diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index c84550181b..8a5f6324e0 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -342,6 +342,15 @@
 "allowed_commands": [],
 "regex": []
 },
+ "UpdateRoutesRequest": {
+ "forbidden_device_names": [
+ "lo"
+ ],
+ "forbidden_source_regex": [
+ "^(?:0{0,4}:){0,7}0{0,3}1$",
+ "^127\\.(?:[0-9]{1,3}\\.){2}[0-9]{1,3}$"
+ ]
+ },
 "CloseStdinRequest": false,
 "ReadStreamRequest": false,
 "UpdateEphemeralMountsRequest": false,
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 36f4bdd098..22c7a97bbb 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -39,7 +39,7 @@ default TtyWinResizeRequest := true
 default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := false
 default UpdateInterfaceRequest := true
-default UpdateRoutesRequest := true
+default UpdateRoutesRequest := false
 default WaitProcessRequest := true
 default WriteStreamRequest := false
@@ -1319,6 +1319,28 @@ ExecProcessRequest {
 print("ExecProcessRequest 3: true")
 }
+UpdateRoutesRequest {
+ print("UpdateRoutesRequest: input =", input)
+ print("UpdateRoutesRequest: policy =", policy_data.request_defaults.UpdateRoutesRequest)
+
+ i_routes := input.routes.Routes
+ p_source_regex = policy_data.request_defaults.UpdateRoutesRequest.forbidden_source_regex
+ p_names = policy_data.request_defaults.UpdateRoutesRequest.forbidden_device_names
+
+ every i_route in i_routes {
+ print("i_route.source =", i_route.source)
+ every p_regex in p_source_regex {
+ print("p_regex =", p_regex)
+ not regex.match(p_regex, i_route.source)
+ }
+
+ print("i_route.device =", i_route.device)
+ not i_route.device in p_names
+ }
+
+ print("UpdateRoutesRequest: true")
+}
+
 CloseStdinRequest {
 policy_data.request_defaults.CloseStdinRequest == true
 }
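Review bot: forbidden_source_regex in the new UpdateRoutesRequest entry catches `::1` and `127.x.x.x` but not the IPv4-mapped IPv6 spelling of the same loopback address (`::ffff:127.0.0.1`, or `::ffff:7f00:1`), so a source written that way matches neither anchored pattern and the route is allowed; whether the guest kernel treats such a source as loopback is not something this hunk shows, but since the list is a denylist it is cheap to add a third pattern plus a matching entry in tests/testdata/updateroutes/testcases.json. Both patterns end in `$`, so a value carrying a prefix length such as `127.0.0.1/8` would also pass — worth confirming how the agent parses `source` before relying on the anchor. The IPv6 pattern additionally accepts strings that are not addresses at all (`1`, `0:0:1`); that only over-blocks, but a sentence where these settings are documented saying they are exact-match RE2 patterns evaluated by `regex.match` would help the next editor.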
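Review bot: `p_source_regex` and `p_names` are bound with `=` while `i_routes` on the line above uses `:=`; `=` is unification in Rego, so writing `p_source_regex := policy_data.request_defaults.UpdateRoutesRequest.forbidden_source_regex` and `p_names := policy_data.request_defaults.UpdateRoutesRequest.forbidden_device_names` keeps the intent (plain assignment) explicit and the block consistent. The rule's failure modes deserve a comment: when `input.routes.Routes` is absent the `every` is undefined and the request falls to the new `default UpdateRoutesRequest := false`, an empty list is vacuously allowed, and with OPA's default (non-strict) built-in error handling a malformed pattern leaves `regex.match` undefined and therefore denies — e.g. `# Missing Routes, or a pattern that fails to compile, denies; an empty list is allowed.` The `every` keyword presumably relies on a `future.keywords` import already present elsewhere in the file, which is outside this hunk.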
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index fa469f63ff..d7c93c95e9 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -334,6 +334,16 @@ pub struct ExecProcessRequestDefaults {
 regex: Vec,
 }
+/// UpdateRoutesRequest settings from genpolicy-settings.json.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct UpdateRoutesRequestDefaults {
+ /// Forbid adding routes to devices of these names.
+ forbidden_device_names: Vec,
+
+ /// Forbid adding routes originating from these addresses.
+ forbidden_source_regex: Vec,
+}
+
 /// Settings specific to each kata agent endpoint, loaded from
 /// genpolicy-settings.json.
 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -347,6 +357,9 @@ pub struct RequestDefaults {
 /// Commands allowed to be executed by the Host in all Guest containers.
 pub ExecProcessRequest: ExecProcessRequestDefaults,
+ /// Allow the host to update routes for devices other than the loopback.
+ pub UpdateRoutesRequest: UpdateRoutesRequestDefaults,
+
 /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
 pub CloseStdinRequest: bool,
diff --git a/src/tools/genpolicy/tests/main.rs b/src/tools/genpolicy/tests/main.rs
index e0082f6870..2dd1ad4c74 100644
--- a/src/tools/genpolicy/tests/main.rs
+++ b/src/tools/genpolicy/tests/main.rs
@@ -11,7 +11,9 @@ mod tests {
 use std::path;
 use std::str;
- use protocols::agent::{CopyFileRequest, CreateContainerRequest, CreateSandboxRequest};
+ use protocols::agent::{
+ CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, UpdateRoutesRequest,
+ };
 use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
@@ -135,6 +137,11 @@ mod tests {
 runtests::("createsandbox").await;
 }
+ #[tokio::test]
+ async fn test_update_routes() {
+ runtests::("updateroutes").await;
+ }
+
 #[tokio::test]
 async fn test_create_container_network_namespace() {
 runtests::("createcontainer/network_namespace").await;
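Review bot: The doc comment on `forbidden_source_regex` says "originating from these addresses", but the field holds regular expressions, not addresses, and the settings file in this commit shows anchored patterns; `/// Anchored regex patterns; a route whose source address matches any of them is rejected (evaluated by regex.match in rules.rego).` states the actual contract. The patterns are deserialized as plain strings with no validation, so a typo is only discovered when the agent evaluates the policy and starts denying every UpdateRoutesRequest; if genpolicy already has a regex-capable dependency (Cargo.toml is not in view), compiling each entry at load time would surface that at policy-generation time instead. `forbidden_device_names` is compared by membership in the rego rule, so `/// Device names (exact match) to which routes may not be added.` is the precise wording there.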
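Review bot: The doc comment on `pub UpdateRoutesRequest` describes only the device restriction ("devices other than the loopback"), but `UpdateRoutesRequestDefaults` also rejects routes by source address, and neither the device list nor the patterns are fixed to loopback — both come from genpolicy-settings.json. `/// Restrictions on host route updates: forbidden device names and forbidden source-address patterns, from genpolicy-settings.json.` matches the struct's two fields and will stay accurate if the settings change.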
diff --git a/src/tools/genpolicy/tests/testdata/updateroutes/pod.yaml b/src/tools/genpolicy/tests/testdata/updateroutes/pod.yaml
new file mode 100644
index 0000000000..7ac6554ed9
--- /dev/null
+++ b/src/tools/genpolicy/tests/testdata/updateroutes/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: dummy
+spec:
+ runtimeClassName: kata-cc-isolation
+ containers:
+ - name: dummy
+ image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db
diff --git a/src/tools/genpolicy/tests/testdata/updateroutes/testcases.json b/src/tools/genpolicy/tests/testdata/updateroutes/testcases.json
new file mode 100644
index 0000000000..bc581e6bad
--- /dev/null
+++ b/src/tools/genpolicy/tests/testdata/updateroutes/testcases.json
@@ -0,0 +1,118 @@
+[
+ {
+ "description": "compliant routes",
+ "allowed": true,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ },
+ {
+ "description": "forbidden device",
+ "allowed": false,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "lo",
+ "source": "",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ },
+ {
+ "description": "one compliant route, one noncompliant",
+ "allowed": false,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "",
+ "scope": 0,
+ "family": 0
+ },
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "::1",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ },
+ {
+ "description": "noncompliant routes",
+ "allowed": false,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "127.0.0.1",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ },
+ {
+ "description": "noncompliant routes ipv6 1",
+ "allowed": false,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "::1",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ },
+ {
+ "description": "noncompliant routes ipv6 2",
+ "allowed": false,
+ "request": {
+ "routes": {
+ "Routes": [
+ {
+ "dest": "",
+ "gateway": "10.244.0.1",
+ "device": "eth0",
+ "source": "00::001",
+ "scope": 0,
+ "family": 0
+ }
+ ]
+ }
+ }
+ }
+]
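Review bot: No case exercises an empty `Routes` list, which the rego rule's `every` accepts vacuously, nor a request with `Routes` missing, which it denies; I can't tell from here whether an empty repeated field serializes as `[]` or is omitted, so a case for each outcome would pin the behaviour explicitly instead of leaving it to the encoder. The "one compliant route, one noncompliant" case reuses `::1`, which "noncompliant routes ipv6 1" already covers; putting `127.0.0.1` or the device `lo` in the second route there would widen coverage without adding a case. A case with a route where `device` is empty would also be useful, since the rule only checks membership in the forbidden list and an empty name currently passes.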