From 704e6ae9c30f6cd2b07172e779197c24c4251f3b Mon Sep 17 00:00:00 2001
From: David du Colombier
Date: Wed, 18 Feb 2026 15:03:36 +0100
Subject: [PATCH] Switch RPM probes from PROBE_OFFLINE_CHROOT to PROBE_OFFLINE_OWN

The rpminfo, rpmverifyfile, and rpmverify probes declared PROBE_OFFLINE_CHROOT mode, causing the probe framework to call chroot which requires root privileges. All three probes already had PROBE_OFFLINE_OWN handler code using rpmtsSetRootDir to point librpm at the sysroot's RPM database without chroot. Switch the offline mode to PROBE_OFFLINE_OWN so oscap-chroot scans work as an unprivileged user. Update the offline test scripts to use set_offline_chroot_dir directly, removing the chroot capability requirement.

---
 src/OVAL/probes/unix/linux/rpminfo_probe.c | 2 +-
 src/OVAL/probes/unix/linux/rpmverify_probe.c | 3 +--
 .../probes/unix/linux/rpmverifyfile_probe.c | 3 +--
 tests/probes/rpm/rpm_common.sh | 19 +++++++++++++++++++
 .../rpminfo/test_probes_rpminfo_offline.sh | 4 ++--
 ..._rpmverify_not_equals_operation_offline.sh | 4 ++--
 .../test_probes_rpmverifyfile_offline.sh | 4 ++--
 7 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/src/OVAL/probes/unix/linux/rpminfo_probe.c b/src/OVAL/probes/unix/linux/rpminfo_probe.c
index 0730ddc707..32d5732573 100644
--- a/src/OVAL/probes/unix/linux/rpminfo_probe.c
+++ b/src/OVAL/probes/unix/linux/rpminfo_probe.c
@@ -282,7 +282,7 @@ static int get_rpminfo(struct rpminfo_req *req, struct rpminfo_rep **rep, struct
 
 int rpminfo_probe_offline_mode_supported()
 {
- return PROBE_OFFLINE_CHROOT;
+ return PROBE_OFFLINE_OWN;
 }
 
 void *rpminfo_probe_init(void)
diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
index bf310ea7d7..4086cb0c6f 100644
--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
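Review bot: `rpminfo_probe_offline_mode_supported()` now returns `PROBE_OFFLINE_OWN` as a bare constant with nothing in the file tying that choice to the `rpmtsSetRootDir` handler the commit message relies on; the same applies to the rpmverify and rpmverifyfile hunks, where the removed TODO said the switch was waiting on librpm support for `rpmtsSetRootDir` and the new code records nothing about what now satisfies that. A one-line comment above the return would keep the dependency visible, e.g. `/* Offline scans use rpmtsSetRootDir() to point librpm at the sysroot's RPM database, so no chroot (and no root privilege) is needed. */`. If a minimum librpm version is behind the removed TODO, it belongs in that comment or in the build's version check — I cannot see either from here. Note also that leaving chroot mode drops the kernel-enforced confinement it gave: any file access these probes make outside librpm (the verify probes may stat or open files themselves, which I cannot see from this hunk) must now be prefixed with the sysroot by the OWN handler, or it silently reads the host instead; that handler code is outside this hunk.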
@@ -222,8 +222,7 @@ static int rpmverify_collect(probe_ctx *ctx,
 
 int rpmverify_probe_offline_mode_supported()
 {
- // TODO: Switch this to OFFLINE_MODE_OWN once rpmtsSetRootDir is fully supported by librpm
- return PROBE_OFFLINE_CHROOT;
+ return PROBE_OFFLINE_OWN;
 }
 
 void *rpmverify_probe_init(void)
diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
index 8da310e51b..49155546df 100644
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
@@ -342,8 +342,7 @@ static int rpmverify_collect(probe_ctx *ctx,
 
 int rpmverifyfile_probe_offline_mode_supported()
 {
- // TODO: Switch this to OFFLINE_MODE_OWN once rpmtsSetRootDir is fully supported by librpm
- return PROBE_OFFLINE_CHROOT;
+ return PROBE_OFFLINE_OWN;
 }
 
 void *rpmverifyfile_probe_init(void)
diff --git a/tests/probes/rpm/rpm_common.sh b/tests/probes/rpm/rpm_common.sh
index eb96f76d80..dbf4e596cf 100755
--- a/tests/probes/rpm/rpm_common.sh
+++ b/tests/probes/rpm/rpm_common.sh
@@ -35,11 +35,30 @@ function rpm_prepare_offline {
 rpm -i ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
 }
 
+# Variant for probes using PROBE_OFFLINE_OWN (rpmtsSetRootDir) that
+# do not require chroot capability.
+function rpm_prepare_offline_own {
+ set_offline_chroot_dir "$RPMTEST"
+ require "rpm" || return 255
+ rm -rf ${RPMTEST}
+ mkdir -p ${RPMTEST}/usr/lib/rpm
+ cp /usr/lib/rpm/rpmrc ${RPMTEST}/usr/lib/rpm/rpmrc
+ cp /usr/lib/rpm/macros ${RPMTEST}/usr/lib/rpm/macros
+ rpm_build
+ rpm -i ${RPMBUILD}/RPMS/noarch/foobar-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+ rpm -i ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+}
+
 function rpm_cleanup_offline {
 rm -rf ${RPMTEST}
 unset_chroot_offline_test_mode
 }
 
+function rpm_cleanup_offline_own {
+ rm -rf ${RPMTEST}
+ set_offline_chroot_dir ""
+}
+
 function rpm_query {
 require "rpm" || return 255
 if [ -d "$OSCAP_PROBE_ROOT" ]; then
diff --git a/tests/probes/rpm/rpminfo/test_probes_rpminfo_offline.sh b/tests/probes/rpm/rpminfo/test_probes_rpminfo_offline.sh
index 7cffcf53a3..460e1763f9 100755
--- a/tests/probes/rpm/rpminfo/test_probes_rpminfo_offline.sh
+++ b/tests/probes/rpm/rpminfo/test_probes_rpminfo_offline.sh
@@ -21,10 +21,10 @@ set -e -o pipefail
 
 test_init
 
-rpm_prepare_offline
+rpm_prepare_offline_own
 
 test_run "rpminfo probe test (offline)" test_probes_rpminfo foo foobar
 
-rpm_cleanup_offline
+rpm_cleanup_offline_own
 
 test_exit
\ No newline at end of file
diff --git a/tests/probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh b/tests/probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh
index 2cb2ec54d1..afb5a6e4ef 100755
--- a/tests/probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh
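Review bot: `rpm_prepare_offline_own` duplicates the body of `rpm_prepare_offline` (whose opening lines are outside this hunk) apart from its first line, so any future fix to the package setup has to be applied twice; factoring the shared `rm -rf` … `rpm -i` sequence into one helper that both wrappers call would remove that. In the new function `set_offline_chroot_dir "$RPMTEST"` runs before `require "rpm" || return 255`, so a skipped test returns with the offline root still configured and `rpm_cleanup_offline_own` never called; putting `require "rpm" || return 255` first avoids that. The `rm -rf ${RPMTEST}` in both new functions has no guard against `RPMTEST` being empty or containing whitespace — `RPMTEST` is defined outside this hunk, so I cannot tell whether it is always set — and `[ -n "$RPMTEST" ] || return 1` followed by `rm -rf "$RPMTEST"` would keep the removal bounded to the scratch directory. The existing functions in the context lines are unquoted in the same way, so that is a pre-existing pattern rather than a regression, but the new code is the place to stop repeating it.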
+++ b/tests/probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh
@@ -32,8 +32,8 @@ function perform_test {
 }
 
-rpm_prepare_offline
+rpm_prepare_offline_own
 
 test_run "rpmverify probe test not equals operation (offline)" perform_test
 
-rpm_cleanup_offline
+rpm_cleanup_offline_own
 
diff --git a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh
index 25d2c33dc0..e5e0a4fc17 100755
--- a/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh
+++ b/tests/probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh
@@ -85,10 +85,10 @@ function test_probes_rpmverifyfile {
 
 test_init
 
-rpm_prepare_offline
+rpm_prepare_offline_own
 
 test_run "rpmverifyfile probe test with OVAL 5.11.1 (offline)" test_probes_rpmverifyfile
 
-rpm_cleanup_offline
+rpm_cleanup_offline_own
 
 test_exit
\ No newline at end of file