tools: genpolicy static checks

Package genpolicy and enable static checks for it.

Fixes: #8813

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2024-01-12 16:43:27 +00:00
parent 0dc00ae373
commit 201eec628a
9 changed files with 31 additions and 41 deletions


@ -33,6 +33,7 @@ jobs:
- cloud-hypervisor - cloud-hypervisor
- cloud-hypervisor-glibc - cloud-hypervisor-glibc
- firecracker - firecracker
- genpolicy
- kata-ctl - kata-ctl
- kernel - kernel
- kernel-confidential - kernel-confidential


@ -48,6 +48,7 @@ jobs:
- kata-ctl - kata-ctl
- runk - runk
- trace-forwarder - trace-forwarder
- genpolicy
command: command:
- "make vendor" - "make vendor"
- "make check" - "make check"
@ -75,6 +76,8 @@ jobs:
install-libseccomp: yes install-libseccomp: yes
- component: runk - component: runk
install-libseccomp: yes install-libseccomp: yes
- component: genpolicy
component-path: src/tools/genpolicy
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@v4 uses: actions/checkout@v4
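Review bot: The new `- genpolicy` entry in the first hunk is appended after `trace-forwarder` instead of being inserted in alphabetical order, whereas the other workflow file in this commit places it between `firecracker` and `kata-ctl`. Keeping the component lists sorted makes future additions easier to spot in review; move the entry so the list reads `- genpolicy`, `- kata-ctl`, `- runk`, `- trace-forwarder`. The second hunk's `component-path: src/tools/genpolicy` is consistent with how the static-check job appears to locate components, but the `steps:` block it feeds is outside the hunk, so I cannot confirm the key is consumed.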


@ -1112,15 +1112,6 @@ version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
[[package]]
name = "openssl-src"
version = "111.25.1+1.1.1t"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ef9a9cc6ea7d9d5e7c4a913dc4b48d0e359eddf01af1dfec96ba7064b4aba10"
dependencies = [
"cc",
]
[[package]] [[package]]
name = "openssl-sys" name = "openssl-sys"
version = "0.9.90" version = "0.9.90"
@ -1129,7 +1120,6 @@ checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6"
dependencies = [ dependencies = [
"cc", "cc",
"libc", "libc",
"openssl-src",
"pkg-config", "pkg-config",
"vcpkg", "vcpkg",
] ]


@ -1,3 +1,8 @@
# Copyright (c) 2024 Microsoft Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
[package] [package]
name = "genpolicy" name = "genpolicy"
version = "0.1.0" version = "0.1.0"
@ -35,7 +40,7 @@ async-trait = "0.1.68"
docker_credential = "1.2.0" docker_credential = "1.2.0"
flate2 = { version = "1.0.26", features = ["zlib-ng"], default-features = false } flate2 = { version = "1.0.26", features = ["zlib-ng"], default-features = false }
oci-distribution = { version = "0.10.0" } oci-distribution = { version = "0.10.0" }
openssl = { version = "0.10.54", features = ["vendored"] } openssl = { version = "0.10.54" }
serde_ignored = "0.1.7" serde_ignored = "0.1.7"
serde_json = "1.0.39" serde_json = "1.0.39"
serde-transcode = "1.1.1" serde-transcode = "1.1.1"
@ -44,7 +49,7 @@ tokio = {version = "1.33.0", features = ["rt-multi-thread"]}
# OCI container specs. # OCI container specs.
oci = { path = "../../libs/oci" } oci = { path = "../../libs/oci" }
# Kata Agent prototol. # Kata Agent protocol.
protocols = { path = "../../libs/protocols", features = ["with-serde"] } protocols = { path = "../../libs/protocols", features = ["with-serde"] }
protobuf = "3.2.0" protobuf = "3.2.0"
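Review bot: The `openssl = { version = "0.10.54" }` line drops the `vendored` feature without a comment recording where OpenSSL is now expected to come from, so the build silently depends on whatever `libssl` the host or build image provides. The lockfile hunk in this commit shows the vendored copy that is being removed was an `openssl-src` 1.1.1-series build, a branch that is no longer receiving public updates, so moving to the environment's library is a reasonable direction, but the README hunk also removes the host build instructions, leaving the expected environment undocumented in this crate. A one-line comment above the dependency would close that gap, e.g. `# OpenSSL is linked from the build environment (static libs in the tools build image); the vendored 1.1.1 copy was dropped.` The hunk does not show whether any other dependency still pulls in `openssl-src`, which is worth checking with `cargo tree`.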


@ -18,32 +18,12 @@ The Policy auto-generated by `genpolicy` is typically used for implementing conf
# Building `genpolicy` from source code # Building `genpolicy` from source code
## Install build dependencies Build in docker container:
Example for Ubuntu 22.04.3: ```sh
```bash
$ sudo apt-get update
$ sudo apt-get install -y build-essential cmake curl git musl-dev musl-tools
$ curl --proto '=https' --tlsv1.3 https://sh.rustup.rs -sSf | sh
$ source "$HOME/.cargo/env"
$ arch=$(uname -m)
$ rustup target add "${arch}-unknown-linux-musl"
```
# Build `genpolicy`
```bash
$ git clone https://github.com/kata-containers/kata-containers.git $ git clone https://github.com/kata-containers/kata-containers.git
$ cd kata-containers/src/tools/genpolicy $ cd kata-containers
$ source "$HOME/.cargo/env" $ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy
$ make && make install
```
If you want to use `LIBC=gnu` instead of the default `LIBC=musl`, change the last step above to:
```bash
$ LIBC=gnu make && LIBC=gnu make install
``` ```
# Executing `genpolicy` # Executing `genpolicy`


@ -56,9 +56,7 @@ impl<T: Digest + Clone> Verity<T> {
count count
}; };
let mut data = Vec::new(); let data = vec![0; hash_block_size];
data.resize(hash_block_size, 0);
let mut levels = Vec::new(); let mut levels = Vec::new();
levels.resize( levels.resize(
level_count, level_count,
@ -209,8 +207,7 @@ pub fn traverse_file<T: Digest + Clone>(
mut verity: Verity<T>, mut verity: Verity<T>,
writer: &mut impl FnMut(&mut File, &[u8], u64) -> io::Result<()>, writer: &mut impl FnMut(&mut File, &[u8], u64) -> io::Result<()>,
) -> io::Result<GenericArray<u8, T::OutputSize>> { ) -> io::Result<GenericArray<u8, T::OutputSize>> {
let mut buf = Vec::new(); let mut buf = vec![0; verity.data_block_size];
buf.resize(verity.data_block_size, 0);
while verity.more_blocks() { while verity.more_blocks() {
file.seek(SeekFrom::Start(read_offset))?; file.seek(SeekFrom::Start(read_offset))?;
file.read_exact(&mut buf)?; file.read_exact(&mut buf)?;
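Review bot: At the new `let mut buf = vec![0; verity.data_block_size];` line the buffer length is taken straight from the `Verity` value, and nothing in the hunk rejects `data_block_size == 0`; with an empty buffer `read_exact` returns `Ok(())` without consuming input, so if `more_blocks()` depends on read progress the `while` loop would never terminate. The same applies to `hash_block_size` in the first hunk. If the constructor already enforces non-zero block sizes, a `debug_assert!(verity.data_block_size > 0);` before the loop documents that invariant where it is relied on; otherwise the constructor should return an error for zero sizes. Both enclosing functions start and end outside the hunks, so the invariant may be checked elsewhere.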


@ -93,6 +93,9 @@ cloud-hypervisor-glibc-tarball:
firecracker-tarball: firecracker-tarball:
${MAKE} $@-build ${MAKE} $@-build
genpolicy-tarball:
${MAKE} $@-build
kata-ctl-tarball: kata-ctl-tarball:
${MAKE} $@-build ${MAKE} $@-build


@ -90,6 +90,7 @@ options:
cloud-hypervisor cloud-hypervisor
cloud-hypervisor-glibc cloud-hypervisor-glibc
firecracker firecracker
genpolicy
kata-ctl kata-ctl
kernel kernel
kernel-confidential kernel-confidential
@ -713,6 +714,10 @@ install_agent_ctl() {
install_tools_helper "agent-ctl" install_tools_helper "agent-ctl"
} }
install_genpolicy() {
install_tools_helper "genpolicy"
}
install_kata_ctl() { install_kata_ctl() {
install_tools_helper "kata-ctl" install_tools_helper "kata-ctl"
} }
@ -787,6 +792,8 @@ handle_build() {
firecracker) install_firecracker ;; firecracker) install_firecracker ;;
genpolicy) install_genpolicy ;;
kata-ctl) install_kata_ctl ;; kata-ctl) install_kata_ctl ;;
kernel) install_kernel ;; kernel) install_kernel ;;
@ -893,6 +900,7 @@ main() {
agent-ctl agent-ctl
cloud-hypervisor cloud-hypervisor
firecracker firecracker
genpolicy
kata-ctl kata-ctl
kernel kernel
kernel-experimental kernel-experimental


@ -9,11 +9,14 @@ ARG RUST_TOOLCHAIN
SHELL ["/bin/ash", "-o", "pipefail", "-c"] SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN apk --no-cache add \ RUN apk --no-cache add \
bash \ bash \
cmake \
curl \ curl \
gcc \ gcc \
git \ git \
libcap-ng-static \ libcap-ng-static \
libseccomp-static \ libseccomp-static \
openssl-dev \
openssl-libs-static \
make \ make \
musl-dev \ musl-dev \
protoc && \ protoc && \
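Review bot: The new `openssl-dev \` and `openssl-libs-static \` lines break the alphabetical order the rest of the `apk --no-cache add` list follows, landing before `make` and `musl-dev`; move them after `musl-dev \` so the list stays sorted. The added `cmake \` is placed correctly. I cannot tell from the hunk which dependency needs `cmake`, so a short comment such as `# cmake: required by a native build script in the genpolicy dependency tree` would help the next person who prunes this image.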