From d3b652014aeade531a4d291acf2f3fb123b68e11 Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Fri, 11 Apr 2025 22:41:38 +0000
Subject: [PATCH] genpolicy: Introduce genpolicy tests for security contexts

Add security context testcases for genpolicy, verifying that UID and GID configurations controlled by the kubernetes security context are enforced.

Also, fix the other CreateContainerRequest tests' expected contents to reflect our new genpolicy parsing/enforcement of GIDs.

Signed-off-by: Cameron Baird
---
 src/tools/genpolicy/tests/main.rs | 5 +
 .../generate_name/testcases.json | 8 +-
 .../network_namespace/testcases.json | 14 +-
 .../createcontainer/security_context/pod.yaml | 12 +
 .../security_context/testcases.json | 737 ++++++++++++++++++
 .../createcontainer/sysctls/testcases.json | 14 +-
 .../state/createcontainer/testcases.json | 4 +-
 7 files changed, 779 insertions(+), 15 deletions(-)
 create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/security_context/pod.yaml
 create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/security_context/testcases.json

diff --git a/src/tools/genpolicy/tests/main.rs b/src/tools/genpolicy/tests/main.rs
index c0ed5af144..4e01fa28ed 100644
--- a/src/tools/genpolicy/tests/main.rs
+++ b/src/tools/genpolicy/tests/main.rs
@@ -197,4 +197,9 @@ mod tests {
 async fn test_state_exec_process() {
 runtests("state/execprocess").await;
 }
+
+ #[tokio::test]
+ async fn test_create_container_security_context() {
+ runtests("createcontainer/security_context").await;
+ }
 }
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json
index 87865f4c5b..458b324c7c 100644
--- a/src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json
@@ -65,7 +65,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -197,7 +198,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -263,4 +265,4 @@
 }
 }
 }
-]
+]
\ No newline at end of file
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/network_namespace/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/network_namespace/testcases.json
index 67b780f71c..1e37e157cc 100644
--- a/src/tools/genpolicy/tests/testdata/createcontainer/network_namespace/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/network_namespace/testcases.json
@@ -65,7 +65,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -197,7 +198,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -325,7 +327,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -457,7 +460,8 @@
 "SelinuxLabel": "",
 "User": {
 "Username": "",
- "UID": 65535
+ "UID": 65535,
+ "GID": 65535
 },
 "Args": [
 "/pause"
@@ -523,4 +527,4 @@
 }
 }
 }
-]
+]
\ No newline at end of file
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/security_context/pod.yaml b/src/tools/genpolicy/tests/testdata/createcontainer/security_context/pod.yaml
new file mode 100644
index 0000000000..51008f05e7
--- /dev/null
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/security_context/pod.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: dummy
+spec:
+ runtimeClassName: kata-cc-isolation
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ containers:
+ - name: dummy
+ image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
\ No newline at end of file
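Review bot: pod.yaml sets `runAsUser`/`runAsGroup` only at pod level, so this fixture cannot tell pod-level from container-level precedence; adding `securityContext: { runAsUser: 65533 }` under the `dummy` container, with a matching testcase, would cover the override path, assuming genpolicy honours container-level settings the same way. The file is also written without a trailing newline (`\ No newline at end of file`), as are the JSON fixtures this patch touches; ending each with `\n` keeps later diffs clean. Pinning the image by digest is the right call here, since the expected spec depends on the exact image config.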
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/security_context/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/security_context/testcases.json
new file mode 100644
index 0000000000..e5800c164f
--- /dev/null
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/security_context/testcases.json
@@ -0,0 +1,737 @@ +[ + { + "description": "Correct User for security context", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "2", + "io.kubernetes.cri.sandbox-id": "a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/kata-containers-k8s-tests_dummy_fd055c20-d44c-4fc5-aa90-283f629201af", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "dummy", + "io.kubernetes.cri.sandbox-namespace": "kata-containers-k8s-tests", + "io.kubernetes.cri.sandbox-uid": "fd055c20-d44c-4fc5-aa90-283f629201af", + "nerdctl/network-namespace": "/var/run/netns/cni-50720768-bd65-bf4b-6185-5d5a2adf5305" + }, + "Hooks": null, + "Hostname": "dummy", + "Linux": { + "CgroupsPath": "kubepods-besteffort-podfd055c20_d44c_4fc5_aa90_283f629201af.slice:cri-containerd:a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/sys/devices/virtual/powercap", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + 
"Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + "RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "proc", + "type_": "proc" + }, + { + "destination": "/dev", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ], + "source": "tmpfs", + "type_": "tmpfs" + }, + { + "destination": "/dev/pts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ], + "source": "devpts", + "type_": "devpts" + }, + { + "destination": "/dev/mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "mqueue", + "type_": "mqueue" + }, + { + "destination": "/sys", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ], + "source": "sysfs", + "type_": "sysfs" + }, + { + "destination": "/dev/shm", + "options": [ + "rbind" + ], + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind" + }, + { + "destination": "/etc/resolv.conf", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ], + "source": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4-8f7f27d37e8af290-resolv.conf", + "type_": "bind" + } + ], + "Process": { + "ApparmorProfile": "", + "Args": [ + "/pause" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + 
"CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Inheritable": [], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + }, + "ConsoleSize": null, + "Cwd": "/", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "NoNewPrivileges": true, + "OOMScoreAdj": -998, + "Rlimits": [], + "SelinuxLabel": "", + "Terminal": false, + "User": { + "GID": 65534, + "UID": 65534, + "Username": "" + } + }, + "Root": { + "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Readonly": true + }, + "Solaris": null, + "Version": "1.1.0", + "Windows": null + } + } + }, + { + "description": "Incorrect User.UID for security context", + "allowed": false, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "2", + "io.kubernetes.cri.sandbox-id": "a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/kata-containers-k8s-tests_dummy_fd055c20-d44c-4fc5-aa90-283f629201af", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "dummy", + "io.kubernetes.cri.sandbox-namespace": "kata-containers-k8s-tests", + "io.kubernetes.cri.sandbox-uid": 
"fd055c20-d44c-4fc5-aa90-283f629201af", + "nerdctl/network-namespace": "/var/run/netns/cni-50720768-bd65-bf4b-6185-5d5a2adf5305" + }, + "Hooks": null, + "Hostname": "dummy", + "Linux": { + "CgroupsPath": "kubepods-besteffort-podfd055c20_d44c_4fc5_aa90_283f629201af.slice:cri-containerd:a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/sys/devices/virtual/powercap", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + "Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + "RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "proc", + "type_": "proc" + }, + { + "destination": "/dev", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ], + "source": "tmpfs", + "type_": "tmpfs" + }, + { + "destination": "/dev/pts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ], + "source": "devpts", + "type_": "devpts" + }, + { + "destination": "/dev/mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "mqueue", + "type_": "mqueue" + }, + { + "destination": "/sys", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ], + 
"source": "sysfs", + "type_": "sysfs" + }, + { + "destination": "/dev/shm", + "options": [ + "rbind" + ], + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind" + }, + { + "destination": "/etc/resolv.conf", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ], + "source": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4-8f7f27d37e8af290-resolv.conf", + "type_": "bind" + } + ], + "Process": { + "ApparmorProfile": "", + "Args": [ + "/pause" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Inheritable": [], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + }, + "ConsoleSize": null, + "Cwd": "/", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "NoNewPrivileges": true, + "OOMScoreAdj": -998, + "Rlimits": [], + "SelinuxLabel": "", + "Terminal": false, + "User": { + "GID": 65534, + "UID": 0, + "Username": "" + } + }, + "Root": { + "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Readonly": true + }, + "Solaris": null, + "Version": "1.1.0", + "Windows": null + } + } + }, + { + "description": "Incorrect User.GID for security context", + 
"allowed": false, + "request": { + "type": "CreateContainer", + "OCI": { + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-cpu-period": "100000", + "io.kubernetes.cri.sandbox-cpu-quota": "0", + "io.kubernetes.cri.sandbox-cpu-shares": "2", + "io.kubernetes.cri.sandbox-id": "a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/kata-containers-k8s-tests_dummy_fd055c20-d44c-4fc5-aa90-283f629201af", + "io.kubernetes.cri.sandbox-memory": "0", + "io.kubernetes.cri.sandbox-name": "dummy", + "io.kubernetes.cri.sandbox-namespace": "kata-containers-k8s-tests", + "io.kubernetes.cri.sandbox-uid": "fd055c20-d44c-4fc5-aa90-283f629201af", + "nerdctl/network-namespace": "/var/run/netns/cni-50720768-bd65-bf4b-6185-5d5a2adf5305" + }, + "Hooks": null, + "Hostname": "dummy", + "Linux": { + "CgroupsPath": "kubepods-besteffort-podfd055c20_d44c_4fc5_aa90_283f629201af.slice:cri-containerd:a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4", + "Devices": [], + "GIDMappings": [], + "IntelRdt": null, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/sys/devices/virtual/powercap", + "/proc/scsi" + ], + "MountLabel": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + } + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ], + "Resources": { + "BlockIO": null, + "CPU": { + "Cpus": "", + "Mems": "", + "Period": 0, + "Quota": 0, + "RealtimePeriod": 0, + 
"RealtimeRuntime": 0, + "Shares": 2 + }, + "Devices": [], + "HugepageLimits": [], + "Memory": null, + "Network": null, + "Pids": null + }, + "RootfsPropagation": "", + "Seccomp": null, + "Sysctl": {}, + "UIDMappings": [] + }, + "Mounts": [ + { + "destination": "/proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "proc", + "type_": "proc" + }, + { + "destination": "/dev", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ], + "source": "tmpfs", + "type_": "tmpfs" + }, + { + "destination": "/dev/pts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ], + "source": "devpts", + "type_": "devpts" + }, + { + "destination": "/dev/mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ], + "source": "mqueue", + "type_": "mqueue" + }, + { + "destination": "/sys", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ], + "source": "sysfs", + "type_": "sysfs" + }, + { + "destination": "/dev/shm", + "options": [ + "rbind" + ], + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind" + }, + { + "destination": "/etc/resolv.conf", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ], + "source": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4-8f7f27d37e8af290-resolv.conf", + "type_": "bind" + } + ], + "Process": { + "ApparmorProfile": "", + "Args": [ + "/pause" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + 
"CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Inheritable": [], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + }, + "ConsoleSize": null, + "Cwd": "/", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "NoNewPrivileges": true, + "OOMScoreAdj": -998, + "Rlimits": [], + "SelinuxLabel": "", + "Terminal": false, + "User": { + "GID": 65534, + "UID": 0, + "Username": "" + } + }, + "Root": { + "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Readonly": true + }, + "Solaris": null, + "Version": "1.1.0", + "Windows": null + } + } + } +] \ No newline at end of file diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/sysctls/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/sysctls/testcases.json index a3209134ba..cbf3ab6316 100644 --- a/src/tools/genpolicy/tests/testdata/createcontainer/sysctls/testcases.json +++ b/src/tools/genpolicy/tests/testdata/createcontainer/sysctls/testcases.json @@ -2,7 +2,9 @@ { "description": "sysctls listed in yaml or settings", "allowed": true, - "state": {"sandbox_name": "policy-redis-deployment-6674f9448-xjrzf"}, + "state": { + "sandbox_name": "policy-redis-deployment-6674f9448-xjrzf" + }, "request": { "type": "CreateContainer", "OCI": { @@ -238,7 +240,7 @@ "AdditionalGids": [ 0 ], - "GID": 0, + "GID": 65535, "UID": 65535, "Username": "" } @@ -278,7 +280,9 @@ { "description": "sysctl not listed in yaml or settings", "allowed": false, - "state": {"sandbox_name": "policy-redis-deployment-6674f9448-xjrzf"}, + "state": { + "sandbox_name": "policy-redis-deployment-6674f9448-xjrzf" + }, "request": { "type": "CreateContainer", "OCI": { 
@@ -514,7 +518,7 @@
 "AdditionalGids": [
 0
 ],
- "GID": 0,
+ "GID": 65535,
 "UID": 65535,
 "Username": ""
 }
@@ -551,4 +555,4 @@
 "string_user": null
 }
 }
-]
+]
\ No newline at end of file
diff --git a/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json b/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json
index 990879fdcd..a9e5f049a9 100644
--- a/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/state/createcontainer/testcases.json
@@ -233,7 +233,7 @@
 "AdditionalGids": [
 0
 ],
- "GID": 0,
+ "GID": 65535,
 "UID": 65535,
 "Username": ""
 }
@@ -279,4 +279,4 @@
 "timeout": 0
 }
 }
-]
+]
\ No newline at end of file