diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md index e1f5e4f906ea..11af2c115d5c 100644 --- a/docs/manual/developer/06_contributing_with_content.md +++ b/docs/manual/developer/06_contributing_with_content.md @@ -825,6 +825,13 @@ are unique to SCE: it is not necessary. Additionally, OCIL checks, if any is present in the `rule.yml`, are added as a top-level OR-operator `` with the results of this ``. + - `environment`: can be `normal`, `bootc`, `any`. + The default value that is used when this key is not set is `normal`. + This key specifies the environment in which the SCE check can run in. + This way you can restrict some SCE checks to run or not run in Image mode. + If set to `bootc`, the SCE check code will be modified to not run outside of the bootable image build process. + If set to `normal`, the SCE check code will be modified to not run during the bootable image build process. + If set to `any`, the SCE check code will not be modified and therefore will run in any environment. For an example of SCE content, consider the check: diff --git a/shared/templates/sebool/sce-bash.template b/shared/templates/sebool/sce-bash.template index 143aedfe1d8d..87a442ecbcc2 100644 --- a/shared/templates/sebool/sce-bash.template +++ b/shared/templates/sebool/sce-bash.template @@ -1,4 +1,5 @@ #!/usr/bin/env bash +# environment = bootc # check-import = stdout {{% if not SEBOOL_BOOL %}} # check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}} diff --git a/shared/templates/service_disabled/sce-bash.template b/shared/templates/service_disabled/sce-bash.template index 84addf8e8ccf..4d86b9fdc99d 100644 --- a/shared/templates/service_disabled/sce-bash.template +++ b/shared/templates/service_disabled/sce-bash.template @@ -1,5 +1,6 @@ #!/bin/bash # check-import = stdout +# environment = bootc if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "masked" ]] ; then exit "$XCCDF_RESULT_PASS" fi 
diff --git a/shared/templates/service_enabled/sce-bash.template b/shared/templates/service_enabled/sce-bash.template
index 5d33a00d3a68..03254c17170f 100644
--- a/shared/templates/service_enabled/sce-bash.template
+++ b/shared/templates/service_enabled/sce-bash.template
@@ -1,4 +1,5 @@
 #!/bin/bash
+# environment = bootc
 # check-import = stdout
 if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "enabled" ]] ; then
 exit "$XCCDF_RESULT_PASS"
diff --git a/shared/templates/socket_disabled/sce-bash.template b/shared/templates/socket_disabled/sce-bash.template
index 2b27cd73ba6a..3b0cca18f0cd 100644
--- a/shared/templates/socket_disabled/sce-bash.template
+++ b/shared/templates/socket_disabled/sce-bash.template
@@ -1,4 +1,5 @@
 #!/bin/bash
+# environment = bootc
 # check-import = stdout
 if [[ $(systemctl is-enabled {{{ SOCKETNAME }}}.socket) == "masked" ]] ; then
 exit "$XCCDF_RESULT_PASS"
diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
index 54a120e983e0..352b701f9b0d 100644
--- a/shared/templates/sysctl/sce-bash.template
+++ b/shared/templates/sysctl/sce-bash.template
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# environment = bootc
 # check-import = stdout
 {{% if SYSCTLVAL == "" %}}
 # check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
diff --git a/shared/templates/timer_enabled/sce-bash.template b/shared/templates/timer_enabled/sce-bash.template
index 53101b496dd4..a09354aa3873 100644
--- a/shared/templates/timer_enabled/sce-bash.template
+++ b/shared/templates/timer_enabled/sce-bash.template
@@ -1,4 +1,5 @@
 #!/bin/bash
+# environment = bootc
 # check-import = stdout
 if [[ $(systemctl is-enabled {{{ TIMERNAME }}}.timer) == "enabled" ]] ; then
 exit "$XCCDF_RESULT_PASS"
diff --git a/ssg/build_sce.py b/ssg/build_sce.py
index 110a73f76174..a77d57ad098e 100644
--- a/ssg/build_sce.py
+++ b/ssg/build_sce.py
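Review bot: Tagging this template `environment = bootc` means the generated check exits with `$XCCDF_RESULT_ERROR` instead of evaluating `systemctl is-enabled` whenever `OSCAP_BOOTC_BUILD` is not `YES`, i.e. on every conventionally booted host; that is presumably intended for image-mode content, but nothing in the template says so, and the next person reusing it for an ordinary profile will get an error result on every rule. A separate comment line such as `# environment = bootc` followed by `# NOTE: image-mode builds only; on a booted host this check returns ERROR, not a verdict` would make the restriction visible (keep it on its own line, since the header parser takes everything after `= ` as the value). The same applies to the socket_disabled, sysctl and timer_enabled headers below, and the header sits before `# check-import` here but after it in service_disabled, which is harmless but worth aligning.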
@@ -34,12 +34,33 @@ def load_sce_and_metadata(file_path, local_env_yaml): return load_sce_and_metadata_parsed(raw_content) +def _modify_sce_with_environment(sce_content, environment): + if environment == "any": + return + if environment == "bootc": + condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\"" + if environment == "normal": + condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\"" + for i in range(len(sce_content)): + if len(sce_content[i]) > 0: + sce_content[i] = (4 * " ") + sce_content[i] + sce_content.insert(0, f"if [[ {condition} ]] ; then") + sce_content.append("else") + sce_content.append(" echo \"The SCE check can't run in this environment.\"") + sce_content.append(" exit \"$XCCDF_RESULT_ERROR\"") + sce_content.append("fi") + + def load_sce_and_metadata_parsed(raw_content): metadata = dict() sce_content = [] - keywords = ['platform', 'check-import', 'check-export', 'complex-check'] + keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment'] + shebang = "#!/usr/bin/bash" for line in raw_content.split("\n"): + if line.startswith("#!"): + shebang = line + continue found_metadata = False for keyword in keywords: if not line.startswith('# ' + keyword + ' = '): @@ -66,6 +87,17 @@ def load_sce_and_metadata_parsed(raw_content): if 'platform' in metadata: metadata['platform'] = metadata['platform'].split(',') + if "environment" not in metadata: + metadata["environment"] = "normal" + environment_options = ["normal", "bootc", "any"] + if metadata["environment"] not in environment_options: + raise RuntimeError( + f"Wrong value of the 'environment' headers: " + f"{metadata["environment"]}. It needs to be one of " + f"{", ".join(environment_options)}") + + _modify_sce_with_environment(sce_content, metadata["environment"]) + sce_content.insert(0, shebang) return "\n".join(sce_content), metadata
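Review bot: The indentation loop in `_modify_sce_with_environment` prepends four spaces to every non-empty line of the check, which silently changes the content of heredocs and multi-line quoted strings in the wrapped script and breaks any heredoc whose terminator must start at column 0; bash needs no indentation inside `if … fi`, so the loop should simply be dropped. The shebang capture in the parsing loop matches any line beginning with `#!`, not just the first, so a `#!` line inside the check body (for example in a heredoc that writes a script) would be removed from the body and become the interpreter line; guarding on the line index fixes that. The wrapper is bash syntax and is applied by default (`normal`) to every SCE check regardless of which interpreter the captured shebang names, so if any SCE check uses a non-bash interpreter it would be corrupted — either check the shebang here or document that `environment` is bash-only. `condition` is also left unbound for an unexpected value, which only the caller's validation masks; an explicit `else: raise` keeps the helper safe on its own.
```python
def _modify_sce_with_environment(sce_content, environment):
    if environment == "any":
        return
    if environment == "bootc":
        condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
    elif environment == "normal":
        condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
    else:
        raise ValueError(f"Unknown SCE environment: {environment}")
    # No re-indentation of the body: bash does not need it, and inserting
    # whitespace into heredocs or multi-line strings would alter the check.
    sce_content.insert(0, f"if [[ {condition} ]] ; then")
    sce_content.extend([
        "else",
        "    echo \"The SCE check can't run in this environment.\"",
        "    exit \"$XCCDF_RESULT_ERROR\"",
        "fi",
    ])

# … unchanged: start of load_sce_and_metadata_parsed …
    for lineno, line in enumerate(raw_content.split("\n")):
        # Only the first line can be the interpreter line.
        if lineno == 0 and line.startswith("#!"):
            shebang = line
            continue
```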
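Review bot: The `RuntimeError` message in the validation block nests unescaped double quotes inside double-quoted f-strings (`f"{metadata["environment"]}…"` and `f"{", ".join(environment_options)}"`), which is a SyntaxError on every Python before 3.12 (PEP 701); if the build still has to run on older interpreters this breaks import of the module, not just this error path. Swapping the inner quotes is enough: `f"{metadata['environment']}. It needs to be one of "` and `f"{', '.join(environment_options)}")`. The accepted values are listed here and again as branches in `_modify_sce_with_environment`; one module-level tuple shared by both keeps them from drifting. Separately, the wrapper returns `$XCCDF_RESULT_ERROR` on the wrong environment, so every `bootc`-only check shows up as an error on a conventional host rather than as not applicable — worth a deliberate choice and a sentence in the docs. `load_sce_and_metadata_parsed` starts outside this hunk.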