github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-28 19:54:35 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11113 from Sumynwa/sumsharma/policy_execprocess_container_id

Browse Source 
genpolicy: Add container_id & related policy container data to state.
This commit is contained in:
Aurélien Bombo 2025-04-22 18:37:58 +01:00 committed by GitHub
commit bf93b5daf1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 1328 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/tools/genpolicy/rules.rego
View File

@ -71,7 +71,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state) ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
# Check if any element from the policy_data.containers array allows the input request. # Check if any element from the policy_data.containers array allows the input request.
some p_container in policy_data.containers some idx, p_container in policy_data.containers
print("======== CreateContainerRequest: trying next policy container") print("======== CreateContainerRequest: trying next policy container")
p_pidns := p_container.sandbox_pidns p_pidns := p_container.sandbox_pidns
@ -105,7 +105,13 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
ret := allow_linux(ops_builder2, p_oci, i_oci) ret := allow_linux(ops_builder2, p_oci, i_oci)
ret.allowed ret.allowed
ops := ret.ops # save to policy state
# key: input.container_id
# val: index of p_container in the policy_data.containers array
print("CreateContainerRequest: addding container_id=", input.container_id, " to state")
add_p_container_to_state := state_allows(input.container_id, idx)
ops := concat_op_if_not_null(ret.ops, add_p_container_to_state)
print("CreateContainerRequest: true") print("CreateContainerRequest: true")
} }
@ -176,11 +182,28 @@ state_allows(key, value) = action {
action := null action := null
} }
# delete key=value from state
state_del_key(key) = action {
print("state_del_key: ", key)
state := get_state()
print("state_del_key: deleting from state key =", key)
path := get_state_path(key)
action := {
"op": "remove",
"path": path,
}
}
# helper functions to interact with the state # helper functions to interact with the state
get_state() = state { get_state() = state {
state := data["pstate"] state := data["pstate"]
} }
get_state_val(key) = value {
state := get_state()
value := state[key]
}
get_state_path(key) = path { get_state_path(key) = path {
# prepend "/pstate/" to key # prepend "/pstate/" to key
path := concat("/", ["/pstate", key]) path := concat("/", ["/pstate", key])
@ -1288,9 +1311,11 @@ ExecProcessRequest {
print("ExecProcessRequest 2: input =", input) print("ExecProcessRequest 2: input =", input)
allow_exec_process_input allow_exec_process_input
# TODO: match input container ID with its corresponding container.exec_commands. # get p_container from state
some container in policy_data.containers idx := get_state_val(input.container_id)
some p_command in container.exec_commands p_container := policy_data.containers[idx]
some p_command in p_container.exec_commands
print("ExecProcessRequest 2: p_command =", p_command) print("ExecProcessRequest 2: p_command =", p_command)
# TODO: should other input data fields be validated as well? # TODO: should other input data fields be validated as well?
@ -1381,3 +1406,14 @@ UpdateEphemeralMountsRequest {
WriteStreamRequest { WriteStreamRequest {
policy_data.request_defaults.WriteStreamRequest == true policy_data.request_defaults.WriteStreamRequest == true
} }
RemoveContainerRequest:= {"ops": ops, "allowed": true} {
print("RemoveContainerRequest: input =", input)
# Delete input.container_id from p_state
ops_builder1 := []
del_container := state_del_key(input.container_id)
ops := concat_op_if_not_null(ops_builder1, del_container)
print("RemoveContainerRequest: true")
}

17
src/tools/genpolicy/tests/main.rs
View File

@ -13,7 +13,7 @@ mod tests {
use protocols::agent::{ use protocols::agent::{
CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, ExecProcessRequest, CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, ExecProcessRequest,
UpdateInterfaceRequest, UpdateRoutesRequest, RemoveContainerRequest, UpdateInterfaceRequest, UpdateRoutesRequest,
}; };
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
@ -27,9 +27,10 @@ mod tests {
CopyFile(CopyFileRequest), CopyFile(CopyFileRequest),
CreateContainer(CreateContainerRequest), CreateContainer(CreateContainerRequest),
CreateSandbox(CreateSandboxRequest), CreateSandbox(CreateSandboxRequest),
ExecProcess(ExecProcessRequest),
RemoveContainer(RemoveContainerRequest),
UpdateInterface(UpdateInterfaceRequest), UpdateInterface(UpdateInterfaceRequest),
UpdateRoutes(UpdateRoutesRequest), UpdateRoutes(UpdateRoutesRequest),
ExecProcess(ExecProcessRequest),
} }
impl Display for TestRequest { impl Display for TestRequest {
@ -38,9 +39,10 @@ mod tests {
TestRequest::CopyFile(_) => write!(f, "CopyFileRequest"), TestRequest::CopyFile(_) => write!(f, "CopyFileRequest"),
TestRequest::CreateContainer(_) => write!(f, "CreateContainerRequest"), TestRequest::CreateContainer(_) => write!(f, "CreateContainerRequest"),
TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"), TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"),
TestRequest::ExecProcess(_) => write!(f, "ExecProcessRequest"),
TestRequest::RemoveContainer(_) => write!(f, "RemoveContainerRequest"),
TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"), TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"),
TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"), TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"),
TestRequest::ExecProcess(_) => write!(f, "ExecProcessRequest"),
} }
} }
} }
@ -187,7 +189,12 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
async fn test_exec_process() { async fn test_state_create_container() {
runtests("execprocess").await; runtests("state/createcontainer").await;
}
#[tokio::test]
async fn test_state_exec_process() {
runtests("state/execprocess").await;
} }
} }

