github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-18 23:39:30 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: deny UpdateEphemeralMountsRequest

Browse Source 
* genpolicy: deny UpdateEphemeralMountsRequest

Deny UpdateEphemeralMountsRequest by default, because paths to
critical Guest components can be redirected using such request.

Signed-off-by: Dan Mihai <Daniel.Mihai@microsoft.com>
This commit is contained in:
Dan Mihai
2023-12-19 09:54:55 -08:00
committed by Saul Paredes
parent e0bff7ed14
commit 6654491cc3
4 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tests/integration/kubernetes/tests_common.sh
View File

@@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
adapt_common_policy_settings_for_cbl_mariner() {
local settings_dir=$1
info "Adapting common policy settings for CBL-Mariner"
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for various platforms
adapt_common_policy_settings() {
@@ -166,6 +174,12 @@ adapt_common_policy_settings() {
adapt_common_policy_settings_for_sev "${settings_dir}"
;;
esac
case "${KATA_HOST_OS}" in
"cbl-mariner")
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
;;
esac
}
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings,