genpolicy: Support cpath for mount sources

Add setting to allow specifying the cpath for a mount source.

cpath is the root path for most files used by a container. For example,
the container rootfs and various files copied from the Host to the
Guest when shared_fs=none are hosted under cpath.

mount_source_cpath is the root of the paths used as storage mount
sources. Depending on Kata settings, mount_source_cpath might have the
same value as cpath - but on TDX for example these two paths are
different: TDX uses "/run/kata-containers" as cpath,
but "/run/kata-containers/shared/containers" as mount_source_cpath.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Saul Paredes 2024-07-15 11:31:52 -07:00
parent 648265d80e
commit 0b3d193730
3 changed files with 6 additions and 2 deletions


@ -203,6 +203,7 @@
],
"common": {
"cpath": "/run/kata-containers/shared/containers",
"mount_source_cpath": "/run/kata-containers/shared/containers",
"sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
"ip_p": "[0-9]{1,5}",
"ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",


@ -805,7 +805,7 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
regex1 := p_mount.source
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath)
regex4 := replace(regex3, "$(bundle-id)", bundle_id)
print("mount_source_allows 1: regex4 =", regex4)
@ -816,7 +816,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
regex1 := p_mount.source
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath)
regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
print("mount_source_allows 2: regex4 =", regex4)
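Review bot: In both `mount_source_allows` rules the `$(cpath)` placeholder now expands to `policy_data.common.mount_source_cpath`, and nothing in the rules says that the same token means something different here than the `cpath` setting. Because `$(sfprefix)` is expanded first and, with the settings shown, its text itself contains `$(cpath)`, the shared-file prefix in a mount source ends up anchored at `mount_source_cpath` as well. A policy author reading `$(cpath)` in a mount source would reasonably expect the `cpath` setting to bound what is allowed, so I would add a comment above the substitution in each rule, e.g. `# In mount sources, $(cpath) (including the one nested in $(sfprefix)) expands to mount_source_cpath, not cpath.`, or use a distinct placeholder name. Both rule bodies continue outside the hunks shown.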


@ -349,6 +349,9 @@ pub struct CommonData {
/// Path to the shared container files - e.g., "/run/kata-containers/shared/containers".
pub cpath: String,
/// Path to the shared container files for mount sources - e.g., "/run/kata-containers/shared/containers".
pub mount_source_cpath: String,
/// Regex prefix for shared file paths - e.g., "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-".
pub sfprefix: String,