changes to enable freebsd builds

Author: ed-silva-eb

src/OVAL/probes/unix/interface_probe.c

@@ -298,8 +298,10 @@ static void get_flags(const struct ifaddrs *ifa, char ***fp) {
                 if (ifa->ifa_flags & IFF_RENAMING)
                         flags_buf[i++] = "RENAMING";
 
+#ifdef IFF_NOGROUP
                 if (ifa->ifa_flags & IFF_NOGROUP)
                         flags_buf[i++] = "NOGROUP";
+#endif
 	}
 
 	flags_buf[i] = NULL;

src/OVAL/probes/unix/sysctl_probe.c

@@ -36,6 +36,7 @@
 #include "sysctl_probe.h"
 
 #if defined(OS_FREEBSD)
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <limits.h>
@@ -45,6 +46,7 @@
 
 #define SYSCTL_CMD "/sbin/sysctl -ae"
 #elif defined(OS_APPLE)
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <limits.h>
@@ -317,6 +319,85 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
 
 #elif defined(OS_FREEBSD) || defined(OS_APPLE)
 
+static int sysctl_name_char(int ch)
+{
+	return isalnum((unsigned char) ch) || ch == '.' || ch == '_' ||
+		ch == '%' || ch == '-';
+}
+
+static int sysctl_parse_line(char *line, char **mib, char **sysval)
+{
+	char *sep;
+	size_t i, mib_len;
+
+	sep = strchr(line, '=');
+	if (sep == NULL)
+		return 0;
+
+	mib_len = (size_t)(sep - line);
+	if (mib_len == 0 || !isalpha((unsigned char) line[0]))
+		return 0;
+
+	for (i = 0; i < mib_len; ++i) {
+		if (!sysctl_name_char(line[i]))
+			return 0;
+	}
+
+	*sep = '\0';
+	*mib = line;
+	*sysval = sep + 1;
+	return 1;
+}
+
+static int sysctl_append_value(char **value, size_t *value_len, const char *line)
+{
+	size_t line_len, new_len;
+	char *new_value;
+
+	line_len = strlen(line);
+	new_len = *value_len + line_len + (*value_len > 0 ? 1 : 0) + 1;
+	new_value = realloc(*value, new_len);
+	if (new_value == NULL)
+		return -1;
+
+	*value = new_value;
+	if (*value_len > 0)
+		new_value[(*value_len)++] = '\n';
+
+	memcpy(new_value + *value_len, line, line_len + 1);
+	*value_len += line_len;
+	return 0;
+}
+
+static int sysctl_collect_item(probe_ctx *ctx, SEXP_t *name_entity,
+			       const char *mib, const char *sysval)
+{
+	SEXP_t *item, *se_mib;
+
+	se_mib = SEXP_string_new(mib, strlen(mib));
+	if (!se_mib) {
+		dE("Failed to allocate new SEXP_string for se_mib");
+		return PROBE_ENOENT;
+	}
+
+	if (probe_entobj_cmp(name_entity, se_mib) == OVAL_RESULT_TRUE) {
+		item = probe_item_create(OVAL_UNIX_SYSCTL, NULL,
+					 "name", OVAL_DATATYPE_SEXP, se_mib,
+					 "value", OVAL_DATATYPE_STRING, sysval,
+					 NULL);
+		if (!item) {
+			dE("probe_item_create() returned a null item");
+			SEXP_free(se_mib);
+			return PROBE_ENOENT;
+		}
+
+		probe_item_collect(ctx, item);
+	}
+
+	SEXP_free(se_mib);
+	return 0;
+}
+
 int sysctl_probe_offline_mode_supported(void)
 {
         return PROBE_OFFLINE_NONE;
@@ -326,11 +407,11 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
 {
         FILE *fp;
         char output[LINE_MAX];
-        const char* SEP = "=";
-        char* mib;
-        char* sysval;
-        SEXP_t *se_mib;
         SEXP_t *name_entity, *probe_in;
+	int ret = 0;
+	char *current_mib = NULL;
+	char *current_value = NULL;
+	size_t current_value_len = 0;
 
         probe_in    = probe_ctx_getobject(ctx);
         name_entity = probe_obj_getent(probe_in, "name", 1);
@@ -354,50 +435,59 @@ int sysctl_probe_main(probe_ctx *ctx, void *probe_arg)
         }
 
