microsoft · elainezhao1 · Sep 30, 2024 · Oct 1, 2024 · Oct 2, 2024 · Oct 2, 2024
@@ -55,6 +55,9 @@ const (
 	// CmdlineSELinuxEnforcingArg is the arg required for forcing SELinux to be in enforcing mode.
 	CmdlineSELinuxEnforcingArg = "enforcing=1"
 
+	// CmdlineSELinuxPermissiveArg is the arg for SELinux to be in force-permissive mode.
+	CmdlineSELinuxPermissiveArg = "enforcing=0"
+
 	// CmdlineSELinuxSettings is the kernel command-line args for enabling SELinux.
 	CmdlineSELinuxSettings = CmdlineSELinuxSecurityArg + " " + CmdlineSELinuxEnabledArg
 

@@ -13,10 +13,12 @@ import (
 
 // OS defines how each system present on the image is supposed to be configured.
 type OS struct {
-	Hostname string                     `yaml:"hostname"`
-	SELinux  imagecustomizerapi.SELinux `yaml:"selinux"`
-	Users    []imagecustomizerapi.User  `yaml:"users"`
-	Overlays *[]Overlay                 `yaml:"overlays"`
+	Hostname   string                     `yaml:"hostname"`
+	SELinux    imagecustomizerapi.SELinux `yaml:"selinux"`
+	Users      []imagecustomizerapi.User  `yaml:"users"`
+	Overlays   *[]Overlay                 `yaml:"overlays"`
+	Verity     *imagecustomizerapi.Verity `yaml:"verity"`
+	RootDevice string                     `yaml:"rootDevice"`
 }
 
 func (s *OS) IsValid() error {
@@ -65,5 +67,10 @@ func (s *OS) IsValid() error {
 		}
 	}
 
+	err = s.Verity.IsValid()
+	if err != nil {
+		return fmt.Errorf("invalid verity:\n%w", err)
+	}
+
 	return nil
 }
@@ -136,6 +136,21 @@ func (b *BootCustomizer) UpdateSELinuxCommandLine(selinuxMode imagecustomizerapi
 	return nil
 }
 
+// Update the image's SELinux kernel command-line args.
+func (b *BootCustomizer) UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) error {
+	newSELinuxArgs, err := selinuxModeToArgsWithEnforcingArg(selinuxMode)
+	if err != nil {
+		return err
+	}
+
+	err = b.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineForSELinux, selinuxArgNames, newSELinuxArgs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (b *BootCustomizer) UpdateKernelCommandLineArgs(defaultGrubFileVarName defaultGrubFileVarName,
 	argsToRemove []string, newArgs []string,
 ) error {

@@ -123,7 +123,7 @@ func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash
 		return err
 	}
 
-	formattedCorruptionOption, err := systemdFormatCorruptionOption(rootfsVerity.CorruptionOption)
+	formattedCorruptionOption, err := SystemdFormatCorruptionOption(rootfsVerity.CorruptionOption)
 	if err != nil {
 		return err
 	}
@@ -231,7 +231,7 @@ func systemdFormatPartitionId(configDeviceId string, mountIdType imagecustomizer
 	}
 }
 
-func systemdFormatCorruptionOption(corruptionOption imagecustomizerapi.CorruptionOption) (string, error) {
+func SystemdFormatCorruptionOption(corruptionOption imagecustomizerapi.CorruptionOption) (string, error) {
 	switch corruptionOption {
 	case imagecustomizerapi.CorruptionOptionDefault, imagecustomizerapi.CorruptionOptionIoError:
 		return "", nil

@@ -591,6 +591,28 @@ func selinuxModeToArgs(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, er
 	return newSELinuxArgs, nil
 }
 
+// Converts an SELinux mode into the list of required command-line args for that mode (with enforcing mode).
+func selinuxModeToArgsWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, error) {
+	newSELinuxArgs := []string(nil)
+	switch selinuxMode {
+	case imagecustomizerapi.SELinuxModeDisabled:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxDisabledArg}
+
+	case imagecustomizerapi.SELinuxModeForceEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+			installutils.CmdlineSELinuxEnforcingArg}
+
+	case imagecustomizerapi.SELinuxModePermissive, imagecustomizerapi.SELinuxModeEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+			installutils.CmdlineSELinuxPermissiveArg}
+
+	default:
+		return nil, fmt.Errorf("unknown SELinux mode (%s)", selinuxMode)
+	}
+
+	return newSELinuxArgs, nil
+}
+
 // Update the SELinux kernel command-line args.
 func updateSELinuxCommandLineHelperAll(grub2Config string, selinuxMode imagecustomizerapi.SELinuxMode, allowMultiple bool, requireKernelOpts bool) (string, error) {
 	newSELinuxArgs, err := selinuxModeToArgs(selinuxMode)

@@ -61,6 +61,67 @@ func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error {
 		}
 	}
 
+	if osConfig.Verity != nil {
+
+		bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot)
+		if err != nil {
+			return err
+		}
+
+		err = updateDefaultGrubForVerity(osConfig.Verity, bootCustomizer)
+		if err != nil {
+			return err
+		}
+
+		err = bootCustomizer.WriteToFile(dummyChroot)
+		if err != nil {
+			return err
+		}
+	}
+
+	if osConfig.RootDevice != "" {
+
+		bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot)
+		if err != nil {
+			return err
+		}
+
+		err = bootCustomizer.SetRootDevice(osConfig.RootDevice)
+		if err != nil {
+			return err
+		}
+
+		err = bootCustomizer.WriteToFile(dummyChroot)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateDefaultGrubForVerity(verity *imagecustomizerapi.Verity, bootCustomizer *imagecustomizerlib.BootCustomizer) error {
+
+	var err error
+
+	formattedCorruptionOption, err := imagecustomizerlib.SystemdFormatCorruptionOption(verity.CorruptionOption)
+	if err != nil {
+		return err
+	}
+
+	newArgs := []string{
+		"rd.systemd.verity=1",
+		fmt.Sprintf("systemd.verity_root_data=%s", verity.DataDeviceId),
+		fmt.Sprintf("systemd.verity_root_hash=%s", verity.HashDeviceId),
+		fmt.Sprintf("systemd.verity_root_options=%s", formattedCorruptionOption),
+	}
+
+	err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.systemd.verity",
+		"systemd.verity_root_data", "systemd.verity_root_hash", "systemd.verity_root_options"}, newArgs)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -109,12 +170,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i
 
 	logger.Log.Infof("Configuring SELinux mode")
 
-	err = bootCustomizer.UpdateSELinuxCommandLine(selinuxMode)
-	if err != nil {
-		return err
-	}
-
-	err = imagecustomizerlib.UpdateSELinuxModeInConfigFile(selinuxMode, dummyChroot)
+	err = bootCustomizer.UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode)
 	if err != nil {
 		return err
 	}

@@ -14,12 +14,8 @@ import (
 
 var grubArgs = []string{
 	"rd.overlayfs",
-	"roothash",
 	"root",
-	"rd.systemd.verity",
-	"systemd.verity_root_data",
-	"systemd.verity_root_hash",
-	"systemd.verity_root_options",
+	"roothash",
 	"selinux",
 	"enforcing",
 }
@@ -92,6 +88,5 @@ func extractValuesFromGrubConfig(imageChroot safechroot.ChrootInterface) ([]stri
 			}
 		}
 	}
-
 	return values, rootDevice, nil
 }