OPENSCAP-5235: Block remediation on deployed bootc system

OpenSCAP remediation is supposed to be used only at bootc container
image build. Deployed bootc system is immutable, it can't be remediated
with OpenSCAP and trying to do so would result in errors and bad user
experience.

We will update OpenSCAP to print error message for users in case they
try to run remediation on an already deployed bootc system, informing
them that it is not possible and that the openscap remediation must be
performed during container build.

Author: jan-cerny

src/XCCDF/xccdf_session.c

@@ -1906,6 +1906,27 @@ struct xccdf_rule_result_iterator *xccdf_session_get_rule_results(const struct x
 	return xccdf_result_get_rule_results(session->xccdf.result);
 }
 
+static int system_is_in_bootc_mode(void)
+{
+#ifdef OS_WINDOWS
+	return 0;
+#else
+	FILE *output = popen("bootc status --format json 2>/dev/null | jq \".status.booted\"", "r");
+	if (output == NULL) {
+		return 0;
+	}
+	char buf[1024] = {0};
+	int c;
+	size_t i = 0;
+	while (i < sizeof(buf) && (c = fgetc(output)) != EOF) {
+		buf[i] = c;
+		i++;
+	}
+	pclose(output);
+	return strcmp(buf, "null\n") != 0;
+#endif
+}
+
 int xccdf_session_remediate(struct xccdf_session *session)
 {
 	int res = 0;
@@ -1917,6 +1938,14 @@ int xccdf_session_remediate(struct xccdf_session *session)
 		oscap_seterr(OSCAP_EFAMILY_OSCAP, "Can't perform remediation in offline mode: not implemented");
 		return 1;
 	}
+	if (system_is_in_bootc_mode()) {
+		oscap_seterr(OSCAP_EFAMILY_OSCAP,
+			"Detected running Image Mode operating system. OpenSCAP can't "
+			"perform remediation of this system because majority of the "
+			"system is read-only. Please apply remediation during bootable "
+			"container image build using 'oscap-im' instead.");
+		return 1;
+	}
 	xccdf_policy_model_unregister_engines(session->xccdf.policy_model, oval_sysname);
 	if ((res = xccdf_session_load_oval(session)) != 0)
 		return res;