Merge pull request #9911 from microsoft/saulparedes/mounts

genpolicy: deny UpdateEphemeralMountsRequest
Dan Mihai 2024-08-21 10:12:28 -07:00 committed by GitHub
commit 8ccc8a8d0b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 23 additions and 1 deletions


@ -316,6 +316,7 @@
},
"CloseStdinRequest": false,
"ReadStreamRequest": false,
"UpdateEphemeralMountsRequest": false,
"WriteStreamRequest": false
}
}


@ -39,7 +39,7 @@ default StatsContainerRequest := true
default StopTracingRequest := false
default TtyWinResizeRequest := true
default UpdateContainerRequest := false
default UpdateEphemeralMountsRequest := true
default UpdateEphemeralMountsRequest := false
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
@ -1169,6 +1169,10 @@ ReadStreamRequest {
policy_data.request_defaults.ReadStreamRequest == true
}
UpdateEphemeralMountsRequest {
policy_data.request_defaults.UpdateEphemeralMountsRequest == true
}
WriteStreamRequest {
policy_data.request_defaults.WriteStreamRequest == true
}
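Review bot: The new UpdateEphemeralMountsRequest rule in the second hunk gates the request solely on `policy_data.request_defaults.UpdateEphemeralMountsRequest`, so any settings file that flips that default back to true makes the policy accept every such request without inspecting the mounts it carries; that all-or-nothing semantics is worth stating on the rule, e.g. `# Coarse gate: when the default is true, any UpdateEphemeralMountsRequest is allowed without examining its mounts.` The same wording gap exists in the Rust hunk, where the new `/// Allow Host to update Guest mounts.` doc comment on RequestDefaults could say that enabling the flag accepts every such request unconditionally and that the shipped settings default it to false. The rule follows the same shape as the neighbouring ReadStreamRequest and WriteStreamRequest rules, so this is a documentation point rather than a change to the rule body.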


@ -344,6 +344,9 @@ pub struct RequestDefaults {
/// Allow Host reading from Guest containers stdout and stderr.
pub ReadStreamRequest: bool,
/// Allow Host to update Guest mounts.
pub UpdateEphemeralMountsRequest: bool,
/// Allow Host writing to Guest containers stdin.
pub WriteStreamRequest: bool,
}


@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
adapt_common_policy_settings_for_cbl_mariner() {
local settings_dir=$1
info "Adapting common policy settings for CBL-Mariner"
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for various platforms
adapt_common_policy_settings() {
@ -166,6 +174,12 @@ adapt_common_policy_settings() {
adapt_common_policy_settings_for_sev "${settings_dir}"
;;
esac
case "${KATA_HOST_OS}" in
"cbl-mariner")
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
;;
esac
}
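Review bot: adapt_common_policy_settings_for_cbl_mariner re-enables UpdateEphemeralMountsRequest for CBL-Mariner hosts, undoing for that platform the default-deny the rest of this commit introduces, yet the comment above it only links an issue without saying why the wider policy is needed there or when it can be dropped; I would replace it with `# CBL-Mariner hosts currently need UpdateEphemeralMountsRequest allowed (see https://github.com/kata-containers/kata-containers/issues/10189); remove this override once that issue is resolved so the default-deny applies there too.` The jq-then-mv idiom copies adapt_common_policy_settings_for_sev, so a failed jq leaves a truncated temp.json in the working directory and the original settings untouched; whether the script runs with set -e or pipefail is not visible from this hunk. The new case on KATA_HOST_OS is a no-op when the variable is unset, which is presumably the intended behaviour for other hosts.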
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings,