github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-25 19:21:53 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9911 from microsoft/saulparedes/mounts

Browse Source 
genpolicy: deny UpdateEphemeralMountsRequest
This commit is contained in:
Dan Mihai 2024-08-21 10:12:28 -07:00 committed by GitHub
commit 8ccc8a8d0b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/tools/genpolicy/genpolicy-settings.json
View File

@ -316,6 +316,7 @@
}, },
"CloseStdinRequest": false, "CloseStdinRequest": false,
"ReadStreamRequest": false, "ReadStreamRequest": false,
"UpdateEphemeralMountsRequest": false,
"WriteStreamRequest": false "WriteStreamRequest": false
} }
} }

6
src/tools/genpolicy/rules.rego
View File

@ -39,7 +39,7 @@ default StatsContainerRequest := true
default StopTracingRequest := false default StopTracingRequest := false
default TtyWinResizeRequest := true default TtyWinResizeRequest := true
default UpdateContainerRequest := false default UpdateContainerRequest := false
default UpdateEphemeralMountsRequest := true default UpdateEphemeralMountsRequest := false
default UpdateInterfaceRequest := true default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true default UpdateRoutesRequest := true
default WaitProcessRequest := true default WaitProcessRequest := true
@ -1169,6 +1169,10 @@ ReadStreamRequest {
policy_data.request_defaults.ReadStreamRequest == true policy_data.request_defaults.ReadStreamRequest == true
} }
UpdateEphemeralMountsRequest {
policy_data.request_defaults.UpdateEphemeralMountsRequest == true
}
WriteStreamRequest { WriteStreamRequest {
policy_data.request_defaults.WriteStreamRequest == true policy_data.request_defaults.WriteStreamRequest == true
} }

3
src/tools/genpolicy/src/policy.rs
View File

@ -344,6 +344,9 @@ pub struct RequestDefaults {
/// Allow Host reading from Guest containers stdout and stderr. /// Allow Host reading from Guest containers stdout and stderr.
pub ReadStreamRequest: bool, pub ReadStreamRequest: bool,
/// Allow Host to update Guest mounts.
pub UpdateEphemeralMountsRequest: bool,
/// Allow Host writing to Guest containers stdin. /// Allow Host writing to Guest containers stdin.
pub WriteStreamRequest: bool, pub WriteStreamRequest: bool,
} }

14
tests/integration/kubernetes/tests_common.sh
View File

@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
} }
# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
adapt_common_policy_settings_for_cbl_mariner() {
local settings_dir=$1
info "Adapting common policy settings for CBL-Mariner"
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for various platforms # adapt common policy settings for various platforms
adapt_common_policy_settings() { adapt_common_policy_settings() {
@ -166,6 +174,12 @@ adapt_common_policy_settings() {
adapt_common_policy_settings_for_sev "${settings_dir}" adapt_common_policy_settings_for_sev "${settings_dir}"
;; ;;
esac esac
case "${KATA_HOST_OS}" in
"cbl-mariner")
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
;;
esac
} }
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings, # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,