From 938ddeaf1e042c5af05c2a24f8dc48aa28b32bfd Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Tue, 25 Mar 2025 22:54:05 +0000
Subject: [PATCH] genpolicy: Enable GID checks in rules.rego

With fixes to align policy GID parsing with the CRI behavior, we can now enable policy verification of GIDs.

Signed-off-by: Cameron Baird
---
 src/tools/genpolicy/rules.rego | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 015571d40e..86eb47e0b8 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -694,11 +694,8 @@ allow_user(p_process, i_process) {
     print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
     p_user.UID == i_user.UID
 
-    # TODO: track down the reason for registry.k8s.io/pause:3.9 being
-    # executed with gid = 0 despite having "65535:65535" in its container image
-    # config.
-    #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
-    #p_user.GID == i_user.GID
+    print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+    p_user.GID == i_user.GID
 
     # TODO: compare the additionalGids field too after computing its value
     # based on /etc/passwd and /etc/group from the container image.
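Review bot: The newly enabled `p_user.GID == i_user.GID` compares only the primary GID, so supplementary groups in additionalGids are still not verified by allow_user, as the TODO that survives at the end of the hunk shows; that limit should be stated where the check is made rather than left to a trailing TODO. Suggest a comment directly above the new comparison: `# Primary GID only; additionalGids are not yet compared (see TODO below).` The commit message credits aligned GID parsing for making this check safe, but none of that parsing change is visible in this hunk, so whether the pause:3.9 gid=0 case described in the removed TODO is actually resolved cannot be confirmed from here. allow_user starts outside the hunk, where i_user and p_user are bound.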