139
src/tools/genpolicy/tests/testdata/execprocess/testcases.json vendored
View File

@ -1,139 +0,0 @@
[
{
"description": "test exec process with correct args",
"allowed": true,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"echo",
"test"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with incorrect args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with non-null selinuxLabel",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "system_u:system_r:container_t",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with random ApparmorProfile",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": "localhost/root-user"
}
}
},
{
"description": "test exec process with random string_user",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": {
"uid": "0",
"gid": "12",
"additional_gids": []
},
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
}
]

9
src/tools/genpolicy/tests/testdata/state/createcontainer/pod.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: policy-redis-deployment-6674f9448-xjrzf
spec:
runtimeClassName: kata-cc-isolation
containers:
- name: redis
image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db

282
src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json vendored Normal file
View File

@ -0,0 +1,282 @@
[
{
"description": "test create container and save container_id in state",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
"io.kubernetes.cri.container-type": "sandbox",
"io.kubernetes.cri.podsandbox.image-name": "registry.k8s.io/pause:3.10",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "102",
"io.kubernetes.cri.sandbox-id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "policy-redis-deployment-6674f9448-xjrzf",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"nerdctl/network-namespace": "/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf"
},
"Hooks": null,
"Hostname": "policy-redis-deployment-6674f9448-xjrzf",
"Linux": {
"CgroupsPath": "/kubepods/burstable/pod9c64c5bf-298f-46c4-ad63-e2270a2ff44c/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/sys/devices/virtual/powercap",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type_": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type_": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type_": "devpts"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type_": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type_": "sysfs"
},
{
"destination": "/dev/shm",
"options": [
"rbind"
],
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"ro",
"nosuid",
"nodev",
"noexec"
],
"source": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12-b3930b9af7125931-resolv.conf",
"type_": "bind"
}
],
"Process": {
"ApparmorProfile": "",
"Args": [
"/pause"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": true,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
0
],
"GID": 0,
"UID": 65535,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"devices": [],
"exec_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"sandbox_pidns": false,
"shared_mounts": [],
"stderr_port": 0,
"stdin_port": 0,
"stdout_port": 0,
"storages": [
{
"driver": "image_guest_pull",
"driver_options": [
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.katacontainers.pkg.oci.container_type\":\"pod_sandbox\",\"io.kubernetes.cri.container-type\":\"sandbox\",\"io.kubernetes.cri.podsandbox.image-name\":\"registry.k8s.io/pause:3.10\",\"io.kubernetes.cri.sandbox-cpu-period\":\"100000\",\"io.kubernetes.cri.sandbox-cpu-quota\":\"0\",\"io.kubernetes.cri.sandbox-cpu-shares\":\"102\",\"io.kubernetes.cri.sandbox-id\":\"4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.kubernetes.cri.sandbox-log-directory\":\"/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"io.kubernetes.cri.sandbox-memory\":\"0\",\"io.kubernetes.cri.sandbox-name\":\"policy-redis-deployment-6674f9448-xjrzf\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"nerdctl/network-namespace\":\"/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf\"}}"
],
"fs_group": null,
"fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [],
"source": "pause"
}
],
"string_user": null
}
},
{
"description": "test remove container and remove container_id from state",
"allowed": true,
"request": {
"type": "RemoveContainer",
"container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"timeout": 0
}
}
]

15
src/tools/genpolicy/tests/testdata/execprocess/pod.yaml → src/tools/genpolicy/tests/testdata/state/execprocess/pod.yaml vendored
View File

@ -16,5 +16,16 @@ spec:
livenessProbe: livenessProbe:
exec: exec:
command: command:
- echo - test1
- test - name: second-test-container
image: "quay.io/prometheus/busybox:latest"
env:
- name: CONTAINER_NAME
value: second-test-container
command:
- sleep
- "3600"
livenessProbe:
exec:
command:
- test2

