Improve macOS and FreeBSD portability in build and probes

Guard Linux-specific compiler/linker assumptions in CMake and add platform-compatible fallbacks in Unix probes and common utilities.

Add Darwin handling for sysctl collection, memory usage, and MAC address resolution. Add unsupported-path behavior for runlevel on platforms where runlevels are not applicable.

Handle missing fgetpwent environments in password/shadow probe paths so builds complete and offline evaluation remains functional.

Author: ed-silva-eb

CMakeLists.txt

@@ -205,6 +205,7 @@ check_function_exists(memalign HAVE_MEMALIGN)
 check_function_exists(fts_open HAVE_FTS_OPEN)
 check_function_exists(strsep HAVE_STRSEP)
 check_function_exists(strptime HAVE_STRPTIME)
+check_function_exists(fgetpwent HAVE_FGETPWENT)
 
 check_include_file(syslog.h HAVE_SYSLOG_H)
 check_include_file(stdio_ext.h HAVE_STDIO_EXT_H)
@@ -529,8 +530,16 @@ if (MSVC)
 endif()
 
 if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU" OR ${CMAKE_C_COMPILER_ID} STREQUAL "Clang")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -D_GNU_SOURCE -DRBT_IMPLICIT_LOCKING=1 -std=c99")
-	add_link_options(-Wl,-z,now)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pipe -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -Wno-int-conversion -Werror=implicit-function-declaration -DRBT_IMPLICIT_LOCKING=1 -std=c99")
+	# -D_GNU_SOURCE exposes GNU extensions but changes function signatures on non-glibc
+	# platforms (e.g. strerror_r on macOS becomes XSI). Only set it on glibc systems.
+	if(NOT APPLE AND NOT CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_GNU_SOURCE")
+	endif()
+	# -Wl,-z,now is a Linux/ELF linker flag; not supported on macOS (uses -bind_at_load)
+	if(NOT APPLE)
+		add_link_options(-Wl,-z,now)
+	endif()
 endif()
 if(${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")
 	add_link_options(-lkvm -lm -lprocstat)

config.h.in

@@ -85,6 +85,7 @@
 #cmakedefine HAVE_STRSEP
 #cmakedefine HAVE_FLOCK
 #cmakedefine HAVE_STRPTIME
+#cmakedefine HAVE_FGETPWENT
 
 #cmakedefine OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE
 #cmakedefine OPENSCAP_PROBE_INDEPENDENT_ENVIRONMENTVARIABLE58

src/OVAL/probes/unix/password_probe.c

@@ -67,6 +67,51 @@
 #include <probe/option.h>
 #include "password_probe.h"
 
+/*
+ * fgetpwent() is a GNU/glibc extension; provide a portable fallback.
+ * This parses a standard /etc/passwd-format file one entry at a time.
+ */
+#ifndef HAVE_FGETPWENT
+static struct passwd *oscap_fgetpwent(FILE *fp)
+{
+	static char line[2048];
+	static struct passwd pw;
+	char *fields[7], *p;
+	int f;
+
+	while (fgets(line, sizeof(line), fp) != NULL) {
+		if (line[0] == '#' || line[0] == '\n')
+			continue;
+		f = 0;
+		p = line;
+		while (f < 7) {
+			fields[f++] = p;
+			p = strchr(p, ':');
+			if (p)
+				*p++ = '\0';
+			else
+				break;
+		}
+		if (f < 7)
+			continue;
+		/* strip trailing newline from shell field */
+		size_t n = strlen(fields[6]);
+		if (n > 0 && fields[6][n - 1] == '\n')
+			fields[6][n - 1] = '\0';
+		pw.pw_name   = fields[0];
+		pw.pw_passwd = fields[1];
+		pw.pw_uid    = (uid_t)atoi(fields[2]);
+		pw.pw_gid    = (gid_t)atoi(fields[3]);
+		pw.pw_gecos  = fields[4];
+		pw.pw_dir    = fields[5];
+		pw.pw_shell  = fields[6];
+		return &pw;
+	}
+	return NULL;
+}
+#define fgetpwent oscap_fgetpwent
+#endif
+
 /* Convenience structure for the results being reported */
 struct result_info {
         const char *username;

