policy: fix parse errors in rules.rego

This patch fixes the rules.rego file to ensure that the
policy is correctly parsed and applied by OPA.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Archana Choudhary 2025-07-01 12:43:41 +00:00
parent abbe1be69f
commit 6932beb01f


@ -1051,10 +1051,10 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if {
# Currently, Image Layer Integrity Verification through Policy is only required for Guest VMs
# that use container image layers provided as dm-verity-protected block device images created on the Host.
allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } {
allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } if {
policy_data.common.image_layer_verification != "host-tarfs-dm-verity"
}
allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } {
allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } if {
policy_data.common.image_layer_verification == "host-tarfs-dm-verity"
some overlay_storage in p_storages
@ -1082,7 +1082,7 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash
print("allow_storage: true")
}
allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) if {
i_storage.driver == "image_guest_pull"
print("allow_storage with image_guest_pull: start")
i_storage.fstype == "overlay"
@ -1092,14 +1092,14 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash
print("allow_storage with image_guest_pull: true")
}
allow_storage_source(p_storage, i_storage, bundle_id) {
allow_storage_source(p_storage, i_storage, bundle_id) if {
print("allow_storage_source 1: start")
p_storage.source == i_storage.source
print("allow_storage_source 1: true")
}
allow_storage_source(p_storage, i_storage, bundle_id) {
allow_storage_source(p_storage, i_storage, bundle_id) if {
print("allow_storage_source 2: start")
source1 := p_storage.source
@ -1112,7 +1112,7 @@ allow_storage_source(p_storage, i_storage, bundle_id) {
print("allow_storage_source 2: true")
}
allow_storage_source(p_storage, i_storage, bundle_id) {
allow_storage_source(p_storage, i_storage, bundle_id) if {
print("allow_storage_source 3: start")
p_storage.driver == "overlayfs"