mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-02 07:02:16 +00:00
agent: gate MemAgentMemcgSet and MemAgentCompactSet behind agent policy
The mem_agent_memcg_set and mem_agent_compact_set handlers in rpc.rs were the only AgentService methods that did not call is_allowed() before executing. Because the policy engine was never consulted, no OPA/Rego policy — including the strict default-deny policy generated by genpolicy — could deny these requests. Add is_allowed(&config).await? as the first statement of both handlers, matching the pattern used by every other handler in the file. Generated-By: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
@@ -1807,6 +1807,7 @@ impl agent_ttrpc::AgentService for AgentService {
|
||||
_ctx: &::ttrpc::r#async::TtrpcContext,
|
||||
config: protocols::agent::MemAgentMemcgConfig,
|
||||
) -> ::ttrpc::Result<Empty> {
|
||||
is_allowed(&config).await?;
|
||||
if let Some(ma) = &self.oma {
|
||||
ma.memcg_set_config_async(mem_agent_memcgconfig_to_memcg_optionconfig(&config))
|
||||
.await
|
||||
@@ -1831,6 +1832,7 @@ impl agent_ttrpc::AgentService for AgentService {
|
||||
_ctx: &::ttrpc::r#async::TtrpcContext,
|
||||
config: protocols::agent::MemAgentCompactConfig,
|
||||
) -> ::ttrpc::Result<Empty> {
|
||||
is_allowed(&config).await?;
|
||||
if let Some(ma) = &self.oma {
|
||||
ma.compact_set_config_async(mem_agent_compactconfig_to_compact_optionconfig(&config))
|
||||
.await
|
||||
|
||||
Reference in New Issue
Block a user