add enforcing=0 for permissive mode

microsoft · Oct 31, 2024 · d78451e · d78451e
1 parent 7555cc3
commit d78451e
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 1 deletion.
diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go
@@ -55,6 +55,9 @@ const (
 	// CmdlineSELinuxEnforcingArg is the arg required for forcing SELinux to be in enforcing mode.
 	CmdlineSELinuxEnforcingArg = "enforcing=1"
 
+	// CmdlineSELinuxPermissiveArg is the arg required for SELinux to be in permissive mode.
+	CmdlineSELinuxPermissiveArg = "enforcing=0"
+
 	// CmdlineSELinuxSettings is the kernel command-line args for enabling SELinux.
 	CmdlineSELinuxSettings = CmdlineSELinuxSecurityArg + " " + CmdlineSELinuxEnabledArg
 

diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
@@ -136,6 +136,21 @@ func (b *BootCustomizer) UpdateSELinuxCommandLine(selinuxMode imagecustomizerapi
 	return nil
 }
 
+// Update the image's SELinux kernel command-line args.
+func (b *BootCustomizer) UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) error {
+	newSELinuxArgs, err := selinuxModeToArgsWithEnforcingArg(selinuxMode)
+	if err != nil {
+		return err
+	}
+
+	err = b.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineForSELinux, selinuxArgNames, newSELinuxArgs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (b *BootCustomizer) UpdateKernelCommandLineArgs(defaultGrubFileVarName defaultGrubFileVarName,
 	argsToRemove []string, newArgs []string,
 ) error {

diff --git a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
@@ -591,6 +591,28 @@ func selinuxModeToArgs(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, er
 	return newSELinuxArgs, nil
 }
 
+// Converts an SELinux mode into the list of required command-line args for that mode (with enforcing mode).
+func selinuxModeToArgsWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, error) {
+	newSELinuxArgs := []string(nil)
+	switch selinuxMode {
+	case imagecustomizerapi.SELinuxModeDisabled:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxDisabledArg}
+
+	case imagecustomizerapi.SELinuxModeForceEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+			installutils.CmdlineSELinuxEnforcingArg}
+
+	case imagecustomizerapi.SELinuxModePermissive, imagecustomizerapi.SELinuxModeEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+		installutils.CmdlineSELinuxPermissiveArg}
+
+	default:
+		return nil, fmt.Errorf("unknown SELinux mode (%s)", selinuxMode)
+	}
+
+	return newSELinuxArgs, nil
+}
+
 // Update the SELinux kernel command-line args.
 func updateSELinuxCommandLineHelperAll(grub2Config string, selinuxMode imagecustomizerapi.SELinuxMode, allowMultiple bool, requireKernelOpts bool) (string, error) {
 	newSELinuxArgs, err := selinuxModeToArgs(selinuxMode)

diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go
@@ -170,7 +170,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i
 
 	logger.Log.Infof("Configuring SELinux mode")
 
-	err = bootCustomizer.UpdateSELinuxCommandLine(selinuxMode)
+	err = bootCustomizer.UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode)
 	if err != nil {
 		return err
 	}