From 2915167e13a413e4f9617ee827f5934be20c382d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 29 Nov 2024 15:15:30 +0100 Subject: [PATCH 1/7] Improve grub2_bootloader_argument for IM Extend the template `grub2_bootloader_argument` and `grub2_bootloader_argument_absent` to make it work also for bootable containers. In bootable containers, the kernel arguments are specified in TOML files in the special directory `/usr/lib/bootc/kargs.d/`. For more details, please read: https://containers.github.io/bootc/building/kernel-arguments.html This commit changes CPE platform to `system_with_kernel` in all rules that use these templates. These rules configure kernel arguments, therefore it makes sense to have them applicable on systems that contain a kernel, including bootable containers. --- .../grub2_enable_iommu_force/rule.yml | 2 +- .../grub2_init_on_alloc_argument/rule.yml | 2 +- .../grub2_kernel_trust_cpu_rng/rule.yml | 2 +- .../grub2_l1tf_argument/rule.yml | 2 +- .../grub2_mce_argument/rule.yml | 2 +- .../grub2_mds_argument/rule.yml | 2 +- .../grub2_mitigation_argument/rule.yml | 2 +- .../grub2_nosmap_argument_absent/rule.yml | 2 +- .../grub2_nosmep_argument_absent/rule.yml | 2 +- .../rule.yml | 2 +- .../grub2_pti_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../grub2_slab_nomerge_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../grub2_spectre_v2_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../grub2_vsyscall_argument/rule.yml | 2 +- shared/checks/oval/bootc.xml | 13 +++++ .../grub2_bootloader_argument/bash.template | 17 +++++- .../grub2_bootloader_argument/oval.template | 54 +++++++++++++++++++ .../grub2_bootloader_argument/template.py | 3 +- .../bash.template | 5 ++ .../oval.template | 21 ++++++++ 23 files changed, 127 insertions(+), 20 deletions(-) create mode 100644 shared/checks/oval/bootc.xml
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 84d077c730a..4fa2ffd16ac 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -20,7 +20,7 @@ identifiers: cce@sle12: CCE-91532-2 cce@sle15: CCE-91217-0 -platform: machine +platform: system_with_kernel ocil_clause: 'I/OMMU is not activated' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 09418dce6ce..ef5dc89ebb0 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -24,7 +24,7 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml index 1abeb706b4f..93e6ac01ce2 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml @@ -46,7 +46,7 @@ ocil: |- the kernel, check that the option is configured through boot parameter. {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index c2294d46d55..979ec7c3554 100644 
--- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -36,7 +36,7 @@ ocil_clause: 'l1tf mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("l1tf=" + xccdf_value("var_l1tf_options")) | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 1878c63fa04..8ebd96ed33d 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -29,7 +29,7 @@ ocil_clause: 'MCE tolerance is not set to zero' ocil: |- {{{ ocil_grub2_argument("mce=0") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml index e9d37a1d3c1..afd6d1fccb6 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml @@ -47,7 +47,7 @@ ocil_clause: 'MDS mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("mds=" + xccdf_value(var_mds_options)) | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml index 08f237cce8c..af4e46f8cfb 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml 
@@ -24,7 +24,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-010424 -platform: grub2 +platform: system_with_kernel ocil_clause: 'mitigations is set to off' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index db1fdff2117..df1110432f2 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -34,7 +34,7 @@ ocil: |-
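Review bot: For grub2_mitigation_argument the platform moves from `grub2` to `system_with_kernel`, which drops the assertion that GRUB2 is present, while the non-bootc branch of the template still runs `grub2_bootloader_argument_remediation` unconditionally; unless the `system_with_kernel` CPE (not in this diff) is itself defined as GRUB2-or-bootc, the rule now also selects kernel hosts without GRUB2 and remediates them with grub2 tooling. If the CPE is that narrow, a one-line comment on the `platform:` key saying so would save the next reader the lookup; if it is not, the `and` composition already used by grub2_vsyscall_argument (`system_with_kernel and x86_64_arch`) suggests the shape of a tighter expression.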
grep -q nosmap /boot/config-`uname -r`
If the command returns a line, it means that SMAP is being disabled. -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index 3bdd52aa725..ba17b67cc90 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -34,7 +34,7 @@ ocil: |-
grep -q nosmep /boot/config-`uname -r`
If the command returns a line, it means that SMEP is being disabled. -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index e483044c000..bf166f797d4 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml @@ -31,7 +31,7 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index eeaf319fadb..373a3b49776 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -34,7 +34,7 @@ ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- {{{ ocil_grub2_argument("pti=on") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index 7d8006c8bfb..6168d85abce 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml 
@@ -37,7 +37,7 @@ ocil_clause: 'trust on hardware random number generator is not configured approp ocil: |- {{{ ocil_grub2_argument("rng_core.default_quality=" + xccdf_value("var_rng_core_default_quality")) | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index fc87c9c677b..f4e9ec445a3 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -35,7 +35,7 @@ ocil_clause: 'merging of slabs with similar size is enabled' ocil: |- {{{ ocil_grub2_argument("slab_nomerge=yes") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index c5a8bf55a47..c302a04e37a 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml @@ -39,7 +39,7 @@ ocil_clause: 'SSB is not configured appropriately' ocil: |- {{{ ocil_grub2_argument("spec_store_bypass_disable=" + xccdf_value("var_spec_store_bypass_disable_options")) | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml index 30fac26201b..c6dceb12c27 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml 
@@ -32,7 +32,7 @@ ocil_clause: 'spectre_v2 mitigation is not enforced' ocil: |- {{{ ocil_grub2_argument("spectre_v2=on") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml index 55d8e0e7f64..973d2447dd7 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml @@ -44,7 +44,7 @@ ocil: |- fixtext: |- {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} -platform: machine +platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 3e1e837c8f2..f3907cd08d8 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -33,7 +33,7 @@ ocil_clause: 'vsyscalls are enabled' ocil: |- {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} -platform: machine and x86_64_arch +platform: system_with_kernel and x86_64_arch template: name: grub2_bootloader_argument diff --git a/shared/checks/oval/bootc.xml b/shared/checks/oval/bootc.xml new file mode 100644 index 00000000000..c42129ba964 --- /dev/null +++ b/shared/checks/oval/bootc.xml 
@@ -0,0 +1,13 @@ + + + {{{ oval_metadata("Bootable container or bootc system", affected_platforms=["multi_platform_all"]) }}} + + + + + + +{{{ oval_test_package_installed(package="kernel", test_id="bootc_platform_test_kernel_installed") }}} +{{{ oval_test_package_installed(package="rpm-ostree", test_id="bootc_platform_test_rpm_ostree_installed") }}} +{{{ oval_test_package_installed(package="bootc", test_id="bootc_platform_test_bootc_installed") }}} + diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 3a60d19bdcc..484a7165d62 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -3,9 +3,22 @@ See the OVAL template for more comments. Product-specific categorization should be synced across all template content types -#}} + {{%- if ARG_VARIABLE %}} {{{- bash_instantiate_variables(ARG_VARIABLE) }}} {{%- set ARG_NAME_VALUE= ARG_NAME ~ "=$" ~ ARG_VARIABLE %}} -{{%- endif %}} +expected_value="${{{ ARG_VARIABLE }}}" +{{% else %}} +expected_value="{{{ ARG_VALUE }}}" +{{% endif %}} -{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}} +if {{{ bash_bootc_build() }}} ; then + KARGS_DIR="/usr/lib/bootc/kargs.d/" + if grep -q -E "{{{ ARG_NAME }}}" "$KARGS_DIR/*.toml" ; then + sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR/*.toml" + else + echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml" + fi +else +{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) | indent(4) }}} +fi diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index 7da54a99f1b..7159c571597 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template 
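Review bot: The new platform definition keys on installed packages (`kernel`, `rpm-ostree`, `bootc`) rather than on the system actually being managed by bootc, while the bash remediation in this series branches on `bash_bootc_build()`; the two can disagree on a running bootc host, where `/usr` is normally read-only and `/usr/lib/bootc/kargs.d/` cannot be edited in place. The criteria operator is not visible in this rendering, so I cannot tell whether all three packages are required or any one suffices. A short comment next to the metadata stating the intended semantics would help, e.g. `<!-- Matches an image being built with bootc or a bootc-managed host; kargs.d edits are only meaningful at image build time. -->`.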
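Review bot: The bootc branch never finds an existing setting: `"$KARGS_DIR/*.toml"` keeps the `*` inside double quotes, so neither grep nor sed gets an expanded file list and the remediation always falls into the `echo >>` branch (appending a second `kargs` key if the per-argument file already exists, which is invalid TOML). The grep is also unanchored and unescaped, so `grep -E "pti"` is satisfied by a file containing `"nopti"`, and the dot in `page_alloc.shuffle` acts as a wildcard even though `template.py` already provides `ESCAPED_ARG_NAME` for exactly this. `$expected_value` is interpolated raw into the sed replacement, so a variable value containing `/`, `&` or `\` would break the expression; the values used by these rules appear not to, but that assumption deserves a comment. Proposed rewrite of the bootc branch below; the grub2 fallback is unchanged.
```shell
if {{{ bash_bootc_build() }}} ; then
    KARGS_DIR="/usr/lib/bootc/kargs.d"
    mkdir -p "$KARGS_DIR"
    # Unquoted glob so the shell expands it; match the quoted "name=" element so that
    # e.g. "nopti" does not satisfy a search for "pti". ESCAPED_ARG_NAME has '.' escaped.
    if grep -q -E "\"{{{ ESCAPED_ARG_NAME }}}=[^\"]*\"" "$KARGS_DIR"/*.toml 2>/dev/null ; then
        # NOTE: expected_value is assumed to contain no '/', '&' or '\' (sed replacement syntax).
        sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ESCAPED_ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR"/*.toml
    else
        # One file per argument; overwrite rather than append so a stale file never ends
        # up with two "kargs" keys, which is invalid TOML.
        echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" > "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml"
    fi
else
    # … unchanged: grub2_bootloader_argument_remediation …
fi
```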
+++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -12,6 +12,7 @@ {{% set system_with_kernel_options_in_etc_default_grub_d = false -%}} {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} {{% set system_with_bios_and_uefi_support = false -%}} +{{% set bootable_containers_supported = false %}} {{% if product in ["fedora", "ol9", "rhel9", "rhel10"] -%}} {{% set system_with_expanded_kernel_options_in_loader_entries = true %}} @@ -33,10 +34,14 @@ {{% set system_with_bios_and_uefi_support = true %}} {{%- endif -%}} +{{% if product in ["rhel9", "rhel10"] -%}} +{{% set bootable_containers_supported = true %}} +{{%- endif -%}} {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} {{%- endif %}} + {{% if bootable_containers_supported %}} + + + + + {{% endif %}} + {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} @@ -307,4 +319,46 @@ {{% endif %}} +{{% if bootable_containers_supported %}} + + + + + + /usr/lib/bootc/kargs.d/ + ^.*\.toml$ + ^kargs = \["([^\"]+)"\]$ + 1 + +{{% if ARG_VALUE %}} + + ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ + +{{% else %}} + + + + + + + ^(?:.*\s)?{{{ ARG_NAME }}}= + {{% if IS_SUBSTRING == "true" %}} + \S* + {{% endif %}} + + {{% if IS_SUBSTRING == "true" %}} + \S* + {{% endif %}} + (?:\s.*)?$ + + + + +{{% endif %}} +{{% endif %}} + diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py index 9189d1dc543..af42a9007ec 100644 --- a/shared/templates/grub2_bootloader_argument/template.py +++ b/shared/templates/grub2_bootloader_argument/template.py 
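Review bot: The textfilecontent54 object pattern `^kargs = \["([^\"]+)"\]$` only recognises a one-element array with exactly one space on each side of `=`, so a kargs.d file written the way the linked bootc documentation shows (`kargs = ["quiet", "pti=on"]`, or with a trailing comma) is never captured and the rule reports fail even though the argument is set. The state regexes reuse the kernel-command-line form `^(?:.*\s)?name=value(?:\s.*)?$`, which cannot see a value that is wrapped in quotes and separated by commas, so widening the object pattern alone is not enough. One way to keep the state regexes unchanged is to capture each quoted element on its own, e.g. a pattern of `"([^"]*)"` applied to `kargs` lines with all instances selected, so every array element becomes a separate item. Note also that the present check uses `{{{ ESCAPED_ARG_NAME_VALUE }}}` while the variable branch below uses raw `{{{ ARG_NAME }}}=`, where a `.` in names such as `page_alloc.shuffle` is an unescaped metacharacter. The template's product-detection header is outside this hunk.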
@@ -21,5 +21,6 @@ def preprocess(data, lang): data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.") # replace . with _, this is used in test / object / state ids - data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"]) + + data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"]) return data diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template index 8d7d6e9ea83..ca95bdea81b 100644 --- a/shared/templates/grub2_bootloader_argument_absent/bash.template +++ b/shared/templates/grub2_bootloader_argument_absent/bash.template @@ -3,4 +3,9 @@ See the OVAL template for more comments. Product-specific categorization should be synced across all template content types -#}} +if {{{ bash_bootc_build() }}} ; then + sed -i -E "/kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}=[^\"]*\"\s*]/d" "$KARGS_DIR/*.toml" + sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\2/" "$KARGS_DIR/*.toml" +else {{{ grub2_bootloader_argument_absent_remediation(ARG_NAME) }}} +fi diff --git a/shared/templates/grub2_bootloader_argument_absent/oval.template b/shared/templates/grub2_bootloader_argument_absent/oval.template index e59b944cbd7..813fca5703b 100644 --- a/shared/templates/grub2_bootloader_argument_absent/oval.template +++ b/shared/templates/grub2_bootloader_argument_absent/oval.template @@ -32,6 +32,7 @@ {{{ oval_metadata("Ensure " + ARG_NAME + " is not set in the kernel line in /etc/default/grub.") }}} + {{% if system_with_kernel_options_in_grubenv -%}} {{% if system_with_bios_and_uefi_support -%}} @@ -77,6 +78,13 @@ {{%- endif %}} + {{% if bootable_containers_supported == "true" %}} + + + + + {{% endif %}} + {{%- if system_with_kernel_options_in_etc_default_grub %}} 
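Review bot: Neither sed can remove the arguments this template is actually used for: both patterns require `{{{ ARG_NAME }}}=` followed by a value, while the three rules switched to it in this series (`nosmap`, `nosmep`, `debug-shell`) are bare flags with no `=`, so `kargs = ["nosmap"]` is left untouched and the rule stays failing after remediation. Independently, `$KARGS_DIR` is never assigned in this template (it is set only in the sibling `grub2_bootloader_argument/bash.template`, a different generated script), so the path degrades to `"/*.toml"`, and that glob is inside double quotes and is never expanded anyway. Removing an element that is not the last one also leaves `[, "quiet"]`, which is not valid TOML (a trailing comma is, a leading one is not). The rewrite below makes the value optional, defines the directory, expands the glob and consumes the separator together with the element; the grub2 fallback is unchanged.
```shell
if {{{ bash_bootc_build() }}} ; then
    KARGS_DIR="/usr/lib/bootc/kargs.d"
    for kargs_file in "$KARGS_DIR"/*.toml ; do
        [ -e "$kargs_file" ] || continue
        # Drop arrays that hold only this argument; "=value" is optional because
        # flags such as nosmap carry no value.
        sed -i -E "/^\s*kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}(=[^\"]*)?\"\s*,?\s*\]\s*$/d" "$kargs_file"
        # Otherwise remove the element together with its trailing separator so the
        # array stays valid TOML (leading commas are not allowed, trailing ones are).
        sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}(=[^\"]*)?\"\s*,?\s*(.*\])/\1\3/" "$kargs_file"
    done
else
    # … unchanged: grub2_bootloader_argument_absent_remediation …
fi
```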
@@ -174,4 +182,17 @@ {{%- endif %}} {{%- endif %}} +{{% if bootable_containers_supported == "true" %}} + + + + + /usr/lib/bootc/kargs.d/ + ^.*\.toml$ + ^kargs = \["{{{ ARG_NAME }}}.*"\]$ + 1 + +{{% endif %}} From f0786175a7a7b74ce93c968ce5252644829d7b80 Mon Sep 17 00:00:00 2001 
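Review bot: The absent check's pattern `^kargs = \["{{{ ARG_NAME }}}.*"\]$` only sees the argument when it is the first element of a one-space-formatted array, so `kargs = ["quiet", "nosmap"]` (the layout the linked bootc documentation shows) passes the check while SMAP is in fact disabled; this is the false-pass direction, which matters more here than a spurious fail. Because `.*"` also runs to the end of the array, any element that merely starts with the name (`"nosmapx"`) matches, and a `.` in the name would be an unescaped metacharacter. I would anchor on the quoted element instead: `^\s*kargs\s*=\s*\[.*"{{{ ARG_NAME }}}(=[^"]*)?".*\]\s*$`, using an escaped form of the name if this template's preprocess provides one (only the present template's `template.py` is in this diff).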
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 3 Dec 2024 14:03:16 +0100 Subject: [PATCH 2/7] Create a product property for bootable containers Promote the variable `bootable_containers_supported` to a product property. By default, bootable containers won't be supported. The RHEL 9 and 10 products will support bootable containers. This variable can be used at build time in many types of the code. --- products/rhel10/product.yml | 1 + products/rhel9/product.yml | 1 + shared/templates/grub2_bootloader_argument/oval.template | 9 ++------- ssg/constants.py | 1 + ssg/products.py | 4 ++++ tests/data/product_stability/alinux2.yml | 1 + tests/data/product_stability/alinux3.yml | 1 + tests/data/product_stability/anolis23.yml | 1 + tests/data/product_stability/anolis8.yml | 1 + tests/data/product_stability/chromium.yml | 1 + tests/data/product_stability/debian11.yml | 1 + tests/data/product_stability/debian12.yml | 1 + tests/data/product_stability/eks.yml | 1 + tests/data/product_stability/example.yml | 1 + tests/data/product_stability/fedora.yml | 1 + tests/data/product_stability/firefox.yml | 1 + tests/data/product_stability/macos1015.yml | 1 + tests/data/product_stability/ocp4.yml | 1 + tests/data/product_stability/ol7.yml | 1 + tests/data/product_stability/ol8.yml | 1 + tests/data/product_stability/ol9.yml | 1 + tests/data/product_stability/openembedded.yml | 1 + tests/data/product_stability/opensuse.yml | 1 + tests/data/product_stability/rhcos4.yml | 1 + tests/data/product_stability/rhel8.yml | 1 + tests/data/product_stability/rhel9.yml | 1 + tests/data/product_stability/rhv4.yml | 1 + tests/data/product_stability/sle12.yml | 1 + tests/data/product_stability/sle15.yml | 1 + tests/data/product_stability/ubuntu1604.yml | 1 + tests/data/product_stability/ubuntu1804.yml | 1 + tests/data/product_stability/ubuntu2004.yml | 1 + tests/data/product_stability/ubuntu2204.yml | 1 + tests/data/product_stability/ubuntu2404.yml | 1 + 34 files changed, 38 insertions(+), 7 
deletions(-) diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml index 6f502eef3e1..1c8cfea0ccb 100644 --- a/products/rhel10/product.yml +++ b/products/rhel10/product.yml @@ -21,6 +21,7 @@ init_system: "systemd" # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml index 30cbdeb0c22..eb0c0ac15ae 100644 --- a/products/rhel9/product.yml +++ b/products/rhel9/product.yml @@ -25,6 +25,7 @@ groups: name: ssh_keys sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index 7159c571597..ebcfbf891db 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -12,7 +12,6 @@ {{% set system_with_kernel_options_in_etc_default_grub_d = false -%}} {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} {{% set system_with_bios_and_uefi_support = false -%}} -{{% set bootable_containers_supported = false %}} {{% if product in ["fedora", "ol9", "rhel9", "rhel10"] -%}} {{% set system_with_expanded_kernel_options_in_loader_entries = true %}} @@ -34,10 +33,6 @@ {{% set system_with_bios_and_uefi_support = true %}} {{%- endif -%}} -{{% if product in ["rhel9", "rhel10"] -%}} -{{% set bootable_containers_supported = true %}} -{{%- endif -%}} - {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} @@ -114,7 +109,7 @@ {{%- endif %}} - {{% if bootable_containers_supported %}} + {{% if bootable_containers_supported == "true" %}} 
@@ -319,7 +314,7 @@ {{% endif %}} -{{% if bootable_containers_supported %}} +{{% if bootable_containers_supported == "true" %}} diff --git a/ssg/constants.py b/ssg/constants.py index f64c168495a..baa5484df23 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -457,6 +457,7 @@ DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/' DEFAULT_AUDISP_CONF_PATH = '/etc/audit' DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false' +DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED = 'false' # Constants for OVAL object model diff --git a/ssg/products.py b/ssg/products.py index 2c496689b9d..7f3c360b92b 100644 --- a/ssg/products.py +++ b/ssg/products.py @@ -20,6 +20,7 @@ DEFAULT_AUDISP_CONF_PATH, DEFAULT_FAILLOCK_PATH, DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE, + DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED, PKG_MANAGER_TO_SYSTEM, PKG_MANAGER_TO_CONFIG_FILE, XCCDF_PLATFORM_TO_PACKAGE, @@ -115,6 +116,9 @@ def _get_implied_properties(existing_properties): if "sysctl_remediate_drop_in_file" not in existing_properties: result["sysctl_remediate_drop_in_file"] = DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE + if "bootable_containers_supported" not in existing_properties: + result["bootable_containers_supported"] = DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED + return result diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml index 1d0d21086e4..5d78e56d1c0 100644 --- a/tests/data/product_stability/alinux2.yml +++ b/tests/data/product_stability/alinux2.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: ALINUX-2 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml index b9911b65b23..a35c8bc095a 100644 --- a/tests/data/product_stability/alinux3.yml +++ b/tests/data/product_stability/alinux3.yml 
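Review bot: `DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED` is the string `'false'` and the templates compare the property with `== "true"`, so the contract is string-typed; a product.yml that writes the YAML boolean `true` unquoted (unlike the quoted `"true"` used for rhel9/rhel10 here) would load as Python `True`, compare unequal to `"true"`, and silently disable the bootc checks for that product. Either document the quoted-string requirement next to the constant, e.g. `# string, not bool: templates test bootable_containers_supported == "true"`, or normalise here with something like `result["bootable_containers_supported"] = str(existing_properties.get("bootable_containers_supported", DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED)).lower()` — I have not confirmed that assigning into `result` unconditionally fits how this helper merges its output. `_get_implied_properties` starts outside the hunk.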
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: ALINUX-3 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml index 5d075e1dbae..5cf40e76f80 100644 --- a/tests/data/product_stability/anolis23.yml +++ b/tests/data/product_stability/anolis23.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: ANOLIS-23 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml index 1234155c677..6897ec95e56 100644 --- a/tests/data/product_stability/anolis8.yml +++ b/tests/data/product_stability/anolis8.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: ANOLIS-8 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/chromium.yml b/tests/data/product_stability/chromium.yml index 988756f6b2a..cabfac582bb 100644 --- a/tests/data/product_stability/chromium.yml +++ b/tests/data/product_stability/chromium.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: CHROMIUM benchmark_root: ./guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml index 781766106c0..fd61f5233c5 100644 --- a/tests/data/product_stability/debian11.yml +++ b/tests/data/product_stability/debian11.yml 
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: DEBIAN-11 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml index e255f44fdda..e97bfc39f9e 100644 --- a/tests/data/product_stability/debian12.yml +++ b/tests/data/product_stability/debian12.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: DEBIAN-12 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/chrony.d/ cpes: diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml index 8d5d75abbaa..c509b65d65c 100644 --- a/tests/data/product_stability/eks.yml +++ b/tests/data/product_stability/eks.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: EKS benchmark_root: ../../applications +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml index d57b09f6bc8..b0194b338be 100644 --- a/tests/data/product_stability/example.yml +++ b/tests/data/product_stability/example.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: EXAMPLE benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ components_root: ../../components diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml index 6e90589886b..0b8886d55df 100644 --- a/tests/data/product_stability/fedora.yml +++ b/tests/data/product_stability/fedora.yml 
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: FEDORA benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ components_root: ../../components diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml index d34ed55f33b..843bedc1b55 100644 --- a/tests/data/product_stability/firefox.yml +++ b/tests/data/product_stability/firefox.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: FIREFOX benchmark_root: ./guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/macos1015.yml b/tests/data/product_stability/macos1015.yml index c5be4ce23ef..ec7e7c1b948 100644 --- a/tests/data/product_stability/macos1015.yml +++ b/tests/data/product_stability/macos1015.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: macOS-1015 benchmark_root: ../../apple_os/ +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml index fabaf419733..8a791680945 100644 --- a/tests/data/product_stability/ocp4.yml +++ b/tests/data/product_stability/ocp4.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: OCP-4 benchmark_root: ../../applications +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml index 6540a69e646..a82c12ecf64 100644 --- a/tests/data/product_stability/ol7.yml +++ b/tests/data/product_stability/ol7.yml 
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: OL-7 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml index 3de5d9a3218..5ff104357a2 100644 --- a/tests/data/product_stability/ol8.yml +++ b/tests/data/product_stability/ol8.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: OL-8 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml index 54f95e16db5..9cd20637ca1 100644 --- a/tests/data/product_stability/ol9.yml +++ b/tests/data/product_stability/ol9.yml @@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 982231759C7467065D0CE9B2A7DD07088B4EFBE6 basic_properties_derived: true benchmark_id: OL-9 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml index c94f79d4c41..dc88232705a 100644 --- a/tests/data/product_stability/openembedded.yml +++ b/tests/data/product_stability/openembedded.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: OPENEMBEDDED benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml index bd26608bfcd..ff9555f3abb 100644 --- a/tests/data/product_stability/opensuse.yml +++ b/tests/data/product_stability/opensuse.yml 
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: OPENSUSE benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml index aabfed5ee07..cafb6b18c3c 100644 --- a/tests/data/product_stability/rhcos4.yml +++ b/tests/data/product_stability/rhcos4.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: RHCOS-4 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml index be505770304..61ed42a1285 100644 --- a/tests/data/product_stability/rhel8.yml +++ b/tests/data/product_stability/rhel8.yml @@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792 basic_properties_derived: true benchmark_id: RHEL-8 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' centos_major_version: '8' centos_pkg_release: 5ccc5b19 centos_pkg_version: 8483c65d diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml index 839bc42a030..1f4b5144bcd 100644 --- a/tests/data/product_stability/rhel9.yml +++ b/tests/data/product_stability/rhel9.yml @@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 7E4624258C406535D56D6F135054E4A45A6340B3 basic_properties_derived: true benchmark_id: RHEL-9 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'true' centos_major_version: '9' centos_pkg_release: 5ccc5b19 centos_pkg_version: 8483c65d diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml index 1d023d03201..0746eeaa7d3 100644 --- a/tests/data/product_stability/rhv4.yml +++ b/tests/data/product_stability/rhv4.yml 
@@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792 basic_properties_derived: true benchmark_id: RHV-4 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml index 870ac6482da..2b0962bde5f 100644 --- a/tests/data/product_stability/sle12.yml +++ b/tests/data/product_stability/sle12.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: SLE-12 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml index fb226b17f5c..fca0213d418 100644 --- a/tests/data/product_stability/sle15.yml +++ b/tests/data/product_stability/sle15.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: SLE-15 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony.conf chrony_d_path: /etc/chrony.d/ cpes: diff --git a/tests/data/product_stability/ubuntu1604.yml b/tests/data/product_stability/ubuntu1604.yml index 938835c6c64..b4288d197aa 100644 --- a/tests/data/product_stability/ubuntu1604.yml +++ b/tests/data/product_stability/ubuntu1604.yml @@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: UBUNTU-XENIAL benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/conf.d/ cpes: diff --git a/tests/data/product_stability/ubuntu1804.yml b/tests/data/product_stability/ubuntu1804.yml index b2cff15e15f..176cd33d297 100644 --- a/tests/data/product_stability/ubuntu1804.yml +++ b/tests/data/product_stability/ubuntu1804.yml 
@@ -7,6 +7,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: UBUNTU-BIONIC benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/conf.d/ cpes: diff --git a/tests/data/product_stability/ubuntu2004.yml b/tests/data/product_stability/ubuntu2004.yml index 17a596d37cd..416270f9c8b 100644 --- a/tests/data/product_stability/ubuntu2004.yml +++ b/tests/data/product_stability/ubuntu2004.yml @@ -8,6 +8,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: UBUNTU_20-04 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/conf.d/ cpes: diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml index e4a53f9749d..4b0c515c1c6 100644 --- a/tests/data/product_stability/ubuntu2204.yml +++ b/tests/data/product_stability/ubuntu2204.yml @@ -8,6 +8,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: UBUNTU_22-04 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/conf.d/ cpes: diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml index 50d4e232f1a..62853e25cb5 100644 --- a/tests/data/product_stability/ubuntu2404.yml +++ b/tests/data/product_stability/ubuntu2404.yml @@ -8,6 +8,7 @@ auid: 1000 basic_properties_derived: true benchmark_id: UBUNTU_24-04 benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' chrony_conf_path: /etc/chrony/chrony.conf chrony_d_path: /etc/chrony/conf.d/ components_root: ../../components From 2ce53c448bb4f8f8902190f6174ca25ce630128f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Dec 2024 10:04:49 +0100 Subject: [PATCH 3/7] Optimize platform expressions in bootloader-grub2 group The bootloader-grub2 group contains multiple different platform expressions. However, all of them are related to grub2 and all of them should be applicable for bootable container, therefore, the platform can be set on the group level in group.yml to `grub2 and system_with_kernel`. Setting the platform on the group level allows us to simplify platform expressions in individual rules. Most of them that only set platform to `machine` or to `system_with_kernel` can be removed completely. --- linux_os/guide/system/bootloader-grub2/group.yml | 2 +- .../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 2 -- .../system/bootloader-grub2/grub2_enable_iommu_force/rule.yml | 1 - .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 1 - .../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 1 - .../guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml | 1 - .../guide/system/bootloader-grub2/grub2_mce_argument/rule.yml | 1 - .../guide/system/bootloader-grub2/grub2_mds_argument/rule.yml | 1 - .../system/bootloader-grub2/grub2_mitigation_argument/rule.yml | 1 - .../bootloader-grub2/grub2_nosmap_argument_absent/rule.yml | 1 - .../bootloader-grub2/grub2_nosmep_argument_absent/rule.yml | 1 - .../bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml | 1 - .../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 1 - .../grub2_rng_core_default_quality_argument/rule.yml | 1 - .../bootloader-grub2/grub2_slab_nomerge_argument/rule.yml | 1 - .../grub2_spec_store_bypass_disable_argument/rule.yml | 1 - .../system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml | 1 - .../grub2_systemd_debug-shell_argument_absent/rule.yml | 1 - .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +- .../non-uefi/file_groupowner_grub2_cfg/rule.yml | 1 - 
.../bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml | 1 - .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 1 - .../bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml | 1 - .../non-uefi/file_permissions_grub2_cfg/rule.yml | 1 - .../non-uefi/file_permissions_user_cfg/rule.yml | 1 - .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 1 - .../non-uefi/grub2_no_removeable_media/rule.yml | 1 - .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 1 - .../bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml | 1 - .../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 - .../bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml | 1 - .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 - .../bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml | 1 - .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 - .../uefi/file_permissions_efi_user_cfg/rule.yml | 1 - .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 1 - .../system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 1 - .../bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml | 1 - .../bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml | 1 - 39 files changed, 2 insertions(+), 40 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml index 4ffb40c0e8c..d1b4a3e3389 100644 --- a/linux_os/guide/system/bootloader-grub2/group.yml +++ b/linux_os/guide/system/bootloader-grub2/group.yml @@ -15,4 +15,4 @@ description: |- with a password and ensure its configuration file's permissions are set properly. -platform: grub2 +platform: grub2 and system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml index 6919ef54873..e8878c4cd45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml 
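Review bot: `platform: grub2 and system_with_kernel` on the group now also governs the grub.cfg/user.cfg ownership, permission and password rules whose own `platform: machine` lines are deleted later in this commit, so those rules become applicable to bootable containers that `machine` presumably excluded. Whether their checks and remediations behave sensibly during an image build, where the bootloader files may not be present, is not visible here. If that widening is intended, a comment on the platform line such as `# Bootable containers included: kernel-argument rules handle kargs.d in their templates` would record the decision; otherwise the non-argument rules should keep a `machine` platform of their own.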
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml @@ -41,5 +41,3 @@ fixtext: |- Then, run the following command: $ sudo {{{ grub_command("update") }}} - -platform: grub2 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 4fa2ffd16ac..41ee2618721 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -20,7 +20,6 @@ identifiers: cce@sle12: CCE-91532-2 cce@sle15: CCE-91217-0 -platform: system_with_kernel ocil_clause: 'I/OMMU is not activated' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index ef5dc89ebb0..2e721d99c54 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -24,7 +24,6 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml index 93e6ac01ce2..3d6b750d92f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml @@ -46,7 +46,6 @@ ocil: |- the kernel, check that the option is configured through boot parameter. {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index 979ec7c3554..8776d5bf328 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -36,7 +36,6 @@ ocil_clause: 'l1tf mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("l1tf=" + xccdf_value("var_l1tf_options")) | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 8ebd96ed33d..b9d0db90b0f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -29,7 +29,6 @@ ocil_clause: 'MCE tolerance is not set to zero' ocil: |- {{{ ocil_grub2_argument("mce=0") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml index afd6d1fccb6..6e24c5e5e07 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml @@ -47,7 +47,6 @@ ocil_clause: 'MDS mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("mds=" + xccdf_value(var_mds_options)) | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml index af4e46f8cfb..19ef226e4d6 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml @@ -24,7 +24,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-010424 -platform: system_with_kernel ocil_clause: 'mitigations is set to off' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index df1110432f2..691a8857d01 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -34,7 +34,6 @@ ocil: |-
grep -q nosmap /boot/config-`uname -r`
If the command returns a line, it means that SMAP is being disabled. -platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index ba17b67cc90..d887e29fbf6 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -34,7 +34,6 @@ ocil: |-
grep -q nosmep /boot/config-`uname -r`
If the command returns a line, it means that SMEP is being disabled. -platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index bf166f797d4..f94c8556847 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml @@ -31,7 +31,6 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index 373a3b49776..43ac06be3c1 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -34,7 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- {{{ ocil_grub2_argument("pti=on") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index 6168d85abce..ed4f2ce3dfc 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml 
@@ -37,7 +37,6 @@ ocil_clause: 'trust on hardware random number generator is not configured approp ocil: |- {{{ ocil_grub2_argument("rng_core.default_quality=" + xccdf_value("var_rng_core_default_quality")) | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index f4e9ec445a3..bc977ab55fa 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -35,7 +35,6 @@ ocil_clause: 'merging of slabs with similar size is enabled' ocil: |- {{{ ocil_grub2_argument("slab_nomerge=yes") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index c302a04e37a..31e883c710e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml @@ -39,7 +39,6 @@ ocil_clause: 'SSB is not configured appropriately' ocil: |- {{{ ocil_grub2_argument("spec_store_bypass_disable=" + xccdf_value("var_spec_store_bypass_disable_options")) | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml index c6dceb12c27..6d449bf5d21 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml 
@@ -32,7 +32,6 @@ ocil_clause: 'spectre_v2 mitigation is not enforced' ocil: |- {{{ ocil_grub2_argument("spectre_v2=on") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml index 973d2447dd7..a8315352e60 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml @@ -44,7 +44,6 @@ ocil: |- fixtext: |- {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} -platform: system_with_kernel template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index f3907cd08d8..28da623cf90 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -33,7 +33,7 @@ ocil_clause: 'vsyscalls are enabled' ocil: |- {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} -platform: system_with_kernel and x86_64_arch +platform: x86_64_arch template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml index 5c9a0b07154..fea605a8699 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml 
@@ -50,7 +50,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }}}' -platform: system_with_kernel template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml index 9dac1e38944..038ae369e6e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml @@ -44,7 +44,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }}}' -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml index 0e797faaadd..2bbb3449f7e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml @@ -46,7 +46,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}} -platform: system_with_kernel template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml index 85899b1ee9f..9d55b3ded1e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml 
@@ -39,7 +39,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/user.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml index 08a379d1712..9bd39315826 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml @@ -46,7 +46,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rw------- -platform: system_with_kernel template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml index b8258f5e9f3..55653bd8c6d 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_boot_path ~ "/user.cfg ocil: |- {{{ ocil_file_permissions(file=grub2_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index c476ddec3f4..9f8cc264b95 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml 
@@ -68,7 +68,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml index eabe7356e79..114cfd9340f 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'
-platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index bb7ceedc8f8..a2b97c4ee57 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -92,7 +92,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml index e492a98fa3f..b4f144c18b4 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml @@ -51,4 +51,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml index 1b18ddff95a..2cde2a0533e 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/gru ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", group="root") }}} -platform: machine template: name: file_groupowner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml index 55e0ccb1334..bea3273644f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/user.cfg", group="root") }}} -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml index 63e6683341b..acbf05579a4 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -36,7 +36,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml index 4c154afd3d2..ff55a8112e1 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml index e6c401a43c9..16acb38ae7a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rwx------ -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml index 1254dfbaade..6112e68f8b0 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_permissions(file=grub2_uefi_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index bd64b621f10..83be376b8dc 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -69,7 +69,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 4cf5ee4725c..831aa6ec3dd 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -93,7 +93,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel fixtext: |- Configure {{{ full_name }}} to use a secure UEFI boot loader password. diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml index 8014fa95781..75218ef36d3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml @@ -50,4 +50,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml index 059e63db720..f03bda5d61f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'
-platform: machine
From 32e5fdbde5ff902b7a5ff42b5008c73c3aa5df75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Dec 2024 11:09:28 +0100 Subject: [PATCH 4/7] Improve regular expressions This change will ensure that the first `sed` command that removes the `kargs` key completely will also remove the following `match-architectures` key if the key exists. Also, the second `sed` command that just removes an item from the list if the list contains multiple items has been adjusted to correctly remove commans between the items. Credit to Matus Marhefka :+1:
--- .../templates/grub2_bootloader_argument_absent/bash.template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
index ca95bdea81b..bf3a443bf48 100644
--- a/shared/templates/grub2_bootloader_argument_absent/bash.template
+++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
@@ -4,8 +4,8 @@ Product-specific categorization should be synced across all template content types -#}}
 if {{{ bash_bootc_build() }}} ; then
- sed -i -E "/kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}=[^\"]*\"\s*]/d" "$KARGS_DIR/*.toml"
- sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\2/" "$KARGS_DIR/*.toml"
+ sed -i -E "/kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
+ sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
 else
 {{{ grub2_bootloader_argument_absent_remediation(ARG_NAME) }}}
 fi
From 0dfba74b7fca902322bc9856ff83e18b6645fed5 Mon Sep 17 00:00:00 2001
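Review bot: Both sed invocations still pass the glob inside double quotes, `"$KARGS_DIR/*.toml"`, so bash does not expand it and sed is handed a literal path ending in `*.toml`; the kargs.d files have to be iterated unquoted. The new `{:a;N;/^\n$/ba;N;/match-architectures.*/d;}` block also regresses the plain case: the `/^\n$/ba` test can never match because the pattern space starts with the kargs line, so the entry is deleted only when `match-architectures` appears within the next two lines, and a file holding just `kargs = ["ARG=…"]` (or one where that line is the last line, so `N` makes GNU sed print and exit) keeps the argument that the old `/…/d` removed. Since a kargs.d file carries one `kargs` key, testing each file for the single-item list and then deleting both the `kargs` and `match-architectures` keys is simpler and covers those cases, while the multi-item substitution stays as written. Whether an emptied kargs.d file is acceptable to bootc or should be removed instead is not visible here.
```shell
if {{{ bash_bootc_build() }}} ; then
    for f in "$KARGS_DIR"/*.toml; do
        [ -e "$f" ] || continue
        # kargs list holds only this argument: drop the key and its match-architectures companion
        if grep -qE "kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}=[^\"]*\"\s*]" "$f"; then
            sed -i -E '/^\s*(kargs|match-architectures)\s*=/d' "$f"
        else
            sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$f"
        fi
    done
else
    # … unchanged: grub2_bootloader_argument_absent_remediation call …
fi
```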
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Dec 2024 14:15:49 +0100 Subject: [PATCH 5/7] Update rule description Mention that the kernel args configuration is different if using a bootable container image. This commit also unifies the description of removing the argument by defining a new Jinja macro containing the description. --- .../grub2_mitigation_argument/rule.yml | 2 ++ .../grub2_nosmap_argument_absent/rule.yml | 5 +--- .../grub2_nosmep_argument_absent/rule.yml | 5 +--- .../rule.yml | 8 +++--- shared/macros/01-general.jinja | 26 +++++++++++++++++++ 5 files changed, 33 insertions(+), 13 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml index 19ef226e4d6..78d2204659c 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml @@ -9,6 +9,8 @@ description: |- The mitigations must not be set to "off". + {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}} + rationale: |- Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index 691a8857d01..f54daaf2b3e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmap. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmap"
+ {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}} rationale: |- Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index d887e29fbf6..fd643ee7192 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmep. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmep"
+ {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}} rationale: |- Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml index a8315352e60..5649cb56a45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml @@ -13,12 +13,10 @@ description: |- By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 - boot paramenter option. + boot parameter option. + + {{{ describe_grub2_argument_absent("systemd.debug-shell") | indent(4) }}} - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument systemd.debug-shell=1. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
rationale: |- This prevents attackers with physical access from trivially bypassing security diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 4089d4d8707..22787371dea 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -1069,8 +1069,34 @@ Run the following command to update command line for already installed kernels: Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"
{{%- endif -%}} +{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead. +The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form: +
+# /usr/lib/bootc/kargs.d/10-example.toml
+kargs = ["{{{ arg_name_value }}}"]
+
+For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} {{%- endmacro -%}} +{{# + Describe how to remove a kernel argument from Grub2 default kernel command line. + +:param arg_name: The kernel parameter name +:type arg_name: str +#}} +{{%- macro describe_grub2_argument_absent(arg_name) -%}} +Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub +doesn't contain the argument {{{ arg_name }}}. +Run the following command to update command line for already installed kernels: +
# grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}"
+{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the /usr/lib/bootc/kargs.d directory. +Remove all occurences of {{{ arg_name }}} from all files in /usr/lib/bootc/kargs.d. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} +{{%- endmacro -%}} {{# Describe how to check a kernel compile parameter From 6626b2de754f82dc649b94414d9e6c2778f18c24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Dec 2024 16:42:04 +0100 Subject: [PATCH 6/7] Improve regular expression Improve regular expression so that it will match kernel arguments presents in lists that have more than 1 item. --- .../grub2_bootloader_argument/oval.template | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index ebcfbf891db..de394912a4f 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -324,23 +324,23 @@ /usr/lib/bootc/kargs.d/ ^.*\.toml$ - ^kargs = \["([^\"]+)"\]$ + ^kargs = \[([^\]]+)\]$ 1 {{% if ARG_VALUE %}} - ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ + ^.*"{{{ ESCAPED_ARG_NAME_VALUE }}}".*$ {{% else %}} - + - - ^(?:.*\s)?{{{ ARG_NAME }}}= + ^.*"{{{ ARG_NAME }}}= {{% if IS_SUBSTRING == "true" %}} \S* {{% endif %}} @@ -348,7 +348,7 @@ {{% if IS_SUBSTRING == "true" %}} \S* {{% endif %}} - (?:\s.*)?$ + ".*$ From 4077a0ea8f9fe136ab87cc9f81d1758bdce62e74 Mon Sep 17 00:00:00 2001 
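Review bot: `Remove all occurences of` in the new `describe_grub2_argument_absent` macro should read `occurrences`. The macro's bootc paragraph also stops at "remove the argument", while the bash template for the same `grub2_bootloader_argument_absent` template in this series deletes the whole `kargs` line, and a following `match-architectures` key, when the removed argument was the only list item; a sentence such as `If this leaves a kargs list empty, remove that kargs entry together with its match-architectures key, if present.` would make the description match what the remediation actually does. The first hunk's addition to `describe_grub2_argument` belongs to a macro whose start is outside the hunk.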
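Review bot: The new `^kargs = \[([^\]]+)\]$` pattern accepts exactly one space on each side of `=` and nothing after `]`, whereas the remediation sed in `grub2_bootloader_argument_absent/bash.template` (patch 4/7) tolerates `\s*` around them; a TOML file written as `kargs=["..."]` or with trailing whitespace is valid for the parser but invisible to this check, which would then report the argument as missing. `^\s*kargs\s*=\s*\[([^\]]+)\]\s*$` would match the same files the remediation edits. The item pattern `^.*"{{{ ARG_NAME }}}=` is anchored on a quote, so an item bundling several arguments in one string would not be found either; if that form is intentionally unsupported, a short comment stating that one kernel argument per list item is expected would make the contract explicit. The surrounding XML elements are not visible in this rendering, so a `\s*` handled elsewhere may have escaped me.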
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 19 Dec 2024 11:59:20 +0100 Subject: [PATCH 7/7] Prevent false negative results With this change will will ensure that the rule will not pass if we are in RHEL Image mode and we have configuration for the classic RHEL mode set in place. --- shared/templates/grub2_bootloader_argument/oval.template | 5 ++++- .../templates/grub2_bootloader_argument_absent/oval.template | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index de394912a4f..eaf78a6bf62 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -38,6 +38,9 @@ {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + {{% if bootable_containers_supported == "true" %}} + + {{% endif %}} {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} @@ -111,7 +114,7 @@ {{% if bootable_containers_supported == "true" %}} - + {{% endif %}} diff --git a/shared/templates/grub2_bootloader_argument_absent/oval.template b/shared/templates/grub2_bootloader_argument_absent/oval.template index 813fca5703b..915bb86a717 100644 --- a/shared/templates/grub2_bootloader_argument_absent/oval.template +++ b/shared/templates/grub2_bootloader_argument_absent/oval.template @@ -34,6 +34,9 @@ {{{ oval_metadata("Ensure " + ARG_NAME + " is not set in the kernel line in /etc/default/grub.") }}} + {{% if bootable_containers_supported == "true" %}} + + {{% endif %}} {{% if system_with_kernel_options_in_grubenv -%}} {{% if system_with_bios_and_uefi_support -%}}
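Review bot: The same three-line `{{% if bootable_containers_supported == "true" %}} … {{% endif %}}` block is added verbatim to both `grub2_bootloader_argument/oval.template` (the `@@ -38,6 +38,9 @@` hunk) and `grub2_bootloader_argument_absent/oval.template` (the `@@ -34,6 +34,9 @@` hunk); the element between the guard lines is not visible in this rendering, so I can't confirm what it references, but if it is the same criterion in both places a shared Jinja macro would keep the two templates from drifting. The intent stated in the commit message — the rule must not pass in image mode on the strength of a classic `/etc/default/grub` configuration — is not recorded anywhere in the templates; a comment next to the added element, e.g. `{{# Image mode: a classic /etc/default/grub configuration must not satisfy this rule #}}`, would preserve that reasoning for the next maintainer.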