971
src/tools/genpolicy/tests/testdata/state/execprocess/testcases.json vendored Normal file
View File

@ -0,0 +1,971 @@
[
{
"description": "create container request for first container",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "2",
"io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "busybox",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd",
"io.kubernetes.cri.container-name": "first-test-container"
},
"Hooks": null,
"Hostname": "busybox",
"Linux": {
"CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"source": "proc",
"type_": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"source": "tmpfs",
"type_": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"source": "devpts",
"type_": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/mqueue",
"source": "mqueue",
"type_": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"source": "sysfs",
"type_": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"source": "cgroup",
"type_": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
},
{
"destination": "/etc/hosts",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/termination-log",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/hostname",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/resolv.conf",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/shm",
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind",
"options": [
"rbind"
]
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
}
],
"Process": {
"Args": [
"sleep",
"3600"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": false,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
],
"GID": 0,
"UID": 0,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"devices": [],
"sandbox_pidns": false,
"shared_mounts": [],
"storages": [
{
"driver": "blk",
"driver_options": [],
"source": "0001:00:02.0",
"fstype": "tar",
"options": [
"ro",
"io.katacontainers.fs-opt.block_device=file",
"io.katacontainers.fs-opt.is-layer",
"io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba"
],
"mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7",
"fs_group": null
},
{
"driver": "blk",
"driver_options": [],
"source": "0001:00:03.0",
"fstype": "tar",
"options": [
"ro",
"io.katacontainers.fs-opt.block_device=file",
"io.katacontainers.fs-opt.is-layer",
"io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0"
],
"mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f",
"fs_group": null
},
{
"driver": "overlayfs",
"driver_options": [],
"source": "none",
"fstype": "fuse3.kata-overlay",
"options": [
"io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers",
"io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=",
"io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=",
"io.katacontainers.fs-opt.overlay-rw",
"lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f"
],
"mount_point": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"fs_group": null
}
],
"string_user": null
}
},
{
"description": "create container request for second container",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "2",
"io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "busybox",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd",
"io.kubernetes.cri.container-name": "second-test-container"
},
"Hooks": null,
"Hostname": "busybox",
"Linux": {
"CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"source": "proc",
"type_": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"source": "tmpfs",
"type_": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"source": "devpts",
"type_": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/mqueue",
"source": "mqueue",
"type_": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"source": "sysfs",
"type_": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"source": "cgroup",
"type_": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
},
{
"destination": "/etc/hosts",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/termination-log",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/hostname",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/resolv.conf",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/shm",
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind",
"options": [
"rbind"
]
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
}
],
"Process": {
"Args": [
"sleep",
"3600"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": false,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
],
"GID": 0,
"UID": 0,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"devices": [],
"sandbox_pidns": false,
"shared_mounts": [],
"storages": [
{
"driver": "blk",
"driver_options": [],
"source": "0001:00:02.0",
"fstype": "tar",
"options": [
"ro",
"io.katacontainers.fs-opt.block_device=file",
"io.katacontainers.fs-opt.is-layer",
"io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba"
],
"mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7",
"fs_group": null
},
{
"driver": "blk",
"driver_options": [],
"source": "0001:00:03.0",
"fstype": "tar",
"options": [
"ro",
"io.katacontainers.fs-opt.block_device=file",
"io.katacontainers.fs-opt.is-layer",
"io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0"
],
"mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f",
"fs_group": null
},
{
"driver": "overlayfs",
"driver_options": [],
"source": "none",
"fstype": "fuse3.kata-overlay",
"options": [
"io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers",
"io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=",
"io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=",
"io.katacontainers.fs-opt.overlay-rw",
"lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f"
],
"mount_point": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"fs_group": null
}
],
"string_user": null
}
},
{
"description": "test exec process in first container with correct args",
"allowed": true,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0,
10
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with incorrect args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0,
10
],
"Username": ""
},
"Args": [
"foo"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with non-null selinuxLabel",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "system_u:system_r:container_t",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process in first container with random ApparmorProfile",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": "localhost/root-user"
}
}
},
{
"description": "test exec process in first container with random string_user",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": {
"uid": "0",
"gid": "12",
"additional_gids": []
},
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process in second container with first container args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0,
10
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process with invalid container_id",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "1070be4405d02db09ddaa02b73c0670f5fe5511d5efb45608da2366074dc4e08",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b24f",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0,
10
],
"Username": ""
},
"Args": [
"bar"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "remove first container",
"allowed": true,
"request": {
"type": "RemoveContainer",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"timeout": 0
}
},
{
"description": "test exec process fail for first container",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0,
10
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
}
]