From 4c3d6fadc8e6cc758e5453e1fd7c8264b4d05485 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 6 Mar 2024 23:42:01 +0000
Subject: [PATCH] genpolicy: default env if image doesn't have env

Use containerd's default environment for container images that don't specify the Env field.
Also, re-enable policy env variable verification, now that these uncommon images are supported too.
Fixes: #9239
Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/rules.rego | 7 +++----
 src/tools/genpolicy/src/containerd.rs | 7 +++++++
 src/tools/genpolicy/src/registry.rs | 4 ++++
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 907f18830b..648eb1c44c 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -550,10 +550,9 @@ allow_env(p_process, i_process, s_name) {
     print("allow_env: p env =", p_process.Env)
     print("allow_env: i env =", i_process.Env)
 
-    # TODO: re-enable after fixing https://github.com/kata-containers/kata-containers/issues/9239.
-    # every i_var in i_process.Env {
-    #     allow_var(p_process, i_process, i_var, s_name)
-    # }
+    every i_var in i_process.Env {
+        allow_var(p_process, i_process, i_var, s_name)
+    }
 
     print("allow_env: true")
 }
diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs
index 03f47f3cec..19751bfa7d 100644
--- a/src/tools/genpolicy/src/containerd.rs
+++ b/src/tools/genpolicy/src/containerd.rs
@@ -161,3 +161,10 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
         }
     }
 }
+
+pub fn get_default_unix_env(env: &mut Vec) {
+    assert!(env.is_empty());
+
+    // Return the value of defaultUnixEnv from containerd.
+    env.push("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin".to_string());
+}
diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
index 13e0bf2276..ccd5413aa8 100644
--- a/src/tools/genpolicy/src/registry.rs
+++ b/src/tools/genpolicy/src/registry.rs
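Review bot: The re-enabled `every` is an allow-list check in one direction only — each variable the runtime presents must satisfy `allow_var`, but nothing requires variables the policy lists to actually be present, and an empty `i_process.Env` makes `every` vacuously true, so a workload started with no environment at all passes this rule whatever the policy says. If that asymmetry is intended, say so next to the loop so it is not read as an equality check: `# Allow-list only: every runtime var must be permitted by policy; policy vars absent at runtime are not enforced here.` As I read Rego semantics, an `i_process.Env` that is absent rather than empty makes `every` undefined and the rule fails closed, which is also worth a line if it is relied on. The allow_env rule's head is outside the hunk.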
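Review bot: `get_default_unix_env` is written as an out-parameter setter guarded by `assert!(env.is_empty())`, which will panic the tool on any future caller that already has entries, and the `get_` prefix reads as a getter; a plain constant removes both the precondition and the mutation: `pub const DEFAULT_UNIX_ENV: &[&str] = &["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"];`. Whichever shape is kept, it needs a `///` doc comment saying the value mirrors `defaultUnixEnv` in containerd's oci package and must be kept in sync with the containerd version Kata ships against, because the generated policy is only as correct as the runtime default it predicts — a mismatch means the agent rejects every container built from an `Env`-less image (fail closed, not a bypass). The `Vec` in the signature appears to have lost its type parameter in extraction, presumably `Vec<String>`.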
@@ -6,6 +6,7 @@
 // Allow Docker image config field names.
 #![allow(non_snake_case)]
 
+use crate::containerd;
 use crate::policy;
 use crate::verity;
 
@@ -159,10 +160,13 @@ impl Container {
             process.Terminal = false;
         }
 
+        assert!(process.Env.is_empty());
         if let Some(config_env) = &docker_config.Env {
             for env in config_env {
                 process.Env.push(env.clone());
             }
+        } else {
+            containerd::get_default_unix_env(&mut process.Env);
         }
 
         let policy_args = &mut process.Args;
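Review bot: The new `else` branch only covers an image config with no `Env` key; an image whose config carries an empty `Env` array takes the `if let Some` path and leaves `process.Env` empty, whereas containerd — as I recall from `WithImageConfigArgs` in oci/spec_opts.go, to be confirmed against the pinned version — falls back to `defaultUnixEnv` whenever `len(config.Env) == 0`, so the runtime would inject a PATH the policy does not list and the re-enabled `allow_env` check would reject the container. Treating empty as absent closes that gap with one line: `if let Some(config_env) = docker_config.Env.as_deref().filter(|e| !e.is_empty()) {`. The added `assert!(process.Env.is_empty())` is a precondition on whatever built `process` above this hunk, so a short comment naming that invariant, e.g. `// process.Env must start empty: the image config (or containerd's default) is its only source.`, would help the next reader. The enclosing method starts and ends outside the hunk.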