[New] Portable exec tests; unset LMD_BASEDIR after use; CHANGELOG sync

rfxn · rfxn · commit c0f12bb2dfcf · 2026-03-27T12:28:29.000-05:00
[New] tests/36-portable-exec.bats: 10 tests for source-tree auto-detect,
      LMD_BASEDIR override, symlink resolution, installed-path regression
[Fix] Unset LMD_BASEDIR after consumption to prevent leakage to child processes
[Fix] CHANGELOG/CHANGELOG.RELEASE: add 5 missing entries (alert templates,
      pkg_lib v1.0.6, batsman v1.3.0, CSIG compiler, portable exec);
      correct stale vendored lib versions (pkg_lib v1.0.5→v1.0.6,
      batsman v1.2.2→v1.3.0)
diff --git a/CHANGELOG b/CHANGELOG
@@ -51,9 +51,16 @@ v2.0.1 | Mar 25 2026:
 [New] Symlink farm enforcement: static manifest ships with RPM/DEB; pkg_fhs_verify_farm
       auto-detects and repairs broken symlinks at startup
 [New] FHS fallback sourcing: maldet boots from /usr/lib/maldet when legacy symlinks broken
+[New] Portable source-tree execution: run maldet directly from git clone or tarball without
+      install.sh; auto-detects inspath from script location; LMD_BASEDIR env override
 
   -- Changes --
 
+[Change] Alert templates: consolidate summary into header templates; add quarantine metrics
+         to scan and panel templates
+[Change] Update pkg_lib.sh to v1.0.6: symlink farm enforcement
+[Change] Update batsman submodule to v1.3.0: GNU parallel support, BATS --jobs
+
 [Change] Hook scans write to rolling hook.hits.log instead of creating session files;
          genalert suppressed for hook scans
 [Change] HTML email rendered on-demand at send time from current templates; persistent
@@ -73,7 +80,7 @@ v2.0.1 | Mar 25 2026:
 [Change] inotify_verbose per-file ClamAV logging deprecated; batch engine log
          messages supersede
 [Change] Vendored libraries updated: tlog_lib v2.0.4, elog_lib v1.0.4, alert_lib
-         v1.0.5, pkg_lib v1.0.5; batsman submodule v1.2.2
+         v1.0.5, pkg_lib v1.0.6; batsman submodule v1.3.0
 [Change] Scan engine: HEX+CSIG merged into single worker pass; scan stage reorder
          (strlen runs last); bulk awk HEX classifier
 [Change] gensigs: awk compiler replaces bash+sed wildcard/csig loops; dead helpers removed
@@ -83,6 +90,7 @@ v2.0.1 | Mar 25 2026:
 
   -- Bug Fixes --
 
+[Fix] CSIG compiler: reject invalid && separator and universal subsigs in OR groups
 [Fix] pkg/Makefile: VERSION extraction, test target Dockerfile paths
 [Fix] install.sh: detect supervisor and legacy monitor; graceful stop+restart on upgrade
 [Fix] -co/--config-option now position-independent; in-memory parser replaces tmpfile+sed
diff --git a/CHANGELOG.RELEASE b/CHANGELOG.RELEASE
@@ -51,9 +51,16 @@ v2.0.1 | Mar 25 2026:
 [New] Symlink farm enforcement: static manifest ships with RPM/DEB; pkg_fhs_verify_farm
       auto-detects and repairs broken symlinks at startup
 [New] FHS fallback sourcing: maldet boots from /usr/lib/maldet when legacy symlinks broken
+[New] Portable source-tree execution: run maldet directly from git clone or tarball without
+      install.sh; auto-detects inspath from script location; LMD_BASEDIR env override
 
   -- Changes --
 
+[Change] Alert templates: consolidate summary into header templates; add quarantine metrics
+         to scan and panel templates
+[Change] Update pkg_lib.sh to v1.0.6: symlink farm enforcement
+[Change] Update batsman submodule to v1.3.0: GNU parallel support, BATS --jobs
+
 [Change] Hook scans write to rolling hook.hits.log instead of creating session files;
          genalert suppressed for hook scans
 [Change] HTML email rendered on-demand at send time from current templates; persistent
@@ -73,7 +80,7 @@ v2.0.1 | Mar 25 2026:
 [Change] inotify_verbose per-file ClamAV logging deprecated; batch engine log
          messages supersede
 [Change] Vendored libraries updated: tlog_lib v2.0.4, elog_lib v1.0.4, alert_lib
-         v1.0.5, pkg_lib v1.0.5; batsman submodule v1.2.2
+         v1.0.5, pkg_lib v1.0.6; batsman submodule v1.3.0
 [Change] Scan engine: HEX+CSIG merged into single worker pass; scan stage reorder
          (strlen runs last); bulk awk HEX classifier
 [Change] gensigs: awk compiler replaces bash+sed wildcard/csig loops; dead helpers removed
@@ -83,6 +90,7 @@ v2.0.1 | Mar 25 2026:
 
