Skip to content

Fix rsyslog logfiles bash remediation for omfile paths and globs#14715

Draft
Mab879 wants to merge 1 commit into
ComplianceAsCode:masterfrom
Mab879:cursor/rsyslog-logfiles-bash-remediation-fix
Draft

Fix rsyslog logfiles bash remediation for omfile paths and globs#14715
Mab879 wants to merge 1 commit into
ComplianceAsCode:masterfrom
Mab879:cursor/rsyslog-logfiles-bash-remediation-fix

Conversation

@Mab879
Copy link
Copy Markdown
Member

@Mab879 Mab879 commented May 15, 2026

Description:

Split NUL-separated omfile matches into separate paths before chmod, expand $IncludeConfig globs in a nullglob subshell, and skip non-regular files. Document eval trust boundary for include path expansion.

Rationale:

Fixes #14570

Review Hints:

Review the contest test results and ensure they pass.

@Mab879
Fix rsyslog logfiles bash remediation for omfile paths and globs
f6fa85c 
Split NUL-separated omfile matches into separate paths before chmod,
expand $IncludeConfig globs in a nullglob subshell, and skip non-regular
files. Document eval trust boundary for include path expansion.
@Mab879 Mab879 added this to the 0.1.81 milestone May 15, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 15, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 15, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@Mab879 Mab879 marked this pull request as ready for review May 15, 2026 18:19
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 15, 2026
@Mab879
Copy link
Copy Markdown
Member Author

Mab879 commented May 15, 2026

/retest-required

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 15, 2026

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance f6fa85c link true /test e2e-aws-openshift-node-compliance
ci/prow/e2e-aws-openshift-platform-compliance f6fa85c link true /test e2e-aws-openshift-platform-compliance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

comps
comps reviewed May 16, 2026
View reviewed changes
Comment thread shared/templates/rsyslog_logfiles_attributes_modify/bash.template
# newline-concatenated string being appended as one bogus array element (breaks chmod).
ACTION_OMFILE_LINES=$(LC_ALL=C grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}" 2>/dev/null || true)
[[ -n "${ACTION_OMFILE_LINES}" ]] || continue
_ACTION_NL=$(printf '%s' "${ACTION_OMFILE_LINES}" | tr '\0' '\n')
Copy link
Copy Markdown
Collaborator

@comps comps May 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure this doesn't do anything, bash variables cannot contain zeros.

$ printf '\x00\x01\x02' | hexdump -C
00000000  00 01 02                                          |...|
00000003

$ a=$(printf '\x00\x01\x02')
bash: warning: command substitution: ignored null byte in input
$ echo ${#a}
2

$ printf '\x00\x01\x02' > tmpf
$ read a < tmpf 

$ echo ${#a}
2
$ printf '%s' "$a" | hexdump -C
00000000  01 02                                             |..|
00000002

$ hexdump -C <<<"$a"
00000000  01 02 0a                                          |...|
00000003

This was referenced May 18, 2026
Merged
Merged
@Mab879 Mab879 marked this pull request as draft May 18, 2026 16:58
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 18, 2026
@Arden97 Arden97 modified the milestones: 0.1.81, 0.1.82 May 20, 2026
@openshift-ci openshift-ci Bot added the needs-rebase Used by openshift-ci bot. label Jun 4, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Jun 4, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@comps comps comps left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Used by openshift-ci bot. needs-rebase Used by openshift-ci bot.

Projects

None yet

Milestone

0.1.82

Development

Successfully merging this pull request may close these issues.

rsyslog_files_permissions is failing in CI

3 participants

@Mab879 @comps @Arden97