diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 1e281794f..015571d40 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -71,7 +71,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
     ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
 
     # Check if any element from the policy_data.containers array allows the input request.
-    some p_container in policy_data.containers
+    some idx, p_container in policy_data.containers
     print("======== CreateContainerRequest: trying next policy container")
 
     p_pidns := p_container.sandbox_pidns
@@ -105,7 +105,13 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
     ret := allow_linux(ops_builder2, p_oci, i_oci)
     ret.allowed
 
-    ops := ret.ops
+    # save to policy state
+    # key: input.container_id
+    # val: index of p_container in the policy_data.containers array
+    print("CreateContainerRequest: addding container_id=", input.container_id, " to state")
+    add_p_container_to_state := state_allows(input.container_id, idx)
+
+    ops := concat_op_if_not_null(ret.ops, add_p_container_to_state)
 
     print("CreateContainerRequest: true")
 }
@@ -176,11 +182,28 @@ state_allows(key, value) = action {
     action := null
 }
 
+# delete key=value from state
+state_del_key(key) = action {
+    print("state_del_key: ", key)
+    state := get_state()
+    print("state_del_key: deleting from state key =", key)
+    path := get_state_path(key)
+    action := {
+        "op": "remove",
+        "path": path,
+    }
+}
+
 # helper functions to interact with the state
 get_state() = state {
     state := data["pstate"]
 }
 
+get_state_val(key) = value {
+    state := get_state()
+    value := state[key]
+}
+
 get_state_path(key) = path {
     # prepend "/pstate/" to key
     path := concat("/", ["/pstate", key])
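Review bot: The write at `add_p_container_to_state := state_allows(input.container_id, idx)` records the policy index for the allowed request, but nothing in this hunk rejects a CreateContainerRequest whose container_id is already a key in state; the branches of state_allows are outside the hunk, and the `action := null` tail visible at the -176 hunk suggests it has a no-op path, so a reused id that matches a different policy container could leave a stale index that ExecProcessRequest later trusts. Consider guarding the write with `not get_state_val(input.container_id)` before the state_allows call, or a comment stating why a duplicate id cannot reach this point. The log string also has a typo: `print("CreateContainerRequest: adding container_id=", input.container_id, " to state")`. CreateContainerRequest starts outside the hunk.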
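Review bot: In `state_del_key` the binding `state := get_state()` is never used, so it is dead code that strict linting would likely report as an unused assignment; either drop the line or use it as the guard, `state[key]`, so the rule is undefined when the key is absent instead of emitting a remove op for a `/pstate/<key>` path that does not exist. That guard is exactly what the new `get_state_val` computes, so `state_del_key` could call `get_state_val(key)` instead of repeating the lookup. A short comment on `get_state_val`, e.g. `# undefined when key is not present in state`, would document the fail-closed behaviour that ExecProcessRequest now depends on.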
@@ -1288,9 +1311,11 @@ ExecProcessRequest {
     print("ExecProcessRequest 2: input =", input)
     allow_exec_process_input
 
-    # TODO: match input container ID with its corresponding container.exec_commands.
-    some container in policy_data.containers
-    some p_command in container.exec_commands
+    # get p_container from state
+    idx := get_state_val(input.container_id)
+    p_container := policy_data.containers[idx]
+
+    some p_command in p_container.exec_commands
     print("ExecProcessRequest 2: p_command =", p_command)
 
     # TODO: should other input data fields be validated as well?
@@ -1381,3 +1406,14 @@ UpdateEphemeralMountsRequest {
 WriteStreamRequest {
     policy_data.request_defaults.WriteStreamRequest == true
 }
+
+RemoveContainerRequest:= {"ops": ops, "allowed": true} {
+    print("RemoveContainerRequest: input =", input)
+
+    # Delete input.container_id from p_state
+    ops_builder1 := []
+    del_container := state_del_key(input.container_id)
+    ops := concat_op_if_not_null(ops_builder1, del_container)
+
+    print("RemoveContainerRequest: true")
+}
diff --git a/src/tools/genpolicy/tests/main.rs b/src/tools/genpolicy/tests/main.rs
index d5eeebc75..c0ed5af14 100644
--- a/src/tools/genpolicy/tests/main.rs
+++ b/src/tools/genpolicy/tests/main.rs
@@ -13,7 +13,7 @@ mod tests {
 
     use protocols::agent::{
         CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, ExecProcessRequest,
-        UpdateInterfaceRequest, UpdateRoutesRequest,
+        RemoveContainerRequest, UpdateInterfaceRequest, UpdateRoutesRequest,
     };
     use serde::{Deserialize, Serialize};
 
@@ -27,9 +27,10 @@ mod tests {
         CopyFile(CopyFileRequest),
         CreateContainer(CreateContainerRequest),
         CreateSandbox(CreateSandboxRequest),
+        ExecProcess(ExecProcessRequest),
+        RemoveContainer(RemoveContainerRequest),
         UpdateInterface(UpdateInterfaceRequest),
         UpdateRoutes(UpdateRoutesRequest),
-        ExecProcess(ExecProcessRequest),
     }
 
     impl Display for TestRequest {
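Review bot: `idx := get_state_val(input.container_id)` makes ExecProcessRequest undefined, i.e. denied, whenever the container_id has no entry in state, which is the right default but is not stated anywhere in the rule; replacing `# get p_container from state` with `# undefined (denied) if input.container_id was never recorded by CreateContainerRequest or was removed by RemoveContainerRequest` would make the fail-closed dependency explicit. The lookup also assumes the stored integer is still a valid index into policy_data.containers, which holds only while the policy data that wrote the state is the one being evaluated; if policy data can change while state persists, that assumption deserves a note too. The enclosing rule continues outside the hunk.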
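Review bot: `RemoveContainerRequest` is allowed for any input.container_id and always emits a remove op via `state_del_key`, including for ids that were never recorded; depending on how the agent applies the op, removing a non-existent `/pstate/<id>` path either fails the patch or does nothing, and neither outcome is documented here. Consider making the deletion conditional on the key being present, e.g. `get_state_val(input.container_id)` on the line before `del_container := state_del_key(input.container_id)`, or a comment stating that an unknown id is intentionally tolerated. `ops_builder1 := []` is used once and could be inlined as `ops := concat_op_if_not_null([], del_container)`.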
@@ -38,9 +39,10 @@ mod tests {
             TestRequest::CopyFile(_) => write!(f, "CopyFileRequest"),
             TestRequest::CreateContainer(_) => write!(f, "CreateContainerRequest"),
             TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"),
+            TestRequest::ExecProcess(_) => write!(f, "ExecProcessRequest"),
+            TestRequest::RemoveContainer(_) => write!(f, "RemoveContainerRequest"),
             TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"),
             TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"),
-            TestRequest::ExecProcess(_) => write!(f, "ExecProcessRequest"),
         }
     }
 }
@@ -187,7 +189,12 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn test_exec_process() {
-        runtests("execprocess").await;
+    async fn test_state_create_container() {
+        runtests("state/createcontainer").await;
+    }
+
+    #[tokio::test]
+    async fn test_state_exec_process() {
+        runtests("state/execprocess").await;
     }
 }
diff --git a/src/tools/genpolicy/tests/testdata/execprocess/testcases.json b/src/tools/genpolicy/tests/testdata/execprocess/testcases.json
deleted file mode 100644
index fadf0a80b..000000000
--- a/src/tools/genpolicy/tests/testdata/execprocess/testcases.json
+++ /dev/null
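Review bot: `test_state_create_container` and `test_state_exec_process` now depend on the cases in their testcases.json running in file order with policy state carried between them, because the ExecProcess and RemoveContainer cases can only pass after a preceding CreateContainer case has written the container_id into state; nothing on the test functions says so. A comment above each test, e.g. `// Cases in this file are order-dependent: CreateContainer must run before ExecProcess/RemoveContainer so the container_id is present in policy state.`, would stop a future reordering of the fixture from producing a confusing failure. Whether runtests actually preserves state across cases is outside the hunk and would need confirming.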
@@ -1,139 +0,0 @@ -[ - { - "description": "test exec process with correct args", - "allowed": true, - "request": { - "type": "ExecProcess", - "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200", - "string_user": null, - "process": { - "Terminal": false, - "ConsoleSize": null, - "Args": [ - "echo", - "test" - ], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "HOSTNAME=busybox-cc" - ], - "Cwd": "/", - "Capabilities": null, - "Rlimits": [], - "NoNewPrivileges": false, - "OOMScoreAdj": 0, - "SelinuxLabel": "", - "ApparmorProfile": "" - } - } - }, - { - "description": "test exec process with incorrect args", - "allowed": false, - "request": { - "type": "ExecProcess", - "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200", - "string_user": null, - "process": { - "Terminal": false, - "ConsoleSize": null, - "Args": [], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "HOSTNAME=busybox-cc" - ], - "Cwd": "/", - "Capabilities": null, - "Rlimits": [], - "NoNewPrivileges": false, - "OOMScoreAdj": 0, - "SelinuxLabel": "", - "ApparmorProfile": "" - } - } - }, - { - "description": "test exec process with non-null selinuxLabel", - "allowed": false, - "request": { - "type": "ExecProcess", - "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200", - "string_user": null, - "process": { - "Terminal": false, - "ConsoleSize": null, - "Args": [], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "HOSTNAME=busybox-cc" - ], - "Cwd": "/", - "Capabilities": null, - "Rlimits": [], - "NoNewPrivileges": false, - "OOMScoreAdj": 0, - "SelinuxLabel": "system_u:system_r:container_t", - "ApparmorProfile": "" - } - } - }, - { - "description": "test exec 
process with random ApparmorProfile", - "allowed": false, - "request": { - "type": "ExecProcess", - "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200", - "string_user": null, - "process": { - "Terminal": false, - "ConsoleSize": null, - "Args": [], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "HOSTNAME=busybox-cc" - ], - "Cwd": "/", - "Capabilities": null, - "Rlimits": [], - "NoNewPrivileges": false, - "OOMScoreAdj": 0, - "SelinuxLabel": "", - "ApparmorProfile": "localhost/root-user" - } - } - }, - { - "description": "test exec process with random string_user", - "allowed": false, - "request": { - "type": "ExecProcess", - "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200", - "string_user": { - "uid": "0", - "gid": "12", - "additional_gids": [] - }, - "process": { - "Terminal": false, - "ConsoleSize": null, - "Args": [], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "HOSTNAME=busybox-cc" - ], - "Cwd": "/", - "Capabilities": null, - "Rlimits": [], - "NoNewPrivileges": false, - "OOMScoreAdj": 0, - "SelinuxLabel": "", - "ApparmorProfile": "" - } - } - } -] diff --git a/src/tools/genpolicy/tests/testdata/state/createcontainer/pod.yaml b/src/tools/genpolicy/tests/testdata/state/createcontainer/pod.yaml new file mode 100644 index 000000000..60bef94c0 --- /dev/null +++ b/src/tools/genpolicy/tests/testdata/state/createcontainer/pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: policy-redis-deployment-6674f9448-xjrzf +spec: + runtimeClassName: kata-cc-isolation + containers: + - name: redis + image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db 
diff --git a/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json b/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json new file mode 100644 index 000000000..990879fdc --- /dev/null +++ b/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json 
@@ -0,0 +1,282 @@ +[ + { + "description": "test create container and save container_id in state", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.podsandbox.image-name": "registry.k8s.io/pause:3.10", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "102", + "io.kubernetes.cri.sandbox-id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "policy-redis-deployment-6674f9448-xjrzf", + "io.kubernetes.cri.sandbox-namespace": "default", + "io.kubernetes.cri.sandbox-uid": "9c64c5bf-298f-46c4-ad63-e2270a2ff44c", + "nerdctl/network-namespace": "/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf" + }, + "Hooks": null, + "Hostname": "policy-redis-deployment-6674f9448-xjrzf", + "Linux": { + "CgroupsPath": "/kubepods/burstable/pod9c64c5bf-298f-46c4-ad63-e2270a2ff44c/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/sys/devices/virtual/powercap", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + 
"ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + "Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + "RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "proc", + "type_": "proc" + }, + { + "destination": "/dev", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ], + "source": "tmpfs", + "type_": "tmpfs" + }, + { + "destination": "/dev/pts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ], + "source": "devpts", + "type_": "devpts" + }, + { + "destination": "/dev/mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "mqueue", + "type_": "mqueue" + }, + { + "destination": "/sys", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ], + "source": "sysfs", + "type_": "sysfs" + }, + { + "destination": "/dev/shm", + "options": [ + "rbind" + ], + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind" + }, + { + "destination": "/etc/resolv.conf", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ], + "source": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12-b3930b9af7125931-resolv.conf", + "type_": "bind" + } + ], + "Process": { + "ApparmorProfile": "", + "Args": [ + "/pause" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + 
"CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Inheritable": [], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + }, + "ConsoleSize": null, + "Cwd": "/", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "NoNewPrivileges": true, + "OOMScoreAdj": -998, + "Rlimits": [], + "SelinuxLabel": "", + "Terminal": false, + "User": { + "AdditionalGids": [ + 0 + ], + "GID": 0, + "UID": 65535, + "Username": "" + } + }, + "Root": { + "Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "Readonly": true + }, + "Solaris": null, + "Version": "1.1.0", + "Windows": null + }, + "container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "devices": [], + "exec_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "sandbox_pidns": false, + "shared_mounts": [], + "stderr_port": 0, + "stdin_port": 0, + "stdout_port": 0, + "storages": [ + { + "driver": "image_guest_pull", + "driver_options": [ + 
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.katacontainers.pkg.oci.container_type\":\"pod_sandbox\",\"io.kubernetes.cri.container-type\":\"sandbox\",\"io.kubernetes.cri.podsandbox.image-name\":\"registry.k8s.io/pause:3.10\",\"io.kubernetes.cri.sandbox-cpu-period\":\"100000\",\"io.kubernetes.cri.sandbox-cpu-quota\":\"0\",\"io.kubernetes.cri.sandbox-cpu-shares\":\"102\",\"io.kubernetes.cri.sandbox-id\":\"4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.kubernetes.cri.sandbox-log-directory\":\"/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"io.kubernetes.cri.sandbox-memory\":\"0\",\"io.kubernetes.cri.sandbox-name\":\"policy-redis-deployment-6674f9448-xjrzf\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"nerdctl/network-namespace\":\"/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf\"}}" + ], + "fs_group": null, + "fstype": "overlay", + "mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "options": [], + "source": "pause" + } + ], + "string_user": null + } + }, + { + "description": "test remove container and remove container_id from state", + "allowed": true, + "request": { + "type": "RemoveContainer", + "container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12", + "timeout": 0 + } + } +] diff --git a/src/tools/genpolicy/tests/testdata/execprocess/pod.yaml b/src/tools/genpolicy/tests/testdata/state/execprocess/pod.yaml similarity index 54% rename from src/tools/genpolicy/tests/testdata/execprocess/pod.yaml rename to src/tools/genpolicy/tests/testdata/state/execprocess/pod.yaml index a7b5b464b..cec6f5aeb 100644 
--- a/src/tools/genpolicy/tests/testdata/execprocess/pod.yaml +++ b/src/tools/genpolicy/tests/testdata/state/execprocess/pod.yaml @@ -16,5 +16,16 @@ spec: livenessProbe: exec: command: - - echo - - test + - test1 + - name: second-test-container + image: "quay.io/prometheus/busybox:latest" + env: + - name: CONTAINER_NAME + value: second-test-container + command: + - sleep + - "3600" + livenessProbe: + exec: + command: + - test2 diff --git a/src/tools/genpolicy/tests/testdata/state/execprocess/testcases.json b/src/tools/genpolicy/tests/testdata/state/execprocess/testcases.json new file mode 100644 index 000000000..135519de4 --- /dev/null +++ b/src/tools/genpolicy/tests/testdata/state/execprocess/testcases.json 
@@ -0,0 +1,971 @@ +[ + { + "description": "create container request for first container", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "2", + "io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "busybox", + "io.kubernetes.cri.sandbox-namespace": "default", + "io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd", + "io.kubernetes.cri.container-name": "first-test-container" + }, + "Hooks": null, + "Hostname": "busybox", + "Linux": { + "CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + "Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + "RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": 
null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf", + "type_": 
"bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Process": { + "Args": [ + "sleep", + "3600" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Inheritable": [], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + }, + "ConsoleSize": null, + "Cwd": "/", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "NoNewPrivileges": false, + "OOMScoreAdj": -998, + "Rlimits": [], + "SelinuxLabel": "", + "Terminal": false, + "User": { + "AdditionalGids": [ + ], + "GID": 0, + "UID": 0, + "Username": "" + } + }, + "Root": { + "Path": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", + "Readonly": false + }, + "Solaris": null, + "Version": "1.1.0", + "Windows": null + }, + "container_id": 
"88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", + "exec_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", + "devices": [], + "sandbox_pidns": false, + "shared_mounts": [], + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "0001:00:02.0", + "fstype": "tar", + "options": [ + "ro", + "io.katacontainers.fs-opt.block_device=file", + "io.katacontainers.fs-opt.is-layer", + "io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba" + ], + "mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "0001:00:03.0", + "fstype": "tar", + "options": [ + "ro", + "io.katacontainers.fs-opt.block_device=file", + "io.katacontainers.fs-opt.is-layer", + "io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0" + ], + "mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "none", + "fstype": "fuse3.kata-overlay", + "options": [ + "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers", + "io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=", + 
"io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=", + "io.katacontainers.fs-opt.overlay-rw", + "lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f" + ], + "mount_point": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", + "fs_group": null + } + ], + "string_user": null + } + }, + { + "description": "create container request for second container", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "2", + "io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "busybox", + "io.kubernetes.cri.sandbox-namespace": "default", + "io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd", + "io.kubernetes.cri.container-name": "second-test-container" + }, + "Hooks": null, + "Hostname": "busybox", + "Linux": { + "CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + 
"/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + "Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + "RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + 
"destination": "/dev/termination-log",
+ "source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/hostname",
+ "source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "source": "/run/kata-containers/sandbox/shm",
+ "type_": "bind",
+ "options": [
+ "rbind"
+ ]
+ },
+ {
+ "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+ "source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ]
+ }
+ ],
+ "Process": {
+ "Args": [
+ "sleep",
+ "3600"
+ ],
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "Effective": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "ConsoleSize": null,
+ "Cwd": "/",
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": -998,
+ "Rlimits": [],
+ "SelinuxLabel": "",
+ "Terminal": false,
+ "User": {
+ "AdditionalGids": [
+ ],
+ "GID": 0,
+ "UID": 0,
+ "Username": ""
+ }
+ },
+ "Root": {
+ "Path": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
+ "Readonly": false
+ },
+ "Solaris": null,
+ "Version": "1.1.0",
+ "Windows": null
+ },
+ "container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "devices": [],
+ "sandbox_pidns": false,
+ "shared_mounts": [],
+ "storages": [
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "0001:00:02.0",
+ "fstype": "tar",
+ "options": [
+ "ro",
+ "io.katacontainers.fs-opt.block_device=file",
+ "io.katacontainers.fs-opt.is-layer",
+ "io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba"
+ ],
+ "mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7",
+ "fs_group": null
+ },
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "0001:00:03.0",
+ "fstype": "tar",
+ "options": [
+ "ro",
+ "io.katacontainers.fs-opt.block_device=file",
+ "io.katacontainers.fs-opt.is-layer",
+ "io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0"
+ ],
+ "mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f",
+ "fs_group": null
+ },
+ {
+ "driver": "overlayfs",
+ "driver_options": [],
+ "source": "none",
+ "fstype": "fuse3.kata-overlay",
+ "options": [
+ "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers",
+ "io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=",
+ "io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=",
+ "io.katacontainers.fs-opt.overlay-rw",
+ "lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f"
+ ],
+ "mount_point": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "fs_group": null
+ }
+ ],
+ "string_user": null
+ }
+ },
+ {
+ "description": "test exec process in first container with correct args",
+ "allowed": true,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [
+ 0,
+ 10
+ ],
+ "Username": ""
+ },
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": ""
+ }
+ }
+ },
+ {
+ "description": "test exec process in first container with incorrect args",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [
+ 0,
+ 10
+ ],
+ "Username": ""
+ },
+ "Args": [
+ "foo"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": ""
+ }
+ }
+ },
+ {
+ "description": "test exec process in first container with non-null selinuxLabel",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": "system_u:system_r:container_t",
+ "ApparmorProfile": ""
+ }
+ }
+ },
+ {
+ "description": "test exec process in first container with random ApparmorProfile",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": "",
+ "ApparmorProfile": "localhost/root-user"
+ }
+ }
+ },
+ {
+ "description": "test exec process in first container with random string_user",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": {
+ "uid": "0",
+ "gid": "12",
+ "additional_gids": []
+ },
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": "",
+ "ApparmorProfile": ""
+ }
+ }
+ },
+ {
+ "description": "test exec process in second container with first container args",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [
+ 0,
+ 10
+ ],
+ "Username": ""
+ },
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": ""
+ }
+ }
+ },
+ {
+ "description": "test exec process with invalid container_id",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "1070be4405d02db09ddaa02b73c0670f5fe5511d5efb45608da2366074dc4e08",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b24f",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [
+ 0,
+ 10
+ ],
+ "Username": ""
+ },
+ "Args": [
+ "bar"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": ""
+ }
+ }
+ },
+ {
+ "description": "remove first container",
+ "allowed": true,
+ "request": {
+ "type": "RemoveContainer",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "timeout": 0
+ }
+ },
+ {
+ "description": "test exec process fail for first container",
+ "allowed": false,
+ "request": {
+ "type": "ExecProcess",
+ "container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
+ "exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
+ "string_user": null,
+ "process": {
+ "Terminal": false,
+ "ConsoleSize": null,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [
+ 0,
+ 10
+ ],
+ "Username": ""
+ },
+ "Args": [
+ "test1"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=busybox-cc"
+ ],
+ "Cwd": "/",
+ "Capabilities": null,
+ "Rlimits": [],
+ "NoNewPrivileges": false,
+ "OOMScoreAdj": 0,
+ "SelinuxLabel": ""
+ }
+ }
+ }
+]