From ded83b317369ca7e90366bb3b2db2d8766b34bb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 23 Oct 2024 11:21:15 +0200
Subject: [PATCH 1/2] Add special conditions for bootable containers

This commit adds 2 new Jinja macros: `bootc_build` and `not_bootc_build`. These macros define Bash conditional expressions that are evaluated as true or false if the remediation is performed during a build of a bootable container image or not performed during a build of a bootable container image. These macros can be used in Bash remediation code. They can be used to control the remediation behavior in the bootable container build environment. This commit changes the Bash remediation in rule `disable_ctrlaltdel_reboot` to demonstrate usefulness of the new macros.
---
 .../disable_ctrlaltdel_reboot/bash/shared.sh | 9 +++++++--
 shared/macros/10-bash.jinja | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 212d9aa0f03..ff3936552fd 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,3 +1,8 @@
 # platform = multi_platform_all
-systemctl disable --now ctrl-alt-del.target
-systemctl mask --now ctrl-alt-del.target
+if {{{ bootc_build() }}} ; then
+ systemctl disable ctrl-alt-del.target
+ systemctl mask ctrl-alt-del.target
+else
+ systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
+fi
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 00e0925f2aa..5317e50f725 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
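Review bot: The bootc branch drops `--now` from both `systemctl` calls without saying why, so the next reader cannot tell whether the omission is deliberate or a copy error; add a why-comment above the `if`, e.g. `# During a bootable container image build only the on-disk unit state is changed; stopping the running target is left to the else branch` (the exact reason should be confirmed with the bootc build tooling, which this diff does not show). The two branches differ only in that flag, so computing it once would remove the duplicated commands, but that is style rather than a defect. Because the branch is chosen by the `OSCAP_BOOTC_BUILD` environment variable, a stray `OSCAP_BOOTC_BUILD=YES` in the remediation environment of a live system skips the immediate stop and leaves the running state of `ctrl-alt-del.target` unchanged; the rule documentation should state that the variable is expected only from the image build.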
@@ -2517,3 +2517,19 @@ mkdir -p /etc/dconf/db/{{{ database }}}.d
 chmod -R u=rwX,go=rX /etc/dconf/profile
 (umask 0022 && dconf update)
 {{%- endmacro -%}}
+
+{{#
+This macro defines a conditional expression that is evaluated as true
+if the remediation is performed during a build of a bootable container image.
+#}}
+{{%- macro bootc_build() -%}}
+[[ "$OSCAP_BOOTC_BUILD" == "YES" ]]
+{{%- endmacro -%}}
+
+{{#
+This macro defines a conditional expression that is evaluated as true
+if the remediation is not performed during a build of a bootable container image.
+#}}
+{{%- macro not_bootc_build() -%}}
+[[ "$OSCAP_BOOTC_BUILD" != "YES" ]]
+{{%- endmacro -%}}

From 0834570b5e137f72a52417d770f14e7677663619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 25 Oct 2024 11:35:52 +0200
Subject: [PATCH 2/2] Prefix bootc macro names with bash

---
 .../disable_ctrlaltdel_reboot/bash/shared.sh | 2 +-
 shared/macros/10-bash.jinja | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index ff3936552fd..00441137262 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_all
-if {{{ bootc_build() }}} ; then
+if {{{ bash_bootc_build() }}} ; then
 systemctl disable ctrl-alt-del.target
 systemctl mask ctrl-alt-del.target
 else
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 5317e50f725..883f8929ddf 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
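Review bot: `[[ "$OSCAP_BOOTC_BUILD" == "YES" ]]` aborts with an unbound-variable error if the generated remediation is executed under `set -u` and the variable is not exported, which is the normal case outside an image build; both macros should use a default expansion, `[[ "${OSCAP_BOOTC_BUILD:-}" == "YES" ]]` and `[[ "${OSCAP_BOOTC_BUILD:-}" != "YES" ]]`, so an unset variable reads as "not a bootc build". The comment blocks describe the outcome but not the contract; state it explicitly, e.g. `Evaluates to true only when the environment variable OSCAP_BOOTC_BUILD is set to exactly "YES"; any other value, or an unset variable, means a normal run.` Since the switch is an environment variable, whoever can set it in the remediation environment chooses the branch every remediation takes, so the comment should also name the component expected to export it (not visible in this diff) and that it is not meant to be taken from untrusted input. `not_bootc_build` could emit `! ` followed by the `bootc_build()` expression so the two cannot drift apart, but that is a style point.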
@@ -2522,7 +2522,7 @@ chmod -R u=rwX,go=rX /etc/dconf/profile
 This macro defines a conditional expression that is evaluated as true
 if the remediation is performed during a build of a bootable container image.
 #}}
-{{%- macro bootc_build() -%}}
+{{%- macro bash_bootc_build() -%}}
 [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]
 {{%- endmacro -%}}
 
@@ -2530,6 +2530,6 @@ if the remediation is performed during a build of a bootable container image.
 This macro defines a conditional expression that is evaluated as true
 if the remediation is not performed during a build of a bootable container image.
 #}}
-{{%- macro not_bootc_build() -%}}
+{{%- macro bash_not_bootc_build() -%}}
 [[ "$OSCAP_BOOTC_BUILD" != "YES" ]]
 {{%- endmacro -%}}