git: a5bd3edbfb49 - main - security/base-audit: Add the ability to specify ignored jails

Dan Langille dvl at FreeBSD.org
Tue Aug 10 02:03:33 UTC 2021


The branch main has been updated by dvl:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a5bd3edbfb4991f75ec5f2a5580e164f5e977fb4

commit a5bd3edbfb4991f75ec5f2a5580e164f5e977fb4
Author:     Dan Langille <dvl at FreeBSD.org>
AuthorDate: 2021-08-10 02:01:00 +0000
Commit:     Dan Langille <dvl at FreeBSD.org>
CommitDate: 2021-08-10 02:03:29 +0000

    security/base-audit: Add the ability to specify ignored jails
    
    security_status_baseaudit_jails_ignore is a space delimited list of jails
    to ignore.
    
    If non-empty, the code iterates over security_status_baseaudit_jails_ignore
    to avoid partial matches (i.e. ignore foo.bar, but not foo). If there is a
    better way to do that without looping, please let me know.
    
    Example use case: I have jails which purposely are older vulnerable versions
    for testing.
    
    PR:             257685
    Approved by:    000.fbsd at quip.cz (maintainer)
---
 security/base-audit/Makefile                    |  2 +-
 security/base-audit/files/405.pkg-base-audit.in | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/security/base-audit/Makefile b/security/base-audit/Makefile
index 0911dc27d3fe..f6233a937f9e 100644
--- a/security/base-audit/Makefile
+++ b/security/base-audit/Makefile
@@ -1,7 +1,7 @@
 # Created by: Miroslav Lachman
 
 PORTNAME=	base-audit
-PORTVERSION=	0.4
+PORTVERSION=	0.5
 CATEGORIES=	security
 MASTER_SITES=	# none
 DISTFILES=	# none
diff --git a/security/base-audit/files/405.pkg-base-audit.in b/security/base-audit/files/405.pkg-base-audit.in
old mode 100644
new mode 100755
index f8664346d590..f607a5929fc7
--- a/security/base-audit/files/405.pkg-base-audit.in
+++ b/security/base-audit/files/405.pkg-base-audit.in
@@ -40,6 +40,7 @@ fi
 : ${security_status_baseaudit_quiet:=NO}
 : ${security_status_baseaudit_chroots=$pkg_chroots}
 : ${security_status_baseaudit_jails=$pkg_jails}
+: ${security_status_baseaudit_jails_ignore=""}
 : ${security_status_baseaudit_expiry:=2}
 
 # Compute PKG_DBDIR from the config file.
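Review bot: the file mode change from 100644 to 100755 on this hunk's file (the "old mode"/"new mode" lines above the index line) is not mentioned in the commit message; if making the template executable is intended it should be called out, otherwise it looks like an accidental chmod that should be dropped from the commit. The added default `: ${security_status_baseaudit_jails_ignore=""}` also arrives without any comment on its format; a one-line note that it is a space-delimited list of jail names to skip, settable from periodic.conf like the neighbouring security_status_baseaudit_* knobs, would save readers a trip to the commit log.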
@@ -166,6 +167,19 @@ audit_base_all() {
 	esac
 
 	for j in $jails ; do
+		# ignore some jails
+		if [ -n "$security_status_baseaudit_jails_ignore" ]; then
+			# we iterate to get exact matches because we want substring matches
+			# foo should not match foo.bar
+			for ignore in $security_status_baseaudit_jails_ignore ; do
+				if [ "${j%|*}" == "$ignore" ]; then
+					echo
+					echo "ignoring jail: ${j%|*}"
+					# continue with the main loop
+					continue 2
+				fi
+			done
+		fi
 		echo
 		echo "jail: ${j%|*}"
 		audit_base "-j ${j%|*}" ${j##*|}
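Review bot: the comment `# we iterate to get exact matches because we want substring matches` states the opposite of the intent; it should read "because we do not want substring matches" (the next line, "foo should not match foo.bar", has it right). The test `[ "${j%|*}" == "$ignore" ]` uses `==`, which is not POSIX test(1) syntax; `=` is the portable string comparison for a /bin/sh periodic script. On the commit message's question about avoiding the inner loop: a `case` against the space-padded list gives an exact whole-word match without iterating, e.g. `case " $security_status_baseaudit_jails_ignore " in *" ${j%|*} "*) echo; echo "ignoring jail: ${j%|*}"; continue ;; esac`, which also removes the need for `continue 2` and the -n guard, since an empty list simply never matches. The unconditional echo of the ignore message is consistent with the existing unconditional `echo "jail: ${j%|*}"` below it, so no change needed there.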

