From 1c240de58d13fc591b2ed4848d2beb8b934399a3 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 4 Jun 2025 17:13:44 +0200
Subject: [PATCH] genpolicy: don't parse /etc/passwd in a loop
Instead of looping over the users per group and parsing passwd for each user, we can do the reverse lookup uid->user up front and then compare the names directly. This has the nice side-effect of silencing warnings about non-existent users mentioned in /etc/group, which is not relevant for policy decisions.
Signed-off-by: Markus Rudy
---
 src/tools/genpolicy/src/registry.rs | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
index d2545cf8b..bf92f33ac 100644
--- a/src/tools/genpolicy/src/registry.rs
+++ b/src/tools/genpolicy/src/registry.rs
@@ -258,29 +258,34 @@ impl Container {
         }
     }
 
+    fn get_user_from_passwd_uid(&self, uid: u32) -> Result {
+        for record in parse_passwd_file(&self.passwd)? {
+            if record.uid == uid {
+                return Ok(record.user);
+            }
+        }
+        Err(anyhow!("No user found with uid {uid}"))
+    }
+
     pub fn get_additional_groups_from_uid(&self, uid: u32) -> Result> {
         if self.group.is_empty() || self.passwd.is_empty() {
             return Err(anyhow!(
                 "No /etc/group, /etc/passwd file is available, unable to parse additional group membership from uid"
             ));
         }
+
+        let user = self.get_user_from_passwd_uid(uid)?;
+
         match parse_group_file(&self.group) {
             Ok(records) => {
                 let mut groups = Vec::new();
                 for record in records.iter() {
                     record.user_list.iter().for_each(|u| {
-                        match self.get_uid_gid_from_passwd_user(u.to_string()) {
-                            Ok((record_uid, _)) => {
-                                if record_uid == uid && &record.name != u {
-                                    // The second condition works around containerd bug
-                                    // https://github.com/containerd/containerd/issues/11937.
-                                    groups.push(record.gid);
-                                }
-                            },
-                            Err(inner_e) => warn!( "/etc/group indicates a user {u} that is not in /etc/passwd - error {inner_e}" ),
-                        };
+                        if u == &user && &record.name != u {
+                            // The second condition works around containerd bug
+                            // https://github.com/containerd/containerd/issues/11937.
+                            groups.push(record.gid);
+                        }
                     });
                 }
                 Ok(groups)
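Review bot: The new `let user = self.get_user_from_passwd_uid(uid)?;` turns a uid that has no /etc/passwd entry into a hard error, whereas the removed loop yielded `Ok(vec![])` for such a uid because no group member name could resolve to it (only warnings for unknown names). Containers that run as a numeric uid absent from the image's passwd (a `runAsUser` or `USER` with no entry) therefore stop here unless the caller, which is outside the hunk, already tolerates the error; the runtime presumably grants such a uid no supplementary groups rather than failing, so the policy should encode that instead. Keep "passwd unreadable" distinct from "uid not present" by having the helper return `Result<Option<String>>` and mapping `None` to an empty group list, as below. The hunk's return types read `Result` and `Result>`, which looks like extraction dropping the generic parameters; the real signatures should be confirmed against the file. `get_additional_groups_from_uid` continues past the end of the hunk.
```rust
    /// Name of the first /etc/passwd record with `uid`, or `None` when no
    /// record has that uid; passwd parse failures are still returned as errors.
    fn get_user_from_passwd_uid(&self, uid: u32) -> Result<Option<String>> {
        Ok(parse_passwd_file(&self.passwd)?
            .into_iter()
            .find(|record| record.uid == uid)
            .map(|record| record.user))
    }

    // … unchanged: empty-file guard at the top of get_additional_groups_from_uid …
        // A uid with no passwd entry cannot be named in any group member list,
        // so it has no additional groups; that is not an error.
        let user = match self.get_user_from_passwd_uid(uid)? {
            Some(user) => user,
            None => return Ok(Vec::new()),
        };
    // … unchanged: group-file scan …
```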