genpolicy: reject untested CreateContainer field values

Reject CreateContainerRequest field values that are not tested by
Kata CI and that might impact the confidentiality of CoCo Guests.

This change uses a "better safe than sorry" approach to untested
fields. It is very possible that in the future we'll encounter
reasonable use cases that will either:

- Show that some of these fields are benign and don't have to be
  verified by Policy, or
- Show that Policy should verify legitimate values of these fields

These are the new CreateContainerRequest Policy rules:

    count(input.shared_mounts) == 0
    is_null(input.string_user)

    i_oci := input.OCI
    is_null(i_oci.Hooks)
    is_null(i_oci.Linux.Seccomp)
    is_null(i_oci.Solaris)
    is_null(i_oci.Windows)

    i_linux := i_oci.Linux
    count(i_linux.GIDMappings) == 0
    count(i_linux.MountLabel) == 0
    count(i_linux.Resources.Devices) == 0
    count(i_linux.RootfsPropagation) == 0
    count(i_linux.UIDMappings) == 0
    is_null(i_linux.IntelRdt)
    is_null(i_linux.Resources.BlockIO)
    is_null(i_linux.Resources.Network)
    is_null(i_linux.Resources.Pids)
    is_null(i_linux.Seccomp)
    i_linux.Sysctl == {}

    i_process := i_oci.Process
    count(i_process.SelinuxLabel) == 0
    count(i_process.User.Username) == 0

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Dan Mihai 2024-06-14 19:33:53 +00:00
parent cf372f41bf
commit 4df66568cf


@ -52,10 +52,15 @@ default WriteStreamRequest := false
default AllowRequestsFailingPolicy := false default AllowRequestsFailingPolicy := false
CreateContainerRequest { CreateContainerRequest {
# Check if the input request should be rejected even before checking the
# policy_data.containers information.
allow_create_container_input
i_oci := input.OCI i_oci := input.OCI
i_storages := input.storages i_storages := input.storages
i_devices := input.devices i_devices := input.devices
# Check if any element from the policy_data.containers array allows the input request.
some p_container in policy_data.containers some p_container in policy_data.containers
print("======== CreateContainerRequest: trying next policy container") print("======== CreateContainerRequest: trying next policy container")
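Review bot: The new comment above the `allow_create_container_input` call says the request "should be rejected", but the mechanism is implicit: the helper has no `default`, so when any of its checks fails the rule is undefined, `CreateContainerRequest` is undefined, and the request is only denied because of a file-level `default CreateContainerRequest := false` (inferred from the `default ... := false` lines visible in the hunk header; the file header itself is outside this hunk). A maintainer reading only this call site cannot tell that an absent input field (not just a non-null one) also trips the guard. Suggest extending the comment to `# Reject (by leaving CreateContainerRequest undefined, hence false) any request whose untested fields are set, or whose serialized input lacks those fields; see allow_create_container_input.` The rest of the `CreateContainerRequest` body continues outside the hunk.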
@ -85,6 +90,37 @@ CreateContainerRequest {
print("CreateContainerRequest: true") print("CreateContainerRequest: true")
} }
allow_create_container_input {
print("allow_create_container_input: input =", input)
count(input.shared_mounts) == 0
is_null(input.string_user)
i_oci := input.OCI
is_null(i_oci.Hooks)
is_null(i_oci.Solaris)
is_null(i_oci.Windows)
i_linux := i_oci.Linux
count(i_linux.GIDMappings) == 0
count(i_linux.MountLabel) == 0
count(i_linux.Resources.Devices) == 0
count(i_linux.RootfsPropagation) == 0
count(i_linux.UIDMappings) == 0
is_null(i_linux.IntelRdt)
is_null(i_linux.Resources.BlockIO)
is_null(i_linux.Resources.Network)
is_null(i_linux.Resources.Pids)
is_null(i_linux.Seccomp)
i_linux.Sysctl == {}
i_process := i_oci.Process
count(i_process.SelinuxLabel) == 0
count(i_process.User.Username) == 0
print("allow_create_container_input: true")
}
# Reject unexpected annotations. # Reject unexpected annotations.
allow_anno(p_oci, i_oci) { allow_anno(p_oci, i_oci) {
print("allow_anno 1: start") print("allow_anno 1: start")
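Review bot: The first statement of the new rule, `print("allow_create_container_input: input =", input)`, logs the entire CreateContainerRequest on every call, including `OCI.Process.Env` and annotations, which commonly carry credentials; if policy log output leaves the guest on CoCo deployments (to be confirmed against the agent's log forwarding), this works against the confidentiality goal the commit states. Either drop the line or log only what the rule inspects, e.g. `print("allow_create_container_input: shared_mounts =", count(input.shared_mounts), "string_user =", input.string_user)`. Separately, every check here is undefined rather than false when the serialized input omits a key (`count(input.shared_mounts)` and `is_null(i_oci.Hooks)` on a missing field), so a serialization change in the agent would deny every container without a distinguishing log line; a one-line comment, `# Absent fields make this rule undefined, i.e. the request is denied.`, would save a debugging round. The commit message also lists `is_null(i_oci.Linux.Seccomp)` as a new rule, which duplicates `is_null(i_linux.Seccomp)` and does not appear in the code.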