stages: add org.osbuild.update-crypto-policies stage

This stage calls `update-crypto-policies` to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. Signed-off-by: Miguel Martín <mmartinv@redhat.com>
mmartinv · Nov 13, 2023 · 41d5441 · 41d5441
1 parent fb1bc6f
commit 41d5441
Show file tree

Hide file tree

Showing 6 changed files with 2,308 additions and 0 deletions.
diff --git a/stages/org.osbuild.update-crypto-policies b/stages/org.osbuild.update-crypto-policies
@@ -0,0 +1,52 @@
+#!/usr/bin/python3
+"""
+Sets the policy applicable for the various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+This stage calls `update-crypto-policies` to set the system's
+cryptographic policy.
+
+Notes:
+  - Requires 'chroot' in the buildroot.
+  - Runs the 'update-crypto-policies' script from the image in the chroot.
+"""
+
+
+import subprocess
+import sys
+
+from osbuild import api
+
+SCHEMA_2 = r"""
+"options": {
+  "additionalProperties": false,
+  "description": "Sets the current policy and overwrites the config file",
+  "required": [ "policy" ],
+  "properties": {
+    "policy": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The policy to be applied."
+    }
+  }
+}
+"""
+
+
+def main(tree, options):
+    policy = options.get("policy", "")
+    if policy == "":
+        return 1
+
+    cmd = ["/usr/sbin/chroot", tree,
+           "/usr/bin/update-crypto-policies", "--set", policy]
+
+    subprocess.run(cmd, check=True)
+
+    return 0
+
+
+if __name__ == "__main__":
+    args = api.arguments()
+    r = main(args["tree"], args["options"])
+    sys.exit(r)