From c13d7796eeb016d10ebcc1534a1701126a6dda8d Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Tue, 8 Apr 2025 18:02:04 +0000
Subject: [PATCH] genpolicy: Parse secContext runAsGroup and allowPrivilegeEscalation

Our policy should cover these fields for securityContexts at the pod or container level of granularity.

Signed-off-by: Cameron Baird
---
 src/tools/genpolicy/src/pod.rs | 15 +++++++++++++++
 src/tools/genpolicy/src/yaml.rs | 8 ++++++++
 2 files changed, 23 insertions(+)

diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index 18f5ee5ba..4866a97d3 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -296,6 +296,9 @@ struct SecurityContext {
 #[serde(skip_serializing_if = "Option::is_none")]
 runAsUser: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ runAsGroup: Option,
+
 #[serde(skip_serializing_if = "Option::is_none")]
 seccompProfile: Option,
 }
@@ -318,6 +321,12 @@ pub struct PodSecurityContext {
 #[serde(skip_serializing_if = "Option::is_none")]
 pub sysctls: Option>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub runAsGroup: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub allowPrivilegeEscalation: Option,
 // TODO: additional fields.
 }
@@ -962,6 +971,11 @@ impl Container {
 if let Some(uid) = context.runAsUser {
 process.User.UID = uid.try_into().unwrap();
 }
+
+ if let Some(gid) = context.runAsGroup {
+ process.User.GID = gid.try_into().unwrap();
+ }
+
 if let Some(allow) = context.allowPrivilegeEscalation {
 process.NoNewPrivileges = !allow
 }
@@ -1008,6 +1022,7 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi
 privileged: None,
 capabilities: None,
 runAsUser: None,
+ runAsGroup: None,
 seccompProfile: None,
 }),
 ..Default::default()
diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
index b5d77d81e..10506d975 100644
--- a/src/tools/genpolicy/src/yaml.rs
+++ b/src/tools/genpolicy/src/yaml.rs
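Review bot: `allowPrivilegeEscalation` is not a field of the Kubernetes `PodSecurityContext` API — it exists only on the container-level `SecurityContext` — so the new `pub allowPrivilegeEscalation` member added to `PodSecurityContext` in the second pod.rs hunk, and the branch that reads it in the yaml.rs hunk, can only be populated by a manifest the API server would reject or prune. In that case the generated policy would encode a `NoNewPrivileges` value derived from input the runtime never receives, and the policy and the actual OCI spec can disagree. Unless accepting the field at pod level is deliberate, I would drop it from `PodSecurityContext` and keep the pod-level helper to `runAsGroup`; if it stays, a comment such as `// Not a PodSecurityContext field in the Kubernetes API; accepted here because <reason>` should record why. The struct is otherwise unchanged by this commit apart from the `runAsGroup` field, which does belong to the pod-level API.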
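Review bot: `gid.try_into().unwrap()` in the new `runAsGroup` branch of the third pod.rs hunk panics on any value that does not fit the GID type (a negative or oversized `runAsGroup` in the input manifest), so a malformed manifest crashes the tool instead of producing a diagnostic; the identical line in the yaml.rs hunk has the same issue. It mirrors the existing `runAsUser` line, but the new code need not repeat the pattern: `process.User.GID = gid.try_into().expect("runAsGroup does not fit in a GID");` at least states the invariant, and returning an error would be better if the caller already propagates one. The enclosing method in `impl Container` starts and ends outside the hunk.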
@@ -391,6 +391,14 @@ pub fn get_process_fields(
 if let Some(uid) = context.runAsUser {
 process.User.UID = uid.try_into().unwrap();
 }
+
+ if let Some(gid) = context.runAsGroup {
+ process.User.GID = gid.try_into().unwrap();
+ }
+
+ if let Some(allow) = context.allowPrivilegeEscalation {
+ process.NoNewPrivileges = !allow
+ }
 }
 }
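Review bot: The new pod-level `runAsGroup` and `allowPrivilegeEscalation` assignments write `process.User.GID` and `process.NoNewPrivileges` unconditionally, so whether a container-level `securityContext` still takes precedence depends on the call order between this helper and the container-level one, which is outside the hunk. Kubernetes gives the container-level value precedence; if `get_process_fields` is applied after the container-level fields, a pod-level `runAsGroup` would silently overwrite the container's GID in the policy. Worth confirming the order in the callers and documenting it here, e.g. `// Pod-level defaults; container-level securityContext must be applied afterwards so it can override these.` The function starts outside the hunk.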