From dab567bdfa377fffea41f7fa82ea7b199add9652 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 7 Feb 2024 21:58:13 +0000
Subject: [PATCH] genpolicy: add easy way to allow CloseStdinRequest

For example, Kata CI's k8s-copy-file.bats transfers files between the Host and the Guest using "kubectl exec", and that results in CloseStdinRequest being called from the Host.

Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/genpolicy-settings.json | 1 +
 src/tools/genpolicy/rules.rego | 4 ++++
 src/tools/genpolicy/src/policy.rs | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index bc355fa5fa..4aef352a98 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -299,6 +299,7 @@
 "commands": [],
 "regex": []
 },
+ "CloseStdinRequest": false,
 "ReadStreamRequest": false,
 "WriteStreamRequest": false
 }
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index f5f616ced6..04ac97d45c 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1143,6 +1143,10 @@ ExecProcessRequest {
 print("ExecProcessRequest 3: true")
 }
 
+CloseStdinRequest {
+ policy_data.request_defaults.CloseStdinRequest == true
+}
+
 ReadStreamRequest {
 policy_data.request_defaults.ReadStreamRequest == true
 }
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 794c583d2e..56c79412fe 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -324,6 +324,9 @@ pub struct RequestDefaults {
 /// Commands allowed to be executed by the Host in all Guest containers.
 pub ExecProcessRequest: ExecProcessRequestDefaults,
 
+ /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
+ pub CloseStdinRequest: bool,
+
 /// Allow Host reading from Guest containers stdout and stderr.
 pub ReadStreamRequest: bool,
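Review bot: The new CloseStdinRequest rule in rules.rego decides on nothing but the `policy_data.request_defaults.CloseStdinRequest` flag and never reads `input`, so once the setting is flipped to true the request is admitted regardless of which container or exec session it targets; it is a pod-wide switch, not a per-session one. That is the same shape as the ReadStreamRequest rule directly below it, and the settings hunk keeps the default at false, so deny-by-default is preserved, but the rule itself does not say it is global and a reader could assume it is tied to the session that ExecProcessRequest admitted. A one-line comment above the rule would make that explicit: `# Global allow: when enabled in genpolicy-settings.json, CloseStdinRequest is admitted for every container, independent of ExecProcessRequest.` The `== true` comparison is redundant in Rego for a boolean value, but since ReadStreamRequest and WriteStreamRequest use the same form, consistency argues for leaving it as written.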