         while (fgets(output, sizeof(output), fp)) {
-                char *strp;
-                mib = strtok_r(output, SEP, &strp);
-                sysval = strtok_r(NULL, SEP, &strp);
-
-                if (!mib)
-                        continue;
-
-                if (!sysval)
-                        continue;
-
-                se_mib = SEXP_string_new(mib, strlen(mib));
-
-                if (!se_mib) {
-                        dE("Failed to allocate new SEXP_string for se_mib");
-                        pclose(fp);
-                        return (PROBE_ENOENT);
-                }
-
-                /* Remove newline */
-                sysval[strlen(sysval)-1] = '\0';
-
-                if (probe_entobj_cmp(name_entity, se_mib) == OVAL_RESULT_TRUE) {
-                        SEXP_t *item;
-
-                        item = probe_item_create(OVAL_UNIX_SYSCTL, NULL,
-                                                "name", OVAL_DATATYPE_SEXP, se_mib,
-                                                "value", OVAL_DATATYPE_STRING, sysval,
-                                                NULL);
-
-                        if (!item) {
-                                dE("probe_item_create() returned a null item");
-                                pclose(fp);
-                                SEXP_free(se_mib);
-                                return (PROBE_ENOENT);
-                        }
-
-                        probe_item_collect(ctx, item);
-                }
-
-                SEXP_free(se_mib);
+		char *mib, *sysval, *newline;
+
+		newline = strchr(output, '\n');
+		if (newline != NULL)
+			*newline = '\0';
+
+		if (sysctl_parse_line(output, &mib, &sysval)) {
+			if (current_mib != NULL) {
+				ret = sysctl_collect_item(ctx, name_entity, current_mib,
+							  current_value != NULL ? current_value : "");
+				if (ret != 0)
+					goto cleanup;
+			}
+
+			free(current_mib);
+			free(current_value);
+			current_mib = strdup(mib);
+			current_value = NULL;
+			current_value_len = 0;
+			if (current_mib == NULL) {
+				dE("Failed to allocate new sysctl name buffer");
+				ret = PROBE_ENOENT;
+				goto cleanup;
+			}
+
+			if (sysctl_append_value(&current_value, &current_value_len, sysval) != 0) {
+				dE("Failed to append sysctl value");
+				ret = PROBE_ENOENT;
+				goto cleanup;
+			}
+
+			continue;
+		}
+
+		if (current_mib == NULL)
+			continue;
+
+		if (sysctl_append_value(&current_value, &current_value_len, output) != 0) {
+			dE("Failed to append sysctl continuation value");
+			ret = PROBE_ENOENT;
+			goto cleanup;
+		}
         }
 
+	if (current_mib != NULL)
+		ret = sysctl_collect_item(ctx, name_entity, current_mib,
+					  current_value != NULL ? current_value : "");
+
+cleanup:
+	free(current_mib);
+	free(current_value);
         pclose(fp);
-        return (0);
+        return ret;
 }
 
 #else

src/XCCDF_POLICY/xccdf_policy_remediate.c

@@ -35,6 +35,7 @@
 #include <io.h>
 #else
 #include <unistd.h>
+extern char **environ;
 #endif
 
 #include <libxml/tree.h>
@@ -2068,4 +2069,3 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
 
 	return ret;
 }
-

tests/probes/sysctl/test_sysctl_probe_all.sh

@@ -34,10 +34,16 @@ function perform_test {
 
 	case $(uname) in
 		FreeBSD)
-			sysctl -aN 2> /dev/null > "$sysctlNames"
+			sysctl -ae 2> /dev/null | \
+				grep -E '^[[:alpha:]][[:alnum:]_.%-]*=' | \
+				cut -d "=" -f 1 | \
+				sort -u > "$sysctlNames"
 			;;
 		Darwin)
-			sysctl -aN 2> /dev/null > "$sysctlNames"
+			sysctl -ae 2> /dev/null | \
+				grep -E '^[[:alpha:]][[:alnum:]_.%-]*=' | \
+				cut -d "=" -f 1 | \
+				sort -u > "$sysctlNames"
 			;;
 		Linux)
 			# sysctl has duplicities in output
@@ -50,7 +56,12 @@ function perform_test {
 			;;
 	esac
 
-	grep unix-sys:name "$result" | xsed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+	# Some platforms emit large values (for example FreeBSD's kern.geom.confxml)
+	# on the same line as the <unix-sys:name> element. Match the explicit name
+	# tags so value payloads do not pollute the extracted key list.
+	grep '<unix-sys:name>' "$result" | \
+		xsed -E 's;.*<unix-sys:name>([^<]+)</unix-sys:name>.*;\1;g' | \
+		sort > "$ourNames"
 
 	echo "Diff (sysctlNames / ourNames): ------"
 	diff "$sysctlNames" "$ourNames"