src/OVAL/probes/unix/runlevel_probe.c

@@ -468,9 +468,10 @@ static int get_runlevel (struct runlevel_req *req, struct runlevel_rep **rep)
         _A(rep != NULL);
         return GET_RUNLEVEL(LINUX_DISTRO, req, rep);
 }
-#elif defined(OS_FREEBSD)
+#elif defined(OS_FREEBSD) || defined(OS_APPLE)
 static int get_runlevel (struct runlevel_req *req, struct runlevel_rep **rep)
 {
+        /* SysV runlevels are a Linux/Solaris concept; not applicable on BSD/macOS */
         _A(req != NULL);
         _A(rep != NULL);
         return (-1);

src/OVAL/probes/unix/shadow_probe.c

@@ -62,6 +62,11 @@
 #include "shadow_probe.h"
 
 #ifndef HAVE_SHADOW_H
+int shadow_probe_offline_mode_supported()
+{
+	return PROBE_OFFLINE_NONE;
+}
+
 int shadow_probe_main(probe_ctx *ctx, void *arg)
 {
         SEXP_t *item_sexp;

src/OVAL/probes/unix/sysctl_probe.c

@@ -44,6 +44,16 @@
 #include "common/debug_priv.h"
 
 #define SYSCTL_CMD "/sbin/sysctl -ae"
+#elif defined(OS_APPLE)
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <string.h>
+
+#include "common/debug_priv.h"
+
+/* On macOS sysctl(8) lives under /usr/sbin */
+#define SYSCTL_CMD "/usr/sbin/sysctl -ae"
 #endif
 
 #if defined(OS_LINUX)
@@ -305,7 +315,7 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
         return (0);
 }
 
-#elif defined(OS_FREEBSD)
+#elif defined(OS_FREEBSD) || defined(OS_APPLE)
 
 int sysctl_probe_offline_mode_supported(void)
 {

src/XCCDF/result.c

@@ -70,6 +70,16 @@
 #include <sys/sockio.h>
 #endif
 
+#if defined(OS_APPLE)
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#endif
+
 #include "item.h"
 #include "helpers.h"
 #include "xccdf_impl.h"
@@ -468,6 +478,58 @@ void xccdf_result_fill_sysinfo(struct xccdf_result *result)
 	out1:
 		freeifaddrs(ifaddr);
 	}
+#elif defined(OS_APPLE)
+	if (!probe_root) {
+		struct ifaddrs *ifaddr, *ifa;
+		if (getifaddrs(&ifaddr) == -1)
+			return;
+		for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+			int family;
+			char hostip[NI_MAXHOST];
+
+			if (!ifa->ifa_addr)
+				continue;
+			family = ifa->ifa_addr->sa_family;
+
+			if (family == AF_INET || family == AF_INET6) {
+				if (family == AF_INET) {
+					if (getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in),
+							hostip, sizeof(hostip), NULL, 0, NI_NUMERICHOST))
+						continue;
+				} else {
+					struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
+					if (!inet_ntop(family, &sin6->sin6_addr, hostip, sizeof(hostip)))
+						continue;
+				}
+				xccdf_result_add_target_address(result, hostip);
+				fact = xccdf_target_fact_new();
+				xccdf_target_fact_set_name(fact, family == AF_INET ?
+					"urn:xccdf:fact:asset:identifier:ipv4" :
+					"urn:xccdf:fact:asset:identifier:ipv6");
+				xccdf_target_fact_set_string(fact, hostip);
+				_xccdf_result_add_target_fact_uniq(result, fact);
+			} else if (family == AF_LINK) {
+				/* macOS exposes MAC addresses as AF_LINK entries in getifaddrs */
+				struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
+				if (sdl->sdl_alen == 6) {
+					unsigned char *mac = (unsigned char *)LLADDR(sdl);
+					char macbuf[20];
+					snprintf(macbuf, sizeof(macbuf),
+						"%02X:%02X:%02X:%02X:%02X:%02X",
+						mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
+					fact = xccdf_target_fact_new();
+					xccdf_target_fact_set_name(fact, "urn:xccdf:fact:ethernet:MAC");
+					xccdf_target_fact_set_string(fact, macbuf);
+					_xccdf_result_add_target_fact_uniq(result, fact);
+					fact = xccdf_target_fact_new();
+					xccdf_target_fact_set_name(fact, "urn:xccdf:fact:asset:identifier:mac");
+					xccdf_target_fact_set_string(fact, macbuf);
+					_xccdf_result_add_target_fact_uniq(result, fact);
+				}
+			}
+		}
+		freeifaddrs(ifaddr);
+	}
 #elif defined(OS_WINDOWS)
 
