From 95b57b025cc9825b09443fc43de89d07f3b58e13 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Thu, 25 Jun 2026 16:25:50 +0100
Subject: [PATCH] agent: gate MemAgentMemcgSet and MemAgentCompactSet behind agent policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The mem_agent_memcg_set and mem_agent_compact_set handlers in rpc.rs were the only AgentService methods that did not call is_allowed() before executing. Because the policy engine was never consulted, no OPA/Rego policy — including the strict default-deny policy generated by genpolicy — could deny these requests.

Add is_allowed(&config).await? as the first statement of both handlers, matching the pattern used by every other handler in the file.

Generated-By: IBM Bob
Signed-off-by: stevenhorsman
---
 src/agent/src/rpc.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index d3876cc814..1536e3a28b 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -1807,6 +1807,7 @@ impl agent_ttrpc::AgentService for AgentService {
 _ctx: &::ttrpc::r#async::TtrpcContext,
 config: protocols::agent::MemAgentMemcgConfig,
 ) -> ::ttrpc::Result {
+ is_allowed(&config).await?;
 if let Some(ma) = &self.oma {
 ma.memcg_set_config_async(mem_agent_memcgconfig_to_memcg_optionconfig(&config))
 .await
@@ -1831,6 +1832,7 @@ impl agent_ttrpc::AgentService for AgentService {
 _ctx: &::ttrpc::r#async::TtrpcContext,
 config: protocols::agent::MemAgentCompactConfig,
 ) -> ::ttrpc::Result {
+ is_allowed(&config).await?;
 if let Some(ma) = &self.oma {
 ma.compact_set_config_async(mem_agent_compactconfig_to_compact_optionconfig(&config))
 .await
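Review bot: The new `is_allowed(&config).await?` makes both handlers reject any request the loaded policy does not explicitly permit, yet the diffstat shows only rpc.rs changing. If the policy rule is looked up by the request type name, as the shared `is_allowed` pattern in the other handlers suggests, then every policy that enumerates allowed requests — the agent's built-in default policy and the rules genpolicy emits — needs entries for MemAgentMemcgConfig and MemAgentCompactConfig, otherwise these two calls start failing in deployments that previously accepted them. That is worth confirming and, if it holds, shipping those policy entries in this change together with a test that exercises the deny path for both handlers. The same point applies to the second hunk at @@ -1831; both mem_agent_memcg_set and mem_agent_compact_set start and end outside their hunks.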