From 3ed9424d60b68c323c89f26bba4ca92d909f44b1 Mon Sep 17 00:00:00 2001
From: Adam Farley <adfarley@redhat.com>
Date: Wed, 4 Dec 2024 15:25:20 +0000
Subject: [PATCH] Adding secure mode option to build scripting

This mode will eventually be used to disable a range of
build script functionality that raises the potential security
risk level during the build process.

After this commit is merged, we will need to add the flag to the
pipeline job configurations in order to pass it into build jobs.

Signed-off-by: Adam Farley <adfarley@redhat.com>
---
 sbin/common/config_init.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh
index 1a649a805..b4b9ab194 100755
--- a/sbin/common/config_init.sh
+++ b/sbin/common/config_init.sh
@@ -63,6 +63,7 @@ DISABLE_ADOPT_BRANCH_SAFETY
 DOCKER_FILE_PATH
 DOCKER_SOURCE_VOLUME_NAME
 ENABLE_SBOM_STRACE
+ENABLE_SECURE_MODE
 FREETYPE
 FREETYPE_DIRECTORY
 FREETYPE_FONT_BUILD_TYPE_PARAM
@@ -299,6 +300,9 @@ function parseConfigurationArguments() {
         "--enable-sbom-strace" )
         BUILD_CONFIG[ENABLE_SBOM_STRACE]=true;;
 
+        "--enable-secure-mode" )
+        BUILD_CONFIG[ENABLE_SECURE_MODE]=true;;
+
         "--freetype-dir" | "-f" )
         BUILD_CONFIG[FREETYPE_DIRECTORY]="$1"; shift;;
 
@@ -558,6 +562,9 @@ function configDefaults() {
 
   BUILD_CONFIG[ENABLE_SBOM_STRACE]="false"
 
+  # Set default value to "false", for maximum user convenience. "false" enables potentially-insecure functionality, like the dynamic download of boot JDKs.
+  BUILD_CONFIG[ENABLE_SECURE_MODE]="false"
+
   # The default behavior of whether we want to create a separate source archive
   BUILD_CONFIG[CREATE_SOURCE_ARCHIVE]="false"