Introduce 'environment' header key to SCE checks
This adds a new mechanism that allows content authors to control
the execution of SCE checks depending on environment. They can
use the `environment` key to disable running their SCE check during a build
of a bootable container image, or on the contrary, disable running the
SCE check outside of the bootable container image build environment.

We need to distinguish generic SCE checks from SCE checks that are meant
to be executed only during the "podman build" phase of the bootable
containers. We need to have a way to specify that some code is special
for this environment. This way, we will prevent using SCE checks that
require DBUS or other special SCE checks. Also, it will prevent using
SCE checks that are designed only for the bootable containers to be
executed in other scenarios.

This change depends on this OpenSCAP PR:
OpenSCAP/openscap#2189
jan-cerny committed Dec 18, 2024
1 parent 6e3ab9d commit 0b2d3a1
Showing 8 changed files with 47 additions and 1 deletion.
7 changes: 7 additions & 0 deletions docs/manual/developer/06_contributing_with_content.md
Expand Up @@ -825,6 +825,13 @@ are unique to SCE:
it is not necessary. Additionally, OCIL checks, if any is present in the
`rule.yml`, are added as a top-level OR-operator `<complex-check />` with
the results of this `<complex-check />`.
- `environment`: can be `normal`, `bootc`, `any`.
The default value that is used when this key is not set is `normal`.
This key specifies the environment in which the SCE check can run in.
This way you can restrict some SCE checks to run or not run in Image mode.
If set to `bootc`, the SCE check code will be modified to not run outside of the bootable image build process.
If set to `normal`, the SCE check code will be modified to not run during the bootable image build process.
If set to `any`, the SCE check code will not be modified and therefore will run in any environment.
For an example of SCE content, consider the check:
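Review bot: The new `environment` bullet says the check code "will be modified to not run" but never says what the content author gets instead. Going by the `ssg/build_sce.py` change in this commit, the script is wrapped in a test of `$OSCAP_BOOTC_BUILD` and exits with `$XCCDF_RESULT_ERROR` in the wrong environment; please state that here, and note that the default `normal` applies the wrapper to every SCE check that does not set the key. Also, "can run in" after "in which" repeats the preposition, and "Image mode" is used without being tied to the "bootable image build process" wording of the lines that follow.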
1 change: 1 addition & 0 deletions shared/templates/sebool/sce-bash.template
@@ -1,4 +1,5 @@
#!/usr/bin/env bash
# environment = bootc
# check-import = stdout
{{% if not SEBOOL_BOOL %}}
# check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}}
1 change: 1 addition & 0 deletions shared/templates/service_disabled/sce-bash.template
@@ -1,5 +1,6 @@
#!/bin/bash
# check-import = stdout
# environment = bootc
if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "masked" ]] ; then
exit "$XCCDF_RESULT_PASS"
fi
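Review bot: In this template `# environment = bootc` is placed after `# check-import = stdout`, while the other five templates touched by this commit put it directly after the shebang. The header parser in `ssg/build_sce.py` matches line by line, so the order has no effect on the result, but moving the line up keeps the templates uniform and easier to grep.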
1 change: 1 addition & 0 deletions shared/templates/service_enabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "enabled" ]] ; then
exit "$XCCDF_RESULT_PASS"
1 change: 1 addition & 0 deletions shared/templates/socket_disabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ SOCKETNAME }}}.socket) == "masked" ]] ; then
exit "$XCCDF_RESULT_PASS"
1 change: 1 addition & 0 deletions shared/templates/sysctl/sce-bash.template
@@ -1,4 +1,5 @@
#!/usr/bin/env bash
# environment = bootc
# check-import = stdout
{{% if SYSCTLVAL == "" %}}
# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
1 change: 1 addition & 0 deletions shared/templates/timer_enabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ TIMERNAME }}}.timer) == "enabled" ]] ; then
exit "$XCCDF_RESULT_PASS"
35 changes: 34 additions & 1 deletion ssg/build_sce.py
Expand Up @@ -34,12 +34,33 @@ def load_sce_and_metadata(file_path, local_env_yaml):
return load_sce_and_metadata_parsed(raw_content)


def _modify_sce_with_environment(sce_content, environment):
if environment == "any":
return
if environment == "bootc":
condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
if environment == "normal":
condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
for i in range(len(sce_content)):
if len(sce_content[i]) > 0:
sce_content[i] = (4 * " ") + sce_content[i]
sce_content.insert(0, "if [[ " + condition + " ]] ; then")
sce_content.append("else")
sce_content.append(" echo \"The SCE check can't run in this environment.\"")
sce_content.append(" exit \"$XCCDF_RESULT_ERROR\"")
sce_content.append("fi")


def load_sce_and_metadata_parsed(raw_content):
metadata = dict()
sce_content = []

keywords = ['platform', 'check-import', 'check-export', 'complex-check']
keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']
shebang = "#!/usr/bin/bash"
for line in raw_content.split("\n"):
if line.startswith("#!"):
shebang = line
continue
found_metadata = False
for keyword in keywords:
if not line.startswith('# ' + keyword + ' = '):
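Review bot: `_modify_sce_with_environment` wraps the script in `if [[ ... ]] ; then`, which is bash syntax, while the parser in the same hunk keeps whatever `#!` line the file carried; because `normal` is the default, a check written for another interpreter would be wrapped as well and stop working. Either restrict the wrapper to bash shebangs and fail the build otherwise, or document that SCE checks must be bash. Indenting every non-empty line by four spaces also alters here-document bodies and leaves a `<<EOF` terminator indented, so it no longer ends the document; the indentation is cosmetic and could be dropped. `condition` is set by two independent `if` statements, so an unexpected value reaches the `insert` call with the name unbound; an `if`/`elif`/`else` that raises would make the function safe on its own, and a docstring should say that it mutates `sce_content` in place.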
Expand All @@ -66,6 +87,18 @@ def load_sce_and_metadata_parsed(raw_content):
if 'platform' in metadata:
metadata['platform'] = metadata['platform'].split(',')

if "environment" not in metadata:
metadata["environment"] = "normal"
environment_options = ["normal", "bootc", "any"]
if metadata["environment"] not in environment_options:
raise RuntimeError(
"Wrong value of the 'environment' headers: '%s'. It needs to be "
"one of %s" % (
metadata["environment"], ", ".join(environment_options))
)

_modify_sce_with_environment(sce_content, metadata["environment"])
sce_content.insert(0, shebang)
return "\n".join(sce_content), metadata
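Review bot: The `RuntimeError` raised for an invalid `environment` value does not say which SCE file carried it, because `load_sce_and_metadata_parsed` only sees `raw_content`; re-raise with `file_path` from `load_sce_and_metadata`, or pass the path in, so a content author can find the offending file. The message should read "header", not "headers". `sce_content.insert(0, shebang)` now also gives the default `#!/usr/bin/bash` to input that had no shebang, which deserves a comment. None of the 8 changed files is a test; cases for `normal`, `bootc`, `any`, a missing key and an invalid value would cover this code.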