 #define VERSION_LEN 32

src/common/memusage.c

@@ -50,7 +50,13 @@
 #define GET_VM_ACT_PAGE_COUNT   "vm.stats.vm.v_active_count"
 
 #define BYTES_TO_KIB(x) (x >> 10)
-#endif
+#endif /* OS_FREEBSD */
+
+#if defined(OS_APPLE)
+#include <mach/mach.h>
+#include <sys/sysctl.h>
+#define BYTES_TO_KIB(x) ((x) >> 10)
+#endif /* OS_APPLE */
 
 #include "debug_priv.h"
 #include "memusage.h"
@@ -305,6 +311,32 @@ int oscap_sys_memusage(struct sys_memusage *mu)
 #elif defined(OS_FREEBSD)
 	if (freebsd_sys_memusage(mu))
 		return -1;
+#elif defined(OS_APPLE)
+	{
+		vm_statistics64_data_t vm_stat;
+		mach_msg_type_number_t count = HOST_VM_INFO64_COUNT;
+		vm_size_t page_size;
+		host_page_size(mach_host_self(), &page_size);
+		if (host_statistics64(mach_host_self(), HOST_VM_INFO64,
+		                      (host_info64_t)&vm_stat, &count) != KERN_SUCCESS) {
+			errno = EOPNOTSUPP;
+			return -1;
+		}
+		mu->mu_free     = BYTES_TO_KIB((uint64_t)vm_stat.free_count     * page_size);
+		mu->mu_active   = BYTES_TO_KIB((uint64_t)vm_stat.active_count   * page_size);
+		mu->mu_inactive = BYTES_TO_KIB((uint64_t)vm_stat.inactive_count * page_size);
+		mu->mu_buffers  = 0;
+		mu->mu_cached   = 0;
+		mu->mu_realfree = mu->mu_free + mu->mu_inactive;
+		/* Query total physical RAM via sysctl HW_MEMSIZE */
+		int mib[2] = { CTL_HW, HW_MEMSIZE };
+		uint64_t memsize = 0;
+		size_t len = sizeof(memsize);
+		if (sysctl(mib, 2, &memsize, &len, NULL, 0) == 0)
+			mu->mu_total = BYTES_TO_KIB(memsize);
+		else
+			mu->mu_total = 0;
+	}
 #else
 	errno = EOPNOTSUPP;
 	return -1;
@@ -326,6 +358,24 @@ int oscap_proc_memusage(struct proc_memusage *mu)
 #elif defined(OS_FREEBSD)
 	if (freebsd_proc_memusage(mu))
 		return -1;
+#elif defined(OS_APPLE)
+	{
+		struct task_basic_info info;
+		mach_msg_type_number_t count = TASK_BASIC_INFO_COUNT;
+		if (task_info(mach_task_self(), TASK_BASIC_INFO,
+		              (task_info_t)&info, &count) != KERN_SUCCESS) {
+			errno = EOPNOTSUPP;
+			return -1;
+		}
+		mu->mu_rss   = info.resident_size / 1024;
+		mu->mu_data  = info.virtual_size  / 1024;
+		/* TASK_BASIC_INFO doesn't expose peak RSS; use current as approximation */
+		mu->mu_hwm   = mu->mu_rss;
+		mu->mu_text  = 0;
+		mu->mu_stack = 0;
+		mu->mu_lib   = 0;
+		mu->mu_lock  = 0;
+	}
 #else
 	errno = EOPNOTSUPP;
 	return -1;