
-				"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
-				oscap_bootc_build_kvarg,
-				NULL
-			};
-
-			execve(interpret, argvp, envp);
+			// We are inheriting openscap environment
+			execve(interpret, argvp, environ);
 			/* Wow, execve returned. In this special case, we failed to execute the fix
 			 * and we return 0 from function. At least the following error message will
 			 * indicate the problem in xccdf:message. */
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -94,6 +94,7 @@ add_oscap_test("test_remediation_cdata.sh")
 add_oscap_test("test_remediation_subs_unresolved.sh")
 add_oscap_test("test_remediation_fix_without_system.sh")
 add_oscap_test("test_remediation_invalid_characters.sh")
+add_oscap_test("test_remediation_environment.sh")
 add_oscap_test("test_remediate_simple.sh")
 add_oscap_test("test_remediate_perl.sh")
 add_oscap_test("test_report_check_with_empty_selector.sh")
diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+name=$(basename $0 .sh)
+result=$(mktemp -t ${name}.out.XXXXXX)
+
+rm -f remediation.env
+
+CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
+export CANARY_EXPORTED
+CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
+
+grep -q "${PATH}" remediation.env || die "PATH not found"
+grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
+grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
+
+rm -f remediation.env
+rm $result
diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+  <status>accepted</status>
+  <version>1.0</version>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
+    <title>Write some environment variables</title>
+    <fix system="urn:xccdf:fix:script:sh">
+        echo "PATH=${PATH}" > remediation.env
+        echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env
+        echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env
+    </fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+</Benchmark>
