From a113b9eefd3fc3f0d1aa2bd53055bc41c27b884d Mon Sep 17 00:00:00 2001
From: Dan Mihai <dmihai@microsoft.com>
Date: Wed, 18 Dec 2024 02:20:21 +0000
Subject: [PATCH] genpolicy: validate probe process fields

Validate more process fields for k8s probe commands - e.g.,
livenessProbe, readinessProbe, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
---
 src/tools/genpolicy/rules.rego | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 2224a6b7f2..203dfc6345 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -686,6 +686,7 @@ allow_process_common(p_process, i_process, s_name) {
 allow_process(p_process, i_process, s_name) {
     print("allow_process: start")
 
+    allow_args(p_process, i_process, s_name)
     allow_process_common(p_process, i_process, s_name)
     allow_caps(p_process.Capabilities, i_process.Capabilities)
     p_process.Terminal == i_process.Terminal
@@ -697,7 +698,6 @@ allow_process(p_process, i_process, s_name) {
 allow_interactive_process(p_process, i_process, s_name) {
     print("allow_interactive_process: start")
 
-    allow_args(p_process, i_process, s_name)
     allow_process_common(p_process, i_process, s_name)
     allow_exec_caps(i_process.Capabilities)
 
@@ -707,6 +707,17 @@ allow_interactive_process(p_process, i_process, s_name) {
     print("allow_interactive_process: true")
 }
 
+# Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
+allow_probe_process(p_process, i_process, s_name) {
+    print("allow_probe_process: start")
+
+    allow_process_common(p_process, i_process, s_name)
+    allow_exec_caps(i_process.Capabilities)
+    p_process.Terminal == i_process.Terminal
+
+    print("allow_probe_process: true")
+}
+
 allow_user(p_process, i_process) {
     p_user := p_process.User
     i_user := i_process.User