From 36a410475369d6390e467419534772d77c934620 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Sun, 14 Apr 2024 15:47:22 -0700
Subject: [PATCH 1/2] genpolicy: support readonly hostpath

Set hostpath access based on volume mount readOnly value

Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/src/mount_and_storage.rs | 11 +++++++++--
 .../runtimeclass_workloads/k8s-policy-rc.yaml | 11 +++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index 0e5a5da193..69aee1e760 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -209,6 +209,13 @@ fn get_host_path_mount(
 }
 }
 
+ let access = match yaml_mount.readOnly {
+ Some(true) => {
+ debug!("setting read only access for host path mount");
+ "ro"
+ }
+ _ => "rw",
+ };
 // TODO:
 //
 // - When volume.hostPath.path: /dev/ttyS0
@@ -220,7 +227,7 @@ fn get_host_path_mount(
 if !path.starts_with("/dev/") && !path.starts_with("/sys/") {
 debug!("get_host_path_mount: calling get_shared_bind_mount");
 let propagation = if biderectional { "rshared" } else { "rprivate" };
- get_shared_bind_mount(yaml_mount, p_mounts, propagation, "rw");
+ get_shared_bind_mount(yaml_mount, p_mounts, propagation, access);
 } else {
 let dest = yaml_mount.mountPath.clone();
 let type_ = "bind".to_string();
@@ -228,7 +235,7 @@ fn get_host_path_mount(
 let options = vec![
 "rbind".to_string(),
 mount_option.to_string(),
- "rw".to_string(),
+ access.to_string(),
 ];
 
 if let Some(policy_mount) = p_mounts.iter_mut().find(|m| m.destination.eq(&dest)) {
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
index 1e58ceb9bf..8f5145479d 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
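Review bot: In the @@ -209 hunk the `access` match folds `Some(false)` and `None` into `"rw"`; that is the Kubernetes default for `readOnly`, but nothing in the code says so, and a one-line comment such as `// readOnly is optional and defaults to false in the pod spec, so only an explicit true yields a read-only mount` would make the defaults-to-rw choice reviewable. The same seven lines are repeated verbatim in get_empty_dir_mount_and_storage by the second patch of this series, so the mapping belongs in one small helper that takes the same `yaml_mount` and returns `&'static str`, so that the read-only expectation written into the generated policy cannot drift between volume kinds as further volume types gain `readOnly` support. The `debug!` message would also be easier to correlate with a manifest if it named the mount, e.g. `debug!("setting read only access for host path mount {}", yaml_mount.mountPath);`. get_host_path_mount starts before this hunk and continues in the two hunks below it.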
@@ -27,6 +27,17 @@ spec:
 volumeMounts:
 - name: host-empty-vol
 mountPath: "/host/cache"
+ - mountPath: /tmp/results
+ name: hostpath-vol
+ - mountPath: /tmp/results-read-only
+ name: hostpath-vol-read-only
+ readOnly: true
 volumes:
 - name: host-empty-vol
 emptyDir: {}
+ - name: hostpath-vol
+ hostPath:
+ path: /tmp/results
+ - name: hostpath-vol-read-only
+ hostPath:
+ path: /tmp/results-read-only
\ No newline at end of file

From 24c2d13fd3b85e601d0e6cb9c9855d528c0deeb6 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Tue, 3 Sep 2024 19:09:13 -0700
Subject: [PATCH 2/2] genpolicy: support readonly emptyDir mount

Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/src/mount_and_storage.rs | 10 +++++++++-
 .../runtimeclass_workloads/k8s-policy-rc.yaml | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index 69aee1e760..394c066585 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -181,6 +181,14 @@ fn get_empty_dir_mount_and_storage(
 &settings_empty_dir.mount_type
 };
 
+ let access = match yaml_mount.readOnly {
+ Some(true) => {
+ debug!("setting read only access for emptyDir mount");
+ "ro"
+ }
+ _ => "rw",
+ };
+
 p_mounts.push(policy::KataMount {
 destination: yaml_mount.mountPath.to_string(),
 type_: mount_type.to_string(),
@@ -188,7 +196,7 @@ fn get_empty_dir_mount_and_storage(
 options: vec![
 "rbind".to_string(),
 "rprivate".to_string(),
- "rw".to_string(),
+ access.to_string(),
 ],
 });
 }
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
index 8f5145479d..52c39ae31c 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
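Review bot: In the @@ -181 hunk `access` is derived from the individual `yaml_mount`, which is the right granularity but not obvious: the same emptyDir volume can be referenced by several volumeMounts with different `readOnly` values (the updated test manifest mounts `host-empty-vol` twice, once read-write and once read-only), so each `KataMount` entry gets its own access mode. A comment along the lines of `// access is per volumeMount, not per volume: one emptyDir may be mounted ro at one path and rw at another` above the match would save the next reader from hunting for that in the test data. As in get_host_path_mount, including the mount path in the log line, `debug!("setting read only access for emptyDir mount {}", yaml_mount.mountPath);`, makes the generated policy easier to audit against the manifest. Whether the storage entry this function also produces carries an access option of its own is outside the hunk; if it does, confirm it does not need to follow `readOnly` as well. get_empty_dir_mount_and_storage starts before the hunk and its closing lines are in the @@ -188 hunk.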
@@ -27,6 +27,9 @@ spec:
 volumeMounts:
 - name: host-empty-vol
 mountPath: "/host/cache"
+ - name: host-empty-vol
+ mountPath: "/host/cache-read-only"
+ readOnly: true
 - mountPath: /tmp/results
 name: hostpath-vol
 - mountPath: /tmp/results-read-only