   -- Bug Fixes --
 
+[Fix] CSIG compiler: reject invalid && separator and universal subsigs in OR groups
 [Fix] pkg/Makefile: VERSION extraction, test target Dockerfile paths
 [Fix] install.sh: detect supervisor and legacy monitor; graceful stop+restart on upgrade
 [Fix] -co/--config-option now position-independent; in-memory parser replaces tmpfile+sed
diff --git a/files/maldet b/files/maldet
@@ -23,6 +23,7 @@ else
 	fi
 	unset _self _selfdir
 fi
+unset LMD_BASEDIR  # consumed; prevent leakage to child processes (e.g. maldet -b)
 intcnf="$inspath/internals/internals.conf"
 if [ -f "/etc/sysconfig/maldet" ]; then
         syscnf=/etc/sysconfig/maldet
diff --git a/tests/36-portable-exec.bats b/tests/36-portable-exec.bats
@@ -0,0 +1,73 @@
+#!/usr/bin/env bats
+
+load '/usr/local/lib/bats/bats-support/load'
+load '/usr/local/lib/bats/bats-assert/load'
+
+LMD_INSTALL="/usr/local/maldetect"
+
+# --- Source-tree auto-detect ---
+
+@test "portable: internals.conf uses conditional inspath assignment" {
+    grep -q 'inspath="\${inspath:-/usr/local/maldetect}"' "$LMD_INSTALL/internals/internals.conf"
+}
+
+@test "portable: maldet resolves inspath from own directory" {
+    # When invoked via absolute path, auto-detect finds internals/ beside the script
+    run bash -c '_self=$(readlink -f "'"$LMD_INSTALL/maldet"'" 2>/dev/null); _selfdir="${_self%/*}"; [ -f "$_selfdir/internals/internals.conf" ] && echo "found" || echo "missing"'
+    assert_output "found"
+}
+
+@test "portable: default inspath resolves to /usr/local/maldetect" {
+    run maldet --version
+    assert_success
+    assert_output --partial "Linux Malware Detect"
+}
+
+# --- LMD_BASEDIR env override ---
+
+@test "portable: LMD_BASEDIR overrides inspath" {
+    run env LMD_BASEDIR="$LMD_INSTALL" maldet --version
+    assert_success
+    assert_output --partial "Linux Malware Detect"
+}
+
+@test "portable: LMD_BASEDIR with invalid path fails gracefully" {
+    run env LMD_BASEDIR="/nonexistent" maldet --version
+    assert_failure
+    assert_output --partial "intcnf not found"
+}
+
+@test "portable: LMD_BASEDIR is unset after consumption" {
+    # LMD_BASEDIR should not leak to child processes
+    grep -q 'unset LMD_BASEDIR' "$LMD_INSTALL/maldet"
+}
+
+# --- Symlink resolution ---
+
+@test "portable: symlink to maldet resolves to real path" {
+    local _tmplink
+    _tmplink=$(mktemp -u /tmp/maldet-symlink-XXXXXX)
+    ln -s "$LMD_INSTALL/maldet" "$_tmplink"
+    run "$_tmplink" --version
+    rm -f "$_tmplink"
+    assert_success
+    assert_output --partial "Linux Malware Detect"
+}
+
+# --- Regression: installed path unaffected ---
+
+@test "portable: installed maldet still uses /usr/local/maldetect paths" {
+    # Verify that session dir resolves under the install path
+    run bash -c 'source '"$LMD_INSTALL"'/internals/internals.conf; echo "$sessdir"'
+    assert_output "/usr/local/maldetect/sess"
+}
+
+@test "portable: internals.conf preserves pre-set inspath" {
+    run bash -c 'inspath="/custom/path"; source '"$LMD_INSTALL"'/internals/internals.conf; echo "$inspath"'
+    assert_output "/custom/path"
+}
+
+@test "portable: internals.conf defaults when inspath is unset" {
+    run bash -c 'unset inspath; source '"$LMD_INSTALL"'/internals/internals.conf; echo "$inspath"'
+    assert_output "/usr/local/maldetect"
+}
