github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-28 00:07:16 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11103 from Ankita13-code/ankitapareek/policy-input-validation

Browse Source 
policy: Add missing input validations for ExecProcessRequest
This commit is contained in:
Dan Mihai 2025-04-07 07:26:24 -07:00 committed by GitHub
commit e606a8deb5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 181 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/tools/genpolicy/rules.rego
View File

@ -1276,6 +1276,7 @@ CreateSandboxRequest {
ExecProcessRequest { ExecProcessRequest {
print("ExecProcessRequest 1: input =", input) print("ExecProcessRequest 1: input =", input)
allow_exec_process_input
some p_command in policy_data.request_defaults.ExecProcessRequest.allowed_commands some p_command in policy_data.request_defaults.ExecProcessRequest.allowed_commands
print("ExecProcessRequest 1: p_command =", p_command) print("ExecProcessRequest 1: p_command =", p_command)
@ -1285,6 +1286,7 @@ ExecProcessRequest {
} }
ExecProcessRequest { ExecProcessRequest {
print("ExecProcessRequest 2: input =", input) print("ExecProcessRequest 2: input =", input)
allow_exec_process_input
# TODO: match input container ID with its corresponding container.exec_commands. # TODO: match input container ID with its corresponding container.exec_commands.
some container in policy_data.containers some container in policy_data.containers
@ -1298,6 +1300,7 @@ ExecProcessRequest {
} }
ExecProcessRequest { ExecProcessRequest {
print("ExecProcessRequest 3: input =", input) print("ExecProcessRequest 3: input =", input)
allow_exec_process_input
i_command = concat(" ", input.process.Args) i_command = concat(" ", input.process.Args)
print("ExecProcessRequest 3: i_command =", i_command) print("ExecProcessRequest 3: i_command =", i_command)
@ -1310,6 +1313,16 @@ ExecProcessRequest {
print("ExecProcessRequest 3: true") print("ExecProcessRequest 3: true")
} }
allow_exec_process_input {
is_null(input.string_user)
i_process := input.process
count(i_process.SelinuxLabel) == 0
count(i_process.ApparmorProfile) == 0
print("allow_exec_process_input: true")
}
UpdateRoutesRequest { UpdateRoutesRequest {
print("UpdateRoutesRequest: input =", input) print("UpdateRoutesRequest: input =", input)
print("UpdateRoutesRequest: policy =", policy_data.request_defaults.UpdateRoutesRequest) print("UpdateRoutesRequest: policy =", policy_data.request_defaults.UpdateRoutesRequest)

11
src/tools/genpolicy/tests/main.rs
View File

@ -12,8 +12,8 @@ mod tests {
use std::str; use std::str;
use protocols::agent::{ use protocols::agent::{
CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, UpdateInterfaceRequest, CopyFileRequest, CreateContainerRequest, CreateSandboxRequest, ExecProcessRequest,
UpdateRoutesRequest, UpdateInterfaceRequest, UpdateRoutesRequest,
}; };
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
@ -29,6 +29,7 @@ mod tests {
CreateSandbox(CreateSandboxRequest), CreateSandbox(CreateSandboxRequest),
UpdateInterface(UpdateInterfaceRequest), UpdateInterface(UpdateInterfaceRequest),
UpdateRoutes(UpdateRoutesRequest), UpdateRoutes(UpdateRoutesRequest),
ExecProcess(ExecProcessRequest),
} }
impl Display for TestRequest { impl Display for TestRequest {
@ -39,6 +40,7 @@ mod tests {
TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"), TestRequest::CreateSandbox(_) => write!(f, "CreateSandboxRequest"),
TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"), TestRequest::UpdateInterface(_) => write!(f, "UpdateInterfaceRequest"),
TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"), TestRequest::UpdateRoutes(_) => write!(f, "UpdateRoutesRequest"),
TestRequest::ExecProcess(_) => write!(f, "ExecProcessRequest"),
} }
} }
} }
@ -183,4 +185,9 @@ mod tests {
async fn test_create_container_generate_name() { async fn test_create_container_generate_name() {
runtests("createcontainer/generate_name").await; runtests("createcontainer/generate_name").await;
} }
#[tokio::test]
async fn test_exec_process() {
runtests("execprocess").await;
}
} }

20
src/tools/genpolicy/tests/testdata/execprocess/pod.yaml vendored Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
runtimeClassName: kata-cc
containers:
- name: first-test-container
image: "quay.io/prometheus/busybox:latest"
env:
- name: CONTAINER_NAME
value: first-test-container
command:
- sleep
- "3600"
livenessProbe:
exec:
command:
- echo
- test

139
src/tools/genpolicy/tests/testdata/execprocess/testcases.json vendored Normal file
View File

@ -0,0 +1,139 @@
[
{
"description": "test exec process with correct args",
"allowed": true,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"echo",
"test"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with incorrect args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with non-null selinuxLabel",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "system_u:system_r:container_t",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process with random ApparmorProfile",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": "localhost/root-user"
}
}
},
{
"description": "test exec process with random string_user",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": {
"uid": "0",
"gid": "12",
"additional_gids": []
},
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
}
]