adding rpm architecture of to our maps, so 32 bit and 64 bit rpms do …

…not fail has modified files check Signed-off-by: Adam D. Cornett <adc@redhat.com>
redhat-openshift-ecosystem · Jul 19, 2023 · 4062e33 · 4062e33
1 parent b4ad7f3
commit 4062e33
Showing 1 changed file with 27 additions and 3 deletions.
diff --git a/internal/policy/container/has_modified_files.go b/internal/policy/container/has_modified_files.go
@@ -208,6 +208,28 @@ func (p *HasModifiedFilesCheck) validate(ctx context.Context, layerIDs []string,
 			previousPackage := packageFiles[layerIDs[idx-1]].LayerPackages[previousPackageVersion]
 			currentPackage := ref.LayerPackages[currentPackageVersion]
 
+			// below swaps the architecture between 32bit and 64bit so we can look later to see if the opposite arch package is also installed
+			// this is needed since the RPM DB, will have an entry for each arch, and potentially the same file listed as `owned` by both arches
+			var architecture string
+			switch currentPackage.Arch {
+			case "i686":
+				architecture = "x86_64"
+				break
+			case "x86_64":
+				architecture = "i686"
+				break
+			}
+
+			// checking to see if the opposite architectures RPM exists in the same layer, if so we need to ensure that NVRA of both architectures match,
+			// if there is a match we can continue to the next modified file, if not proceed with all other checks
+			currentPackageVersionDiffArch := strings.Join([]string{currentPackage.Name, currentPackage.Version, currentPackage.Release, architecture}, "-")
+			if currentPackageDiffArch, ok := ref.LayerPackages[currentPackageVersionDiffArch]; ok {
+				if currentPackage.Name == currentPackageDiffArch.Name && currentPackage.Version == currentPackageDiffArch.Version &&
+					currentPackage.Release == currentPackageDiffArch.Release {
+					continue
+				}
+			}
+
 			if previousPackageVersion == currentPackageVersion {
 				if !strings.Contains(currentPackage.Release, packageDist) && packageDist != "unknown" {
 					// This means it's _probably_ not a RH package. If the file is changed, warn, but don't fail
@@ -241,7 +263,9 @@ func (p *HasModifiedFilesCheck) validate(ctx context.Context, layerIDs []string,
 
 			if (previousOsRelease && !currentOsRelease) || (previousPackage.Arch != currentPackage.Arch) {
 				// If either of these differ, that's a fail
-				return false, nil
+				logger.V(log.DBG).Info("mismatch in package architecture", "file", modifiedFile)
+				disallowedModifications = true
+				continue
 			}
 
 			// This appears like an update. This is allowed.
@@ -274,7 +298,7 @@ func (p HasModifiedFilesCheck) Metadata() check.Metadata {
 func extractPackageNameVersionRelease(pkgList []*rpmdb.PackageInfo) map[string]packageMeta {
 	pkgNameList := make(map[string]packageMeta, len(pkgList))
 	for _, pkg := range pkgList {
-		pkgNameList[fmt.Sprintf("%s-%s-%s", pkg.Name, pkg.Version, pkg.Release)] = packageMeta{
+		pkgNameList[strings.Join([]string{pkg.Name, pkg.Version, pkg.Release, pkg.Arch}, "-")] = packageMeta{
 			Name:        pkg.Name,
 			Version:     pkg.Version,
 			Release:     pkg.Release,
@@ -403,7 +427,7 @@ func installedFileMapWithExclusions(ctx context.Context, pkglist []*rpmdb.Packag
 				// It is either an explicitly excluded path or directory. Skip it.
 				continue
 			}
-			m[normalized] = fmt.Sprintf("%s-%s-%s", pkg.Name, pkg.Version, pkg.Release)
+			m[normalized] = strings.Join([]string{pkg.Name, pkg.Version, pkg.Release, pkg.Arch}, "-")
 		}
 	}
 	return m, nil