Merge pull request #9911 from microsoft/saulparedes/mounts
genpolicy: deny UpdateEphemeralMountsRequest
8ccc8a8d0b
@ -316,6 +316,7 @@
|
||||
},
|
||||
"CloseStdinRequest": false,
|
||||
"ReadStreamRequest": false,
|
||||
"UpdateEphemeralMountsRequest": false,
|
||||
"WriteStreamRequest": false
|
||||
}
|
||||
}
|
@ -39,7 +39,7 @@ default StatsContainerRequest := true
|
||||
default StopTracingRequest := false
|
||||
default TtyWinResizeRequest := true
|
||||
default UpdateContainerRequest := false
|
||||
default UpdateEphemeralMountsRequest := true
|
||||
default UpdateEphemeralMountsRequest := false
|
||||
default UpdateInterfaceRequest := true
|
||||
default UpdateRoutesRequest := true
|
||||
default WaitProcessRequest := true
|
||||
@ -1169,6 +1169,10 @@ ReadStreamRequest {
|
||||
policy_data.request_defaults.ReadStreamRequest == true
|
||||
}
|
||||
|
||||
UpdateEphemeralMountsRequest {
|
||||
policy_data.request_defaults.UpdateEphemeralMountsRequest == true
|
||||
}
|
||||
|
||||
WriteStreamRequest {
|
||||
policy_data.request_defaults.WriteStreamRequest == true
|
||||
}
|
||||
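Review bot: The new `UpdateEphemeralMountsRequest` rule allows the request outright whenever `policy_data.request_defaults.UpdateEphemeralMountsRequest` is true and never examines `input`, so once a platform flips that setting back on, whatever mounts the Host asks to update pass the policy unchecked (what the request carries is inferred from its name; the rule body itself is visible here). Since this commit exists to deny the request by default, the trade-off deserves a comment on the rule so nobody re-enables it casually: `# Gated only by request_defaults; the requested storages are NOT validated here, so keep the default false unless the platform needs it.` This matches the neighbouring `ReadStreamRequest`/`WriteStreamRequest` rules, which are likewise gated solely by their defaults.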
|
@ -344,6 +344,9 @@ pub struct RequestDefaults {
|
||||
/// Allow Host reading from Guest containers stdout and stderr.
|
||||
pub ReadStreamRequest: bool,
|
||||
|
||||
/// Allow Host to update Guest mounts.
|
||||
pub UpdateEphemeralMountsRequest: bool,
|
||||
|
||||
/// Allow Host writing to Guest containers stdin.
|
||||
pub WriteStreamRequest: bool,
|
||||
}
|
||||
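Review bot: The doc comment on the new field, `/// Allow Host to update Guest mounts.`, is less precise than its neighbours and omits the two facts a policy author needs: the request is specifically about ephemeral mounts, and its shipped default is now deny. Suggest `/// Allow Host to update Guest ephemeral mounts (UpdateEphemeralMountsRequest). Denied by default; enable per platform only when required.` The `RequestDefaults` struct begins before this hunk, so any serde attributes governing how a missing key is deserialized are not visible here.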
|
@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
|
||||
jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
|
||||
}
|
||||
|
||||
# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
|
||||
adapt_common_policy_settings_for_cbl_mariner() {
|
||||
local settings_dir=$1
|
||||
|
||||
info "Adapting common policy settings for CBL-Mariner"
|
||||
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
|
||||
}
|
||||
|
||||
# adapt common policy settings for various platforms
|
||||
adapt_common_policy_settings() {
|
||||
|
||||
@ -166,6 +174,12 @@ adapt_common_policy_settings() {
|
||||
adapt_common_policy_settings_for_sev "${settings_dir}"
|
||||
;;
|
||||
esac
|
||||
|
||||
case "${KATA_HOST_OS}" in
|
||||
"cbl-mariner")
|
||||
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings,
|
||||
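Review bot: `adapt_common_policy_settings_for_cbl_mariner` (first hunk of this section) quietly re-enables the very request this commit denies by default, and the only hint why is the issue URL in the comment above the function; someone reading the generated settings later will not see that the flip came from CI. Put the rationale and its consequence next to the jq line, e.g. `# Issue 10189: CBL-Mariner still needs UpdateEphemeralMountsRequest; this widens the policy for this host OS only — drop once fixed.` Both adaptation helpers also write `temp.json` into the caller's current directory before `sudo mv`, so a stray `temp.json` there gets clobbered; `mktemp` (or a temp file inside `${settings_dir}`) would be safer, though since the SEV helper already does the same this can be a follow-up. The body of `adapt_common_policy_settings` is split across the two hunks, so its full control flow is not visible here.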
|