Conversation

@marcusburghardt
Member

Description:

The get_profiles_from_products function was introduced to allow external tools, such as complyscribe, to process profiles externally.

During tests it was noticed that some rules were not available in profile levels with inheritance.

Rationale:

Review Hints:

The get_profiles_from_products function is not used internally in the build system.
But this simple script may help test the changes after running source .pyenv.sh:

import os
from pprint import pprint

from ssg.jinja import load_macros_from_content_dir
from ssg.profiles import get_profiles_from_products


def _get_root_content_dir() -> str:
    # Update the path according to your environment
    home_dir = os.path.expanduser("~")
    content_root_dir = os.path.join(home_dir, "CaC", "Forks", "content")
    return content_root_dir


def main():
    rhel_products = ['rhel10']
    content_root_dir = _get_root_content_dir()
    # Jinja macros must be loaded before profiles can be resolved.
    load_macros_from_content_dir(content_root_dir)

    # Get all profiles for the specified products.
    profiles = get_profiles_from_products(content_root_dir, rhel_products, sorted=True)
    for profile in profiles:
        # Print the resolved rule selection of one profile so it can be compared
        # against the rules expected from the control file levels.
        if profile.profile_id in ['anssi_bp28_high']:
            print(f'Rules for {profile.product_id} in profile {profile.profile_id}:')
            pprint(profile.rules)


if __name__ == "__main__":
    main()
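As an added example (not the project's ssg code), here is a simplified model of how a control file's levels with inherits_from resolve into a profile's rule set; the with_inheritance switch reproduces the symptom described above, where rules of inherited levels are missing. The control file, its levels and all rule ids are constructed for the example.

```python
# Constructed control file in the shape of the project's controls/*.yml files:
# levels may inherit from other levels, and each control lists the levels it
# belongs to plus the rules it selects. All ids here are made up.
CONTROL_FILE = {
    "id": "example_policy",
    "levels": [
        {"id": "minimal"},
        {"id": "intermediary", "inherits_from": ["minimal"]},
        {"id": "high", "inherits_from": ["intermediary"]},
    ],
    "controls": [
        {"id": "R1", "levels": ["minimal"], "rules": ["rule_min_a", "rule_min_b"]},
        {"id": "R2", "levels": ["intermediary"], "rules": ["rule_inter_a"]},
        {"id": "R3", "levels": ["high"], "rules": ["rule_high_a", "rule_min_a"]},
    ],
}

def expand_level(control_file, level_id):
    """Return level_id plus every level it transitively inherits from."""
    by_id = {lvl["id"]: lvl for lvl in control_file["levels"]}
    if level_id not in by_id:
        raise KeyError("unknown level %r" % level_id)
    seen, stack = set(), [level_id]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(by_id[cur].get("inherits_from", []))
    return seen

def rules_for_selection(control_file, selection, unselected=(), with_inheritance=True):
    """Resolve 'policy:all' or 'policy:all:level' to an ordered list of rule ids.
    with_inheritance=False keeps only the named level's own controls, which
    reproduces the symptom reported above: rules of inherited levels go missing."""
    parts = selection.split(":")
    if len(parts) not in (2, 3) or parts[0] != control_file["id"] or parts[1] != "all":
        raise ValueError("unsupported selection %r" % selection)
    if len(parts) == 2:
        levels = {lvl["id"] for lvl in control_file["levels"]}
    else:
        levels = expand_level(control_file, parts[2]) if with_inheritance else {parts[2]}
    rules = []
    for control in control_file["controls"]:
        if levels & set(control.get("levels", [])):
            for rule in control.get("rules", []):
                # keep first-occurrence order; drop rules the profile unselects
                if rule not in rules and rule not in unselected:
                    rules.append(rule)
    return rules
```

Comparing rules_for_selection(CONTROL_FILE, "example_policy:all:high") with the same call and with_inheritance=False shows exactly which rules a level-only resolution drops.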

@marcusburghardt marcusburghardt added the Infrastructure Our content build system label Jul 4, 2025
@marcusburghardt marcusburghardt added this to the 0.1.78 milestone Jul 4, 2025
@jan-cerny jan-cerny self-assigned this Jul 7, 2025
Collaborator

@jan-cerny jan-cerny left a comment


I have checked that this doesn't impact the profile selections in RHEL 9 data streams.
I have tried your test script and it works fine as expected. The change looks good to me. Would it be possible to have a unit test that tests this?

@AlexXuan233
Contributor

AlexXuan233 commented Jul 7, 2025

@jan-cerny Hi, Jan.

I tried using ssg to get the selected rules and unselected rules for rhel9/anssi_bp28_high.profile. The problem is the selected rules result.

import os

from ssg.profiles import get_profiles_from_products

# Path to the content repository checkout; adjust to your environment
cac_content_root = os.path.expanduser("~/content")

# Products are passed as a list, as in the script in the PR description
profiles = get_profiles_from_products(cac_content_root, ["rhel9"])
for profile in profiles:
    if profile.profile_id == "anssi_bp28_high":
        print(f"profile rules: {profile.rules}")
        print(f"profile unselected rules: {profile.unselected_rules}")
        break

This is selected rules result:

['kernel_config_strict_kernel_rwx', 'kernel_config_debug_wx', 'kernel_config_debug_fs', 'kernel_config_stackprotector', 'kernel_config_stackprotector_strong', 'kernel_config_sched_stack_end_check', 'kernel_config_hardened_usercopy', 'kernel_config_hardened_usercopy_fallback', 'kernel_config_vmap_stack', 'kernel_config_refcount_full', 'kernel_config_fortify_source', 'kernel_config_acpi_custom_method', 'kernel_config_devkmem', 'kernel_config_proc_kcore', 'kernel_config_compat_vdso', 'kernel_config_security_dmesg_restrict', 'kernel_config_retpoline', 'kernel_config_legacy_vsyscall_none', 'kernel_config_legacy_vsyscall_emulate', 'kernel_config_legacy_vsyscall_xonly', 'kernel_config_x86_vsyscall_emulation', 'kernel_config_debug_credentials', 'kernel_config_debug_notifiers', 'kernel_config_debug_list', 'kernel_config_debug_sg', 'kernel_config_bug_on_data_corruption', 'kernel_config_slab_freelist_random', 'kernel_config_slab_freelist_hardened', 'kernel_config_slab_merge_default', 'kernel_config_slub_debug', 'kernel_config_page_poisoning', 'kernel_config_page_poisoning_no_sanity', 'kernel_config_page_poisoning_zero', 'kernel_config_compat_brk', 'kernel_config_strict_module_rwx', 'kernel_config_module_sig', 'kernel_config_module_sig_force', 'kernel_config_module_sig_all', 'kernel_config_module_sig_sha512', 'kernel_config_module_sig_hash', 'kernel_config_module_sig_key', 'kernel_config_bug', 'kernel_config_panic_on_oops', 'kernel_config_panic_timeout', 'kernel_config_seccomp', 'kernel_config_seccomp_filter', 'kernel_config_security', 'kernel_config_security_yama', 'kernel_config_security_writable_hooks', 'kernel_config_gcc_plugin_latent_entropy', 'kernel_config_gcc_plugin_stackleak', 'kernel_config_gcc_plugin_structleak', 'kernel_config_gcc_plugin_structleak_byref_all', 'kernel_config_gcc_plugin_randstruct', 'kernel_config_syn_cookies', 'kernel_config_kexec', 'kernel_config_hibernation', 'kernel_config_binfmt_misc', 'kernel_config_legacy_ptys', 
'kernel_config_default_mmap_min_addr', 'kernel_config_randomize_base', 'kernel_config_randomize_memory', 'kernel_config_page_table_isolation', 'kernel_config_ia32_emulation', 'kernel_config_modify_ldt_syscall', 'kernel_config_arm64_sw_ttbr0_pan', 'kernel_config_unmap_kernel_at_el0', 'selinux_policytype', 'sebool_selinuxuser_execheap', 'sebool_deny_execmem', 'sebool_selinuxuser_execstack', 'sebool_secure_mode_insmod', 'sebool_ssh_sysadm_login', 'package_setroubleshoot_removed', 'package_setroubleshoot-server_removed', 'package_setroubleshoot-plugins_removed', 'package_aide_installed', 'aide_build_database', 'aide_periodic_cron_checking', 'aide_periodic_checking_systemd_timer', 'aide_scan_notification', 'aide_verify_acls', 'aide_verify_ext_attributes']

This is unselected rules result

['sebool_secure_mode_insmod', 'partition_for_opt', 'accounts_passwords_pam_tally2_deny_root', 'install_PAE_kernel_on_x86-32', 'partition_for_boot', 'aide_periodic_checking_systemd_timer', 'sudo_add_ignore_dot', 'audit_rules_privileged_commands_rmmod', 'audit_rules_privileged_commands_modprobe', 'package_dracut-fips-aesni_installed', 'cracklib_accounts_password_pam_lcredit', 'partition_for_usr', 'cracklib_accounts_password_pam_ocredit', 'enable_pam_namespace', 'audit_rules_privileged_commands_insmod', 'service_chronyd_or_ntpd_enabled', 'chronyd_configure_pool_and_server', 'accounts_passwords_pam_tally2', 'cracklib_accounts_password_pam_ucredit', 'accounts_passwords_pam_tally2_unlock_time', 'sudo_add_umask', 'sudo_add_env_reset', 'cracklib_accounts_password_pam_minlen', 'cracklib_accounts_password_pam_dcredit', 'ensure_oracle_gpgkey_installed', 'ensure_almalinux_gpgkey_installed', 'package_kea_removed', 'audit_rules_file_deletion_events_renameat2', 'audit_rules_dac_modification_fchmodat2', 'apparmor_configured', 'all_apparmor_profiles_enforced', 'grub2_enable_apparmor', 'package_apparmor_installed', 'package_pam_apparmor_installed', 'package_rsh-server_removed', 'package_rsh_removed', 'package_xinetd_removed', 'package_ypbind_removed', 'package_ypserv_removed', 'file_groupowner_efi_grub2_cfg', 'file_owner_efi_grub2_cfg', 'file_permissions_efi_grub2_cfg', 'file_groupowner_efi_user_cfg', 'file_owner_efi_user_cfg', 'file_permissions_efi_user_cfg', 'grub2_uefi_password', 'package_talk_removed', 'package_talk-server_removed']

In the anssi control file, control R1 contains the rules grub2_nosmep_argument_absent and grub2_nosmap_argument_absent, and they are not unselected in anssi_bp28_high.profile. But the selected rules result does not contain these two rules.

@jan-cerny
Collaborator

Yes, both of us know this.

CodeClimate reported complexity 7 in the PR. This commit brings it down.

Signed-off-by: Marcus Burghardt <[email protected]>

It is not necessary to use a dict at this point.

Signed-off-by: Marcus Burghardt <[email protected]>

Also updated the testing control file to ensure different rules in different levels.

Signed-off-by: Marcus Burghardt <[email protected]>

A unit test was using dynamic data, making unit tests unpredictable.

Signed-off-by: Marcus Burghardt <[email protected]>
@openshift-ci

openshift-ci bot commented Jul 7, 2025

@marcusburghardt: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.16-images 946ce0e link true /test 4.16-images


@qlty-cloud-legacy

Code Climate has analyzed commit 946ce0e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.7% (0.0% change).


@marcusburghardt marcusburghardt requested a review from jan-cerny July 7, 2025 20:35