Merge pull request #11127 from microsoft/archana1/mount-tc

genpolicy: improve validation for mounts
2025-09-15 22:08:47 +00:00 · 2025-05-08 15:41:23 -07:00
parent e3e0007bf7 fb815b77c1
commit 1e09dfb0df
4 changed files with 1412 additions and 9 deletions
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -656,9 +656,11 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {

    allow_root_path(p_oci, i_oci, bundle_id)

-    every i_mount in input.OCI.Mounts {
-        allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
-    }
+    # Match each input mount with a Policy mount.
+    # Reject possible attempts to match multiple input mounts with a single Policy mount.
+    p_matches := { p_index | some i_index; p_index = allow_mount(p_oci, input.OCI.Mounts[i_index], bundle_id, sandbox_id) }
+
+    count(p_matches) == count(input.OCI.Mounts)

    # TODO: enable allow_storages() after fixing https://github.com/kata-containers/kata-containers/issues/8833
    # allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
@@ -920,17 +922,15 @@ allow_root_path(p_oci, i_oci, bundle_id) {
 }

 # device mounts
-allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+# allow_mount returns the policy index (p_index) if a given input mount matches a policy mount.
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index {
    print("allow_mount: i_mount =", i_mount)

-    some p_mount in p_oci.Mounts
+    p_mount := p_oci.Mounts[p_index]
    print("allow_mount: p_mount =", p_mount)
    check_mount(p_mount, i_mount, bundle_id, sandbox_id)

-    # TODO: are there any other required policy checks for mounts - e.g.,
-    #       multiple mounts with same source or destination?
-
-    print("allow_mount: true")
+    print("allow_mount: true, p_index =", p_index)
 }

 check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
--- a/src/tools/genpolicy/tests/main.rs
+++ b/src/tools/genpolicy/tests/main.rs
@@ -202,4 +202,9 @@ mod tests {
    async fn test_create_container_security_context() {
        runtests("createcontainer/security_context").await;
    }
+
+    #[tokio::test]
+    async fn test_create_container_mounts() {
+        runtests("createcontainer/volumes/emptydir").await;
+    }
 }
--- a/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/pod.yaml
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/pod.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dummy
+spec:
+  runtimeClassName: kata-cc-isolation
+  containers:
+  - name: dummy
+    image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db
+    volumeMounts:
+    - mountPath: /mnt/test
+      name: test-volume
+    - mountPath: /mnt/test2
+      name: test-volume
+      mountPropagation: Bidirectional
+    - mountPath: /mnt/test3
+      name: test-volume
+      readOnly: true
+    - mountPath: /mnt/test4
+      name: test-volume2
+  volumes:
+  - name: test-volume
+    emptyDir: {}
+  - name: test-volume2
+    emptyDir: {}
--- a/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/testcases.json