genpolicy: use process inputs for allow_process()

Using process data inputs for allow_process() is easier to
read/understand compared with the older OCI data inputs.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Dan Mihai 2024-12-18 01:10:16 +00:00 committed by Ankita Pareek
parent 2871c31162
commit 6f78aaa411


@ -292,7 +292,7 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
allow_process(p_oci, i_oci, s_name)
allow_process(p_oci.Process, i_oci.Process, s_name)
print("allow_by_sandbox_name: true")
}
@ -668,10 +668,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
print("allow_by_bundle_or_sandbox_id: true")
}
allow_process(p_oci, i_oci, s_name) {
p_process := p_oci.Process
i_process := i_oci.Process
allow_process(p_process, i_process, s_name) {
print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
p_process.Terminal == i_process.Terminal
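Review bot: allow_process keeps its name and three-argument shape while its first two arguments change from whole OCI documents to their Process members, so a call site that was not updated would still compile and only fail at evaluation. Only the call in allow_by_sandbox_name is visible here; if any other rule calls allow_process, it needs the same `.Process` change, otherwise `p_process.Terminal` is undefined and the rule never becomes true (a denial rather than a bypass, but hard to diagnose from the print output). A short comment above the rule would make the contract explicit, for example `# p_process / i_process: the Process member of the policy and input OCI specs`. The body of allow_process continues past the lines shown.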