github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-18 17:33:02 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: Enable GID checks in rules.rego

Browse Source 
With fixes to align policy GID parsing with the CRI behavior, we can now
enable policy verification of GIDs.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
This commit is contained in:
Cameron Baird 2025-03-25 22:54:05 +00:00
parent eb2c7f4150
commit 938ddeaf1e
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/tools/genpolicy/rules.rego
View File

@ -694,11 +694,8 @@ allow_user(p_process, i_process) {
print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
p_user.UID == i_user.UID p_user.UID == i_user.UID
# TODO: track down the reason for registry.k8s.io/pause:3.9 being print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
# executed with gid = 0 despite having "65535:65535" in its container image p_user.GID == i_user.GID
# config.
#print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
#p_user.GID == i_user.GID
# TODO: compare the additionalGids field too after computing its value # TODO: compare the additionalGids field too after computing its value
# based on /etc/passwd and /etc/group from the container image. # based on /etc/passwd and /etc/group from the container image.