Merge pull request #8836 from microsoft/danmihai1/test-with-cbl-mariner

genpolicy: use root path from cbl-mariner Guest VM
2025-09-19 15:58:25 +00:00 · 2024-01-17 17:51:44 +01:00
parent e11c520ffa f4106a6107
commit 147d5fd752
2 changed files with 5 additions and 4 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -1,7 +1,7 @@
 {
    "pause_container": {
        "Root": {
-            "Path": "$(cpath)/$(bundle-id)",
+            "Path": "$(cpath)/$(bundle-id)/rootfs",
            "Readonly": true
        },
        "Mounts": [
@@ -62,7 +62,7 @@
    },
    "other_container": {
        "Root": {
-            "Path": "$(cpath)/$(bundle-id)"
+            "Path": "$(cpath)/$(bundle-id)/rootfs"
        },
        "Mounts": [
            {
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -701,8 +701,9 @@ is_ip_other_byte(component) {

 # OCI root.Path
 allow_root_path(p_oci, i_oci, bundle_id) {
+    i_path := i_oci.Root.Path
    p_path1 := p_oci.Root.Path
-    print("allow_root_path: p_path1 =", p_path1)
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)

    p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
    print("allow_root_path: p_path2 =", p_path2)
@@ -710,7 +711,7 @@ allow_root_path(p_oci, i_oci, bundle_id) {
    p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
    print("allow_root_path: p_path3 =", p_path3)

-    p_path3 == i_oci.Root.Path
+    p_path3 == i_path

    print("allow_root_path: true")
 }