From f4106a610768e3cd95b7d46fc0c5bacb69efb852 Mon Sep 17 00:00:00 2001
From: Dan Mihai <dmihai@microsoft.com>
Date: Mon, 15 Jan 2024 23:33:28 +0000
Subject: [PATCH] genpolicy: use root path from cbl-mariner Guest VM

Adjust genpolicy-settings.json to match the container root path from
the main branch + cbl-mariner Guest VMs.

This configuration might have to be adjusted again when other types of
Guest VMs will be tested during CI using genpolicy, in the future.

Also, improve logging from allow_root_path(), to easier debug these
issues in the future.

Fixes: #8835

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
---
 src/tools/genpolicy/genpolicy-settings.json | 4 ++--
 src/tools/genpolicy/rules.rego              | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index 8b438cc7cf..0cc1068b84 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -1,7 +1,7 @@
 {
     "pause_container": {
         "Root": {
-            "Path": "$(cpath)/$(bundle-id)",
+            "Path": "$(cpath)/$(bundle-id)/rootfs",
             "Readonly": true
         },
         "Mounts": [
@@ -62,7 +62,7 @@
     },
     "other_container": {
         "Root": {
-            "Path": "$(cpath)/$(bundle-id)"
+            "Path": "$(cpath)/$(bundle-id)/rootfs"
         },
         "Mounts": [
             {
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 2719e65795..0cd0679e63 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -700,8 +700,9 @@ is_ip_other_byte(component) {
 
 # OCI root.Path
 allow_root_path(p_oci, i_oci, bundle_id) {
+    i_path := i_oci.Root.Path
     p_path1 := p_oci.Root.Path
-    print("allow_root_path: p_path1 =", p_path1)
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
 
     p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
     print("allow_root_path: p_path2 =", p_path2)
@@ -709,7 +710,7 @@ allow_root_path(p_oci, i_oci, bundle_id) {
     p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
     print("allow_root_path: p_path3 =", p_path3)
 
-    p_path3 == i_oci.Root.Path
+    p_path3 == i_path
 
     print("allow_root_path: true")
 }